How doing relative name DNS lookups can shoot you in the foot

November 10, 2005

DNS-based host name lookups can be what I'll call 'relative', which look for the host name inside some domain, or 'absolute', which assume that the host name is fully qualified and start right from the root DNS. (For clarity, absolute names are often written with a trailing '.'; this can often be used to make resolver libraries treat them as absolute.)

Once upon a time, we had an interesting mail explosion. The campus-wide mail servers started sending our server bounce mail addressed to various users at ''; our server accepted it (we're willing to relay mail for on-campus people), and it promptly sat around doing very odd things. In addition to the problems, this struck us as very odd; the campus-wide mail servers do not normally smarthost outgoing mail through us.

What had happened was a DNS problem combined with relative name lookups:

  • various spammers sent mail to nonexistent user names on the campus-wide mail system, using various forged usernames as the origin address. Bounces ensued, and the mail servers tried to route them back to
  •'s MX was just 'www.' (they probably intended '').
  • the campus-wide mail servers are machines.
  • '' is one of our server's aliases.

So the absolute 'www' of the MX wound up being looked up as a relative hostname in the mail server's domain, resulting in our server. Dutifully the mailer called us up and passed us the hot potato, whereupon very odd things happened because to our mailer it looked sort of like we ought to be handling mail for this domain, except it wasn't on our list of local domains.

(You might question the sanity of mailers trying relative name lookups in general. However, users usually like being able to write addresses as 'spamtrap1@utcc' instead of ''.)
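The failure described above, as an added example that is not part of the original post: a small model of resolv.conf-style search-list expansion, showing how a bare MX target of 'www' resolves inside the mail server's own domain and how treating the target as absolute avoids that. The domain names, addresses and function names are constructed for illustration.

```python
# Constructed zone data: the only 'www' that exists is an alias of a
# departmental server inside the campus mail servers' own domain.
ZONE = {
    "www.mail.example.edu.": "192.0.2.10",   # hypothetical alias of "our server"
    "mx.example.org.": "198.51.100.25",      # hypothetical well-formed MX target
}
SEARCH = ["mail.example.edu"]  # hypothetical search list on the campus mail servers


def candidates(name, search, ndots=1):
    """Names a stub resolver tries, in order (resolv.conf search/ndots model)."""
    if name.endswith("."):
        return [name]                      # trailing dot: absolute, no search list
    relative = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [name + "."] + relative     # enough dots: try as absolute first
    return relative + [name + "."]         # too few dots: search list first


def resolve(name, zone, search, ndots=1):
    """Return (fqdn, address) for the first candidate present in the zone."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def resolve_mx_target(exchange, zone):
    """Treat an MX exchange as fully qualified: never apply the search list."""
    fqdn = exchange if exchange.endswith(".") else exchange + "."
    return resolve(fqdn, zone, search=[])


if __name__ == "__main__":
    # Broken MX target 'www' handed to the ordinary resolver path:
    print(resolve("www", ZONE, SEARCH))          # lands on the departmental server
    # Same target treated as absolute: no such host, so the bounce is not misrouted.
    print(resolve_mx_target("www", ZONE))
    print(resolve_mx_target("mx.example.org", ZONE))
```

With the absolute-only path the broken MX produces a lookup failure at the sending mailer instead of a delivery attempt to an unrelated host that happens to share the short name.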

Comments on this page:

From at 2005-11-10 10:10:40:

Well, what I would question is the sanity of trying relative DNS lookups on what you get as an answer to an MX query, which must always be a fully qualified domain name. What you get back as an MX record from an MX query, you should always try to resolve only via a DNS lookup for a type A record, and nothing else. (i.e. don't go through your usual name resolving procedure, which may involve host files, NIS lookups, and other silliness)

For flexibility, you might allow the brokenness where people put literal IP addresses into their MX records, but I wouldn't be any more flexible than that.

I'll note that no longer has any mx record at all - they just have an A record. (and they don't even have an A record for

-- DanielMartin

Written on 10 November 2005.

Last modified: Thu Nov 10 02:15:12 2005