Name test.com (SOA) not subdomain of zone www.test.com -- invalid response

Combined authoritative/recursive server (10.100.8.71): it is configured with test.com and delegates www.test.com as a child zone:

test.com.    3600    IN    SOA    ns.test.com. mail.test.com. 19 300 100 400 1800
test.com.    3600    IN    NS    ns.test.com.
ns.test.com.    3600    IN    A    127.0.0.1
gslb.test.com.    3600    IN    A    10.100.8.10
www.test.com.    3600    IN    NS    gslb.test.com.

Authoritative server (10.100.8.10): it is configured with test.com and holds the A record for www.test.com:

test.com.    3600    IN    SOA    ns.test.com. mail.test.com. 4 28800 3600 604800 1800
test.com.    3600    IN    NS    ns.test.com.
ns.test.com.    3600    IN    A    127.0.0.1
www.test.com.    3600    IN    A    3.3.3.3

Sending an AAAA query from a client to the combined authoritative/recursive server returns SERVFAIL:

C:\Users\pc>dig www.test.com @10.100.8.71 aaaa

; <<>> DiG 9.17.0 <<>> www.test.com @10.100.8.71 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      AAAA

;; Query time: 35 msec
;; SERVER: 10.100.8.71#53(10.100.8.71)

The combined authoritative/recursive server's resolver.log reports the error:

DNS format error from 10.100.8.10 53 resolving www.test.com/AAAA for client 10.100.0.2 55443: Name test.com (SOA) not subdomain of zone www.test.com -- invalid response

Root cause analysis: querying the authoritative server directly for the AAAA record of www.test.com returns NOERROR, with an SOA record in the AUTHORITY SECTION:

C:\Users\pc>dig www.test.com @10.100.8.10 aaaa

; <<>> DiG 9.17.0 <<>> www.test.com @10.100.8.10 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40533
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      AAAA

;; AUTHORITY SECTION:
test.com.               1800    IN      SOA     ns.test.com. mail.test.com. 4 28800 3600 604800 1800

;; Query time: 36 msec
;; SERVER: 10.100.8.10#53(10.100.8.10)

When the recursive server validates the SOA, www.test.com has been delegated to the authoritative server as a child zone, so the compliant SOA for the authoritative server to return is one for www.test.com, not for test.com:

www.test.com.               1800    IN      SOA     ns.www.test.com. mail.test.com. 4 28800 3600 604800 1800
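The resolver's sanity check described above, reproduced as an added example (not code from the original post or from BIND): the SOA owner in a negative answer must be the zone the resolver was referred to, or a name below it. The two AUTHORITY SECTION samples are constructed from the dig output above.

```python
import re

# Constructed sample: the non-compliant NODATA answer for www.test.com/AAAA,
# as returned by the authoritative server in the dig output above.
BAD_RESPONSE = """\
;; AUTHORITY SECTION:
test.com.               1800    IN      SOA     ns.test.com. mail.test.com. 4 28800 3600 604800 1800
"""

# Constructed sample of the compliant answer: the SOA owner is the delegated zone itself.
GOOD_RESPONSE = """\
;; AUTHORITY SECTION:
www.test.com.           1800    IN      SOA     ns.www.test.com. mail.test.com. 4 28800 3600 604800 1800
"""

def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True if `name` equals `zone` or lies below it (label-wise suffix match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def soa_owner(dig_text):
    """Owner name of the first SOA record in a dig-style AUTHORITY SECTION, or None."""
    m = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", dig_text, re.MULTILINE)
    return m.group(1) if m else None

def check_negative_answer(dig_text, zone):
    """Apply the resolver's check: the SOA in a NODATA/NXDOMAIN answer must belong
    to the zone the resolver was delegated to (`zone`), otherwise the answer is
    treated as malformed and the resolver moves on to the next authoritative server."""
    owner = soa_owner(dig_text)
    if owner is None:
        return False, "no SOA in authority section"
    if not is_subdomain(owner, zone):
        # Same wording as the resolver.log line quoted in the post
        return False, f"Name {owner.rstrip('.')} (SOA) not subdomain of zone {zone.rstrip('.')} -- invalid response"
    return True, f"SOA {owner} accepted for zone {zone}"

if __name__ == "__main__":
    # The delegation NS record makes www.test.com. the zone the resolver expects
    for text in (BAD_RESPONSE, GOOD_RESPONSE):
        print(check_negative_answer(text, "www.test.com."))
```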

Impact: if there are several authoritative servers, the recursive server sends a query to each of them in turn, which adds resolution latency.

For example, an AAAA query for ns-open3.qq.com sent to the recursive server took 1.4 seconds. Because the authoritative servers' replies are non-compliant, the recursive server queried every authoritative server; each one replied non-compliantly, and the client was answered with SERVFAIL.

C:\Users\pc>dig ns-open3.qq.com @10.100.8.71 aaaa

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com @10.100.8.71 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10361
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-open3.qq.com.               IN      AAAA

;; Query time: 1407 msec
;; SERVER: 10.100.8.71#53(10.100.8.71)

04-Apr-2025 23:17:18.431 DNS format error from 14.116.238.220 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.439 DNS format error from 43.140.54.204 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.450 DNS format error from 2402:4e00:111:ff4::3 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.479 DNS format error from 240e:e1:aa00:2002::3 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.509 DNS format error from 101.227.161.254 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.522 DNS format error from 2402:4e00:111:ff4::3 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.748 DNS format error from 170.106.32.16 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.808 DNS format error from 140.207.180.96 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.839 DNS format error from 240e:e1:aa00:2002::3 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:18.868 DNS format error from 43.142.212.27 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.090 DNS format error from 49.51.76.46 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.155 DNS format error from 218.68.91.139 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.196 DNS format error from 211.100.32.220 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.238 DNS format error from 121.51.49.22 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.400 DNS format error from 203.205.220.26 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:19.435 DNS format error from 157.255.6.102 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
04-Apr-2025 23:17:24.807 DNS format error from 43.129.131.16 53 resolving ns-open3.qq.com/AAAA for client 10.100.0.2 55703: Name qq.com (SOA) not subdomain of zone ns-open3.qq.com -- invalid response
 

A dig trace of this name shows that it has been delegated as a child zone, but the SOA returned is still the parent zone's:

C:\Users\pc>dig ns-open3.qq.com +trace +nodnssec aaaa

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com +trace +nodnssec aaaa
;; global options: +cmd
.                       87203   IN      NS      l.root-servers.net.
.                       87203   IN      NS      a.root-servers.net.
.                       87203   IN      NS      j.root-servers.net.
.                       87203   IN      NS      h.root-servers.net.
.                       87203   IN      NS      f.root-servers.net.
.                       87203   IN      NS      c.root-servers.net.
.                       87203   IN      NS      d.root-servers.net.
.                       87203   IN      NS      i.root-servers.net.
.                       87203   IN      NS      e.root-servers.net.
.                       87203   IN      NS      m.root-servers.net.
.                       87203   IN      NS      g.root-servers.net.
.                       87203   IN      NS      k.root-servers.net.
.                       87203   IN      NS      b.root-servers.net.
;; Received 239 bytes from 8.8.8.8#53(8.8.8.8) in 43 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
;; Received 840 bytes from 198.41.0.4#53(a.root-servers.net) in 259 ms

qq.com.                 172800  IN      NS      ns1.qq.com.
qq.com.                 172800  IN      NS      ns2.qq.com.
qq.com.                 172800  IN      NS      ns3.qq.com.
qq.com.                 172800  IN      NS      ns4.qq.com.
;; Received 396 bytes from 192.35.51.30#53(f.gtld-servers.net) in 217 ms

ns-open3.qq.com.        86400   IN      NS      ns-cnc1.qq.com.
ns-open3.qq.com.        86400   IN      NS      ns-os1.qq.com.
ns-open3.qq.com.        86400   IN      NS      ns-cmn1.qq.com.
ns-open3.qq.com.        86400   IN      NS      ns-tel1.qq.com.
;; Received 463 bytes from 112.60.1.69#53(ns3.qq.com) in 15 ms

qq.com.                 300     IN      SOA     ns1.qq.com. webmaster.qq.com. 1350444472 300 600 86400 300
;; Received 106 bytes from 218.68.91.139#53(ns-cnc1.qq.com) in 57 ms

The above is the behaviour observed with BIND. Sending the same query to 223.5.5.5 and 8.8.8.8 returns NOERROR, so evidently 223.5.5.5 and 8.8.8.8 do not validate the SOA for compliance in this way.

Testing with Baidu's and Guangdong Mobile's public DNS, however, returns SERVFAIL, and with considerable resolution latency.

C:\Users\pc>dig ns-open3.qq.com @223.5.5.5 aaaa

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com @223.5.5.5 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-open3.qq.com.               IN      AAAA

;; Query time: 15 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: Fri Apr 04 23:26:42 ;; MSG SIZE  rcvd: 44

C:\Users\pc>dig ns-open3.qq.com aaaa @8.8.8.8

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com aaaa @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63831
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns-open3.qq.com.               IN      AAAA

;; AUTHORITY SECTION:
qq.com.                 300     IN      SOA     ns1.qq.com. webmaster.qq.com. 1350444472 300 600 86400 300

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 04 23:36:00 ;; MSG SIZE  rcvd: 94

Baidu DNS

C:\Users\pc>dig ns-open3.qq.com aaaa @180.76.76.76

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com aaaa @180.76.76.76
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11810
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns-open3.qq.com.               IN      AAAA

;; Query time: 2788 msec
;; SERVER: 180.76.76.76#53(180.76.76.76)
;; WHEN: Fri Apr 04 23:29:45 ;; MSG SIZE  rcvd: 33

Guangdong Mobile DNS

C:\Users\pc>dig ns-open3.qq.com aaaa @211.136.192.6

; <<>> DiG 9.17.0 <<>> ns-open3.qq.com aaaa @211.136.192.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58809
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns-open3.qq.com.               IN      AAAA

;; Query time: 1004 msec
;; SERVER: 211.136.192.6#53(211.136.192.6)
;; WHEN: Fri Apr 04 23:32:37 ;; MSG SIZE  rcvd: 44

Lessons learned:

The main role of a name's NS records is to identify its authoritative servers; the parent zone delegates the child zone with NS records. The cause of this problem is clearly that the zone configured on the child's authoritative server is the same zone as the parent's.

Problem scenario: some domains currently use a static/dynamic split architecture, that is, names are divided into statically resolved names and dynamic names that need global-load-balanced resolution. Static resolution is served by dedicated DNS appliances and dynamic resolution by dedicated global load balancing (GSLB) appliances, and the static authoritative server configures an NS delegation that hands the name over to the dynamic authoritative server for resolution.

Recommended fix: configure the dynamic authoritative server with a child zone of the parent zone, or with a different authoritative zone from the parent, and have the static authoritative server configure a CNAME for the dynamic name, so that resolution is redirected to the dynamic authoritative server while the name the client resolves stays unchanged.
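A constructed zone layout for the recommended fix, added here as an illustration and not taken from the original post; the child zone gslb.test.com and the names ns.gslb.test.com and www.gslb.test.com are assumed. The static authoritative server keeps the parent zone and publishes a CNAME, and the GSLB device serves a distinct child zone, so a NODATA answer for an AAAA query now carries an SOA that lies inside the zone the resolver was referred to.

```zone
; File 1: static authoritative server (10.100.8.71 in the post), parent zone test.com
; Constructed example; the gslb.test.com child zone and its names are assumed.
$ORIGIN test.com.
@               3600    IN  SOA   ns.test.com. mail.test.com. 20 300 100 400 1800
@               3600    IN  NS    ns.test.com.
ns              3600    IN  A     127.0.0.1
; Delegate a separate child zone to the GSLB device instead of delegating www itself
gslb            3600    IN  NS    ns.gslb.test.com.
ns.gslb         3600    IN  A     10.100.8.10      ; glue for the child zone's name server
; The client-facing name stays www.test.com; the CNAME hands resolution to the child zone
www             3600    IN  CNAME www.gslb.test.com.

; File 2: dynamic (GSLB) authoritative server (10.100.8.10), child zone gslb.test.com
$ORIGIN gslb.test.com.
@               3600    IN  SOA   ns.gslb.test.com. mail.test.com. 4 28800 3600 604800 1800
@               3600    IN  NS    ns.gslb.test.com.
ns              3600    IN  A     10.100.8.10
www             3600    IN  A     3.3.3.3
; A www.gslb.test.com/AAAA query now gets NODATA with "gslb.test.com. ... SOA" in the
; authority section, which is the delegated zone itself, so the resolver accepts it.
```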
