按照 SANS 文档为我的组织设置一对 DNS 漏洞 (http://handlers.sans.org/gbruneau/docs/DNS_Sinkhole_setup.pdf)。在以下方面,两者表现相同
我对 azure.microsoft.com 的 nslookup 和 dig 结果不同,nslookup 无法解析。
nslookup:
root@SINK01:~# nslookup azure.microsoft.com
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find azure.microsoft.com: NXDOMAIN
挖:
root@SINK01:~# dig azure.microsoft.com
; <<>> DiG 9.9.8-P4 <<>> azure.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1389
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;azure.microsoft.com. IN A
;; ANSWER SECTION:
azure.microsoft.com. 34 IN CNAME azure.microsoft.com.nsatc.net.
azure.microsoft.com.nsatc.net. 220 IN CNAME acom-prod-uswest-01.azurewebsites.net.
acom-prod-uswest-01.azurewebsites.net. 1663 IN CNAME waws-prod-bay-013.vip.azurewebsites.windows.net.
;; AUTHORITY SECTION:
windows.net. 600 IN SOA localhost. root.localhost. 2 10800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 24 09:56:10 PDT 2016
;; MSG SIZE rcvd: 247
/etc/named.conf
options {
directory "/var/named";
version "my own";
allow-transfer {"none";};
allow-recursion {192.168.0.0/16; 10.0.0.0/8; localhost;};
forwarders { 8.8.8.8; 8.8.4.4; };
query-source address * port 53;
listen-on { 127.0.0.1; };
};
zone "." IN {
type hint;
file "caching-example/named.root";
};
include "/etc/rndc.key";
include "/var/named/site_specific_sinkhole.conf";
include "/var/named/entire_domain_sinkhole.conf";
include "/var/named/custom_wildcard_sinkhole.conf";
include "/var/named/custom_single_sinkhole.conf";
zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
解析配置文件
root@SINK01:~# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 192.168.168.87
调试 nslookup:
root@SINK01:~# nslookup azure.microsoft.ocm -d2
setup_system()
ndots is 1.
copy_server_list()
make_server(127.0.0.1)
make_server(192.168.168.87)
lock_lookup dighost.c:3750
success
start_lookup()
setup_lookup(0x223a258)
resetting lookup counter.
cloning server list
clone_server_list()
make_server(127.0.0.1)
make_server(192.168.168.87)
using root origin
recursive query
add_question()
starting to render the message
done rendering
create query 0x7fe864505018 linked to lookup 0x223a258
create query 0x7fe864505268 linked to lookup 0x223a258
do_lookup()
send_udp(0x7fe864505018)
bringup_timer()
have local timeout of 1
working on lookup 0x223a258, query 0x7fe864505018
sockcount=1
recving with lookup=0x223a258, query=0x7fe864505018, sock=0x7fe8645054b0
recvcount=1
sending a request
unlock_lookup dighost.c:3752
lock_lookup dighost.c:2398
success
send_done()
sendcount=0
check_if_done()
list empty
unlock_lookup dighost.c:2429
recv_done()
lock_lookup dighost.c:3172
success
recvcount=0
lookup=0x223a258, query=0x7fe864505018
before parse starts
after parse
next_origin()
following up azure.microsoft.ocm
printmessage()
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find azure.microsoft.ocm: NXDOMAIN
returning with rcode == 0
still pending.
cancel_lookup()
check_if_done()
list empty
clear_query(0x7fe864505268)
clear_query(0x7fe864505018)
sockcount=0
check_next_lookup(0x223a258)
try_clear_lookup(0x223a258)
destroy
freeing server 0x7fe8580008e8 belonging to 0x223a258
freeing server 0x7fe858001108 belonging to 0x223a258
start_lookup()
check_if_done()
list empty
shutting down
dighost_shutdown()
done, and starting to shut down
cancel_all()
lock_lookup dighost.c:3766
unlock_lookup dighost.c:3651
success
unlock_lookup dighost.c:3809
destroy_libs()
freeing task
freeing taskmgr
lock_lookup dighost.c:3841
success
flush_server_list()
freeing commctx
freeing socketmgr
freeing timermgr
destroy DST lib
detach from entropy
unlock_lookup dighost.c:3894
Removing log context
Destroy memory
答案1
dig使用操作系统的 DNS 解析库。nslookup使用自己的库,包括可能缓存响应,如NXDOMAIN。有一段时间nslookup被认为是一种弃用的工具,应避免使用,而应使用其他工具,如dig。Bind 9.9.0 改变了这一点(文本搜索1700.),但是,nslookup显然处于稍微不那么糟糕的状态。
你应该做的是确保你的 是nslookup在 Bind 9.9.0 或之后编译的。然后你应该问自己“我为什么要关心nslookupvs dig?”如果你没有一个非常具体和详细的答案,那就坚持使用dig。
太棒了,如果您真的想对 nslookup 进行调整,则应该刷新任何本地解析器的缓存,例如 ncsd 或 dnsmasq,或任何特定于操作系统的 DNS 缓存刷新机制,例如某些版本的 Ubuntu 上的 sudo service dns-clean restart。确定主机上是否有 DNS 缓存工具以及如何刷新它的具体细节留给读者练习。