resolve a subdomain in debian 10

ortiga asked:

I have a server with active directory and dns on windows server 2012 with the following subdomain:

ac: alm.local <- 10.0.0.3

dns hosts:

javi.a.alm.local <- 10.0.0.20

when I resolve in Windows:

nslookup javi.a

server: localhost
address: 127.0.0.1

name: javi.a.alm.local
address: 10.0.0.20

but when I resolve in Debian:

nslookup javi.a

Server: 10.0.0.3
Address: 10.0.0.3#53

** server can't find javi.a: NXDOMAIN

why does it not resolve?

resolv.conf:

nameserver 10.0.0.3
search alm.local

My answer:


By default, the Linux resolver will not apply the search domain to a queried name that already contains a dot. So javi.a will be treated as a FQDN and will not have the domain alm.local appended to it.

You can change this behavior using the ndots option. This says the minimum number of dots that can be in a name to be treated as a FQDN. It defaults to 1.

You should also consider the warnings in the man page resolv.conf(5) before doing so.

Resolver queries having fewer than ndots dots (default
is 1) in them will be attempted using each component of the
search path in turn until a match is found. For environments
with multiple subdomains please read options ndots:n below to
avoid man-in-the-middle attacks and unnecessary traffic for the
root-dns-servers. Note that this process may be slow and will
generate a lot of network traffic if the servers for the listed
domains are not local, and that queries will time out if no
server is available for one of the domains.

And the documentation for options ndots:

Sets a threshold for the number of dots which must appear
in a name given to res_query(3) (see resolver(3)) before
an initial absolute query will be made. The default for
n is 1, meaning that if there are any dots in a name, the
name will be tried first as an absolute name before any
search list elements are appended to it. The value for
this option is silently capped to 15.

(Note that this implies that the name will be tried with search domains after being tried as a FQDN, but in practice this does not actually happen. It is not tried with the search domains at all. Which is why you have posted here today.)

So in resolv.conf you can add:

options ndots:2

And a name with one dot will now have the search domain appended, but names with two or more dots will not. As the man page says, you can set this as high as 15 if necessary.
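As an added illustration (not part of the original answer), the following simulates the query order the resolv.conf(5) text quoted above describes, using the names from the question and a constructed zone in place of the real DNS server. It shows why javi.a with the default ndots:1 is first sent out as an absolute name, and why ndots:2 makes the search domain apply first.

```python
# Added example, not code from the original post: models the candidate-query
# ordering described in resolv.conf(5) for a given ndots value. The zone data
# and search list below are constructed from the names in the question.

NDOTS_CAP = 15  # resolv.conf(5): the value for ndots is silently capped to 15


def candidate_queries(name, search_list, ndots=1):
    """Return the absolute names the resolver would try, in order.

    Following the man page text quoted above:
      * a name ending in '.' is already absolute and is tried exactly once;
      * a name with at least `ndots` dots is tried as an absolute name
        first, then with each search domain appended;
      * a name with fewer dots is tried with the search domains first
        and as an absolute name last.
    """
    ndots = max(0, min(int(ndots), NDOTS_CAP))
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain.rstrip('.')}." for domain in search_list]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def simulate(name, search_list, zone, ndots=1):
    """Walk the candidates against a zone (dict FQDN -> IP) and return the
    list of (query, answer) attempts made; answer None models NXDOMAIN."""
    attempts = []
    for query in candidate_queries(name, search_list, ndots):
        answer = zone.get(query)
        attempts.append((query, answer))
        if answer is not None:
            break
    return attempts


# Constructed zone for alm.local, mirroring the question's DNS host entry.
ZONE = {"javi.a.alm.local.": "10.0.0.20"}
SEARCH = ["alm.local"]

if __name__ == "__main__":
    for n in (1, 2):
        print(f"ndots:{n} ->", simulate("javi.a", SEARCH, ZONE, n))
```

With ndots:1 the first attempt, javi.a., leaves the local domain and reaches the public root servers before the search domain is tried, which is the unnecessary traffic and exposure the man page warns about; with ndots:2 the internal name is answered on the first query.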


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.