unbound_subnet request analysis

The test requests and their output are shown below (dig is sent to unbound listening on 127.0.0.1, port 10054):

[root@whb-dev-1eaf52c0a packaging]# ./dig @127.0.0.1  -p 10054  www.baidu.com. +subnet=182.61.128.241

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.baidu.com. +subnet=182.61.128.241
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24481
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; CLIENT-SUBNET: 182.61.128.241/32/27
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 14.119.104.254
www.a.shifen.com. 300 IN A 14.119.104.189

;; Query time: 762 msec
;; SERVER: 127.0.0.1#10054(127.0.0.1)
;; WHEN: Tue May 09 09:29:16 CST 2023
;; MSG SIZE rcvd: 113

[root@whb-dev-1eaf52c0a packaging]# ./dig @127.0.0.1 -p 10054 www.baidu.com. +subnet=0.0.0.0

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.baidu.com. +subnet=0.0.0.0
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44788
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; CLIENT-SUBNET: 0.0.0.0/32/24
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 180.101.50.188
www.a.shifen.com. 300 IN A 180.101.50.242

;; Query time: 977 msec
;; SERVER: 127.0.0.1#10054(127.0.0.1)
;; WHEN: Tue May 09 09:29:27 CST 2023
;; MSG SIZE rcvd: 113

[root@whb-dev-1eaf52c0a packaging]# ./dig @127.0.0.1 -p 10054 www.baidu.com.

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.baidu.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1793
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 180.101.50.242
www.a.shifen.com. 300 IN A 180.101.50.188

;; Query time: 19 msec
;; SERVER: 127.0.0.1#10054(127.0.0.1)
;; WHEN: Tue May 09 09:29:31 CST 2023
;; MSG SIZE rcvd: 101

[root@whb-dev-1eaf52c0a packaging]# ./dig @127.0.0.1 -p 10054 www.baidu.com. +subnet=43.225.211.37

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.baidu.com. +subnet=43.225.211.37
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40316
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; CLIENT-SUBNET: 43.225.211.37/32/22
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 182.61.200.6
www.a.shifen.com. 300 IN A 182.61.200.7

;; Query time: 89 msec
;; SERVER: 127.0.0.1#10054(127.0.0.1)
;; WHEN: Tue May 09 09:29:40 CST 2023
;; MSG SIZE rcvd: 113

[root@whb-dev-1eaf52c0a packaging]# ./dig @127.0.0.1 -p 10054 www.baidu.com. +subnet=1.225.211.37

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.baidu.com. +subnet=1.225.211.37
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25463
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; CLIENT-SUBNET: 1.225.211.37/32/12
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 30 IN CNAME www.wshifen.com.
www.wshifen.com. 300 IN A 119.63.197.151
www.wshifen.com. 300 IN A 119.63.197.139

;; Query time: 552 msec
;; SERVER: 127.0.0.1#10054(127.0.0.1)
;; WHEN: Tue May 09 09:29:46 CST 2023
;; MSG SIZE rcvd: 139

Analysis

The output above covers five dig queries in total:

No.  Subnet option sent       Scope returned  Time (msec)  Observation
1    +subnet=182.61.128.241   /27             762          Long query time: unbound performed a full recursive lookup
2    +subnet=0.0.0.0          /24             977          Long query time: a full recursive lookup again; answer set 180.101.50.188 and .242
3    (none)                   -               19           Short query time: answered straight from cache, no recursion; same answer set as query 2
4    +subnet=43.225.211.37    /22             89           A different answer set (182.61.200.6 and .7) from queries 1 to 3
5    +subnet=1.225.211.37     /12             552          Long query time; the answer goes through a second CNAME (www.wshifen.com.) to yet another address set (119.63.197.x)

Every client subnet that was sent produced a different set of addresses, which is what ECS is for: the authoritative side answers for the client's network rather than for the resolver's.
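When an ECS test like this is repeated across many client prefixes, it helps to build the table above automatically. The following helper is an added example and not part of the original post: it parses concatenated dig 9.11 output and pulls out the CLIENT-SUBNET source and scope lengths, the query time and the A records of each response. The sample input is constructed to mirror the format above (example.test names and documentation addresses), and the 50 ms cut-off used to flag a likely cache hit is an assumption that copies the rule of thumb used in the table.

```python
"""Summarise a batch of dig responses by ECS source/scope and query time.

Added helper, not code from the blog post. SAMPLE_DIG_OUTPUT is constructed to
mirror the dig 9.11 output format shown above; CACHE_HIT_THRESHOLD_MS is my own
heuristic, copying the post's rule that a fast answer means no recursion ran.
"""
import re

CACHE_HIT_THRESHOLD_MS = 50  # assumption: below this, treat the answer as served from cache

SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.example.test. +subnet=192.0.2.100
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; CLIENT-SUBNET: 192.0.2.100/32/24
;; QUESTION SECTION:
;www.example.test. IN A
;; ANSWER SECTION:
www.example.test. 300 IN CNAME cdn.example.test.
cdn.example.test. 60 IN A 198.51.100.10
cdn.example.test. 60 IN A 198.51.100.11
;; Query time: 640 msec

; <<>> DiG 9.11.0.1 <<>> @127.0.0.1 -p 10054 www.example.test.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.example.test. IN A
;; ANSWER SECTION:
www.example.test. 300 IN CNAME cdn.example.test.
cdn.example.test. 60 IN A 198.51.100.11
cdn.example.test. 60 IN A 198.51.100.10
;; Query time: 12 msec
"""

ECS_RE = re.compile(r"^; CLIENT-SUBNET: (\S+)/(\d+)/(\d+)\s*$", re.M)
TIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.M)
A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$", re.M)   # A records only, not CNAME
CMD_RE = re.compile(r"^; <<>> DiG \S+ <<>> (.*)$", re.M)


def parse_dig_output(text):
    """Split concatenated dig output into one record per query."""
    rows = []
    # Every response starts with the "; <<>> DiG ..." banner; split just before it.
    for chunk in re.split(r"(?m)^(?=; <<>> DiG )", text):
        if not chunk.strip():
            continue
        ecs = ECS_RE.search(chunk)
        time_m = TIME_RE.search(chunk)
        if time_m is None:
            raise ValueError("response without a 'Query time' line")
        qtime = int(time_m.group(1))
        cmd = CMD_RE.search(chunk)
        rows.append({
            "command": cmd.group(1).strip() if cmd else "",
            "subnet": ecs.group(1) if ecs else None,          # None when no ECS option came back
            "source_prefix": int(ecs.group(2)) if ecs else None,
            "scope_prefix": int(ecs.group(3)) if ecs else None,
            "a_records": sorted(m.group(3) for m in A_RE.finditer(chunk)),
            "query_time_ms": qtime,
            "likely_cache_hit": qtime < CACHE_HIT_THRESHOLD_MS,
        })
    return rows


def same_answer_set(row_a, row_b):
    """True when two queries returned exactly the same A addresses (order ignored)."""
    return row_a["a_records"] == row_b["a_records"]


def format_table(rows):
    """Render the rows as a plain-text table like the one in the analysis section."""
    lines = ["No.  subnet sent              src/scope  time(ms)  A records"]
    for i, r in enumerate(rows, 1):
        sub = r["subnet"] or "(none)"
        scope = "%s/%s" % (r["source_prefix"], r["scope_prefix"]) if r["subnet"] else "-"
        lines.append("%-4d %-24s %-10s %-9d %s"
                     % (i, sub, scope, r["query_time_ms"], ",".join(r["a_records"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_dig_output(SAMPLE_DIG_OUTPUT)))
```

Feed it the real output by redirecting a batch of dig runs into a file and passing the file's contents to parse_dig_output(); same_answer_set() makes the "query 3 equals query 2" comparison explicit instead of reading addresses by eye.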

Analysis of the first request

  1. dig sends an A query for www.baidu.com to local port 10054.

  2. unbound sends an NS query to the authoritative server 192.58.128.30.
    192.58.128.30 is one of the 13 root server addresses listed in the root.hints file named in unbound's configuration. This priming query fetches the current set of 13 root NS records.

  3. The NS response arrives, containing the NS records of the 13 roots. The Additional section holds 27 records: 13 A records, 13 AAAA records and 1 OPT pseudo-record carrying the subnet (ECS) option.

  4. unbound starts the recursion with an A query for com.
    Carrying the client subnet option, it sends an A query for com to one of the 13 roots (192.33.4.13). Asking for one label at a time like this is unbound's qname-minimisation behaviour.

  5. The answer to the com A query arrives.
    It is a referral: the 13 NS records for com, with 27 records in the Additional section, namely 13 A records and 13 AAAA records for the com servers plus 1 OPT record echoing the original subnet option.

  6. unbound sends an A query for baidu.com to one of the com server addresses (192.54.112.30).
    The query carries the client subnet option.

  7. The baidu.com A result arrives.
    The result shows that baidu.com answered with a subnet scope of 0, meaning the answer does not depend on the client's network and may be cached for all clients.

  8. unbound sends an A query for www.baidu.com to one of the baidu.com servers.
    The query carries the subnet option.

  9. The CNAME www.a.shifen.com is returned.
    The reply carries the subnet option with a scope mask of 0.

  10. unbound sends an A query for shifen.com to one of the com server addresses.
    The query carries the client subnet option.

  11. The shifen.com A result arrives.

  12. unbound sends an A query for a.shifen.com to one of the shifen.com servers.

  13. The a.shifen.com A result arrives.

  14. Using the a.shifen.com result, unbound sends an A query for www.a.shifen.com to 180.76.76.95.

  15. The www.a.shifen.com A result arrives.
    This is the final answer, and its scope mask is 27, which is what dig shows as CLIENT-SUBNET: 182.61.128.241/32/27 in the first query above.
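The walkthrough turns on two fields of the ECS option: the source prefix length unbound sends with every upstream query, and the scope prefix length the authoritative server returns (0 for baidu.com and for the CNAME, 27 for the final www.a.shifen.com answer). The following Python encodes and decodes that option on the wire, wraps it in an OPT pseudo-RR, and derives the network an answer may be cached for. It is an added example, not code from the post or from unbound; the cache_network() rule is a simplified reading of RFC 7871 section 7.3.1 and all function names are my own.

```python
"""EDNS Client Subnet (ECS, RFC 7871) option on the wire.

Added example, not code from the blog post or from unbound. The cache-scope
rule in cache_network() is a simplified reading of RFC 7871 section 7.3.1;
the addresses used in comments are the ones that appear in the dig output above.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8               # EDNS0 option code assigned to Client Subnet
OPT_RR_TYPE = 41                  # the OPT pseudo-RR that carries EDNS0 options
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # ADDRESS FAMILY values (IANA address family numbers)


def encode_ecs(address, source_prefix, scope_prefix=0):
    """Build the ECS option payload: FAMILY | SOURCE PREFIX | SCOPE PREFIX | ADDRESS.

    A query sends scope 0; an authoritative answer echoes family/source and fills
    in scope. ADDRESS is truncated to ceil(source_prefix / 8) octets and every
    bit beyond source_prefix is zeroed, as the RFC requires.
    """
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix %d out of range for %s" % (source_prefix, address))
    mask = ((1 << source_prefix) - 1) << (ip.max_prefixlen - source_prefix)
    nbytes = (source_prefix + 7) // 8
    truncated = (int(ip) & mask).to_bytes(ip.max_prefixlen // 8, "big")[:nbytes]
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + truncated


def decode_ecs(payload):
    """Parse an ECS option payload into its fields; rejects malformed lengths."""
    if len(payload) < 4:
        raise ValueError("ECS option shorter than its 4-byte header")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", payload[:4])
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError("unknown address family %d" % family)
    full_len = 4 if family == FAMILY_IPV4 else 16
    if source_prefix > full_len * 8:
        raise ValueError("source prefix %d too long for family %d" % (source_prefix, family))
    addr_bytes = payload[4:]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    # Pad the truncated address back to full width before building an IP object.
    ip = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "address": str(ip)}


def build_opt_rr(udp_payload_size, options):
    """Serialise an OPT pseudo-RR: root name, type 41, UDP size in CLASS, TTL 0, options in RDATA."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata)) + rdata


def parse_opt_rr(rr):
    """Parse an OPT RR back into UDP size, EDNS version and a list of (code, payload)."""
    name, rtype, udp_size, ttl, rdlen = struct.unpack("!BHHIH", rr[:11])
    if name != 0 or rtype != OPT_RR_TYPE or len(rr) != 11 + rdlen:
        raise ValueError("not a well-formed OPT RR")
    options, pos = [], 11
    while pos < len(rr):
        code, length = struct.unpack("!HH", rr[pos:pos + 4])
        pos += 4
        if pos + length > len(rr):
            raise ValueError("option %d runs past the end of RDATA" % code)
        options.append((code, rr[pos:pos + length]))
        pos += length
    return {"udp_size": udp_size, "version": (ttl >> 16) & 0xFF, "options": options}


def cache_network(address, source_prefix, scope_prefix):
    """Network a cached answer may be reused for (simplified RFC 7871 section 7.3.1).

    Scope 0 means the answer does not depend on the client at all (seen above for
    baidu.com and the www.baidu.com CNAME), so it is valid for everyone. Otherwise
    the answer applies to the scope network; the resolver never learned more bits
    than it sent, so the effective length is capped at the source prefix.
    """
    ip = ipaddress.ip_address(address)
    if scope_prefix == 0:
        return "0.0.0.0/0" if ip.version == 4 else "::/0"
    effective = min(scope_prefix, source_prefix)
    return str(ipaddress.ip_network((str(ip), effective), strict=False))


if __name__ == "__main__":
    # Replays the first dig query above: /32 sent, /27 scope returned.
    opt = encode_ecs("182.61.128.241", 32)
    rr = build_opt_rr(1232, [(ECS_OPTION_CODE, opt)])
    print("OPT RR:", rr.hex())
    print("decoded:", decode_ecs(opt))
    print("cacheable for:", cache_network("182.61.128.241", 32, 27))
```

Running the script prints the OPT RR bytes that a query with udp: 1232 and +subnet=182.61.128.241 carries, and shows that with the /27 scope from the final answer unbound may serve that answer to any client in 182.61.128.224/27 but not to the /22 and /12 clients of queries 4 and 5, which is why each of those queries had to recurse again.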

Conclusions

  • When the client's request carries subnet information, unbound also carries the client's subnet information in its recursive queries.
  • When the client's request carries subnet information and the result contains a CNAME, unbound still carries the subnet information passed by the client in the recursive queries it makes to resolve the CNAME target.

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.