Test command:
dig +subnet=173.255.220.0/24 www.jd.com @119.29.29.29
DiG 9.11.2 seems to send subnet information by default.
Running this version of dig as-is also gets no response at all:
dig www.jd.com @119.29.29.29
Another question:
I run my own DNS with unbound. Upstream latency is around 300 msec, but when unbound has nothing cached the latency goes up to around 1500 msec. Has anyone run into this?
1
johnjiang85 2017-11-22 16:56:16 +08:00
dig version 9.11 has a problem; please use version 9.10.
2
legendt 2017-11-22 17:13:11 +08:00
```
; <<>> DiG 9.11.2 <<>> +subnet=173.255.220.0/24 www.jd.com @119.29.29.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56025
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 173.255.220.0/24/24
; COOKIE: c46745b4083842f4 (echoed)
;; QUESTION SECTION:
;www.jd.com.			IN	A

;; ANSWER SECTION:
www.jd.com.		55	IN	CNAME	www.jdcdn.com.
www.jdcdn.com.		607	IN	CNAME	cs803.wac.systemcdn.net.
cs803.wac.systemcdn.net. 3487	IN	A	152.195.61.12

;; Query time: 6 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
```
I do get a response.
3
sublimevsatom 2017-11-22 17:41:48 +08:00
```bash
; <<>> DiG 9.11.2 <<>> jd.com @119.29.29.29
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.11.2 <<>> jd.com @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39415
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2d8cd171133e2d54 (echoed)
;; QUESTION SECTION:
;jd.com.			IN	A

;; ANSWER SECTION:
jd.com.			43	IN	A	106.39.167.118

;; Query time: 25 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)

; <<>> DiG 9.9.3 <<>> jd.com @119.29.29.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44763
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jd.com.			IN	A

;; ANSWER SECTION:
jd.com.			102	IN	A	106.39.167.118

;; Query time: 26 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
```
4
a86913179 2017-11-22 19:44:35 +08:00
On my side I intermittently get two different resolution results: sometimes the CDN is normal, sometimes it jumps to another province. I have already switched to 180.76.76.76.
5
raysonx 2017-11-22 19:50:56 +08:00 via iPad
Trace with mtr over UDP port 53 and see whether your ISP is hijacking DNS.
6
AntonChen OP
7
johnjiang85 2017-11-23 11:21:18 +08:00
8
johnjiang85 2017-11-23 11:42:01 +08:00
@AntonChen
We are very strict when validating DNS requests: anything that is not a protocol we already support gets dropped outright, cookies for example. We will add compatibility for it; we are evaluating whether to ignore the cookie option or echo it back unchanged.
9
AntonChen OP @johnjiang85 Thanks for the answer. Testing with +nocookie added, it looks like ECS only supports 173.255.220.2/32? Yet Baidu actually works: dig www.baidu.com @119.29.29.29 +subnet=218.92.128.0/24 +nocookie

```
0x416E746F6E0A ~ Anton ➜ dig a100.phobos.apple.com @119.29.29.29 +subnet=218.92.128.0/32 +nocookie

; <<>> DiG 9.11.2 <<>> a100.phobos.apple.com @119.29.29.29 +subnet=218.92.128.0/32 +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14233
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 218.92.128.0/32/18
;; QUESTION SECTION:
;a100.phobos.apple.com.		IN	A

;; ANSWER SECTION:
a100.phobos.apple.com.	0	IN	CNAME	a2.phobos.g.aaplimg.com.
a2.phobos.g.aaplimg.com. 0	IN	CNAME	a1-a200.itunes-apple.com.akadns.net.
a1-a200.itunes-apple.com.akadns.net. 0 IN	CNAME	0gq2p7eckbs26f.mwcname.com.
0gq2p7eckbs26f.mwcname.com. 0	IN	CNAME	app.dlmix.ourdvs.com.
app.dlmix.ourdvs.com.	60	IN	A	58.222.45.104
app.dlmix.ourdvs.com.	60	IN	A	114.236.140.93
app.dlmix.ourdvs.com.	60	IN	A	221.230.141.224
app.dlmix.ourdvs.com.	60	IN	A	58.223.166.224
app.dlmix.ourdvs.com.	60	IN	A	180.101.30.72
app.dlmix.ourdvs.com.	60	IN	A	218.92.128.214
app.dlmix.ourdvs.com.	60	IN	A	180.101.30.34
app.dlmix.ourdvs.com.	60	IN	A	218.92.226.97
app.dlmix.ourdvs.com.	60	IN	A	61.147.210.178
app.dlmix.ourdvs.com.	60	IN	A	61.147.227.239
app.dlmix.ourdvs.com.	60	IN	A	58.223.166.232
app.dlmix.ourdvs.com.	60	IN	A	58.222.45.106
app.dlmix.ourdvs.com.	60	IN	A	218.92.226.86

;; Query time: 488 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Thu Nov 23 14:50:29 CST 2017
;; MSG SIZE  rcvd: 421

0x416E746F6E0A ~ Anton ➜ dig a100.phobos.apple.com @119.29.29.29 +subnet=218.92.128.0/24 +nocookie

; <<>> DiG 9.11.2 <<>> a100.phobos.apple.com @119.29.29.29 +subnet=218.92.128.0/24 +nocookie
;; global options: +cmd
;; connection timed out; no servers could be reached
```
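To see exactly what the two dig runs above put on the wire (the CLIENT-SUBNET option, and the COOKIE option that dig 9.11 adds by default and that the resolver was dropping), here is an added example that hand-builds the EDNS0 query and parses the echoed scope. It is not code from the thread or from DNSPod; the helper names, the example hostname and the constructed reply bytes are assumptions made for illustration. The `query()` helper talks to a real resolver and is only there for interactive use; everything else runs offline.

```python
"""Build a DNS query with an EDNS Client Subnet option (RFC 7871, code 8) and
optionally an EDNS COOKIE option (RFC 7873, code 10), then parse the ECS
scope a resolver echoes back. Added example; helper names are assumptions."""
import ipaddress
import os
import socket
import struct
from typing import Optional

OPT_ECS = 8        # EDNS option code CLIENT-SUBNET
OPT_COOKIE = 10    # EDNS option code COOKIE (dig 9.11 sends one by default)
TYPE_OPT = 41


def encode_ecs(subnet: str) -> bytes:
    """ECS option: family, SOURCE PREFIX-LENGTH, SCOPE 0, significant octets only."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", OPT_ECS, len(body)) + body


def encode_cookie(client_cookie: bytes) -> bytes:
    """Client-only COOKIE option; the client cookie is exactly 8 bytes."""
    return struct.pack("!HH", OPT_COOKIE, 8) + client_cookie[:8]


def build_query(qname: str, subnet: Optional[str] = None, cookie: bool = False,
                qid: int = 0x1234) -> bytes:
    """Type A query, RD set, one OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [lbl.encode() for lbl in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    options = encode_ecs(subnet) if subnet else b""
    if cookie:
        options += encode_cookie(os.urandom(8))
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(options)) + options
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_options(msg: bytes) -> dict:
    """{option code: option data} from the OPT RR of a DNS message ({} if none)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:
            opts, p = {}, 0
            while p + 4 <= len(rdata):
                code, length = struct.unpack("!HH", rdata[p:p + 4])
                opts[code] = rdata[p + 4:p + 4 + length]
                p += 4 + length
            return opts
    return {}


def decode_ecs(data: bytes):
    """(address, source prefix, scope prefix); dig prints this as addr/source/scope."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    size = 4 if family == 1 else 16
    addr = ipaddress.ip_address(data[4:] + b"\x00" * (size - len(data[4:])))
    return str(addr), source, scope


def constructed_reply() -> bytes:
    """Constructed sample, not captured from 119.29.29.29: NOERROR, one A record,
    OPT RR echoing ECS 218.92.128.0/32 with scope /18 (as in the Apple run above)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    ecs = struct.pack("!HBB", 1, 32, 18) + bytes([218, 92, 128, 0])
    option = struct.pack("!HH", OPT_ECS, len(ecs)) + ecs
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(option)) + option
    return header + question + answer + opt


def query(server: str, qname: str, subnet: Optional[str] = None,
          cookie: bool = False, timeout: float = 3.0):
    """Send over UDP/53; returns (rcode, ecs tuple or None). Needs the network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, subnet, cookie), (server, 53))
        raw, _ = s.recvfrom(4096)
    opts = edns_options(raw)
    return raw[3] & 0x0F, (decode_ecs(opts[OPT_ECS]) if OPT_ECS in opts else None)
```

Calling `query("119.29.29.29", "www.jd.com", "173.255.220.0/24", cookie=False)` reproduces the `+nocookie` case; passing `cookie=True` sends the same query plus the 8-byte client cookie that dig 9.11 adds by default, which is the only difference between the run that answers and the run that times out. The scope value returned by `decode_ecs` (the `/18` in `218.92.128.0/32/18`) is how far the resolver says the answer generalises, so it is also the granularity at which a correct resolver caches it.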
10
johnjiang85 2017-11-24 09:47:39 +08:00
@AntonChen
Passing a mask in via ECS has little practical value for the DNS to recognise; we will evaluate it, but may not support it. Also, a public DNS that lets the client supply the ECS IP very easily invites random-IP attacks; the big players in the industry (google, opendns) turned that feature off long ago. 119's volume is still fairly small, so we have not turned it off yet, but if more random-IP attacks show up later we cannot rule out turning the feature off.
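The "random-IP attack" johnjiang85 refers to is cache fragmentation: if the resolver trusts the subnet a client puts in the ECS option, every distinct subnet is a separate cache key and a separate upstream query, so one attacker host can force the resolver to do the work of thousands of networks. The following is an added simulation, not code from the thread or from DNSPod, comparing a resolver that trusts client-supplied ECS with one that derives the subnet from the query's own source address instead. The cache-key rule (key on the shorter of the query's source prefix and the scope the authority returned, after RFC 7871 section 7.3), the scope lengths, the query counts and the random-subnet attacker are assumptions for illustration.

```python
"""Cache fragmentation from client-supplied ECS, as an added toy simulation.
The resolver model, scope lengths and attacker input are assumptions."""
import ipaddress
import random

QNAME = "www.example.com"    # placeholder name, not a host from the thread


class EcsResolver:
    """Toy recursive resolver with an RFC 7871-style per-scope cache.

    upstream_scope:   SCOPE PREFIX-LENGTH the simulated authority answers with.
    trust_client_ecs: forward the client's ECS subnet upstream and key the cache
                      on it (the risky setting), or ignore it and use the /24 of
                      the address the query actually came from.
    """

    def __init__(self, upstream_scope: int, trust_client_ecs: bool):
        self.upstream_scope = upstream_scope
        self.trust_client_ecs = trust_client_ecs
        self.cache = {}              # (qname, scoped network or None) -> answer
        self.upstream_queries = 0

    def _cache_key(self, qname: str, subnet: str):
        if self.upstream_scope == 0:
            return (qname, None)     # scope 0: one answer valid for everybody
        net = ipaddress.ip_network(subnet, strict=False)
        # Model assumption: cache under the shorter of source prefix and scope,
        # so a /24 query answered with scope /18 fills the whole /18.
        plen = min(net.prefixlen, self.upstream_scope)
        scoped = ipaddress.ip_network((str(net.network_address), plen), strict=False)
        return (qname, scoped)

    def resolve(self, qname: str, transport_src: str, client_ecs: str = None) -> str:
        """One client query; a cache miss costs one upstream query."""
        if self.trust_client_ecs and client_ecs:
            subnet = client_ecs
        else:
            subnet = f"{transport_src}/24"   # resolver derives ECS itself
        key = self._cache_key(qname, subnet)
        if key not in self.cache:
            self.upstream_queries += 1
            self.cache[key] = f"answer-for-{key[1]}"
        return self.cache[key]


def random_subnets(n: int, prefix: int = 24, seed: int = 7):
    """Constructed attacker input: n random IPv4 /prefix subnets (deterministic)."""
    rng = random.Random(seed)
    return [f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.0/{prefix}"
            for _ in range(n)]


def run(trust_client_ecs: bool, n: int = 5000, upstream_scope: int = 18):
    """n queries for one name from ONE attacker host, each carrying a different
    ECS subnet. Returns (upstream queries sent, cache entries created)."""
    r = EcsResolver(upstream_scope, trust_client_ecs)
    for sub in random_subnets(n):
        r.resolve(QNAME, "198.51.100.9", client_ecs=sub)
    return r.upstream_queries, len(r.cache)


if __name__ == "__main__":
    print("trust client ECS  :", run(trust_client_ecs=True))
    print("derive ECS locally:", run(trust_client_ecs=False))
    print("authority scope 0 :", run(trust_client_ecs=True, upstream_scope=0))
```

With `trust_client_ecs=True` almost every one of the 5000 queries is a miss, because a random /24 rarely lands in a /18 already cached, so the attacker gets roughly a 5000x multiplier on upstream traffic and cache size from a single source address; the same queries against a resolver that derives the subnet from the transport source cost one upstream query in total. This is the trade-off behind turning client-supplied ECS off while keeping ECS itself.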
11
AntonChen OP @johnjiang85 Thanks for the answer. I have no major problems now; it would be nice if ECS stays usable, but as you say, ECS does not look like it will last.
12
AntonChen OP @johnjiang85 I noticed you also offer HTTPDNS, but it seems to be only a demo. Are there any restrictions? Only HTTP?
13
hoty 2019-05-13 19:28:05 +08:00
Hello, I am currently researching security topics around DNS over IPv6. One of the security issues involves whether edns-client-subnet under v6 causes large-scale leakage of real v6 addresses. But I do not personally have a good understanding of its overall deployment status, and would like to ask you about the deployment situation in this area.
14
hoty 2019-05-13 19:29:15 +08:00
@johnjiang85
Hello, I am currently researching security topics around DNS over IPv6. One of the security issues involves whether edns-client-subnet under v6 causes large-scale leakage of real v6 addresses. But I do not personally have a good understanding of its overall deployment status, and would like to ask you about the deployment situation in this area.