Domain-Name-System

Windows DNS answers NXDOMAIN for a local zone when queried from the VPN

  • January 17, 2013

Note: wrong assumption

It turns out the VPN was configured to redirect all name lookups to a different server. So the problem was not Windows DNS but the VPN gateway.

Original question

I have a remote network 10.12.0.0/16 with a Windows domain controller (SBS 2011) and a VPN gateway. Some Windows PCs (not domain members) connect to the SBS over an L2TP VPN. They get a virtual IP in 10.14.0.0/24. The VPN gateway is the default gateway of the SBS and routes between the two networks. The SBS and the clients can ping each other.

The domain controller owns the Active Directory domain company.local. If I run nslookup for it on the SBS, it resolves correctly to the IP of the SBS. Queries from the VPN gateway also work. But nslookup company.local 10.12.0.5 (the latter being the SBS IP) from the client responds with domain not found. With tcpdump on the VPN gateway I can see that the SBS really does return NXDOMAIN 0/0/0.

As you may have guessed, the goal is to join the domain from a computer connected over the VPN.

Why does the DNS server not return the correct A record? My only idea is that the query comes from an unknown private network.

Update 01

Full query from the client PC:

C:\Users\abc>nslookup -debug company.local 10.12.0.5
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 1, rcode = NOERROR
       header flags:  response, auth. answer, want recursion, recursion avail.
       questions = 1,  answers = 1,  authority records = 0,  additional = 0

   QUESTIONS:
       5.0.12.10.in-addr.arpa, type = PTR, class = IN
   ANSWERS:
   ->  5.0.12.10.in-addr.arpa
       name = xyz.cloud.internal
       ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
   HEADER:
       opcode = QUERY, id = 2, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 0,  additional = 0

   QUESTIONS:
       company.local, type = A, class = IN

------------
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 3, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 0,  additional = 0

   QUESTIONS:
       company.local, type = AAAA, class = IN

------------
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 4, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 0,  additional = 0

   QUESTIONS:
       company.local, type = A, class = IN

------------
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 5, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 0,  additional = 0

   QUESTIONS:
       company.local, type = AAAA, class = IN

------------
*** xyz.cloud.internal can't find company.local: Non-existent domain

Update 02

C:\Users\abc>nslookup -debug _ldap._tcp.dc._msdcs.company.local.
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 1, rcode = NOERROR
       header flags:  response, auth. answer, want recursion, recursion avail.
       questions = 1,  answers = 1,  authority records = 0,  additional = 0

   QUESTIONS:
       5.0.12.10.in-addr.arpa, type = PTR, class = IN
   ANSWERS:
   ->  5.0.12.10.in-addr.arpa
       name = xyz.cloud.internal
       ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
   HEADER:
       opcode = QUERY, id = 2, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 0,  additional = 0

   QUESTIONS:
       _ldap._tcp.dc._msdcs.company.local, type = A, class = IN

------------
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 3, rcode = NXDOMAIN
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 0,  authority records = 1,  additional = 0

   QUESTIONS:
       _ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
   AUTHORITY RECORDS:
   ->  (root)
       ttl = 10789 (2 hours 59 mins 49 secs)
       primary name server = a.root-servers.net
       responsible mail addr = nstld.verisign-grs.com
       serial  = 2013011600
       refresh = 1800 (30 mins)
       retry   = 900 (15 mins)
       expire  = 604800 (7 days)
       default TTL = 86400 (1 day)

------------
*** xyz.cloud.internal can't find _ldap._tcp.dc._msdcs.company.local.: Non-existent domain

The problem (as raised in the comments) turned out to be that the VPN gateway was intercepting the DNS queries.

Quoted from: https://serverfault.com/questions/469333
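As an added illustration (not part of the original question), a small Python check for the clue already visible in the nslookup output above: the PTR reply carries the "auth. answer" flag, while the NXDOMAIN replies for company.local do not, even though the query was addressed to the zone's own server at 10.12.0.5. The header builder and the two replies below are constructed test input, not captured traffic.

```python
import struct

# Bit masks of the 16-bit DNS header flags word (RFC 1035, section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields nslookup -debug prints."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "response": bool(flags & QR),
        "auth_answer": bool(flags & AA),
        "want_recursion": bool(flags & RD),
        "recursion_avail": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def classify_reply(data: bytes, queried_authoritative_server: bool = True) -> str:
    """Judge whether a reply plausibly came from the server the query was sent to.

    When the query is addressed to the zone's own DNS server, every reply for a
    name in that zone, NXDOMAIN included, must carry the AA bit. A negative reply
    without AA means some other resolver answered in its place (here: the VPN
    gateway redirecting lookups), which is exactly the symptom in the post.
    """
    h = parse_header(data)
    if not h["response"]:
        return "not-a-response"
    if h["auth_answer"]:
        return "authoritative"
    if queried_authoritative_server and h["rcode"] == "NXDOMAIN":
        return "intercepted-suspected"
    return "non-authoritative"


def build_reply(msg_id: int, aa: bool, rcode: int, answers: int = 0) -> bytes:
    """Constructed test input: a response header with QR/RD/RA set and optional AA."""
    flags = QR | RD | RA | (AA if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, 1, answers, 0, 0)


# The two header shapes from the post: the PTR lookup answered with "auth. answer",
# and the company.local A lookup answered NXDOMAIN with no AA bit, recursion available.
PTR_REPLY = build_reply(1, aa=True, rcode=0, answers=1)
A_REPLY = build_reply(2, aa=False, rcode=3)
```

In practice the bytes come from a capture such as the tcpdump mentioned in the post; the check only needs the first 12 bytes of each reply.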