Author: Simon Hobson Date: To: dng@lists.dyne.org Subject: Re: [DNG] how to clear DNS cache
Rick Moen <rick@???> wrote:
>> Even worse is when there isn't a
>> mechanism for turning this off.
>
> Well, not quite. if you know *ix at all[0]:
>
> # sed -i 's/^nameserver/#nameserver/' /etc/resolv.conf
>
> To disable system DNS (but not /etc/hosts) entirely:
>
> # cp /etc/nsswitch.conf /etc/nsswitch.conf-ORIGINAL
> # sed -i 's/dns//g' /etc/nsswitch.conf
OK, I stand corrected. But it's still having to manually "fix" something that wasn't (as people point out) broken for 30 years and now suddenly (and without warning) is now broken.
> Well, I would also _hope_ that you have NTP only if you elected to run
> it. Unlike covert distro-installer additions to /etc/resolv.conf, NTP
> involves running a network daemon.
Indeed. NTP is only something I have to install if I want it.
But you are wrong in that the DNS thing is **not** an addition to resolv.conf - if it were then there would be a little less hate for it. It's the hidden nature of it that really annoys.
Arnt Gulbrandsen <arnt@???> wrote:
>> What is absolutely, 100%, not acceptable behaviour is what's been done - to silently do something that no sane admin would expect, and many people have objections to doing. Even worse is when there isn't a mechanism for turning this off.
>
> You can also make a similar argument that if the software requests DNS lookups and nothing's been firewalled, then the **ONLY** correct behaviour is to fulfil the request.
>
> There is a contradiction here. An operation is requested and configured to be available in the firewall, but configuration blocks it elsewhere. Calling any particular behaviour a 100% solution is IMO naïve.
Taking the last bit first, I didn't say anything was 100% right - what I said was that one thing is 100% wrong. Big difference.
But the firewall thing is a red herring really. If I haven't configured a DNS resolver, then any software asking the "system" for DNS resolution should fail. I should not have to explicitly block it in a firewall to stop it, and what if there's no firewall - does that mean I'm implicitly allowing any software to do whatever it likes regardless of how I've configured it?
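As an added defender-side check, not part of this thread or of any project discussed in it: a POSIX shell audit that confirms the two edits Rick quotes (commenting out `nameserver` in resolv.conf, dropping `dns` from nsswitch.conf) actually leave system DNS disabled. It runs against constructed sample files rather than the live /etc files, and it matches `dns` only as a whole word on the `hosts:` line, which is stricter than the global `sed 's/dns//g'` quoted above.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/resolv.conf and
# /etc/nsswitch.conf, before and after the two sed commands quoted above.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/resolv.conf.before" <<'EOF'
# Generated by the installer (constructed sample)
nameserver 192.0.2.53
EOF
cat > "$SAMPLE_DIR/resolv.conf.after" <<'EOF'
# Generated by the installer (constructed sample)
#nameserver 192.0.2.53
EOF
cat > "$SAMPLE_DIR/nsswitch.conf.before" <<'EOF'
passwd: files
hosts: files dns
EOF
cat > "$SAMPLE_DIR/nsswitch.conf.after" <<'EOF'
passwd: files
hosts: files
EOF

# Return 0 if the resolv.conf at $1 has no active (uncommented) nameserver line.
resolv_has_no_nameserver() {
    ! grep -q '^[[:space:]]*nameserver' "$1"
}

# Return 0 if the "hosts:" line of the nsswitch.conf at $1 does not list the
# dns source. Only a whole-word "dns" counts, so other words containing the
# substring, or a commented-out line, do not produce a false positive.
nsswitch_hosts_without_dns() {
    ! awk '/^[[:space:]]*hosts:/ {
               sub(/^[[:space:]]*hosts:/, "")          # drop the key, re-split fields
               for (i = 1; i <= NF; i++) if ($i == "dns") found = 1
           }
           END { exit found ? 0 : 1 }' "$1"
}

# Combined check: both files must disable system DNS for this to return 0.
# Usage: system_dns_disabled /etc/resolv.conf /etc/nsswitch.conf
system_dns_disabled() {
    resolv_has_no_nameserver "$1" && nsswitch_hosts_without_dns "$2"
}
```

A clean result from this check says nothing about lookups performed by software that bypasses the libc resolver, which is exactly the hidden behaviour the thread objects to.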