Intermittently unable to resolve websites (mostly .gov)

We are using Windows Server 2012. Sometimes we cannot resolve .gov websites. When we check with the following command they do resolve, so we know the .gov sites are available.

nslookup www.fda.gov 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    a1715.dscb.akamai.net
Addresses:  2607:f7d8:801:100::40ba:2f29
          2607:f7d8:801:100::40ba:2f30
          23.3.96.168
          23.3.96.89
Aliases:  www.fda.gov
          www.fda.gov.edgesuite.net

Using our DNS forwarder:

nslookup www.fda.gov [IP address of DNS forwarder]
Server:  [FQDN of DNS forwarder]
Address:  [IP address of DNS forwarder]

Non-authoritative answer:
Name:    a1715.dscb.akamai.net
Addresses:  2607:f7d8:801:100::40ba:2f30
          2607:f7d8:801:100::40ba:2f29
          23.3.96.168
          23.3.96.89
Aliases:  www.fda.gov
          www.fda.gov.edgesuite.net

Using our DNS server:

nslookup -d2 www.fda.gov
------------
SendRequest(), len 43
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        11.1.168.192.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (126 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        11.1.168.192.in-addr.arpa, type = PTR, class = IN
    AUTHORITY RECORDS:
    ->  1.168.192.in-addr.arpa
        type = SOA, class = IN, dlen = 49
        ttl = 3600 (1 hour)
        primary name server = iss3.iss.local
        responsible mail addr = hostmaster.iss.local
        serial  = 163
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Server:  UnKnown
Address:  [server IP]

------------
SendRequest(), len 29
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fda.gov, type = A, class = IN

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
------------
SendRequest(), len 29
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.fda.gov, type = AAAA, class = IN

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
*** Request to UnKnown timed-out

When I use `set vc` in the nslookup command:

Server:  UnKnown
Address:  192.168.1.11

*** UnKnown can't find www.fda.gov: Server failed

We did have IPv6 disabled, so I re-enabled it, but the problem persists. We would appreciate any suggestions or troubleshooting steps for resolving this.

We are in the US. Here is the ping when we can reach the FDA site (as mentioned above, this is intermittent):

Pinging a1715.dscb.akamai.net [23.3.96.168] with 32 bytes of data:
Reply from 23.3.96.168: bytes=32 time=97ms TTL=57
Reply from 23.3.96.168: bytes=32 time=14ms TTL=57
Reply from 23.3.96.168: bytes=32 time=36ms TTL=57
Reply from 23.3.96.168: bytes=32 time=20ms TTL=57

Ping statistics for 23.3.96.168:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 97ms, Average = 41ms

When it is unavailable, the pings look like this:

ping www.fda.gov
Ping request could not find host www.fda.gov. Please check the name and try again.

ping www.fda.gov.
Ping request could not find host www.fda.gov.. Please check the name and try again.

Others have run into a similar problem. We tried changing MaxCacheTTL to 30 minutes (1800) because that resolved the problem in that thread, but the problem persists.

We also tried changing MaxCacheTTL to 0. That did not work. But we also found that we could not reach www.paypal.com at the same time that we could not reach these other .gov sites. Interestingly, when we could reach www.fda.gov, we could also reach www.paypal.com. This suggests it cannot be a TTL problem, since TTL is applied per record. Besides, the fact that the first MaxCacheTTL adjustment did not work should already have made that obvious enough.

We ran verbose DNS logging for www.fda.gov. The results are fascinating, but we do not know what to make of them. The DNS server appears to treat it as a subdomain of our own domain: www.fda.gov.[domain].local.

3/9/2017 11:33:10 AM 448C PACKET  000000010655E8A0 UDP Rcv [server IP]    0002   Q [0001   D   NOERROR] A      (3)www(3)fda(3)gov(3)[domain](5)local(0)
UDP question info at 000000010655E8A0
  Socket = 492
  Remote addr [server IP], port 60700
  Time Query=2151068, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0027 (39)
  Message:
    XID       0x0002
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(3)[domain](5)local(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

3/9/2017 11:33:10 AM 448C PACKET  000000010655E8A0 UDP Snd [server IP]    0002 R Q [8385 A DR NXDOMAIN] A      (3)www(3)fda(3)gov(3)[domain](5)local(0)
UDP response info at 000000010655E8A0
  Socket = 492
  Remote addr [server IP], port 60700
  Time Query=2151068, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0064 (100)
  Message:
    XID       0x0002
    Flags     0x8583
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        1
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     3 (NXDOMAIN)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   1
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(3)[domain](5)local(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
    Offset = 0x0027, RR count = 0
    Name      "(3)[domain](5)local(0)"
      TYPE   SOA  (6)
      CLASS  1
      TTL    3600
      DLEN   40
      DATA   
        PrimaryServer: (4)servername[C027](3)[domain](5)local(0)
        Administrator: (10)hostmaster[C027](3)[domain](5)local(0)
        SerialNo     = 2735
        Refresh      = 900
        Retry        = 600
        Expire       = 86400
        MinimumTTL   = 3600
    ADDITIONAL SECTION:
      empty

When it works:

3/9/2017 11:33:10 AM 448C PACKET  000000010672E9F0 UDP Snd [server IP]    0004 R Q [8081   DR  NOERROR] A      (3)www(3)fda(3)gov(0)
UDP response info at 000000010672E9F0
  Socket = 492
  Remote addr [server IP], port 60702
  Time Query=2151068, Queued=2151068, Expire=2151071
  Buf length = 0x0200 (512)
  Msg length = 0x0077 (119)
  Message:
    XID       0x0004
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    3
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x001d, RR count = 0
    Name      "[C00C](3)www(3)fda(3)gov(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    128
      DLEN   25
      DATA   (3)www(3)fda(3)gov(7)edgekey(3)net(0)
    Offset = 0x0042, RR count = 1
    Name      "[C029](3)www(3)fda(3)gov(7)edgekey(3)net(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    3992
      DLEN   25
      DATA   (6)e11872(4)dscb(10)akamaiedge[C03D](3)net(0)
    Offset = 0x0067, RR count = 2
    Name      "[C04E](6)e11872(4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    20
      DLEN   4
      DATA   184.31.201.196
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

3/9/2017 11:33:32 AM 4988 PACKET  00000001050E88F0 UDP Rcv [server IP]   9658   Q [0001   D   NOERROR] A      (3)www(3)fda(3)gov(0)
UDP question info at 00000001050E88F0
  Socket = 492
  Remote addr [server IP], port 62657
  Time Query=2151089, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x001d (29)
  Message:
    XID       0x9658
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

3/9/2017 11:40:36 AM 0F98 PACKET  0000000102B32600 UDP Snd [server IP]    23f2 R Q [8081   DR  NOERROR] A      (3)www(3)fda(3)gov(0)
UDP response info at 0000000102B32600
  Socket = 492
  Remote addr [server IP], port 55901
  Time Query=2151514, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0184 (388)
  Message:
    XID       0x23f2
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    3
    NSCOUNT   9
    ARCOUNT   5
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x001d, RR count = 0
    Name      "[C00C](3)www(3)fda(3)gov(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    300
      DLEN   25
      DATA   (3)www(3)fda(3)gov(7)edgekey(3)net(0)
    Offset = 0x0042, RR count = 1
    Name      "[C029](3)www(3)fda(3)gov(7)edgekey(3)net(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    15195
      DLEN   25
      DATA   (6)e11872(4)dscb(10)akamaiedge[C03D](3)net(0)
    Offset = 0x0067, RR count = 2
    Name      "[C04E](6)e11872(4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    20
      DLEN   4
      DATA   23.194.99.134
    AUTHORITY SECTION:
    Offset = 0x0077, RR count = 0
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n6dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x008c, RR count = 1
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n7dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x00a1, RR count = 2
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)a0dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x00b6, RR count = 3
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n0dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x00cb, RR count = 4
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n1dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x00e0, RR count = 5
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n2dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x00f5, RR count = 6
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n3dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x010a, RR count = 7
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n4dscb[C05A](10)akamaiedge[C03D](3)net(0)
    Offset = 0x011f, RR count = 8
    Name      "[C055](4)dscb(10)akamaiedge[C03D](3)net(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1566
      DLEN   9
      DATA   (6)n5dscb[C05A](10)akamaiedge[C03D](3)net(0)
    ADDITIONAL SECTION:
    Offset = 0x0134, RR count = 0
    Name      "[C0D7](6)n1dscb[C05A](10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    807
      DLEN   4
      DATA   69.22.155.207
    Offset = 0x0144, RR count = 1
    Name      "[C0EC](6)n2dscb[C05A](10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    3922
      DLEN   4
      DATA   69.22.155.209
    Offset = 0x0154, RR count = 2
    Name      "[C101](6)n3dscb[C05A](10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    1418
      DLEN   4
      DATA   24.143.193.180
    Offset = 0x0164, RR count = 3
    Name      "[C083](6)n6dscb[C05A](10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    3973
      DLEN   4
      DATA   23.220.96.109
    Offset = 0x0174, RR count = 4
    Name      "[C098](6)n7dscb[C05A](10)akamaiedge[C03D](3)net(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    279
      DLEN   4
      DATA   23.220.96.86

When it does not work:

3/9/2017 11:50:47 AM 2988 PACKET  00000001058C3ED0 UDP Snd [server IP]    44af R Q [8281   DR SERVFAIL] A      (3)www(3)fda(3)gov(0)
UDP response info at 00000001058C3ED0
  Socket = 492
  Remote addr [server IP], port 54261
  Time Query=2152117, Queued=2152121, Expire=2152124
  Buf length = 0x0200 (512)
  Msg length = 0x001d (29)
  Message:
    XID       0x44af
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(3)fda(3)gov(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

I found that the IP address received by RAS was being reported as a DNS name server. I changed those settings to remove that IP address, but the problem persists.

Below is a snapshot of the DNS properties for the [domain].local forward zone. [image: forward zone for [domain].local]

Below is a snapshot of the DNS server properties: [image: DNS server properties]

Answer 1

Based on the fact that disabling the DNS forwarders and using only the root hint servers eliminated the problem, it is reasonable to believe the problem is related to the forwarders. Your extensive search for a DNS server misconfiguration turned up nothing. There seems to be no clear explanation for why you are experiencing this, so you may need to go with what works.

That said, you have a few options in this situation:

  1. Keep using the root hint servers exclusively. While using DNS forwarders may give faster lookups (for example, because they are "closer" to your network and have cached records for popular sites), there is nothing wrong with using root hints.
  2. Try different forwarders. You could use Google's DNS servers (8.8.8.8 and 8.8.4.4), Verisign's public DNS servers (64.6.64.6 and 64.6.65.6), or pick one from a list.

Answer 2

I did make a change a few months ago, and before answering my own question I wanted to confirm that it actually worked. It turns out the problem was not the DNS server but the firewall. We use a Cisco ASA 5500, and it did not have EDNS0 (Extension Mechanisms for DNS) enabled. We used an article to fix the problem. Basically, the idea is to allow DNS packets to raise their "maximum packet length" from 512 to 4096. Apparently the .gov servers are using DNS extensions. We have not had the problem since. I plan to change the DNS settings back to our ISP's DNS server IP addresses in the near future.
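Added example (not code from the question or either answer): a small wire-format helper that shows the two things the accepted answer turns on. First, the only difference between a "classic" 512-byte DNS query and one that advertises EDNS0 is a single OPT pseudo-record in the additional section whose CLASS field carries the UDP payload size the client will accept (4096 in the answer above); a firewall that inspects DNS and enforces the old 512-byte maximum will drop the larger replies that such a query invites, and the recursive server then returns SERVFAIL to its clients, exactly as in the "does not work" trace. Second, the decoder turns the raw flag words from the logs (0x8182, 0x8583, 0x8180) into the named fields the traces show. The query builder and the 512/4096 values follow RFC 1035 and RFC 6891; no network access is needed.

```python
import struct

# Header-flag layout per RFC 1035 section 4.1.1; OPT pseudo-RR per RFC 6891.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type code
CLASSIC_UDP_LIMIT = 512  # maximum UDP payload a resolver may assume without EDNS0


def decode_flags(flags):
    """Split the 16-bit header flags word into the named fields shown in the DNS logs."""
    return {
        "QR": (flags >> 15) & 1,
        "OPCODE": (flags >> 11) & 0xF,
        "AA": (flags >> 10) & 1,
        "TC": (flags >> 9) & 1,
        "RD": (flags >> 8) & 1,
        "RA": (flags >> 7) & 1,
        "RCODE": flags & 0xF,
        "RCODE_NAME": RCODE_NAMES.get(flags & 0xF, "UNKNOWN"),
    }


def encode_name(name):
    """Encode 'www.fda.gov' as the label sequence (3)www(3)fda(3)gov(0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, xid=0x0002, edns_udp_size=None):
    """Build a recursive A query; with edns_udp_size set, append an EDNS0 OPT record."""
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired), as in the logged questions
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL reused as extended RCODE/version/flags (all zero), RDLEN=0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name starting at offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer such as [C00C]: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def advertised_udp_size(msg):
    """Walk all sections; return the OPT record's CLASS (UDP size) or 512 if none is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return rclass
        off += rdlen
    return CLASSIC_UDP_LIMIT


def summarize(msg):
    """Header counts, decoded flags, and whether the message exceeds the classic limit."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "xid": xid,
        "flags": decode_flags(flags),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "length": len(msg),
        "udp_payload_size": advertised_udp_size(msg),
        "over_classic_limit": len(msg) > CLASSIC_UDP_LIMIT,
    }


if __name__ == "__main__":
    # Flag words taken from the traces above: SERVFAIL reply, authoritative NXDOMAIN, normal reply.
    for word in (0x8182, 0x8583, 0x8180):
        print(hex(word), decode_flags(word))
    plain = build_query("www.fda.gov")
    edns = build_query("www.fda.gov", edns_udp_size=4096)
    print("classic query:", summarize(plain))
    print("EDNS0 query:  ", summarize(edns))
```

The plain query comes out at 29 bytes, the same length nslookup reported for its `SendRequest()`, and the EDNS0 variant adds exactly the 11-byte OPT record. A quick way to use this when diagnosing a firewall like the one in the answer is to compare what `advertised_udp_size` reports for queries captured on each side of the device: if clients advertise 4096 but the firewall still enforces 512, any reply larger than 512 bytes (the working trace above shows a 388-byte reply, but larger ones are common for DNSSEC-signed zones) is lost on the way back.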
