From: smcv@debian.org   
      
   On Mon, 09 Feb 2026 at 19:49:56 +0100, Aurelien Jarno wrote:   
   >On 2026-02-07 10:50, Simon McVittie wrote:   
   >> $ strace -e openat,connect getent hosts remnant.local   
   >> ...   
   >   
   >I think there are two issues with this command:   
   >   
   >- You should add a final dot, so that the search is not expanded with   
   >  the search domains from /etc/resolv.conf, which libnss-mdns obviously   
   >  can't handle and then goes to your configured recursive DNS resolver.   
      
   Good catch, that makes sense. Yes, I confirm that with the final dot, I   
   get one DNS resolution (which you've explained below as the SOA check   
   for .local, rather than actually resolving remnant.local., so that's   
   benign) followed by mDNS resolution via Avahi.   
      
   >- You should use ahosts instead of hosts. hosts uses the deprecated   
   >  gethostbyname2() interface, which does explicit lookups with AF_INET   
   >  and AF_INET6. The latter is not supported given your nsswitch.conf.   
      
   I agree that `getent ahosts` is a better choice than `getent hosts`,   
   because it replicates the behaviour we'd expect from a modern   
   application that does an AF_UNSPEC lookup.   
      
   >  Alternatively you should either add mdns6_minimal entry or even better   
   >  use mdns_minimal instead (why isn't that the default noawdays?).   
      
   mdns_minimal is intentionally not the default because it was observed to   
   cause long delays (5+ seconds) in legacy software that implements IPv6   
   by doing one lookup with AF_INET6, followed by a second lookup with   
   AF_INET only after failure of the first lookup has been reported, in the   
   scenario where the responding host (remnant.local in my example) is   
   IPv4-only. In that scenario, it would wait 5 seconds for an IPv6   
   response that will never happen, and then do a second, IPv4 query which   
   gets a result immediately.   
      
   More modern software that does an AF_UNSPEC lookup, or AF_INET and   
   AF_INET6 in parallel ("happy eyeballs"), would be OK with mdns_minimal,   
   but Avahi/nss-mdns upstream specifically asked us not to make that the   
   default. Because mDNS is inherently a local LAN protocol, the reasons to   
   prefer IPv6 don't really apply to it: RFC1918 and RFC3927 addresses are   
   readily available, even if globally-routable IPv4 addresses are not.   
      
   mdns6_minimal is only provided for completeness, and is basically   
   pointless: everyone should use either mdns_minimal or mdns4_minimal.   
      
   >> openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3   
   >> connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=i   
   et_addr("127.0.0.53")}, 16) = 0   
   >   
   >This one is due to libnss-mdns doing a SOA lookup of the .local domain.   
   >This is by design in libnss-mdns, which implements the heuristic   
   >described in https://support.apple.com/en-us/HT201275. This is not   
   >linked with glibc.   
      
   Yes, that makes sense. We can tell it's this because it happens after   
   /etc/hosts is opened, which means it's after the "files" step in   
   nsswitch.conf.   
      
        smcv   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)