Subject: Is there any point to full host names in /etc/hosts ?
From: Rikishi 42
Date: 11/2/2007 12:44:11 PM
This is the situation: a friend and I both use a broadband router with a few
machines behind them, at our respective homes. We each picked a name for our
'domain'. His is fictional. Mine also exists on the net, but with only the
www and ftp of rikishi42.net defined in the DNS, not my home machines.
He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
visits and connects it to my LAN.
This would be a sample from that file:
# Home net
192.168.108.101 desktop.myDomain desktop
192.168.108.124 laptop.myDomain laptop
192.168.108.101 server.myDomain server
#Rikishi's net
192.168.8.142 gramps.rikishi42.net gramps
192.168.8.181 pigmy.rikishi42.net pigmy
We've always used this, works just fine.
When connecting to my machines, he's always used the short (host only)
name. Last time, he accidentally tried with the full name. It failed.
My guess is that, upon finding that rikishi42.net exists, there is an
attempt to get the address from the DNS, skipping hosts all together.
But do I presume correctly, or is there more to it?
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: Paul Colquhoun
Date: 11/2/2007 6:49:08 PM
On Fri, 2 Nov 2007 12:44:11 +0100, Rikishi 42 <skunkworks@rikishi42.net> wrote:
| This is the situation: a friend and I both use a broadband router with a few
| machines behind them, at our respective homes. We each picked a name for our
| 'domain'. His is fictional. Mine also exists on the net, but with only the
| www and ftp of rikishi42.net defined in the DNS, not my home machines.
|
| He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
| visits and connects it to my LAN.
|
| This would be a sample from that file:
|
| # Home net
| 192.168.108.101 desktop.myDomain desktop
| 192.168.108.124 laptop.myDomain laptop
| 192.168.108.101 server.myDomain server
| #Rikishi's net
| 192.168.8.142 gramps.rikishi42.net gramps
| 192.168.8.181 pigmy.rikishi42.net pigmy
|
|
| We've always used this, works just fine.
| When connecting to my machines, he's always used the short (host only)
| name. Last time, he accidentally tried with the full name. It failed.
|
|
| My guess is that, upon finding that rikishi42.net exists, there is an
| attempt to get the address from the DNS, skipping hosts all together.
|
| But do I presume correctly, or is there more to it?
/etc/nsswitch.conf determines whether DNS or /etc/hosts is checked
first, and whether the other is checked at all.
Sounds like your friend might have DNS first. The second choice is
generally only checked if the first fails (i.e. DNS is unreachable). If
DNS returns a "host does not exist" error, that does not trigger a fall
back to /etc/hosts.
--
Reverend Paul Colquhoun, ULC. http://andor.dropbear.id.au/~paulcol
Asking for technical help in newsgroups? Read this first:
http://catb.org/~esr/faqs/smart-questions.html#intro
Subject: Is there any point to full host names in /etc/hosts ?
From: Rikishi 42
Date: 11/2/2007 8:28:05 PM
On 2007-11-02, Ashish Shukla <wahjava@gmail.com> wrote:
>| We've always used this, works just fine.
>| When connecting to my machines, he's always used the short (host only)
>| name. Last time, he accidentally tried with the full name. It failed.
>
> How is he trying to connect to your box ? And are you sure, it failed at
> name resolution step, not something like connection etc. ? To resolve
> a hostname yourself, you can try "getent hosts <hostname>" .
Connection is OK, since the short names worked.
Thanks for getent, I learned something.
>| My guess is that, upon finding that rikishi42.net exists, there is an
>| attempt to get the address from the DNS, skipping hosts all together.
>
>| But do I presume correctly, or is there more to it?
>
> It all depends on "/etc/nsswitch.conf"'s "hosts" entry. Usually
> "hosts" entry has "files" first and then "dns". But anyways, even if
> order is reverse, then also it should work, if it is not able to
> resolve from DNS.
>
> Anyways I added your records in my /etc/hosts and it is able to
> resolve 'gramps.rikishi42.net' without any problems.
That would confirm that his nsswitch is not set correctly.
Thanks for the info.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: Rikishi 42
Date: 11/2/2007 8:25:42 PM
On 2007-11-02, Paul Colquhoun <postmaster@andor.dropbear.id.au> wrote:
> /etc/nsswitch.conf determines whether DNS or /etc/hosts is checked
> first, and whether the other is checked at all.
Didn't know that one, thanks. I'll check it out.
> Sounds like your friend might have DNS first. The second choice is
> generally only checked if the first fails (i.e. DNS is unreachable). If
> DNS returns a "host does not exist" error, that does not trigger a fall
> back to /etc/hosts.
Seems exactly what I feared. I'll check his config, next time he visits.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/2/2007 2:58:41 PM
On Fri, 2 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in article
<b5frv4-0qn.ln1@whisper.very.softly>, Rikishi 42 wrote:
>He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
>visits and connects it to my LAN.
>
>This would be a sample from that file:
>
># Home net
>192.168.108.101 desktop.myDomain desktop
>192.168.108.124 laptop.myDomain laptop
>192.168.108.101 server.myDomain server
Minor quibble - a given hostname OR IP address should appear on one
line only.
>#Rikishi's net
>192.168.8.142 gramps.rikishi42.net gramps
>192.168.8.181 pigmy.rikishi42.net pigmy
>
>We've always used this, works just fine.
>When connecting to my machines, he's always used the short (host only)
>name. Last time, he accidentally tried with the full name. It failed.
Might be interesting to know what is in /etc/resolv.conf - domain or
search lines?
>My guess is that, upon finding that rikishi42.net exists, there is an
>attempt to get the address from the DNS, skipping hosts all together.
No - how would it know that a domainname exists in DNS without asking
the DNS?
>But do I presume correctly, or is there more to it?
There are two files that control the order in which the hosts file or
DNS is consulted. Older applications used /etc/host.conf, and this
has a simple line that reads
order hosts,bind
which translates to 'check the hosts file, and if the hostname is not
found, check DNS'. The second (more modern file) is /etc/nsswitch.conf
which has its own man page
[compton ~]$ whatis nsswitch.conf
nsswitch.conf [nsswitch] (5) - System Databases and Name Service Switch
configuration file
[compton ~]$
and a common configuration might be
hosts: files nisplus nis dns
which translates to 'check the hosts file, and if the hostname is not
found, check NIS+ and if the hostname is not found check NIS, and if the
hostname is not found check DNS". This line might be shortened by
eliminating the NIS terms if you don't have NIS or NIS+ servers on your
LAN (most don't).
The other possible problem is the '/etc/resolv.conf' file, and the
brain-dead use of 'domain' and/or 'search' lines. These lines allow
use of short names in DNS - which may or may not be a massive security
hole. There are a number of man pages you can look at - start with
'gethostbyname', 'resolver (5)' and 'hostname'.
Perhaps the best way to troubleshoot DNS problems is to simply use a
packet sniffer and LOOK at the questions (and answers) you are tossing
at the name server.
/usr/sbin/tcpdump -ni eth0 port 53
might give the clues needed. The DNS-HOWTO offers some assistance if
you don't know what this dialog should look like.
Old guy
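The lookup order that Moe Trin, Paul and Ashish describe, and the one-line-per-host quibble above, as a toy simulation added for this thread. It is not glibc's NSS and not code from anyone in the thread; it never reads the real /etc/hosts or /etc/nsswitch.conf. The hosts file is a constructed copy of the one posted (duplicate IP kept on purpose), and the DNS table, the `dns_up` flag and the function names are constructed for the illustration. It applies the default actions documented in nsswitch.conf(5) (SUCCESS stops the walk, anything else continues) and, going a little beyond the thread, also parses the `[STATUS=action]` brackets so the stop-on-negative-DNS-answer case can be compared side by side with the default.

```python
"""Toy model of the hosts lookup order the thread discusses. Added example for
this thread, not glibc code: it never touches the real /etc/hosts or
/etc/nsswitch.conf. The sample hosts file, the DNS table, 'dns_up' and the
function names are constructed for the illustration."""
import re

# Constructed copy of the hosts file posted in the thread (duplicate IP kept).
HOSTS_FILE = """\
# Home net
192.168.108.101 desktop.myDomain desktop
192.168.108.124 laptop.myDomain laptop
192.168.108.101 server.myDomain server
#Rikishi's net
192.168.8.142 gramps.rikishi42.net gramps
192.168.8.181 pigmy.rikishi42.net pigmy
"""

# Constructed stand-in for the public DNS: only www and ftp are published.
PUBLIC_DNS = {
    "www.rikishi42.net": "203.0.113.10",
    "ftp.rikishi42.net": "203.0.113.11",
}


def _entries(text):
    """Yield (lineno, ip, [names]) for each non-comment line of a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            yield lineno, ip, names


def parse_hosts(text):
    """Return {name: ip}; the first line that mentions a name wins."""
    table = {}
    for _, ip, names in _entries(text):
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lint_hosts(text):
    """List hostnames or IPs that appear on more than one line."""
    seen_ip, seen_name, problems = {}, {}, []
    for lineno, ip, names in _entries(text):
        if ip in seen_ip:
            problems.append(f"line {lineno}: IP {ip} already on line {seen_ip[ip]}")
        seen_ip.setdefault(ip, lineno)
        for name in names:
            key = name.lower()
            if key in seen_name:
                problems.append(f"line {lineno}: name {name} already on line {seen_name[key]}")
            seen_name.setdefault(key, lineno)
    return problems


def parse_nsswitch_hosts(line):
    """Turn 'hosts: files [NOTFOUND=return] dns' into [(source, {STATUS: action})]."""
    order = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
        if tok.startswith("[") and order:
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                order[-1][1][status.upper()] = action.lower()
        else:
            order.append((tok.lower(), {}))
    return order


def resolve(name, nsswitch_line, hosts_text=HOSTS_FILE, dns=PUBLIC_DNS, dns_up=True):
    """Walk the sources in order. Returns (ip or None, [(source, status), ...]).

    Default actions follow nsswitch.conf(5): SUCCESS=return, any other
    status continues to the next source unless an explicit [STATUS=return]
    says otherwise."""
    hosts = parse_hosts(hosts_text)
    key = name.lower()
    result, trace = None, []
    for source, actions in parse_nsswitch_hosts(nsswitch_line):
        if source == "files":
            found = hosts.get(key)
            status = "SUCCESS" if found else "NOTFOUND"
        elif source == "dns" and dns_up:
            found = dns.get(key)
            status = "SUCCESS" if found else "NOTFOUND"
        else:  # dns with no server reachable, or nis/nisplus with no server on the LAN
            found, status = None, "UNAVAIL"
        trace.append((source, status))
        if status == "SUCCESS":
            result = found
        if actions.get(status, "return" if status == "SUCCESS" else "continue") == "return":
            break
    return result, trace


if __name__ == "__main__":
    for problem in lint_hosts(HOSTS_FILE):
        print("hosts lint:", problem)
    for line in ("hosts: files dns", "hosts: dns files", "hosts: dns [NOTFOUND=return] files"):
        print(f"{line!r:45} -> {resolve('gramps.rikishi42.net', line)}")
```

Run as a script it prints the duplicate-IP lint hit for the posted file and then resolves gramps.rikishi42.net under the three orders: files first and the plain dns-first line both end at the hosts entry, while `dns [NOTFOUND=return] files` stops at the public DNS's negative answer and returns nothing, which is the symptom described for the laptop. On a real machine the check is `getent hosts gramps.rikishi42.net` next to the `hosts:` line of /etc/nsswitch.conf.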
Subject: Is there any point to full host names in /etc/hosts ?
From: Unruh
Date: 11/3/2007 6:33:38 AM
Rikishi 42 <skunkworks@rikishi42.net> writes:
>This is the situation: a friend and I both use a broadband router with a few
>machines behind them, at our respective homes. We each picked a name for our
>'domain'. His is fictional. Mine also exists on the net, but with only the
>www and ftp of rikishi42.net defined in the DNS, not my home machines.
>He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
>visits and connects it to my LAN.
>This would be a sample from that file:
># Home net
>192.168.108.101 desktop.myDomain desktop
>192.168.108.124 laptop.myDomain laptop
>192.168.108.101 server.myDomain server
>#Rikishi's net
>192.168.8.142 gramps.rikishi42.net gramps
>192.168.8.181 pigmy.rikishi42.net pigmy
>We've always used this, works just fine.
>When connecting to my machines, he's always used the short (host only)
>name. Last time, he accidentally tried with the full name. It failed.
>My guess is that, upon finding that rikishi42.net exists, there is an
>attempt to get the address from the DNS, skipping hosts all together.
It depends on whether he told his system to look for the address in hosts
or in dns first.
/etc/hosts.conf and /etc/nsswitch.conf
>But do I presume correctly, or is there more to it?
>--
>There is an art, it says, or rather, a knack to flying.
>The knack lies in learning how to throw yourself at the ground and miss.
>Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: Rikishi 42
Date: 11/3/2007 6:51:16 PM
On 2007-11-03, Send <Send@Nospam.com> wrote:
> Rikishi 42 wrote:
>> This is the situation: a friend and I both use a broadband router with a few
>> machines behind them, at our respective homes. We each picked a name for our
>> 'domain'. His is fictional. Mine also exists on the net, but with only the
>> www and ftp of rikishi42.net defined in the DNS, not my home machines.
>>
>
> stealing - Using someone else's domain name is unethical. Bottom line
> "IT'S NOT YOURS"
Yes it is. Read the headers...
> 192.168.xxx.xxx addresses are private network addresses and usually not
> forwarded upstream by a router. Can you imagine what would happen if
> everyone using the same addresses allowed all their network traffic to
> reach the www. There would be mass collisions. Not to mention that your
> private network is no longer "private".
>
> Be forewarned of the security implications
Are you on medication? Or did you just miss the original post?
>> My guess is that, upon finding that rikishi42.net exists, there is an
>> attempt to get the address from the DNS, skipping hosts all together.
>>
>> But do I presume correctly, or is there more to it?
>>
>
> Why bother with all this ? Do it right. Just use the name & IP address
> that has been assigned to you by your ISP. If you are assigned a
> dynamic (IP address changes from time to time) which they normally are
> then use a FREE service like DynDns and have your own "REAL" domain ...
>
> "YOU".dyndns.org
>
> they have several domain you can pick from other than dyndns.org. There
> are programs you can run that will update the Dyndns listing
> automatically when your ISP changes your IP address.
>
> Dns lookup Work ... Other friends anywhere can reach your machine and you
> will NOT be blocked by upstream routers.
You *are* stoned out of your mind, aren't you. :-)
Please, please read the original post, and grep it.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: Rikishi 42
Date: 11/3/2007 6:57:16 PM
On 2007-11-02, Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> On Fri, 2 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in article
><b5frv4-0qn.ln1@whisper.very.softly>, Rikishi 42 wrote:
>
>>He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
>>visits and connects it to my LAN.
>>
>>This would be a sample from that file:
>>
>># Home net
>>192.168.108.101 desktop.myDomain desktop
>>192.168.108.124 laptop.myDomain laptop
>>192.168.108.101 server.myDomain server
>
> Minor quibble - a given hostname OR IP address should appear on one
> line only.
That would be my fault, I messed up the example. In the real file, there are
no double entries.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Is there any point to full host names in /etc/hosts ?
From: Unruh
Date: 11/3/2007 6:30:35 PM
Send <Send@Nospam.com> writes:
>Rikishi 42 wrote:
>> This is the situation: a friend and I both use a broadband router with a few
>> machines behind them, at our respective homes. We each picked a name for our
>> 'domain'. His is fictional. Mine also exists on the net, but with only the
>> www and ftp of rikishi42.net defined in the DNS, not my home machines.
>>
>stealing - Using someone else's domain name is unethical. Bottom line
>"IT'S NOT YOURS"
Uh, stealing? Why not call it treason? Or terrorism? That is just as irrelevant
and just as big a misuse of legal term, but more liable to get him into trouble.
I agree that using a domain name that is someone else's is stupid, but it is
also self limiting, since the net dns servers know only one legitimate
address for the name, and will always use that, which will mean that any
attempt to contact the miscreant will fail. I.e., this is one crime which
comes with its own punishment.
Now if he uses someone elses IP address and he happens to be the on the same
subnet, then that is problematic but likely to be severely dealt with by
whoever is responsible for that subnet.
>> He's added 2 of my PC's in the /etc/hosts of his laptop, for use when he
>> visits and connects it to my LAN.
>>
>> This would be a sample from that file:
>>
>> # Home net
>> 192.168.108.101 desktop.myDomain desktop
>> 192.168.108.124 laptop.myDomain laptop
>> 192.168.108.101 server.myDomain server
>> #Rikishi's net
>> 192.168.8.142 gramps.rikishi42.net gramps
>> 192.168.8.181 pigmy.rikishi42.net pigmy
>>
>192.168.xxx.xxx addresses are private network addresses and usually not
>forwarded upstream by a router. Can you imagine what would happen if
>everyone using the same addresses allowed all their network traffic to
>reach the www. There would be mass collisions. Not to mention that your
>private network is no longer "private".
>Be forewarned of the security implications
>>
>> We've always used this, works just fine.
>> When connecting to my machines, he's always used the short (host only)
>> name. Last time, he accidentally tried with the full name. It failed.
>>
>>
>> My guess is that, upon finding that rikishi42.net exists, there is an
>> attempt to get the address from the DNS, skipping hosts all together.
>>
>> But do I presume correctly, or is there more to it?
>>
>Why bother with all this ? Do it right. Just use the name & IP address
>that has been assigned to you by your ISP. If you are assigned a
>dynamic (IP address changes from time to time) which they normally are
>then use a FREE service like DynDns and have your own "REAL" domain ...
> "YOU".dyndns.org
>they have several domain you can pick from other than dyndns.org. There
>are programs you can run that will update the Dyndns listing
>automatically when your ISP changes your IP address.
>Dns lookup Work ... Other friends anywhere can reach your machine and you
>will NOT be blocked by upstream routers.
Subject: Is there any point to full host names in /etc/hosts ?
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/4/2007 3:02:36 PM
On Sun, 04 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <472de7fd$0$3510$8404b019@news.wineasy.se>, David Brown wrote:
>Moe Trin wrote:
>> Minor quibble - a given hostname OR IP address should appear on one
>> line only.
>If you are using the hosts file to avoid web advertisements or other
>sites you want to avoid, the hosts file generally contains a long list
>of "127.0.0.1 ads.doubleclick.net" lines, with every line resolving to
>the same IP address. Is there some problem with lists like that?
Generally that technique slows things down. In theory, you can list
multiple host _names_ on each line (and the lines can be long), but
_any_ IP address in the range 127.0.0.0 through 127.255.255.254 resolves
to 'localhost'.
[compton ~]$ ping -qc 1 127.0.0.0
PING 127.0.0.0 (127.0.0.0): 56 data bytes
--- 127.0.0.0 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
[compton ~]$ ping -qc 1 127.2.3.4
PING 127.2.3.4 (127.2.3.4): 56 data bytes
--- 127.2.3.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
[compton ~]$ ping -qc 1 127.255.255.254
PING 127.255.255.254 (127.255.255.254): 56 data bytes
--- 127.255.255.254 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
[compton ~]$
so you could put 4,294,967,295 lines in there. Might take a bit of
extra RAM on your part, and would slow your browsing to a crawl, but
it's possible. (Running your own DNS would probably be quicker.)
Old guy
Subject: Is there any point to full host names in /etc/hosts ?
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/7/2007 2:03:17 PM
On Tue, 06 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <jwv8x5a3ejy.fsf-monnier+comp.os.linux.networking@gnu.org>,
Stefan Monnier wrote:
>> You're adding another chance for spoofing, unless you are able to
>> verify that the host claiming to be 'foo.example.com' really is.
>
>AFAIK dnsmasq will always add its domain name to those names, so if
>the host requests "foo" he'll get for example "foo.home".
I don't use dnsmasq, either as a DNS or DHCP server, but that appears
to be the function of the '-s' option.
>I'm not even sure if "foo.example.com" would be accepted (and turned
>into foo.example.com.home) or just rejected, but in any case it
>doesn't seem like a big security risk.
I was assuming this was 'example.com' - but what do you do if the
host that _should_ be 'bar.example.com' comes up claiming to be
'foo.example.com'? Bear in mind that a lot of network cards will
accept a '/sbin/ifconfig hw ether 01:02:03:04:05:06 eth0' command,
and thus you can't trust the MAC address. If you are using a switched
network, and the switch remembers which MAC/IP is on which port, it
might cause problems, but few people hard-code their switches.
>> Very true. It was never designed for that function. But don't
>> forget that this was also the era of the Berkeley 'r' commands, and
>> the network authentication based on hostnames.
>
>I believe this is unfair to DHCP: this is a protocol for LANs, not for
>the Internet...
I really haven't met anyone using 'r' commands over the Internet yet,
but RFC2827 and RFC3704 (plus a minimum of common sense on the part
of who-ever set up the local network) should eliminate that problem.
>a very different context. And it's not clear to me what a safer
>system could look like anyway.
Context is very important. Where I work, computers are not moving
around, and we have an adequate number of IP addresses (no need for
DHCP), and very few of our users have elevated privileges (makes a
number of tricks harder to pull off). The networks are monitored, and
punishment for malefactors is harsh. The "average" home user is
in a different realm, lacking technical skills to configure their
computer on the cable/DSL/telephone/what-ever connection their ISP
provides. Much of the security depends on the way the ISP has things
tightened down, but the results are the same - not much _local_
spoofing. The problem occurs outside of these situations.
As for a "safer" system, how about RFC3118 (possibly including
RFC4030 if the local network needs this)?
3118 Authentication for DHCP Messages. R. Droms, W. Arbaugh, Eds..
June 2001. (Format: TXT=35536 bytes) (Status: PROPOSED STANDARD)
4030 The Authentication Suboption for the Dynamic Host Configuration
Protocol (DHCP) Relay Agent Option. M. Stapp, T. Lemon. March 2005.
(Format: TXT=34332 bytes) (Status: PROPOSED STANDARD)
I have no need for either, so have no experience to say whether or not
this is the solution. Certainly a word search in the man page of
dnsmasq fails to turn up a case-insensitive hit for 'authe'.
Old guy
Subject: Is there any point to full host names in /etc/hosts ?
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/7/2007 2:04:16 PM
On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <4731f293$0$3218$8404b019@news.wineasy.se>, David Brown wrote:
>Moe Trin wrote:
>> I don't use dnsmasq, but I suspect you want to look at the -A option.
>
>It's the -H option (or --addn-hosts, which I use in the conf file). I
>don't see any -A option.
-A, --address=/<domain>/[domain/]<ipaddr>
Specify an IP address to return for any host in the given
domains. Queries in the domains are never forwarded and always
replied to with the specified IP address which may be IPv4 or
IPv6. To give both IPv4 and IPv6 addresses for a domain, use
repeated -A flags. Note that /etc/hosts and DHCP leases override
this for individual names. A common use of this is to redirect
the entire doubleclick.net domain to some friendly local web
server to avoid banner ads. The domain specification works in the
same was as for --server, with the additional facility that /#/
matches any domain. Thus --address=/#/1.2.3.4 will always return
1.2.3.4 for any query not answered from /etc/hosts or DHCP and
not sent to an upstream nameserver by a more specific --server
directive.
At least that's what it says on the man page I have ;-)
>> You may need to be careful if you are grabbing updates for windoze
>> systems, as they frequently use a network bandwidth provider such as
>> akamai to do the actual delivery. There are other applications in
>> addition to those used by windoze that MAY use a bandwidth provider.
>
>Yes, it's important to be careful to avoid blocking useful domains that
>also host adverts. On the other hand, windows updates often cause more
>harm than good, so blocking them might be a good plan!
I've had reports from my users who have run into this problem with their
home installations. It's usually overly aggressive filtering/blocking on
their part. I dunno about windoze - I stopped using that in 1992.
>I didn't see the -A option you mention, but the -H option loads a whole
>file, and it's possible to use it many times (thus the downloaded file
>would be in addition to the dns / dhcp server's own /etc/hosts and
>another list I have for local machines).
Above - The man page I have is about 900 lines long, and the -A option
is about line 250.
>While I've use lynx a few times, I really don't think there are many
>others in my company who would be happy with it! I've bullied them all
>into using Firefox or Opera, and threatened them with wire cutters (for
>their network cables, of course) if they ever use IE, but there's a
>limit to my authority :-(
Well, you could always set up a local proxy server (and block outbound
access to port 80 from all but that server) and configure it to abuse the
users who try to connect using IE... but you may not win many friends by
doing so ;-)
Old guy
Subject: Is there any point to full host names in /etc/hosts ?
From: ibuprofin@painkiller.example.tld (Moe Trin)
Date: 11/7/2007 7:55:17 PM
On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <473236ae$0$3209$8404b019@news.wineasy.se>, David Brown wrote:
>Moe Trin wrote:
>> At least that's what it says on the man page I have ;-)
>
>I don't know how I missed that before, but the option is in my man
>page now!
I just grabbed the page off the 'net, as it's not installed on any of
the systems here. The source appears to be
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html.
>As far as I can see, the -H option works like a file full of -A lines,
>and is thus more convenient for me.
That's one way to do it. Our DNS servers are updated via a dumb script
that uses a file very much like the hosts file as a source, but it also
creates the separate forward and reverse zones, and then kicks the
primary name server to update things. We don't have external IPs in
the zone files as we aren't authoritative for them.
>> Well, you could always set up a local proxy server (and block
>> outbound access to port 80 from all but that server) and configure
>> it to abuse the users who try to connect using IE... but you may not
>> win many friends by doing so ;-)
>
>I intend to set up a proxy server sometime (I'm going to test out
>squid with clamd virus scanning, at least for web-based email sites
>which bypass the normal email scanner).
Why do you need web-based email sites? Doesn't your company run its
own mail system? Here, both Security and HR would be going ballistic
if our users even tried accessing those sites, never mind attempting
to do business through them. Company policy prohibits personal use of
computers or network, which is why we've got "Employee Association"
owned computers in the break areas and they're on a separate network
completely isolated from the company.
>I'll log access by IE rather than block it (as the IT man, I have few
>enough friends...)
You have friends... Wow. ;-) Seriously, I'm lucky here as
we don't use windoze at this facility - it's limited mainly to the
corporate and the regional sales offices which are on different subnets
thankfully. We also don't allow visiting computers. That eliminates a
lot of network problems.
Old guy