我们在尝试只parsing某些域时遇到了我们公司DNS服务器的问题,我们在CentOS 6.5服务器上运行BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6。 我们是autoritative一些区域和我们的内部客户端和邮件系统解决使用此服务器。 www.dhl.com是我们遇到麻烦解决的一个领域,下面是使用dig进行查询时得到的结果:
[root@serverx etc] dig www.dhl.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.dhl.com ;; global options: +cmd ;; connection timed out; no servers could be reached 和
[root@serverx etc]# dig +trace www.dhl.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> +trace www.dhl.com ;; global options: +cmd . 517419 IN NS g.root-servers.net. . 517419 IN NS a.root-servers.net. . 517419 IN NS h.root-servers.net. . 517419 IN NS m.root-servers.net. . 517419 IN NS f.root-servers.net. . 517419 IN NS b.root-servers.net. . 517419 IN NS l.root-servers.net. . 517419 IN NS j.root-servers.net. . 517419 IN NS k.root-servers.net. . 517419 IN NS e.root-servers.net. . 517419 IN NS i.root-servers.net. . 517419 IN NS d.root-servers.net. . 517419 IN NS c.root-servers.net. ;; Received 496 bytes from 192.168.XX#53(192.168.XX) in 11 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. ;; Received 489 bytes from 202.12.27.33#53(202.12.27.33) in 6128 ms dhl.com. 172800 IN NS ns4.dhl.com. dhl.com. 172800 IN NS ns6.dhl.com. dig: couldn't get address for 'ns4.dhl.com': no more
而当我用谷歌的DNS服务器挖掘:
dig @8.8.4.4 www.dhl.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> @8.8.4.4 www.dhl.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11325 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.dhl.com. IN A ;; ANSWER SECTION: www.dhl.com. 1619 IN CNAME ngw.dhl.com.edgesuite.net. ngw.dhl.com.edgesuite.net. 8520 IN CNAME a1085.g.akamai.net. a1085.g.akamai.net. 19 IN A 23.74.2.113 a1085.g.akamai.net. 19 IN A 23.74.2.120 ;; Query time: 229 msec ;; SERVER: 8.8.4.4#53(8.8.4.4) ;; WHEN: Thu Dec 4 14:47:56 2014 ;; MSG SIZE rcvd: 129
没问题!,并从同一台服务器…
当你看“/ var / log / messages”时,什么都不logging!!! 再次,这只发生在某些域名,这台服务器几天前工作正常,我们也禁用了selinux进行testing。
这是我们的named.conf文件(在chroot环境中名为runnig):
options { // listen-on port 53 { 127.0.0.1;192.168.xx.x; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; // allow-query { localhost; }; allow-query { any; }; recursion yes; allow-recursion { recursive-clients; }; // query-source address * port 53; // dnssec-enable yes; dnssec-enable no; // dnssec-validation yes; dnssec-validation no; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; allow-transfer { xxx.xxx; xxx.xxx; xxx.xxx; 127.0.0.1; }; allow-update { 192.168.xx.xx; }; // forwarders { 8.8.4.4; }; }; acl recursive-clients { xxx.xxx/24; 127.0.0.1; xxx.xxx.xx.x/24; xx.xxx.xxx.xxx/29; xxx.xxx.xx.x;}; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "domain.com.xx" IN { type master; file "db.domain.com.xx"; allow-transfer { xxx.xxx.xx.xx; xxx.xxx.xxx.x; }; }; zone "xx.xxx.xxx.in-addr.arpa" IN { type master; file "db.xxx.xxx.xx"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
任何想法的家伙???我一直在做testing和研究自昨天以来,我不知道发生了什么事情!
提前感谢任何帮助或想法。
在这里使用dig + trace + additional www.dhl.com:
挖+追踪+额外的www.dhl.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> +trace +additional www.dhl.com ;; global options: +cmd . 518340 IN NS h.root-servers.net. . 518340 IN NS l.root-servers.net. . 518340 IN NS e.root-servers.net. . 518340 IN NS k.root-servers.net. . 518340 IN NS i.root-servers.net. . 518340 IN NS m.root-servers.net. . 518340 IN NS b.root-servers.net. . 518340 IN NS c.root-servers.net. . 518340 IN NS g.root-servers.net. . 518340 IN NS f.root-servers.net. . 518340 IN NS d.root-servers.net. . 518340 IN NS a.root-servers.net. . 518340 IN NS j.root-servers.net. k.root-servers.net. 518345 IN A 193.0.14.129 k.root-servers.net. 518345 IN AAAA 2001:7fd::1 b.root-servers.net. 518345 IN A 192.228.79.201 b.root-servers.net. 518345 IN AAAA 2001:500:84::b c.root-servers.net. 518345 IN A 192.33.4.12 c.root-servers.net. 518345 IN AAAA 2001:500:2::c i.root-servers.net. 518345 IN A 192.36.148.17 i.root-servers.net. 518345 IN AAAA 2001:7fe::53 f.root-servers.net. 518345 IN A 192.5.5.241 f.root-servers.net. 518345 IN AAAA 2001:500:2f::f h.root-servers.net. 518345 IN A 128.63.2.53 h.root-servers.net. 518345 IN AAAA 2001:500:1::803f:235 a.root-servers.net. 518345 IN A 198.41.0.4 ;; Received 508 bytes from 192.168.xx#53(192.168.xx) in 11363 ms com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. a.gtld-servers.net. 172800 IN A 192.5.6.30 b.gtld-servers.net. 172800 IN A 192.33.14.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 m.gtld-servers.net. 172800 IN A 192.55.83.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 ;; Received 489 bytes from 202.12.27.33#53(202.12.27.33) in 4335 ms dhl.com. 172800 IN NS ns4.dhl.com. dhl.com. 172800 IN NS ns6.dhl.com. ns4.dhl.com. 172800 IN A 165.72.192.16 ns6.dhl.com. 172800 IN A 199.40.254.166 dig: couldn't get address for 'ns4.dhl.com': no more
从dig + tcp www.redhat.com输出
dig + tcp www.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> +tcp www.redhat.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62110 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 8 ;; QUESTION SECTION: ;www.redhat.com. IN A ;; ANSWER SECTION: www.redhat.com. 11 IN CNAME wildcard.redhat.com.edgekey.net. wildcard.redhat.com.edgekey.net. 20484 IN CNAME wildcard.redhat.com.edgekey.net.globalredir.akadns.net. wildcard.redhat.com.edgekey.net.globalredir.akadns.net. 2485 IN CNAME e1890.b.akamaiedge.net. e1890.b.akamaiedge.net. 20 IN A 172.229.164.152 ;; AUTHORITY SECTION: b.akamaiedge.net. 2874 IN NS n2b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n3b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n4b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n1b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n7b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n5b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n6b.akamaiedge.net. b.akamaiedge.net. 2874 IN NS n0b.akamaiedge.net. ;; ADDITIONAL SECTION: n5b.akamaiedge.net. 6917 IN A 201.144.215.107 n1b.akamaiedge.net. 4917 IN A 23.61.206.74 n6b.akamaiedge.net. 2917 IN A 201.144.215.108 n2b.akamaiedge.net. 6917 IN A 192.204.11.244 n4b.akamaiedge.net. 4917 IN A 201.144.215.110 n7b.akamaiedge.net. 4917 IN A 201.144.215.113 n0b.akamaiedge.net. 2917 IN A 23.61.206.68 n3b.akamaiedge.net. 2917 IN A 201.144.215.114 ;; Query time: 132 msec ;; SERVER: 192.168.xx#53(192.168.xx) ;; WHEN: Thu Dec 4 16:03:03 2014 ;; MSG SIZE rcvd: 463
其他testing:
traceroute -U -p 53 165.72.192.16 traceroute to 165.72.192.16 (165.72.192.16), 30 hops max, 60 byte packets 1 192.168.17.10 (192.168.17.10) 0.724 ms 0.718 ms 0.681 ms 2 168.243.205.74 (168.243.205.74) 4.188 ms 4.677 ms 3.945 ms 3 172.26.64.21 (172.26.64.21) 179.831 ms 180.282 ms 181.633 ms 4 172.24.0.13 (172.24.0.13) 182.433 ms 182.585 ms 179.870 ms 5 172.24.0.9 (172.24.0.9) 180.654 ms 183.023 ms 180.876 ms 6 * * * 7 * * * 8 * * * 9 * * * 10 * * *
和:
ping 165.72.192.16 PING 165.72.192.16 (165.72.192.16) 56(84) bytes of data. 64 bytes from 165.72.192.16: icmp_seq=1 ttl=240 time=356 ms 64 bytes from 165.72.192.16: icmp_seq=2 ttl=240 time=325 ms 64 bytes from 165.72.192.16: icmp_seq=3 ttl=240 time=291 ms 64 bytes from 165.72.192.16: icmp_seq=4 ttl=240 time=260 ms traceroute -U -p 53 199.40.254.166 traceroute to 199.40.254.166 (199.40.254.166), 30 hops max, 60 byte packets 1 192.168.17.10 (192.168.17.10) 0.710 ms 0.683 ms 0.764 ms 2 168.243.205.74 (168.243.205.74) 3.136 ms 3.875 ms 4.191 ms 3 172.26.64.21 (172.26.64.21) 19.367 ms 18.988 ms 19.698 ms 4 172.24.0.177 (172.24.0.177) 4.657 ms 6.608 ms 7.088 ms 5 172.24.0.9 (172.24.0.9) 5.126 ms 7.412 ms 5.518 ms 6 * * * 7 * * * 8 * * * 9 * * * ping 199.40.254.166 PING 199.40.254.166 (199.40.254.166) 56(84) bytes of data. 64 bytes from 199.40.254.166: icmp_seq=1 ttl=237 time=287 ms 64 bytes from 199.40.254.166: icmp_seq=2 ttl=237 time=280 ms 64 bytes from 199.40.254.166: icmp_seq=3 ttl=237 time=286 ms
更新 – 5 Dic 2014
那么,我已经安装在另一台服务器在相同的子网,相同的操作系统版本和相同的绑定释放绑定,它工作得很好!!!,唯一改变的是IP地址,我不能改变testing,因为有问题的服务器正在生产中……所以我认为安德鲁所倡导的IDS理论是真实的……我将和我们的ISP谈谈,并且调查我们的外部IP,如果它被列入黑名单并发布它如何去…
更新 – 6 Dic 2014
服务器的IP地址没有列在我在互联网上查过的黑名单中。
用+additional标志重新运行您的dig +trace 。 我希望它仍然失败,但我会解释发生了什么。
+trace与+additional将显示名称服务器胶(ADDITIONAL部分),这将至less告诉你TLD名称服务器正确返回的IP地址ns4.dhl.com 。 couldn't get address for 'ns4.dhl.com': no more故障来自您的本地域名服务器。 这是一个晦涩难懂的细节,但是dig + trace不会使用来自ADDITIONAL部分的数据来确定“next hop”域名服务器的IP地址。 它实际上是在/etc/resolv.conf中查询你的域名服务器来获取ns4.dhl.com的IP地址,而这个查询是失败的。 根据挖掘命令的结果,我在注释中运行,似乎有一个问题与端口53上的DHL的名称服务器通信。端口53上的基于UDP的跟踪路由( traceroute -U -p 53 )会给你一个更好的想知道包丢失在哪里。 这可能是您networking上的设备,或者是DHL丢失了查询/回复。 在后一种情况下,您的域名服务器的IP地址可能会以某种方式进入到IDS设备的信誉数据库中。
你检查你的防火墙是不是阻止端口53 TCP – 它在我看来,dhl.com区域签署,因此是相当大的 – 大的请求DNS从UDP回落到TCP,这可能解释您的问题。
我在我的conf中评论了这一行:
query-source address * port 53;
然后我只是要configuration日志function,但我再次尝试nslookup问题域之一。 它这次工作。 我不知道如何以及为什么,但可能与查询源地址端口有关。 我去了第二个DNS服务器那里没有评论,试图nslookup相同的领域,它失败了。 目前我删除了这条线,一切都开始正常工作了。 你有什么想法为什么和这个东西如何工作?