
Your local nameserver should be configured to not forward unqualified names upstream.


Any time you say something 'should' be something, it's an indication that sometimes it's not.


There is no such thing as unqualified names at this level. All domain names are fully qualified, and comprise one or more labels.


I'm referring not to a recursive nameserver, but to a caching one that simply forwards queries to an upstream resolver. Like the one in every consumer router. Usually that's dnsmasq, with this option:

       -D, --domain-needed
              Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
              or domain parts, to upstream nameservers. If the name is not known from
              /etc/hosts or DHCP then a "not found" answer is returned.


That is not an unqualified domain name, and notice that it does not say that it is.

* http://jdebp.uk./FGA/dns-name-qualification.html

And the words that you are looking for are "resolving" and "forwarding". A proxy DNS server either does query resolution itself or forwards to another proxy DNS server that does. Both sorts can cache, so whether something is a caching server is not the distinction. dnsmasq is choosing whether to forward the query or to do query resolution itself (using a local data source) according to the number of labels in the domain name. As I said, at this level the idea of domain name qualification does not apply.

You are also mis-using "resolver", incidentally. The actual meaning of "resolver" per RFC 1034 is not what people sometimes think it to be. Avoid using "resolver". The mis-use creates confusion.

See https://news.ycombinator.com/item?id=15232208 .
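The forwarding decision discussed in the two comments above (dnsmasq's --domain-needed option and the label-count view of it), modelled as an added Python example. This is illustrative code, not dnsmasq's own; the hosts table is constructed sample data standing in for /etc/hosts and DHCP leases.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for /etc/hosts and DHCP leases: plain name -> record type -> address.
LOCAL_HOSTS: Dict[str, Dict[str, str]] = {
    "printer": {"A": "192.168.1.20"},
    "nas": {"A": "192.168.1.30"},
}


def label_count(qname: str) -> int:
    """Count the labels in a domain name.

    The trailing dot denotes the root and is not a label, so "nas." and "nas"
    are both one label: fully qualified, yet still a "plain name" to dnsmasq.
    """
    return len([label for label in qname.rstrip(".").split(".") if label])


def decide(qname: str, qtype: str, domain_needed: bool = True) -> Tuple[str, Optional[str]]:
    """Return (action, answer) where action is 'local', 'not_found' or 'forward'.

    Mirrors the man page text quoted above: with --domain-needed, an A or AAAA
    query for a single-label name is answered from the local table or gets a
    "not found" answer; it is never sent upstream. Every other query is forwarded.
    """
    plain = label_count(qname) == 1
    if domain_needed and plain and qtype in ("A", "AAAA"):
        records = LOCAL_HOSTS.get(qname.rstrip(".").lower(), {})
        if qtype in records:
            return "local", records[qtype]
        # Known name without a record of this type, or unknown name: stays local either way.
        return "not_found", None
    return "forward", None


def leaked_upstream(queries, domain_needed: bool = True):
    """Names from a list of (qname, qtype) pairs that would reach the upstream server.

    Useful for checking which internal hostnames a given setting would disclose.
    """
    return [q for q, t in queries if decide(q, t, domain_needed)[0] == "forward"]
```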


How many people know how to configure their local name server outside of the HN crowd?


This is the default configuration in all consumer routers I've seen. Granted, that's not very many.


So how does it resolve com then? Or the (small number of) sites that are on the TLD.


It doesn't. It's not a recursive resolver. It forwards qualified names (those including a dot) to the upstream nameserver (the ISP's).


My local nameserver is run by Comcast!


Really? Your router does not have a caching nameserver built in?




