by kiallmacinnes 1610 days ago
On the `ndots` problem, it's best to get in the habit of using fully qualified names when you know them. A fully qualified DNS name ends in a period.

Continuing the example in the article, use `google.com.` and there will be just one query.


This doesn't work reliably, because TLS gets implemented incorrectly and the trailing dot is not stripped from the SNI host (TLS not HTTP) header.

Curl has gone back and forth; dunno whether that is curl itself or the resolver libs. Firefox used to be broken, and may still be.

Apache used to almost blow chunks when it got one of these, and I filed a bug (https://bz.apache.org/bugzilla/show_bug.cgi?id=58007); the chosen fix was to serve some "random" cert. Just tried it with an older version of FFX which I know is borked though and it did the right thing, so presumably something further has occurred since 2017.

You can kinda fix this by lowering the ndots value. But probably the better way to fix this is to not include a 'search' directive at all. Don't specify anything for 'search' or 'ndots'. And then do as you say, use FQDNs everywhere.

That's not always possible & wise, e.g. the example given is the Kubernetes search/ndots values. Changing this would break the expected "API" between the applications in Kube and the Kube cluster, which is bound to cause some pain and suffering down the line :)

Using a FQDN (as in, a DNS name with the trailing dot) is the only reliable way to avoid this without breaking other things!
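The two points made in this thread (a trailing dot turns the search-list expansion into a single query, and the dot must be stripped before the name goes into SNI) can be checked with a small simulation of a glibc-style stub resolver. This is an added example, not code from the thread; the resolv.conf content is constructed to mimic a typical Kubernetes pod (ndots:5 plus three search domains), and `RESOLV_CONF`, `parse_resolv_conf`, `query_sequence` and `sni_host` are names chosen here.

```python
"""Simulate how a glibc-style stub resolver expands a name into the ordered list
of candidate queries it will try (stopping at the first answer), driven by the
'search' and 'ndots' settings of resolv.conf."""

from typing import List, Tuple

# Constructed sample resolv.conf, modelled on what a Kubernetes pod typically gets.
RESOLV_CONF = """
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""


def parse_resolv_conf(text: str) -> Tuple[List[str], int]:
    """Return (search_domains, ndots); ndots defaults to 1 like glibc."""
    search: List[str] = []
    ndots = 1
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] == "search":
            search = parts[1:]  # a later 'search' line replaces an earlier one
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def query_sequence(name: str, search: List[str], ndots: int) -> List[str]:
    """Ordered absolute names the resolver will query until one answers."""
    if name.endswith("."):
        return [name]  # fully qualified: no search-list expansion at all
    absolute = name + "."
    suffixed = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed  # enough dots: try as-is first
    return suffixed + [absolute]  # too few dots: walk the search list first


def sni_host(name: str) -> str:
    """RFC 6066 requires the SNI host_name without a trailing dot."""
    return name.rstrip(".")


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for n in ("google.com", "google.com."):
        print(f"{n!r:14} -> {len(query_sequence(n, search, ndots))} query/queries")
    print("SNI host for 'google.com.' is", sni_host("google.com."))
```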