[systemd-devel] Antw: [EXT] .local searches not working
Ulrich Windl
Ulrich.Windl at rz.uni-regensburg.de
Mon Apr 12 06:57:20 UTC 2021
>>> Phillip Susi <phill at thesusis.net> wrote on 09.04.2021 at 20:27 in
message
<874kgfqphb.fsf at vps.thesusis.net>:
> What special treatment does systemd-resolved give to .local domains?
> The corporate windows network uses a .local domain and even when I point
> systemd-resolved at the domain controller, it fails the query without
> bothering to ask the dc saying:
>
> resolve call failed: No appropriate name servers or networks for name
> found
I don't know who established using ".local" for Windows AD "DNS" names, but
RFC 6762 says:
1. Users may use these names as they would other DNS names,
entering them anywhere that they would otherwise enter a
conventional DNS name, or a dotted decimal IPv4 address, or a
literal IPv6 address.
Since there is no central authority responsible for assigning
dot-local names, and all devices on the local network are
equally entitled to claim any dot-local name, users SHOULD be
aware of this and SHOULD exercise appropriate caution. In an
untrusted or unfamiliar network environment, users SHOULD be
aware that using a name like "www.local" may not actually
connect them to the web site they expected, and could easily
connect them to a different web page, or even a fake or spoof
of their intended web site, designed to trick them into
revealing confidential information. (...)
3. Name resolution APIs and libraries SHOULD recognize these names
as special and SHOULD NOT send queries for these names to their
configured (unicast) caching DNS server(s). (...)
4. Caching DNS servers SHOULD recognize these names as special and
SHOULD NOT attempt to look up NS records for them, or otherwise
query authoritative DNS servers in an attempt to resolve these
names. (...)
5. Authoritative DNS servers SHOULD NOT by default be configurable
to answer queries for these names, and, like caching DNS
servers, SHOULD generate immediate NXDOMAIN responses for all
such queries they may receive. (...)
6. DNS server operators SHOULD NOT attempt to configure
authoritative DNS servers to act as authoritative for any of
these names. (...)
7. DNS Registrars MUST NOT allow any of these names to be
registered in the normal way to any person or entity. (...)
RFC 7368 (Home Networking):
If, however, a global name space is not available, the homenet will
need to pick and use a local name space, which would only have
meaning within the local homenet (i.e., it would not be used for
remote access to the homenet). The .local name space currently has a
special meaning for certain existing protocols that have link-local
scope and is thus not appropriate for multi-subnet home networks.
Regards,
Ulrich
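The RFC 6762 rules quoted above (a resolution API keeps ".local" away from the configured unicast DNS servers; a caching server answers such names itself) are easy to state as code. The following is an added example, not code from this thread or from systemd-resolved: it classifies a name the way rule 3 asks, and runs that rule over a few constructed resolver log lines (the log format is invented for the example) to flag ".local" queries that were nevertheless forwarded to a unicast server. It goes slightly beyond the thread by also covering the link-local reverse-mapping domains that the same section of RFC 6762 declares special.

```python
"""RFC 6762 special-name check for a stub resolver or caching DNS server.

Added example for the discussion above; not code from systemd-resolved or
the systemd project.  It implements the rule that ".local" names are mDNS
special-use names that SHOULD NOT be sent to the configured unicast DNS
servers, and runs that rule over constructed resolver log lines to flag
queries that were forwarded to unicast DNS anyway.
"""
import re

# Special-use domains from RFC 6762 section 3: ".local" plus the reverse
# mapping domains for IPv4 and IPv6 link-local addresses.  The thread is
# only about ".local"; the reverse domains follow the same rule.
MDNS_SPECIAL_DOMAINS = (
    "local",
    "254.169.in-addr.arpa",
    "8.e.f.ip6.arpa",
    "9.e.f.ip6.arpa",
    "a.e.f.ip6.arpa",
    "b.e.f.ip6.arpa",
)


def normalize(name):
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()


def is_mdns_special(name):
    """True for a special-use domain or any name below one.

    The match is on whole labels at the end of the name, so "notlocal"
    and "local.example.com" are ordinary DNS names.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in MDNS_SPECIAL_DOMAINS)


def resolver_decision(name):
    """RFC 6762 rule 3: a resolution API sends special names to mDNS and
    everything else to the configured unicast DNS servers."""
    return "mdns" if is_mdns_special(name) else "unicast"


# Constructed log format for this example, not real systemd-resolved output.
LOG_LINE = re.compile(r"name=(?P<name>\S+)\s+type=\S+\s+sent_to=(?P<target>\w+)")

SAMPLE_LOG = """\
2021-04-09T18:27:01Z query name=dc01.corp.local type=A sent_to=unicast
2021-04-09T18:27:02Z query name=printer.local type=A sent_to=mdns
2021-04-09T18:27:03Z query name=www.example.com type=A sent_to=unicast
2021-04-09T18:27:04Z query name=NOTlocal.example.com type=A sent_to=unicast
2021-04-09T18:27:05Z query name=1.0.254.169.in-addr.arpa type=PTR sent_to=unicast
"""


def find_leaked_queries(log_text):
    """Return the names of special-use queries that a resolver sent to a
    unicast DNS server, i.e. the behaviour RFC 6762 says SHOULD NOT happen.
    Lines without the expected fields are skipped."""
    leaked = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        if m.group("target") == "unicast" and resolver_decision(m.group("name")) == "mdns":
            leaked.append(m.group("name"))
    return leaked


if __name__ == "__main__":
    for name in ("dc01.corp.local", "www.example.com", "local.", "notlocal"):
        print(f"{name:20s} -> {resolver_decision(name)}")
    print("special names forwarded to unicast DNS:", find_leaked_queries(SAMPLE_LOG))
```

Run as a script it prints the decision for each sample name and lists `dc01.corp.local` and the reverse-mapping name as the two queries that leaked to unicast DNS. This is exactly why a resolver that follows the RFC refuses to ask the domain controller about `corp.local`; sending such a domain to a unicast server on purpose is a resolver configuration decision, which the RFC text quoted here does not cover.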