
DNS zone dropping out

We have an OpenBSD router to which the zone bsd.ne-vlezay80 is delegated.

Sometimes the zone stops answering; when that happens, the following shows up in the logs of the primary server:

Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:33:36 localhost named[1391]: received control channel command 'flush'
Nov 17 00:33:36 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:40 localhost named[1391]: received control channel command 'flush'
Nov 17 00:34:40 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:34:53 localhost named[1391]: received control channel command 'flush'
Nov 17 00:34:53 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied
Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#50811 (ne-vlezay80): transfer of 'ne


On the OpenBSD router unbound is running, and it forwards queries for this zone to an nsd server.
The most interesting part is that on other machines, which run Linux and named, this does not happen.
In tcpdump you can see that unbound, for some reason, sends an empty reply to the query.

Here is the unbound config:


# $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $

server:
    interface: 0.0.0.0@53
    interface: ::@53
    #interface: 127.0.0.1@5353    # listen on alternative port
    #interface: ::1
    #do-ip6: no

    do-not-query-localhost: no
    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    #access-control-view: 0.0.0.0/0 global
    #access-control-view: ::/0 global
    access-control-view: 127.0.0.0/8 local
    access-control-view: 198.18.a.0/24 local
    access-control-view: 198.18.b.0/24 local

    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 198.18.53.0/24 allow_snoop
    access-control: 198.18.50.12 allow_snoop
    access-control: 198.18.51.3 allow_snoop
    access-control: 2a01:d0:xxxx:8::12/128 allow_snoop
    access-control: 2a01:d0:xxxx:9::4 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

    # Uncomment to enable DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    #val-log-level: 2

    # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
    # https://tools.ietf.org/html/rfc8198
    #
    #aggressive-nsec: yes

    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
    #local-zone: "2.0.192.in-addr.arpa." static
    #local-data-ptr: "192.0.2.51 mycomputer.local"

    # UDP EDNS reassembly buffer advertised to peers. Default 4096.
    # May need lowering on broken networks with fragmentation/MTU issues,
    # particularly if validating DNSSEC.
    #
    #edns-buffer-size: 1480

    # Use TCP for "forward-zone" requests. Useful if you are making
    # DNS requests over an SSH port forwarding.
    #
    #tcp-upstream: yes

    # CA Certificates used for forward-tls-upstream (RFC7858) hostname
    # verification.  Since it's outside the chroot it is only loaded at
    # startup and thus cannot be changed via a reload.
    #tls-cert-bundle: "/etc/ssl/cert.pem"

    local-zone: "ne-vlezay80." transparent
    local-zone: "13.18.198.in-addr.arpa." transparent

    stub-zone:
        name: "bsd.ne-vlezay80."
        stub-addr: 127.0.0.1@1122


    stub-zone:
        name: "53.18.198.in-addr.arpa."
        stub-addr: 127.0.0.1@1122

view:
    name: "local"

    local-zone: "." transparent

    stub-zone:
        name: "ne-vlezay80."
        stub-addr: 198.18.50.12

    stub-zone:
        name: "bsd.ne-vlezay80."
        stub-addr: 127.0.0.1@1122

    stub-zone:
        name: "53.18.198.in-addr.arpa."
        stub-addr: 127.0.0.1@1122

    forward-zone:
        name: "."
        forward-addr: 1.1.1.1
        forward-first: yes

#stub-zone:
#    name: "."
#    stub-addr: 0.0.0.0

#local-zone: "." static

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#    name: "."                # use for ALL queries
#    forward-addr: 192.0.2.53        # example address only
#    forward-first: yes            # try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes        # use DNS-over-TLS forwarder
#    forward-first: no            # do NOT send direct
#    # the hostname after "#" is not a comment, it is used for TLS checks:
#    forward-addr: 192.0.2.53@853#resolver.hostname.example

11 hours ago, ne-vlezay80 said:

Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied

I would also uncomment the EDNS buffer size and set it to 1400.

Then turn on logging and read it.


My network has an MTU of 9000 bytes.

I mean these:

Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53

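As an added example (not from the thread or from any of the posters), here is a small Python parser for the BIND "lame server resolving" messages quoted above: it counts which delegated server is reported lame per zone and separates apex lameness (the zone name itself being reported, as in the second batch of lines) from a single name inside the zone. The sample lines are copied from the thread's log; the function names are my own.

```python
import re
from collections import defaultdict

# BIND "lame server" message, in the format shown in the named log above.
LAME_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"lame server resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[^#\s]+)#(?P<port>\d+)$"
)

def parse_lame(line):
    """Return a dict for a 'lame server resolving' line, or None for any other line."""
    m = LAME_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # Apex lameness: the server is not authoritative for the zone name itself.
    rec["apex"] = rec["qname"].rstrip(".") == rec["zone"].rstrip(".")
    return rec

def summarize_lame(lines):
    """Count lame reports per zone and per reported server: {zone: {server: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_lame(line)
        if rec:
            counts[rec["zone"]][rec["server"]] += 1
    return {zone: dict(servers) for zone, servers in counts.items()}

def apex_lame_servers(lines):
    """Set of (zone, server) pairs that were reported lame for the zone apex itself."""
    return {(r["zone"], r["server"]) for r in map(parse_lame, lines) if r and r["apex"]}

# Sample lines copied from the named log in the thread (xxxx is the poster's redaction).
SAMPLE_LOG = [
    "Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53",
    "Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53",
    "Nov 17 00:33:36 localhost named[1391]: received control channel command 'flush'",
    "Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53",
    "Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53",
    "Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied",
]

if __name__ == "__main__":
    for zone, servers in summarize_lame(SAMPLE_LOG).items():
        print(zone, sorted(servers.items()))
    print("lame at zone apex:", sorted(apex_lame_servers(SAMPLE_LOG)))
```

A server that shows up as lame for the apex is the one whose authoritative answer (AA flag) for the delegated zone should be checked first.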
