[Pkg-utopia-maintainers] Bug#1127331: libnss-mdns: DNS tried before mDNS despite configuration for mdns4_minimal first
Simon McVittie
smcv at debian.org
Mon Feb 9 19:21:53 GMT 2026
On Mon, 09 Feb 2026 at 19:49:56 +0100, Aurelien Jarno wrote:
>On 2026-02-07 10:50, Simon McVittie wrote:
>> $ strace -e openat,connect getent hosts remnant.local
>> ...
>
>I think there are two issues with this command:
>
>- You should add a final dot, so that the search is not expanded with
> the search domains from /etc/resolv.conf, which libnss-mdns obviously
> can't handle and then goes to your configured recursive DNS resolver.

Good catch, that makes sense. Yes, I confirm that with the final dot, I
get one DNS resolution (which you've explained below as the SOA check
for .local, rather than actually resolving remnant.local., so that's
benign) followed by mDNS resolution via Avahi.

>- You should use ahosts instead of hosts. hosts uses the deprecated
> gethostbyname2() interface, which does explicit lookups with AF_INET
> and AF_INET6. The latter is not supported given your nsswitch.conf.

I agree that `getent ahosts` is a better choice than `getent hosts`,
because it replicates the behaviour we'd expect from a modern
application that does an AF_UNSPEC lookup.

> Alternatively you should either add mdns6_minimal entry or even better
> use mdns_minimal instead (why isn't that the default nowadays?).

mdns_minimal is intentionally not the default because it was observed to
cause long delays (5+ seconds) in legacy software that implements IPv6
by doing one lookup with AF_INET6, followed by a second lookup with
AF_INET only after failure of the first lookup has been reported, in the
scenario where the responding host (remnant.local in my example) is
IPv4-only. In that scenario, it would wait 5 seconds for an IPv6
response that will never happen, and then do a second, IPv4 query which
gets a result immediately.

More modern software that does an AF_UNSPEC lookup, or AF_INET and
AF_INET6 in parallel ("happy eyeballs"), would be OK with mdns_minimal,
but Avahi/nss-mdns upstream specifically asked us not to make that the
default. Because mDNS is inherently a local LAN protocol, the reasons to
prefer IPv6 don't really apply to it: RFC1918 and RFC3927 addresses are
readily available, even if globally-routable IPv4 addresses are not.

mdns6_minimal is only provided for completeness, and is basically
pointless: everyone should use either mdns_minimal or mdns4_minimal.

>> openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
>> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
>
>This one is due to libnss-mdns doing a SOA lookup of the .local domain.
>This is by design in libnss-mdns, which implements the heuristic
>described in https://support.apple.com/en-us/HT201275. This is not
>linked with glibc.

Yes, that makes sense. We can tell it's this because it happens after
/etc/hosts is opened, which means it's after the "files" step in
nsswitch.conf.

smcv
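
The ordering argument in the message above (a port-53 connect seen after `/etc/hosts` is opened comes after the "files" step) can be checked mechanically over `strace -e openat,connect` output. This is an added example, not part of the original message or of nss-mdns; the function name, the stage labels, the Avahi socket path `/run/avahi-daemon/socket` and the sample trace are assumptions or constructed for illustration.

```python
import re

# The syscall shapes printed by `strace -e openat,connect`.
OPENAT = re.compile(r'^openat\([^,]+, "([^"]+)"')
CONNECT_UNIX = re.compile(r'^connect\(\d+, \{sa_family=AF_UNIX, sun_path="([^"]+)"')
CONNECT_INET = re.compile(
    r'^connect\(\d+, \{sa_family=AF_INET6?, sin6?_port=htons\((\d+)\).*?'
    r'inet_(?:addr|pton)\((?:AF_INET6, )?"([^"]+)"')

# Constructed sample: the two lines quoted in the message plus an assumed
# Avahi client connect. Not a capture from a real system.
SAMPLE_TRACE = '''
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
connect(3, {sa_family=AF_UNIX, sun_path="/run/avahi-daemon/socket"}, 110) = 0
'''

def classify_dns_connects(trace, avahi_socket="/run/avahi-daemon/socket"):
    """Return (resolver_address, stage) for every connect to port 53.

    stage records only what had already been observed in the trace:
    "before files" -> /etc/hosts not opened yet
    "after files"  -> /etc/hosts opened, Avahi not contacted yet
    "after mdns"   -> the Avahi socket was already contacted
    """
    stage = "before files"
    findings = []
    for line in trace.splitlines():
        line = line.strip()
        m = OPENAT.match(line)
        if m and m.group(1) == "/etc/hosts":
            stage = "after files"
            continue
        m = CONNECT_UNIX.match(line)
        if m and m.group(1) == avahi_socket:
            stage = "after mdns"
            continue
        m = CONNECT_INET.match(line)
        if m and m.group(1) == "53":
            findings.append((m.group(2), stage))
    return findings

if __name__ == "__main__":
    for addr, stage in classify_dns_connects(SAMPLE_TRACE):
        print(f"DNS connect to {addr}: {stage}")
```

A port-53 connect labelled "after files" and followed by the Avahi connect matches the SOA check described above; one labelled "after mdns" means a unicast DNS query was made after mDNS had already been consulted.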