[ntp:hackers] NTPv4 Brian Version
Brad Knowles
brad at stop.mail-abuse.org
Thu Aug 11 14:36:11 UTC 2005
At 9:01 PM -0400 2005-08-10, Danny Mayer wrote:

> Dave, the reason that dig and nslookup give you different answers than
> the ntpd calls is that dig and nslookup are BIND utilities and they only
> ask the DNS for answers, they never check anywhere else.

Partially correct. Most vendors modify the "nslookup" program to
use their own resolver code, which usually goes through something
like /etc/nsswitch.conf and may also consult /etc/hosts tables, NIS
or NIS+, etc. So, you'd have to know which "nslookup" program
you're using to know whether or not it has been modified in this way
-- type "which nslookup" to see the path to the version you'd be
using.

If that path is something like "/usr/bin/nslookup" or
"/bin/nslookup", then it's almost certainly the system-modified
version. If that path is something like "/usr/local/bin/nslookup" or
"/opt/bin/nslookup", you might be using the standard BIND version
which should bypass all of the vendor resolver routines, and instead
use the standard DNS-only resolver from BIND.

So far as I know, most vendors do not provide or modify the "dig"
program, so if you're using that, it's probably the BIND version
which uses the standard DNS-only resolver routines. But maybe not --
you'd have to check to make sure.

> The resolver
> that the box uses can check in all sorts of places including the nscd
> or whatever. dig, host and nslookup can only tell you what the answer
> should be, not what your application is seeing.

Depending on which resolver library they're using. A vendor
could easily provide a modified version of any of these programs,
which use their proprietary resolver routine.

> I'd rather ntpd bypass that nonsense though vendors may disagree.

That is my preference, too.

--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
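
The difference discussed in this message, as an added example that is not part of the original post: a small model of the system resolver's lookup order, showing when an application such as ntpd gets a different address from the one a DNS-only tool reports. The file contents, host names, addresses and function names are constructed for illustration, and `[...]` action items in nsswitch.conf are ignored.

```python
import re

# Constructed sample files; not taken from the original thread.
NSSWITCH = """\
passwd: files nis
hosts:  files nis dns    # lookup order used by the system resolver
"""
HOSTS = """\
127.0.0.1   localhost
192.0.2.10  ntp1.example.org ntp1   # local override
"""

def hosts_sources(nsswitch_text):
    """Ordered sources on the 'hosts:' line ([...] action items are dropped)."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []  # no hosts line: the library default applies, not modelled here

def parse_hosts(hosts_text):
    """Map every name and alias in hosts-file text to its address (first wins)."""
    table = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def resolve_like_application(name, dns_answer, nsswitch_text=NSSWITCH, hosts_text=HOSTS):
    """Walk the sources in order and report the first hit.

    dns_answer stands in for what a DNS-only tool reports; sources other
    than 'files' and 'dns' (NIS, caches) are assumed to have no entry.
    """
    order = hosts_sources(nsswitch_text)
    table = parse_hosts(hosts_text)
    source, address = None, None
    for src in order:
        if src == "files" and name.lower() in table:
            source, address = "files", table[name.lower()]
        elif src == "dns" and dns_answer:
            source, address = "dns", dns_answer
        if source:
            break
    return {"order": order, "source": source, "address": address,
            "differs_from_dns_only": address != dns_answer}

if __name__ == "__main__":
    print(resolve_like_application("ntp1.example.org", "198.51.100.7"))
    print(resolve_like_application("time.example.net", "198.51.100.9"))
```

When `differs_from_dns_only` is true, the address to audit is the one the application's resolver path returns, not the one shown by a DNS-only query.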