权威服务器
权威服务器是保存 DNS 名称记录(包括 A、AAAA 和 CNAME)的服务器,简单地说,DNS 记录归它管。非权威服务器根据以前的域名查询来构建缓存文件。它不存放原始名称记录。我们平时使用的如腾讯 DNS (119.29.29.29)、114 DNS (114.114.114.114)均是非权威服务器,负责转发查询与缓存 DNS 记录。
在上一篇《网站安全的一点思考》探究的过程中,我们通过 Wireshark 抓包了解了 DNS 递归查询过程,概述如下:
查询时会携带期望得到的记录,如正常查询时会请求对应域名的 A 记录。
客户端会首先查询根域名服务器列表,并从中选择一个;此后,它向所有遇到的服务器查询
sunnysab.cn所对应的 A 记录。根域名服务器自然不知道,于是返回了cn对应的名称服务器(NS 记录)a.dns.cn、b.dns.cn等等;紧接着,它向a.dns.cn查询sunnysab.cn所对应A的记录,以此类推。接第二条,如果我查询一个三级域名,如
a.b.example.com,就要看哪一级别的名称服务器存储了对应的记录。
看上去,权威服务器一般为该层级的 NS 记录,并被上一层域名所知。如,cn. 这一层级知晓 sunnysab.cn. 的 NS 记录并能向查询者返回它。其实,这是由域名注册商(domain name registrar)向域名注册管理局(也称注册局,domain name registry)登记的,且一般 TTL 较长。
那么,怎样自己搭建域名解析服务呢?
抓包分析
我们不妨通过抓包来回顾一下整个过程,以下的数据是我在完成配置后所截。由于数据包过多不便于截图,这里以文本方式引用抓包数据。其中,desktop.lan 是我的笔记本名称,dns.google 是 Google DNS (8.8.8.8)的名称,XiaoQiang.lan 是路由器的名称。路由器内的网段为 192.168.31.0/24。
实验时执行的命令为:
dig +trace dorm.host.sunnysab.cn @8.8.8.8
由于打开了 +trace 选项,dig 工具将尝试迭代查询过程。
+[no]trace
This option toggles tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It follows referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
If @server is also specified, it affects only the initial query for the root zone name servers.
+dnssec is also set when +trace is set, to better emulate the default queries from a name server.
抓包内容:
| 序号 | 时间戳 | 源 | 目标 | 协议 | 大小 | 摘要 |
|---|---|---|---|---|---|---|
| 1. 查询根域名服务器列表,并得到对应的 IP 地址 | ||||||
| 1 | 0 | desktop.lan | dns.google | DNS | 82 | Standard query 0xbf88 NS |
| 2 | 0.064575467 | dns.google | desktop.lan | DNS | 567 | Standard query response 0xbf88 NS |
| 3 | 0.066227105 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x7845 A e.root-servers.net |
| 4 | 0.066250139 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xe45a AAAA e.root-servers.net |
| 5 | 0.07043768 | XiaoQiang.lan | desktop.lan | DNS | 105 | Standard query response 0x7845 A e.root-servers.net A 192.203.230.10 OPT |
| 6 | 0.071267312 | XiaoQiang.lan | desktop.lan | DNS | 856 | Standard query response 0xe45a AAAA e.root-servers.net AAAA 2001:500:a8::e NS m.root-servers.net NS e.root-servers.net NS a.root-servers.net NS i.root-servers.net NS c.root-servers.net NS d.root-servers.net NS f.root-servers.net NS b.root-servers.net NS g.root-servers.net NS k.root-servers.net NS j.root-servers.net NS h.root-servers.net NS l.root-servers.net A 192.33.4.12 A 193.0.14.129 A 192.36.148.17 A 202.12.27.33 A 192.203.230.10 A 192.112.36.4 A 192.5.5.241 A 199.9.14.201 A 199.7.91.13 A 198.97.190.53 A 192.58.128.30 A 198.41.0.4 A 199.7.83.42 AAAA 2001:500:2::c AAAA 2001:7fd::1 AAAA 2001:7fe::53 AAAA 2001:dc3::35 AAAA 2001:500:12::d0d AAAA 2001:500:2f::f AAAA 2001:500:200::b AAAA 2001:500:2d::d AAAA 2001:500:1::53 AAAA 2001:503:c27::2:30 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:9f::42 |
| 7 | 0.07137724 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xa1cb A h.root-servers.net |
| 8 | 0.071383532 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xaeca AAAA h.root-servers.net |
| 9 | 0.07640378 | XiaoQiang.lan | desktop.lan | DNS | 105 | Standard query response 0xa1cb A h.root-servers.net A 198.97.190.53 OPT |
| 10 | 0.077062568 | XiaoQiang.lan | desktop.lan | DNS | 885 | Standard query response 0xaeca AAAA h.root-servers.net AAAA 2001:500:1::53 NS i.root-servers.net NS h.root-servers.net NS m.root-servers.net NS e.root-servers.net NS g.root-servers.net NS f.root-servers.net NS c.root-servers.net NS a.root-servers.net NS l.root-servers.net NS k.root-servers.net NS b.root-servers.net NS j.root-servers.net NS d.root-servers.net A 192.33.4.12 A 193.0.14.129 A 192.36.148.17 A 202.12.27.33 A 192.203.230.10 A 192.112.36.4 A 192.5.5.241 A 199.9.14.201 A 199.7.91.13 A 198.97.190.53 A 192.58.128.30 A 198.41.0.4 A 199.7.83.42 AAAA 2001:500:2::c AAAA 2001:7fd::1 AAAA 2001:7fe::53 AAAA 2001:dc3::35 AAAA 2001:500:a8::e AAAA 2001:500:12::d0d AAAA 2001:500:2f::f AAAA 2001:500:200::b AAAA 2001:500:2d::d AAAA 2001:503:c27::2:30 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:9f::42 OPT |
| 11 | 0.077180982 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x8d16 A l.root-servers.net |
| 12 | 0.077190009 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xe119 AAAA l.root-servers.net |
| 13 | 0.08203686 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x8d16 A l.root-servers.net A 199.7.83.42 |
| 14 | 0.08203703 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0xe119 AAAA l.root-servers.net AAAA 2001:500:9f::42 |
| 15 | 0.08220076 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x0c6f A i.root-servers.net |
| 16 | 0.082211721 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xde6c AAAA i.root-servers.net |
| 17 | 0.087168108 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x0c6f A i.root-servers.net A 192.36.148.17 |
| 18 | 0.087168289 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0xde6c AAAA i.root-servers.net AAAA 2001:7fe::53 |
| 19 | 0.087318513 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x471f A a.root-servers.net |
| 20 | 0.087328372 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x7e19 AAAA a.root-servers.net |
| 21 | 0.092162538 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x471f A a.root-servers.net A 198.41.0.4 |
| 22 | 0.092162738 | XiaoQiang.lan | desktop.lan | DNS | 856 | Standard query response 0x7e19 AAAA a.root-servers.net AAAA 2001:503:ba3e::2:30 NS m.root-servers.net NS h.root-servers.net NS l.root-servers.net NS a.root-servers.net NS f.root-servers.net NS c.root-servers.net NS g.root-servers.net NS i.root-servers.net NS e.root-servers.net NS b.root-servers.net NS d.root-servers.net NS j.root-servers.net NS k.root-servers.net A 192.33.4.12 A 193.0.14.129 A 192.36.148.17 A 202.12.27.33 A 192.203.230.10 A 192.112.36.4 A 192.5.5.241 A 199.9.14.201 A 199.7.91.13 A 198.97.190.53 A 192.58.128.30 A 198.41.0.4 A 199.7.83.42 AAAA 2001:500:2::c AAAA 2001:7fd::1 AAAA 2001:7fe::53 AAAA 2001:dc3::35 AAAA 2001:500:a8::e AAAA 2001:500:12::d0d AAAA 2001:500:2f::f AAAA 2001:500:200::b AAAA 2001:500:2d::d AAAA 2001:500:1::53 AAAA 2001:503:c27::2:30 AAAA 2001:500:9f::42 |
| 23 | 0.092354121 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x59ba A d.root-servers.net |
| 24 | 0.092360453 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x62bd AAAA d.root-servers.net |
| 25 | 0.103212206 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x59ba A d.root-servers.net A 199.7.91.13 |
| 26 | 0.103212366 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0x62bd AAAA d.root-servers.net AAAA 2001:500:2d::d |
| 27 | 0.103383531 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xafe6 A c.root-servers.net |
| 28 | 0.103394471 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x5aeb AAAA c.root-servers.net |
| 29 | 0.108075097 | XiaoQiang.lan | desktop.lan | DNS | 105 | Standard query response 0xafe6 A c.root-servers.net A 192.33.4.12 OPT |
| 30 | 0.108075217 | XiaoQiang.lan | desktop.lan | DNS | 856 | Standard query response 0x5aeb AAAA c.root-servers.net AAAA 2001:500:2::c NS i.root-servers.net NS m.root-servers.net NS d.root-servers.net NS b.root-servers.net NS k.root-servers.net NS l.root-servers.net NS g.root-servers.net NS a.root-servers.net NS e.root-servers.net NS j.root-servers.net NS c.root-servers.net NS f.root-servers.net NS h.root-servers.net A 192.33.4.12 A 193.0.14.129 A 192.36.148.17 A 202.12.27.33 A 192.203.230.10 A 192.112.36.4 A 192.5.5.241 A 199.9.14.201 A 199.7.91.13 A 198.97.190.53 A 192.58.128.30 A 198.41.0.4 A 199.7.83.42 AAAA 2001:7fd::1 AAAA 2001:7fe::53 AAAA 2001:dc3::35 AAAA 2001:500:a8::e AAAA 2001:500:12::d0d AAAA 2001:500:2f::f AAAA 2001:500:200::b AAAA 2001:500:2d::d AAAA 2001:500:1::53 AAAA 2001:503:c27::2:30 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:9f::42 |
| 31 | 0.108234028 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xb632 A b.root-servers.net |
| 32 | 0.108245249 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x9b30 AAAA b.root-servers.net |
| 33 | 0.113622944 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0xb632 A b.root-servers.net A 199.9.14.201 |
| 34 | 0.113623115 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0x9b30 AAAA b.root-servers.net AAAA 2001:500:200::b |
| 35 | 0.113719477 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x297b A j.root-servers.net |
| 36 | 0.113725899 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xd07b AAAA j.root-servers.net |
| 37 | 0.117963526 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x297b A j.root-servers.net A 192.58.128.30 |
| 38 | 0.117963726 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0xd07b AAAA j.root-servers.net AAAA 2001:503:c27::2:30 |
| 39 | 0.118079004 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x81b7 A k.root-servers.net |
| 40 | 0.118086699 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xd5b6 AAAA k.root-servers.net |
| 41 | 0.122862825 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x81b7 A k.root-servers.net A 193.0.14.129 |
| 42 | 0.122862965 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0xd5b6 AAAA k.root-servers.net AAAA 2001:7fd::1 OPT |
| 43 | 0.122991378 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x1058 A g.root-servers.net |
| 44 | 0.122999354 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x2559 AAAA g.root-servers.net |
| 45 | 0.127718111 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0x2559 AAAA g.root-servers.net AAAA 2001:500:12::d0d OPT |
| 46 | 0.127718351 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x1058 A g.root-servers.net A 192.112.36.4 |
| 47 | 0.127880689 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xa58f A m.root-servers.net |
| 48 | 0.127889446 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xcb8e AAAA m.root-servers.net |
| 49 | 0.132909514 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0xa58f A m.root-servers.net A 202.12.27.33 |
| 50 | 0.133511734 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0xcb8e AAAA m.root-servers.net AAAA 2001:dc3::35 |
| 51 | 0.133615932 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x81df A f.root-servers.net |
| 52 | 0.133624147 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x2bdc AAAA f.root-servers.net |
| 53 | 0.138568863 | XiaoQiang.lan | desktop.lan | DNS | 94 | Standard query response 0x81df A f.root-servers.net A 192.5.5.241 |
| 54 | 0.138569003 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0x2bdc AAAA f.root-servers.net AAAA 2001:500:2f::f OPT |
向根域名服务器发起查询,服务器k 返回了 cn. 对应的 NS 记录客户端紧接着解析所有 NS 记录 | ||||||
| 55 | 0.138852069 | desktop.lan | k.root-servers.net | DNS | 104 | Standard query 0xd286 A dorm.host.sunnysab.cn OPT |
| 56 | 0.173844015 | k.root-servers.net | desktop.lan | DNS | 754 | Standard query response 0xd286 A dorm.host.sunnysab.cn NS a.dns.cn NS b.dns.cn NS c.dns.cn NS d.dns.cn NS e.dns.cn NS f.dns.cn NS g.dns.cn NS ns.cernet.net DS RRSIG A 203.119.25.1 AAAA 2001:dc7::1 A 203.119.26.1 A 203.119.27.1 A 203.119.28.1 AAAA 2001:dc7:1000::1 A 203.119.29.1 A 195.219.8.90 A 66.198.183.65 A 202.112.0.44 OPT |
| 57 | 0.174508103 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x6780 A a.dns.cn |
| 58 | 0.174526307 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0xc88e AAAA a.dns.cn |
| 59 | 0.179711708 | XiaoQiang.lan | desktop.lan | DNS | 84 | Standard query response 0x6780 A a.dns.cn A 203.119.25.1 |
| 60 | 0.179711919 | XiaoQiang.lan | desktop.lan | DNS | 96 | Standard query response 0xc88e AAAA a.dns.cn AAAA 2001:dc7::1 |
| 61 | 0.179840272 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x1ca1 A b.dns.cn |
| 62 | 0.179848427 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x55a2 AAAA b.dns.cn |
| 63 | 0.184846684 | XiaoQiang.lan | desktop.lan | DNS | 95 | Standard query response 0x1ca1 A b.dns.cn A 203.119.26.1 OPT |
| 64 | 0.184846814 | XiaoQiang.lan | desktop.lan | DNS | 128 | Standard query response 0x55a2 AAAA b.dns.cn SOA a.dns.cn OPT |
| 65 | 0.184949318 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x1968 A c.dns.cn |
| 66 | 0.184956903 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0xc769 AAAA c.dns.cn |
| 67 | 0.190545508 | XiaoQiang.lan | desktop.lan | DNS | 84 | Standard query response 0x1968 A c.dns.cn A 203.119.27.1 |
| 68 | 0.190545698 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0xc769 AAAA c.dns.cn SOA a.dns.cn |
| 69 | 0.190664112 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x48d7 A d.dns.cn |
| 70 | 0.190673009 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x83d6 AAAA d.dns.cn |
| 71 | 0.195572028 | XiaoQiang.lan | desktop.lan | DNS | 84 | Standard query response 0x48d7 A d.dns.cn A 203.119.28.1 |
| 72 | 0.195572178 | XiaoQiang.lan | desktop.lan | DNS | 107 | Standard query response 0x83d6 AAAA d.dns.cn AAAA 2001:dc7:1000::1 OPT |
| 73 | 0.195759453 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x4aef A e.dns.cn |
| 74 | 0.195771336 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0xa1ee AAAA e.dns.cn |
| 75 | 0.204773215 | XiaoQiang.lan | desktop.lan | DNS | 84 | Standard query response 0x4aef A e.dns.cn A 203.119.29.1 |
| 76 | 0.204773316 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0xa1ee AAAA e.dns.cn SOA a.dns.cn |
| 77 | 0.204847005 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x078f A f.dns.cn |
| 78 | 0.204852957 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x218e AAAA f.dns.cn |
| 79 | 0.209290952 | XiaoQiang.lan | desktop.lan | DNS | 84 | Standard query response 0x078f A f.dns.cn A 195.219.8.90 |
| 80 | 0.209291173 | XiaoQiang.lan | desktop.lan | DNS | 128 | Standard query response 0x218e AAAA f.dns.cn SOA a.dns.cn OPT |
| 81 | 0.209406982 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0x78c9 A g.dns.cn |
| 82 | 0.20941653 | desktop.lan | XiaoQiang.lan | DNS | 68 | Standard query 0xe0c8 AAAA g.dns.cn |
| 83 | 0.215702997 | XiaoQiang.lan | desktop.lan | DNS | 95 | Standard query response 0x78c9 A g.dns.cn A 66.198.183.65 OPT |
| 84 | 0.215703147 | XiaoQiang.lan | desktop.lan | DNS | 117 | Standard query response 0xe0c8 AAAA g.dns.cn SOA a.dns.cn |
| 85 | 0.21583149 | desktop.lan | XiaoQiang.lan | DNS | 73 | Standard query 0xc954 A ns.cernet.net |
| 86 | 0.21584197 | desktop.lan | XiaoQiang.lan | DNS | 73 | Standard query 0xa056 AAAA ns.cernet.net |
| 87 | 0.219789697 | XiaoQiang.lan | desktop.lan | DNS | 100 | Standard query response 0xc954 A ns.cernet.net A 103.137.60.44 OPT |
| 88 | 0.221121159 | XiaoQiang.lan | desktop.lan | DNS | 112 | Standard query response 0xa056 AAAA ns.cernet.net AAAA 2001:dd9::44 OPT |
客户端向 cn. 对应的 NS 服务器e.dns.cn 发送查询,对方返回了 sunnysab.cn. 对应的 NS 服务器随后,客户端开始解析所有得到的 NS 服务器 | ||||||
| 89 | 0.221379989 | desktop.lan | e.dns.cn | DNS | 104 | Standard query 0x7ba3 A dorm.host.sunnysab.cn OPT |
| 90 | 0.226745842 | e.dns.cn | desktop.lan | DNS | 713 | Standard query response 0x7ba3 A dorm.host.sunnysab.cn NS f1g1ns1.dnspod.net NS f1g1ns2.dnspod.net NSEC3 RRSIG NSEC3 RRSIG OPT |
| 91 | 0.227232093 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0xbde1 A f1g1ns1.dnspod.net |
| 92 | 0.22725739 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x0be5 AAAA f1g1ns1.dnspod.net |
| 93 | 0.231917437 | XiaoQiang.lan | desktop.lan | DNS | 174 | Standard query response 0xbde1 A f1g1ns1.dnspod.net A 129.211.176.187 A 183.192.164.118 A 162.14.25.230 A 59.36.120.152 A 58.247.212.36 A 61.151.180.44 |
| 94 | 0.232527883 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0x0be5 AAAA f1g1ns1.dnspod.net AAAA 2402:4e00:1430:1102:0:9136:2b30:e554 |
| 95 | 0.232661125 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x0c76 A f1g1ns2.dnspod.net |
| 96 | 0.232669481 | desktop.lan | XiaoQiang.lan | DNS | 78 | Standard query 0x2577 AAAA f1g1ns2.dnspod.net |
| 97 | 0.237553211 | XiaoQiang.lan | desktop.lan | DNS | 190 | Standard query response 0x0c76 A f1g1ns2.dnspod.net A 129.211.176.224 A 183.192.201.91 A 58.251.121.111 A 58.247.212.48 A 162.14.24.230 A 223.166.151.21 A 101.226.220.16 |
| 98 | 0.237553371 | XiaoQiang.lan | desktop.lan | DNS | 106 | Standard query response 0x2577 AAAA f1g1ns2.dnspod.net AAAA 2402:4e00:1020:1264:0:9136:29bc:87f9 |
客户端向 sunnysab.cn. 对应的 NS 服务器(归属于 Dnspod)发起查询,对方返回了 NS 记录sync.sunnysab.cn随后,客户端将解析该域名 | ||||||
| 99 | 0.237865493 | desktop.lan | f1g1ns2.dnspod.net | DNS | 104 | Standard query 0x8b49 A dorm.host.sunnysab.cn OPT |
| 100 | 0.248780746 | f1g1ns2.dnspod.net | desktop.lan | DNS | 122 | Standard query response 0x8b49 A dorm.host.sunnysab.cn NS sync.sunnysab.cn OPT |
| 101 | 0.249081105 | desktop.lan | XiaoQiang.lan | DNS | 76 | Standard query 0x04a9 A sync.sunnysab.cn |
| 102 | 0.249098769 | desktop.lan | XiaoQiang.lan | DNS | 76 | Standard query 0xf2ac AAAA sync.sunnysab.cn |
| 103 | 0.260753072 | XiaoQiang.lan | desktop.lan | DNS | 153 | Standard query response 0xf2ac AAAA sync.sunnysab.cn SOA f1g1ns1.dnspod.net |
| 104 | 0.260753212 | XiaoQiang.lan | desktop.lan | DNS | 92 | Standard query response 0x04a9 A sync.sunnysab.cn A 124.221.129.111 |
客户端向 sync.sunnysab.cn 请求目标域名,得到最终结果 | ||||||
| 105 | 0.260916171 | desktop.lan | sync.sunnysab.cn | DNS | 104 | Standard query 0xc3e7 A dorm.host.sunnysab.cn OPT |
| 106 | 0.271458859 | sync.sunnysab.cn | desktop.lan | DNS | 164 | Standard query response 0xc3e7 A dorm.host.sunnysab.cn A 101.94.47.143 NS ns.sunnysab.cn OPT |
至此,经过 106 个 DNS 请求/响应,我们得到了 dorm.host.sunnysab.cn 最终的 IP 地址。
尝试
我使用的域名解析机构是 Dnspod。一个简单的思路是,在 Dnspod 中新建一条类型为 NS 的解析记录,如:
添加完成后,尝试使用 dig 命令检查效果:
dig +trace host.sunnysab.cn @119.29.29.29
; <<>> DiG 9.18.0 <<>> +trace host.sunnysab.cn @119.29.29.29
;; global options: +cmd
. 37118 IN NS a.root-servers.net.
. 37118 IN NS d.root-servers.net.
. 37118 IN NS l.root-servers.net.
. 37118 IN NS g.root-servers.net.
. 37118 IN NS j.root-servers.net.
. 37118 IN NS h.root-servers.net.
. 37118 IN NS e.root-servers.net.
. 37118 IN NS i.root-servers.net.
. 37118 IN NS b.root-servers.net.
. 37118 IN NS c.root-servers.net.
. 37118 IN NS k.root-servers.net.
. 37118 IN NS m.root-servers.net.
. 37118 IN NS f.root-servers.net.
;; Received 251 bytes from 119.29.29.29#53(119.29.29.29) in 13 ms
cn. 172800 IN NS e.dns.cn.
cn. 172800 IN NS a.dns.cn.
cn. 172800 IN NS b.dns.cn.
cn. 172800 IN NS ns.cernet.net.
cn. 172800 IN NS c.dns.cn.
cn. 172800 IN NS d.dns.cn.
cn. 172800 IN NS g.dns.cn.
cn. 172800 IN NS f.dns.cn.
cn. 86400 IN DS 57724 8 2 5D0423633EB24A499BE78AA22D1C0C9BA36218FF49FD95A4CDF1A4AD 97C67044
cn. 86400 IN RRSIG DS 8 1 86400 20220423050000 20220410040000 47671 . FfHCYmoGEWX2HFrefiPsgk7HUMOxPrwTgUIIzz5HThgWn+I8CIJ2Igs6 BfzxWuxlveLaGIbwBXI7YaylRiXOnR2f9JmjzhXHBfUrnmFd4WN/9aRD 8KYwz0EUGmOQwfXhVZkKLeJMfL6ANtuoPfizv1XJUDCXoBUv3xKvjyKe BY0EV8cD/jdNXDrQgJcaT5LY4qXinVfXXMsFaU2gESJfaNEhyK7HMNxr KiIlj9FWBDGA/UH+aijlwauvNOIFXpDWV3mGGgBw2eG0rQsFNN1Lepm7 oNVl2oC0D24os9gUFHpBfEvbdeHBmxd4me+hEtBtnUuPHFfq+xydb62k HYCi6Q==
couldn't get address for 'f.dns.cn': not found
;; Received 739 bytes from 192.112.36.4#53(g.root-servers.net) in 193 ms
sunnysab.cn. 86400 IN NS f1g1ns1.dnspod.net.
sunnysab.cn. 86400 IN NS f1g1ns2.dnspod.net.
3qdaqa092ee5belp64a74ebnb8j53d7e.cn. 21600 IN NSEC3 1 1 10 AEF123AB 3QHKTF6LTFG8AAFUUAJSR8RVAJP99SFU NS SOA RRSIG DNSKEY NSEC3PARAM
3qdaqa092ee5belp64a74ebnb8j53d7e.cn. 21600 IN RRSIG NSEC3 8 2 21600 20220421020437 20220322010437 38388 cn. h8l0G9BHCfmmihReDucaiq7ZGQVaLbZMg00XJW0S0ueVhyvgFGtobZrS zAw4TgiKkQ4RzVMIaQDCpl9Ndj1gvhGvK9tmO3DxRLMTs2EfhbS4oaAW J5ZPgtNZWe9UnmNYShX1a7BvWLAuF+yx4ZhP/pxd5LLbdpIO4FLGBIkl JKE=
460ma1kn9rcs318kuu45f11o2mjgt558.cn. 21600 IN NSEC3 1 1 10 AEF123AB 46F805934J5U26CSL3LRD98GD3IJC8R8 NS DS RRSIG
460ma1kn9rcs318kuu45f11o2mjgt558.cn. 21600 IN RRSIG NSEC3 8 2 21600 20220421020437 20220322010437 38388 cn. hfaIKR67Vm4pnSy8ScHFEJ55K1hjG2u49euVOJ7W6d1N5GnLF6Tn5JxF X/BfScthNSnLCQl/5c3AE//pUTuviDQePG4syifn58ljjV/hSV1ARprG PY+DA+VPLE6bVX1RV5P7kcGtHIFZxHWhHnGgB5irC6PuEkqWrx9RM1QX fWg=
;; Received 666 bytes from 203.119.29.1#53(e.dns.cn) in 6 ms
嗯?后面没有了??其实这时候我应该反应过来是 Dnspod 没有及时刷新缓存,将 DNS 服务器设为 8.8.8.8 后会变得正常,但是因为当时没有考虑到,走了些弯路。
找到一片知乎提问 如何为二级域名设置不同的NS服务器? - 知乎 倒是有网友成功使用的例子,但是查看腾讯云(Dnspod)的 帮助文档,里面有这样的描述:
注意:
要授权的 DNS 服务器域名不能是私建的 DNS 服务器域名,必须是解析商的权威 DNS 服务器域名。
莫非腾讯云不允许我使用自己的 NS 服务器?观察到网友使用的 NS 服务器地址是阿里云和 dns.com 的 DNS 解析服务器,帮助文档上说的应该没错。 但是,腾讯云不会还维护了一份合法 DNS 名称服务器的列表吧?如果遇上个别小国家偏远的 DNS 提供商怎么办?做软件应该不会这么做的,可事实上直接添加 NS 记录的方法又用不了。
附加 DNS 记录(胶水记录)
期间了解了一个 DNS 中常用的技术。设想这样的场景:我域名的权威名称服务器为 ns.sunnysab.cn,整个域名的解析任务都落在它身上,但是要获取它的地址,又需要它本身的配合。即,我需要向 ns 主机查询 ns 主机的地址——这将陷入一个循环。
胶水记录可以解决这个问题:它将被注册到上级 DNS 域名解析服务器中。当有范围内的 DNS 查询时,上级服务器会返回这些记录。胶水记录直接记录了主机名到 IP 地址的映射关系,以避免客户端陷入其中。此外,它还有减少递归查询次数,加快 DNS 递归查询的作用。
胶水记录在腾讯云中被称为 “自定义 DNS Host”,这个名称……我看了半天才理解……
按照文档的说法,“如果使用 DNS Host 来解析域名,必须在对应域名服务器上添加对应 A 记录(IP 地址保持一致)。”,但是实际操作时,不管我怎么试都没有在 DNS 响应中发现胶水记录,可能因为腾讯云向上级同步时间太长所致吧。遂放弃。
本节只是一个小小的尝试,与最终解决方案无关。
峰回路转
此时发现 dig +trace host.sunnysab.cn @8.8.8.8 (之前尝试时用的是 119.29.29.29)正常,可以返回 DNS 记录,dig www.host.sunnysab.cn 时会查询 host.sunnysab.cn 对应的 NS 记录并引导客户端向 sync.sunnysab.cn 查询 www.host.sunnysab.cn。怀疑之前可能是 119.29.29.29 缓存未刷新导致的同步问题。
安装并配置 Bind9
Bind 是一款由互联网系统联盟/协会(Internet Systems Consortium)开发的 DNS 服务器软件,历史悠久,使用广泛,这里就用它了。
还有一款名为 PowerDNS 的产品也很不错,可以了解一下。由于我这里使用场景有限,就不引入庞然大物了。
安装
使用 apt 命令搜索:
# apt search bind9
bind9/stable,now 1:9.16.27-1~deb11u1 amd64
Internet Domain Name Server
bind9-dev/stable 1:9.16.27-1~deb11u1 amd64
Static Libraries and Headers used by BIND 9
bind9-dnsutils/stable,now 1:9.16.27-1~deb11u1 amd64 [installed]
Clients provided with BIND 9
bind9-doc/stable 1:9.16.27-1~deb11u1 all
Documentation for BIND 9
bind9-dyndb-ldap/stable 11.6-3 amd64
LDAP back-end plug-in for BIND
bind9-host/stable,now 1:9.16.27-1~deb11u1 amd64 [installed]
DNS Lookup Utility
bind9-libs/stable,now 1:9.16.27-1~deb11u1 amd64 [installed,automatic]
Shared Libraries used by BIND 9
bind9-utils/stable,now 1:9.16.27-1~deb11u1 amd64 [installed,automatic]
Utilities for BIND 9
bind9utils/stable 1:9.16.27-1~deb11u1 all
Transitional package for bind9-utils
安装:
# apt install bind9
配置
这里参考了 使用Bind9搭建权威DNS服务器 一文,区域文件如下:
root@VM-16-5-debian:/etc/bind# cat host.sunnysab.cn.zone
$TTL 300
$ORIGIN host.sunnysab.cn.
; SOA record
; name class type nameserver contact (sn ref ret ex min)
@ IN SOA ns.sunnysab.cn. sunnysab.cn. (
2017031088 ; serial number
3600 ; refresh
180 ; update retry
1209600 ; expiry
300 ; nxdomain ttl
)
; [name] [ttl] [class] type data
; NS records
@ 36000 IN NS ns.sunnysab.cn.
; A records or CNAME records
ns 3600 IN A 124.221.129.111
dorm 60 IN A 101.94.47.143
完成后使用 named-checkzone 命令校验一下。
动态管理
要想动态修改 DNS 记录,有三种方法:
- 修改 zone 文件,使用命令
rndc reload重新加载区域文件 - 使用
nsupdate命令动态修改 DNS 记录 - 使用封装好的 RESTful 接口动态修改 DNS 记录
考虑到与本篇主题无关,这里暂且略过,后续有机会再写吧。通过自己的 DNS 服务器,倒是可以自建一个动态域名解析的平台 :D
参考资料
在 “瞎折腾” 的过程中,碰到了很多问题,所遇到的资料也较少,感谢素未谋面的网友提供的帮助。主要参考资料如下:
- 域名注册局 - 维基百科
- DNS 一般概览 - Google Cloud
- Debian9 Bind9管理工具详解
- 如何为二级域名设置不同的NS服务器? - 知乎
- 设置 NS 记录 - 腾讯云帮助文档
- 自建DNS权威服务器全过程(多域名解析) - 开发说,该文档源码安装 bind9,没必要
- Glue Records and Why They are Crucial
- 胶水记录(Glue Record)是什么?有什么作用?
- 使用自建DNS服务器解析自己的域名(Windows操作系统环境下),这位同学使用的是阿里云
- 使用Bind9搭建权威DNS服务器
- 去Cloudflare化的第一步 自建权威DNS服务器
- 自定义 DNS Host 的胶水记录(Glue Record)