named/bind refuses to serve certain domains after resolving them itself


Why does bind refuse some of my queries? This only happens with certain domains.

Querying through named fails:

$ dig -t A fedoraproject.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33117

$ journalctl -n10
...
Aug 01 17:07:11 ns3.r3.mclarkdev.com named[10807]: resolver priming query complete
Aug 01 17:09:57 ns3.r3.mclarkdev.com named[10807]: timed out resolving 'fedoraproject.org/DNSKEY/IN': 8.8.8.8#53
Aug 01 17:09:59 ns3.r3.mclarkdev.com named[10807]: timed out resolving 'fedoraproject.org/DNSKEY/IN': 8.8.8.8#53

However, querying the forwarder directly works:

$ dig -t A fedoraproject.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42249

  ... records ...

Bind is running with a fairly default configuration.
The only things I changed were to allow queries from anywhere and to add a zone file serving a few local records.

options {
    listen-on port 53 { any; };
    allow-query     { any; };
    forwarders      { 8.8.8.8; };
    recursion yes;
    ...
    dnssec-enable yes;
    dnssec-validation yes; // also tried auto
}

...

// includes two additional `zone` definitions
include "/opt/dns/named.zones";

OS version: CentOS Linux release 8.4.2105
Kernel version: 4.18.0-305.10.2.el8_4.x86_64
named version: BIND 9.11.26-RedHat-9.11.26-4.el8_4

Watching a tcpdump, I can see that named contacts the forwarder and retrieves the A records, but after performing some additional queries it refuses to serve them to the client.

localhost.49683 > localhost.domain: 14274+ A? fedoraproject.org. (35)
ns3.r3.mclarkdev.com.56668 > 8.8.8.8.domain: 21852+% [1au] A? fedoraproject.org. (58)
localhost.39587 > localhost.domain: 53253+ PTR? 8.8.8.8.in-addr.arpa. (38)
ns3.r3.mclarkdev.com.55378 > 8.8.8.8.domain: 61019+% [1au] PTR? 8.8.8.8.in-addr.arpa. (61)
8.8.8.8.domain > ns3.r3.mclarkdev.com.56668: 21852$ 12/0/1 fedoraproject.org. A 140.211.169.206, fedoraproject.org. A 152.19.134.198, fedoraproject.org. A 8.43.85.73, fedoraproject.org. A 152.19.134.142, fedoraproject.org. A 38.145.60.21, fedoraproject.org. A 140.211.169.196, fedoraproject.org. A 209.132.190.2, fedoraproject.org. A 8.43.85.67, fedoraproject.org. A 67.219.144.68, fedoraproject.org. A 38.145.60.20, fedoraproject.org. RRSIG, fedoraproject.org. RRSIG (528)
  /\ bind has the A records

ns3.r3.mclarkdev.com.52120 > 8.8.8.8.domain: 7073+% [1au] DNSKEY? fedoraproject.org. (58)
8.8.8.8.domain > ns3.r3.mclarkdev.com.55378: 61019 1/0/1 8.8.8.8.in-addr.arpa. PTR dns.google. (73)
ns3.r3.mclarkdev.com.55309 > 8.8.8.8.domain: 23607+% [1au] DS? 8.in-addr.arpa. (55)
localhost.48388 > localhost.domain: 55328+ PTR? 201.23.16.172.in-addr.arpa. (44)
  /\ bind makes some extra queries

localhost.domain > localhost.48388: 55328 NXDomain* 0/1/0 (98)
  /\ bind serves NXDomain to client

Why does named refuse to serve the results to the client? This only happens with roughly 1% of domains.

Answer 1

The tcpdump shows that it successfully fetched the A records for fedoraproject.org, but it is also trying to fetch the DNSKEY record, which is used for DNSSEC validation. There is no response to that at all.

I queried 8.8.8.8 for that DNSKEY record and it works fine.

$ dig fedoraproject.org dnskey @8.8.8.8

; <<>> DiG 9.10.6 <<>> fedoraproject.org dnskey @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63666
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fedoraproject.org.     IN  DNSKEY

;; ANSWER SECTION:
fedoraproject.org.  108 IN  DNSKEY  256 3 5 AwEAAcCWNQWl5pCI3iOOP2r8nStL60Zjb/2JQLQytamVap0L44z0YWft u7pu0hx3cnIM1ejQOsEwbg2/10IyC+38cYqJDXbSdFg1zGztOS5xNz7r 9hzSRK5N2jkycdJ/BoByJ4Y+XGpDqfG4I97++8sIzSrw60TmGAKTvM9v iL3ByeCN
fedoraproject.org.  108 IN  DNSKEY  257 3 5 AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TCCvXGVp7h3BY3 uXLkjckuT0aopCp2KF8zHgNgpMK03p1fd94pn9JZSuxfqvKsiYH2KvNO a/655oPj06jRhqAP5grX01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUg ChRJs8GVt3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktGoZi3 nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7WpxmzM6/ET8VeqWIsvh8E nZNDNMfJyPbY9B1BOIrFCpE03ALgFMejaBZwmeQaX+D4Duup5xGOmdtC O4GSpM1YH6c=
fedoraproject.org.  108 IN  DNSKEY  257 3 14 7ttmhus8JD56ybsvMVZVsXa3U2R+2+WmOPIP7BU6t2LicosMZ2Ju3pfv ijsa5LvBvVCB4xVtLSqEdLSvW4vJPLSAB2uyJwHPJMezh0SzGmVCImLU 6qDxsxjHqtZ76/Sf
fedoraproject.org.  108 IN  DNSKEY  256 3 14 04ZsDOgyzs3kJsJ4jEY3MYufkCOWm1OI8N4M+dlBOBmweln0TSaKfafH zNCkaPiVG4bdgdnrzwxmjpK5GQgsiB47np+I8850Ea3EJG5ORDl3f//l rr92HiYh5DxCNhkG

So I suspect something in your environment is blocking the query or the response. It could be a firewall problem, filtering of DNS record types, or filtering of large responses.
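As an added illustration of the diagnosis above (this script is not part of the original answer): a small Python program that correlates queries and responses in tcpdump's one-line DNS output by client port and transaction id, then lists the queries that never received a reply, which is exactly how the missing DNSKEY answer shows up in the question's capture. The capture embedded below is a constructed sample modelled on the lines in the question, with the long A/RRSIG answer shortened and a final ServFail reply to the client added so the whole exchange is visible; the hostnames, ports and ids follow the question and are not a real capture.

```python
"""Correlate DNS queries and responses in tcpdump's one-line output to find
queries that never got an answer (the DNSKEY lookup in the question above)."""
import re

# Constructed sample capture, modelled on the tcpdump lines in the question.
# It is not the original capture: the A/RRSIG answer is shortened and a final
# ServFail reply to the client is added so the whole exchange is visible.
SAMPLE_CAPTURE = """\
localhost.49683 > localhost.domain: 14274+ A? fedoraproject.org. (35)
ns3.r3.mclarkdev.com.56668 > 8.8.8.8.domain: 21852+% [1au] A? fedoraproject.org. (58)
8.8.8.8.domain > ns3.r3.mclarkdev.com.56668: 21852$ 2/0/1 fedoraproject.org. A 140.211.169.206, fedoraproject.org. RRSIG (528)
ns3.r3.mclarkdev.com.52120 > 8.8.8.8.domain: 7073+% [1au] DNSKEY? fedoraproject.org. (58)
ns3.r3.mclarkdev.com.55309 > 8.8.8.8.domain: 23607+% [1au] DS? 8.in-addr.arpa. (55)
8.8.8.8.domain > ns3.r3.mclarkdev.com.55309: 23607$ 0/4/1 (400)
localhost.domain > localhost.49683: 14274 ServFail 0/0/0 (35)
"""

# tcpdump prints port 53 as the service name "domain"; with -n it is numeric.
DNS_PORTS = {"domain", "53"}

# "<host>.<port> > <host>.<port>: <id><flags> <rest>"; the flag characters
# tcpdump appends to the id (e.g. '+' recursion desired, '$' AD bit) are kept
# but not interpreted here.
LINE_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\d+|domain) > (?P<dst>\S+?)\.(?P<dport>\d+|domain): "
    r"(?P<id>\d+)(?P<flags>[+%$*|-]*)\s*(?P<rest>.*)$"
)
# Query body: optional "[1au]" (EDNS OPT present), then "TYPE? name. (size)".
QUERY_RE = re.compile(r"^(?:\[1au\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\(\d+\)$")
# Response body: optional rcode word (NXDomain, ServFail, ...), optional flag
# characters, then the "answers/authority/additional" section counts.
RESP_RE = re.compile(r"^(?P<rcode>[A-Za-z]+)?[*$|-]*\s*(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


def parse_capture(text):
    """Return (queries, responses), both keyed by (client_host, client_port, id)."""
    queries, responses = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS line (tcpdump may print other traffic)
        rest = m.group("rest")
        if m.group("dport") in DNS_PORTS and (q := QUERY_RE.match(rest)):
            key = (m.group("src"), m.group("sport"), m.group("id"))
            queries[key] = {"qtype": q.group("qtype"), "qname": q.group("qname"),
                            "server": m.group("dst")}
        elif m.group("sport") in DNS_PORTS and (r := RESP_RE.match(rest)):
            key = (m.group("dst"), m.group("dport"), m.group("id"))
            responses[key] = {"rcode": r.group("rcode") or "NoError",
                              "answers": int(r.group("an"))}
    return queries, responses


def find_unanswered(text):
    """Queries with no matching response. For the question's capture this is the
    DNSKEY lookup that named waited on before giving up with SERVFAIL."""
    queries, responses = parse_capture(text)
    return [dict(q, id=k[2], port=k[1]) for k, q in queries.items() if k not in responses]


def client_outcomes(text, client="localhost"):
    """What the resolver finally told its own clients, as (qname, qtype, rcode)."""
    queries, responses = parse_capture(text)
    return [(q["qname"], q["qtype"], responses[k]["rcode"])
            for k, q in queries.items() if k[0] == client and k in responses]


if __name__ == "__main__":
    for q in find_unanswered(SAMPLE_CAPTURE):
        print(f"no reply to {q['qtype']}? {q['qname']} (id {q['id']}) from {q['server']}")
    for outcome in client_outcomes(SAMPLE_CAPTURE):
        print("client got:", outcome)
```

On a real system, feed the script the output of `tcpdump -l port 53` (with or without `-n`; both the `domain` service name and a numeric `53` are accepted). Matching on the client port plus transaction id rather than on the query name is deliberate: a resolver fires several lookups for the same name (A, DNSKEY, DS, PTR for the forwarder) and only the per-socket id tells which one went unanswered. Note that the sample's unanswered query is the DNSKEY lookup, whose responses are typically much larger than an A answer, which is why the answer above lists large-response filtering among the suspects.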

Answer 2

Your bind installation seems to be tripping over DNSSEC validation of DNSSEC-signed domains. Recent versions of Bind enable DNSSEC validation by default, but older versions (e.g. 9.11) require it to be enabled explicitly:

options {
    ...
    dnssec-validation auto;
    ...
};
