How to disable DNS lookups?


How to disable DNS lookups?

Heikki Lindholm
Hello list,

Out of laziness I'll just copy & paste an issue I sent to a freebsd ml
(without responses):
---------------------------------------------------------------------
I'm trying to mount a kerberized NFSv4 share on FreeBSD 11. It's an
experimental setup without DNS; only /etc/hosts based lookup. I can't
even get kinit to work and, expectedly, mounting also fails. The problem
is that kinit stubbornly tries to get the kerberos kdc records from DNS,
although the server's ip is specified in /etc/hosts and it's in
krb5.conf and additionally krb5.conf is set to not do any DNS lookups.

So, I installed MIT kerberos and that version of kinit works fine, but
the problem then is, how to make mount use the MIT version?
----------------------------------------------------------------------

The Heimdal version identifies itself as 1.5.2. The main problem is that
Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
address, but goes to DNS, and fails.

Maybe someone here can help? Of course, I can edit the freebsd source
and rebuild Heimdal, but I'd rather not if I could configure my way out
of this.

Regards,
Heikki Lindholm

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>

> The Heimdal version identifies itself as 1.5.2. The main problem is that
> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
> address, but goes to DNS, and fails.

1.5.2 is quite old and, IIRC, I've seen this before.  You can work
around it by adding the kdc name with a dot at the end as an alias in
the hosts file.

So, if your kdc is kdc1.example.com, then your /etc/hosts line should
look like this:

1.2.3.4 kdc1.example.com kdc1.example.com. kdc1

or something quite like that.

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

Heikki Lindholm
On 24.07.2017 19:40, Roland C. Dowdeswell wrote:

> On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>>
>
>> The Heimdal version identifies itself as 1.5.2. The main problem is that
>> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
>> address, but goes to DNS, and fails.
>
> 1.5.2 is quite old and, IIRC, I've seen this before.  You can work
> around it by adding the kdc name with a dot at the end as an alias in
> the hosts file.

Thank you very much. That trick did it. It's weird, though. I would have
likely never arrived at the same solution by myself.

FreeBSD appears unwilling to update the base system heimdal as it has
been the same for several releases already. I have no idea why.

Re: How to disable DNS lookups?

Benjamin Kaduk
On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>
> Thank you very much. That trick did it. It's weird, though. I would have
> likely never arrived at the same solution by myself.

I'll second the thanks, as I've run into this same issue many times
(and usually ended up just reverting to MIT kerberos, which I know better).

> FreeBSD appears unwilling to update the base system heimdal as it has
> been the same for several releases already. I have no idea why.

It is relatively recent that there was a newer actual heimdal release
that FreeBSD could even consider upgrading to.  Given how importing
a development snapshot worked for Debian, I don't blame FreeBSD for
choosing to wait for official releases.

There is some effort underway to modernize the Kerberos offerings for
FreeBSD, though there is not much concrete to show for it, yet.

-Ben

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
In reply to this post by Heikki Lindholm
On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>

> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
> >On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
> >>
> >
> >>The Heimdal version identifies itself as 1.5.2. The main problem is that
> >>Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
> >>address, but goes to DNS, and fails.
> >
> >1.5.2 is quite old and, IIRC, I've seen this before.  You can work
> >around it by adding the kdc name with a dot at the end as an alias in
> >the hosts file.
>
> Thank you very much. That trick did it. It's weird, though. I would have
> likely never arrived at the same solution by myself.

It's a work-around in the Heimdal code which appends a trailing dot to
hostnames when looking them up to avoid the DNS search path specified
in /etc/resolv.conf.  Viktor and I discussed relaxing this yesterday
because we believe that it is counter-intuitive.  It certainly confused
me, but I worked it out by reading the code rather than the documentation.
The approach that we think will work in the short term is to append the
trailing dot iff the hostname came from DNS SRV RRs as they should not
honour the DNS search path.  The existing behaviour will be able to be
replicated by those who are using /etc/krb5.conf by appending their own
trailing dot to the configured names.

In the longer term, we should likely stop using getaddrinfo(3) for names
obtained from DNS SRV RRs and directly query DNS for them as this matches
expectations.  That is: you wouldn't expect that if you find

_kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm

that an entry for foo.my.realm in /etc/hosts would then override the
DNS for it.

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

Russ Allbery-2
"Roland C. Dowdeswell" <[hidden email]> writes:

> In the longer term, we should likely stop using getaddrinfo(3) for names
> obtained from DNS SRV RRs and directly query DNS for them as this matches
> expectations.  That is: you wouldn't expect that if you find

> _kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm

> that an entry for foo.my.realm in /etc/hosts would then override the
> DNS for it.

Eh?  I *absolutely* would expect that and would consider it a bug if it
did not.  It is incredibly useful for testing to be able to temporarily
override the IP address of a host in /etc/hosts, and I expect all software
to honor that.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

Heikki Lindholm
In reply to this post by Roland C. Dowdeswell-2
On 25.07.2017 17:00, Roland C. Dowdeswell wrote:

> On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>>
>
>> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
>>> On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>>>>
>>>
>>>> The Heimdal version identifies itself as 1.5.2. The main problem is that
>>>> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
>>>> address, but goes to DNS, and fails.
>>>
>>> 1.5.2 is quite old and, IIRC, I've seen this before.  You can work
>>> around it by adding the kdc name with a dot at the end as an alias in
>>> the hosts file.
>>
>> Thank you very much. That trick did it. It's weird, though. I would have
>> likely never arrived at the same solution by myself.
>
> It's a work-around in the Heimdal code which appends a trailing dot to
> hostnames when looking them up to avoid the DNS search path specified
> in /etc/resolv.conf.  Viktor and I discussed relaxing this yesterday
> because we believe that it is counter-intuitive.  It certainly confused
> me, but I worked it out by reading the code rather than the documentation.
> The approach that we think will work in the short term is to append the
> trailing dot iff the hostname came from DNS SRV RRs as they should not
> honour the DNS search path.  The existing behaviour will be able to be
> replicated by those who are using /etc/krb5.conf by appending their own
> trailing dot to the configured names.
>
> In the longer term, we should likely stop using getaddrinfo(3) for names
> obtained from DNS SRV RRs and directly query DNS for them as this matches
> expectations.  That is: you wouldn't expect that if you find

Isn't nsswitch.conf there to let the user specify which lookup to prefer
for getaddrinfo() and others?

MIT krb5's behaviour at least was exactly what I expected, i.e. if
there's a "kdc = kdc.foo.bar" in krb5.conf, kinit does the same kind of
lookup as "ping kdc.foo.bar" does (= in my case takes it from /etc/hosts
without DNS involvement).

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
In reply to this post by Russ Allbery-2
On Tue, Jul 25, 2017 at 08:45:44AM -0700, Russ Allbery wrote:

> "Roland C. Dowdeswell" <[hidden email]> writes:
>
> > In the longer term, we should likely stop using getaddrinfo(3) for names
> > obtained from DNS SRV RRs and directly query DNS for them as this matches
> > expectations.  That is: you wouldn't expect that if you find
>
> > _kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm
>
> > that an entry for foo.my.realm in /etc/hosts would then override the
> > DNS for it.
>
> Eh?  I *absolutely* would expect that and would consider it a bug if it
> did not.  It is incredibly useful for testing to be able to temporarily
> override the IP address of a host in /etc/hosts, and I expect all software
> to honor that.

SRV RRs are essentially a generalisation of CNAMEs or perhaps MX records.
It is counter-intuitive to expect that /etc/hosts will interpose in the
middle of a lookup.  Even using getaddrinfo(3) as demonstrated below,
we see that /etc/hosts does not interpose when resolving CNAMEs into
addresses.

$ dig www.imrryr.org
.
.
.
www.imrryr.org.         600     IN      CNAME   mournblade.imrryr.org.
mournblade.imrryr.org.  600     IN      A       108.5.242.66
.
.
.
$ grep mournblade /etc/hosts
1.1.1.1 mournblade.imrryr.org
$ getent hosts www.imrryr.org
108.5.242.66    mournblade.imrryr.org www.imrryr.org

As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
defined in DNS and does not consult /etc/hosts in the middle of a
single lookup.  This is exactly analogous to our proposal which is to
eventually disable the /etc/hosts lookup by not using getaddrinfo(3)
when resolving the intermediate DNS results returned by the SRV RRs.

MTAs, e.g., expressly go out of their way to resolve the hostnames obtained
from MX records via DNS and not getaddrinfo(3).  However, just as we are
proposing, MTAs will use names directly from /etc/hosts if no MX RRs
are found---or if they are configured to directly communicate with a
host via a transport/mailer table override or the like.

There are many reasons for this behaviour but the main ones are:

        1.  it isn't intuitive to bounce back and forth between different
            name spaces in the midst of a query, and

        2.  DNS SRV RRs contain fully qualified domain names and
            getaddrinfo(3) does not have a standard way of disabling the
            search path.  The fact that Heimdal appends a dot to disable
            the search is a work-around which causes additional unintended
            confusion as we have previously seen on this thread.

So, I think that our best short term path forward is to restrict the
current dot-appending work-around to names obtained via DNS SRV RRs.
This matches the current MIT Kerberos behaviour as seen in:

https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/dnssrv.c#L235

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

u-hd-phes
On Tue, Jul 25, 2017 at 02:58:29PM -0400, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 08:45:44AM -0700, Russ Allbery wrote:
> > Eh?  I *absolutely* would expect that and would consider it a bug if it
> > did not.  It is incredibly useful for testing to be able to temporarily
> > override the IP address of a host in /etc/hosts, and I expect all software
> > to honor that.
>
> SRV RRs are essentially a generalisation of CNAMEs or perhaps MX records.

We can also say SRV RRs are a more elegant expression of the main DNS
purpose: to map service names to endpoints.
(This was historically inconsistently done by static allocation of service
port numbers combined with collective naming of _sets_ of services aka
hostnames, the result complemented by the regrettably incomplete solutions
like MX and AFSDB. Thus, SRV RRs are a great step forward.)

> It is counter-intuitive to expect that /etc/hosts will interpose in the
> middle of a lookup.

I second Russ and do not agree with you on this point.

Given that SRV records as a matter of fact are defined via A[AAA] records,
(and given that A lookups historically _are_ interposed by /etc/hosts)
what says that /etc/hosts are to be ignored if an A lookup happens as
a consequence of an SRV one?

> As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
> defined in DNS and does not consult /etc/hosts in the middle of a

You refer to a certain implementation which is not a specification
by itself. What do the applicable standards say?

Regards,
Rune


Re: How to disable DNS lookups?

Russ Allbery-2
[hidden email] writes:
> On Tue, Jul 25, 2017 at 02:58:29PM -0400, Roland C. Dowdeswell wrote:

>> It is counter-intuitive to expect that /etc/hosts will interpose in the
>> middle of a lookup.

> I second Russ and do not agree with you on this point.

> Given that SRV records as a matter of fact are defined via A[AAA]
> records, (and given that A lookups historically _are_ interposed by
> /etc/hosts) what says that /etc/hosts are to be ignored if an A lookup
> happens as a consequence of an SRV one?

Yup, agreed.  I'm unconvinced by the argument that this is confusing.

My mental model of how an implementation that uses SRV records works is
that it does a SRV query to find the list of hosts and weights, and then,
for each host in weight order, does a gethostinfo(3) call on that
hostname.  This will, in fact, interpose /etc/hosts with a standard
nsswitch configuration.  Now, perhaps my mental model is wrong for a given
implementation, but (a) the resulting behavior is very useful for testing
and something I've used for years, and (b) it's not an *unreasonable*
mental model, or particularly confusing.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

Henry B (Hank) Hotz, CISSP-2
In reply to this post by Roland C. Dowdeswell-2
I’m with Russ on this one, too. I’ve done /etc/hosts based deployments for robustness against DNS-failure scenarios.

POSIX getaddrinfo() does not require DNS. It’s an interface to the system and whatever it uses. The system should be configurable to use whatever name resolution is appropriate with as little surprise as possible.

> On Jul 25, 2017, at 11:58 AM, Roland C. Dowdeswell <[hidden email]> wrote:
>
> On Tue, Jul 25, 2017 at 08:45:44AM -0700, Russ Allbery wrote:
>> "Roland C. Dowdeswell" <[hidden email]> writes:
>>
>>> In the longer term, we should likely stop using getaddrinfo(3) for names
>>> obtained from DNS SRV RRs and directly query DNS for them as this matches
>>> expectations.  That is: you wouldn't expect that if you find
>>
>>> _kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm
>>
>>> that an entry for foo.my.realm in /etc/hosts would then override the
>>> DNS for it.
>>
>> Eh?  I *absolutely* would expect that and would consider it a bug if it
>> did not.  It is incredibly useful for testing to be able to temporarily
>> override the IP address of a host in /etc/hosts, and I expect all software
>> to honor that.
>
> SRV RRs are essentially a generalisation of CNAMEs or perhaps MX records.
> It is counter-intuitive to expect that /etc/hosts will interpose in the
> middle of a lookup.

. . .


Personal email.  [hidden email]

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
On Tue, Jul 25, 2017 at 06:14:36PM -0700, Henry B (Hank) Hotz, CISSP wrote:
>

> I'm with Russ on this one, too. I've done /etc/hosts based
> deployments for robustness against DNS-failure scenarios.
>
> POSIX getaddrinfo() does not require DNS. It's an interface to
> the system and whatever it uses. The system should be configurable to
> use whatever name resolution is appropriate with as little surprise
> as possible.

I use /etc/hosts based deployments as well and note that there are many
advantages.  We are not suggesting that we break this.  If you specify
hosts in /etc/krb5.conf, then we will continue to use getaddrinfo(3)
to look them up.  In fact, we have recently fixed this because Heimdal
used to unconditionally add a trailing dot to kdc names which makes
using /etc/hosts difficult unless you know this [undocumented] piece
of information.

But, if you specify:

[libdefaults]
        dns_lookup_kdc = true

And there are no KDCs configured in /etc/krb5.conf for the realm that
you are querying, you will use DNS SRV RRs.  And, we think that once you
have retrieved hostnames from DNS SRV RRs that they should be looked up
only in DNS and not subjected to search lists and the like.

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

Russ Allbery-2
In reply to this post by Russ Allbery-2
Russ Allbery <[hidden email]> writes:

> My mental model of how an implementation that uses SRV records works is
> that it does a SRV query to find the list of hosts and weights, and then,
> for each host in weight order, does a gethostinfo(3) call on that
> hostname.

Apologies, that of course was supposed to be getnameinfo(3).

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
In reply to this post by u-hd-phes
On Tue, Jul 25, 2017 at 11:20:57PM +0200, [hidden email] wrote:
>

> > As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
> > defined in DNS and does not consult /etc/hosts in the middle of a
>
> You refer to a certain implementation which is not a specification
> by itself. What do the applicable standards say?

Since we are discussing our processing of SRVs rather than CNAMEs, I'll
limit my conversation to the relevant standards for SRVs.

From RFC2782[1] page 4, the target of a SRV RR:

   Target
        The domain name of the target host.  There MUST be one or more
        address records for this name, the name MUST NOT be an alias (in
        the sense of RFC 1034 or RFC 2181).  Implementors are urged, but
        not required, to return the address record(s) in the Additional
        Data section.  Unless and until permitted by future standards
        action, name compression is not to be used for this field.

        A Target of "." means that the service is decidedly not
        available at this domain.

Note that it states "the domain name of the target host".  /etc/hosts
doesn't contain domain names but rather host names.  It also urges
implementors to return the address records in the Additional Data section.
This implies, I think, the addresses are to be obtained by the implementor
probably on the domain name server.

Later in RFC2782, on page 6 (according to the below URL), there is
a section entitled "Usage rules" which again clearly states that a
SRV-cognisant client SHOULD use a procedure which includes querying DNS
for the results of the SRV RR targets:

        For each element in the new list

                query the DNS for address records for the Target or
                use any such records found in the Additional Data
                section of the earlier SRV response.

Later in the "Notes:" section, the RFC states:

           - If the Additional Data section doesn't contain address records
             for all the SRV RR's and the client may want to connect to the
             target host(s) involved, the client MUST look up the address
             record(s).  (This happens quite often when the address record
             has shorter TTL than the SRV or NS RR's.)

An "address record" in the context of an RFC about DNS is clearly a DNS
A or AAAA RR and not an entry in /etc/hosts.
 
[1] https://tools.ietf.org/html/rfc2782

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

Roland C. Dowdeswell-2
In reply to this post by u-hd-phes
On Tue, Jul 25, 2017 at 11:20:57PM +0200, [hidden email] wrote:
>

> Given that SRV records as a matter of fact are defined via A[AAA] records,
> (and given that A lookups historically _are_ interposed by /etc/hosts)
> what says that /etc/hosts are to be ignored if an A lookup happens as
> a consequence of an SRV one?

Actually, I do not think that A lookups historically are interposed by
/etc/hosts.

I think that it is more accurate to say that historically there have been
functions called gethostbyname(3) and getaddrinfo(3) which mediated by
the definitions in /etc/nsswitch.conf choose whether to do files, DNS,
LDAP, YP, etc.  In all of the implementations that I've seen, once you
call into one of those modules, it will either return an entire answer
back up or fail which allows the NSS framework to pass control to the
next module.  In some cases, mostly with YP there are ways to mix the
modules a bit but those are mostly used for the passwd and group maps
rather than the host map.

--
    Roland C. Dowdeswell

Re: How to disable DNS lookups?

Russ Allbery-2
In reply to this post by Roland C. Dowdeswell-2
"Roland C. Dowdeswell" <[hidden email]> writes:

> Note that it states "the domain name of the target host".  /etc/hosts
> doesn't contain domain names but rather host names.

The "hostname" in /etc/hosts can contain periods, and it functions like an
FQDN in practice.

> It also urges implementors to return the address records in the
> Additional Data section.  This implies, I think, the addresses are to be
> obtained by the implementor probably on the domain name server.

My understanding is that Additional Data is a performance optimization in
DNS that allows a cache to make fewer queries by anticipating some of the
questions it's likely to ask next and letting it pre-cache that data.
This information is not used by clients under normal circumstances (dig is
not a normal client); in fact, some quick searching seems to indicate that
it's often not even exposed by DNS libraries.  It's used by the cache to
answer subsequent queries (or not if you don't bother to make them).

Anyway, I think the standard question is a red herring.  You cannot look
at DNS standards to figure out whether /etc/hosts should override, because
of course /etc/hosts isn't mentioned in DNS standards because it's not
part of DNS.

I think this is pretty clearly implementation-defined.  Nothing in any
standard is going to tell you that you MUST connect to an address
specified in an A or AAAA record or you're not doing Kerberos; that's not
how standards work.  They're going to tell you that, for interop with a
site specifying Kerberos KDCs in DNS, this is the IP that the SRV record
points to and that you should connect to if you want to honor their DNS
records, which is fine; that's not what we're discussing.  What we're
discussing is whether to maintain what has become a valuable UNIX
*debugging and override* tool, which of course isn't in the scope of a
Kerberos or DNS standard for the same reason that LD_PRELOAD isn't in the
scope of a Kerberos or DNS standard.

I do see the point that people can override their /etc/krb5.conf instead,
and now that I know about this I suspect I will be able to make my systems
do the right thing, but /etc/hosts is convenient because it overrides *all
software* (as opposed to making you go hunt down some specific config file
for each piece of software).  I think not honoring it would be
unpleasantly surprising.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

u-hd-phes
In reply to this post by Roland C. Dowdeswell-2
On Tue, Jul 25, 2017 at 09:48:11PM -0400, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 11:20:57PM +0200, [hidden email] wrote:
> > > As you can see, getaddrinfo(3) will only use DNS to chase the CNAME
> > > defined in DNS and does not consult /etc/hosts in the middle of a
> >
> > You refer to a certain implementation which is not a specification
> > by itself. What do the applicable standards say?
>
> Since we are discussing our processing of SRVs rather than CNAMEs, I'll
> limit my conversation to the relevant standards for SRVs.

As Russ already pointed out, the DNS standard is not an authority
which defines the behaviour of the applicable APIs. Of course widely used
implementations may create "de-facto standards" but this discussion shows
that there is no apparent consensus about how name lookup is supposed
to happen.

So unless we find a relevant standard reference saying otherwise,
the least surprise approach should reflect the practice of treating
/etc/hosts as a part of service name resolution.

Note, it is "service names to endpoints resolution" which I mean,
irrespectively of which technologies (DNS/non-DNS) are being used
for the purpose and possibly behind the scenes.

Name-to-endpoint mapping data is traditionally spread across multiple
local and more or less global databases like /etc/hosts, /etc/services,
various DNS servers and more.

Is there an API specification which says "if a lookup implies
multiple steps and begins against a certain database instance, then
all of the possibly needed additional lookups must use the same
database instance (or the same technology/protocol/implementation?)"?
I may be wrong but I doubt this.

Regards,
Rune


Re: How to disable DNS lookups?

Viktor Dukhovni-2

> On Jul 26, 2017, at 5:37 AM, [hidden email] wrote:
>
> As Russ already pointed out, the DNS standard is not an authority
> which defines the behaviour of the applicable APIs. Of course widely used
> implementations may create "de-facto standards" but this discussion shows
> that there is no apparent consensus about how name lookup is supposed
> to happen.

The problem is that we don't get:

        1. Look up name from SRV in /etc/hosts, return address(es) if found
        2. Look up same name in DNS, return address(es) if found

instead, in step 2, we may get undesirable, incorrect and/or costly
interactions with the stub resolver's domain search list.  The name
in the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES
or RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal
that a name should not be subjected to the DNS search list.

Furthermore, if a domain's KDC list is not locally administered, and
you're delegating the KDC names to remotely administered DNS, local
overrides of the address resolution are no less costly than just
putting override kdcs in the [realms] section.  Indeed the latter
is much less fragile.

Heimdal should be optimized for correct and reliable operation in normal
use first, and debugging hooks second.  Thus I plan to partly revert the
changes in the "master" branch to ensure that names that are obtained
from SRV records are resolved without search list suffixes, by appending
"." in the getaddrinfo(3) hostname argument for such names.  This will
match the behaviour of the MIT implementation.

--
        Viktor.
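
The behaviour argued over in this thread, written out as an added example
(my code, not Heimdal's or MIT krb5's, and not part of any post above). It
models, offline and in plain Python, the pieces that Roland's /etc/hosts
workaround, his explanation of the dot-appending, the dns_lookup_kdc stanza
and Viktor's search-list point all hinge on: how nss "files" matches a name
literally, how a stub resolver applies its search list to a name that does
not end in a dot, and how Heimdal 1.5.2 versus the agreed behaviour pick the
name handed to getaddrinfo(3). The realm EXAMPLE.COM, the KDC names, all
addresses, the corp.example search domain and its wildcard, the zone data
and the krb5.conf fragments are constructed for the example; the resolver
emulation is simplified (no ndots handling, A records only).

```python
"""Model of how a Kerberos client turns a KDC name into an address.

Added example for this thread, not Heimdal or MIT krb5 code.  Every name,
address, zone entry and config fragment below is constructed.
"""
import re

# Constructed /etc/hosts variants: HOSTS_PLAIN is what the original poster
# had, HOSTS_DOTTED adds the trailing-dot aliases suggested in the thread.
HOSTS_PLAIN = "10.0.0.5 kdc1.example.com kdc1\n"
HOSTS_DOTTED = ("10.0.0.5 kdc1.example.com kdc1.example.com. kdc1\n"
                "10.0.0.7 kdc3.example.com kdc3.example.com.\n")

# Constructed DNS: two SRV targets, an A record for only one of them, and a
# wildcard in the (constructed) search domain that answers for any name.
SEARCH_LIST = ["corp.example"]
DNS = {
    "_kerberos._udp.example.com.": [("SRV", "kdc3.example.com."),
                                    ("SRV", "kdc4.example.com.")],
    "kdc3.example.com.": [("A", "192.0.2.10")],
    "*.corp.example.": [("A", "198.51.100.99")],
}

# Constructed krb5.conf fragments: one pins the KDC, one leaves it to DNS.
KRB5_CONF_PINNED = """[libdefaults]
        dns_lookup_kdc = true
[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
        }
"""
KRB5_CONF_DNS_ONLY = "[libdefaults]\n        dns_lookup_kdc = true\n"


def hosts_lookup(name, hosts):
    """nss 'files': literal, case-insensitive match on each name token, so
    'kdc1.example.com.' is found only if that exact spelling is present."""
    for line in hosts.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return [fields[0]]
    return []


def dns_query(qname, qtype):
    """Exact match on an absolute owner name, then RFC 1034 wildcard match."""
    rrs = DNS.get(qname)
    labels = qname.rstrip(".").split(".")
    i = 1
    while rrs is None and i < len(labels):
        rrs = DNS.get("*." + ".".join(labels[i:]) + ".")
        i += 1
    return [v for t, v in rrs or [] if t == qtype]


def getaddrinfo(name, hosts):
    """getaddrinfo(3) under 'hosts: files dns', simplified (no ndots logic).

    A name ending in '.' is absolute and never gets the search list; any
    other name is tried as given, then with each search suffix appended.
    """
    addrs = hosts_lookup(name, hosts)
    if addrs:
        return addrs
    if name.endswith("."):
        candidates = [name]
    else:
        candidates = [name + "."] + [f"{name}.{d}." for d in SEARCH_LIST]
    for q in candidates:
        addrs = dns_query(q, "A")
        if addrs:
            return addrs
    return []


def configured_kdcs(conf, realm):
    """'kdc =' lines inside the realm's block in [realms]; minimal parser."""
    block = re.search(r"\[realms\].*?" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                      conf, re.S)
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M) if block else []


def locate_kdcs(conf, realm, hosts, legacy_dot):
    """Return [(source, name handed to getaddrinfo, addresses)] per KDC.

    legacy_dot=True is Heimdal 1.5.2: every KDC name, configured ones too,
    gets '.' appended.  legacy_dot=False is the behaviour agreed in the
    thread (and MIT's): only SRV targets, already FQDNs, get the dot.
    """
    names = [("krb5.conf", n) for n in configured_kdcs(conf, realm)]
    if not names and re.search(r"^\s*dns_lookup_kdc\s*=\s*true", conf, re.M):
        srv = f"_kerberos._udp.{realm.lower()}."
        names = [("SRV", t) for t in dns_query(srv, "SRV")]
    out = []
    for source, name in names:
        if source == "SRV" or legacy_dot:
            name = name if name.endswith(".") else name + "."
        out.append((source, name, getaddrinfo(name, hosts)))
    return out
```

locate_kdcs(KRB5_CONF_PINNED, "EXAMPLE.COM", HOSTS_PLAIN, True) reproduces
the original failure: the configured name becomes "kdc1.example.com.", the
hosts file has no token spelled that way, and the constructed DNS has no A
record for it, so no address comes back. The same call with HOSTS_DOTTED
succeeds through the dotted alias, and with legacy_dot=False it succeeds
through the plain hosts entry, which is what MIT did for the poster. With
KRB5_CONF_DNS_ONLY the SRV targets are always looked up absolute, so kdc4,
which has no A record, resolves to nothing; getaddrinfo("kdc4.example.com",
HOSTS_PLAIN), the unqualified lookup Viktor wants to avoid, instead walks
the search list and lands on the corp.example wildcard. Rune's trade-off
shows up too: HOSTS_DOTTED carries "kdc3.example.com." and therefore still
overrides the SRV target's DNS address.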


Re: How to disable DNS lookups?

Russ Allbery-2
Viktor Dukhovni <[hidden email]> writes:

> The problem is that we don't get:

> 1. Look up name from SRV in /etc/hosts, return address(es) if found
> 2. Look up same name in DNS, return address(es) if found

> instead, in step 2, we may get undesirable, incorrect and/or costly
> interactions with the stub resolver's domain search list.  The name in
> the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
> RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
> name should not be subjected to the DNS search list.

Ah!  Thank you.  That helps me understand the problem you're trying to
solve.

How often does this actually come up, though?  My understanding of how
domain search works is that the record returned by the SRV record would
have to not exist *and* some record formed by appending the local domain
to the name would have to exist.  That seems *extremely* unlikely,
although I guess the latter could match local wildcard entries if someone
was doing something weird.

> Furthermore, if a domain's KDC list is not locally administered, and
> you're delegating the KDC names to remotely administered DNS, local
> overrides of the address resolution are no less costly than just putting
> override kdcs in the [realms] section.  Indeed the latter is much less
> fragile.

Right, the point is not that you can't override with /etc/krb5.conf, the
point is that /etc/hosts normally overrides everything without having to
hunt down software-specific configuration files.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

u-hd-phes
On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:

> Viktor Dukhovni <[hidden email]> writes:
> > 2. Look up same name in DNS, return address(es) if found
>
> > instead, in step 2, we may get undesirable, incorrect and/or costly
> > interactions with the stub resolver's domain search list.  The name in
> > the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
> > RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
> > name should not be subjected to the DNS search list.
>
> Ah!  Thank you.  That helps me understand the problem you're trying to
> solve.

+1

Then the explicit trailing dots in /etc/hosts look indeed
like a reasonable trade-off.

Rune
