[Mimedefang] Trailing dots in hostname lookups

Bill Cole mdlist-20140424 at billmail.scconsult.com
Fri Feb 2 20:22:41 EST 2024


On 2024-02-02 at 18:35:08 UTC-0500 (Fri, 02 Feb 2024 15:35:08 -0800)
Kenneth Porter via MIMEDefang <mimedefang at lists.mimedefang.org>
is rumored to have said:

> I was recently reminded that a DNS lookup of a name with one internal 
> dot but no trailing dot will cause the resolver to first search the 
> domain search list before submitting the unmodified name to the DNS 
> server. (I'd seen a story about the proposed .internal domain and 
> chasing through related links turned up the resolver dot rule.)
>
> <https://www.theverge.com/2024/1/30/24055534/web-private-network-internal-icann-name>
>
> Today I was looking into a user's bounce and found that 
> us-smtp-inbound-1.mimecast.com transiently failed to resolve in 
> /var/log/maillog. I then grepped my BIND queries log and saw that 
> queries were first going through the search list and suffixing MX 
> server names with the local LAN domains before finding it in the 
> external DNS. Not the issue for this bounce, but I'm wondering if this 
> is a reasonable thing to do for hostnames found in MX records.
>
> What I can't tell is which program is doing the lookup and stripping 
> the trailing dot from the MX result. I'm guessing it's sendmail, not 
> MD, SpamAssassin or some other thing in my mail chain. But it could be 
> MD.

I would bet on sendmail, if it is anything at all. Does the MX reply 
include a trailing dot? Are we certain?

> Is this something to even be worried about? My search list has 4 
> entries so every lookup fails 4 times before it resolves to the 
> external MX server.

Well, you could maybe fix your resolver config. According to resolver(5) 
on my machine:

ndots:n  Sets a threshold for the number of dots which must appear in a
         name given to res_query (see resolver(3)) before an initial
         absolute query will be made.  The default for n is ``1'',
         meaning that if there are any dots in a name, the name will be
         tried first as an absolute name before any search list elements
         are appended to it.

The Linux, macOS, and FreeBSD man pages all agree on that, so maybe 
your problem is lurking in your /etc/resolv.conf. Of course, if you have 
multi-level names under the domains in your local search list, this may 
be an unavoidable issue.

Hopefully, if you cannot make your resolver behave better, the resolvers 
for the domains in your search list are nearby and fast, so even if 
you're doing 4 queries they will usually be painless.


-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
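
Added example, not part of Bill Cole's or Kenneth Porter's messages: a Python model of the lookup order that resolver(5) describes for `search` and `ndots`, for checking how many search-list queries a given /etc/resolv.conf causes before the absolute name is tried. The resolv.conf contents and the lan.example domains are constructed, and the model covers only the `search` and `ndots` settings as glibc applies them.

```python
# Constructed sample configs; the lan.example domains are placeholders.
DEFAULT_CONF = """\
# constructed sample, ndots left at its default
search lan.example corp.lan.example lab.lan.example dmz.lan.example
nameserver 192.0.2.53
"""
HIGH_NDOTS_CONF = DEFAULT_CONF + "options ndots:3\n"


def parse_resolv_conf(text):
    """Return (search_list, ndots); the last 'search' line wins."""
    search, ndots = [], 1  # resolver(5): the default for ndots is 1
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "search":
            search = [d.rstrip(".") for d in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt[6:]), 15)  # glibc caps ndots at 15
    return search, ndots


def query_order(name, search, ndots=1):
    """Names the stub resolver tries, in order, until one resolves."""
    if name.endswith("."):
        return [name]  # trailing dot: absolute, search list never used
    absolute = name + "."
    suffixed = [f"{name}.{d}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed  # enough dots: absolute name first
    return suffixed + [absolute]      # too few dots: search list first


def wasted_queries(name, conf_text):
    """Count search-list queries sent before the absolute name is tried."""
    search, ndots = parse_resolv_conf(conf_text)
    return query_order(name, search, ndots).index(name.rstrip(".") + ".")


if __name__ == "__main__":
    mx = "us-smtp-inbound-1.mimecast.com"
    for label, conf in (("default", DEFAULT_CONF), ("ndots:3", HIGH_NDOTS_CONF)):
        print(label, wasted_queries(mx, conf), query_order(mx, *parse_resolv_conf(conf)))
```
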


