Noticed some strange DNS behavior today on my 'node in Newark. If I try to resolve a nonexistent hostname that is a subdomain of anything in the root zone, it searches under .members.linode.com:

$ host nonexistent-example.com
Host nonexistent-example.com.members.linode.com not found: 5(REFUSED)

If I try to resolve a bogus hostname that's not in the root zone hierarchy, I get an NXDOMAIN, as it should be.

$ host steve.jobs
Host steve.jobs.members.linode.com not found: 5(REFUSED)
$ host bill.gates
Host bill.gates not found: 3(NXDOMAIN)

My /etc/resolv.conf:

domain members.linode.com
search members.linode.com
nameserver 97.107.133.4
nameserver 207.192.69.4
nameserver 207.192.69.5

I definitely used to get all NXDOMAINs for these types of queries on this box. Any ideas?

When you look up a non-fully qualified domain name (i.e., one that doesn't end in "."), and it doesn't exist, the resolver then tries looking up "<the name>.<your search domain from resolv.conf>". For some reason, Linode's recursive nameservers return REFUSED for things like com.members.linode.com. 'host' thinks that's weird, so it returns an error.

'host' is doing the .members.linode.com. lookup for "bill.gates", too; it just doesn't tell you about it because it received an ordinary NXDOMAIN.

_________________
Matt Nordhoff (aka Peng on IRC)

OK, so that's what changed. The resolvers in the other Linode datacenters I have access to don't seem to be refusing those queries. Weird. Is this just Newark? Any way to fix this behavior, other than not using the linode search domain in resolv.conf?

I wonder why the resolvers are only refusing those queries where the most significant level under members.linode.com is in the root zone. I can't think of a good reason for it.

If it only happens in newark I'd raise a ticket and ask support.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

I can confirm the odd behaviour in Dallas. And so can you -- the US recursive nameservers are open to any US node. (London is not, for some reason.)

I'm not filing a ticket about it, though.

_________________
Matt Nordhoff (aka Peng on IRC)