Chris Adams wrote:
> Once upon a time, Roberto Ragusa <mail@xxxxxxxxxxxxxxxx> said:
>> But there is another problem which I'm not able to solve easily:
>> if you try to resolve www.google.com and you have
>> "search my.corp.com" in /etc/resolv.conf, a query for
>> www.google.com.my.corp.com will be tried first.
>> The only solution I know is to use "www.google.com.",
>> with a final dot, but that would mean changing every domain
>> in every config (including rewiring my brain to always
>> append an extra dot :-) ).
>
> That would be a bug according to the documentation. If at least 1 (by
> default) dot appears, the initial query is supposed to be the absolute
> query. See the man pages for resolv.conf and resolver. I don't see the
> same behavior (it works the documented way for me).

Hmm, I was sure to have often seen this stuff in wireshark logs.
Done some tests, with following results.

If you have a dot at the end, it's an absolute query and nothing else.

If you don't have a dot at the end and you are below ndots threshold,
suffixed queries and nothing else.

If you don't have a dot at the end and you are at/above ndots threshold,
absolute query and (on failure) then suffixed queries.

So, you're right in correcting me: in normal conditions the resolver
is not leaking info about the domain I visit to my.corp.com DNS servers.
But it indeed happens when I mistype www.google.xom for www.google.com,
as it attempts www.google.xom.my.corp.com.

It would be nice to have a hard ndots option:
"only try suffixes if less than ndots dots"

Rethinking about it... ndots currently can avoid the absolute query.
No way to avoid the suffixed queries.
What about having two options:
- mindotsforabsolute (a.k.a. ndots, default 1)
- maxdotsforsuffixed (new option to avoid suffixed queries, default
  infinite, but in my case I'd like to put a 0 here)

What is the right place to propose that as an enhancement?

Best regards.
--
   Roberto Ragusa    mail at robertoragusa.it
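
The lookup order reported in the message above, modelled as an added example that is not part of the original post. `max_dots_for_suffixed` stands in for the proposed `maxdotsforsuffixed` option, which is hypothetical and not an existing resolv.conf setting; the search list and the set of resolvable names are constructed sample data.

```python
# Added example: models the three cases reported in the message, not glibc code.

def candidate_queries(name, search, ndots=1, max_dots_for_suffixed=None):
    """Return the names the resolver would try, in order."""
    if name.endswith("."):
        return [name]                       # trailing dot: absolute query only
    dots = name.count(".")
    suffixed = [f"{name}.{domain.strip('.')}." for domain in search]
    # Hypothetical hard limit proposed in the message (None = "infinite").
    if max_dots_for_suffixed is not None and dots > max_dots_for_suffixed:
        suffixed = []
    if dots < ndots:
        return suffixed                     # below ndots: suffixed queries only
    return [name + "."] + suffixed          # at/above ndots: absolute first


def queries_sent(name, search, existing, **options):
    """Walk the candidates until one resolves; return what went on the wire."""
    sent = []
    for query in candidate_queries(name, search, **options):
        sent.append(query)
        if query in existing:               # answer found, the resolver stops
            break
    return sent


# Constructed sample data: one search domain, two names that resolve.
SEARCH = ["my.corp.com"]
EXISTING = {"www.google.com.", "intranet.my.corp.com."}

if __name__ == "__main__":
    cases = [
        ("www.google.com", {}),                            # normal lookup
        ("www.google.xom", {}),                            # typo: falls through
        ("www.google.xom", {"max_dots_for_suffixed": 0}),  # proposed option
        ("intranet", {}),                                  # short internal name
    ]
    for name, options in cases:
        sent = queries_sent(name, SEARCH, EXISTING, **options)
        print(f"{name!r} {options}: {sent}")
```

Comparing the second and third cases shows the mistyped name reaching the `my.corp.com` servers only when no limit on suffixed queries is set.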