short names for remote hosts not in my network
Kevin Darcy
kcd at daimlerchrysler.com
Mon Feb 20 21:45:46 UTC 2006
reader at newsguy.com wrote:
>Setup: Gentoo linux
> bind-9.3.2
>
>Until I started running a local home network nameserver I used short
>names for 2 remote hosts where I have user accounts, by listing them
>in /etc/hosts:
> 207.106.84.135 io.jtan.com io # gentoo
> 207.106.84.134 callisto.jtan.com callisto # obsd
>
>Then at the command line I could `ssh io' and ssh would know it was
>io.jtan.com.
>
>My domain is a private home domain `local.net0'
>
>I still have those entries in /etc/hosts but now that I'm running
>bind, my system thinks `io' is a completely different machine not in
>jtan.com domain at all.
>
>So `ssh io' now tries to contact a different io.
>
> nslookup io
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: io
> Address: 80.249.100.38
>====================================
>
> nslookup io.jtan.com
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: io.jtan.com
> Address: 207.106.84.135
>
>The name io does not appear anywhere in my bind setup files. So I'm
>wondering why the short name is not known to be the one listed in
>/etc/hosts? Or why it doesn't just fail if /etc/hosts isn't coming
>into play.
>
>Is it coming from a cached lookup or what?
>
This is a good example of why shortnames are evil. They produce
unexpected, unreliable results. In this case, you should use the -debug
option to nslookup to see what it is *actually* looking up. Chances are,
there is some whacky domain in the "domain" or "searchlist" directives
of /etc/resolv.conf that's causing "io" to resolve in a way that you
didn't expect. Imagine if someone set up a website under the other "io"
that looked just like your "io" website. You might be fooled into
logging into that website, and voila! your password is stolen and maybe
your identity too...

Get in the habit of using fully-qualified names. It may seem like a pain
now, but in the long run you're better off for it.

- Kevin
More information about the bind-users mailing list
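An added example, not part of the original thread: a small Python audit that lists, in order, the fully-qualified names a stub resolver would query for a given host name, following the documented `domain`/`search`/`ndots` rules of resolv.conf. The resolv.conf content is constructed (only `local.net0` comes from the post; `example.net` is a placeholder), and the function names are hypothetical.

```python
# Constructed sample; this is not the poster's actual /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 127.0.0.1
domain local.net0
search local.net0 example.net
options ndots:1
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots) parsed from resolv.conf text."""
    search, ndots = [], 1                      # resolver default for ndots is 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comment or blank line
            continue
        key, *args = line.split()
        if key == "domain" and args:
            search = [args[0]]                 # domain and search are mutually
        elif key == "search":                  # exclusive: the last one wins
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return [d.rstrip(".").lower() for d in search], ndots

def candidates(name, search, ndots):
    """Ordered fully-qualified names that would be queried for `name`."""
    if name.endswith("."):                     # trailing dot: already absolute,
        return [name.lower()]                  # the search list is not applied
    name = name.lower()
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:               # enough dots: try as-is first
        return [absolute] + expanded
    return expanded + [absolute]               # short name: search list first,
                                               # then the bare label at the root

def audit(name, resolv_conf_text):
    """Convenience wrapper: parse the config text and expand one name."""
    search, ndots = parse_resolv_conf(resolv_conf_text)
    return candidates(name, search, ndots)

if __name__ == "__main__":
    for host in ("io", "io.jtan.com", "io.jtan.com."):
        print(f"{host:14} -> {audit(host, SAMPLE_RESOLV_CONF)}")
```

Any candidate in the output that falls outside the domains you control is a name someone else could answer for, which is the risk described in the reply above.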