Domain-Name-System

BIND 無法解析一個域但適用於其他域

  • November 4, 2019

在為 DNS 執行綁定 9.11 的 SMTP 伺服器上,一個域的 DNS 解析失敗,導致發送到該域的電子郵件失敗。解析其他域沒有問題。但是,它可以在其他 DNS 伺服器(例如 google 的伺服器)上解析,或者如果我執行 dig +trace。據我所知,由於 DNSSEC,它失敗了。如果我在 Bind 上禁用 dnssec-validation,它就可以工作。DNSSEC 驗證工具(dnsviz 和威瑞信的 dnssec-analyzer)沒有顯示任何問題。有任何想法嗎?

探勘的輸出:

dig friendsadventure.com

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> friendsadventure.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4970
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c146b587dba9a5ee7737a2255db1b01c98ae834561f56f47 (good)
;; QUESTION SECTION:
;friendsadventure.com.          IN      A

;; Query time: 4212 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 24 10:07:24 EDT 2019
;; MSG SIZE  rcvd: 77

dig +all friendsadventure.com

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> +all friendsadventure.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36655
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8cb7b3c12a7442d2efdac7005db1b04141ec511e65959d57 (good)
;; QUESTION SECTION:
;friendsadventure.com.          IN      A

;; Query time: 2465 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 24 10:08:01 EDT 2019
;; MSG SIZE  rcvd: 77

dig +trace friendsadventure.com

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> +trace friendsadventure.com
;; global options: +cmd
.                       515510  IN      NS      k.root-servers.net.
.                       515510  IN      NS      c.root-servers.net.
.                       515510  IN      NS      e.root-servers.net.
.                       515510  IN      NS      a.root-servers.net.
.                       515510  IN      NS      h.root-servers.net.
.                       515510  IN      NS      l.root-servers.net.
.                       515510  IN      NS      d.root-servers.net.
.                       515510  IN      NS      g.root-servers.net.
.                       515510  IN      NS      m.root-servers.net.
.                       515510  IN      NS      j.root-servers.net.
.                       515510  IN      NS      b.root-servers.net.
.                       515510  IN      NS      i.root-servers.net.
.                       515510  IN      NS      f.root-servers.net.
.                       515510  IN      RRSIG   NS 8 0 518400 20191106050000 20191024040000 22545 . VMJm6mjyJGRlIHIZFqe63o28rV9XrZpMEOjhFIW094xMFd7s2LL49Dfq +gaiZ549QmIfHUNnTAg9ZGeNHgxs+AFobw5/4ag6oieqo6wJdnwLEIcr AdMeHFz6UJ6FA5MKGWTTY/oBfdfCujbCgTxeMKK1sBwrBLrZ70yfH57x 9/tjVsAYagE5sEi+leATrOtBtJf1FfJqa9wD1ps5GAiOODtI7E+FDFsI 6ZvnTqp0d4qnIcNhf1UiUyvhYoFo7OqnJjDo15h/JMMfG1/9Ope1lAba 9Cdg+ufcIpbfIn63ppq6t/gFGsNUO/+E0rTDno2PdKu0w4rmVxN9ouY/ Hs1/Rw==
;; Received 1125 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20191106050000 20191024040000 22545 . aYmq05+eT68QCPzVN5SAQSvxLh82HUwI7Nh0ioeWsyXALVUvN5CVl3S+ qQFTBiUOGn2vbhHDPrfIfLHLQU11VLFQsS9ZCwG8yUBu1agfcpD8/MZF 3GCrnyhBUhWpaj2UptJJlLk/cncoqX+womKaSgbK3vAYAjsmqQ806hhF dlhM3sQodBmTYFqHTTdnmfJVAZWckES7t0K/wjma6DrMsYJK9rgeiTd1 RnmAojPN/y0M+7rLKc1IuJDZK4YFatjuzZACRVMOtEU33Q8GbNrMHMOO 0o5JfwO7r99tVSMXQR/oCWdhT0ljGTpV1Qcl5VldyLr5rkzRFRRoYys/ cKtYvA==
;; Received 1208 bytes from 192.112.36.4#53(g.root-servers.net) in 38 ms

friendsadventure.com.   172800  IN      NS      pdns09.domaincontrol.com.
friendsadventure.com.   172800  IN      NS      pdns10.domaincontrol.com.
friendsadventure.com.   86400   IN      DS      28564 8 1 EAD936FCAE141DD53D38613B1DDB19BCCAC934BA
friendsadventure.com.   86400   IN      DS      18226 8 1 97AE273935A90AA409038F67E6D3F9D3E262AE0E
friendsadventure.com.   86400   IN      RRSIG   DS 8 2 86400 20191031053115 20191024042115 12163 com. a5+9EXcT3oFCxHKwk0kua7Y7eV9R9Suyrzj1MKkgbsrT27/5amOQcGQp J2/K8n1dIuQC5wZRRtDkWXxwyagMGEIJf9MQ4mAtZo9SWl9z46SY/Yh7 59bUao4oIJCzslVUUPsgaqsZutGKgDI5a1DIQLWIKMk3N6dVMbDyAx3m VXFlFaKyo1+ffoA283oQpqjNZ6XIuOxzf1RUwNfptTsF2A==
;; Received 460 bytes from 192.42.93.30#53(g.gtld-servers.net) in 16 ms

friendsadventure.com.   10800   IN      A       160.153.128.37
friendsadventure.com.   10800   IN      RRSIG   A 8 2 10800 20191107175037 20191023175037 12486 friendsadventure.com. BW6U7Jn2wmmT4VOdY/Qb8XZJHVyaLp5FqOFdUpDivP9HG0F781V2V+8u bBmrXKsGPpeZYE/g+dTbhhigdGMKoJtiWkFDRZzo1aQd6SpKkho7vgrk sP4QwTpHviTuF/hbU/PlTGeITVN6JNkY5BX420W35B0kFsxGx+eX+r8E zLmTPRtmc9SQe8iR11Vio5ITsZF6m2Wgo/V4brPo0rbCGhfbUPexhNbH TVhEfFKAvk1Cn/6b2nrpg01EU0Mc8TNQ1eB1/Vf8EyyMU5yJfiOXz7nL kTlT0EVMrEE6phAH5iouS3EwJNzgTC7KhcqsPY91cALNC7Vi10gsT+WS f4Vw+Q==
friendsadventure.com.   3600    IN      NS      pdns09.domaincontrol.com.
friendsadventure.com.   3600    IN      NS      pdns10.domaincontrol.com.
friendsadventure.com.   3600    IN      RRSIG   NS 8 2 3600 20191107175037 20191023175037 12486 friendsadventure.com. gmpyOsvAc9v/GnRV4T9EA1RXxGFQ88C8xG2YljPZEwhvnGjT40j3rrrY tnzKAczZzy064jIwDi2FQ3Q09BUKuswnNALxldPaiZRI22xyj9Mal5n6 AxdYhD4k7esmThO2mUbHtb1Cf7hEOpoPYWZZGCQuHUwsAil+PnbdFto1 +9OhY98Xb8koWHWflNGj+v+2XtemqCXsHrvHncKAY8hZg/DjCFfQMJ5N bE5QnTDKw8uhqHLTm83gsT0pBrSQuz1TGCtNVyqlR37PQwkxrXSJBFtb hrSgRusd5SmYq6kgRN/2Z2n3nYbwKjMikk11FxcppwFUcolledJm59Y4 kzoEyg==
;; Received 737 bytes from 173.201.78.54#53(pdns10.domaincontrol.com) in 14 ms

綁定調試輸出。看起來它正在嘗試使用 IPV6 來解決(我在故障排除過程中禁用了它)。

grep friendsadventure dns.txt
23-Oct-2019 17:37:27.265 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): query (cache) 'friendsadventure.com/A/IN' approved
23-Oct-2019 17:37:27.265 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): replace
23-Oct-2019 17:37:27.266 fetch: friendsadventure.com/A
23-Oct-2019 17:37:27.267 network unreachable resolving 'friendsadventure.com/A/IN': 2001:500:200::b#53
23-Oct-2019 17:37:27.526 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:83eb::30#53
23-Oct-2019 17:37:27.526 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:39c1::30#53
23-Oct-2019 17:37:27.526 network unreachable resolving 'friendsadventure.com/A/IN': 2001:500:856e::30#53
23-Oct-2019 17:37:27.526 network unreachable resolving 'friendsadventure.com/A/IN': 2001:500:d937::30#53
23-Oct-2019 17:37:27.526 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:d414::30#53
23-Oct-2019 17:37:27.527 network unreachable resolving 'friendsadventure.com/A/IN': 2001:502:7094::30#53
23-Oct-2019 17:37:27.527 network unreachable resolving 'friendsadventure.com/A/IN': 2001:501:b1f9::30#53
23-Oct-2019 17:37:27.527 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:231d::2:30#53
23-Oct-2019 17:37:27.527 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:eea3::30#53
23-Oct-2019 17:37:27.527 network unreachable resolving 'friendsadventure.com/A/IN': 2001:502:8cc::30#53
23-Oct-2019 17:37:27.528 network unreachable resolving 'friendsadventure.com/A/IN': 2001:502:1ca1::30#53
23-Oct-2019 17:37:27.528 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:a83e::2:30#53
23-Oct-2019 17:37:27.528 network unreachable resolving 'friendsadventure.com/A/IN': 2001:503:d2d::30#53
23-Oct-2019 17:37:27.556 network unreachable resolving 'friendsadventure.com/A/IN': 2603:5:22e2::36#53
23-Oct-2019 17:37:27.556 network unreachable resolving 'friendsadventure.com/A/IN': 2603:5:21e2::36#53
23-Oct-2019 17:37:27.592 validating friendsadventure.com/A: starting
23-Oct-2019 17:37:27.592 validating friendsadventure.com/A: attempting positive response validation
23-Oct-2019 17:37:27.592 fetch: friendsadventure.com/DNSKEY
23-Oct-2019 17:37:27.592 network unreachable resolving 'friendsadventure.com/DNSKEY/IN': 2603:5:21e2::36#53
23-Oct-2019 17:37:28.425 network unreachable resolving 'friendsadventure.com/DNSKEY/IN': 2603:5:22e2::36#53
23-Oct-2019 17:37:32.287 client @0x7f0bb80019f0 127.0.0.1#56182 (friendsadventure.com): query (cache) 'friendsadventure.com/A/IN' approved
23-Oct-2019 17:37:32.287 client @0x7f0bb80019f0 127.0.0.1#56182 (friendsadventure.com): replace
23-Oct-2019 17:37:32.288 fetch: friendsadventure.com/A
23-Oct-2019 17:37:32.288 client @0x7f0bb80019f0 127.0.0.1#56182 (friendsadventure.com): next
23-Oct-2019 17:37:32.288 client @0x7f0bb80019f0 127.0.0.1#56182 (friendsadventure.com): request failed: duplicate query
23-Oct-2019 17:37:32.288 client @0x7f0bb80019f0 127.0.0.1#56182 (friendsadventure.com): endrequest
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): query failed (SERVFAIL) for friendsadventure.com/IN/A at ../../../bin/         named/query.c:8579
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): error
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): send
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): sendto
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): servfail cache hit friendsadventure.com/A (CD=0)
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): query failed (SERVFAIL) for friendsadventure.com/IN/A at ../../../bin/         named/query.c:7037
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): error
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): send
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): sendto
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): senddone
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): next
23-Oct-2019 17:37:37.277 client @0x7f0bb801e690 127.0.0.1#56182 (friendsadventure.com): endrequest
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): senddone
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): next
23-Oct-2019 17:37:37.277 client @0x7f0bc009ebb0 127.0.0.1#56182 (friendsadventure.com): endrequest
23-Oct-2019 17:37:37.277 fetch completed at ../../../lib/dns/resolver.c:3930 for friendsadventure.com/A in 10.000141: timed out/success [domain:friendsadventu         re.com,referral:2,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:2,badresp:0,adberr:0,findfail:0,valfail:0]
23-Oct-2019 17:37:37.277 validating friendsadventure.com/A: dns_validator_cancel
23-Oct-2019 17:37:37.278 validating friendsadventure.com/A: in fetch_callback_validator

tcpdump 輸出

17:01:19.075437 IP (tos 0x0, ttl 64, id 27795, offset 0, flags [none], proto UDP (17), length 68)
   extsmtp3.mydomain.com.50210 > a.root-servers.net.domain: 41505 [1au] NS? . (40)
17:01:19.076974 IP (tos 0x0, ttl 64, id 27796, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.43500 > a.root-servers.net.domain: 14448 [1au] A? friendsadventure.com. (61)
17:01:19.090998 IP (tos 0x0, ttl 57, id 41258, offset 0, flags [none], proto UDP (17), length 531)
   a.root-servers.net.domain > extsmtp3.mydomain.com.50210: 41505*-| 13/0/13 . NS e.root-servers.net., . NS h.root-servers.net., . NS l.root-servers.net., . NS i.root-servers.net., . NS a.root-servers.net., . NS d.root-servers.net., . NS c.root-servers.net., . NS b.root-servers.net., . NS j.root-servers.net., . NS k.root-servers.net., . NS g.root-servers.net., . NS m.root-servers.net., . NS f.root-servers.net. (503)
17:01:19.092427 IP (tos 0x0, ttl 57, id 17457, offset 0, flags [none], proto UDP (17), length 525)
   a.root-servers.net.domain > extsmtp3.mydomain.com.43500: 14448-| 0/14/9 (497)
17:01:19.113116 IP (tos 0x0, ttl 64, id 43966, offset 0, flags [none], proto UDP (17), length 68)
   extsmtp3.mydomain.com.34191 > i.root-servers.net.domain: 3117 [1au] DNSKEY? . (40)
17:01:19.124800 IP (tos 0x0, ttl 64, id 56207, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.39560 > j.gtld-servers.net.domain: 55503 [1au] A? friendsadventure.com. (61)
17:01:19.140321 IP (tos 0x0, ttl 57, id 3847, offset 0, flags [none], proto UDP (17), length 488)
   j.gtld-servers.net.domain > extsmtp3.mydomain.com.39560: 55503- 0/5/5 (460)
17:01:19.141418 IP (tos 0x0, ttl 64, id 55938, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.52713 > pdns10.domaincontrol.com.domain: 25015 [1au] A? friendsadventure.com. (61)
17:01:19.160193 IP (tos 0x0, ttl 55, id 18703, offset 0, flags [DF], proto UDP (17), length 457)
   pdns10.domaincontrol.com.domain > extsmtp3.mydomain.com.52713: 25015*-| 2/2/1 friendsadventure.com. A 160.153.128.37, friendsadventure.com. RRSIG (429)
17:01:19.187118 IP (tos 0x0, ttl 64, id 57619, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.48726 > pdns09.domaincontrol.com.domain: 13158 [1au] DNSKEY? friendsadventure.com. (61)
17:01:19.195377 IP (tos 0x0, ttl 56, id 11126, offset 0, flags [none], proto UDP (17), length 56)
   i.root-servers.net.domain > extsmtp3.mydomain.com.34191: 3117*-|$ 0/0/1 (28)
17:01:19.195466 IP (tos 0x0, ttl 57, id 46859, offset 0, flags [DF], proto UDP (17), length 353)
   pdns09.domaincontrol.com.domain > extsmtp3.mydomain.com.48726: 13158*-| 1/0/1 friendsadventure.com. DNSKEY (325)
17:01:19.215932 IP (tos 0x0, ttl 64, id 55940, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.37145 > pdns10.domaincontrol.com.domain: 48829 [1au] DNSKEY? friendsadventure.com. (61)
17:01:20.016338 IP (tos 0x0, ttl 64, id 57790, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.36543 > pdns09.domaincontrol.com.domain: 22039 [1au] DNSKEY? friendsadventure.com. (61)
17:01:20.025279 IP (tos 0x0, ttl 55, id 32534, offset 0, flags [DF], proto UDP (17), length 1181)
   pdns09.domaincontrol.com.domain > extsmtp3.mydomain.com.36543: 22039*-| 4/0/1 friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY (1153)
17:01:20.043305 IP (tos 0x0, ttl 64, id 56055, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.48540 > pdns10.domaincontrol.com.domain: 55907 [1au] DNSKEY? friendsadventure.com. (61)
17:01:21.156737 IP (tos 0x0, ttl 64, id 58059, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.48699 > pdns09.domaincontrol.com.domain: 26029 [1au] DNSKEY? friendsadventure.com. (61)
17:01:21.167443 IP (tos 0x0, ttl 55, id 62141, offset 0, flags [DF], proto UDP (17), length 353)
   pdns09.domaincontrol.com.domain > extsmtp3.mydomain.com.48699: 26029*-| 1/0/1 friendsadventure.com. DNSKEY (325)
17:01:21.188141 IP (tos 0x0, ttl 64, id 56250, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.60396 > pdns10.domaincontrol.com.domain: 48516 [1au] DNSKEY? friendsadventure.com. (61)
17:01:22.788241 IP (tos 0x0, ttl 64, id 58358, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.36707 > pdns09.domaincontrol.com.domain: 24787 [1au] DNSKEY? friendsadventure.com. (61)
17:01:22.798638 IP (tos 0x0, ttl 57, id 63148, offset 0, flags [DF], proto UDP (17), length 353)
   pdns09.domaincontrol.com.domain > extsmtp3.mydomain.com.36707: 24787*-| 1/0/1 friendsadventure.com. DNSKEY (325)
17:01:22.822719 IP (tos 0x0, ttl 64, id 56419, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.50584 > pdns10.domaincontrol.com.domain: 47747 [1au] DNSKEY? friendsadventure.com. (61)
17:01:26.022966 IP (tos 0x0, ttl 64, id 58373, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.43097 > pdns09.domaincontrol.com.domain: 54884 [1au] DNSKEY? friendsadventure.com. (61)
17:01:26.041384 IP (tos 0x0, ttl 55, id 50247, offset 0, flags [DF], proto UDP (17), length 353)
   pdns09.domaincontrol.com.domain > extsmtp3.mydomain.com.43097: 54884*-| 1/0/1 friendsadventure.com. DNSKEY (325)
17:01:26.068980 IP (tos 0x0, ttl 64, id 57148, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.48112 > pdns10.domaincontrol.com.domain: 39385 [1au] DNSKEY? friendsadventure.com. (61)
17:01:26.078022 IP (tos 0x0, ttl 55, id 30505, offset 0, flags [DF], proto UDP (17), length 1181)
   pdns10.domaincontrol.com.domain > extsmtp3.mydomain.com.48112: 39385*-| 4/0/1 friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY (1153)
17:01:26.097372 IP (tos 0x0, ttl 64, id 58379, offset 0, flags [none], proto UDP (17), length 89)
   extsmtp3.mydomain.com.57062 > pdns09.domaincontrol.com.domain: 27082 [1au] DNSKEY? friendsadventure.com. (61)

配置是 ubuntu 安裝的所有預設設置,除了在發生此問題後我確實禁用了 IPV6:

named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options:
   options {
           directory "/var/cache/bind";
           dnssec-validation auto;
           filter-aaaa-on-v4 yes;
           listen-on-v6 { none; };
   };

named.conf.local: empty
named.conf.default-zones:
zone "." {
       type hint;
       file "/usr/share/dns/root.hints";
};

zone "localhost" {
       type master;
       file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
       type master;
       file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
       type master;
       file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
       type master;
       file "/etc/bind/db.255";
};

我在您的 tcpdump 中發現的是,您與伺服器的 TCP 連接似乎已斷開。你得到一個最大(1500 MTU 為 1460)字節的 TCP 包,然後連接被斷開,確認它,你得到的下一個包已經是 FIN:

12:52:10.773476 IP (tos 0x0, ttl 64, id 30033, offset 0, flags [DF], proto TCP (6), length 60)
   172.16.255.11.53639 > 173.201.78.54.53: Flags [S], cksum 0xa74a (incorrect -> 0xfc0e), seq 1207191269, win 64240, options [mss 1460,sackOK,TS val 2622008582 ecr 0,nop,wscale 6], length 0
12:52:10.784310 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52)
   173.201.78.54.53 > 172.16.255.11.53639: Flags [S.], cksum 0x5de3 (correct), seq 3333869771, ack 1207191270, win 29200, options [mss 1420,nop,nop,sackOK,nop,wscale 7], length 0
12:52:10.784356 IP (tos 0x0, ttl 64, id 30034, offset 0, flags [DF], proto TCP (6), length 40)
   172.16.255.11.53639 > 173.201.78.54.53: Flags [.], cksum 0xa736 (incorrect -> 0x0cb2), ack 1, win 1004, length 0
12:52:10.784493 IP (tos 0x0, ttl 64, id 30035, offset 0, flags [DF], proto TCP (6), length 103)
   172.16.255.11.53639 > 173.201.78.54.53: Flags [P.], cksum 0xa775 (incorrect -> 0x24cf), seq 1:64, ack 1, win 1004, length 6337614 [1au] DNSKEY? friendsadventure.com. (61)
12:52:10.805803 IP (tos 0x0, ttl 255, id 38197, offset 0, flags [none], proto TCP (6), length 1460)
   173.201.78.54.53 > 172.16.255.11.53639: Flags [.], cksum 0xeeaf (correct), seq 1:1421, ack 64, win 227, length 142037614*- 5/3/1 friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. DNSKEY, friendsadventure.com. RRSIG[|domain]
12:52:10.805837 IP (tos 0x0, ttl 64, id 30036, offset 0, flags [DF], proto TCP (6), length 40)
   172.16.255.11.53639 > 173.201.78.54.53: Flags [.], cksum 0xa736 (incorrect -> 0x06e9), ack 1421, win 1002, length 0
12:52:10.805842 IP (tos 0x0, ttl 255, id 38198, offset 0, flags [none], proto TCP (6), length 40)
   173.201.78.54.53 > 172.16.255.11.53639: Flags [FP.], cksum 0x09e7 (correct), seq 1421, ack 64, win 227, length 0
12:52:10.806044 IP (tos 0x0, ttl 64, id 30037, offset 0, flags [DF], proto TCP (6), length 40)
   172.16.255.11.53639 > 173.201.78.54.53: Flags [F.], cksum 0xa736 (incorrect -> 0x06e7), seq 64, ack 1422, win 1002, length 0
12:52:10.806085 IP (tos 0x0, ttl 64, id 44626, offset 0, flags [none], proto UDP (17), length 89)
   172.16.255.11.34136 > 97.74.110.54.53: 26250 [1au] DNSKEY? friendsadventure.com. (61)
12:52:10.806877 IP (tos 0x0, ttl 255, id 38199, offset 0, flags [none], proto TCP (6), length 40)
   173.201.78.54.53 > 172.16.255.11.53639: Flags [.], cksum 0x09ee (correct), ack 65, win 227, length 0

您得到正好 1460 字節有效載荷的機率不是很高。此外,我可以通過我的伺服器確認響應更大,並且對於同一查詢(1857)並不完全在 1460 字節邊界上。

我對該部分的 DNS 通信如下所示:

00:57:17.692876 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 40) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [S], cksum 0x794a (incorrect -> 0x23b5), seq 3083934744, win 64660, options [mss 1220,sackOK,TS val 27470909 ecr 0,nop,wscale 7], length 0
00:57:17.696289 IP6 (hlim 54, next-header TCP (6) payload length: 40) pdns10.domaincontrol.com.domain > myserver.mydomain.net.eu.org.44427: Flags [S.], cksum 0x5462 (correct), seq 1600069237, ack 3083934745, win 28560, options [mss 1440,sackOK,TS val 1680374125 ecr 27470909,nop,wscale 7], length 0
00:57:17.696384 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 32) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [.], cksum 0x7942 (incorrect -> 0xf0ad), seq 1, ack 1, win 506, options [nop,nop,TS val 27470912 ecr 1680374125], length 0
00:57:17.696634 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 95) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [P.], cksum 0x7981 (incorrect -> 0xc999), seq 1:64, ack 1, win 506, options [nop,nop,TS val 27470912 ecr 1680374125], length 63 17914 [1au] DNSKEY? friendsadventure.com. ar: . OPT UDPsize=4096 DO (61)
00:57:17.700005 IP6 (hlim 54, next-header TCP (6) payload length: 32) pdns10.domaincontrol.com.domain > myserver.mydomain.net.eu.org.44427: Flags [.], cksum 0xf185 (correct), seq 1, ack 64, win 224, options [nop,nop,TS val 1680374128 ecr 27470912], length 0
00:57:17.700961 IP6 (hlim 54, next-header TCP (6) payload length: 34) pdns10.domaincontrol.com.domain > myserver.mydomain.net.eu.org.44427: Flags [P.], cksum 0xea59 (correct), seq 1:3, ack 64, win 224, options [nop,nop,TS val 1680374129 ecr 27470912], length 2
00:57:17.700986 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 32) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [.], cksum 0x7942 (incorrect -> 0xf063), seq 64, ack 3, win 506, options [nop,nop,TS val 27470917 ecr 1680374129], length 0
00:57:17.701005 IP6 (hlim 54, next-header TCP (6) payload length: 1857) pdns10.domaincontrol.com.domain > myserver.mydomain.net.eu.org.44427: Flags [FP.], cksum 0x8063 (incorrect -> 0x768f), seq 3:1828, ack 64, win 224, options [nop,nop,TS val 1680374129 ecr 27470912], length 1825 33792 [b2&3=0x1] [3a] [5q] [1n] [4198au][|domain]
00:57:17.701106 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 32) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [.], cksum 0x7942 (incorrect -> 0xe94c), seq 64, ack 1829, win 495, options [nop,nop,TS val 27470917 ecr 1680374129], length 0
00:57:17.701932 IP6 (flowlabel 0x936c6, hlim 64, next-header TCP (6) payload length: 32) myserver.mydomain.net.eu.org.44427 > pdns10.domaincontrol.com.domain: Flags [F.], cksum 0x7942 (incorrect -> 0xe942), seq 64, ack 1829, win 503, options [nop,nop,TS val 27470918 ecr 1680374129], length 0

如果您有 DNSSEC(在我的情況下見相同),那麼 UDP 在某些或許多情況下不會成功並不少見。

所以我們需要專注於為什麼你沒有得到完整的 TCP 響應。

我想知道為什麼您的機器將 DF 設置為所有傳出包。(也許是因為路徑 MTU 發現?)

您的伺服器和定義明確的公共網際網路之間有哪些設備?

請問您的網卡有問題嗎?您擁有哪種類型的 NIC 以及哪種類型的硬體/VM?

您的 NIC ( ) 上啟用了哪些功能ethtool -k ethX

有時,如果 NIC 不是您的 NIC 和公共 Internet 之間的設備,則某些功能已損壞並且可以/應該禁用。

在我的情況下,您會看到 NIC 正在發送我的核心超大包,認為 MTU 在本地是 1500(通常在 Internet 中相同)。這些功能有時也會引起麻煩,在這種情況下需要禁用。

引用自:https://serverfault.com/questions/989291