Why are these UDP packets being dropped?

When trying to resolve dnsviz.net from a host using an Unbound resolver configured for DNSSEC validation, the result is "no servers could be reached":

```
$ dig -t soa dnsviz.net

; <<>> DiG 9.6-ESV-R4 <<>> -t soa dnsviz.net
;; global options: +cmd
;; connection timed out; no servers could be reached
```

Unbound's logging contains nothing to indicate why this is happening.

Here is /etc/unbound/unbound.conf:

```
server:
    verbosity: 1
    interface: 192.168.0.8
    interface: 127.0.0.1
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 192.168.0.0/16 allow_snoop
    chroot: ""
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-log-level: 2

python:

remote-control:
    control-enable: yes
```

If I add:

```
    module-config: "iterator"
```

(thereby disabling DNSSEC validation), then I can resolve this host fine.

The domain and its DNSSEC check out according to http://dnscheck.iis.se/, so there must be something wrong with my resolver configuration.

What is it, and how do I go about debugging it?

Update:

Someone suggested I run unbound-host in debug mode to get more information. Here goes:

```
$ /usr/local/sbin/unbound-host -d -4 -v -C /etc/unbound/unbound.conf -ta dnsviz.net
[1341735286] libunbound[27690:0] notice: init module 0: validator
[1341735286] libunbound[27690:0] notice: init module 1: iterator
[1341735286] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735286] libunbound[27690:0] info: priming . IN NS
[1341735288] libunbound[27690:0] info: response for . NS IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.5.5.241#53
[1341735288] libunbound[27690:0] info: query response was ANSWER
[1341735288] libunbound[27690:0] info: priming successful for . NS IN
[1341735288] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 128.8.10.90#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735288] libunbound[27690:0] info: reply from <net.> 192.42.93.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: resolving ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: resolving ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: resolving ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 199.7.83.42#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.58.128.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.112.36.4#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735300] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735300] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735300] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.29#53
[1341735300] libunbound[27690:0] info: query response was ANSWER
[1341735300] libunbound[27690:0] info: resolving ns1.ca.sandia.gov. A IN
[1341735301] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735301] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735301] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.66#53
[1341735301] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.65#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735310] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.65#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735310] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.29#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735311] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735311] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735311] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.66#53
[1341735311] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735315] libunbound[27690:0] info: resolving ns2.ca.sandia.gov. A IN
[1341735315] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735315] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735315] libunbound[27690:0] info: query response was REFERRAL
[1341735328] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735328] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735328] libunbound[27690:0] info: reply from <ca.sandia.gov.> 198.102.153.28#53
[1341735328] libunbound[27690:0] info: query response was ANSWER
[1341735328] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735328] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735328] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.65#53
[1341735328] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735332] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735332] libunbound[27690:0] info: query response was ANSWER
[1341735332] libunbound[27690:0] info: resolving ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735332] libunbound[27690:0] info: query response was REFERRAL
[1341735332] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735332] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.28#53
[1341735333] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735333] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.29#53
[1341735333] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.28#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: prime trust anchor
[1341735333] libunbound[27690:0] info: resolving . DNSKEY IN
[1341735333] libunbound[27690:0] info: response for . DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <.> 192.5.5.241#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] error: Could not open autotrust file for writing, /etc/unbound/root.key: Permission denied
[1341735333] libunbound[27690:0] info: validate keys with anchor(DS): sec_status_secure
[1341735333] libunbound[27690:0] info: Successfully primed trust anchor . DNSKEY IN
[1341735333] libunbound[27690:0] info: validated DS net. DS IN
[1341735333] libunbound[27690:0] info: resolving net. DNSKEY IN
[1341735333] libunbound[27690:0] info: response for net. DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <net.> 192.48.79.30#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: validated DNSKEY net. DNSKEY IN
[1341735333] libunbound[27690:0] info: validated DS dnsviz.net. DS IN
[1341735333] libunbound[27690:0] info: resolving dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: response for dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.29#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: validated DNSKEY dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735333] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735358] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.66#53
[1341735358] libunbound[27690:0] info: query response was ANSWER
[1341735358] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735358] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735358] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.65#53
[1341735358] libunbound[27690:0] info: query response was ANSWER
[1341735358] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735358] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735374] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735375] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735375] libunbound[27690:0] info: reply from <net.> 192.54.112.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
[1341735375] libunbound[27690:0] info: resolving ns9.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
[1341735375] libunbound[27690:0] info: resolving ns8.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
Host dnsviz.net not found: 2(SERVFAIL). (insecure)
```

I haven't had a chance to work through this properly yet, but the "concluded that connection to host drops EDNS packets" bit jumps out at me.

Update:

This has nothing to do with Unbound: my firewall host is not forwarding certain UDP packets.

eth0 is the Internet side of the firewall, eth1 is the LAN side. Here is a tcpdump on both interfaces while `dig +norec +dnssec @198.102.153.29 sandia.gov` is issued from a machine to one of the DNS servers in question:

```
# tcpdump -vpni eth0 'host 198.102.153.29'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:37:57.234085 IP (tos 0x0, ttl 63, id 32258, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok] 24755 [1au] A? sandia.gov. (39)
09:37:57.387165 IP (tos 0x4, ttl 47, id 48355, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722: 24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:37:57.387502 IP (tos 0x4, ttl 47, id 48355, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
09:38:02.234014 IP (tos 0x0, ttl 63, id 32259, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok] 24755 [1au] A? sandia.gov. (39)
09:38:02.386762 IP (tos 0x4, ttl 47, id 48356, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722: 24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:38:02.387101 IP (tos 0x4, ttl 47, id 48356, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
09:38:07.260492 IP (tos 0x0, ttl 63, id 32260, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok] 24755 [1au] A? sandia.gov. (39)
09:38:07.433906 IP (tos 0x4, ttl 47, id 48357, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722: 24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:38:07.434244 IP (tos 0x4, ttl 47, id 48357, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
9 packets captured
9 packets received by filter
0 packets dropped by kernel

# tcpdump -vpni eth1 'host 198.102.153.29'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:38:20.646202 IP (tos 0x0, ttl 64, id 32261, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok] 31422 [1au] A? sandia.gov. (39)
09:38:25.645589 IP (tos 0x0, ttl 64, id 32262, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok] 31422 [1au] A? sandia.gov. (39)
09:38:30.645640 IP (tos 0x0, ttl 64, id 32263, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok] 31422 [1au] A? sandia.gov. (39)
```

Note that eth0 receives a bunch of UDP packets which are never forwarded.

The firewall rules are simple, basically "NAT to/from 192.168.0.8 as 82.69.129.108, NAT everything else to 82.69.129.105, allow the appropriate ports/protocols, then block all other traffic".

Here is the rule list:

```
# iptables -vnL
Chain INPUT (policy DROP 87 packets, 5073 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1010  216K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   58  4408 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:123
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   87  5073 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `INPUT: '

Chain FORWARD (policy DROP 6 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2  1383 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New but not syn: '
    2  1383 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW
78595   75M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
58873   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    9   576 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8          tcp dpt:22
    4   240 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8          tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8          tcp dpt:443
    2   120 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8          tcp dpt:25
    0     0 ACCEPT     udp  --  eth0   *       192.168.2.1          192.168.0.8          udp dpt:514
    2   152 ACCEPT     udp  --  eth0   *       192.168.2.1          192.168.0.8          udp dpt:123
    0     0 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0
    6   300 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix `FORWARD: '

Chain OUTPUT (policy ACCEPT 460 packets, 67812 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2696K packets, 192M bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1236 DNAT       all  --  eth0   *       0.0.0.0/0            82.69.129.108        to:192.168.0.8

Chain POSTROUTING (policy ACCEPT 108K packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1549  115K SNAT       all  --  *      eth0    192.168.0.8          0.0.0.0/0            to:82.69.129.108
  709 42396 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:82.69.129.105

Chain OUTPUT (policy ACCEPT 19719 packets, 3998K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Those LOG rules aren't logging anything useful.

The firewall is a Linux install, but it is a Soekris device that runs read-only from a CF card; I have therefore treated it as an appliance and have not upgraded it since it was installed. It is consequently a very old Debian Etch install with a 2.6.12 kernel. Could this be a kernel bug related to UDP fragmentation or connection tracking?

Anyway, I'm going to remove the DNSSEC and Unbound tags and add iptables etc.
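The two captures above can be compared mechanically: the WAN side shows a reply split into two IP fragments (IP ID 48355, first piece with the MF flag, second piece at offset 1176), the LAN side shows nothing at all from the server. The script below is an added example, not part of the question or of any tool mentioned on it; it parses `tcpdump -v` lines of the shape shown, groups fragments by (source address, IP ID) and reports datagrams that arrived fragmented on the outside interface but never appeared on the inside one. The sample lines are constructed from the question's captures. It assumes a 20-byte IPv4 header (no IP options) and that the firewall rewrites only the destination address, so the IP ID is the same on both sides.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped like the `tcpdump -vpni` output in the question:
# one query/response exchange seen on the Internet side (eth0), and the same
# query as seen on the LAN side (eth1), where no reply ever appears.
WAN_ETH0 = """\
09:37:57.234085 IP (tos 0x0, ttl 63, id 32258, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok] 24755 [1au] A? sandia.gov. (39)
09:37:57.387165 IP (tos 0x4, ttl 47, id 48355, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722: 24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:37:57.387502 IP (tos 0x4, ttl 47, id 48355, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
"""
LAN_ETH1 = """\
09:38:20.646202 IP (tos 0x0, ttl 64, id 32261, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok] 31422 [1au] A? sandia.gov. (39)
"""

IP_HEADER_LEN = 20  # assumption: no IP options, so the IP payload is length - 20

# Fields tcpdump -v prints for every IPv4 packet. The port suffix is absent on
# non-first fragments because they carry no UDP header.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def parse_capture(text):
    """Parse tcpdump -v lines into dicts holding the IP-level fields needed here."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines such as "9 packets captured"
        packets.append({
            "src": m["src"],
            "dst": m["dst"],
            "ip_id": int(m["id"]),
            "offset": int(m["off"]),
            "more_fragments": "+" in m["flags"],   # tcpdump prints [+] for the MF flag
            "payload_len": int(m["len"]) - IP_HEADER_LEN,
        })
    return packets


def fragmented_datagrams(packets):
    """Group packets by (src, IP ID) and keep only groups that are pieces of one datagram."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["ip_id"])].append(p)
    return {key: frags for key, frags in groups.items()
            if any(f["more_fragments"] or f["offset"] > 0 for f in frags)}


def unforwarded_fragments(wan_text, lan_text):
    """Fragmented datagrams captured on the WAN side that never show up on the LAN side.

    Matching on (src, IP ID) assumes the firewall only rewrites the destination
    address (DNAT), which leaves the IP ID intact.
    """
    wan = parse_capture(wan_text)
    lan_seen = {(p["src"], p["ip_id"]) for p in parse_capture(lan_text)}
    missing = []
    for (src, ip_id), frags in sorted(fragmented_datagrams(wan).items()):
        if (src, ip_id) not in lan_seen:
            missing.append({
                "src": src,
                "ip_id": ip_id,
                "fragments": len(frags),
                # size of the UDP datagram (UDP header included) the inside host never got
                "udp_bytes": sum(f["payload_len"] for f in frags),
            })
    return missing


if __name__ == "__main__":
    for d in unforwarded_fragments(WAN_ETH0, LAN_ETH1):
        print(f"{d['src']} id {d['ip_id']}: {d['fragments']} fragments, "
              f"{d['udp_bytes']}-byte UDP datagram seen on eth0 but not on eth1")
```

Run against the two captures it reports one datagram of 2654 bytes from 198.102.153.29 that was received in two pieces and never forwarded, which is the same conclusion Unbound reaches with "connection to host drops EDNS packets", only now tied to a specific IP ID and interface. Feeding it full captures from both interfaces during a normal workload turns the one-off observation into a check that can be repeated after a firewall or kernel change.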

Have you made sure that TCP can be used both when clients contact your Unbound and when your Unbound tries to contact external servers? You could try `dig +tcp @server example.com`, changing server.

DNSSEC makes the requests too large to fit in UDP.

I had exactly this problem, and I found that the information from http://comments.gmane.org/gmane.network.dns.unbound.user/1891 solved it for me:

Your trace shows that unbound concludes the connection drops MTU 1500+ packets. Faa.gov uses big keys and has many answers above 1480, i.e. the DNSKEY and NXDOMAIN answers. So your trouble may stem from a fragmentation problem. Your server cannot receive UDP DNS responses larger than 1480.

A simple `dig @fanesver faa.gov DNSKEY +dnssec` from the server shows the timeouts it can produce.

The best solution is to fix the path that drops UDP fragments. Fix your firewall, upgrade it, change the Cisco router rules on the old device. It must be close to your end, since I can get the fragments just fine. This is the best fix because it makes your server run better and generally cleans up your network.

The workaround is edns-buffer-size: 1280 in unbound.conf.

A code fix is unbound in the svn trunk development version. That version should automatically fall back to a smaller EDNS size.

There are also some useful MTU size testing websites.
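What `edns-buffer-size: 1280` actually changes is one 16-bit field in every query the resolver sends: the CLASS field of the EDNS0 OPT pseudo-record (RFC 6891), which advertises the largest UDP reply the resolver is willing to receive. An authoritative server that would need more space sets the TC bit instead, and the resolver retries over TCP, which is why the TCP check in the first answer and the buffer-size workaround in the second are two sides of the same problem. The following is an added example, not code from the answers or from Unbound: it builds a query with an OPT record for a given buffer size, parses the OPT record (and TC bit) back out of a message, and computes how large a UDP payload fits in a single IPv4 or IPv6 packet for a given link MTU. The 39-byte query it produces for sandia.gov matches the `(39)` dig shows in the captures above.

```python
import secrets
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000    # "DNSSEC OK" flag, top bit of the OPT record's TTL field
TC_BIT = 0x0200    # truncation flag in the DNS header flags word


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, udp_payload_size=1280, dnssec_ok=True):
    """Build a DNS query carrying an EDNS0 OPT record that advertises udp_payload_size.

    A resolver's edns-buffer-size setting ends up in exactly this field; the
    authoritative server caps its UDP reply at that size and sets TC rather than
    sending a larger (and therefore possibly fragmented) datagram.
    """
    txid = secrets.randbits(16)
    # flags 0x0100 = RD; one question, no answer/authority, one additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    ttl_field = DO_BIT if dnssec_ok else 0
    opt = encode_name(".") + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl_field, 0)
    return header + question + opt


def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # a compression pointer (2 bytes) ends the name
            return pos + 2
        pos += 1 + length


def inspect_message(msg):
    """Report the TC bit and, if an OPT record is present, its advertised size and DO flag."""
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    info = {"tc": bool(flags & TC_BIT), "udp_payload_size": None, "do": None}
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4             # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):   # walk every RR; OPT lives in additional
        pos = _skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            info["udp_payload_size"] = rclass
            info["do"] = bool(ttl & DO_BIT)
    return info


def max_unfragmented_payload(link_mtu=1500, ipv6=False):
    """Largest UDP payload that fits one packet on the link: MTU minus IP and UDP headers."""
    return link_mtu - (40 if ipv6 else 20) - 8


if __name__ == "__main__":
    for size in (4096, 1280):
        q = build_query("sandia.gov", udp_payload_size=size)
        print(len(q), "byte query advertising", inspect_message(q)["udp_payload_size"])
    print("largest unfragmented UDP payload on a 1500-byte IPv4 link:", max_unfragmented_payload())
```

The arithmetic in `max_unfragmented_payload` is why a 1500-byte Ethernet path can carry at most a 1472-byte UDP DNS reply before the server has to fragment it; a resolver advertising 1280 stays under that on both IPv4 and IPv6 links, at the cost of more responses arriving truncated and being retried over TCP. When the fragment-dropping path has been fixed, the value can be raised again and the same `inspect_message` check confirms what the resolver is actually sending.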