[Unbound-users] Replacing /etc/hosts aliases with local-data: directive

Carsten Strotmann unbound at strotmann.de
Sat Mar 26 10:22:38 UTC 2011


On 3/25/11 3:37 PM, Steve Jenkins wrote:
>  however, the systems in question don't all
> share the same domain name, and can't share the same local-zone. So I
> was looking to avoid having to list all the domains as search targets
> in /etc/resolv.conf and manage a dozen+ /etc/hosts.
Hello Steve,

you are right, multiple entries in the search list are not optimal and
can result in a bad user experience.

However, my recommendation was not to replace the '.local' top-level
domain (TLD) with the original domain names of the machines. Instead, I
recommend replacing the undelegated '.local' domain with a delegated
2nd-level or 3rd-level domain that you own.

It would still be just _one_ domain, only used for the purpose of having
short names for the machines. The 'resolv.conf' searchlist would just
have this one domain entry.

This domain can either be a new 2nd-level domain
('mylocaldomainforshortnames.us' <- silly example, you might want to
have a shorter one :) ) or, if you are able to create DNS-delegated
subdomains of a 2nd-level domain you already own, a 3rd-level domain
(if you already own 'example.com', you can delegate 'local.example.com'
to your authoritative DNS servers and use that single domain name for
the purpose of having short names and a searchlist).

From the user perspective (being able to use single-label names for
commands such as 'ping', 'ftp' etc.), this is the same as using
'.local'. For the Internet infrastructure, it makes a difference. If you
use '.local', any leaking data will hit the root server system.

With a 2nd- or 3rd-level domain, any leaking names will just hit the
authoritative DNS servers for _that_ domain and will not have a negative
impact on the Internet infrastructure.

In my 15 years of experience with DNS I have found that it is almost
impossible to prevent private names from leaking to the Internet (except
for networks that have no direct IP connection to the Internet). While
it is possible to prevent most leaking with a careful configuration of
the resolving DNS servers, I have often seen that the names also appear
inside the payload (badly written network protocols, headers of mail
messages, logfiles ...) and get looked up in DNS at a place where you do
not have control over the DNS. I have so far not seen anyone succeed in
completely preventing leakage of internal names. That is very, very hard
to do.

If you look at the graph from the root server I sent in my previous
mail, that chart is full of names (.belkin, .lan, .corp, .home, .domain,
.prv, .localdomain ...) whose 'inventors' (the companies and persons who
created them for 'local only use') thought they had the problem of
leakage under control. The real-world data from the root server shows
that it is not under control.

However, take this with a grain of salt. I'm not the DNS police :)

This is just a recommendation.

Have a good weekend

Carsten
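The configuration below is an added example to illustrate the recommendation above; it is not from the original post or from the Unbound project. It assumes you own example.com and have delegated local.example.com to the resolvers running this config, and that the clients use this resolver. The host names and the 10.0.0.0/24 addresses are constructed for illustration.

```conf
# unbound.conf (added example, not the original poster's configuration)
server:
    # Before: an undelegated pseudo-TLD. Any query that escapes this
    # resolver (laptop off-site, name pasted into a mail header, a log
    # tool on another network) ends up at the root servers, which hold
    # no delegation for "local."
    #local-zone: "local." static
    #local-data: "fileserver.local. A 10.0.0.10"

    # After: one delegated zone that you control. A leaked query is
    # answered by your own authoritative servers for local.example.com,
    # not by the root server system.
    #
    # "static" means: answer from local-data if the name is listed,
    # otherwise answer NXDOMAIN here instead of sending the query
    # upstream. That keeps lookups for unknown short names on this
    # resolver as well. (Use "transparent" if the delegated zone also
    # carries names that should still be resolved upstream.)
    local-zone: "local.example.com." static
    local-data: "fileserver.local.example.com. A 10.0.0.10"
    local-data: "printer.local.example.com.    A 10.0.0.20"
    local-data: "gitbox.local.example.com.     A 10.0.0.30"

    # Reverse entries, so PTR lookups from log and monitoring tools are
    # also answered locally rather than leaking.
    local-data-ptr: "10.0.0.10 fileserver.local.example.com"
    local-data-ptr: "10.0.0.20 printer.local.example.com"
    local-data-ptr: "10.0.0.30 gitbox.local.example.com"

# /etc/resolv.conf on each client: exactly one search-list entry, so that
# 'ping fileserver' is looked up as fileserver.local.example.com.
# 10.0.0.53 is the assumed address of the Unbound resolver above.
nameserver 10.0.0.53
search local.example.com
```

After reloading Unbound, `unbound-host fileserver.local.example.com` on the resolver and `ping fileserver` on a client should both return 10.0.0.10, while a name that is not listed (for example `nothere.local.example.com`) gets NXDOMAIN from the resolver instead of being forwarded. The leakage point of the post still applies: a client that is not using this resolver will send the same query to whatever resolver it has, and from there to the authoritative servers for local.example.com, which is exactly where you want it to land rather than at the root.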
