
10.3: Strange DNS behavior and workaround Network

Sometimes, when trying to get to a web site, I'd get redirected to a strange location. I thought perhaps I was getting hijacked or something. After spending some time analysing the problem with Ethereal, I came to the conclusion that Panther does strange things with DNS resolution. This didn't happen before in Jaguar, so I'm pretty sure it's a Panther thing. Since I spent a few hours banging my head on the wall before figuring it out, I thought I'd share with everyone and save you the frustration.

Like many companies, my company uses a different domain name for DHCP to help local users find servers that aren't available outside the firewall. We use 'company.org' for this purpose, where the real domain name is 'company.net'. If Panther fails a DNS lookup, it tries appending the default domain name to the end of the request. So, if I mistyped "foo.com" as "fooo.com," it would fail and then look up "fooo.com.company.org" -- this is pretty standard behaviour.

But then Panther does something strange - it tries appending just the top-level domain for the lookup -- it looks up 'fooo.com.org,' and since 'com.org' goes to a company that does web domain stuff, it looked like a hijacking.

If it was just mistyped domains, that would be no big deal. However, this also happens if your DNS server just happens to drop the ball on something like 'mail.yahoo.com' for example -- and once it happens, OS X caches it for quite a while. I couldn't figure out how to turn this behavior off. Running sudo killall lookupd will reset the cache, though, which should fix it if the DNS server is working again.

I spent quite a while hunting this down, so I thought it might help someone.

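The lookup order described in the hint, and a check for it in a packet capture, as an added example that is not part of the original hint. The function names are hypothetical, the capture lines are constructed in tethereal's one-line summary layout, and stepping through every parent of a longer search domain is an assumption that generalises the single 'com.org' case above.

```python
import re

def suffixes(search_domain):
    """The search domain followed by each of its parents, down to the TLD."""
    labels = search_domain.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def candidates(name, search_domain):
    """Query names in the order the hint describes: as typed, then expanded."""
    name = name.rstrip(".").lower()
    return [name] + [f"{name}.{s}" for s in suffixes(search_domain)]

def outside_namespace(name, search_domain):
    """Expanded candidates that are no longer under the search domain."""
    own = "." + search_domain.strip(".").lower()
    return [c for c in candidates(name, search_domain)[1:] if not c.endswith(own)]

QUERY = re.compile(r"DNS Standard query A (\S+)")

def flag_expansions(lines, search_domain):
    """Find queries that are an earlier query name plus a search suffix.

    Returns (original, expanded, suffix) tuples in capture order.
    """
    seen, hits = [], []
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue  # responses and non-DNS lines
        q = m.group(1).rstrip(".").lower()
        for s in suffixes(search_domain):
            base = q[: -len(s) - 1]
            if q.endswith("." + s) and base in seen and (base, q, s) not in hits:
                hits.append((base, q, s))
        if q not in seen:
            seen.append(q)
    return hits

# Constructed capture lines (sample names and documentation addresses).
SAMPLE = [
    "1 0.000000 192.0.2.14 -> 192.0.2.1 DNS Standard query A fooo.com",
    "2 0.700000 192.0.2.1 -> 192.0.2.14 DNS Standard query response, No such name",
    "3 0.710000 192.0.2.14 -> 192.0.2.1 DNS Standard query A fooo.com.company.org",
    "4 1.400000 192.0.2.14 -> 192.0.2.1 DNS Standard query A fooo.com.org",
]

if __name__ == "__main__":
    for original, expanded, suffix in flag_expansions(SAMPLE, "company.org"):
        leaked = expanded in outside_namespace(original, "company.org")
        print(f"{expanded}: {original} + .{suffix}", "(leaves company.org)" if leaked else "")
```

A hit whose suffix is shorter than the search domain (here 'org') is the case that sends the lookup to a zone the organisation does not control.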

10.3: Strange DNS behavior and workaround
Authored by: vogunaescht on Dec 10, '03 11:17:49AM

I advise reading the manpage of lookupd.

lookupd -flushcache does the job.



10.3: Strange DNS behavior and workaround
Authored by: clownburner on Dec 11, '03 08:21:35PM

Yes, that works to clear lookupd's cache, but doesn't change the fact that Panther is not following the standard practice (or the Jaguar method) for DNS lookups...



10.3: Strange DNS behavior and workaround
Authored by: vogunaescht on Dec 16, '03 03:55:26AM

True. Is there a proxy involved that might cache DNS entries? Another possibility is to run bind locally as a caching-only nameserver.



10.3: Strange DNS behavior and workaround
Authored by: DavidMaxWaterman on Jan 08, '04 02:01:40AM

We run our local domain in a similar manner to the original poster, and we have a local dns server to resolve local names.

I am the only one using a Mac and I am the only one that has problems using our dns server. The problem I see is that my initial attempts to load a web page fail; the second and subsequent attempts fail. If I don't visit that page for a while, the failure happens again, again only for the first attempt.

I used tethereal on the server to compare requests made by my Mac with requests made from other OSes (w2k and xp); the traces are here :

http://reality.sgiweb.org/maxw/tmp/Apple/3519742/

if anyone cares to look. To summarise, Mac makes this sort of sequence of requests :

http://reality.sgiweb.org/maxw/tmp/Apple/3519742/eth1-214-OSX-02-dns.txt

1 0.000000 192.168.0.214 -> 192.168.0.1 DNS Standard query A news.google.com
5 0.705145 192.168.0.214 -> 192.168.0.1 DNS Standard query A news.google.com
9 1.410272 192.168.0.214 -> 192.168.0.1 DNS Standard query A news.google.com
12 2.115540 192.168.0.214 -> 192.168.0.1 DNS Standard query A news.google.com.jingmei.org

It tries the 'news.google.com.jingmei.org' domain before the server has even responded to the first request.

I filed a bug (3519742) with Apple on this, but it does not seem to be getting any attention :( It's really messing me up, and is embarrassing when all the various Microsoft OSes work fine.

Max.



10.3: Strange DNS behavior and workaround
Authored by: Macindy on Oct 04, '04 09:57:49AM

Hi there!

Sometimes different external domains get routed to my default domain, e.g. www.apple.com goes to www.apple.com.mydomain.com

What could be the reason for this?
The author of the article says this is standard behaviour. But why does this happen, and what can I do against caching the false IP?



10.3: Strange DNS behavior and workaround
Authored by: kevinv on Dec 10, '03 04:39:33PM

Never use an internal domain that resolves to an external domain! Especially if you don't own that domain name. This can lead to security leaks of information (especially on laptops that leave the internal network).

I recommend either making sure you own the domain name you are using internally (i.e. company.com for external and company.org for internal, if you own company.org) or (my preferred method) creating your own top-level domain (I use .internal, so that all my internal machines are fooo.company.internal).

Just don't use .local. That screws up rendezvous.

kevin



10.3: Strange DNS behavior and workaround
Authored by: clownburner on Dec 11, '03 08:29:52PM

Good point; our internal DNS address does NOT resolve into a public domain.. the problem is that 'com.org' DOES resolve, and Apple is silly for attempting to do DNS lookups in this non-standard and wacky way.



Fink's Ethereal 0.9.14-1 Will Not Download
Authored by: EatingPie on Dec 11, '03 04:23:12PM

Fink may fail when trying to install Ethereal. Here's what I did...

% fink install ethereal
...
curl -f -L -O ftp://ftp.ethereal.com/pub/ethereal/old-versions/ethereal-0.9.14.tar.bz2
curl: (9) Couldn't cd to pub/ethereal/old-versions
### execution of curl failed, exit code 9

The Ethereal site has updated to a new version and changed the directory structure, so fink can't find it. The fix is to hack the info file with the right path.

sudo vi /sw/fink/dists/stable/main/finkinfo/net/ethereal.info

Now move to the line that looks like the following:

Secondary: ftp://ftp.ethereal.com/pub/ethereal/old-versions/

And change it to...

Secondary: ftp://ftp.ethereal.com/pub/ethereal/all-versions/

Now running the fink install should work.

---
-Pie

