Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 25 Jan 2014 21:03:52 +0000
From:      Frank Leonhardt <>
Subject:   Re: Why was nslookup removed from FreeBSD 10?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 25/01/2014 20:20, RW wrote:
> On Sat, 25 Jan 2014 19:52:57 +0000
> Frank Leonhardt wrote:
>> As you and Waitman both pointed out, nslookup IS part of BIND, yet as
>> I said in the diatribe following the question in my post, so is
>> "host" and that's still there.
> >From the host manpage:
>       host aims to be reasonably compatible with `host' utility from
>       BIND9 distribution,

Yes -  I read that too, and assumed it means it's a derived work until 
I'd checked the source code. It's contributed, but part of ldns and not 
bind. By removing bind from the base system in favour of ldns based 
stuff, it could mean that its just the case that no one wrote an ldns 
version of nslookup or dig; only host. This is one of my theories as to 
the answer.

It's worth noting that one of the criticisms I've heard of nslookup has 
been that it DOESN'T use BIND as a resolver and works in its 
self-contained way, and is therefore not valid as a DNS (meaning BIND) 
debugging tool. However, it should mean that it's stand-alone - hence 
the Windoze port (which used to contain incriminating strings showing it 
was pinched from BSD!)

So if you prefer a slightly rephrased question: Why has someone written 
"host" for FreeBSD 10.0 but neglected to provide nslookup (or dig)?

As to Matt's comment that "almost half of all the security 
vulnerabilities in the entire lifetime of the FreeBSD project have been 
from BIND. Personally, I'd say that's "pretty spectacular."" - I'd say 
that's these security vulnerabilities are more to do with DNS the 
protocol rather than BIND the implementation. Whoever would have thought 
that criminals would have got their hands on computers? By removing BIND 
and not replacing it with anything (apart from a local resolver) will, I 
guess, meet your security needs. But I'm talking about nslookup, not the 
whole of BIND and all its utilities. I've never heard of a security 
problem with nslookup. Except, of course, with the Micro$soft version ;-)

There must be a discussion about how the decision was taken somewhere, 
mustn't there? If there isn't, its looking like an accident.

Regards, Frank.

Want to link to this message? Use this URL: <>