BIND will completely drop D-BUS dynamic forwarders table support
Roberto Ragusa
mail at robertoragusa.it
Fri Dec 28 22:01:29 UTC 2007
Chris Adams wrote:
> Once upon a time, Roberto Ragusa <mail at robertoragusa.it> said:
>> But there is another problem which I'm not able to solve easily:
>> if you try to resolve www.google.com and you have
>> "search my.corp.com" in /etc/resolv.conf, a query for
>> www.google.com.my.corp.com will be tried first.
>> The only solution I know is to use "www.google.com.",
>> with a final dot, but that would mean changing every domain
>> in every config (including rewiring my brain to always
>> append an extra dot :-) ).
>
> That would be a bug according to the documentation. If at least 1 (by
> default) dot appears, the initial query is supposed to be the absolute
> query. See the man pages for resolv.conf and resolver. I don't see the
> same behavior (it works the documented way for me).

Hmm, I was sure to have often seen this stuff in wireshark logs.

Done some tests, with following results.

If you have a dot at the end, it's an absolute query and nothing else.

If you don't have a dot at the end and you are below ndots threshold,
suffixed queries and nothing else.

If you don't have a dot at the end and you are at/above ndots threshold,
absolute query and (on failure) then suffixed queries.

So, you're right in correcting me: in normal conditions the resolver
is not leaking info about the domain I visit to my.corp.com DNS servers.
But it indeed happens when I mistype www.google.xom for
www.google.com, as it attempts www.google.xom.my.corp.com.

It would be nice to have a hard ndots option:
"only try suffixes if less than ndots dots"

Rethinking about it...
ndots currently can avoid the absolute query.
No way to avoid the suffixed queries.
What about having two options:
- mindotsforabsolute (a.k.a. ndots, default 1)
- maxdotsforsuffixed (new option to avoid suffixed queries, default
  infinite, but in my case I'd like to put a 0 here)

What is the right place to propose that as an enhancement?

Best regards.
--
Roberto Ragusa mail at robertoragusa.it
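
The three query orders reported in the message above, together with the proposed maxdotsforsuffixed option, as an added Python example that is not part of the original message and is not taken from any resolver's source. The function names `query_order` and `leaked` are hypothetical, maxdotsforsuffixed exists only as the proposal in this message (it is not a resolv.conf option), and it is assumed here to mean "append search suffixes only when the name has at most that many dots".

```python
import math

# Search list from the message's resolv.conf example.
SEARCH = ["my.corp.com"]


def query_order(name, search, ndots=1, maxdotsforsuffixed=math.inf):
    """Return the (qname, kind) pairs a resolver would try, in order.

    Later entries are only sent if the earlier ones fail. The order follows
    the test results reported in the message; maxdotsforsuffixed is the
    proposed (hypothetical) option, with assumed semantics.
    """
    if name.endswith("."):
        # Trailing dot: absolute query and nothing else.
        return [(name, "absolute")]

    dots = name.count(".")
    absolute = (name + ".", "absolute")

    suffixed = []
    if dots <= maxdotsforsuffixed:  # assumption: at most N dots gets suffixes
        suffixed = [(f"{name}.{d.rstrip('.')}.", "suffixed") for d in search]

    if dots < ndots:
        # Below the ndots threshold: suffixed queries only, as reported.
        # Assumption: if nothing is left to try, fall back to the absolute name.
        return suffixed or [absolute]

    # At or above the threshold: absolute first, then suffixed on failure.
    return [absolute] + suffixed


def leaked(name, search, **opts):
    """Query names that would expose `name` to the search-domain DNS servers."""
    return [q for q, kind in query_order(name, search, **opts) if kind == "suffixed"]


if __name__ == "__main__":
    # Constructed sample names, including the typo from the message.
    for n in ("www.google.com.", "www", "www.google.com", "www.google.xom"):
        print(f"{n:18} default: {query_order(n, SEARCH)}")
        print(f"{'':18} max=0  : {query_order(n, SEARCH, maxdotsforsuffixed=0)}")
    print("leak with default:", leaked("www.google.xom", SEARCH))
    print("leak with max=0  :", leaked("www.google.xom", SEARCH, maxdotsforsuffixed=0))
```
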