[ntp:hackers] NTPv4 Brian Version

Brad Knowles brad at stop.mail-abuse.org
Thu Aug 11 14:36:11 UTC 2005


At 9:01 PM -0400 2005-08-10, Danny Mayer wrote:

>  Dave, the reason that dig and nslookup give you different answers than
>  the ntpd calls is that dig and nslookup are BIND utilities and they only
>  ask the DNS for answers, they never check anywhere else.

	Partially correct.  Most vendors modify the "nslookup" program to 
use their own resolver code, which usually goes through something 
like /etc/nsswitch.conf and may also consult /etc/hosts tables, NIS 
or NIS+, etc....  So, you'd have to know which "nslookup" program 
you're using to know whether or not it has been modified in this way 
-- type "which nslookup" to see the path to the version you'd be 
using.

	If that path is something like "/usr/bin/nslookup" or 
"/bin/nslookup", then it's almost certainly the system modified 
version.  If that path is something like "/usr/local/bin/nslookup" or 
"/opt/bin/nslookup", you might be using the standard BIND version 
which should bypass all of the vendor resolver routines, and instead 
use the standard DNS-only resolver from BIND.

	So far as I know, most vendors do not provide or modify the "dig" 
program, so if you're using that, it's probably the BIND version 
which uses the standard DNS-only resolver routines.  But maybe not -- 
you'd have to check to make sure.

>                                                            The resolver
>  that the box uses can check in all sorts of places including the ncsd
>  or whatever. dig, host and nslookup can only tell you what the answer
>  should be not what your application is seeing.

	Depending on which resolver library they're using.  A vendor 
could easily provide a modified version of any of these programs, 
which use their proprietary resolver routine.

>  I'd rather ntpd bypass that nonsense though vendors may disagree.

	That is my preference, too.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.


More information about the hackers mailing list