systemd-resolved responds with NOERROR even though the DNS server responds with NXDOMAIN


I'm running Fedora 33 with systemd 246. For some context, I ran into problems resolving via multicast DNS with nss-mdns and identified the unicast SOA heuristic as an issue.

I then noticed that systemd-resolved responds with the NOERROR response code even when the query it sends to the current DNS server results in NXDOMAIN.

$ resolvectl status
Global
       LLMNR setting: resolve             
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844

Link 3 (wlo1)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: no                       
      DNSSEC setting: no                       
    DNSSEC supported: no                       
  Current DNS Server: 192.168.1.1              
         DNS Servers: 192.168.1.1              
          DNS Domain: ~.                       
                      lan

Query to the DNS server:

$ dig @192.168.1.1 -t SOA example.local

; <<>> DiG 9.11.24-RedHat-9.11.24-2.fc33 <<>> @192.168.1.1 -t SOA example.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4136
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.local.                 IN      SOA

;; AUTHORITY SECTION:
example.local.          10800   IN      SOA     example.local. nobody.invalid. 1 3600 1200 604800 10800

;; ADDITIONAL SECTION:
explanation.invalid.    10800   IN      TXT     "Blocking is mandated by standards, see references on https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml"

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: St pro 02 16:42:24 CET 2020
;; MSG SIZE  rcvd: 254

Query to systemd-resolved's local DNS stub listener:

$ dig @127.0.0.53 -t SOA example.local

; <<>> DiG 9.11.24-RedHat-9.11.24-2.fc33 <<>> @127.0.0.53 -t SOA example.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.local.                 IN      SOA

;; ANSWER SECTION:
example.local.          10800   IN      SOA     example.local. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: St pro 02 16:44:21 CET 2020
;; MSG SIZE  rcvd: 92

Query using resolvectl:

$ resolvectl query -t SOA example.local
example.local IN SOA example.local nobody.invalid 1 3600 1200 604800 10800 -- link: wlo1

-- Information acquired via protocol DNS in 5.0ms.
-- Data is authenticated: no

The corresponding packets captured with tcpdump:

$ tcpdump -n -i wlo1 port domain
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:49:57.660945 IP 192.168.1.187.37304 > 192.168.1.1.domain: 32798+ SOA? example.local. (31)
16:49:57.664257 IP 192.168.1.1.domain > 192.168.1.187.37304: 32798 NXDomain* 0/1/1 (254)

The corresponding systemd-resolved log:

systemd-resolved[186024]: Got message type=method_call sender=:1.3283 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveRecord cookie=2 reply_cookie=0 signature=isqqt error-name=n/a error-message=n/a
systemd-resolved[186024]: Looking up RR for example.local IN SOA.
systemd-resolved[186024]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=89 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[186024]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=90 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[186024]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.3260 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=90 signature=s error-name=n/a error-message=n/a
systemd-resolved[186024]: Cache miss for example.local IN SOA
systemd-resolved[186024]: Transaction 13951 for <example.local IN SOA> scope dns on wlo1/*.
systemd-resolved[186024]: Using feature level UDP+EDNS0 for transaction 13951.
systemd-resolved[186024]: Using DNS server 192.168.1.1 for transaction 13951.
systemd-resolved[186024]: Sending query packet with id 13951.
systemd-resolved[186024]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.3260 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=89 signature= error-name=n/a error-message=n/a
systemd-resolved[186024]: Match type='signal',sender='org.freedesktop.DBus',path='/org/freedesktop/DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.3283' successfully installed.
systemd-resolved[186024]: Processing incoming packet on transaction 13951 (rcode=NXDOMAIN).
systemd-resolved[186024]: Server doesn't support EDNS(0) properly, downgrading feature level...
systemd-resolved[186024]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.168.1.1.
systemd-resolved[186024]: Server feature level is now lower than when we began our transaction. Restarting with new ID.
systemd-resolved[186024]: Transaction 13951 is now 31028.
systemd-resolved[186024]: Cache miss for example.local IN SOA
systemd-resolved[186024]: Transaction 31028 for <example.local IN SOA> scope dns on wlo1/*.
systemd-resolved[186024]: Using feature level UDP for transaction 31028.
systemd-resolved[186024]: Sending query packet with id 31028.
systemd-resolved[186024]: Processing incoming packet on transaction 31028 (rcode=NXDOMAIN).
systemd-resolved[186024]: Transaction 31028 for <example.local IN SOA> on scope dns on wlo1/* now complete with <success> from network (unsigned).
systemd-resolved[186024]: Sent message type=method_return sender=n/a destination=:1.3283 path=n/a interface=n/a member=n/a cookie=91 reply_cookie=2 signature=a(iqqay)t error-name=n/a error-message=n/a
systemd-resolved[186024]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=92 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[186024]: Freeing transaction 31028.

Why does this happen?
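Added example (not from the question or from the systemd project): a small Python check that classifies each dig reply by its rcode and by which section the queried SOA landed in, applying RFC 2308's rule that an NXDOMAIN reply carrying the zone SOA in AUTHORITY is a negative answer, and then flags the stub's rewrite of that negative answer into a positive NOERROR one. The sample inputs are the two dig outputs from the question, trimmed to their header, question and record sections.

```python
import re

# Constructed sample inputs: the two dig runs in the question (upstream server, then the 127.0.0.53 stub).
UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4136
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;example.local.                 IN      SOA
;; AUTHORITY SECTION:
example.local.          10800   IN      SOA     example.local. nobody.invalid. 1 3600 1200 604800 10800
"""
STUB = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.local.                 IN      SOA
;; ANSWER SECTION:
example.local.          10800   IN      SOA     example.local. nobody.invalid. 1 3600 1200 604800 10800
"""

def parse_dig(text):
    """Return the rcode, the (qname, qtype) asked, and (owner, type) records per section."""
    status = re.search(r"status: (\w+)", text).group(1)
    question, sections, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current == "QUESTION" and line.startswith(";"):
            qname, _cls, qtype = line[1:].split()
            question = (qname, qtype)
        elif current and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype = line.split()[:4]
            sections[current].append((owner, rtype))
    return status, question, sections

def classify(text):
    """RFC 2308: NXDOMAIN + SOA only in AUTHORITY is a negative answer; NOERROR + SOA in ANSWER is SOA data."""
    status, question, sections = parse_dig(text)
    where = {s for s, rrs in sections.items() if question in rrs}
    if status == "NXDOMAIN" and where == {"AUTHORITY"}:
        return "negative"
    if status == "NOERROR" and "ANSWER" in where:
        return "positive"
    return "other"

def stub_rewrote_negative(upstream, stub):
    """True when the stub reports positive SOA data for a name the upstream declared non-existent."""
    return classify(upstream) == "negative" and classify(stub) == "positive"
```

Running `stub_rewrote_negative(UPSTREAM, STUB)` on the question's two replies returns True, which is the discrepancy the tcpdump capture and the resolved log both show.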
