Why does one TW machine try to resolve its hostname via DNS?

Hi!

I have two networks with different ISPs. For one location the ISP messes around with DNS (DNSSEC, DoT), so I forward DNS via a tunnel (OpenVPN, now WireGuard) to the second location. This works fine for almost all machines (including different TW installs), except for one TW that doesn’t play nice with the setup.

For reasons I cannot understand, /etc/resolv.conf is correct (DNS from the remote network), but every time I start a browser, the TW machine sends a DNS request to the remote DNS server to resolve its own hostname:

1    2020-11-11 16:21:17.150646    aaa.bbb.ccc.3    xxx.yyy.zzz.1    DNS    86    Standard query 0x1f72 A myhostname.localdomain.home.arpa

and as the DNS server (unbound) in the network behind the tunnel does not know this domain/host, it replies with

2    2020-11-11 16:21:17.175907    xxx.yyy.zzz.1    aaa.bbb.ccc.3    DNS    54    Standard query response 0x1f72 Refused

and afterwards no further DNS traffic goes forward.

I deleted the wired interface in NetworkManager and created a new one. I switched to Wicked, rebooting each time. If I edit /etc/resolv.conf and enter the local router as DNS server, the machine resolves hostnames (e.g. ping google.com) correctly, but this DNS is not reliable and I don’t want to use it.

Can anybody enlighten me, why this machine is trying to resolve its hostname and how to turn this off?

Many thanks in advance!

Still no idea why the machine resolves its own name, but the “REFUSED” is resolved. The Wireguard tunnel did not add all remote subnets to the Access List of the local unbound…

Networking can be puzzling. Removing every configuration file and restarting every device involved works most of the time: https://forums.opensuse.org/showthread.php/545962-NetworkManager-no-longer-connects

The first thing to know about hostnames is that a machine can have many.
There is the one you configure in YaST that is preferred and is used internally, but for various purposes a machine and individual resources on the machine might have many.
As long as each name resolves correctly to the correct address, that is all you should be concerned about.

Regarding that first DNS query you posted, you should know that is not a normal DNS query (where you query what is the IP address for that name), it’s actually a reverse lookup (where your machine is inquiring what is its name on the network and might also be a type of query made for other IP addresses). If your VPN is set up correctly, your machine is properly using the DNS provided by the VPN (to prevent DNS leakage). DNS leakage is when someone like your ISP might not be able to know what happens within your VPN, but if you’re using the ISP’s DNS, then your ISP knows every Internet address you are likely visiting.

As you should already know, a functioning VPN DNS is not usually necessary to use the VPN: as long as your machine knows the Default Gateway of the VPN, your packets will be routed to the Internet. To resolve Internet addresses, you just need any DNS that can do the job. It would be different only if you were connected to something like a company VPN where you’d have company resources in the VPN, like a company file server.

Your machine is querying for its hostname because that’s how you are configured as the VPN client, it’s a standard DHCP setting. You can inspect your VPN network connection properties for what is usually a checkbox, but it might also be hardcoded in your VPN client setup (Most VPN administrators distribute a configuration package to Users to set up their VPNs so it’s not so difficult).

HTH,
TSU

Which browser? I see firefox querying for its hostname address on startup, but not chromium.

1    2020-11-11 16:21:17.150646    aaa.bbb.ccc.3    xxx.yyy.zzz.1    DNS    86    Standard query 0x1f72 A myhostname.localdomain.home.arpa

So this is a DNS query. Without any information about your system there is no way to decide whether this query is legitimate or not.

why this machine is trying to resolve its hostname and how to turn this off?

First you need to find out which application does it. If you say it happens on browser startup, then tell us which browser, and provide the full output of “tshark ‘port 53’” during browser startup (or whatever you use for packet capture), /etc/nsswitch.conf and /etc/resolv.conf.

There is only one hostname.

that is not a normal DNS query (where you query what is the IP address for that name), it’s actually a reverse lookup

Oh, so “A” query is reverse lookup. What a revelation.

Hi again, sorry for the delay!

Yep, it’s the usual suspect, Firefox (83.0). Output from the TW machine when starting FF:

cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd: compat
group:  compat
shadow: compat

hosts:          files mdns_minimal [NOTFOUND=return] dns
networks:       files dns

services:       files usrfiles
protocols:      files usrfiles
rpc:            files usrfiles
ethers:         files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files


cat /etc/resolv.conf 
### /etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf
### autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
search XXXXXXXX.home.arpa
nameserver 10.0.0.1


The nameserver (10.0.0.1) is on the other end of the Wireguard site-to-site.

And this is what I see when I open FF:

No.    Time    Source    Destination    Protocol    Length    Info
2    2020-12-01 15:04:40.063437    192.168.188.156    10.0.0.1    DNS    81    Standard query 0x9e5a A Dell6.XXXXXXX.home.arpa
3    2020-12-01 15:04:40.083632    10.0.0.1    192.168.188.156    DNS    158    Standard query response 0x9e5a No such name A Dell6.XXXXXXX.home.arpa SOA prisoner.iana.org
4    2020-12-01 15:04:40.084300    192.168.188.156    10.0.0.1    DNS    65    Standard query 0xbed4 A Dell6
5    2020-12-01 15:04:40.100444    10.0.0.1    192.168.188.156    DNS    140    Standard query response 0xbed4 No such name A Dell6 SOA a.root-servers.net
6    2020-12-01 15:04:40.125926    192.168.188.156    10.0.0.1    DNS    81    Standard query 0x955c A Dell6.XXXXXXX.home.arpa
7    2020-12-01 15:04:40.148068    10.0.0.1    192.168.188.156    DNS    158    Standard query response 0x955c No such name A Dell6.XXXXXXX.home.arpa SOA prisoner.iana.org
8    2020-12-01 15:04:40.148515    192.168.188.156    10.0.0.1    DNS    65    Standard query 0xe958 A Dell6
9    2020-12-01 15:04:40.168537    10.0.0.1    192.168.188.156    DNS    140    Standard query response 0xe958 No such name A Dell6 SOA a.root-servers.net
...


Only one hostname mapped to a machine?
One of a zillion responses to a Google search
What's an A Record? - DNSimple Help.

And, it’s pretty common.
So, a useful example might be if you run both a mail server and a website on the same machine.
Because people are used to associating the “www” hostname with a website and “mail” with a mailserver, it would make sense to create two A records (hostnames) pointing to the same IP address if both your web service and mail service are bound to the same IP address. You don’t have to do this, but it helps Admins use a hostname that follows convention… After all it would be strange to configure your mail client to connect to your mail server at www.yourdomain.com or connect to a website at mail.yourdomain.com.

And,
A reverse lookup record is not an A record, it’s a PTR record.

TSU

I wouldn’t be worried about your error unless something isn’t working.

All your output means is that

  • Your VPN DHCP is not configured to set a hostname given to you by DHCP
  • Your machine’s hostname as configured by you is of course unknown to the VPN network.
  • You apparently configured your machine with a name home.XXXXXX.Dell6 which of course does not likely match anything set up by the VPN administrator.

There might be situations where the client machine’s hostname would be important… eg If you’re authenticating to a business network security (like LDAP or AD) to access company resources. Then, you’ll likely need to either configure your machine’s hostname as part of your company’s security domain or allow your machine to have its hostname changed by DHCP. If you’re running Workgroup security, it’s probably convenient to allow your machine to identify itself with a hostname that’s part of the Workgroup, but not critically necessary (You can pass credentials including the Workgroup for instance when accessing a network share).

But, if you’re simply using the VPN to access the Internet without revealing your location and not access any company assets in the VPN, this is not something that’s important.

TSU

I’m the VPN (Wireguard) administrator.

I don’t want my local domain name and host name to be blown out the WAN interface. How to stop this Firefox nonsense (short of stopping using it, except if there are better non-Google options)?

It’s unbound on the remote router doing the DNS; is there anything I can do to stop it shouting out local domains via the WAN (yes, I will start looking at the router’s forums)…

So? Now I am rather confused what your question is. Your system behaves absolutely correctly: because the hostname is not present in /etc/hosts and is not resolved by mdns etc., it is queried using DNS, and the DNS query adds the domain name that is defined in the search path.

And this is what I see when I open FF:

No.    Time    Source    Destination    Protocol    Length    Info
2    2020-12-01 15:04:40.063437    192.168.188.156    10.0.0.1    DNS    81    Standard query 0x9e5a A Dell6.XXXXXXX.home.arpa

Well, Firefox wants to know IP address for its local hostname. I have no idea how to turn it off if it is possible at all. In any case, this question belongs to separate thread.

So to answer the question in this thread’s title: one of your applications wants to know the IP address associated with the (short) hostname of your system. It performs the query via /etc/nsswitch.conf using the configuration in the hosts entry. None of the resolvers configured before DNS returns a definitive answer, so it calls DNS, which does exactly what you told it to do.

To fix it you can

  1. Add an entry to /etc/hosts with a fixed address. This is the exact reason why SUSE (actually, already back in the SuSE days) traditionally added an entry with address 127.0.0.2 for the hostname: to make sure the hostname can always be resolved.
  2. Adjust /etc/resolv.conf when you connect to the VPN and change the search path to something your VPN DNS server understands.
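To make the mechanism described above concrete, here is an added example that is not from any poster in this thread. It simulates glibc’s search-list expansion with the default ndots:1 (an assumption, since the posted resolv.conf has no options line), which reproduces the order of the two queries in the capture (Dell6.XXXXXXX.home.arpa first, then the bare Dell6), and it implements the /etc/hosts fix from point 1 against a constructed copy of the file rather than the real /etc/hosts. The hostname Dell6 and the search domain XXXXXXX.home.arpa come from the capture; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: glibc-style resolver with
# the default "ndots:1"; the hosts file is passed in as an argument so nothing
# here touches the real /etc/hosts.

# Print, one per line, the names a glibc resolver would send to DNS for QNAME,
# given the resolv.conf "search" list (space separated) and the ndots value.
# A name with fewer than NDOTS dots is tried with each search suffix first and
# as given last; a name with at least NDOTS dots is tried as given first.
# A name ending in "." is absolute and never gets a suffix.
expand_search() {
    qname=$1; searchlist=$2; ndots=${3:-1}
    dots=$(printf '%s' "$qname" | tr -cd '.' | wc -c | tr -d ' ')
    case $qname in *.) printf '%s\n' "$qname"; return 0 ;; esac
    if [ "$dots" -ge "$ndots" ]; then printf '%s\n' "$qname"; fi
    for suffix in $searchlist; do
        printf '%s.%s\n' "$qname" "$suffix"
    done
    if [ "$dots" -lt "$ndots" ]; then printf '%s\n' "$qname"; fi
}

# Return 0 if hosts-format FILE already maps NAME (fields 2..NF of a
# non-comment line), 1 otherwise. This is the "files" step of the hosts line
# in nsswitch.conf; a miss here is what lets the query fall through to dns.
hosts_has_name() {
    file=$1; name=$2
    awk -v n="$name" '
        { sub(/#.*/, "") }                 # drop comments, re-split fields
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Append the traditional SUSE entry "127.0.0.2 <fqdn> <short>" to FILE if the
# short hostname is not already mapped, so "files" answers before "dns" is
# ever asked. Returns 0 if the file ends up containing the name.
ensure_hostname_entry() {
    file=$1; short=$2; domain=$3; addr=${4:-127.0.0.2}
    if hosts_has_name "$file" "$short"; then return 0; fi
    printf '%s\t%s.%s %s\n' "$addr" "$short" "$domain" "$short" >> "$file"
    hosts_has_name "$file" "$short"
}

# Constructed sample: the only line a stock Leap/TW /etc/hosts was reported
# to contain, so the hostname lookup falls through to DNS.
demo() {
    tmp=$(mktemp)
    printf '127.0.0.1\tlocalhost\n' > "$tmp"
    echo "DNS would see, in order:"
    expand_search Dell6 "XXXXXXX.home.arpa" 1
    if hosts_has_name "$tmp" Dell6; then echo "files: hit"; else echo "files: miss, falls through to dns"; fi
    ensure_hostname_entry "$tmp" Dell6 XXXXXXX.home.arpa
    if hosts_has_name "$tmp" Dell6; then echo "files: hit after adding 127.0.0.2 entry"; fi
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

Running it prints Dell6.XXXXXXX.home.arpa and then Dell6, the same two names and order as in the capture, and then shows the hosts file with the 127.0.0.2 line that makes the files step answer first. On a real system, getent hosts Dell6 is the quick way to see which nsswitch source currently answers.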

Eeehm, now I’m confused, as I didn’t provide /etc/hosts, so how do you know what’s in there?

And: I didn’t change anything in /etc/hosts, so why should this be my fault at all?

And: If “traditionally” 127.0.0.2 is provided, who changed the “tradition”?

If I understand correctly, /etc/hosts needs a line:

127.0.0.2 XXXX.home.arpa

On all Leaps and TWs I checked, the only entry was

127.0.0.1 localhost

No host/domain at all…

The question is: Why does Firefox request the local IP? To check for VPNs/TOR?

For the moment I added a domain override in unbound (remote, doing the DNS) to hand requests for the local domain back to the DNS handling the local domain.

The override is not functional, as the remote unbound can’t reach the “local” unbound (problem with WireGuard, maybe a firewall rule, I couldn’t make it work), but at least the request for the local domain is not handed to outside DNS servers; the client opening Firefox gets “ServFail” and after some retries Firefox gives up.

Not nice, but a solution of some kind.

Remains the question: Why does Firefox resolve the hostname without/with local domain at all?
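Added example, not from any poster in the thread: a check that can be run over the tshark/Wireshark text export posted above to tell whether names from the local domain are being answered by outside authorities. The assumption it encodes: the site’s own resolver should never hand back an NXDOMAIN for a name under the local search domain (or for a bare hostname) whose SOA belongs to someone else, and prisoner.iana.org / a.root-servers.net in the captured responses are exactly that. Lines 2 to 5 of the sample are the posted capture; lines 6 to 8 are constructed controls (a normal external NXDOMAIN and a local-domain NXDOMAIN answered by a local authority) that must not be flagged.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a text capture in the column
# layout pasted above (No., Time, Source, Destination, Protocol, Length, Info)
# and reports local-domain names whose "No such name" answer carries an SOA
# from outside the local domain, i.e. the query left the local resolver.

# Print "<qname> <soa-mname>" for every NXDOMAIN response in FILE whose query
# name is under LOCALDOMAIN or is a bare single label, and whose SOA MNAME is
# not under LOCALDOMAIN. Exit 0 if nothing leaked, 1 otherwise.
leaked_local_names() {
    file=$1; dom=$2
    awk -v dom="$dom" '
        # true if n equals d or ends in "." d
        function under(n, d) {
            return n == d || (length(n) > length(d) && substr(n, length(n) - length(d)) == ("." d))
        }
        /Standard query response/ && /No such name/ {
            name = ""; soa = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "name" && i + 2 <= NF) name = $(i + 2)   # "... No such name <type> <qname>"
                if ($i == "SOA"  && i + 1 <= NF) soa  = $(i + 1)   # authority that produced the NXDOMAIN
            }
            if (name == "" || soa == "") next
            internal = under(name, dom) || index(name, ".") == 0
            if (internal && !under(soa, dom)) { print name, soa; leaks++ }
        }
        END { exit leaks ? 1 : 0 }' "$file"
}

# Constructed capture: rows 2-5 are the posted lines (addresses as posted),
# rows 6-8 are controls that a correct resolver setup would also produce.
demo() {
    cap=$(mktemp)
    cat > "$cap" <<'EOF'
2    2020-12-01 15:04:40.063437    192.168.188.156    10.0.0.1    DNS    81    Standard query 0x9e5a A Dell6.XXXXXXX.home.arpa
3    2020-12-01 15:04:40.083632    10.0.0.1    192.168.188.156    DNS    158    Standard query response 0x9e5a No such name A Dell6.XXXXXXX.home.arpa SOA prisoner.iana.org
4    2020-12-01 15:04:40.084300    192.168.188.156    10.0.0.1    DNS    65    Standard query 0xbed4 A Dell6
5    2020-12-01 15:04:40.100444    10.0.0.1    192.168.188.156    DNS    140    Standard query response 0xbed4 No such name A Dell6 SOA a.root-servers.net
6    2020-12-01 15:04:41.000000    192.168.188.156    10.0.0.1    DNS    70    Standard query 0x1111 A nosuch.example.com
7    2020-12-01 15:04:41.020000    10.0.0.1    192.168.188.156    DNS    120    Standard query response 0x1111 No such name A nosuch.example.com SOA ns.example.com
8    2020-12-01 15:04:42.000000    10.0.0.1    192.168.188.156    DNS    120    Standard query response 0x2222 No such name A printer.XXXXXXX.home.arpa SOA ns.XXXXXXX.home.arpa
EOF
    if leaked_local_names "$cap" XXXXXXX.home.arpa; then
        echo "no local names were answered by outside authorities"
    else
        echo "the names above left the local resolver"
    fi
    rm -f "$cap"
}
demo
```

On the posted capture this prints Dell6.XXXXXXX.home.arpa with prisoner.iana.org and Dell6 with a.root-servers.net, which is the leak the last posts are about: the internal hostname and search domain were forwarded upstream by the remote unbound. The remedy is on that unbound: a forward-zone (or stub-zone) for XXXXXXX.home.arpa pointing at the site’s own resolver, or a local-zone for it of type static so unbound synthesises the NXDOMAIN itself, keeps these queries off the WAN; unbound-checkconf will validate the edited unbound.conf before reload.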