[Pkg-utopia-maintainers] Bug#1127331: libnss-mdns: DNS tried before mDNS despite configuration for mdns4_minimal first
Aurelien Jarno
aurel32 at debian.org
Mon Feb 9 18:49:56 GMT 2026
Hi,
On 2026-02-07 10:50, Simon McVittie wrote:
> Control: retitle -1 libnss-mdns: DNS tried before mDNS despite configuration for mdns4_minimal first
> Control: tags -1 + moreinfo
>
> On Sat, 07 Feb 2026 at 10:54:21 +0900, 황병주 wrote:
> > mDNS name resolution via libnss-mdns is completely broken on Debian trixie
> > with glibc 2.41. The NSS module is loaded but never called, causing .local
> > hostnames to fall through to DNS instead of being resolved via mDNS.
>
> I was unable to reproduce this on a trixie machine.
>
> Steps:
>
> 1. Install libnss-mdns and avahi-daemon on Debian trixie (glibc 2.41)
> 2. Have another host ($OTHER) with mDNS, on the same network
> 3. Edit /etc/nsswitch.conf to contain:
> hosts: files dns
> 4. getent hosts $OTHER.local; echo $? -> no output, exit status 2
> 5. Edit /etc/nsswitch.conf to contain:
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> 6. getent hosts $OTHER.local; echo $? -> resolved, exit status 0
>
> But, something that I *do* observe in this configuration is that a strace'd
> getent process does a connect() to my DNS server (in my case it's
> systemd-resolved) *before* connecting to the Avahi socket:
>
> $ strace -e openat,connect getent hosts remnant.local
> ...
I think there are two issues with this command:
- You should add a final dot, so that the search is not expanded with
the search domains from /etc/resolv.conf, which libnss-mdns obviously
can't handle and then goes to your configured recursive DNS resolver.
- You should use ahosts instead of hosts. hosts uses the deprecated
gethostbyname2() interface, which does explicit lookups with AF_INET
and AF_INET6. The latter is not supported given your nsswitch.conf.
On the other hand ahosts uses getaddrinfo() with AF_UNSPEC.
Alternatively you should either add mdns6_minimal entry or even better
use mdns_minimal instead (why isn't that the default nowadays?).
> openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = 3
> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
These three lookups are likely due to the missing final dot and the use of
hosts instead of ahosts.
> openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
This one is due to libnss-mdns doing a SOA lookup of the .local domain.
This is by design in libnss-mdns, which implements the heuristic
described in https://support.apple.com/en-us/HT201275. This is not
linked with glibc.
> connect(3, {sa_family=AF_FILE, path="/run/avahi-daemon/socket"}, 110) = 0
> REDACTED remnant.local
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien at aurel32.net http://aurel32.net
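
To check a trace like the one discussed in this thread for .local lookups reaching the unicast DNS resolver before Avahi, the following added example (not part of the original mail, and not code from libnss-mdns or glibc) counts connect() calls to port 53 before and after the Avahi socket connect. SAMPLE is the strace excerpt quoted above; the function name and report keys are assumptions made for illustration.

```python
import re

# strace excerpt quoted in the thread above (the REDACTED result line is left out).
DNS53 = 'connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0\n'
SAMPLE = (
    '$ strace -e openat,connect getent hosts remnant.local\n'
    'openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = 3\n'
    + DNS53 * 3
    + 'openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3\n'
    + DNS53
    + 'connect(3, {sa_family=AF_FILE, path="/run/avahi-daemon/socket"}, 110) = 0\n'
)

CMD = re.compile(r'\bgetent\s+(\w+)\s+(\S+)')
NSS = re.compile(r'openat\(.*/libnss_(\w+)\.so\.2"')
DNS = re.compile(r'connect\(\d+, \{sa_family=AF_INET6?, sin6?_port=htons\(53\)')
AVAHI = re.compile(r'connect\(\d+, \{sa_family=AF_(?:FILE|UNIX), (?:sun_)?path="[^"]*avahi-daemon/socket"')

def analyse(trace):
    """Summarise which resolvers a traced getent contacted, and in what order."""
    r = {"database": None, "name": None, "nss_modules": [],
         "dns_before_avahi": 0, "dns_after_avahi": 0, "avahi": False, "hints": []}
    for line in trace.splitlines():
        line = line.lstrip("> ")                      # accept mail-quoted traces
        if r["database"] is None and (m := CMD.search(line)):
            r["database"], r["name"] = m.groups()
        elif m := NSS.search(line):
            r["nss_modules"].append(m.group(1))
        elif DNS.search(line):
            r["dns_after_avahi" if r["avahi"] else "dns_before_avahi"] += 1
        elif AVAHI.search(line):
            r["avahi"] = True
    # Hints restate the two points made in the reply above.
    if r["name"] and not r["name"].endswith("."):
        r["hints"].append("no final dot: resolv.conf search domains may be tried via DNS")
    if r["database"] == "hosts":
        r["hints"].append("hosts uses gethostbyname2() per address family; try ahosts")
    return r

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```
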