Is it a misconfiguration to return the root name servers in the additional section of a CNAME lookup that points to another domain? Specifically, what I'm seeing is a CNAME hosted by Network Solutions that points to a different domain and TLD.
I'm asking whether this is a bad configuration because all these extra records push the reply past the UDP packet size, forcing the query to be redone over TCP.
dig www.unitedstatesartists.org +trace
Name server response:
example.org. 86400 IN NS ns15.worldnic.com.
example.org. 86400 IN NS ns16.worldnic.com.
;; Received 95 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 79 ms
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
www.example.org. 7200 IN CNAME load-01-123.us-west-1.elb.amazonaws.com.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 526 bytes from 205.178.190.8#53(ns15.worldnic.com) in 173 ms
Whether the additional records are returned or not is random. Sometimes, when they don't return the additional records, the response is still truncated and dig retries over TCP.
example.org. 86400 IN NS ns15.worldnic.com.
example.org. 86400 IN NS ns16.worldnic.com.
;; Received 95 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 82 ms
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
www.example.org. 7200 IN CNAME load-01-123.us-west-1.elb.amazonaws.com.
;; Received 107 bytes from 205.178.190.8#53(ns15.worldnic.com) in 164 ms
Update 2010-12-08
Further testing found:
- Network Solutions responds to recursive queries (dig's default when +trace is not used) with SERVFAIL (server failure), but still gives the correct answer.
- Setting dig's +norecurse works, but not always. Sometimes SERVFAIL is returned; not good. Possibly for the reason below.
- Network Solutions includes the root servers in the authority and additional sections, causing UDP truncation and requiring TCP to complete.
Summary of the capture below:
- non-recursive request for the record from ns15
- ns15 answers with the root servers in auth and additional, and marks the reply as truncated
- because UDP was truncated, the non-recursive request is retried over TCP
- similar answer from ns15 over TCP, except that "recursion desired" is set incorrectly, and the "server failure" code is set as well
We've opened a ticket with them, but we'll see whether it goes anywhere. Here are the DNS packets from the tshark verbose output:
First question (over UDP):
Domain Name System (query)
Transaction ID: 0x27ef
Flags: 0x0000 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
First answer (over UDP):
Domain Name System (response)
[Request In: 1]
[Time: 0.078623000 seconds]
Transaction ID: 0x27ef
Flags: 0x8600 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..1. .... .... = Truncated: Message is truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Second question (over TCP):
Domain Name System (query)
Length: 56
Transaction ID: 0xbc37
Flags: 0x0000 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Second answer (over TCP, note "Recursion desired"):
Domain Name System (response)
[Request In: 6]
[Time: 0.147357000 seconds]
Length: 107
Transaction ID: 0xbc37
Flags: 0x8102 (Standard query response, Server failure)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0010 = Reply code: Server failure (2)
Answer 1
Yes, it is a bad configuration and/or implementation; there is no reason for an authoritative server to return a root referral in an otherwise valid response.
In addition, I found other errors with these two Worldnic servers that should not happen:
Sometimes it gives the correct answer, but with a SERVFAIL error code and without the AA bit set. UDP replies are always truncated at 512 bytes, even when EDNS0 (RFC 2671) is specified. This means DNSSEC will not work with this name server.
The problem is not only in the ADDITIONAL section, but also in placing the root name servers in the AUTHORITY section of an authoritative (AA bit set) answer.