
Bug#343140: libc6: resolver always checks search list in /etc/resolv.conf



Hi Gabor,

Gabor Gombas wrote:
> On Mon, Dec 12, 2005 at 09:13:13PM -0800, Edward Buck wrote:
>
>> In a nutshell, when using 'search' lines in /etc/resolv.conf, the
>> resolver always appends listed search domains to a hostname lookup even
>> when the host being searched is fully-qualified (contains one or more dots).
>
> No, a host name containing a dot is _not_ a FQDN. A host name _ending_
> with a dot is a FQDN.

It's fully qualified in the sense that it contains one or more dots,
which according to the documentation determines whether the search list
is referenced.

$ man resolv.conf
...
search Search list for host-name lookup.
       The  search  list  is  normally determined from the local domain
       name; by default, it contains only the local domain name.   This
       may be changed by listing the desired domain search path follow-
       ing the search keyword with spaces or tabs separating the names.
       Resolver  queries having fewer than ndots dots (default is 1) in
       them will be attempted using each component of the  search  path
       in  turn until a match is found.  For environments with multiple
       subdomains please read options ndots:n below  to  avoid  man-in-
       the-middle  attacks  and  unnecessary  traffic for the root-dns-
       servers.  Note that this process may be slow and will generate a
       lot of network traffic if the servers for the listed domains are
       not local, and that queries will time out if no server is avail-
       able for one of the domains.
...

> Using "host.subdomain" while search is set to "some.domain" to access
> "host.subdomain.some.domain" is a common and frequently used feature.

If it's a frequently used feature, it wasn't available until sarge.
Woody did not behave this way (I checked).  Also, this "new" feature
completely breaks software that doesn't expect this feature, since
postfix, telnet and others are doing WAY more DNS queries than they
should.  Depending on how many search domains are listed and how many
caching nameservers are listed, in my case (2 search domains and 2
nameservers) I count at least 4 unnecessary queries.  That's very bad.

As far as the feature you reference, one should be able to change the
'ndots' option in resolv.conf to get the behavior you want.

At the moment, this new behavior is breaking postfix and other software.

>> This results in a LOT of needless DNS traffic.  On a busy mail server,
>> it makes using the 'search' lines extremely expensive (because DNS traffic
>> increases exponentially).
>>
>> Here's an strace of 'telnet mx1.hotmail.com 25'.  Oddly, it seems to do
>> the right thing initially but the fully-qualified lookup must always
>> fail, resulting in subsequent lookups using the search list.
>
> Then use a _real_ FQDN and try 'telnet mx1.hotmail.com. 25' (note the
> terminating dot).

Sure, I can do that with telnet interactively.  How do I tell postfix to
do that without a patch?  I guess I could try setting the ndots option
to postfix's environment but that seems like a bad hack.  The current
behavior makes using the search lines impossible for busy servers,
especially mail servers that do DNS queries for every piece of mail.
Just imagine the excess DNS load on a server processing a million e-mail
messages a day.  That's what I'm seeing.

Thanks for your help.
Regards,
Ed

> 
> Gabor
> 
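As an added illustration (not part of this bug report and not glibc code), a small Python model of the search-list expansion the man page excerpt and the query counts above describe. The fallback order after a failed absolute lookup is a modelling assumption, exposed as a flag so both readings of the behaviour can be compared; the resolv.conf contents are a constructed sample.

```python
# Added example, not glibc code: a model of resolv.conf search-list expansion.
# Assumption: after an absolute lookup of a name with >= ndots dots fails, the
# search domains are still tried (the behaviour the report describes); the
# `fallback_after_absolute` flag turns that off to compare the two readings.

def parse_resolv_conf(text):
    """Parse the 'nameserver', 'search' and 'options ndots:N' lines."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key == "search":
            conf["search"] = args  # a later 'search' line replaces earlier ones
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf

def candidates(name, conf, fallback_after_absolute=True):
    """Names the resolver would try, in order, when looking up `name`."""
    if name.endswith("."):
        return [name]  # trailing dot: absolute name, search list never used
    searched = [f"{name}.{d}." for d in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        # enough dots: try as-is first, then (per the assumption) the search list
        return [name + "."] + (searched if fallback_after_absolute else [])
    return searched + [name + "."]  # too few dots: search list first, then as-is

def wasted_queries(name, conf, record_types=1, fallback_after_absolute=True):
    """Queries beyond the one absolute lookup when every candidate fails,
    assuming each candidate is sent to every nameserver per record type."""
    extra = len(candidates(name, conf, fallback_after_absolute)) - 1
    return extra * len(conf["nameservers"]) * record_types

SAMPLE_RESOLV_CONF = """# constructed sample: two search domains, two nameservers
search example.net corp.example.org
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for n in ("mx1.hotmail.com", "mx1.hotmail.com.", "host.subdomain"):
        print(n, candidates(n, conf), "extra queries:", wasted_queries(n, conf))
```

With the sample above, "mx1.hotmail.com" yields the absolute lookup plus two search-domain candidates, which across two nameservers is the four extra queries counted in the message; raising ndots only changes which candidate is tried first, not whether the search list is consulted.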
