DNS lookup false positives with: com.co.nz > 208.73.212.12 > information.com
Are any others being affected by the fools who have registered "com.co.nz"? It's been set up as a 'catch all' search engine, for the 'append parent DNS suffix' queries. So a lookup on "abcd.com" that should fail, comes back successful from "abcd.com.co.nz"... :-(
On 30/10/2007, at 9:43 AM, Paul Adshead wrote:
> Are any others being affected by the fools who have registered "com.co.nz"?
> It's been set up as a 'catch all' search engine, for the 'append parent DNS suffix' queries. So a lookup on "abcd.com" that should fail, comes back successful from "abcd.com.co.nz"... :-(
I got caught with this a month or two ago. I mentioned it on the InternetNZ list, as I figured we should stop people registering <tld>.<2ld>.nz, but it turns out the behaviour was deprecated in an RFC several years ago, and most OSes don't do it anymore.

The only OS I've found that does it (by that, I mean it's the only one I looked at) is OS X, and it seems to be in the mDNSResponder stuff. The problem exists in Leopard, and Tiger. Not sure about pre 10.4.

Leopard also has some weird behaviour when asking for AAAA records, but I've got a bit more digging to do there before I can say anything conclusive.

--
Nathan Ward
Nathan Ward wrote:
> I got caught with this a month or two ago. I mentioned it on the InternetNZ list, as I figured we should stop people registering <tld>.<2ld>.nz, but it turns out the behaviour was deprecated in an RFC several years ago, and most OSes don't do it anymore.
> The only OS I've found that does it (by that, I mean it's the only one I looked at) is OS X, and it seems to be in the mDNSResponder stuff. The problem exists in Leopard, and Tiger. Not sure about pre 10.4.
Someone registered nz.gen.nz and that bit me on OS X for years. As far as I recall, if /etc/resolv.conf has "domain X.Y.Z", then OS X searches through each parent subdomain in turn (the way that RFC says not to). If /etc/resolv.conf contains a "search" line instead, then it just goes through the search list as specified.

The domain line appears when I configure the client with DHCP, and the search line appears when I hard code the domain search list in the TCP/IP preferences panel. I haven't tried setting the domain search list through DHCP yet.

Cheers
--
Lloyd Parkes
Senior Systems Programmer
Open Systems
Ph: +64 4 890 2437
On 29-Oct-2007, at 17:56, Lloyd Parkes wrote:
> Someone registered nz.gen.nz and that bit me on OS X for years. As far as I recall, if /etc/resolv.conf has "domain X.Y.Z", then OS X searches through each parent subdomain in turn (the way that RFC says not to).
I was under the impression that OS X uses the BIND9 libresolv to provide the DNS functionality of its lookup service.
> If /etc/resolv.conf contains a "search" line instead, then it just goes through the search list as specified.
So how is this different to any other libresolv-based *ix?

Joe
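Added example, not part of the thread: a short Python check that models the two /etc/resolv.conf cases described above and lists which suffixed names would be tried after a lookup such as "abcd.com" fails, flagging any that fall outside your own zone. The parent-domain walk for a "domain" line, its two-label stopping point, the example.co.nz zone and all function names are assumptions for illustration, not a description of any particular resolver.

```python
# Added illustration (not from the thread). Models the two resolv.conf cases
# Lloyd describes; the parent-domain walk is an assumption, not a claim about
# what any particular resolver implements.

def parse_resolv_conf(text):
    """Return (kind, names) for the last 'domain' or 'search' directive."""
    kind, names = None, []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("domain", "search"):
            kind = fields[0]
            names = [n.rstrip(".").lower() for n in fields[1:]]
    return kind, (names[:1] if kind == "domain" else names)

def suffixes(kind, names, min_labels=2):
    """Suffixes appended after the name as typed has failed to resolve."""
    if kind == "search":
        return list(names)            # explicit list, used exactly as written
    if kind == "domain":
        labels = names[0].split(".")  # walk X.Y.Z, Y.Z ... down to min_labels
        return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]
    return []

def candidates(qname, conf_text):
    """Fully qualified names that would be queried for qname under conf_text."""
    kind, names = parse_resolv_conf(conf_text)
    q = qname.rstrip(".").lower()
    return [f"{q}.{s}" for s in suffixes(kind, names)]

def outside_zone(names, own_zone):
    """Candidates that are not inside own_zone, so someone else may answer."""
    own = own_zone.rstrip(".").lower()
    return [n for n in names if n != own and not n.endswith("." + own)]

# Constructed sample configurations (example.co.nz is a placeholder zone).
DHCP_STYLE = "nameserver 192.0.2.53\ndomain office.example.co.nz\n"
HARD_CODED = "nameserver 192.0.2.53\nsearch office.example.co.nz example.co.nz\n"

if __name__ == "__main__":
    for label, conf in (("domain", DHCP_STYLE), ("search", HARD_CODED)):
        tried = candidates("abcd.com", conf)
        print(label, tried, "leaks:", outside_zone(tried, "example.co.nz"))
```

Under these assumptions the "domain" configuration ends its walk at co.nz and so queries abcd.com.co.nz, while the explicit "search" list never leaves example.co.nz.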
participants (4): Joe Abley, Lloyd Parkes, Nathan Ward, Paul Adshead