Applications on IBM OS/2 generally link to TCP32DLL.DLL, which contains a DNS Client library. This is IBM's port of the DNS Client library that comes with BIND.
The Internet Utilities contains a drop-in replacement for TCP32DLL.DLL that uses the DNS Client library that is used by the Internet Utilities. If the system is configured so that this replacement DLL is found ahead of the DLL containing BIND's DNS Client, then OS/2 applications that link to TCP32DLL.DLL will use the DNS Client library of the Internet Utilities in place of the BIND DNS Client library.
The DNS Client of the Internet Utilities operates differently to BIND's DNS Client, It has a different timeout algorithm for queries; it determines the IP address of the proxy DNS server to contact in a different way; and it performs name qualification, to convert the names used by applications to the fully-qualified names that the DNS proper deals in, according to a suite of qualification rules.
DNS queries are tried 5 times, with the following timeout periods:
If no acceptable response is received after all 5 tries, the query is considered to have timed out with no response.
Partial domain names are normally converted to fully qualified form by
using pattern matching and substitution rules from a configuration file.
This configuration file is normally the file
%_BOOT%:\Config\Apps\JdeBP\IU\DNSQual.CFG,
but this
can be overriden by setting the DNSQUAL.CFG environment
variable. If that file does not exist or cannot be opened for reading,
name qualification falls back to
compatibility mode.
The contents of the file comprise a list of rules, one per line. Lines containing only whitespace, or whose first non-whitespace character is the ':' character, are ignored. (This allows comments to be placed in the file.)
A rule comprises a regular expression specifying a pattern to match and a substitution expression specifying changes to make. All rules are processed in the order that they occur in the file. For each rule, if the pattern specified by the regular expression matches the partial name, the substitution expression is applied to the partial name.
The most usual requirement is to append a string, such as
.mydomain, to any name that does not contain an explicit dot.
Usually this will be the penultimate rule in the file. This can be done
with a rule in the form:
^\([^.]*\)$ \1.mydomain.
The following rule appends a trailing full stop if none exists, and will usually be the final rule in the file:
^\(.*[^.]\)$ \1.
This rule is an example of domain rewriting. It transforms any name
ending in .altavista.com to a name ending in
.altavista.co.uk:
^\(.*\)\.altavista\.com$ \1.altavista.co.uk
This rule is an example of host aliasing. It transforms the name
slippery.jim.digriz into the name
stainless.steel.rat:
^slippery\.jim\.digriz$ stainless.steel.rat
This rule is an example of domain masquerading. It transforms any name
ending in .arisia.1stgalaxy into the name
mentor.arisia.1stgalaxy:
^.*\.arisia\.1stgalaxy$ mentor.arisia.1stgalaxy
Compatibility mode name qualification is used when the qualification rules file does not exist or cannot be opened for reading.
If the partial name does not contain a dot, the name of the current local domain is obtained and appended, with a leading dot, to the partial name to form the fully-qualified name. Otherwise, the name is assumed (since it contains a dot) to already be in fully-qualified form, and is not changed. If the local domain name cannot be obtained, the partial name is also unchanged.
The local domain name is obtained as follows:
LOCALDOMAINNAME environment variable, if
it exists.
domain directive in the
%ETC%\RESOLV file.
domain directive in the
%ETC%\RESOLV2 file.
HOSTNAME environment variable that
follows the first dot, if that variable exists and contains a dot.
Notes:
The value of the LOCALDOMAINNAME environment variable must be
a fully-qualified name (i.e. a name ending in a dot).
If the value specified by the domain directive in either
%ETC%\RESOLV or %ETC%\RESOLV2 is not a
fully-qualified name (as it properly should be), a dot will be
automatically appended.
If the value of the HOSTNAME environment variable is not a
fully-qualified name (as it properly should be when there is no
LOCALDOMAINNAME environment variable), a dot will be
automatically appended.
DNS clients should be configured to talk to a proxy server. Here is how how to instruct the DNS clients on a machine to consult the proxy server on 10.0.0.1:
If using the DNS client library DLL in the Internet Utilities, set the
DNS_PROXY_IP_ADDRESS environment variable to the value
10.0.0.1 .
If using IBM's DNS client library DLL, add the following directive
to the %ETC%\RESOLV or %ETC%\RESOLV2 files:
nameserver 10.0.0.1
Certain wrongly written server softwares perform reverse lookups of their clients' IP addresses and drop the connection or return an error if that lookup fails. Some even also perform "double-reverse" lookups on that name and compare the result with the original IP address.
These things are done in the name of "security"; but the idea is fundamentally flawed and is not in fact secure at all. It assumes that DNS is reliable and omnipresent, when this is not in fact the case. It also makes the fundamental mistake of assuming that all IP addresses have corresponding domain names, which is not true at all.
(In any event, secure servers should restrict their service based upon the connecting client's IP address alone. Basing a service's access controls on human-readable domain names, whose mappings to the underlying IP addresses may change at any moment, not necessarily under the control of or even with the consent of the administrator of that particular service, is foolishness.)
If one has clients connecting to such softwares on other sites, one way of coping with them is to install and run the Fixed-data Content Server as described in the section on anonymity. This will provide both reverse and double-reverse lookups, with self-consistent values, for any IP address, satisfying the needs of any wrongly-written "secure" server softwares.
If you have such softwares on your own site, to prevent annoying the rest of Internet with the brokenness of your servers, filter out the reverse and double-reverse lookups locally, before they reach the rest of Internet. (Or better still, fix the servers themselves.) How to do this is just a special case of the procedure for creating "split horizon" DNS service.
Certain wrongly written applications accept both domain names and IP addresses as input from users, but do not, as they should, filter out the IP addresses before attempting hostname lookup using their DNS client libraries.
Other applications do correctly filter out IP addresses, but use a distinguished syntax (such as surrounding the string with square brackets) to do so, and users (out of ignorance) fail to use that syntax when entering IP addresses.
In both cases, this results in queries being sent to DNS servers for (malformed) names that are dotted-decimal IP addresses. If not filtered out, they would place load on the root DNS servers, which would have to continually respond with "no such name" to the non-existent top-level domains "0." to "255.".
The Internet Utilities provides three ways of filtering out such queries so that they never reach the root DNS servers:
The hostname lookup functions in the DNS client library DLL refuse to generate DNS queries for dotted-decimal names, instead returning a "no such name" error immediately.
The Forwarding Caching Proxy Server and the Resolving Caching Proxy Server both have built-in processing for dotted-decimal names.
The Fixed-data Content Server is a standalone server that handles dotted-decimal names, which is intended for use in the rare situations where neither of the previous mechanisms can be used.