DNS 转发器响应被忽略

DNS 转发器响应被忽略

我们在内部 DNS 服务器上运行绑定。

我们在 AWS 中有一个提供 RDS 的高可用性子网组。为了管理通过内部链接进行的访问,我们希望 RDS 实例解析为其私有 IP,而不是公共 IP。

由于 IP 会不时发生变化,我在我们的 DNS 中设置了一个转发,它将针对 Amazon DNS 服务器解析 RDS,并为我们提供当前的私有 IP:

zone "coivvuccn9hs.eu-west-1.rds.amazonaws.com" IN {
   type forward;
   forward only;
   forwarders { 
       xxx.xxx.xxx.xxx; 
   };
};

当我从其中一个内部 DNS 服务器针对 AWS DNS 执行查询时:dig @xxx.xxx.xxx.xxx server.coivvuccn9hs.eu-west-1.rds.amazonaws.com 我得到了正确的答案

然而,当我 dig @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com 时,我得到的是公共 IP,尽管 tcpdump 显示服务器确实查询了 AWS DNS 服务器并得到了有效响应。

我的理解是转发器将优先于来自根服务器的响应,那么为什么我会得到公共 IP,而不是私有 IP?

这是我得到的答案:

dig @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5580
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. IN A

;; ANSWER SECTION:
server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. 5  IN CNAME <somename>.eu-west-1.compute.amazonaws.com.
<somename>.eu-west-1.compute.amazonaws.com. 604800  IN A <public ip>

;; AUTHORITY SECTION:
eu-west-1.compute.amazonaws.com. 900 IN NS  u6.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS  pdns1.ultradns.net.
eu-west-1.compute.amazonaws.com. 900 IN NS  u2.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS  ns1.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS  u4.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS  pdns3.ultradns.org.
eu-west-1.compute.amazonaws.com. 900 IN NS  ns4.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS  u3.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS  pdns5.ultradns.info.
eu-west-1.compute.amazonaws.com. 900 IN NS  u1.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS  ns2.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS  ns3.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS  u5.amazonaws.com.

;; Query time: 489 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 15:13:53 2017
;; MSG SIZE  rcvd: 416

答案1

请注意 dig/nslookup 响应指向CNAME<somename>.eu-west-1.compute.amazonaws.com<somename>您的帖子中被省略)。

;; ANSWER SECTION:
server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. 5  IN CNAME <somename>.eu-west-1.compute.amazonaws.com.

这意味着查找server.coivvuccn9hs.eu-west-1.rds.amazonaws.com实际上指向<somename>.eu-west-1.compute.amazonaws.com主机名。

由于您的绑定服务器仅有一个转发规则,因此rds.amazonaws.com它现在对查找执行默认正向查找compute.amazonaws.com,从而产生公共 IP。

因此,解决方案是在 CNAME 解析后为“真实”地址添加第二个转发区域。然后,您应该会在这种情况下获得返回的私有 IP。

答案2

我觉得这像是 DNSSEC 验证问题。您dnssec-validation yes;在 main/viewoptions部分中遇到了这个问题吗?如果是,请尝试dnssec-must-be-secure domain.tld no;在其后立即添加。

肝素钠

相关内容