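Today I found that DNS resolution failed repeatedly when accessing the company website from the office. Because the Ministry of Industry and Information Technology (MIIT) recently circulated a questionnaire about requiring domestic websites to be registered with domestic registrars, I suspect the network blocking is related to this. The com zone has the following NS servers: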
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
Running the following query shows that 10 of these 13 NS servers cannot be reached from the office network (China Telecom fiber).
$ for i in i m f c g e b j l a k h d;do dig duowan.com @$i.gtld-servers.net;echo;done

; <<>> DiG 9.8.1-P1 <<>> duowan.com @i.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39534
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 12
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;duowan.com. IN A
;; AUTHORITY SECTION:
duowan.com. 172800 IN NS ns1.duowanns.com.
duowan.com. 172800 IN NS ns2.duowanns.com.
duowan.com. 172800 IN NS ns3.duowanns.com.
;; ADDITIONAL SECTION:
ns1.duowanns.com. 172800 IN A 119.188.71.249
ns1.duowanns.com. 172800 IN A 124.95.153.169
ns1.duowanns.com. 172800 IN A 183.61.2.249
ns1.duowanns.com. 172800 IN A 222.73.62.136
ns2.duowanns.com. 172800 IN A 119.188.71.250
ns2.duowanns.com. 172800 IN A 124.95.153.170
ns2.duowanns.com. 172800 IN A 183.61.2.250
ns2.duowanns.com. 172800 IN A 222.73.62.137
ns3.duowanns.com. 172800 IN A 119.188.71.251
ns3.duowanns.com. 172800 IN A 124.95.153.171
ns3.duowanns.com. 172800 IN A 183.61.2.251
ns3.duowanns.com. 172800 IN A 222.73.62.138
;; Query time: 68 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Fri Apr 1 11:20:23 2016
;; MSG SIZE rcvd: 283

; <<>> DiG 9.8.1-P1 <<>> duowan.com @m.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @f.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @c.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @g.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @e.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @b.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3644
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 12
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;duowan.com. IN A
;; AUTHORITY SECTION:
duowan.com. 172800 IN NS ns1.duowanns.com.
duowan.com. 172800 IN NS ns2.duowanns.com.
duowan.com. 172800 IN NS ns3.duowanns.com.
;; ADDITIONAL SECTION:
ns1.duowanns.com. 172800 IN A 119.188.71.249
ns1.duowanns.com. 172800 IN A 124.95.153.169
ns1.duowanns.com. 172800 IN A 183.61.2.249
ns1.duowanns.com. 172800 IN A 222.73.62.136
ns2.duowanns.com. 172800 IN A 119.188.71.250
ns2.duowanns.com. 172800 IN A 124.95.153.170
ns2.duowanns.com. 172800 IN A 183.61.2.250
ns2.duowanns.com. 172800 IN A 222.73.62.137
ns3.duowanns.com. 172800 IN A 119.188.71.251
ns3.duowanns.com. 172800 IN A 124.95.153.171
ns3.duowanns.com. 172800 IN A 183.61.2.251
ns3.duowanns.com. 172800 IN A 222.73.62.138
;; Query time: 75 msec
;; SERVER: 192.33.14.30#53(192.33.14.30)
;; WHEN: Fri Apr 1 11:21:43 2016
;; MSG SIZE rcvd: 283

; <<>> DiG 9.8.1-P1 <<>> duowan.com @j.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @l.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @a.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @k.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62769
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 12
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;duowan.com. IN A
;; AUTHORITY SECTION:
duowan.com. 172800 IN NS ns1.duowanns.com.
duowan.com. 172800 IN NS ns2.duowanns.com.
duowan.com. 172800 IN NS ns3.duowanns.com.
;; ADDITIONAL SECTION:
ns1.duowanns.com. 172800 IN A 119.188.71.249
ns1.duowanns.com. 172800 IN A 124.95.153.169
ns1.duowanns.com. 172800 IN A 183.61.2.249
ns1.duowanns.com. 172800 IN A 222.73.62.136
ns2.duowanns.com. 172800 IN A 119.188.71.250
ns2.duowanns.com. 172800 IN A 124.95.153.170
ns2.duowanns.com. 172800 IN A 183.61.2.250
ns2.duowanns.com. 172800 IN A 222.73.62.137
ns3.duowanns.com. 172800 IN A 119.188.71.251
ns3.duowanns.com. 172800 IN A 124.95.153.171
ns3.duowanns.com. 172800 IN A 183.61.2.251
ns3.duowanns.com. 172800 IN A 222.73.62.138
;; Query time: 208 msec
;; SERVER: 192.52.178.30#53(192.52.178.30)
;; WHEN: Fri Apr 1 11:22:28 2016
;; MSG SIZE rcvd: 283

; <<>> DiG 9.8.1-P1 <<>> duowan.com @h.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.8.1-P1 <<>> duowan.com @d.gtld-servers.net
;; global options: +cmd
;; connection timed out; no servers could be reached
For comparison, I ran the following command against the 13 root NS servers, and almost all of them responded normally.
for i in i d f l e h k g b c m j a;do dig duowan.com @$i.root-servers.net;echo;done
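Because the authoritative NS servers for the com zone are heavily blocked by the firewall, DNS resolution on the office network times out in all sorts of ways, which is what causes the problem.
The current workaround is to use third-party public DNS such as Alibaba, Tencent, or 114, but with that setup some internal OA subsystems cannot be used.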
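The per-server check above can be condensed into a one-line tally instead of reading 13 transcripts by eye. The script below is an added example, not part of the original post; the function names (classify, summarise, probe, demo) are made up for illustration, and the two sample transcripts are lines copied from the dig output shown above.

```shell
# Added example (not from the original post): tally gTLD server reachability.
# Sample lines copied from the dig output in this post.
SAMPLE_OK=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39534'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# classify: read one dig transcript on stdin; print ok, timeout or other:<status>.
classify() {
    awk '
        /connection timed out/ { r = "timeout" }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
            r = (s == "NOERROR") ? "ok" : ("other:" s)
        }
        END { if (r == "") r = "other:unknown"; print r }
    '
}

# summarise: read "<letter> <result>" lines; print the reachable/unreachable totals.
summarise() {
    awk '{ if ($2 == "ok") ok++; else bad++ }
         END { printf "reachable=%d unreachable=%d\n", ok, bad }'
}

# probe: live check (needs network and dig). One try, 2 s timeout, no recursion.
# Optional second argument +tcp repeats the check over TCP instead of UDP.
probe() {
    domain=$1
    opt=${2:-}
    for l in a b c d e f g h i j k l m; do
        printf '%s %s\n' "$l" \
            "$(dig +time=2 +tries=1 +norecurse $opt "$domain" "@$l.gtld-servers.net" 2>&1 | classify)"
    done
}

# demo: replay the results recorded in this post (i, b and k answered) offline.
demo() {
    for l in i m f c g e b j l a k h d; do
        case $l in
            i|b|k) out=$SAMPLE_OK ;;
            *)     out=$SAMPLE_TIMEOUT ;;
        esac
        printf '%s %s\n' "$l" "$(printf '%s\n' "$out" | classify)"
    done | summarise
}
```

On a live network, `probe duowan.com | summarise` gives the UDP tally and `probe duowan.com +tcp | summarise` the TCP one; comparing the two shows whether the servers are unreachable over both transports.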