Hi,
I have a confusing problem. I have two CentOS 5.5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed.
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Thanks for any info.
Maybe I am missing something here.. but what does 'sudo' have to do with DNS resolution?
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Steve Clark Sent: Friday, December 10, 2010 7:44 AM To: CentOS mailing list Subject: [CentOS] sudo doing DNS lookup
Hi,
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Thanks for any info.
On 12/10/2010 08:46 AM, Baird, Josh wrote:
Maybe I am missing something here.. but what does 'sudo' have to do with DNS resolution?
That is a very good question.
But here is part of an strace of sudo cat /etc/hosts
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.6.1.4")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
gettimeofday({1291986809, 169934}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\1\231\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 51, MSG_NOSIGNAL) = 51
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [113]) = 0
recvfrom(4, "\1\231\201\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("198.6.1.4")}, [16]) = 113
close(4)
From: Steve Clark sclark@netwolves.com
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Do you have fqdn in sudoers?
man sudoers: "Beware that turning on fqdn requires sudo to make DNS lookups which may make sudo unusable if DNS stops working"
JD
On 12/10/2010 09:04 AM, John Doe wrote:
From: Steve Clark sclark@netwolves.com
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Do you have fqdn in sudoers?
No, that's the crazy part. I don't have that enabled and it still does the DNS lookup. I tried turning it on to see what would happen and the only thing different was it spit out:
$ sudo vi /etc/resolv.conf
sudo: unable to resolve host Z7070.netwolves.com
Vim: Caught deadly signal TERM
Vim: Finished.
Terminated
I finally killed it from another terminal cause it was taking so long.
Without the: Defaults fqdn it hangs for a long time, this is when I don't have connection to the net, if I have connection there is just a slight pause while it tries to do the DNS lookup.
man sudoers: "Beware that turning on fqdn requires sudo to make DNS lookups which may make sudo unusable if DNS stops working"
JD
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Fri, 10 Dec 2010, Steve Clark wrote:
it hangs for a long time, this is when I don't have connection to the net, if I have connection there is just a slight pause while tries to do the DNS lookup.
What makes you sure it's a DNS lookup that causes the long hang when there's no network connection?
jh
On Fri, Dec 10, 2010 at 02:53:19PM +0000, John Hodrien wrote:
On Fri, 10 Dec 2010, Steve Clark wrote:
it hangs for a long time, this is when I don't have connection to the net, if I have connection there is just a slight pause while tries to do the DNS lookup.
What makes you sure it's a DNS lookup that causes the long hang when there's no network connection?
Just to eliminate other possibilities--are either of these authenticating against an LDAP server?
From: Steve Clark sclark@netwolves.com
Without the: Defaults fqdn it hangs for a long time, this is when I don't have connection to the net, if I have connection there is just a slight pause while tries to do the DNS lookup.
Did you compare the following files between both servers? /etc/hosts /etc/resolv.conf /etc/nsswitch.conf
JD
On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark sclark@netwolves.com wrote:
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Do both hosts have their hostnames in "/etc/hosts"?
Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?
On 12/10/2010 10:40 AM, Tom H wrote:
On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark sclark@netwolves.com wrote:
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Do both hosts have their hostnames in "/etc/hosts"?
Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?
strace shows the DNS lookup.
I have resolved the problem as far as why they behaved differently. Someone had put an entry in /etc/resolv.conf when normally we run our own nameserver at 127.0.0.1. Putting a hostname and address in the /etc/hosts also fixed the problem.
But I still don't understand why it wants to do a DNS lookup when I don't have Defaults fqdn in the sudoers file.
Again here is part of an strace of sudo cat /etc/rc.local:
...
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
gettimeofday({1292009049, 862615}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\206r\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 37, MSG_NOSIGNAL) = 37
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [86]) = 0
recvfrom(4, "\206r\205\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 86
close(4) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
gettimeofday({1292009049, 864056}, NULL) = 0
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}])
send(4, "\324\305\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"..., 51, MSG_NOSIGNAL) = 51
poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}])
ioctl(4, FIONREAD, [100]) = 0
recvfrom(4, "\324\305\205\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 100
close(4) = 0
readlink("/proc/self/exe", "/usr/bin/sudo"..., 4095) = 13
On Fri, Dec 10, 2010 at 2:23 PM, Steve Clark sclark@netwolves.com wrote:
On 12/10/2010 10:40 AM, Tom H wrote: On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark sclark@netwolves.com wrote:
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Do both hosts have their hostnames in "/etc/hosts"?
Do both hosts have "hosts: files dns" in "/etc/nsswitch.conf"?
I have resolved the problem as far why they behaved differently. Someone had put an entry in /etc/resolv.conf when normally we run our own nameserver at 127.0.0.1. Putting a hostname and address in the /etc/hosts also fixed the problem.
But I still don't understand why it wants to do a DNS lookup when I don't have Defaults fqdn in the sudoers file.
A WAG: Since sudo rights are assigned on a box by box basis (unless you use "ALL"), sudo has to check on which box you are running it.
On Fri, Dec 10, 2010 at 8:43 AM, Steve Clark sclark@netwolves.com wrote:
Hi,
I have a confusing problem. I have two centos 5,5 boxes. Both have sudo.i386 1.7.2p1-9.el5_5 installed
I am using the same sudoers file, but the one on box A keeps trying to do DNS lookups while the one on box B does not. How do I disable this DNS lookup?
Thanks for any info.
It's probably looking up the hostname of the host you're on, to match against host information in sudoers entries. Do you have your hostname and IP address in /etc/hosts on each machine? And do you have fully qualified hostnames, matching the entries in /etc/hosts?
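
Added example, not part of the original thread: a Python decoder for the DNS buffers shown in the strace excerpts above, which confirms that the query is for the machine's own hostname and that the server answers NXDOMAIN. The function names are this example's own; the question name comes out incomplete because strace prints only the first 32 bytes of a buffer unless run with a larger -s value.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035
C_ESCAPES = {"t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92, '"': 34}

# Buffers copied from the first strace excerpt in the thread (send, then recvfrom).
QUERY = r"\1\231\1\0\0\1\0\0\0\0\0\0\5Z7070\tnetwolves\3com"
REPLY = r"\1\231\201\203\0\1\0\0\0\1\0\0\5Z7070\tnetwolves\3com"

def unescape_strace(text):
    """Convert the body of an strace string literal (octal/C escapes) to bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1] in "01234567":
            j = i + 1  # strace emits one to three octal digits per byte
            while j < len(text) and j - i <= 3 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:
            out.append(C_ESCAPES[text[i + 1]])
            i += 2
    return bytes(out)

def decode_dns(payload):
    """Decode the DNS header and as much of the question name as was captured."""
    ident, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", payload[:12])
    labels, pos, complete = [], 12, False
    while pos < len(payload):
        length = payload[pos]
        if length == 0:          # root label: the name ended inside the capture
            complete = True
            break
        if length & 0xC0:        # compression pointer, not expected in a question
            break
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": answers, "name": ".".join(labels), "name_complete": complete}

if __name__ == "__main__":
    for label, raw in (("send", QUERY), ("recvfrom", REPLY)):
        print(label, decode_dns(unescape_strace(raw)))
```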