resolved: does not apply search domain logic to multi-label names

[bellegarde-c]

systemd version the issue has been seen with

systemd-246.1-1.fc33.x86_64

Used distribution

Fedora 33

Expected behaviour you didn't see

resolving a subdomain using short name works

Current NSS configuration
hosts: resolve [!UNAVAIL=return] myhostname files mdns4_minimal [NOTFOUND=return] dns

Resolved status

Global
      LLMNR setting: resolve                        
MulticastDNS setting: resolve                        
 DNSOverTLS setting: no                             
     DNSSEC setting: no                             
   DNSSEC supported: no                             
 Current DNS Server: 172.21.0.203                   
        DNS Servers: 172.21.0.203                   
                     172.21.0.204                   
                     172.21.0.201                   
Fallback DNS Servers: 1.1.1.1                        
                     8.8.8.8                        
                     1.0.0.1                        
                     8.8.4.4                        
                     2606:4700:4700::1111           
                     2001:4860:4860::8888           
                     2606:4700:4700::1001           
                     2001:4860:4860::8844           
         DNS Domain: ad.iut-france.univ-france.prive
                     iut-france.univ-france.prive   

Unexpected behaviour you saw

resolving a subdomain using short name does not work.

Steps to reproduce the problem

$ ping srv-puppet.qa
ping: srv-puppet.qa: Name or service not known

$ sudo systemctl stop systemd-resolved
$ ping srv-puppet.qa
PING srv-puppet.qa.iut-france.univ-france.prive (172.21.178.101) 56(84) bytes of data.
64 bytes from 172.21.178.101 (172.21.178.101): icmp_seq=1 ttl=63 time=0.526 ms

[poettering]

As documented, systemd never applies search domain logic to domains containing dots (aka "multi-label domains"), simply because it's insecure (as this means even lookups for google.com or github.com might be subject to search domain logic)

[poettering]

Duplicate of #4821

[toughkrua]

As documented, systemd never applies search domain logic to domains containing dots (aka "multi-label domains"), simply because it's insecure (as this means even lookups for google.com or github.com might be subject to search domain logic)

What is wrong in that behavior? It is logical that when resolver did not find typed domain, it tries to find them by substituting domains from search list. This situation may be only if normal resolve is not accessible.

[poettering]

if you look up "foo.bar", and expect it to be resolved locally, via some search path, and then someone buys the "foo.bar" top-level domain he gained access to your traffic: you think you talk to a local service but actually you are talking to some remote thing on the internet.

hence it's not generally safe to suffix stuff that already looks like an fqdn (i.e. has at least one dot, i.e. two labels) with search domains, and the opposite is not safe either.

[toughkrua]

If I look up "foo.bar" and do it from are local, I must understand thing what my current location in the local net which managed by some network administrator which have responsibility for it and, if I'm do not understand this, must watch for correlation between the managed network and global. Resolver must do his work, not more, not smaller, and not must take over the responsibility which belong to network administrators. Principles which you wish implement do not match for industrial approach.