From a7710e905895eca463bb27a0b680ba86e3a8e662 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Fri, 21 Nov 2014 15:14:23 +0000 Subject: [PATCH] dns.resolver.query treats hostnames as relative names if they don't end in a period Relative hostnames have a fall-back lookup with the machine's hostname appended, which makes no sense. Add a period, e.g. "my.hostname.com" => "my.hostname.com.", to prevent that. This caused false positive Spamhaus checks. Fixes #185. --- management/dns_update.py | 2 +- management/status_checks.py | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index ccbebc89..ba9a5964 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -490,7 +490,7 @@ zone: # Get the IP address of the nameserver by resolving it. hostname = additional_records.get("_secondary_nameserver") resolver = dns.resolver.get_default_resolver() - response = dns.resolver.query(hostname, "A") + response = dns.resolver.query(hostname+'.', "A") ipaddr = str(response[0]) nsdconf += """\tnotify: %s NOKEY provide-xfr: %s NOKEY diff --git a/management/status_checks.py b/management/status_checks.py index 5351a673..86f83d09 100755 --- a/management/status_checks.py +++ b/management/status_checks.py @@ -347,7 +347,15 @@ def check_web_domain(domain, env): check_ssl_cert(domain, env) def query_dns(qname, rtype, nxdomain='[Not Set]'): - resolver = dns.resolver.get_default_resolver() + # Make the qname absolute by appending a period. Without this, dns.resolver.query + # will fall back a failed lookup to a second query with this machine's hostname + # appended. This has been causing some false-positive Spamhaus reports. The + # reverse DNS lookup will pass a dns.name.Name instance which is already + # absolute so we should not modify that. + if isinstance(qname, str): + qname += "." + + # Do the query. try: response = dns.resolver.query(qname, rtype) except (dns.resolver.NoNameservers, dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):