Domain-Name-System

DNS errors and no correct response returned

  • September 23, 2019

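I have a new server, and I added dns1.checkersinc.net, dns2.checkersinc.net to 69.64.33.255, 69.64.35.255. When I test the dns1.checkersinc.net and dns2.checkersinc.net domains on dnswatch.info, I get successful results. But the problem is that when I point a new account domain (for example, one of them) to the server with these nameservers, it does not open and gives a DNS error! (tamamsouq.com)

When I use intoDNS.com for NSLOOKUP, I get the following errors: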

Error   Mismatched NS records   WARNING: One or more of your nameservers did not return any of your NS records.
Error   DNS servers responded   ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
69.64.33.255 69.64.35.255

Error   Multiple Nameservers    ERROR: Looks like you have less than 2 nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.

Error   Missing nameservers reported by your nameservers    You should already know that your NS records at your nameservers are missing, so here it is again:

dns2.checkersinc.net.
dns1.checkersinc.net.


Error   SOA record  No valid SOA record came back!
MX  Error   MX Records  Oh well, I did not detect any MX records so you probably don't have any and if you know you should have then they may be missing at your nameservers!
WWW Error   WWW A Record    ERROR: I could not get any A records for www.tamamsouq.com!

When I run the dig command, I get this result:

server:~# dig @dns1.checkersinc.net tamamsouq.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

server:~# dig @dns1.checkersinc.net tamamsouq.com +answer +nocmd

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns1.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
server:~# dig @dns2.checkersinc.net tamamsouq.com +answer +nocmd

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @dns2.checkersinc.net tamamsouq.com +answer +nocmd
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

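Please note that I have CentOS 7 as the operating system, with WHM/cPanel. Please help as soon as possible, I am facing a big problem right now. Thanks in advance.

Your domain tamamsouq.com has a DNSSEC-related problem, as you can see if you go to http://dnsviz.net/d/tamamsouq.com/dnssec/. This is the first problem to solve.

In short, you put a DS record in the parent zone, but your nameservers do not publish any related DNSKEY record.

This will make your domain fail for any recursive nameserver that checks DNSSEC.

If you do not understand any of the preceding:

  • Go to your registrar, which is "PDR Ltd. d/b/a PublicDomainRegistry.com", based on whois
  • Find there where to remove the DS record
  • Wait a bit
  • Your domain will now work again for any recursive nameserver.

An easy way to check/reproduce:

  1. Use a recursive nameserver that checks DNSSEC: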
$ dig @9.9.9.9 tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65308
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65308

Note the SERVFAIL

  2. Do the same query but explicitly skip the DNSSEC check:
$ dig @9.9.9.9 tamamsouq.com NS +cd

; <<>> DiG 9.12.0 <<>> @9.9.9.9 tamamsouq.com NS +cd
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39591
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39591

And you still get SERVFAIL, which means that you have another problem even besides DNSSEC.

Let us troubleshoot manually.

What the registry says

$ dig @a.gtld-servers.net tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @a.gtld-servers.net tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44900
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tamamsouq.com.     IN NS

;; AUTHORITY SECTION:
tamamsouq.com.      2d IN NS dns1.checkersinc.net.
tamamsouq.com.      2d IN NS dns2.checkersinc.net.

Querying your nameservers directly

dig @dns1.checkersinc.net. tamamsouq.com NS

; <<>> DiG 9.12.0 <<>> @dns1.checkersinc.net. tamamsouq.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38704
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

...

;; QUERY SIZE: 54

;; connection timed out; no servers could be reached

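Same for dns2. Forcing TCP with +tcp does not change anything.

So your servers do not reply to DNS queries at all.

They seem to be at IP addresses 69.64.35.255 and 69.64.33.255.

You need to fix their connectivity problem; the last steps of a tcptraceroute are: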

8  * * *
9  ae5.cr-rigel.stl1.core.heg.com (4.35.182.58)  92.607 ms  92.283 ms  94.301 ms
10  207.38.95.10  94.115 ms  93.379 ms  93.532 ms
11  207.38.80.34  93.459 ms  94.508 ms  99.711 ms
12  static-ip-209-239-125-3.inaddr.ip-pool.com (209.239.125.3)  91.946 ms * *
13  * * *
14  * * *
15  * * *

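So you probably have a firewall in front of them eating all DNS traffic.

Same at the UDP level.

And since we cannot reach them, we cannot know whether a correct DNSKEY is published there (it should be key tag 2371), but if you have doubts about your own DNSSEC experience, and based on the above, I fear you do not have the correct DNSKEY record, so the advice above to remove the DS record at the registry still holds.

Quoted from: https://serverfault.com/questions/985232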
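
The three checks in the answer (validating resolver, the same query with +cd, then the authoritative server directly) can be scripted. The following is an added example, not code from the original question or answer; the function names `dig_rcode`, `triage` and `check_domain`, the result labels, and the sample transcripts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original answer): triage from dig transcripts.

# Print the rcode of the *response* in a dig transcript read from stdin.
# With +qr dig also prints the outgoing query header ("status: NOERROR"),
# so only a header that follows ";; Got answer:" counts.
dig_rcode() {
    awk '
        /connection timed out|no servers could be reached/ { t = 1 }
        /^;; Got answer:/ { ans = 1; next }
        ans && /status:/ {
            s = $0
            sub(/.*status: */, "", s); sub(/,.*/, "", s)
            rc = s; ans = 0
        }
        END { if (rc != "") print rc; else if (t) print "TIMEOUT"; else print "UNKNOWN" }
    '
}

# $1 = rcode via validating resolver, $2 = same query with +cd,
# $3 = rcode from the authoritative server queried directly.
triage() {
    if [ "$1" = NOERROR ]; then echo "ok"; return; fi
    if [ "$1" = SERVFAIL ] && [ "$2" = NOERROR ]; then
        echo "dnssec-validation-failure"; return
    fi
    if [ "$3" = TIMEOUT ]; then echo "authoritative-unreachable"; return; fi
    echo "other-failure"
}

# Live run: check_domain DOMAIN VALIDATING_RESOLVER AUTHORITATIVE_NS
check_domain() {
    v=$(dig +qr "@$2" "$1" NS 2>&1 | dig_rcode)
    c=$(dig +qr +cd "@$2" "$1" NS 2>&1 | dig_rcode)
    a=$(dig +qr +norecurse "@$3" "$1" NS 2>&1 | dig_rcode)
    triage "$v" "$c" "$a"
}

# Constructed samples modelled on the transcripts above.
SAMPLE_SERVFAIL=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1'
SAMPLE_TIMEOUT=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; connection timed out; no servers could be reached'

if [ "$#" -eq 3 ]; then check_domain "$@"; fi
```

A result of `authoritative-unreachable` matches the situation on this page: SERVFAIL persists with +cd and the nameservers time out, so the DNSSEC state of the zone cannot be determined until they answer.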