How to disable DNS lookups?

Viktor Dukhovni Viktor.Dukhovni at twosigma.com
Thu Jul 27 01:12:39 CEST 2017


On Wed, Jul 26, 2017 at 03:08:30PM -0700, Henry B (Hank) Hotz, CISSP wrote:

> > Then the explicit trailing dots in /etc/hosts look indeed
> > like a reasonable trade-off.
> 
> Actually, isn’t the trailing dot just a red herring?

No.

> The RR is guaranteed to return a name which has an A/AAAA record.

It is not.  SRV RRs can and sometimes do reference names that don't exist.
Ditto with MX records, ...  Even when the name exists a lookup can
time out.

> therefore no search list will be exercised. <pun>period!</pun> The first
> lookup must succeed, by design.

Whether the first lookup is absolute or uses the search list depends on
"ndots" (which Heimdal does not control and has no knowledge of), and
in any case that lookup can fail.

-- 
	Viktor.
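
The dependence on "ndots" and the trailing dot described in the message above, as an added example that is not part of the original post or of Heimdal: a small model of the order in which a glibc-style stub resolver tries candidate names. The resolv.conf contents and host names are constructed, and the ordering rule is modelled on glibc's search behaviour as an assumption; other resolvers may differ.

```python
# Added illustration: candidate-name order of a glibc-style stub resolver.
# SAMPLE_RESOLV_CONF and all host names are constructed sample values.

SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
search corp.example.com example.com
options ndots:2 timeout:1
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots); ndots defaults to 1 when not set."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] in ("search", "domain"):
            search = fields[1:]          # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt.split(":", 1)[1]), 15)  # glibc caps at 15
    return search, ndots


def candidates(name, search, ndots):
    """List the fully qualified names tried, in order, until one resolves."""
    if name.endswith("."):
        return [name]                    # absolute: search list never applies
    as_is = name + "."
    expanded = [f"{name}.{dom.rstrip('.')}." for dom in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded        # absolute first, search list on failure
    return expanded + [as_is]            # search list first, absolute last


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for host in ("kdc1.example.org.", "kdc1.example.org", "kdc1.lab"):
        print(f"{host:20} -> {candidates(host, search, ndots)}")
```

Only the trailing-dot form yields a single candidate; for the other two, a failed or timed-out first lookup moves on to the next name in the list.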

