如何设置 VLAN 转发？

Question

Sun Bear

Asked: 2024-10-30 21:29:40 +0800 CST2024-10-30 21:29:40 +0800 CST 2024-10-30 21:29:40 +0800 CST

当 Unbound 配置为转发域查询时，如何验证所有解析的域 IP 是否来自外部 DNS 解析器？

772

我已将 Unbound 配置为：

在 LAN 的所有接口上监听域查询，
通过 TLS 将这些域查询转发到外部 DNS 解析器，
从外部DNS解析器接收解析后的域名IP并返回给相应的客户端。

如何验证此类配置是否有效？特别是，如何验证：

Unbound 是否已通过 TLS 将域查询转发到所需的外部 DNS 解析器？
解析的域名 IPS 来自外部 DNS 解析器，并且不由 Unbound 解析？

dig以下是来自ging的两个结果google.com。我如何使用这些结果进行上述验证？

root@DNS:/etc/unbound# dig google.com A @192.168.1.50 -p 3000

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> google.com A @192.168.1.50 -p 3000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22452
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     300 IN  A   142.251.175.138
google.com.     300 IN  A   142.251.175.100
google.com.     300 IN  A   142.251.175.113
google.com.     300 IN  A   142.251.175.101
google.com.     300 IN  A   142.251.175.139
google.com.     300 IN  A   142.251.175.102

;; Query time: 12 msec
;; SERVER: 192.168.1.50#3000(192.168.1.50) (UDP)
;; WHEN: Wed Oct 30 14:04:16 UTC 2024
;; MSG SIZE  rcvd: 135

root@DNS:/etc/unbound# dig google.com A @192.168.1.50 -p 3000

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> google.com A @192.168.1.50 -p 3000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39764
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     300 IN  A   142.251.175.139
google.com.     300 IN  A   142.251.175.113
google.com.     300 IN  A   142.251.175.100
google.com.     300 IN  A   142.251.175.101
google.com.     300 IN  A   142.251.175.138
google.com.     300 IN  A   142.251.175.102

;; Query time: 184 msec
;; SERVER: 192.168.1.50#3000(192.168.1.50) (UDP)
;; WHEN: Wed Oct 30 14:05:30 UTC 2024
;; MSG SIZE  rcvd: 135

以下是重新启动并运行上述 dig 命令两次后的unbound.log日志。我可以看到提到了外部 DNS 解析器，但我不明白哪一行显示它已解析域并将结果返回给 unbound。verbosity: 3unbound.service

[1730296502] unbound[6506:0] info: service stopped (unbound 1.19.2).
[1730296502] unbound[6506:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1730296502] unbound[6506:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
[1730296502] unbound[6506:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1730296502] unbound[6506:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
[1730296502] unbound[6506:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1730296502] unbound[6506:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
[1730296502] unbound[6506:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1730296502] unbound[6506:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
[1730296503] unbound[6658:0] debug: module config: "subnetcache validator iterator"
[1730296503] unbound[6658:0] notice: init module 0: subnetcache
[1730296503] unbound[6658:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
[1730296503] unbound[6658:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
[1730296503] unbound[6658:0] debug: subnetcache: option registered (8)
[1730296503] unbound[6658:0] notice: init module 1: validator
[1730296503] unbound[6658:0] notice: init module 2: iterator
[1730296503] unbound[6658:0] debug: target fetch policy for level 0 is 3
[1730296503] unbound[6658:0] debug: target fetch policy for level 1 is 2
[1730296503] unbound[6658:0] debug: target fetch policy for level 2 is 1
[1730296503] unbound[6658:0] debug: target fetch policy for level 3 is 0
[1730296503] unbound[6658:0] debug: target fetch policy for level 4 is 0
[1730296503] unbound[6658:0] debug: Forward zone server list:
[1730296503] unbound[6658:0] info: DelegationPoint<dns.quad9.net.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1730296503] unbound[6658:2] debug: Forward zone server list:
[1730296503] unbound[6658:2] info: DelegationPoint<dns.quad9.net.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1730296503] unbound[6658:0] debug: cache memory msg=66104 rrset=66104 infra=7952 val=66400 subnet=74536
[1730296503] unbound[6658:1] debug: Forward zone server list:
[1730296503] unbound[6658:1] info: DelegationPoint<dns.quad9.net.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1730296503] unbound[6658:0] info: start of service (unbound 1.19.2).
[1730296503] unbound[6658:2] debug: cache memory msg=66104 rrset=66104 infra=7952 val=66400 subnet=74536
[1730296503] unbound[6658:3] debug: Forward zone server list:
[1730296503] unbound[6658:3] info: DelegationPoint<dns.quad9.net.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1730296503] unbound[6658:1] debug: cache memory msg=66104 rrset=66104 infra=7952 val=66400 subnet=74536
[1730296503] unbound[6658:3] debug: cache memory msg=66104 rrset=66104 infra=7952 val=66400 subnet=74536
[1730297056] unbound[5388:0] debug: subnetcache[module 0] operate: extstate:module_state_initial event:module_event_new
[1730297056] unbound[5388:0] info: subnetcache operate: query google.com. A IN
[1730297056] unbound[5388:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1730297056] unbound[5388:0] info: validator operate: query google.com. A IN
[1730297056] unbound[5388:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1730297056] unbound[5388:0] info: resolving google.com. A IN
[1730297056] unbound[5388:0] info: resolving (init part 2):  google.com. A IN
[1730297056] unbound[5388:0] info: resolving (init part 3):  google.com. A IN
[1730297056] unbound[5388:0] info: processQueryTargets: google.com. A IN
[1730297056] unbound[5388:0] info: sending query: google.com. A IN
[1730297056] unbound[5388:0] debug: sending to target: <google.com.> 216.239.38.10#53
[1730297056] unbound[5388:0] debug: cache memory msg=70045 rrset=100203 infra=29147 val=67208 subnet=74536
[1730297056] unbound[5388:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1730297056] unbound[5388:0] info: iterator operate: query google.com. A IN
[1730297056] unbound[5388:0] info: response for google.com. A IN
[1730297056] unbound[5388:0] info: reply from <google.com.> 216.239.38.10#53
[1730297056] unbound[5388:0] info: query response was ANSWER
[1730297056] unbound[5388:0] info: finishing processing for google.com. A IN
[1730297056] unbound[5388:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1730297056] unbound[5388:0] info: validator operate: query google.com. A IN
[1730297056] unbound[5388:0] debug: subnetcache[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1730297056] unbound[5388:0] info: subnetcache operate: query google.com. A IN
[1730297056] unbound[5388:0] debug: cache memory msg=70045 rrset=100203 infra=29147 val=67208 subnet=74536
[1730297130] unbound[5379:0] debug: subnetcache[module 0] operate: extstate:module_state_initial event:module_event_new
[1730297130] unbound[5379:0] info: subnetcache operate: query google.com. A IN
[1730297130] unbound[5379:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1730297130] unbound[5379:0] info: validator operate: query google.com. A IN
[1730297130] unbound[5379:0] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
[1730297130] unbound[5379:0] info: resolving google.com. A IN
[1730297130] unbound[5379:0] info: resolving (init part 2):  google.com. A IN
[1730297130] unbound[5379:0] info: resolving (init part 3):  google.com. A IN
[1730297130] unbound[5379:0] info: processQueryTargets: google.com. A IN
[1730297130] unbound[5379:0] info: sending query: google.com. A IN
[1730297130] unbound[5379:0] debug: sending to target: <com.> 2001:503:83eb::30#53
[1730297130] unbound[5379:0] debug: cache memory msg=78073 rrset=130165 infra=41184 val=69264 subnet=74536
[1730297130] unbound[5379:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1730297130] unbound[5379:0] info: iterator operate: query google.com. A IN
[1730297130] unbound[5379:0] info: processQueryTargets: google.com. A IN
[1730297130] unbound[5379:0] info: sending query: google.com. A IN
[1730297130] unbound[5379:0] debug: sending to target: <com.> 192.41.162.30#53
[1730297130] unbound[5379:0] debug: cache memory msg=78073 rrset=130165 infra=41184 val=69264 subnet=74536
[1730297130] unbound[5379:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1730297130] unbound[5379:0] info: iterator operate: query google.com. A IN
[1730297130] unbound[5379:0] info: response for google.com. A IN
[1730297130] unbound[5379:0] info: reply from <com.> 192.41.162.30#53
[1730297130] unbound[5379:0] info: query response was REFERRAL
[1730297130] unbound[5379:0] info: processQueryTargets: google.com. A IN
[1730297130] unbound[5379:0] info: sending query: google.com. A IN
[1730297130] unbound[5379:0] debug: sending to target: <google.com.> 216.239.32.10#53
[1730297130] unbound[5379:0] debug: cache memory msg=78073 rrset=132972 infra=41184 val=69414 subnet=74536
[1730297130] unbound[5379:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
[1730297130] unbound[5379:0] info: iterator operate: query google.com. A IN
[1730297130] unbound[5379:0] info: response for google.com. A IN
[1730297130] unbound[5379:0] info: reply from <google.com.> 216.239.32.10#53
[1730297130] unbound[5379:0] info: query response was ANSWER
[1730297130] unbound[5379:0] info: finishing processing for google.com. A IN
[1730297130] unbound[5379:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1730297130] unbound[5379:0] info: validator operate: query google.com. A IN
[1730297130] unbound[5379:0] debug: subnetcache[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1730297130] unbound[5379:0] info: subnetcache operate: query google.com. A IN
[1730297130] unbound[5379:0] debug: cache memory msg=78333 rrset=133364 infra=41492 val=69414 subnet=74536

2 个回答

Voted

kos · Answer 1 · 2024-10-31T14:06:58+08:00

您可以tshark在服务器上运行，同时使用以下命令解析客户端的名称dig：

sudo tshark -i eth0 -Y'ip.src == 192.168.1.50 and dns.qry.type == 1'

在服务器上（替换eth0为 Unbound 用于与外部解析器通信的接口），例如

dig @192.168.1.50 -p3000 askubuntu.com A

在客户端上。

-Y'ip.src == 192.168.1.50 and dns.qry.type == 1'：设置过滤器以仅显示来自 IP 192.168.1.50（服务器）的类型 1（A）DNS 请求

通过tshark这种方式设置，任何来自 IP 192.168.1.50（服务器）通过eth0服务器接口的类型 1（A）DNS 请求都将显示出来，让您轻松了解请求是否由 Unbound 本身转发或解析，因为 Unbound 本身对该名称具有权威性/该名称已被缓存。

例如，如果我sudo tshark -i wlo1 -Y'ip.src == 192.168.1.93 and dns.qry.type == 1'在一个终端上停止运行并dig askubuntu.com A在另一个终端上运行，则会显示以下内容（我的机器在 192.168.1.93 上，并设置为通过查询 192.168.1.254 来解析名称）：

% sudo resolvectl flush-caches && sudo tshark -i wlo1 -Y'ip.src == 192.168.1.93 and dns.qry.type == 1'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlo1'
    4 2.092316755 192.168.1.93 → 192.168.1.254 DNS 84 Standard query 0xa9f9 A askubuntu.com OPT
1 packet captured

Sun Bear · Answer 2 · 2024-11-07T23:49:03+08:00

我发现了一种方法来检查这一点/etc/unbound/unbound.log。文件/etc/unbound/unbound.conf必须声明这些属性。

server:
    # For debugging
    verbosity: 4   # default is 1
    log-time-ascii:     yes
    log-queries:        yes
    log-replies:        yes
    log-tag-queryreply: yes
    #log-destaddr:       yes  # not working
    log-local-actions:  yes
    log-servfail:       yes

unbound.log将包含以下日志：

查询通过 TLS 转发到外部 DNS。

info: sending query: cnn.com. A IN
debug: sending to target: <.> 9.9.9.9#853
...
debug: the query is using TLS encryption, for dns.quad9.net
...
debug: SSL connection to dns.quad9.net authenticated ip4 9.9.9.9 port 853 (len 16)

外部DNS回复：

  debug: process_response: new external response event
  ...
  info: response for cnn.com. A IN
  info: reply from <.> 9.9.9.9#853

查询域名的ip地址：

  ;; ANSWER SECTION:
  cnn.com.   43  IN  A   151.101.195.5
  cnn.com.   43  IN  A   151.101.67.5
  cnn.com.   43  IN  A   151.101.131.5
  cnn.com.   43  IN  A   151.101.3.5

我的问题中显示的日志不包含这些行，因为它们不是使用这些属性生成的。

当 Unbound 配置为转发域查询时，如何验证所有解析的域 IP 是否来自外部 DNS 解析器？

如何运行 .sh 脚本？

如何安装 .tar.gz（或 .tar.bz2）文件？

如何列出所有已安装的软件包

无法锁定管理目录 (/var/lib/dpkg/) 是另一个进程在使用它吗？

当 Unbound 配置为转发域查询时，如何验证所有解析的域 IP 是否来自外部 DNS 解析器？

2 个回答

相关问题