Re: nsswitch what should come first
Lee, Jeffrey, David,
Thank you for your replies.
There is much about DNS and networking that I have yet to learn. My knowledge is usually enough to set up working systems that [hopefully] do not collide with other systems, but not enough to understand further details or to fully understand if what I do is correct, as in industry standard, or how to do it better. Your responses have given me more details to study.
Do you know if there is a good place to post Bind9 DNS server configuration questions to?
I desire to set up an isolated-from-the-Internet environment to test DMARC and DNSSEC protected email systems, hence I want to replicate the Internet's DNS system, or to put it another way, configure TLD nameservers for a chain of trust in my isolated network that is not able to reach ICANN's real TLD nameservers.
https://www.neatcode.org/dns/
Chain of Trust: DNSSEC establishes a chain of trust from the root zone (represented by the “.” at the top of the DNS hierarchy) down to the individual domain.
I guess the correct thing would be to purchase a domain name just for testing, and then I could test as I wanted, but then I would need hosting of the domain name that also supports DNSSEC (more expense). Though this also takes away some of the configuration from me, and hence a reduction in understanding of how it works.
https://www.cloudflare.com/en-au/learning/dns/dns-records/dns-dmarc-record/
Domain-based Message Authentication Reporting and Conformance (DMARC) is a method of authenticating email messages. A DMARC policy tells a receiving email server what to do after checking a domain's Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, which are additional email authentication methods.
On Friday, 02-08-2024 at 11:15 Lee wrote:
> On Thu, Aug 1, 2024 at 7:41 PM George at Clug wrote:
> >
> > On Friday, 02-08-2024 at 00:48 David Wright wrote:
> > > On Thu 01 Aug 2024 at 10:32:27 (-0400), Greg Wooledge wrote:
> > > > On Thu, Aug 01, 2024 at 14:30:05 +0000, fxkl47BF@protonmail.com wrote:
> > > > > my nsswitch.conf is "hosts: files mdns4_minimal [NOTFOUND=return] dns"
> > > > > i don't remember changing it in the past few decades
> > > > > i recently had a situation that made me question the ordering
> > > > > my dns server is my primary router
> > > > > should dns be first
> > > >
> > > > It would be *extremely* unusual to want to consult DNS before /etc/hosts.
> > > > I recommend leaving files first unless you have a *really* good reason
> > > > to switch them.
> > > >
> > > > I have no comment on mdns4_minimal because I don't really know what that
> > > > is.
> > >
> > > AIUI mdns4_minimal is for devices that configure themselves using
> > > multicast DNS on .local. If you put dns first, then the names of any
> > > .local devices will be leaked out of your LAN and on to the Internet's
> > > DNS servers. [NOTFOUND=return] is what prevents that happening IF you
> > > leave the order alone.
> >
> > > (BTW don't use .local for your LAN domain name.)
> >
> > Why is that? (recently I was starting to believe I should stop using the domain names I had chosen, and start using (what I thought was) the standard of .local)
>
> Because .local is used for names that can be resolved by multicast
> DNS. See the wikipedia article
> https://en.wikipedia.org/wiki/.local
>
> > Is it your personal preference, or a technical necessity?
>
> to quote from wikipedia
Yes, due to past work experience, this was my understanding...
https://en.wikipedia.org/wiki/.local
Microsoft TechNet article 708159[7] suggested .local for the exact opposite reason:
Using the .local label for the full DNS name for the internal domain is a more secure configuration because the .local label is not registered for use on the Internet. This separates your internal domain from your public Internet domain name.
By default, a freshly installed Windows Server 2016 Essentials also adds .local as the default dns-prefix when a user doesn't select the advanced option, resulting in a domain with .local extension.
https://www.ietf.org/rfc/rfc6762.txt
This document specifies that the DNS top-level domain ".local." is a
special domain with special semantics, namely that any fully
qualified name ending in ".local." is link-local, and names within
this domain are meaningful only on the link where they originate.
https://www.icann.org/en/board-activities-and-meetings/materials/approved-board-resolutions-regular-meeting-of-the-icann-board-04-02-2018-en#2.c
However, the New gTLD Program has brought renewed attention to this issue of queries for undelegated TLDs at the root level of the DNS because certain applied-for new TLD strings could be identical to name labels used in private networks (i.e., .HOME, .CORP, and .MAIL).
> Linux distributions use the Name Service Switch configuration file
> /etc/nsswitch.conf[9] in which mDNS name resolution was
> added via the mdns4_minimal plugin to nsswitch. In this
> configuration, where mdns4_minimal precedes the standard dns option,
> which uses /etc/resolv.conf, the mDNS resolution will block
> subsequent DNS resolution on the local network.
>
> > What is best practice for a local LAN prefix? (I have never found conclusive instruction).
>
> home.arpa
> see https://www.rfc-editor.org/rfc/rfc8375.html
A fairly straightforward statement in this RFC, just not sure if I could get used to using .arpa as a suffix. But it seems like a great choice?
>
> > It is my belief that .local is a MS idea originating from the configuration of their servers. Is this correct?
>
> again, quoting from the .local wikipedia article
> Microsoft TechNet article 708159[7] suggested .local ...
> but later recommended against it
https://en.wikipedia.org/wiki/.local
If you have *Macintosh client computers* that are running the Macintosh OS X version 10.3 operating system or later, ... it is recommended that you do not use the .local label for the full DNS name of your internal domain.
>
> Regards,
> Lee
>
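As an added illustration of the ordering question discussed in this thread (this is example code written here, not code from any of the posters or from glibc), the following Python script parses an nsswitch.conf "hosts:" line, applies the [STATUS=action] rules the way glibc's Name Service Switch does (SUCCESS=return, everything else continue, unless overridden), and traces which sources would actually be consulted for a given name. The per-source outcomes are simulated, not real lookups: "files" is assumed to succeed only for names in a small constructed hosts map, "mdns4_minimal" is assumed to answer NOTFOUND for a .local name that no device on the link claims and to decline (UNAVAIL) anything outside .local, and "dns" is simply recorded as having been asked. The host names "printer.local", "example.com" and "myhost" and the hosts map are constructed for the example. The trace makes the leak visible: with "files mdns4_minimal [NOTFOUND=return] dns" a .local name never reaches unicast DNS, whereas with "dns" moved first it does.

```python
"""Simulate glibc NSS 'hosts:' ordering and flag .local leakage to unicast DNS.

Example code only; source outcomes are modelled, no real lookups are done.
"""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: stop on success, otherwise fall through to the next source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Constructed stand-in for /etc/hosts (assumption for the example).
SAMPLE_HOSTS_FILE = {"myhost": "10.0.0.5"}


def parse_hosts_line(line):
    """Parse 'hosts: files mdns4_minimal [NOTFOUND=return] dns' into an
    ordered list of (source, actions); actions maps status -> return/continue/merge.
    Handles both '[STATUS=action]' and the negated '[!STATUS=action]' form."""
    _, sep, spec = line.partition(":")
    if not sep:
        raise ValueError("expected a 'database: sources' line")
    spec = spec.split("#", 1)[0]            # drop trailing comment
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any source")
        actions = entries[-1][1]
        for item in tok[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue", "merge"):
                raise ValueError(f"bad action spec {item!r}")
            for s in STATUSES:
                if (s != status) if negate else (s == status):
                    actions[s] = action
    return entries


def simulate_source(source, name, hosts_file):
    """Modelled outcome of one NSS source (assumption for this simulation)."""
    if source == "files":
        return "SUCCESS" if name in hosts_file else "NOTFOUND"
    if source.startswith("mdns") and source.endswith("_minimal"):
        # The *_minimal nss-mdns modules only handle names under .local (and
        # link-local addresses); anything else they decline with UNAVAIL, so
        # the chain moves on to 'dns'. A .local name nobody answers -> NOTFOUND.
        return "NOTFOUND" if name.endswith(".local") else "UNAVAIL"
    if source == "dns":
        # Unicast DNS is *asked*; for leak detection only that fact matters.
        return "NOTFOUND"
    return "UNAVAIL"                        # unknown module: skipped


def resolve_trace(hosts_line, name, hosts_file=None):
    """Return, in order, the sources that would be consulted for `name`."""
    hosts_file = SAMPLE_HOSTS_FILE if hosts_file is None else hosts_file
    name = name.rstrip(".").lower()
    consulted = []
    for source, actions in parse_hosts_line(hosts_line):
        consulted.append(source)
        if actions[simulate_source(source, name, hosts_file)] == "return":
            break
    return consulted


def leaks_dot_local(hosts_line):
    """True if a .local name would ever be sent to the unicast DNS resolver."""
    return "dns" in resolve_trace(hosts_line, "printer.local")


if __name__ == "__main__":
    for line in ("hosts: files mdns4_minimal [NOTFOUND=return] dns",
                 "hosts: files dns mdns4_minimal",
                 "hosts: dns files"):
        print(line)
        for name in ("printer.local", "example.com", "myhost"):
            print(f"  {name:14} -> {' -> '.join(resolve_trace(line, name))}")
        print("  leaks .local to unicast DNS:", leaks_dot_local(line))
```

Running it shows the three orderings side by side; the stock Debian line stops at mdns4_minimal for printer.local, "files dns mdns4_minimal" asks the router's DNS for it first, and "dns files" queries DNS even for myhost that /etc/hosts already answers.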