The following AD DS domain has just been set up:
- DNS domain name, FLZ and sole DNS suffix: internal.example.co.uk
- DC OS: Windows Server 2016 Standard
- DC #1 DNS servers: 172.16.233.2, 127.0.0.1
- DC #2 DNS servers: 172.16.233.1, 127.0.0.1
- DNS forwarders: 8.8.8.8, 208.67.222.222
By all accounts the domain and DNS are working fine.
However, nslookup behaves very strangely:
nslookup <any FQDN> <any DC server> does not work correctly: it appends example.co.uk (not internal.example.co.uk) and resolves to the same unknown public IP address. nslookup <any FQDN>. <any DC server> works fine.
I have confirmed that routing, the hosts file, the DNS Server Windows service, etc. are not relevant, and that there is no DNS PTR RR for the unknown public IP address.
I know you are supposed to append a trailing . to an FQDN, but I have never done so and have never seen it behave like this.
I could not find a suitable solution online, hence this post.
The following anonymised command prompt output demonstrates this:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\username>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC2
Primary Dns Suffix . . . . . . . : internal.example.co.uk
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : internal.example.co.uk
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-9E-13-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::45fd:755c:e86d:eed3%14(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.233.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.233.254
DHCPv6 IAID . . . . . . . . . . . : 100668765
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-42-DF-91-00-15-5D-9E-13-05
DNS Servers . . . . . . . . . . . : ::1
172.16.233.1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{DEFCF64F-0919-47F6-8206-DA42E6828191}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\username>ping internal.example.co.uk
Pinging internal.example.co.uk [172.16.233.2] with 32 bytes of data:
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.233.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\username>nslookup internal.example.co.uk 127.0.0.1
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: internal.example.co.uk.example.co.uk
Address: <unknown public IP address>
C:\Users\username>nslookup internal.example.co.uk. 127.0.0.1
Server: localhost
Address: 127.0.0.1
Name: internal.example.co.uk
Addresses: 172.16.233.1
172.16.233.2
C:\Users\username>ping DC1
Pinging DC1.internal.example.co.uk [172.16.233.1] with 32 bytes of data:
Reply from 172.16.233.1: bytes=32 time=1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.233.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\Users\username>nslookup DC1 127.0.0.1
Server: localhost
Address: 127.0.0.1
Name: DC1.internal.example.co.uk
Address: 172.16.233.1
C:\Users\username>ping google.co.uk
Pinging google.co.uk [74.125.133.94] with 32 bytes of data:
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
Reply from 74.125.133.94: bytes=32 time=15ms TTL=49
Ping statistics for 74.125.133.94:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 15ms, Average = 12ms
C:\Users\username>nslookup google.co.uk 127.0.0.1
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: google.co.uk.example.co.uk
Address: <unknown public IP address>
C:\Users\username>nslookup google.co.uk. 127.0.0.1
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: google.co.uk
Addresses: 2a00:1450:4007:80e::2003
216.58.208.227
C:\Users\username>
Answer 1
Using nslookup's debug mode, I found that this is caused by DNS recursion and DNS devolution (thanks @乔奎蒂) together with a pre-existing but unknown public root wildcard DNS RR (*.example.co.uk. IN A <unknown public IP address>).
Specifically, I found that in this case, with a DNS suffix configured:
- Given a DNS name that is an FQDN with a trailing . and DNS recursion enabled (the default), nslookup was:
  - not appending a DNS suffix, and succeeding.
- Given a DNS name that is an FQDN without a trailing . and DNS recursion enabled (the default), nslookup was:
  - appending the primary DNS suffix, and failing;
  - appending the primary DNS suffix devolved one level up, and "succeeding", because the given DNS name matched the wildcard DNS RR.
- Given a DNS name that is an FQDN without a trailing . and DNS recursion disabled, nslookup was:
  - appending the primary DNS suffix, and failing;
  - appending the primary DNS suffix devolved one level up, and failing;
  - not appending a DNS suffix, and succeeding.
The following anonymised command prompt output demonstrates this with recursion enabled (the default):
C:\Users\username>nslookup
Default Server: UnKnown
Address: ::1
> set debug=true
> internal.example.co.uk
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = A, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk.example.co.uk
internet address = <unknown public IP address>
ttl = 599 (9 mins 59 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> example.co.uk
ttl = 599 (9 mins 59 secs)
primary name server = ns.domaincheck.co.uk
responsible mail addr = dns.domaincheck.co.uk
serial = 2017092801
refresh = 7200 (2 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk.example.co.uk
Address: <unknown public IP address>
> internal.example.co.uk.
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk
internet address = 172.16.233.2
ttl = 600 (10 mins)
-> internal.example.co.uk
internet address = 172.16.233.1
ttl = 600 (10 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk
Addresses: 172.16.233.2
172.16.233.1
>
The following anonymised command prompt output demonstrates this with recursion disabled:
C:\Users\username>nslookup
Default Server: UnKnown
Address: ::1
> set debug=true
> set norecurse
> internal.example.co.uk
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = A, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = SERVFAIL
header flags: response, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = SERVFAIL
header flags: response, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = AAAA, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk
internet address = 172.16.233.2
ttl = 600 (10 mins)
-> internal.example.co.uk
internet address = 172.16.233.1
ttl = 600 (10 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk
Addresses: 172.16.233.2
172.16.233.1
>
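The search sequence the answer reconstructs from the debug output (primary suffix, then the devolved parent, then the bare name) and the way recursion changes the second step can be replayed offline. The following is an added example and not code from the original question or answer: it models the DC as authoritative for internal.example.co.uk and models the public zone with a wildcard, using constructed records, a hypothetical TEST-NET-3 address (203.0.113.10) in place of "<unknown public IP address>", and a devolution stop point of three labels (example.co.uk) chosen only because that is what the transcripts show.

```python
"""Simulation of the nslookup suffix search seen in the transcripts above.

Added example (not from the original post). All records are constructed;
the public wildcard address is a hypothetical TEST-NET-3 address standing in
for "<unknown public IP address>", and the devolution stop point (3 labels,
i.e. example.co.uk) is taken from the observed debug output.
"""

AUTH_ZONE = "internal.example.co.uk"          # zone the DCs are authoritative for
AUTH_RECORDS = {                               # constructed A records
    "internal.example.co.uk": ["172.16.233.2", "172.16.233.1"],
    "dc1.internal.example.co.uk": ["172.16.233.1"],
    "dc2.internal.example.co.uk": ["172.16.233.2"],
}
PUBLIC_RECORDS = {                             # what the forwarders would return
    "google.co.uk": ["216.58.208.227"],
}
PUBLIC_WILDCARD_ZONE = "example.co.uk"         # *.example.co.uk. IN A <unknown IP>
PUBLIC_WILDCARD_IP = "203.0.113.10"            # hypothetical stand-in address


def dc_query(qname, recurse):
    """Answer one A query the way the DC did in the debug output.

    Names inside the authoritative zone get NOERROR or NXDOMAIN. Anything
    else needs the forwarders, which a non-recursive query (set norecurse)
    is not allowed to use, so the DC answers SERVFAIL for it.
    """
    qname = qname.lower().rstrip(".")
    if qname == AUTH_ZONE or qname.endswith("." + AUTH_ZONE):
        if qname in AUTH_RECORDS:
            return "NOERROR", AUTH_RECORDS[qname]
        return "NXDOMAIN", []
    if not recurse:
        return "SERVFAIL", []
    if qname in PUBLIC_RECORDS:
        return "NOERROR", PUBLIC_RECORDS[qname]
    # A wildcard matches any name under its zone that does not otherwise
    # exist, which is why internal.example.co.uk.example.co.uk and
    # google.co.uk.example.co.uk both "resolve" to the same address.
    if qname.endswith("." + PUBLIC_WILDCARD_ZONE):
        return "NOERROR", [PUBLIC_WILDCARD_IP]
    return "NXDOMAIN", []


def candidates(name, primary_suffix=AUTH_ZONE, min_labels=3):
    """Names nslookup tries, in order, for the given input.

    A trailing dot means "fully qualified, do not search". Otherwise the
    primary suffix is appended, then its devolved parents down to
    min_labels labels, and the bare name is tried last.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    labels = primary_suffix.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]
    return [f"{name}.{s}" for s in suffixes] + [name]


def resolve(name, recurse=True):
    """Return (matched_name, addresses, trace); trace lists (candidate, rcode)."""
    trace = []
    for cand in candidates(name):
        rcode, answers = dc_query(cand, recurse)
        trace.append((cand, rcode))
        if rcode == "NOERROR" and answers:
            return cand, answers, trace
    return None, [], trace


if __name__ == "__main__":
    for query, recurse in [("internal.example.co.uk", True),
                           ("internal.example.co.uk.", True),
                           ("internal.example.co.uk", False),
                           ("google.co.uk", True)]:
        matched, addrs, trace = resolve(query, recurse)
        print(f"{query!r} recurse={recurse}")
        for cand, rcode in trace:
            print(f"  {cand:<48} {rcode}")
        print(f"  -> {matched} {addrs}")
```

Running it reproduces the four transcripts: with recursion the devolved candidate hits the wildcard and an internal name lands on a public address; without recursion that candidate is SERVFAIL and the bare name wins; with a trailing dot there is only one candidate. The practical checks are the ones the answer already uses (a trailing dot, or set norecurse, and set nosearch to disable the suffix search entirely), and the lasting caveat is that a wildcard record in the public parent of an internal suffix will silently catch every devolved or mistyped lookup.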