According to many guides I've found, the search domain in /etc/resolv.conf should be used for dotless queries only. However, man resolv.conf says this about the ndots option:

sets a threshold for the number of dots which must appear in a name given to res_query(3) (see resolver(3)) before an initial absolute query will be made. The default for n is 1, meaning that if there are any dots in a name, the name will be tried first as an absolute name before any search list elements are appended to it. The value for this option is silently capped to 15.

This contradicts the claims about search domains being used only for dotless queries, and also seems to be true. I first noticed it by accident using tcpdump. When resolving for example reallynonexistentdomain.com, and my resolv.conf contains 'search test.com', the result is two queries: reallynonexistentdomain.com and reallynonexistentdomain.com.test.com. Both queries get the NXDOMAIN answer, and resolving seems to work as it should, but is there any way to prevent the latter query? It is obviously bogus and (not 100% sure about this) a potential security risk.

What practical reasons are there anyway for appending the search domain to a fully qualified domain name (or more specifically, a name with at least ndots dots)? I can't think of any. Wouldn't it be better if the resolver just didn't try use the search domain at all when the original query is answered with NXDOMAIN, provided that it had at least ndots dots?

I'm using Debian wheezy. Could the behavior be different on other distributions, or other UNIX-like systems?