fully qualified domain names, dhcp dns search suffixes, and trailing dots

Yes, this is a vulnerability. No, servers should not stop offering content when queried using internet relative domain names.

Trying to figure out if a name is internet relative or just relative is not a problem with a good stateless general solution. A bad stateless solution is to abolish the use of all relative naming. Relative names exist for valid reasons.

Care should be taken to ensure that using the FQDN results in the same content as the internet relative domain name. This is mostly an issue for HTTP servers.

If you want to be zealous without being obnoxious:

  • never use internet relative domain names when you can use FQDN
  • use permanent redirects 308 or 301 on your webservers to point clients in the right direction.

Whenever I configure anything that accepts a DNS domain name, I include the trailing dot. Some systems reject this in their attempts to validate the input, which is a shame. Windows clients that rely on DNS devolution for AD-walking can be troublesome, if you have a two-part domain suffix. MS have documented workarounds.

Reference resolv.conf... The equivalent Windows configuration also requires privilege elevation to effect a change.
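As an added illustration of the search-suffix behaviour described above (example code, not from the original post): a small Python model of how a resolv.conf-style stub resolver expands a typed name using its search list and ndots, why a trailing dot short-circuits that expansion, and an input validator that accepts the trailing dot. The search list and ndots value are constructed assumptions, and the expansion rules follow common glibc behaviour rather than any particular resolver.

```python
# Model of stub-resolver search-list expansion (added example, not from the post).
# Search suffixes typically arrive via DHCP (option 119) or resolv.conf `search`.
import re
from dataclasses import dataclass, field

@dataclass
class ResolverConfig:
    search: list = field(default_factory=list)  # constructed suffix list
    ndots: int = 1                               # glibc default

def is_fqdn(name: str) -> bool:
    """A trailing dot marks the name as fully qualified: nothing gets appended."""
    return name.endswith(".")

def query_candidates(name: str, cfg: ResolverConfig) -> list:
    """Absolute query names (with trailing dot) a glibc-style resolver tries, in order.

    - name ends in '.': used as-is, no other candidates
    - name has >= ndots dots: tried as absolute first, then with each suffix
    - fewer dots: suffixes first, bare name last
    """
    if is_fqdn(name):
        return [name]
    absolute = name + "."
    with_suffixes = [f"{name}.{s.rstrip('.')}." for s in cfg.search]
    if name.count(".") >= cfg.ndots:
        return [absolute] + with_suffixes
    return with_suffixes + [absolute]

def is_internet_relative(name: str, cfg: ResolverConfig) -> bool:
    """True when the resolver may answer the name from more than one query name,
    i.e. which host you reach depends on the search list you happen to have."""
    return len(query_candidates(name, cfg)) > 1

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_dns_name(name: str) -> bool:
    """Hostname validation that does not reject the trailing dot of an FQDN."""
    if not name or name == ".":
        return False
    bare = name[:-1] if name.endswith(".") else name
    if len(bare) > 253:
        return False
    return all(_LABEL.match(label) for label in bare.split("."))

if __name__ == "__main__":
    cfg = ResolverConfig(search=["corp.example", "example"], ndots=1)
    for n in ("intranet", "example.org", "example.org."):
        print(n, "->", query_candidates(n, cfg))
```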