2

Today I was shocked when checking where the staging domain of my website was actually pointing to. I was assuming by some sloppy configuration of either the domain or our company network, my stage-Domain somehow pointed to the production server.

So I typed host http://stage.***.com and got 212.##.##.70 => Booom, the production server. Afterwards, I tried host stage.***.com and got 212.#.##.73 => Whew, the staging server

So, my question is: How can it happen, that accidentally pasting the "http://" into the commandline makes "host" return another IP address?

Edit: Since it seems unclear what I'm asking, I'm trying to clarify: As Sven Points out in his comment,

host http://stage.***.com

shouldn't return anything, but in my case it DOES return

http://stage.***.com has address 212.##.##.70

which is actually the IP of ***.com (production) So I would like to know how this could happen.

  1. why does it return the Prod-IP?
  2. Considering Sven's comment, why does it return anything at all? Since the actual answer was pretty misleading I would have preferred an error message. The "http://" was a copy/paste mistake anyway

By the way, I'm on a Ubuntu 16.10. client

Edit2:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> http://stage.***.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;http://stage.***.com. IN   A

;; ANSWER SECTION:
http://stage.***.com. 180 IN    A   212.48.122.70

;; AUTHORITY SECTION:
***.com.    65  IN  NS  auth2.###.de.
***.com.    65  IN  NS  auth1.###.de.

;; ADDITIONAL SECTION:
auth1.###.de.   180 IN  A   212.##.##.53
auth1.###.de.   180 IN  AAAA    2a00:####:##:##::2
auth2.###.de.   180 IN  A   212.##.##.53
auth2.###.de.   180 IN  AAAA    2a00:####:##:##::2

Hmm. I guess the "http://" part is considered part of the domain and our DNS config says *.***.com has ###.70 ??? (So we have a wildcard for anything that is not stage....)

S. Parton
  • 23
  • 3
  • 1
    You shouldn't get any result when entering an URL, as an URL is not a valid hostname. `Host http://serverfault.com not found: 3(NXDOMAIN)` – Sven Oct 24 '17 at 10:48
  • 1
    Can you post the full output of `host -a ...` and try the same with `dig`? – Sven Oct 24 '17 at 11:27
  • Adding the output of `dig http://stage.***.com` to the original question since it is too long to post it here – S. Parton Oct 24 '17 at 12:06
  • 1
    What @Sven said. It sounds like there is a default wild card so it is treating the http:// part as part of a hostname instead of the protocol. Without wild cards, a proper DNS server should return the `NXDOMAIN` error. Note that some ISPs will send you to a search page, etc. instead of returning the error.... – ivanivan Oct 24 '17 at 12:37

2 Answers2

1

You must have a wildcard for your domain for this to be happening (and you should remove it)

The results of the following should be the same assuming you have a zone like

Zone File:

example.com IN A 192.0.2.5
*.example.com IN A 192.0.2.0
www.example.com IN A 192.0.2.10

Host command outputs:

host http://a.example.com
http://a.example.com has address 192.0.2.0

host http://www.example.com
http://www.example.com has address 192.0.2.0

host www.example.com
www.example.com has address 192.0.2.10

As you can see, www matches www A record, http://www matches the wildcard

The apex record doesn't match * as it's not a subdomain.

host http://example.com
http://example.com not found: 3(NXDOMAIN

Will always NXDomain, this has something to do with the lack of any character + .

I checked the query log, and yes the query is actually for http://a.example.com and matches *.example.com.

Wildcards are a terrible, avoid them as much as possible!

  1. disables negative TTL (there's no NXDomain, you always answer with a record)
  2. increases propagation* of new records
  3. increase chance of dns cache poison (in cases of split dns especially!)
  4. Not all Nameservers treat wildcards the same, SOME are full recursive, others are not (*.*.*.*.example.com vs *.example.com)

*propagation is not a thing, however it's commonly used to describe the time it takes for 3rd parties to refresh their cache.

Jacob Evans
  • 7,886
  • 3
  • 29
  • 57
-3

Remove "http://" totally as that's not part of a FQDN.

Manuel Muñoz
  • 11
  • 2