DNS just started resolving the server.prod addresses to 127.0.53.53

domain-name-systemtld

I have servers named like server.prod.example.com, and I regularly log into them as server.prod. Recently, these hostnames started resolving to 127.0.53.53.

It turns out that ICANN recently enabled the .prod TLD. In addition, every request that goes to the .prod nameservers get resolved to 127.0.53.53 instead of coming back as NXDOMAIN, which would allow resolution to continue to work properly. (I'm guessing the point behind this is to let people know that their stuff will break worse before those start resolving to something real.)

How can I avoid having to type in my domain name for every host like this?

Is this still biting you occasionally? I couldn't find a list of new TLDs and when they were added, so I set one up myself: https://twitter.com/newgtldannounce

Best Answer

When you see internal domains suddenly resolve to 127.0.53.53 you have a namecollision and ICANN is trying to tell you that you urgently need to fix your DNS configuration.
If it would return NXDOMAIN like you suggested, you are correct, it would continue to work - for now.

It would also leak your internally intended DNS query to outside parties.

Worse, in the future someone could register server.prod and cause you much more trouble.

See here for more information https://icann.org/namecollision or run:

$ dig -t TXT server.prod +short
"Your DNS configuration needs immediate attention see https://icann.org/namecollision"

As to how to resolve this: Depends on the use case, I probably would just add them to .ssh/config with the short names. Or start using the FQDNs really.

Related Solutions

The recommended client DNS config for resolving internal and external addresses

If you want things to work easily and painlessly, do the following:

Run Windows DNS servers only on Active Directory domain controller computers. (This insures they have copies of your Active Directory-integrated DNS zones).
Insure that your Windows DNS servers have either "Root Hints" specified (which is the case by default) or have a "Forwarder" specified referring to a DNS server at your IPS.
Verify that all Windows machines (servers and clients) have only Windows DNS servers specified as their DNS servers. (No non-Windows DC-based DNS servers should be specified in any server, client, or DHCP configurations.)
Verify that your firewall rules permit the Windows DNS servers outbound UDP port 53 to the Internet (either the entire 'net, if you're using "Root Hints" or your ISP DNS servers, if you're using "Forwarders").

This is the recommended configuration from Microsoft and will result in both Internet and internal name resolution w/o "leaking" dynamic registration requests from Windows machines to your ISP or other external DNS servers.

This answer is rather assumptive, but being that you mentioned SBS it's likely that this is a fairly simplistic network and the above is your most painless way to get what you're looking for moving forward.

If it were me, BTW, I'd use root hints rather than forwarders. I don't trust my ISP not to do nasty things with DNS (respond with their own "serach engine" site rather than returing NXDOMAIN's for invalid domain names, etc).

DNS not resolving on Virtualmin

So after taking a break and coming back to the problem and a little help from the virtualmin forums this is why the nameservers were not responding:

The name.conf file was completely set up for local use only. I was under the impression that virtualmin was supposed to take care of this but as I said before I am very new at this. When I added the IP manually to named.conf I should have also changed:

allow-query { localhost; };

allow-query { any; };

Hopefully this will be of some use to those who encounter a similar situation.

Best Answer

Related Solutions

The recommended client DNS config for resolving internal and external addresses

DNS not resolving on Virtualmin

Related Topic