Change in behaviour regarding ndots and searchlist

Sebastian Wiesinger bind-users at ml.karotte.org
Mon Sep 15 08:35:32 UTC 2014


Hello,

I noticed a change in the host tool in regard to how searches are done
when there are >= "ndots" dots in the query. In the following case
ndots is always nonexistent in the configuration.

With bind 9.8 (Debian 1:9.8.4.dfsg.P1):

$ host -d test.example
Trying "test.example"
Received 105 bytes from 127.0.0.1#53 in 6 ms
Trying "test.example.office.example.com"
Trying "test.example.backup.example.org"
Trying "test.example.example.com"
Trying "test.example.example.org"
Trying "test.example.winzone.example.com"
Trying "test.example.nms.example.com"
Host test.example not found: 3(NXDOMAIN)
Received 104 bytes from 127.0.0.1#53 in 1 ms


With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu
1:9.9.5.dfsg-3):

$ host -d test.example
Trying "test.example"
Host test.example not found: 3(NXDOMAIN)
Received 105 bytes from 127.0.0.1#53 in 15 ms
Received 105 bytes from 127.0.0.1#53 in 15 ms


So with "host" from bind 9.8 the absolute name is tried first and
after that the search list is tried.

With bind 9.9 this is no longer the case.

Does anyone know if that was a deliberate change? I liked the old
behaviour because I could search for internal subdomains without
specifying/knowing the full FQDN.

As a workaround I raised the ndots value to 2 but that increases the
number of queries because the searchlist is tried first for things
like linux.org. Also it increases the potential for MITM as
"linux.org.example.com." is tried first.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
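To make the two traces above concrete, here is a small added model of the candidate list a stub resolver builds from ndots and the search list; it is constructed for this post and is not BIND's resolver code. The suffixes are the ones visible in the 9.8 trace, ndots is assumed to default to 1 as in resolv.conf, and a second helper shows which suffixed lookups the ndots=2 workaround sends out before the name as typed.

```python
# Constructed model of stub-resolver search-list expansion (added example,
# not code from the post or from BIND). Suffixes are those seen in the
# bind 9.8 trace; ndots defaults to 1 as in resolv.conf(5).
from typing import List

SEARCHLIST = [
    "office.example.com",
    "backup.example.org",
    "example.com",
    "example.org",
    "winzone.example.com",
    "nms.example.com",
]


def candidates(name: str, ndots: int = 1, searchlist: List[str] = SEARCHLIST,
               search_after_absolute: bool = True) -> List[str]:
    """Names a stub resolver would try, in the order it would try them.

    search_after_absolute=True models the 9.8 'host' output above (the
    absolute name first, then every search suffix); False models 9.9,
    where the absolute name is the only attempt once dots >= ndots.
    """
    if name.endswith("."):
        return [name]                     # fully qualified: never searched
    expanded = [f"{name}.{suffix}" for suffix in searchlist]
    if name.count(".") >= ndots:
        return [name] + (expanded if search_after_absolute else [])
    return expanded + [name]              # too few dots: search list first


def queries_before_absolute(name: str, ndots: int = 1,
                            searchlist: List[str] = SEARCHLIST) -> List[str]:
    """Suffixed names sent out *before* the name as typed.

    These are the lookups a search-domain operator (or anyone on the path
    to its authoritative servers) sees first, which is the MITM concern
    raised for the ndots=2 workaround.
    """
    tried = candidates(name, ndots, searchlist, search_after_absolute=True)
    return tried[: tried.index(name)]


if __name__ == "__main__":
    print("9.8, ndots=1:", candidates("test.example"))
    print("9.9, ndots=1:", candidates("test.example", search_after_absolute=False))
    print("workaround ndots=2, linux.org first tries:",
          queries_before_absolute("linux.org", ndots=2))
```

With ndots=2, an external name with a single dot such as linux.org produces six suffixed queries before the absolute one, which is both the extra query volume and the exposure described in the post.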

