不同的 DNS 服务器会给我不同的答案

tag-icon tag-icon domain-name-system email email-server
不同的 DNS 服务器会给我不同的答案

我无法接收电子邮件“jslawglobe.com”。对于某些电子邮件,它总是有效。对于其他电子邮件,这需要运气。

在调查了其中一个问题后发件人电子邮件它不起作用:

nslookup -type=MX jslawglobe.com

回到:

Server:  dns.google
Address:  8.8.8.8
*** dns.google can't find jslawglobe.com: Server failed

最奇怪的是,在我自己的笔记本电脑上:

nslookup -type=MX jslawglobe.com

回到:

Server:  G3100.myfiosgateway.com
Address:  192.168.1.1

Non-authoritative answer:
jslawglobe.com  MX preference = 10, mail exchanger = alt4.aspmx.l.google.com
jslawglobe.com  MX preference = 10, mail exchanger = alt3.aspmx.l.google.com
jslawglobe.com  MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
jslawglobe.com  MX preference = 5, mail exchanger = alt1.aspmx.l.google.com
jslawglobe.com  MX preference = 1, mail exchanger = aspmx.l.google.com

但指挥部:

nslookup -type=MX jslawglobe.com  8.8.8.8

回到:

Server:  dns.google  
Address:  8.8.8.8
 
*** dns.google can't find jslawglobe.com: Server failed

为什么 2 个 DNS 服务器给我的答案如此不同?这不是暂时的,至少已经这样一周了,但很可能已经 4 个月了。

答案1

通常当我遇到这种错误时,是因为目标 DNS 破坏了 DNSSEC 记录。

(这是 bind 实例写入的日志行)

Sep 19 20:17:07 ZZZZZ named[14371]: validating jslawglobe.com/MX: got insecure response; parent indicates it should be secure

这次也不例外。

jslawglobe.com 需要联系维护其 DNS 记录的人员并让他们解决此问题。

答案2

经过深入挖掘后找出下一步(参见原始问题下的评论)。

一些 DNS 解析器返回status: SERVFAIL

jslawglobe.com有来自区域的签名授权com,但其 NS 上没有记录DNSKEY,因此 DNSSEC 配置已损坏。因此,一些 DNS 解析器会忽略损坏的 DNSSEC 并做出响应,而其他 DNS 解析器则不会忽略也不做出响应。

您需要在您的 DNS 注册商上配置 dnssec 或禁用签名委派。

dig NS +additional jslawglobe.com. @8.8.4.4
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> NS +additional jslawglobe.com. @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20791
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jslawglobe.com.            IN  NS

;; Query time: 26 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Tue Sep 20 12:32:49 2022
;; MSG SIZE  rcvd: 32


[email protected] (AdGuard (CY)):  Copy results to clipboard
dig NS +additional jslawglobe.com. @94.140.14.14
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> NS +additional jslawglobe.com. @94.140.14.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27191
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jslawglobe.com.            IN  NS

;; Query time: 1 msec
;; SERVER: 94.140.14.14#53(94.140.14.14)
;; WHEN: Tue Sep 20 12:32:49 2022
;; MSG SIZE  rcvd: 32
[email protected] (AT&T (US)):  Copy results to clipboard
dig NS +additional jslawglobe.com. @165.87.13.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> NS +additional jslawglobe.com. @165.87.13.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44457
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 12

;; QUESTION SECTION:
;jslawglobe.com.            IN  NS

;; ANSWER SECTION:
jslawglobe.com.     86400   IN  NS  kehlani.ns.cloudflare.com.
jslawglobe.com.     86400   IN  NS  quinton.ns.cloudflare.com.

;; ADDITIONAL SECTION:
kehlani.ns.cloudflare.com. 78728 IN A   108.162.194.223
kehlani.ns.cloudflare.com. 78728 IN A   162.159.38.223
kehlani.ns.cloudflare.com. 78728 IN A   172.64.34.223
quinton.ns.cloudflare.com. 164999 IN    A   172.64.35.249
quinton.ns.cloudflare.com. 164999 IN    A   108.162.195.249
quinton.ns.cloudflare.com. 164999 IN    A   162.159.44.249
kehlani.ns.cloudflare.com. 78728 IN AAAA    2a06:98c1:50::ac40:22df
kehlani.ns.cloudflare.com. 78728 IN AAAA    2606:4700:50::a29f:26df
kehlani.ns.cloudflare.com. 78728 IN AAAA    2803:f800:50::6ca2:c2df
quinton.ns.cloudflare.com. 164999 IN    AAAA    2606:4700:58::a29f:2cf9
quinton.ns.cloudflare.com. 164999 IN    AAAA    2803:f800:50::6ca2:c3f9
quinton.ns.cloudflare.com. 164999 IN    AAAA    2a06:98c1:50::ac40:23f9

;; Query time: 41 msec
;; SERVER: 165.87.13.129#53(165.87.13.129)
;; WHEN: Tue Sep 20 12:32:49 2022
;; MSG SIZE  rcvd: 354

com. 区域

dig DS +additional +multiline +dnssec jslawglobe.com. @e.gtld-servers.net.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> DS +additional +multiline +dnssec jslawglobe.com. @e.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5877
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jslawglobe.com.        IN DS

;; ANSWER SECTION:
jslawglobe.com.     86400 IN DS 49211 8 2 (
                EEE39935BA7E61FFAD077F04F6877495B659B1295712
                B2A67BD03F470EFE0F2F )
jslawglobe.com.     86400 IN RRSIG DS 8 2 86400 20220927052146 (
                20220920041146 32298 com.
                qGgZ3u9IGoNHnN3z6o6yuW2LHh7iyjvEgICFWUI98ZGU
                Si+/drWBe0nmZOiQAGQRtUAE71lbbCloZ1R6y585PTJW
                Z+1aC5k40/bNVP/gi9nWmrSWSFAzupXmbZ5yEgSxFT5z
                1b5Pvrhg9DnE2xteTaaQJMPJT6Wx+YOQm7qawji2Q54u
                xc2wto57Vpv84wmq1NWjM/Ed5g9FmVa5NB9mDg== )

jslawglobe.com. 名称服务器

dig DNSKEY +additional +multiline +dnssec jslawglobe.com. @kehlani.ns.cloudflare.com.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> DNSKEY +additional +multiline +dnssec jslawglobe.com. @kehlani.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9460
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;jslawglobe.com.        IN DNSKEY

;; AUTHORITY SECTION:
jslawglobe.com.     3600 IN SOA kehlani.ns.cloudflare.com. dns.cloudflare.com. (
                2286759303 ; serial
                10000      ; refresh (2 hours 46 minutes 40 seconds)
                2400       ; retry (40 minutes)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )

;; Query time: 3 msec
;; SERVER: 172.64.34.223#53(172.64.34.223)
;; WHEN: Tue Sep 20 12:27:16 2022
;; MSG SIZE  rcvd: 105
[email protected].:  Copy results to clipboard
dig DNSKEY +additional +multiline +dnssec jslawglobe.com. @quinton.ns.cloudflare.com.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> DNSKEY +additional +multiline +dnssec jslawglobe.com. @quinton.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31849
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;jslawglobe.com.        IN DNSKEY

;; AUTHORITY SECTION:
jslawglobe.com.     3600 IN SOA kehlani.ns.cloudflare.com. dns.cloudflare.com. (
                2286759303 ; serial
                10000      ; refresh (2 hours 46 minutes 40 seconds)
                2400       ; retry (40 minutes)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )

;; Query time: 3 msec
;; SERVER: 172.64.35.249#53(172.64.35.249)
;; WHEN: Tue Sep 20 12:27:16 2022
;; MSG SIZE  rcvd: 105

在此处输入图片描述

https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/

https://metebalci.com/blog/a-minimum-complete-tutorial-of-dnssec/

https://dnsviz.net/d/jslawglobe.com/dnssec/

https://dnssec-analyzer.verisignlabs.com/jslawglobe.com

答案3

Google DNS 可能会检查 TXT 记录是否有一个名为 SPF(在 TXT 内)的条目。

在 Google 搜索中查找 SPF 记录。有很多文章和很好的教程。

相关内容