I recently set up a new DNS server using Bind (v9.18.28-1), and repeated blocks of errors are showing up in my "general" log file:
02-Oct-2024 09:49:09.723 resolver: DNS format error from 2001:7fe::53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.755 resolver: DNS format error from 2001:dc3::35#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.787 resolver: DNS format error from 2001:500:2f::f#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.819 resolver: DNS format error from 2001:500:12::d0d#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.851 resolver: DNS format error from 2001:503:c27::2:30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.883 resolver: DNS format error from 2001:500:2::c#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.919 resolver: DNS format error from 2001:500:2d::d#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.951 resolver: DNS format error from 2001:7fd::1#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.991 resolver: DNS format error from 2001:500:9f::42#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.027 resolver: DNS format error from 2801:1b8:10::b#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.059 resolver: DNS format error from 2001:500:a8::e#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.095 resolver: DNS format error from 2001:500:1::53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.127 resolver: DNS format error from 2001:503:ba3e::2:30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.163 resolver: DNS format error from 192.36.148.17#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.183 resolver: DNS format error from 202.12.27.33#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.207 resolver: DNS format error from 192.5.5.241#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.227 resolver: DNS format error from 192.112.36.4#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.251 resolver: DNS format error from 192.58.128.30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.275 resolver: DNS format error from 192.33.4.12#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.299 resolver: DNS format error from 199.7.91.13#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.323 resolver: DNS format error from 193.0.14.129#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.347 resolver: DNS format error from 199.7.83.42#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.371 resolver: DNS format error from 170.247.170.2#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.395 resolver: DNS format error from 192.203.230.10#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.423 resolver: DNS format error from 198.97.190.53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.447 resolver: DNS format error from 198.41.0.4#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.447 resolver: resolver priming query complete: failure
These appear to be all of the root name servers listed in my /usr/share/dns/root.hints file.
That file is referenced by this zone block in my named configuration file:
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
Here are the options I have set:
options {
    directory "/var/cache/bind";
    allow-query {
        any;
    };
    forwarders {
        1.1.1.1;
    };
    allow-recursion {
        xx.xx.xx.xx/29;
        //10.0.0.0/8;
        10.1.0.0/16;
    };
    // hide version #
    version "unknown";
    dnssec-validation auto;
};
Any idea what is causing these format errors, and what can I do to fix them?
Thanks all!
It sounds as if something (your firewall, your ISP's firewall, etc.) is intercepting all of your DNS queries and redirecting them to another resolver.
Run
dig . ns @a.root-servers.net
You should see the aa flag in the header (the "root" servers are authoritative), the ra flag (the "root" servers never provide recursive service) and the ad flag (authoritative servers do not DNSSEC-validate their own data); if the result differs from what is listed above, your queries are most likely being redirected to another server.
To investigate further, run:
dig +short hostname.bind CH TXT @a.root-servers.net
dig +short version.bind CH TXT @a.root-servers.net
and repeat this for each of
{a..m}.root-servers.net
You should get a different result from each server (B-root runs "knot 3.x", D-root runs "NSD 4", and so on). If the results are all the same, it means every query is being redirected, and the reported hostname may hint at who owns the rogue server (if they forgot to hide it). Sometimes DNS interception is set up only for UDP and not for TCP (although all of the servers support both), so
dig +vc <query> @<server>
may bypass it. B-root also supports DNS-over-TLS, so you can try
dig +tls <query> @b.root-servers.net
and compare the results with those you get "normally". Since your BIND appears to be configured to always rely on forwarding queries to 1.1.1.1 (rather than acting as an independent resolver), you can silence the messages by removing the entire
zone "."
definition.
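The flag check and the UDP-versus-TCP comparison from the answer above, as an added example in Python that is not part of the original post: it builds the same queries dig sends, decodes the header flags dig prints, and reports why a "./NS" reply does not look like it came from a root server. The two sample replies at the end are constructed for the offline checks; the function, constant and server names are the example's own.

```python
import socket
import struct

# Header flag bits (RFC 1035; AD from RFC 4035) and the query types/classes dig uses here.
QR, AA, TC, RD, RA, AD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020
QTYPE_NS, QTYPE_TXT, CLASS_IN, CLASS_CH = 2, 16, 1, 3

def build_query(qname, qtype, qclass=CLASS_IN, txn_id=0x1234):
    """Wire-format question with RD clear, as 'dig +norecurse' sends it."""
    labels = [l.encode() for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txn_id, 0, 1, 0, 0, 0) + name + struct.pack(">HH", qtype, qclass)

def parse_flags(response):
    """Decode the header flag word into the names dig prints on its 'flags:' line."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack(">H", response[2:4])[0]
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "ad": bool(flags & AD),
            "rcode": flags & 0x000F}

def interception_signs(response):
    """Reasons a './NS' reply does not look like a root server's (empty list = looks genuine)."""
    f = parse_flags(response)
    signs = []
    if not f["aa"]:
        signs.append("aa missing: responder is not authoritative for the root")
    if f["ra"]:
        signs.append("ra set: responder offers recursion, which root servers never do")
    if f["ad"]:
        signs.append("ad set: responder validated the data itself, which authoritative servers do not")
    return signs

def send_query(server, packet, tcp=False, timeout=3.0):
    """Send one query over UDP, or over TCP (2-byte length prefix) to test the 'dig +vc' bypass."""
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(packet)) + packet)
            length = struct.unpack(">H", s.recv(2))[0]
            return s.recv(length)
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

# Constructed sample replies (header + question section only) for the offline checks.
ROOT_LIKE = struct.pack(">HHHHHH", 0x1234, QR | AA, 1, 0, 0, 0) + build_query(".", QTYPE_NS)[12:]
HIJACKED = struct.pack(">HHHHHH", 0x1234, QR | RD | RA | AD, 1, 0, 0, 0) + build_query(".", QTYPE_NS)[12:]
```

Against a live root server, compare `interception_signs(send_query("a.root-servers.net", build_query(".", QTYPE_NS)))` for UDP and for `tcp=True`; a non-empty list on UDP only is the UDP-only interception the answer describes.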