FQDN 可以通过 ping 正确解析,但 nslookup 则不行

FQDN 可以通过 ping 正确解析,但 nslookup 则不行

以下 AD DS 域是新设置的:

  • DNS 域名、FLZ 和唯一 DNS 后缀:internal.example.co.uk
  • DC 操作系统:Windows Server 2016 Standard
  • DC #1 DNS 服务器:172.16.233.2、127.0.0.1
  • DC #2 DNS 服务器:172.16.233.1、127.0.0.1
  • DNS 转发器:8.8.8.8、208.67.222.222

从各方面来看,域名和 DNS 均运行正常。

然而,nslookup行为非常奇怪:

  • nslookup <any FQDN> <any DC server>工作不正确,附加example.co.uk(非internal.example.co.uk)并解析为相同的未知公共 IP 地址。
  • nslookup <any FQDN>. <any DC server>工作正常。

我确定路由、文件hosts、Windows 服务DNS Server等不相关,并且未知公共 IP 地址不存在 DNS PTR RR。

我知道你应该在 FQDN 后面加上后缀.,但我从来没有这样做过,也从来没有见过它这样做。

我在网上找不到合适的解决方案,因此写了这篇帖子。

以下匿名命令提示符输出证明了这一点:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\username>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DC2
Primary Dns Suffix . . . . . . . : internal.example.co.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.example.co.uk

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-9E-13-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::45fd:755c:e86d:eed3%14(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.233.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.233.254
DHCPv6 IAID . . . . . . . . . . . : 100668765
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-42-DF-91-00-15-5D-9E-13-05
DNS Servers . . . . . . . . . . . : ::1
172.16.233.1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{DEFCF64F-0919-47F6-8206-DA42E6828191}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

C:\Users\username>ping internal.example.co.uk

Pinging internal.example.co.uk [172.16.233.2] with 32 bytes of data:
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.233.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\username>nslookup internal.example.co.uk 127.0.0.1
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: internal.example.co.uk.example.co.uk
Address: <unknown public IP address>


C:\Users\username>nslookup internal.example.co.uk. 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Name:    internal.example.co.uk
Addresses:  172.16.233.1
          172.16.233.2


C:\Users\username>ping DC1

Pinging DC1.internal.example.co.uk [172.16.233.1] with 32 bytes of data:
Reply from 172.16.233.1: bytes=32 time=1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.233.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Users\username>nslookup DC1 127.0.0.1
Server: localhost
Address: 127.0.0.1

Name: DC1.internal.example.co.uk
Address: 172.16.233.1


C:\Users\username>ping google.co.uk

Pinging google.co.uk [74.125.133.94] with 32 bytes of data:
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=15ms TTL=49

Ping statistics for 74.125.133.94:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 15ms, Average = 12ms

C:\Users\username>nslookup google.co.uk 127.0.0.1
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: google.co.uk.example.co.uk
Address: <unknown public IP address>


C:\Users\username>nslookup google.co.uk. 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    google.co.uk
Addresses:  2a00:1450:4007:80e::2003
          216.58.208.227


C:\Users\username>

答案1

使用 的nslookup调试模式,我发现这是由于 DNS递归引起的 权力下放(谢谢 @乔奎蒂) 以及先前存在但未知的公共根通配符 DNS RR(*.example.co.uk. IN A <unknown public IP address>)。

 

具体来说,我发现在这种情况下有一个 DNS 后缀;:

  • 给定的 DNS 名称是带有后缀.; 的 FQDN,并且 DNS 递归已启用(默认),nslookup原为:
    1. 不附加 DNS 后缀并成功。
  • 给定的 DNS 名称是没有后缀的 FQDN .;并且 DNS 递归已启用(默认),nslookup原为:
    1. 附加主 DNS 后缀并失败。
    2. 将主 DNS 后缀追加上一级并“成功”,因为给定的 DNS 名称与通配符 DNS RR 匹配。
  • 给定的 DNS 名称是没有后缀的 FQDN .;并且 DNS 递归已被禁用,nslookup原为:
    1. 附加主 DNS 后缀并失败。
    2. 将主 DNS 后缀追加到上一级并失败。
    3. 不附加 DNS 后缀并成功。

 

当启用递归(默认)时,以下匿名命令提示符输出证明了这一点:

C:\Users\username>nslookup
Default Server:  UnKnown
Address:  ::1

> set debug=true
> internal.example.co.uk
Server:  UnKnown
Address:  ::1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk.internal.example.co.uk, type = A, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        internal.example.co.uk.example.co.uk, type = A, class = IN
    ANSWERS:
    ->  internal.example.co.uk.example.co.uk
        internet address = <unknown public IP address>
        ttl = 599 (9 mins 59 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk.example.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  example.co.uk
        ttl = 599 (9 mins 59 secs)
        primary name server = ns.domaincheck.co.uk
        responsible mail addr = dns.domaincheck.co.uk
        serial  = 2017092801
        refresh = 7200 (2 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
Name:    internal.example.co.uk.example.co.uk
Address:  <unknown public IP address>

> internal.example.co.uk.
Server:  UnKnown
Address:  ::1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        internal.example.co.uk, type = A, class = IN
    ANSWERS:
    ->  internal.example.co.uk
        internet address = 172.16.233.2
        ttl = 600 (10 mins)
    ->  internal.example.co.uk
        internet address = 172.16.233.1
        ttl = 600 (10 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Name:    internal.example.co.uk
Addresses:  172.16.233.2
          172.16.233.1

>

当递归被禁用时,以下匿名命令提示符输出证明了这一点:

C:\Users\username>nslookup
Default Server:  UnKnown
Address:  ::1

> set debug=true
> set norecurse
> internal.example.co.uk
Server:  UnKnown
Address:  ::1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk.internal.example.co.uk, type = A, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = SERVFAIL
        header flags:  response, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        internal.example.co.uk.example.co.uk, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = SERVFAIL
        header flags:  response, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        internal.example.co.uk.example.co.uk, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, auth. answer, recursion avail.
        questions = 1,  answers = 2,  authority records = 0,  additional = 0

    QUESTIONS:
        internal.example.co.uk, type = A, class = IN
    ANSWERS:
    ->  internal.example.co.uk
        internet address = 172.16.233.2
        ttl = 600 (10 mins)
    ->  internal.example.co.uk
        internet address = 172.16.233.1
        ttl = 600 (10 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, auth. answer, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        internal.example.co.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  internal.example.co.uk
        ttl = 3600 (1 hour)
        primary name server = DC2.internal.example.co.uk
        responsible mail addr = hostmaster.internal.example.co.uk
        serial  = 170
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
Name:    internal.example.co.uk
Addresses:  172.16.233.2
          172.16.233.1

>

相关内容