AWS AmazonProvidedDNS does not seem to honour TTLs - what can we do?


We have several servers on AWS EC2 that do not honour DNS TTL values. The route table is set to "AmazonProvidedDNS", and it looks like "AmazonProvidedDNS" caps the TTL at 60 seconds.

Q: Is this caused by the AWS DNS servers adjusting the TTL in transit? And what can we do about it?

Note:
- We are already using dnsmasq with min-expiry-ttl set to 300; this is not ideal, because we want to honour the TTLs.
- Running CentOS 7 from the official AMI, but I don't think that is relevant.


Evidence supporting the question.

These tests were run against a domain hosted in Route 53 where our CNAME TTL is 300 seconds. (The output below has been search-and-replaced with example; the tests were run against a real domain that we control.)

TTL setting example

Here are five outputs showing that it is AWS DNS:

1) Running the official CentOS 7 AMI with no modifications.

This shows the wrong TTL of 60 seconds:

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9532
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     60      IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 52.0.228.53
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 18.232.11.127

;; Query time: 391 msec
;; SERVER: 10.131.0.2#53(10.131.0.2)
;; WHEN: Wed Jul 25 01:04:00 UTC 2018
;; MSG SIZE  rcvd: 140

2) Running the same AMI, with dnsmasq set up but pointing at AWS DNS as its parent.

This shows the wrong TTL of 60 seconds:

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57290
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     60      IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 52.0.228.53
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 18.232.11.127

;; Query time: 276 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 25 01:03:07 UTC 2018
;; MSG SIZE  rcvd: 140

3) Running the same AMI, with dnsmasq set up pointing at AWS DNS as its parent, and with min-cache-ttl.

The first request shows the wrong TTL of 60 seconds (because it comes from AWS); the second request shows the "min-cache-ttl" of 300 seconds:

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26595
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     60      IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 52.0.228.53
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 18.232.11.127

;; Query time: 280 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 25 01:25:31 UTC 2018
;; MSG SIZE  rcvd: 140

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50913
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     289      IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 289 IN A 18.232.11.127
example-645584916.us-east-1.elb.amazonaws.com. 289 IN A 52.0.228.53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 25 01:29:02 UTC 2018
;; MSG SIZE  rcvd: 143

4) Running the same AMI, with dnsmasq set up but pointing at Google DNS as its parent.

This shows the correct TTL of 300 seconds:

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36048
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     299     IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 59 IN A 18.232.11.127
example-645584916.us-east-1.elb.amazonaws.com. 59 IN A 52.0.228.53

;; Query time: 295 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 25 01:07:15 UTC 2018
;; MSG SIZE  rcvd: 140

5) Running local CentOS 7 pointing at our own DNS.

This shows the correct TTL of 300 seconds:

dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7307
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.            IN      A

;; ANSWER SECTION:
www.example.com.     300     IN      CNAME   example-645584916.us-east-1.elb.amazonaws.com.
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 52.0.228.53
example-645584916.us-east-1.elb.amazonaws.com. 60 IN A 18.232.11.127

;; Query time: 343 msec
;; SERVER: 10.72.73.31#53(10.72.73.31)
;; WHEN: Wed Jul 25 10:41:02 AEST 2018
;; MSG SIZE  rcvd: 936
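The comparison the asker did by hand (is the returned TTL counting down, or is it pinned at a cap?) can be automated over the ANSWER SECTION of two dig runs against the same resolver. This is an added example, not code from the question: the samples are constructed from the TTLs and timestamps in tests 1, 2 and 4 above, except that the second Google run (269 at 01:07:45) is invented to show the counting-down case.

```python
import re
from datetime import datetime

WHEN_RE = re.compile(r"^;; WHEN: \w{3} (\w{3} \d+ \d\d:\d\d:\d\d) \w+ (\d{4})$", re.M)

def parse_answer_section(dig_output):
    """Return [(owner, ttl, rtype, rdata), ...] from dig's ';; ANSWER SECTION:'."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line.strip() and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner, int(ttl), rtype, rdata))
        elif in_answer:
            break  # a blank line or the next ';;' header ends the section
    return records

def parse_when(dig_output):
    """Timestamp of the ';; WHEN:' line (zone name dropped, so compare runs from one host)."""
    mon_day_time, year = WHEN_RE.search(dig_output).groups()
    return datetime.strptime(f"{mon_day_time} {year}", "%b %d %H:%M:%S %Y")

def ttl_of(dig_output, owner, rtype):
    return next(t for o, t, r, _ in parse_answer_section(dig_output) if (o, r) == (owner, rtype))

def ttl_behaviour(run_a, run_b, owner, rtype, authoritative_ttl, tolerance=2):
    """'honoured' if the TTL counted down by the elapsed seconds (or was re-fetched from
    the authority after expiring), 'clamped' if it sat unchanged below the authoritative
    TTL although time passed, 'inconclusive' if the runs are too close or match neither."""
    if parse_when(run_a) > parse_when(run_b):
        run_a, run_b = run_b, run_a
    elapsed = (parse_when(run_b) - parse_when(run_a)).total_seconds()
    a, b = ttl_of(run_a, owner, rtype), ttl_of(run_b, owner, rtype)
    if elapsed <= tolerance:
        return "inconclusive"
    if abs((a - b) - elapsed) <= tolerance or (
            elapsed > a and authoritative_ttl - tolerance <= b <= authoritative_ttl):
        return "honoured"  # counted down, or expired and re-fetched at the full TTL
    if a == b < authoritative_ttl:
        return "clamped"
    return "inconclusive"

def sample(ttl, when):
    """Constructed dig output trimmed to the lines the parser needs (shape from the question)."""
    return (";; ANSWER SECTION:\nwww.example.com.\t{}\tIN\tCNAME\texample-645584916"
            ".us-east-1.elb.amazonaws.com.\n\n;; WHEN: Wed Jul 25 {} UTC 2018\n").format(ttl, when)

AWS_DIRECT = (sample(60, "01:03:07"), sample(60, "01:04:00"))        # TTLs/times from tests 2 and 1
GOOGLE_UPSTREAM = (sample(299, "01:07:15"), sample(269, "01:07:45"))  # second run is invented
```

Feeding two real dig runs taken about 30 seconds apart from the same instance gives the same verdict without the constructed samples; a cache that is merely serving a decremented answer will read as "honoured", while a resolver pinning the value at 60 reads as "clamped".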
