
DNS zone going down

We have a router running OpenBSD to which the zone bsd.ne-vlezay80 is delegated.

Sometimes the zone stops answering; when that happens, the logs on the main server show the following:

Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:33:36 localhost named[1391]: received control channel command 'flush'
Nov 17 00:33:36 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:33:38 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:40 localhost named[1391]: received control channel command 'flush'
Nov 17 00:34:40 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:34:53 localhost named[1391]: received control channel command 'flush'
Nov 17 00:34:53 localhost named[1391]: flushing caches in all views succeeded
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied
Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#50811 (ne-vlezay80): transfer of 'ne


On the OpenBSD router, unbound is running and forwards queries for this zone to an nsd server.
The most interesting thing is that on other machines, running Linux and named, this does not happen.
tcpdump shows that unbound, for some reason, sends an empty response to the query.

Here is the unbound config:


# $OpenBSD: unbound.conf,v 1.17 2019/08/25 15:50:21 ajacoutot Exp $

server:
    interface: 0.0.0.0@53
    interface: ::@53
    #interface: 127.0.0.1@5353    # listen on alternative port
    #interface: ::1
    #do-ip6: no

    do-not-query-localhost: no
    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    #access-control-view: 0.0.0.0/0 global
    #access-control-view: ::/0 global
    access-control-view: 127.0.0.0/8 local
    access-control-view: 198.18.a.0/24 local
    access-control-view: 198.18.b.0/24 local

    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 198.18.53.0/24 allow_snoop
    access-control: 198.18.50.12 allow_snoop
    access-control: 198.18.51.3 allow_snoop
    access-control: 2a01:d0:xxxx:8::12/128 allow_snoop
    access-control: 2a01:d0:xxxx:9::4 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

    # Uncomment to enable DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    #val-log-level: 2

    # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
    # https://tools.ietf.org/html/rfc8198
    #
    #aggressive-nsec: yes

    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
    #local-zone: "2.0.192.in-addr.arpa." static
    #local-data-ptr: "192.0.2.51 mycomputer.local"

    # UDP EDNS reassembly buffer advertised to peers. Default 4096.
    # May need lowering on broken networks with fragmentation/MTU issues,
    # particularly if validating DNSSEC.
    #
    #edns-buffer-size: 1480

    # Use TCP for "forward-zone" requests. Useful if you are making
    # DNS requests over an SSH port forwarding.
    #
    #tcp-upstream: yes

    # CA Certificates used for forward-tls-upstream (RFC7858) hostname
    # verification.  Since it's outside the chroot it is only loaded at
    # startup and thus cannot be changed via a reload.
    #tls-cert-bundle: "/etc/ssl/cert.pem"

    local-zone: "ne-vlezay80." transparent
    local-zone: "13.18.198.in-addr.arpa." transparent

    stub-zone:
        name: "bsd.ne-vlezay80."
        stub-addr: 127.0.0.1@1122


    stub-zone:
        name: "53.18.198.in-addr.arpa."
        stub-addr: 127.0.0.1@1122

view:
    name: "local"

    local-zone: "." transparent

    stub-zone:
        name: "ne-vlezay80."
        stub-addr: 198.18.50.12

    stub-zone:
        name: "bsd.ne-vlezay80."
        stub-addr: 127.0.0.1@1122

    stub-zone:
        name: "53.18.198.in-addr.arpa."
        stub-addr: 127.0.0.1@1122

    forward-zone:
        name: "."
        forward-addr: 1.1.1.1
        forward-first: yes


#stub-zone:
#    name: "."
#    stub-addr: 0.0.0.0

#local-zone: "." static

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#    name: "."                # use for ALL queries
#    forward-addr: 192.0.2.53        # example address only
#    forward-first: yes            # try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes        # use DNS-over-TLS forwarder
#    forward-first: no            # do NOT send direct
#    # the hostname after "#" is not a comment, it is used for TLS checks:
#    forward-addr: 192.0.2.53@853#resolver.hostname.example

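An added example, not from the thread, that parses the named(8) "lame server" and "query denied" lines quoted above and tallies, per zone, which delegated nameservers failed to answer authoritatively. The sample lines are copied from the post; the xxxx in the IPv6 addresses is the poster's own masking.

```python
import re
from collections import defaultdict

# Message shapes from named(8) as they appear in the thread: a "lame server" report
# names the zone being resolved and the nameserver that did not answer
# authoritatively for it; a "denied" line records a query the server refused.
LAME_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named\[\d+\]: lame server resolving "
    r"'(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): (?P<server>\S+)#\d+$"
)
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named\[\d+\]: client (?P<client>\S+)#\d+ "
    r"\((?P<qname>[^)]*)\): query '(?P<query>[^']+)' denied$"
)

def parse_named_log(lines):
    """Return (kind, fields) for every recognised line; unknown lines are skipped."""
    events = []
    for line in lines:
        for kind, rx in (("lame", LAME_RE), ("denied", DENIED_RE)):
            m = rx.match(line.strip())
            if m:
                events.append((kind, m.groupdict()))
                break
    return events

def lame_servers_by_zone(events):
    """zone -> {server: number of lame reports}. Every server listed here was
    asked for the zone but did not answer authoritatively for it."""
    out = defaultdict(lambda: defaultdict(int))
    for kind, f in events:
        if kind == "lame":
            out[f["zone"]][f["server"]] += 1
    return {zone: dict(srv) for zone, srv in out.items()}

# Constructed sample: lines copied from the thread (xxxx is the poster's masking).
SAMPLE = """\
Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:33:19 localhost named[1391]: lame server resolving 'ws.bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:33:36 localhost named[1391]: received control channel command 'flush'
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied
"""

if __name__ == "__main__":
    ev = parse_named_log(SAMPLE.splitlines())
    for zone, servers in lame_servers_by_zone(ev).items():
        print(zone, "lame on:", ", ".join(f"{s} x{n}" for s, n in servers.items()))
```

Both delegated addresses of bsd.ne-vlezay80 show up as lame at the same moments, which points at the unbound/nsd side on the router rather than at one broken nameserver.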

11 hours ago, ne-vlezay80 said:

Nov 17 00:40:05 localhost named[1391]: client 2a01:d0:xxxx:81:100::2#52361 (ne-vlezay80): query 'ne-vlezay80/SOA/IN' denied

I would also uncomment the EDNS size and set it to 1400.

After that, turn on logging and read it.


My network has a 9000-byte MTU.


I mean these:

Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 2a01:d0:xxxx:10::2#53
Nov 17 00:34:56 localhost named[1391]: lame server resolving 'bsd.ne-vlezay80' (in 'bsd.ne-vlezay80'?): 198.18.52.2#53
