Change in behaviour regarding ndots and searchlist

Mark Andrews marka at isc.org
Mon Sep 15 09:16:48 UTC 2014


Partially qualified names are DANGEROUS.  You really do not want
to use them ever no matter how convenient or useful they appear to be.

In message <20140915083532.GA29404 at danton.fire-world.de>, Sebastian Wiesinger writes:
> Hello,
> 
> I noticed a change in the host tool in regard to how searches are done
> when there are >= "ndots" dots in the query. In the following case
> ndots is always nonexistent in the configuration.
> 
> With bind 9.8 (Debian 1:9.8.4.dfsg.P1):
> 
> $ host -d test.example
> Trying "test.example"
> Received 105 bytes from 127.0.0.1#53 in 6 ms
> Trying "test.example.office.example.com"
> Trying "test.example.backup.example.org"
> Trying "test.example.example.com"
> Trying "test.example.example.org"
> Trying "test.example.winzone.example.com"
> Trying "test.example.nms.example.com"
> Host test.example not found: 3(NXDOMAIN)
> Received 104 bytes from 127.0.0.1#53 in 1 ms
> 
> 
> With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu
> 1:9.9.5.dfsg-3):
> 
> $ host -d test.example
> Trying "test.example"
> Host test.example not found: 3(NXDOMAIN)
> Received 105 bytes from 127.0.0.1#53 in 15 ms
> Received 105 bytes from 127.0.0.1#53 in 15 ms
> 
> 
> So with "host" from bind 9.8 the absolute name is tried first and
> after that the search list is tried.
> 
> With bind 9.9 this is no longer the case.
> 
> Does anyone know if that was a deliberate change? I liked the old
> behaviour because I could search for internal subdomains without
> specifying/knowing the full FQDN.
> 
> As a workaround I raised the ndots value to 2 but that increases the
> number of queries because the searchlist is tried first for things
> like linux.org. Also it increases the potential for MITM as
> "linux.org.example.com." is tried first.
> 
> Regards
> 
> Sebastian
> 
> -- 
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>             -- Terry Pratchett, The Fifth Elephant
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
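
Added example (not part of the original messages and not BIND code): a small model of the lookup orders shown in the "host -d" output above, listing which search-list names are queried before the name that was typed. The function names and the fallback_to_search flag are hypothetical, and the ordering for names with fewer than ndots dots is assumed to follow the conventional resolv.conf(5) behaviour.

```python
# Added illustration: models the lookup orders visible in the thread's
# "host -d" output. Not BIND source code; all names here are hypothetical.

# Search list as it appears in the 9.8 debug output quoted above.
SEARCH = ["office.example.com", "backup.example.org", "example.com",
          "example.org", "winzone.example.com", "nms.example.com"]


def candidates(name, search, ndots=1, fallback_to_search=True):
    """Return the fully qualified names tried for `name`, in order.

    fallback_to_search=True  -> order seen with host from BIND 9.8
    fallback_to_search=False -> order seen with host from BIND 9.9
    """
    if name.endswith("."):
        # A trailing dot makes the name fully qualified: no search list.
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        # Enough dots: the name is tried as-is first.
        return [absolute] + (expanded if fallback_to_search else [])
    # Fewer dots than ndots: search list first, absolute name last
    # (assumption: the conventional resolv.conf(5) ordering).
    return expanded + [absolute]


def tried_before_absolute(name, search, ndots=1):
    """Names queried before the name the user actually typed.

    Each one is a query sent toward a search domain's zone first, which
    is the exposure the original poster describes for ndots=2.
    """
    order = candidates(name, search, ndots)
    return order[:order.index(name.rstrip(".") + ".")]


if __name__ == "__main__":
    for ndots in (1, 2):
        early = tried_before_absolute("linux.org", SEARCH, ndots)
        print(f"ndots={ndots}: {len(early)} search-list queries precede linux.org.")
        for fqdn in early:
            print("   ", fqdn)
```

Writing the name with a trailing dot ("linux.org.") yields a single candidate regardless of ndots, so the search list is never consulted.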

