Networking – nslookup Fails but Ping Succeeds for Nonexistent Domains

Tags: domain-name-system, freebsd, networking, nslookup, ping

I have two different FreeBSD servers (different hosting companies), both exhibit this same behavior: They pick a specific IP address (216.239.120.238) for every domain that does NOT exist.

nslookup fails as it should:

$ nslookup thisdomainsurelydoesntexist.com
Server:         xx.xx.229.3
Address:        xx.xx.229.3#53

** server can't find thisdomainsurelydoesntexist.com: NXDOMAIN

dig gives me:

$ dig thisdomainsurelydoesntexist.com

; <<>> DiG 9.6.-ESV-R5-P1 <<>> thisdomainsurelydoesntexist.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thisdomainsurelydoesntexist.com. IN    A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1370378827 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: xx.xx.229.3#53(xx.xx.229.3)
;; WHEN: Tue Jun  4 16:05:02 2013
;; MSG SIZE  rcvd: 122

and ping gives me:

$ ping thisdomainsurelydoesntexist.com
PING phx2-ss-5-bug616849-lb.cnet.com (216.239.120.238): 56 data bytes
64 bytes from 216.239.120.238: icmp_seq=0 ttl=244 time=25.733 ms
64 bytes from 216.239.120.238: icmp_seq=1 ttl=244 time=20.460 ms
^C
--- phx2-ss-5-bug616849-lb.cnet.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.460/23.096/25.733/2.637 ms

Note that dig's final host name, nstld.verisign-grs.com, resolves to that IP.

What's the fix?

UPDATE: /etc/resolv.conf has two nameserver rows, each with an IP(v4) I got from my ISP.

But if I add a "search" row to resolv.conf, behavior changes: if "search mydomain.com" (i.e., my real domain name), everything resolves to it and I get my own IP. E.g., thisdomainsurelydoesntexist.com.mydomain.com. Not good. But if I set it to something else, like "search myispdomain.com", then everything works: existing domains resolve, and nonexistent ones don't.

But is that anything but an accident?

Thanks for the suggestions! Here's host -a, and the xx.xx.80.18 IP is the first nameserver in /etc/resolv.conf

$ host -a thisdomainsurelydoesntexist.com
Trying "thisdomainsurelydoesntexist.com"
Received 122 bytes from xx.xx.80.18#53 in 13 ms
Trying "thisdomainsurelydoesntexist.com"
Host thisdomainsurelydoesntexist.com not found: 3(NXDOMAIN)
Received 122 bytes from xx.xx.80.18#53 in 0 ms

My ISP just told me it could be because my hostname is of the form "mydomain.com" instead of "myhost.mydomain.com" (which is their recommended practice). I could see how that might fix it. Is that the thing to do? No downsides to it?

Also, very significantly, I should mention that this Python code works the same way ping does:

import _socket
_socket.getaddrinfo('thisdomainsurelydoesntexist.com', 80)

And many other Python modules are built on this core.

Best Answer

The system (particularly glibc, which handles name resolution) behaves erratically when the hostname of the server is a domain name. From the man page for resolv.conf:

The search list is normally determined from the local domain name; by default, it contains only the local domain name.

What this means in simple terms is that when a domain lookup fails (after nothing turns up in /etc/hosts and the resolver fails to return a useful result) the system will proceed to cheerfully remove the first part of the hostname - for example 'abcxyz.com' - and append the remainder as a search suffix.

Since '.com' is the search suffix produced by removing 'abcxyz' from the hostname, the system is appending '.com' as the search suffix for failed lookups, which produces results such as:

foobar-abcxyz.cz -> foobar-abcxyz.cz.com -> www.czjewelry.com

foobar-abcxyz.com -> foobar-abcxyz.com.com -> www.cnet.com

To correct for this, you will likely want to set the hostname of the server to a hostname such as 'hostname.abcxyz.com' instead of 'abcxyz.com' - which will in turn result in 'abcxyz.com' being appended as the search suffix by default.

As an interim measure, you can create a random MD5 checksum and add it to /etc/resolv.conf as an override for the search suffix:

uuidgen | md5sum
e930f5f4ba6ba7868b0cc6718bcef568 -

echo "search e930f5f4ba6ba7868b0cc6718bcef568" >>/etc/resolv.conf

This will append 'e930f5f4ba6ba7868b0cc6718bcef568' to failed DNS lookups instead of '.com' - which in turn results in the default behavior of failed lookups for nonexistent domains. Should you change the hostname to an actual hostname, this line can be removed.
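
The search-list fallback described in this answer, modelled as an added example (not part of the original answer or of any resolver's code). It assumes the resolv.conf(5) rules quoted above plus the default ndots of 1; the function names are hypothetical and PUBLIC_SUFFIXES is a short constructed sample standing in for the real Public Suffix List.

```python
# Simplified model of stub-resolver search-list handling (added example).
PUBLIC_SUFFIXES = {"com", "net", "org", "cz"}  # constructed sample, not the full list

def implicit_search_domain(hostname):
    """Local domain per resolv.conf(5): everything after the hostname's first dot."""
    _, dot, rest = hostname.rstrip(".").partition(".")
    return rest if dot else None

def effective_search_list(hostname, resolv_conf_text=""):
    """Explicit search/domain line if present (last one wins), else the implicit domain."""
    search = None
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("search", "domain"):
            search = fields[1:]
    if search is not None:
        return search
    implicit = implicit_search_domain(hostname)
    return [implicit] if implicit else []

def candidate_queries(name, search_list, ndots=1):
    """Names tried in order for one lookup; later ones only if earlier ones fail."""
    if name.endswith("."):  # trailing dot: fully qualified, search list is skipped
        return [name]
    searched = [f"{name}.{suffix}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [name + "."] + searched
    return searched + [name + "."]

def leaking_suffixes(search_list):
    """Search suffixes that are themselves public suffixes, e.g. 'com'."""
    return [s for s in search_list if s.strip(".").lower() in PUBLIC_SUFFIXES]

if __name__ == "__main__":
    lookup = "thisdomainsurelydoesntexist.com"
    for host in ("abcxyz.com", "hostname.abcxyz.com"):
        search = effective_search_list(host)
        print(f"hostname={host} search={search} leaking={leaking_suffixes(search)}")
        for query in candidate_queries(lookup, search):
            print("   would query:", query)
```

A non-empty result from leaking_suffixes means every failed lookup is retried inside a public zone, which is the case where tools built on getaddrinfo report an address for a name that dig and nslookup correctly return as NXDOMAIN.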