
Domain name does not resolve in BIND9

Today Google services suddenly stopped working.

On the BIND9 DNS server (10.1.128.11) I get this:

# nslookup apis.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find apis.google.com: NXDOMAIN

And Unbound (10.1.128.12) returns an alias:

# nslookup apis.google.com
;; Got SERVFAIL reply from 10.1.128.11, trying next server
Server:         10.1.128.12
Address:        10.1.128.12#53

Non-authoritative answer:
apis.google.com canonical name = plus.l.google.com.

But plus.l.google.com itself already gives no-answer.

Why is that, any guesses?


The answer section there is very large, it doesn't fit into UDP. host warns about this:

% host apis.google.com
apis.google.com is an alias for plus.l.google.com.
plus.l.google.com is an alias for plus-wide.l.google.com.
plus-wide.l.google.com has address 74.125.28.100
plus-wide.l.google.com has address 74.125.28.101
plus-wide.l.google.com has address 74.125.28.102
plus-wide.l.google.com has address 74.125.28.113
plus-wide.l.google.com has address 74.125.28.138
plus-wide.l.google.com has address 74.125.28.139
plus-wide.l.google.com has address 74.125.30.100
plus-wide.l.google.com has address 74.125.30.101
plus-wide.l.google.com has address 74.125.30.102
plus-wide.l.google.com has address 74.125.30.113
plus-wide.l.google.com has address 74.125.30.138
plus-wide.l.google.com has address 74.125.30.139
plus-wide.l.google.com has address 74.125.193.100
plus-wide.l.google.com has address 74.125.193.101
plus-wide.l.google.com has address 74.125.193.102
plus-wide.l.google.com has address 74.125.193.113
plus-wide.l.google.com has address 74.125.193.138
plus-wide.l.google.com has address 74.125.193.139
;; Truncated, retrying in TCP mode.
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::66
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::71
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::8a
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::8b
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::64
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::65
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::66
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::71
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::8a
plus-wide.l.google.com has IPv6 address 2607:f8b0:4003:c03::8b
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::64
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::65
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::66
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::71
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::8a
plus-wide.l.google.com has IPv6 address 2607:f8b0:400e:c04::8b
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::64
plus-wide.l.google.com has IPv6 address 2607:f8b0:4001:c05::65

Maybe 53/tcp is filtered on your side?


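An added illustration of the truncation point raised in the post above (not code from the thread): it builds DNS responses on the wire and shows why 18 A records fit in a classic 512-byte UDP reply while 18 AAAA records do not, and what the client sees if 53/tcp is filtered. Assumptions: no EDNS0, the CNAME chain is left out, a truncated reply is modelled as an empty answer with the TC bit set, and the addresses are constructed from documentation ranges.

```python
import ipaddress
import struct

UDP_LIMIT = 512  # classic DNS/UDP message limit when EDNS0 is not negotiated
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, qtype, rdata_list, tc=False):
    """Header + question + answers; each owner name is a 2-byte compression
    pointer (0xC00C) back to the question name at offset 12."""
    flags = 0x8180 | (0x0200 if tc else 0)  # QR|RD|RA, plus TC when truncated
    msg = struct.pack("!6H", 0x1234, flags, 1, len(rdata_list), 0, 0)
    msg += encode_name(qname) + struct.pack("!2H", qtype, 1)
    for rdata in rdata_list:
        msg += struct.pack("!3HIH", 0xC00C, qtype, 1, 240, len(rdata)) + rdata
    return msg

def is_truncated(msg):
    """True when the TC bit (0x0200) is set in the header flags."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def answer_count(msg):
    """ANCOUNT field of the DNS header."""
    return struct.unpack("!H", msg[6:8])[0]

def udp_reply(qname, qtype, rdata_list):
    """Server side over UDP: full message if it fits, else empty answer with TC."""
    full = build_response(qname, qtype, rdata_list)
    return full if len(full) <= UDP_LIMIT else build_response(qname, qtype, [], tc=True)

def resolve(qname, qtype, rdata_list, tcp_allowed):
    """Client side: use the UDP reply, retry over TCP when TC is set."""
    reply = udp_reply(qname, qtype, rdata_list)
    if not is_truncated(reply):
        return "udp", answer_count(reply)
    if tcp_allowed:
        return "tcp", answer_count(build_response(qname, qtype, rdata_list))
    return "failed", 0

# Constructed sample data: 18 A and 18 AAAA records, the counts in the host output.
NAME = "plus-wide.l.google.com"
A_SET = [ipaddress.ip_address(f"192.0.2.{i}").packed for i in range(1, 19)]
AAAA_SET = [ipaddress.ip_address(f"2001:db8::{i:x}").packed for i in range(1, 19)]

if __name__ == "__main__":
    for label, qtype, rrset in (("A", TYPE_A, A_SET), ("AAAA", TYPE_AAAA, AAAA_SET)):
        size = len(build_response(NAME, qtype, rrset))
        print(label, size, resolve(NAME, qtype, rrset, True), resolve(NAME, qtype, rrset, False))
```

The AAAA case matches where `;; Truncated, retrying in TCP mode.` appears in the host output: the A set is answered over UDP, the AAAA set needs the TCP retry.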
No, it's something else here.

% nslookup apis.google.com 10.1.128.12
Server:         10.1.128.12
Address:        10.1.128.12#53

Non-authoritative answer:
apis.google.com canonical name = plus.l.google.com.

alibek@srv-svc02:~ % nslookup apis.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
apis.google.com canonical name = plus.l.google.com.
Name:   plus.l.google.com
Address: 173.194.71.101
Name:   plus.l.google.com
Address: 173.194.71.139
Name:   plus.l.google.com
Address: 173.194.71.100
Name:   plus.l.google.com
Address: 173.194.71.113
Name:   plus.l.google.com
Address: 173.194.71.138
Name:   plus.l.google.com
Address: 173.194.71.102

% nslookup plus.l.google.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   plus.l.google.com
Address: 74.125.143.139
Name:   plus.l.google.com
Address: 74.125.143.101
Name:   plus.l.google.com
Address: 74.125.143.138
Name:   plus.l.google.com
Address: 74.125.143.102
Name:   plus.l.google.com
Address: 74.125.143.113
Name:   plus.l.google.com
Address: 74.125.143.100

alibek@srv-svc02:~ % nslookup plus.l.google.com 10.1.128.12
Server:         10.1.128.12
Address:        10.1.128.12#53

Non-authoritative answer:
*** Can't find plus.l.google.com: No answer

If the cause were the firewall, the answers from 8.8.8.8 would be filtered too.

For some reason the cache's answer differs from that of 8.8.8.8.

But if I set forwarding to 8.8.8.8 for the google.com zone in the configuration, then the answers from the cache are normal.

But I wouldn't want to leak user queries to Google.

For now I have temporarily configured forwarding for the google.com zone on both servers.

But I'd like to figure out what caused this failure to surface today.


The same problem is observed on all DNS servers (bind, unbound).

plus.l.google.com - silence

plus-wide.l.google.com - resolves without problems.


> If the cause were the firewall, the answers from 8.8.8.8 would be filtered too.

8.8.8.8 gives a short answer.

By the way, now it's already like this:

% dig any plus.l.google.com.

; <<>> DiG 9.8.7 <<>> any plus.l.google.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55337
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;plus.l.google.com. IN ANY

;; ANSWER SECTION:
plus.l.google.com. 8 IN AAAA 2a00:1450:4010:c07::71
plus.l.google.com. 238 IN A 145.255.14.24
plus.l.google.com. 238 IN A 145.255.14.25
plus.l.google.com. 238 IN A 145.255.14.29
plus.l.google.com. 238 IN A 145.255.14.30
plus.l.google.com. 238 IN A 145.255.14.34
plus.l.google.com. 238 IN A 145.255.14.35
plus.l.google.com. 238 IN A 145.255.14.39
plus.l.google.com. 238 IN A 145.255.14.40
plus.l.google.com. 238 IN A 145.255.14.44
plus.l.google.com. 238 IN A 145.255.14.45
plus.l.google.com. 238 IN A 145.255.14.49
plus.l.google.com. 238 IN A 145.255.14.50
plus.l.google.com. 238 IN A 145.255.14.54
plus.l.google.com. 238 IN A 145.255.14.55
plus.l.google.com. 238 IN A 145.255.14.59
plus.l.google.com. 238 IN A 145.255.14.20

;; Query time: 0 msec
;; SERVER: 81.30.x.x#53(81.30.x.x)
;; WHEN: Mon Dec 22 15:39:11 YEKT 2014
;; MSG SIZE rcvd: 319

And at 8.8.8.8 it's like this:

% dig any plus.l.google.com. @8.8.8.8

; <<>> DiG 9.8.7 <<>> any plus.l.google.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16768
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;plus.l.google.com. IN ANY

;; ANSWER SECTION:
plus.l.google.com. 240 IN A 145.255.14.59
plus.l.google.com. 240 IN A 145.255.14.35
plus.l.google.com. 240 IN A 145.255.14.34
plus.l.google.com. 240 IN A 145.255.14.44
plus.l.google.com. 240 IN A 145.255.14.54
plus.l.google.com. 240 IN A 145.255.14.29
plus.l.google.com. 240 IN A 145.255.14.20
plus.l.google.com. 240 IN A 145.255.14.30
plus.l.google.com. 240 IN A 145.255.14.24
plus.l.google.com. 240 IN A 145.255.14.39
plus.l.google.com. 240 IN A 145.255.14.40
plus.l.google.com. 240 IN A 145.255.14.45
plus.l.google.com. 240 IN A 145.255.14.50
plus.l.google.com. 240 IN A 145.255.14.49
plus.l.google.com. 240 IN A 145.255.14.25
plus.l.google.com. 240 IN A 145.255.14.55

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 22 15:39:49 YEKT 2014
;; MSG SIZE rcvd: 291

Already without plus-wide.l.google.com. Apparently the experiment turned out to be unsuccessful.


> Already without plus-wide.l.google.com. Apparently the experiment turned out to be unsuccessful.

Apparently so. Now plus.l.google.com resolves, and the output looks like that of plus-wide.l.google.com from this morning.


Runet users complained about the unavailability of Google services.

For me only plus.google.com doesn't resolve (no answer). This is on PDNS. BIND9 running in parallel resolves fine %)


Did Google roll out a botched patch for DNS recursion shaping?

P.S. I also added a forward zone... And I don't understand why a host query from the server works, but it doesn't answer bind.
