Comment 43 for bug 80900

Thomas Hood (jdthood) wrote:

Will Rouesnel wrote:
> Switching it to
> hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
> fixes it by having DNS get checked first.

Please see Lennart Poettering's comments at avahi.org

    http://avahi.org/wiki/AvahiAndUnicastDotLocal

and in Debian bug report #393711

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393711

about putting "dns" before "mdns4" in nsswitch.conf.

Quoting:

«[T]he line your package version adds has several
disadvantages, among them:

  * Slows down all mDNS lookups
  * Breaks mDNS lookups when the configured DNS server is not
    reachable (!)
  * Is a security hole, because local host info is leaked on unicast
    dns server and as such the internet
  * Is a security hole, because people on the internet can
    redirect local services to other hosts
  * Increases the burden on internet DNS servers needlessly. (This is
    a major problem which caused the creation of projects like AS112)
  * Breaks mDNS RR consistency because the unicast DNS zone .local is
    kind-of merged with the multicast DNS zone .local. However, the
    conflict protocol which makes sure that no two host names or
    service names conflict in the .local zone simply doesn't work
    against names from the .local unicast domain.»

where "the line your package version adds" he refers to is

    hosts: files mdns_minimal dns mdns
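The two orderings being argued over above differ in when a `.local` name reaches the unicast DNS server. The following script is an added example (not code from the bug report, from Will Rouesnel, from Thomas Hood, or from the Avahi project) that parses the `hosts:` line of an nsswitch.conf and flags the two leak patterns named in the quoted text: `dns` listed before any mDNS source, and an `mdns*_minimal` source that is not immediately followed by `[NOTFOUND=return]` while `dns` comes later. It relies on the documented nss-mdns behaviour that a `*_minimal` source returns NOTFOUND for a `.local` name it cannot resolve and UNAVAIL for names outside `.local`, so that `[NOTFOUND=return]` stops the lookup for unresolved `.local` names but lets other names fall through to `dns`. The three sample lines are constructed for the example; the "clean" one is the ordering the Avahi wiki recommends, and is not quoted on this page.

```python
"""Audit the nsswitch.conf ``hosts:`` line for orderings that leak .local lookups."""
import re

# Constructed sample hosts lines (not copied from any real system).
SAMPLE_PACKAGE_LINE = "hosts: files mdns_minimal dns mdns"                       # criticised in the bug
SAMPLE_DNS_FIRST = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4"        # Will's suggestion
SAMPLE_CLEAN = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"            # Avahi wiki ordering

MDNS_SOURCES = ("mdns", "mdns4", "mdns6", "mdns_minimal", "mdns4_minimal", "mdns6_minimal")

# A token is either a bracketed action spec ("[NOTFOUND=return]") or a source name.
_TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_hosts_sources(conf_text):
    """Return the tokens of the first ``hosts:`` line, or None if there is none.

    Comments (``# ...``) and blank lines are ignored, as glibc does.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "hosts":
            return _TOKEN_RE.findall(rest)
    return None


def _is_notfound_return(token):
    """True for an action spec that contains NOTFOUND=return (case-insensitive)."""
    return token.startswith("[") and "NOTFOUND=RETURN" in token.upper().replace(" ", "")


def audit_hosts_order(tokens):
    """Return a list of (finding_id, message) tuples for leaky orderings.

    dns-before-mdns   every .local query goes to the unicast DNS server before
                      multicast DNS is even tried
    no-notfound-stop  a *_minimal source lacks a following [NOTFOUND=return],
                      so .local names mDNS cannot resolve fall through to dns
    """
    findings = []
    sources = [(i, t) for i, t in enumerate(tokens) if not t.startswith("[")]
    dns_pos = [i for i, t in sources if t == "dns"]
    mdns_pos = [i for i, t in sources if t in MDNS_SOURCES]

    if dns_pos and mdns_pos and dns_pos[0] < mdns_pos[0]:
        findings.append(("dns-before-mdns",
                         "'dns' precedes '%s': .local queries are sent to the unicast "
                         "DNS server first" % tokens[mdns_pos[0]]))

    for i, t in sources:
        if t in MDNS_SOURCES and t.endswith("_minimal"):
            following = tokens[i + 1] if i + 1 < len(tokens) else ""
            dns_later = any(d > i for d in dns_pos)
            if dns_later and not _is_notfound_return(following):
                findings.append(("no-notfound-stop",
                                 "'%s' is not followed by [NOTFOUND=return]: unresolved "
                                 ".local names fall through to 'dns'" % t))
    return findings


def audit_conf(conf_text):
    """Convenience wrapper: finding ids for a whole nsswitch.conf text."""
    tokens = parse_hosts_sources(conf_text)
    if tokens is None:
        return ["no-hosts-line"]
    return [fid for fid, _ in audit_hosts_order(tokens)]


if __name__ == "__main__":
    for label, sample in (("package line", SAMPLE_PACKAGE_LINE),
                          ("dns first", SAMPLE_DNS_FIRST),
                          ("clean", SAMPLE_CLEAN)):
        tokens = parse_hosts_sources(sample)
        print(label, tokens)
        for fid, msg in audit_hosts_order(tokens):
            print("  ", fid, "-", msg)
```

Run it against `/etc/nsswitch.conf` by passing the file contents to `audit_conf`; an empty result means neither of the quoted leak patterns is present on that host.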