Hostnames not resolving
David Woodhouse
dwmw2 at infradead.org
Wed Feb 11 06:12:55 PST 2015
On Wed, 2015-02-11 at 14:01 +0000, David Woodhouse wrote:
>
> >
> > Addresses such as this will not resolve:
> > http://site.company.local/
> >
> > However, this is perfectly fine:
> > http://site/

Hm, actually I think this is due to the use of '.local.' as the TLD.
That TLD is reserved for mDNS. I think it's actually a bug that
http://site/ "works" for you. It's certainly *not* a bug that
http://site.company.local/ does not.

If you look closely, I think you'll see those DNS requests being
correctly sent via multicast, and *not* to the VPN's DNS servers.

See RFC6762 §3:

   Any DNS query for a name ending with ".local." MUST be sent to the
   mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6
   equivalent FF02::FB). The design rationale for using a fixed
   multicast address instead of selecting from a range of multicast
   addresses using a hash function is discussed in Appendix B.

   Implementers MAY choose to look up such names concurrently via other
   mechanisms (e.g., Unicast DNS) and coalesce the results in some
   fashion. Implementers choosing to do this should be aware of the
   potential for user confusion when a given name can produce different
   results depending on external network conditions (such as, but not
   limited to, which name lookup mechanism responds faster).

   It is unimportant whether a name ending with ".local." occurred
   because the user explicitly typed in a fully qualified domain name
   ending in ".local.", or because the user entered an unqualified
   domain name and the host software appended the suffix ".local."
   because that suffix appears in the user's search list.

You might *perhaps* persuade your local system to violate RFC6762 (as
Windows apparently does) by removing the nss_mdns (or equivalent)
package, or removing mention of it from /etc/nsswitch.conf.
--
dwmw2
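
Added example, not part of the original message and not OpenConnect or nss-mdns code: a small checker that reads the "hosts:" line of an nsswitch.conf and reports whether an unanswered ".local" name stops at the mDNS module or goes on to unicast DNS (the VPN's servers). The function names, the nss-mdns module list and the two sample configurations are assumptions constructed for illustration, and every source listed before "dns" is assumed to report NOTFOUND for the name.

```python
import re

# nss-mdns module names; the message only says "nss_mdns (or equivalent)".
MDNS_MODULES = {"mdns", "mdns4", "mdns6",
                "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}
STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

def parse_hosts(nsswitch_text):
    """Return [(service, {STATUS: ACTION}), ...] from the 'hosts:' line."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if not tok.startswith("["):
                entries.append((tok, {}))
                continue
            if not entries:
                continue  # action with no preceding service: ignore
            for item in tok[1:-1].split():
                status, _, action = item.upper().partition("=")
                # "!STATUS=action" applies to every status except STATUS
                hit = ([s for s in STATUSES if s != status[1:]]
                       if status.startswith("!") else [status])
                for s in hit:
                    entries[-1][1][s] = action
        return entries
    return []

def local_lookup_path(nsswitch_text):
    """Classify where a '.local' name that nothing answers is looked up.

    Assumption: every source before 'dns' reports NOTFOUND for the name.
    """
    tried_mdns = False
    for service, actions in parse_hosts(nsswitch_text):
        if service == "dns":
            return "mdns-then-unicast" if tried_mdns else "unicast-first"
        if service in MDNS_MODULES:
            tried_mdns = True
        if actions.get("NOTFOUND") == "RETURN":
            break  # lookup stops here; unicast DNS is never asked
    return "mdns-only" if tried_mdns else "neither"

# Constructed sample configurations (not taken from the thread).
WITH_MDNS = "passwd: files\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
MDNS_REMOVED = "hosts: files dns  # nss-mdns entry removed\n"
```

A result of "mdns-only" corresponds to the behaviour described in the message, where the query goes out via multicast and never reaches the VPN's DNS servers; "unicast-first" is the state after the nsswitch.conf change mentioned in its last paragraph.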
More information about the openconnect-devel mailing list