AWS Route53 区域委托给内部数据中心名称服务器
AWS Route53 Zone Delegation to internal datacenter nameservers
我正在尝试将 public 域的子区域委托给内部 dns 服务器,但是正常查询没有返回任何答案,但是当我进行跟踪时,我发现 dig 确实得到了 A我正在寻找的记录。
这是我从挖掘中发现的:
ubuntu@i-047646595b6398229:~$ dig svr-01.dc01.int.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> svr-01.dc01.int.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN A
;; Query time: 24 msec
;; SERVER: 10.170.160.130#53(10.170.160.130)
;; WHEN: Fri Nov 10 12:46:51 UTC 2017
;; MSG SIZE rcvd: 56
这是痕迹:
ubuntu@i-047646595b6398229:~$ dig +trace svr-01.dc01.int.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace svr-01.dc01.int.example.com
;; global options: +cmd
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
;; Received 239 bytes from 10.170.160.130#53(10.170.160.130) in 0 ms
cc. 172800 IN NS ac1.nstld.com.
cc. 172800 IN NS ac2.nstld.com.
cc. 172800 IN NS ac3.nstld.com.
cc. 172800 IN NS ac4.nstld.com.
cc. 86400 IN DS 519 8 1 7285EF05E1B4E679D4F072EEA9B00953E01F3AE2
cc. 86400 IN DS 519 8 2 E1EC6495ABD34562E6F433DEE201E6C6A52CB10AF69C04D675DA692D 2D566897
cc. 86400 IN RRSIG DS 8 1 86400 20171123050000 20171110040000 46809 . kKdntWttTE8k6NOuX+WI2evpRSYwf96pIjsY+tQQkJQm8hrlYQ+uVc8k FJJFott3Ay5nEsDF4lgHD2IRhFwa4MeoFhwlcf7JsrGhZim6l4YMAMP9 FtxfGAJZH7tpzWAyjlL1zxoWoKlCaaAhrOins/zjrhM2vtlrc8LUGgTH Jvx1yQJlGxRShqeH+0CwGtIVeTiC9ZCT1FjW8OHKrzz9NmzrlN8HkB8n rx8zg+Ou7V5dxHwfJkAjxJtxNzIKqIBFoEjEHiG4FSjOmvpA0dsOwNCp yPhKlKM04dNtqDOLcO4b4Nk0Od1HSkLlSxpL66AG2Z0Wa8yW/ie+VC6e O24rvg==
;; Received 684 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 5 ms
example.com. 172800 IN NS ns-1534.awsdns-63.org.
example.com. 172800 IN NS ns-1596.awsdns-07.co.uk.
example.com. 172800 IN NS ns-892.awsdns-47.net.
example.com. 172800 IN NS ns-128.awsdns-16.com.
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN NSEC3 1 1 0 - RRSUVU26OKK7UMMCD1PS20R9D7CKMGL2 NS SOA RRSIG DNSKEY NSEC3PARAM
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN RRSIG NSEC3 8 2 86400 20171117090422 20171110090422 17360 cc. VWYfVQ17+bTxzgoOvbbxNf9i182V7YGSdRQAtHQ8UW6lGzhZblakIIDt i+scqEtYIJ71zpBZLDBKKh4Um6FU+d4W6dzCK4k/MmG7i3wDd2p5IfRr +Jb2V37ZRIMRXywba5ncbAvzwkkYHwdAp9H2+8pjCnK4yRJiT5LLL7jD lUo=
FTN65A4J3744VIBAAS976RBJOD2EV3AV.cc. 86400 IN NSEC3 1 1 0 - G012ESBJCNN8FQ9BK2UCR2M7LD2LINS8 NS DS RRSIG
FTN65A4J3744VIBAAS976RBJOD2EV3AV.cc. 86400 IN RRSIG NSEC3 8 2 86400 20171116174512 20171109174512 17360 cc. bL8TB0XAWA1mShJQ6Ln8KRjkQL9+08h2WeFoNFYAUinu3jdKuDcoOXbr 1ouyeW6KaETy0VHJc6p5RMGPbc6UHDwDtt1daDCWTv2YksfdD8wXDdbG lFzwC7pAzZemL2NCucaiJclFiH7E93Pb6eDUp2YgHMygQrJo52ogNbm1 P70=
;; Received 679 bytes from 192.42.173.30#53(ac1.nstld.com) in 2 ms
dc01.int.example.com. 30 IN NS 192.168.111.201.
dc01.int.example.com. 30 IN NS 192.168.111.202.
;; Received 114 bytes from 205.251.192.128#53(ns-128.awsdns-16.com) in 8 ms
svr-01.dc01.int.example.com. 300 IN A 192.168.111.1
int.example.com. 300 IN NS dns-01.dc01.int.example.com.
int.example.com. 300 IN NS dns-02.dc01.int.example.com.
;; Received 146 bytes from 192.168.111.201#53(192.168.111.201) in 14 ms
正如您在上面看到的,我要查找的 A 记录就在那里:svr-01.dc01.int.example.com。 300 输入 A 192.168.111.1
只是为了展示我可以直接查询这些内部服务器:
ubuntu@i-047646595b6398229:~$ dig any svr-01.dc01.int.example.com @192.168.111.202
; <<>> DiG 9.10.3-P4-Ubuntu <<>> any svr-01.dc01.int.example.com @192.168.111.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN ANY
;; ANSWER SECTION:
svr-01.dc01.int.example.com. 300 IN A 192.168.111.1
;; AUTHORITY SECTION:
int.example.com. 300 IN NS dns-02.dc01.int.example.com.
int.example.com. 300 IN NS dns-01.dc01.int.example.com.
;; ADDITIONAL SECTION:
dns-01.dc01.int.example.com. 300 IN A 192.168.111.201
dns-02.dc01.int.example.com. 300 IN A 192.168.111.202
;; Query time: 14 msec
;; SERVER: 192.168.111.202#53(192.168.111.202)
;; WHEN: Fri Nov 10 12:48:50 UTC 2017
;; MSG SIZE rcvd: 146
ubuntu@i-047646595b6398229:~$
直接查询aws:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> svr-01.dc01.int.example.com @10.170.160.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60483
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN A
;; Query time: 1482 msec
;; SERVER: 10.170.160.130#53(10.170.160.130)
;; WHEN: Fri Nov 10 15:29:33 UTC 2017
;; MSG SIZE rcvd: 56
为了使 AWS 递归解析器能够跟随您的委托,它需要能够访问您的子域的权威 DNS 服务器,这是它做不到的...因为它们不是可通过 public 互联网访问。
出于同样的原因,8.8.8.8 也无法解析查询。当您要求递归解析器进行查找时,它需要能够遍历整个路径,否则就会失败。
使用 dig +trace 成功,因为带有 dig 的机器可以访问它恰好所在的私人服务器 运行。
没有想到这个问题的解决方案 -- VPC 解析器假定所有内容(私有托管区域除外)都可以通过 Internet 访问。
请注意,此问题与父区域恰好托管在 Route 53 中这一事实无关。无论父区域托管在何处,该问题都是相同的。
我正在尝试将 public 域的子区域委托给内部 dns 服务器,但是正常查询没有返回任何答案,但是当我进行跟踪时,我发现 dig 确实得到了 A我正在寻找的记录。
这是我从挖掘中发现的:
ubuntu@i-047646595b6398229:~$ dig svr-01.dc01.int.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> svr-01.dc01.int.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN A
;; Query time: 24 msec
;; SERVER: 10.170.160.130#53(10.170.160.130)
;; WHEN: Fri Nov 10 12:46:51 UTC 2017
;; MSG SIZE rcvd: 56
这是痕迹:
ubuntu@i-047646595b6398229:~$ dig +trace svr-01.dc01.int.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace svr-01.dc01.int.example.com
;; global options: +cmd
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
;; Received 239 bytes from 10.170.160.130#53(10.170.160.130) in 0 ms
cc. 172800 IN NS ac1.nstld.com.
cc. 172800 IN NS ac2.nstld.com.
cc. 172800 IN NS ac3.nstld.com.
cc. 172800 IN NS ac4.nstld.com.
cc. 86400 IN DS 519 8 1 7285EF05E1B4E679D4F072EEA9B00953E01F3AE2
cc. 86400 IN DS 519 8 2 E1EC6495ABD34562E6F433DEE201E6C6A52CB10AF69C04D675DA692D 2D566897
cc. 86400 IN RRSIG DS 8 1 86400 20171123050000 20171110040000 46809 . kKdntWttTE8k6NOuX+WI2evpRSYwf96pIjsY+tQQkJQm8hrlYQ+uVc8k FJJFott3Ay5nEsDF4lgHD2IRhFwa4MeoFhwlcf7JsrGhZim6l4YMAMP9 FtxfGAJZH7tpzWAyjlL1zxoWoKlCaaAhrOins/zjrhM2vtlrc8LUGgTH Jvx1yQJlGxRShqeH+0CwGtIVeTiC9ZCT1FjW8OHKrzz9NmzrlN8HkB8n rx8zg+Ou7V5dxHwfJkAjxJtxNzIKqIBFoEjEHiG4FSjOmvpA0dsOwNCp yPhKlKM04dNtqDOLcO4b4Nk0Od1HSkLlSxpL66AG2Z0Wa8yW/ie+VC6e O24rvg==
;; Received 684 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 5 ms
example.com. 172800 IN NS ns-1534.awsdns-63.org.
example.com. 172800 IN NS ns-1596.awsdns-07.co.uk.
example.com. 172800 IN NS ns-892.awsdns-47.net.
example.com. 172800 IN NS ns-128.awsdns-16.com.
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN NSEC3 1 1 0 - RRSUVU26OKK7UMMCD1PS20R9D7CKMGL2 NS SOA RRSIG DNSKEY NSEC3PARAM
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN RRSIG NSEC3 8 2 86400 20171117090422 20171110090422 17360 cc. VWYfVQ17+bTxzgoOvbbxNf9i182V7YGSdRQAtHQ8UW6lGzhZblakIIDt i+scqEtYIJ71zpBZLDBKKh4Um6FU+d4W6dzCK4k/MmG7i3wDd2p5IfRr +Jb2V37ZRIMRXywba5ncbAvzwkkYHwdAp9H2+8pjCnK4yRJiT5LLL7jD lUo=
FTN65A4J3744VIBAAS976RBJOD2EV3AV.cc. 86400 IN NSEC3 1 1 0 - G012ESBJCNN8FQ9BK2UCR2M7LD2LINS8 NS DS RRSIG
FTN65A4J3744VIBAAS976RBJOD2EV3AV.cc. 86400 IN RRSIG NSEC3 8 2 86400 20171116174512 20171109174512 17360 cc. bL8TB0XAWA1mShJQ6Ln8KRjkQL9+08h2WeFoNFYAUinu3jdKuDcoOXbr 1ouyeW6KaETy0VHJc6p5RMGPbc6UHDwDtt1daDCWTv2YksfdD8wXDdbG lFzwC7pAzZemL2NCucaiJclFiH7E93Pb6eDUp2YgHMygQrJo52ogNbm1 P70=
;; Received 679 bytes from 192.42.173.30#53(ac1.nstld.com) in 2 ms
dc01.int.example.com. 30 IN NS 192.168.111.201.
dc01.int.example.com. 30 IN NS 192.168.111.202.
;; Received 114 bytes from 205.251.192.128#53(ns-128.awsdns-16.com) in 8 ms
svr-01.dc01.int.example.com. 300 IN A 192.168.111.1
int.example.com. 300 IN NS dns-01.dc01.int.example.com.
int.example.com. 300 IN NS dns-02.dc01.int.example.com.
;; Received 146 bytes from 192.168.111.201#53(192.168.111.201) in 14 ms
正如您在上面看到的,我要查找的 A 记录就在那里:svr-01.dc01.int.example.com。 300 输入 A 192.168.111.1
只是为了展示我可以直接查询这些内部服务器:
ubuntu@i-047646595b6398229:~$ dig any svr-01.dc01.int.example.com @192.168.111.202
; <<>> DiG 9.10.3-P4-Ubuntu <<>> any svr-01.dc01.int.example.com @192.168.111.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN ANY
;; ANSWER SECTION:
svr-01.dc01.int.example.com. 300 IN A 192.168.111.1
;; AUTHORITY SECTION:
int.example.com. 300 IN NS dns-02.dc01.int.example.com.
int.example.com. 300 IN NS dns-01.dc01.int.example.com.
;; ADDITIONAL SECTION:
dns-01.dc01.int.example.com. 300 IN A 192.168.111.201
dns-02.dc01.int.example.com. 300 IN A 192.168.111.202
;; Query time: 14 msec
;; SERVER: 192.168.111.202#53(192.168.111.202)
;; WHEN: Fri Nov 10 12:48:50 UTC 2017
;; MSG SIZE rcvd: 146
ubuntu@i-047646595b6398229:~$
直接查询aws:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> svr-01.dc01.int.example.com @10.170.160.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60483
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;svr-01.dc01.int.example.com. IN A
;; Query time: 1482 msec
;; SERVER: 10.170.160.130#53(10.170.160.130)
;; WHEN: Fri Nov 10 15:29:33 UTC 2017
;; MSG SIZE rcvd: 56
为了使 AWS 递归解析器能够跟随您的委托,它需要能够访问您的子域的权威 DNS 服务器,这是它做不到的...因为它们不是可通过 public 互联网访问。
出于同样的原因,8.8.8.8 也无法解析查询。当您要求递归解析器进行查找时,它需要能够遍历整个路径,否则就会失败。
使用 dig +trace 成功,因为带有 dig 的机器可以访问它恰好所在的私人服务器 运行。
没有想到这个问题的解决方案 -- VPC 解析器假定所有内容(私有托管区域除外)都可以通过 Internet 访问。
请注意,此问题与父区域恰好托管在 Route 53 中这一事实无关。无论父区域托管在何处,该问题都是相同的。