I'm running BIND 9.18.11-3 on an ASUS router (armv7l, ASUSWRT-Merlin).
It is the authoritative server for my own domains and resolves DNS queries for the hosts on my network.
My problem
These Australian government website records return SERVFAIL (no answer):
- www.bom.gov.au
- weather.bom.gov.au
However, these Australian government website records return NOERROR (with an answer):
- search.bom.gov.au
- satview.bom.gov.au
- media.bom.gov.au
- shop.bom.gov.au
All other domain names resolve correctly, with no errors or failures.
This problem only started about 1 week ago (26 April 2023). Before that, the www and weather records resolved correctly. I have not changed the BIND configuration or zone files in that time (the last change was on 8 March 2023, a DKIM key update).
The weather record is used by the BoM Android app, which I use every day. When I first noticed the problem, the app reported "Unable to find weather". I then tried looking at the weather on the BoM website (www, using Firefox on a desktop PC), but that failed too. I then used dig on the router to check the DNS lookups manually and found this SERVFAIL problem.
Looking up the www and weather records with dig +trace, or via a public DNS server (e.g. @1.1.1.1), returns NOERROR and a response.
What I have tried
- Disabling DNSSEC
- Disabling the blackhole
- Enabling IPv6 responses (normally filtered out by my configuration)
- Flushing the BIND cache
- Restarting BIND (cold restart)
None of the above made any difference to the result.
I have turned on debug 10 logging (output below), but it does not reveal the cause of the problem (at least not to me).
named-checkconf returns 0 (zero).
SERVFAIL events
[655] root@router:~ # dig weather.bom.gov.au
; <<>> DiG 9.18.11 <<>> weather.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35769
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56004f0ced2814ac010000006450775eca9d6dc5e0cf4a81 (good)
;; QUESTION SECTION:
;weather.bom.gov.au. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:18 AEST 2023
;; MSG SIZE rcvd: 75
[656] root@router:~ # dig www.bom.gov.au
; <<>> DiG 9.18.11 <<>> www.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7a03ecf8730c7b270100000064507b32d860b9b9ae62d5c1 (good)
;; QUESTION SECTION:
;www.bom.gov.au. IN A
;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:25 AEST 2023
;; MSG SIZE rcvd: 71
My configuration
named.conf
Everything shown as <these> is redacted.
acl bastion {
<my public IP>;
};
acl router {
127.0.0.1; 192.168.9.1;
};
acl lan {
127.0.0.1; 192.168.9.0/24; 192.168.10.0/24; 192.168.11.0/24;
};
acl blacklist {
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
};
options {
directory "/opt/etc/bind";
version "No information";
hostname "bastion.<my_domain>.au";
auth-nxdomain no;
allow-transfer { none; };
blackhole { blacklist; };
listen-on { bastion; router; };
notify no;
listen-on-v6 { none; };
dnssec-validation auto;
};
logging {
channel file_dbug10 {
file "/opt/data/logs/bind.log" versions 3 size 10M;
print-category yes;
print-severity yes;
print-time yes;
severity debug 10;
};
channel syslog_info {
syslog daemon;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
channel syslog_warn {
syslog daemon;
print-category yes;
print-severity yes;
print-time yes;
severity warning;
};
category config { syslog_info; };
category default { syslog_info; };
category dnssec { syslog_warn; };
category general { syslog_info; };
category lame-servers { syslog_warn; };
category notify { syslog_info; };
# category queries { syslog_info; };
# category query-errors { file_dbug10; };
category resolver { syslog_warn; };
category security { syslog_info; };
category update { syslog_info; };
category xfer-in { syslog_info; };
category xfer-out { syslog_info; };
};
include "rndc.key";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
view internal {
match-destinations { router; };
match-clients { lan; };
recursion yes;
allow-recursion { lan; };
plugin query "filter-aaaa.so" {
filter-aaaa-on-v4 yes;
};
include "named.conf.internal.<my_domain>.au";
include "named.conf.internal.<my_other_domain>.au";
include "named.conf.combined.localhost";
include "named.conf.combined.root.hint";
};
view external {
match-destinations { bastion; };
match-clients { any; };
recursion no;
plugin query "filter-aaaa.so" {
filter-aaaa-on-v4 yes;
};
include "named.conf.external.<my_domain>.au";
include "named.conf.external.<my_other_domain>.au";
include "named.conf.combined.localhost";
include "named.conf.combined.root.hint";
};
The remaining BIND configuration files are the zone files for my domains (or localhost). I don't think they are relevant to this problem, but I can provide them (redacted) if needed.
BIND log
Below is a trimmed log (the lookup used cached results). The full BIND lookup log (from a cold start) is available here.
02-May-2023 10:29:26.906 client: debug 3: client @0x2c629eac 127.0.0.1#52995: UDP request
02-May-2023 10:29:26.906 client: debug 5: client @0x2c629eac 127.0.0.1#52995: view internal: using view 'internal'
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: request is not signed
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: recursion available
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query (cache) 'weather.bom.gov.au/A/IN' approved
02-May-2023 10:29:26.906 resolver: debug 1: fetch: weather.bom.gov.au/A
02-May-2023 10:29:26.906 resolver: debug 10: log_ns_ttl: fctx 0x2cd69128: fctx_create: weather.bom.gov.au (in 'weather.bom.gov.au'?): 1 124171
02-May-2023 10:29:26.906 resolver: debug 5: QNAME minimization - not minimized, qmintype 1 qminname weather.bom.gov.au
02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: found A for name a24-66.akam.net (0x2c677490) in db
02-May-2023 10:29:26.906 resolver: debug 3: fctx 0x2cd69128(weather.bom.gov.au/A): createfind for 127.0.0.1#52995 - success
02-May-2023 10:29:26.906 database: debug 5: dns_adb_destroyfind on find 0x2c660288
02-May-2023 10:29:26.906 query-errors: debug 1: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query failed (SERVFAIL) for weather.bom.gov.au/IN/A at query.c:7775
02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success [domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: reset client
Answer 1
One of the authoritative name servers for www.bom.gov.au is a24-66.akam.net.
a24-66.akam.net has the IPv4 address 2.16.130.66.
But your BIND configuration blackholes 2.0.0.0/8.
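The answer's diagnosis can be turned into a repeatable check: evaluate the `blackhole` address-match list from the question's named.conf against the addresses of a zone's name servers, using BIND's first-match semantics (the list is walked in order, the first matching element decides, and a leading `!` turns a match into an exclusion). The script below is an added example and is not code from the original post or from BIND. The ACL text is copied from the question; the name-server list is a constructed sample in which only `a24-66.akam.net` -> `2.16.130.66` comes from the answer, the `.invalid` hosts and their addresses being invented to exercise the negated LAN prefixes.

```python
"""Added example (not from the original post): check a BIND `blackhole`
address-match list against name-server addresses with first-match semantics.

Assumptions: the ACL below is the `acl blacklist` from the question verbatim;
SAMPLE_NS is constructed (only a24-66.akam.net / 2.16.130.66 is from the answer).
"""
import ipaddress

# Copied from the question's named.conf (`acl blacklist { ... };`).
BLACKLIST_ACL = """
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
"""


def parse_acl(text):
    """Parse an address-match list body into an ordered [(negated, network)].

    Order matters: BIND stops at the first element that matches, and a leading
    '!' makes that element exclude rather than include the address.
    """
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        # A bare address such as 127.0.0.1 becomes a /32 network.
        entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def acl_matches(entries, addr):
    """True if `addr` is matched (i.e. would be blackholed), else False.

    First matching element decides; no match at all means not matched.
    """
    ip = ipaddress.ip_address(addr)
    for negated, net in entries:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def blackholed_servers(entries, servers):
    """Given {hostname: [addresses]}, return only the hosts that have at
    least one address matched by the list, mapped to those addresses."""
    hits = {}
    for host, addrs in servers.items():
        bad = [a for a in addrs if acl_matches(entries, a)]
        if bad:
            hits[host] = bad
    return hits


# Constructed sample. The answer states a24-66.akam.net is 2.16.130.66; the
# .invalid hosts below are hypothetical and exist only to show the negations.
SAMPLE_NS = {
    "a24-66.akam.net": ["2.16.130.66"],        # inside 2.0.0.0/8 -> blackholed
    "ns-example-1.invalid": ["192.168.9.53"],  # hits "! 192.168.9.0/24" first -> not blackholed
    "ns-example-2.invalid": ["192.168.50.53"], # only 192.168.0.0/16 matches -> blackholed
    "ns-example-3.invalid": ["203.0.113.53"],  # matches nothing -> not blackholed
}


def main():
    entries = parse_acl(BLACKLIST_ACL)
    hits = blackholed_servers(entries, SAMPLE_NS)
    if not hits:
        print("no name-server address falls inside the blackhole list")
    for host, addrs in hits.items():
        print(f"{host}: {', '.join(addrs)} would be blackholed")


if __name__ == "__main__":
    main()
```

Two things worth keeping in mind when reading the result against the question. First, `dig +trace` and `dig @1.1.1.1` never go through named (the former iterates from the roots itself, the latter asks Cloudflare), so neither is affected by named's `blackhole` list; only the query to 127.0.0.1 is, which matches the symptom. Second, the debug log's fetch summary reports `qrysent:0` for the failing name: named found an address for a24-66.akam.net in its address database but sent no query to it, which is what a blackholed upstream looks like. The /8 entries at the top of the list are a stale "bogon" filter: 2.0.0.0/8 was allocated to RIPE NCC in 2009 and 1.0.0.0/8 to APNIC in 2010, so blocking them now blocks ordinary public infrastructure.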