我有一个新的服务器,并添加了
dns1.checkersinc.net, dns2.checkersinc.net
到
69.64.33.255, 69.64.35.255
当我测试
dns1.checkersinc.net
和dns2.checkersinc.net
域名dnswatch.info我得到了成功的结果。但问题是当我直接创建一个新的帐户域时,就像(tamamsouq.com)
具有这些名称服务器的服务器无法打开,并出现 DNS 错误!
当我使用intoDNS.com对于 NSLOOKUP,我收到以下错误:
Error Mismatched NS records WARNING: One or more of your nameservers did not return any of your NS records.
Error DNS servers responded ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
69.64.33.255 69.64.35.255
Error Multiple Nameservers ERROR: Looks like you have less than 2 nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.
Error Missing nameservers reported by your nameservers You should already know that your NS records at your nameservers are missing, so here it is again:
dns2.checkersinc.net.
dns1.checkersinc.net.
Error SOA record No valid SOA record came back!
MX Error MX Records Oh well, I did not detect any MX records so you probably don't have any and if you know you should have then they may be missing at your nameservers!
WWW Error WWW A Record ERROR: I could not get any A records for www.tamamsouq.com!
当我执行 dig 命令时,我得到了这个结果:
server:~# dig @dns1.checkersinc.net tamamsouq.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns1.checkersinc.net tamamsouq.com +answer +nocmd
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com +answer +nocmd
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
请注意,我有一个 Centos 7 作为带有 WHM/cPanel 的操作系统,请尽快帮助,我现在遇到了一个大问题,提前谢谢
答案1
您的域名tamamsouq.com
存在与 DNSSEC 相关的问题,您可以访问http://dnsviz.net/d/tamamsouq.com/dnssec/
这是首先要解决的问题。
总之,您将 DS 记录放在父区域,但您的名称服务器未发布任何相关的 DNSKEY 记录。
这将导致您的域名在任何递归名称服务器检查 DNSSEC 时失败。
如果您对前面的内容一无所知:
- 转到您的注册商,根据 whois 信息,其注册商为“PDR Ltd. d/b/a PublicDomainRegistry.com”
- 找到删除 DS 记录的位置
- 等一下
- 您的域名现在将再次适用于任何递归名称服务器。
检查/重现的简便方法:
1)使用检查 DNSSEC 的递归名称服务器:
$ dig @9.9.9.9 tamamsouq.com NS
; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65308
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65308
注意 SERVFAIL
2)执行相同的查询,但明确跳过 DNSSEC 检查:
$ dig @9.9.9.9 tamamsouq.com NS +cd
; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS +cd
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39591
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
;; QUERY SIZE: 54
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39591
但您仍然会遇到 SERVFAIL,这意味着除了 DNSSEC 之外,您还遇到了其他问题。
让我们手动解决这个问题。
登记处说了什么
$ dig @a.gtld-servers.net tamamsouq.com NS
; <<>> DiG 9.12.0 <<>> @a.gtld-servers.net tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
;; QUERY SIZE: 54
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tamamsouq.com. IN NS
;; AUTHORITY SECTION:
tamamsouq.com. 2d IN NS dns1.checkersinc.net.
tamamsouq.com. 2d IN NS dns2.checkersinc.net.
直接查询您的名称服务器
dig @dns1.checkersinc.net. tamamsouq.com NS
; <<>> DiG 9.12.0 <<>> @dns1.checkersinc.net. tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38704
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
;; QUERY SIZE: 54
;; connection timed out; no servers could be reached
也一样dns2
。使用+tcp
强制 TCP 不会改变任何东西。
因此您的服务器根本不回复 DNS 查询。
它们似乎是在 IP 地址69.64.35.255
和上69.64.33.255
。
您需要解决他们的连接问题,tcptraceroute 的最后步骤是:
8 * * *
9 ae5.cr-rigel.stl1.core.heg.com (4.35.182.58) 92.607 ms 92.283 ms 94.301 ms
10 207.38.95.10 94.115 ms 93.379 ms 93.532 ms
11 207.38.80.34 93.459 ms 94.508 ms 99.711 ms
12 static-ip-209-239-125-3.inaddr.ip-pool.com (209.239.125.3) 91.946 ms * *
13 * * *
14 * * *
15 * * *
因此,你可能在它们前面有一个防火墙,阻挡所有的 DNS 流量。
UDP 级别相同。
而且由于我们无法联系他们,所以我们无法知道当时是否已经正确发布了 DNSKEY(它应该是用于密钥标签2371
),但如果您对 DNSSEC 的经验存在疑问,并且基于上述情况,我担心您没有正确的 DNSKEY 记录,因此上述在注册表中删除 DS 记录的建议仍然有效。
答案2
花了几分钟才搞清楚——问题出在打字错误上。名称服务器是 ns1.checkerinc.net 和 ns2.checkersinc.net——无论你如何输入dns1.checkersinc.net 和dns2.checkersinc.net。虽然后者的域名存在,但它们似乎不是权威服务器。
解决方案是登录您的注册商并更新 DNS 记录。从每个名称服务器中删除“d”。