fully qualified domain names, dhcp dns search suffixes, and trailing dots

http domain-name-system

Yes, this is a vulnerability. No, servers should not stop offering content when queried using internet relative domain names.

Trying to figure out if a name is internet relative or just relative is not a problem with a good stateless general solution. A bad stateless solution is to abolish the use of all relative naming. Relative names exist for valid reasons.

Care should be taken to ensure that the using FQDN results in the same content as the internet relative domain name. This is mostly an issue for http servers.

If you want to be zealous without being obnoxious:

  • never use internet relative domain names when you can use FQDN
  • use permanent redirects 308 or 301 on your webservers to point clients in the right direction.

Whenever I configure anything that accepts a DNS domain name, I include the trailing dot. Some systems reject this in their attempts to validate the input, which is a shame. Windows clients that rely on DNS devolution for AD-walking can be troublesome, if you have a two-part domain suffix. MS have documented workarounds.

Reference resolv.conf... The equivalent Windows configuration also requires privilege elevation to effect a change.

Related

Is it possible to run 2 concurrent tcpdump with different options?
Why postfix does MX lookup for relayhost?
Postfix - rate limit outgoing concurrent connections to one machine/ip
How can I generate/or edit a grub.cfg on each EFI partition that refers to the ubuntu installation on the same physical disk?
tomcat 9 configuration for port 443
How to choose which IP apache2 uses globally
Setting a default gateway which is on a different subnet
Should I enable port 587 for mail relay access?
SMTP service detection
Redirect wildcard subdomain to same subdomain on different domain
A local IP address (RFC 1918) on my network that is not … local
Can I restore a backup made with Windows Server 2008 R2 in Windows Server 2012 R2?