BIND9 DNS server cannot resolve two names in one domain


I am running BIND 9.18.11-3 on an ASUS router (armv7l, ASUSWRT-Merlin).
It is the authoritative server for my own domains and resolves DNS queries for the hosts on my network.

My problem

These Australian government website records return SERVFAIL (no answer):

  • weather.bom.gov.au
  • www.bom.gov.au

However, these Australian government website records return NOERROR (with an answer):

  • search.bom.gov.au
  • satview.bom.gov.au
  • media.bom.gov.au
  • shop.bom.gov.au

All other domain names resolve correctly, with no errors or failures.

This problem only started about 1 week ago (26 April 2023). Before that, the www and weather records resolved correctly. I have not changed the BIND configuration or the zone files in that period (the last change was on 8 March 2023, a DKIM key update).

The weather record is used by the BoM Android app, which I use every day. When I first noticed the problem, the app reported "Unable to find weather". I then tried to view the weather on the BoM website (www, using Firefox on a desktop PC), which also failed. I then checked the DNS lookup manually on the router with dig and found this SERVFAIL problem.

Looking up the www and weather records with dig +trace, or via a public DNS server (e.g. @1.1.1.1), returns NOERROR and a response.

What I have tried

  • Disabling DNSSEC
  • Disabling the blackhole
  • Enabling IPv6 responses (normally filtered out by my configuration)
  • Flushing the BIND cache
  • Restarting BIND (cold restart)

None of the above had any effect on the result.

I have enabled debug 10 logging (results below), but it does not reveal the cause of the problem (at least not to me).

named-checkconf returns 0 (zero).

SERVFAIL events

[655] root@router:~ # dig weather.bom.gov.au

; <<>> DiG 9.18.11 <<>> weather.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35769
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56004f0ced2814ac010000006450775eca9d6dc5e0cf4a81 (good)
;; QUESTION SECTION:
;weather.bom.gov.au.            IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:18 AEST 2023
;; MSG SIZE  rcvd: 75

[656] root@router:~ # dig www.bom.gov.au

; <<>> DiG 9.18.11 <<>> www.bom.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7a03ecf8730c7b270100000064507b32d860b9b9ae62d5c1 (good)
;; QUESTION SECTION:
;www.bom.gov.au.                        IN      A

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue May 02 12:37:25 AEST 2023
;; MSG SIZE  rcvd: 71

My configuration

named.conf

Everything in <these> is redacted data.

acl bastion {
        <my public IP>;
};

acl router {
        127.0.0.1; 192.168.9.1;
};

acl lan {
        127.0.0.1; 192.168.9.0/24; 192.168.10.0/24; 192.168.11.0/24;
};

acl blacklist {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
        ! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
};

options {
        directory               "/opt/etc/bind";
        version                 "No information";
        hostname                "bastion.<my_domain>.au";

        auth-nxdomain           no;

        allow-transfer          { none; };
        blackhole               { blacklist; };
        listen-on               { bastion; router; };
        notify                  no;

        listen-on-v6            { none; };

        dnssec-validation       auto;
};

logging {

        channel file_dbug10 {
                file            "/opt/data/logs/bind.log" versions 3 size 10M;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        debug 10;
        };

        channel syslog_info {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        info;
        };

        channel syslog_warn {
                syslog          daemon;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity        warning;
        };

        category config         { syslog_info; };
        category default        { syslog_info; };
        category dnssec         { syslog_warn; };
        category general        { syslog_info; };
        category lame-servers   { syslog_warn; };
        category notify         { syslog_info; };
#       category queries        { syslog_info; };
#       category query-errors   { file_dbug10; };
        category resolver       { syslog_warn; };
        category security       { syslog_info; };
        category update         { syslog_info; };
        category xfer-in        { syslog_info; };
        category xfer-out       { syslog_info; };
};

include "rndc.key";

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

view internal {

        match-destinations      { router; };
        match-clients           { lan; };

        recursion               yes;
        allow-recursion         { lan; };

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.internal.<my_domain>.au";
        include "named.conf.internal.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

view external {

        match-destinations      { bastion; };
        match-clients           { any; };

        recursion               no;

        plugin query "filter-aaaa.so" {
                filter-aaaa-on-v4        yes;
        };

        include "named.conf.external.<my_domain>.au";
        include "named.conf.external.<my_other_domain>.au";
        include "named.conf.combined.localhost";
        include "named.conf.combined.root.hint";
};

The remaining BIND configuration files are the zone files for my domains (or localhost). I do not think they are relevant to this problem, but I can provide them (redacted) if needed.

BIND log

Below is the trimmed log (the lookup used cached results). The full BIND lookup log (from a cold start) is available here.

02-May-2023 10:29:26.906 client: debug 3: client @0x2c629eac 127.0.0.1#52995: UDP request
02-May-2023 10:29:26.906 client: debug 5: client @0x2c629eac 127.0.0.1#52995: view internal: using view 'internal'
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: request is not signed
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995: view internal: recursion available
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query (cache) 'weather.bom.gov.au/A/IN' approved
02-May-2023 10:29:26.906 resolver: debug 1: fetch: weather.bom.gov.au/A
02-May-2023 10:29:26.906 resolver: debug 10: log_ns_ttl: fctx 0x2cd69128: fctx_create: weather.bom.gov.au (in 'weather.bom.gov.au'?): 1 124171
02-May-2023 10:29:26.906 resolver: debug 5: QNAME minimization - not minimized, qmintype 1 qminname weather.bom.gov.au
02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: found A for name a24-66.akam.net (0x2c677490) in db
02-May-2023 10:29:26.906 resolver: debug 3: fctx 0x2cd69128(weather.bom.gov.au/A): createfind for 127.0.0.1#52995 - success
02-May-2023 10:29:26.906 database: debug 5: dns_adb_destroyfind on find 0x2c660288
02-May-2023 10:29:26.906 query-errors: debug 1: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: query failed (SERVFAIL) for weather.bom.gov.au/IN/A at query.c:7775
02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success [domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
02-May-2023 10:29:26.906 security: debug 3: client @0x2c629eac 127.0.0.1#52995 (weather.bom.gov.au): view internal: reset client

Answer 1

One of the authoritative name servers for www.bom.gov.au is a24-66.akam.net.

a24-66.akam.net has the IPv4 address 2.16.130.66.

But your BIND configuration blackholes 2.0.0.0/8.
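The answer's reasoning can be checked mechanically, which is worth doing before touching a blackhole ACL. The script below is an added diagnostic, not code from the question or the answer. It reads the two debug-log lines from the question (the ADB line naming a24-66.akam.net, and the "fetch completed" line whose counters show qrysent:0, i.e. named never sent an upstream query), then replays the blackhole ACL from the named.conf above with BIND's first-match, "!"-negation semantics against the nameserver address. The only assumption is the address 2.16.130.66, which the log does not print and which is taken from the answer.

```python
import ipaddress
import re

# Constructed input: the two log lines from the question that carry the clue.
LOG_LINES = [
    "02-May-2023 10:29:26.906 database: debug 5: dns_adb_createfind: "
    "found A for name a24-66.akam.net (0x2c677490) in db",
    "02-May-2023 10:29:26.906 query-errors: debug 2: fetch completed at "
    "resolver.c:4173 for weather.bom.gov.au/A in 0.000000: SERVFAIL/success "
    "[domain:weather.bom.gov.au,referral:0,restart:1,qrysent:0,timeout:0,"
    "lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]",
]

# The blackhole ACL exactly as it appears in the named.conf above.
BLACKLIST_ACL = """
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.0.2.0/24; 224.0.0.0/3;
! 192.168.9.0/24; ! 192.168.10.0/24; ! 192.168.11.0/24; 192.168.0.0/16;
"""

# Assumed nameserver address (the log does not print it); taken from the answer.
NS_ADDRESSES = {"a24-66.akam.net": "2.16.130.66"}

FETCH_RE = re.compile(r"fetch completed .* for (\S+)/(\S+) in \S+: (\S+) \[(.*)\]")
ADB_RE = re.compile(r"dns_adb_createfind: found A for name (\S+) ")


def parse_fetch_counters(lines):
    """Return (qname, qtype, result, counters) from a 'fetch completed' line."""
    for line in lines:
        m = FETCH_RE.search(line)
        if m:
            counters = {}
            for kv in m.group(4).split(","):
                key, value = kv.split(":", 1)
                counters[key] = value if key == "domain" else int(value)
            return m.group(1), m.group(2), m.group(3), counters
    return None


def nameservers_seen(lines):
    """Nameserver names the address database (ADB) handed to the fetch."""
    return [m.group(1) for line in lines for m in [ADB_RE.search(line)] if m]


def no_query_was_sent(counters):
    """qrysent == 0 with no timeouts: named never contacted any upstream
    server, so the failure is local (ACL, blackhole, server selection),
    not a network or upstream problem."""
    return counters.get("qrysent") == 0 and counters.get("timeout") == 0


def parse_acl(text):
    """Split a BIND address-match list into (negated, network) in list order."""
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def acl_matches(entries, address):
    """BIND first-match semantics: the first element containing the address
    decides; a leading '!' makes that decision 'not matched'."""
    ip = ipaddress.ip_address(address)
    for negated, net in entries:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def diagnose(lines, acl_text, ns_map):
    """Combine the log counters with the ACL check and return the findings."""
    findings = []
    parsed = parse_fetch_counters(lines)
    if parsed:
        qname, qtype, result, counters = parsed
        if result.startswith("SERVFAIL") and no_query_was_sent(counters):
            findings.append(f"{qname}/{qtype}: SERVFAIL with qrysent=0, "
                            "no upstream query was ever sent")
    acl = parse_acl(acl_text)
    for name in nameservers_seen(lines):
        ip = ns_map.get(name)
        if ip and acl_matches(acl, ip):
            findings.append(f"{name} ({ip}) falls inside the blackhole ACL")
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG_LINES, BLACKLIST_ACL, NS_ADDRESSES):
        print(finding)
```

Two things the output makes explicit. First, the ACL's LAN exceptions work as intended (192.168.9.1 is not blackholed because the negated /24 is hit before 192.168.0.0/16), so the problem is not the list's ordering. Second, 1.0.0.0/8 and 2.0.0.0/8 are entries from an old bogon list: both blocks have been allocated for years (2.0.0.0/8 to RIPE NCC, 1.0.0.0/8 to APNIC) and now carry ordinary production hosts such as Akamai nameservers, so a static bogon filter in a resolver's blackhole list silently rots. It also explains why dig @1.1.1.1 still worked from the router: dig talks to 1.1.1.1 directly and never passes through named's blackhole, whereas named itself could not have reached that address either.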
