Root.cz Forum
Main topics => Server => Topic started by: Janko Hrasko 27. 04. 2021, 13:55:39
-
Hello.
May I ask whether you are able to resolve Chilean domains from DNS servers in Central Europe? I know for certain that an A record exists for the domain www.movistar.cl. Google's DNS server sees it. But any DNS server in the Czech Republic returns an empty record for a recursive query for the domain www.movistar.cl. It does not work from the nic.cz DNS servers either.
From Google's DNS it works:
root@ns2:~# dig @8.8.8.8 www.movistar.cl
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> @8.8.8.8 www.movistar.cl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43814
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.movistar.cl. IN A
;; ANSWER SECTION:
www.movistar.cl. 4 IN A 200.54.125.173
;; Query time: 442 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 27 11:46:00 UTC 2021
;; MSG SIZE rcvd: 60
A query to the nic.cz DNS server does not work, and neither do the others in Central Europe that I tried:
root@ns2:~# dig @193.17.47.1 www.movistar.cl
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> @193.17.47.1 www.movistar.cl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.movistar.cl. IN A
;; Query time: 2083 msec
;; SERVER: 193.17.47.1#53(193.17.47.1)
;; WHEN: Tue Apr 27 11:53:13 UTC 2021
;; MSG SIZE rcvd: 44
-
From the T-Mobile network:
$ dig www.movistar.cl @200.54.125.35
; <<>> DiG 9.10.6 <<>> www.movistar.cl @200.54.125.35
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig +tcp www.movistar.cl @200.54.125.35
;; Connection to 200.54.125.35#53(200.54.125.35) for www.movistar.cl failed: timed out.
;; Connection to 200.54.125.35#53(200.54.125.35) for www.movistar.cl failed: timed out.
; <<>> DiG 9.10.6 <<>> +tcp www.movistar.cl @200.54.125.35
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 200.54.125.35#53(200.54.125.35) for www.movistar.cl failed: timed out.
$ dig www.movistar.cl @201.220.232.36
; <<>> DiG 9.10.6 <<>> www.movistar.cl @201.220.232.36
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig +tcp www.movistar.cl @201.220.232.36
;; Connection to 201.220.232.36#53(201.220.232.36) for www.movistar.cl failed: timed out.
;; Connection to 201.220.232.36#53(201.220.232.36) for www.movistar.cl failed: timed out.
; <<>> DiG 9.10.6 <<>> +tcp www.movistar.cl @201.220.232.36
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 201.220.232.36#53(201.220.232.36) for www.movistar.cl failed: timed out.
However, from another network, with relatively new addresses (allocated by RIPE NCC in 2018):
# dig www.movistar.cl @200.54.125.35
; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> www.movistar.cl @200.54.125.35
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61271
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3ed4f78bfb152eb191c7c2306087fb01ededa8c7de4336c7 (good)
;; QUESTION SECTION:
;www.movistar.cl. IN A
;; AUTHORITY SECTION:
www.movistar.cl. 600 IN NS dns-webmovistar-ext1.movistar.cl.
www.movistar.cl. 600 IN NS dns-webmovistar-ext2.movistar.cl.
;; ADDITIONAL SECTION:
dns-webmovistar-ext1.movistar.cl. 14400 IN A 200.54.125.32
dns-webmovistar-ext2.movistar.cl. 14400 IN A 186.148.3.14
;; Query time: 222 msec
;; SERVER: 200.54.125.35#53(200.54.125.35)
;; WHEN: Tue Apr 27 14:52:36 CEST 2021
;; MSG SIZE rcvd: 174
So: from some places it works, from others it does not. As if they had blocked some Czech networks.
Moreover: www.movistar.cl has no record even on the authoritative nameservers; only movistar.cl works:
# dig movistar.cl @200.54.125.35
; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> movistar.cl @200.54.125.35
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39649
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 277208bc5fd6270dd202036d6087fbcfacf5f01e5459fb54 (good)
;; QUESTION SECTION:
;movistar.cl. IN A
;; ANSWER SECTION:
movistar.cl. 14400 IN A 200.54.125.238
;; AUTHORITY SECTION:
movistar.cl. 14400 IN NS dns01.movistar.cl.
movistar.cl. 14400 IN NS dns02.movistar.cl.
;; ADDITIONAL SECTION:
dns02.movistar.cl. 14400 IN A 201.220.232.36
dns01.movistar.cl. 14400 IN A 200.54.125.35
;; Query time: 226 msec
;; SERVER: 200.54.125.35#53(200.54.125.35)
;; WHEN: Tue Apr 27 14:56:02 CEST 2021
;; MSG SIZE rcvd: 156
-
But any DNS server in the Czech Republic returns an empty record for a recursive query for the domain www.movistar.cl.
It does not return an empty record, it returns the SERVFAIL error. That can mean either a DNSSEC validation failure or an inability to reach the authoritative servers.
The output of the command unbound-host -dd movistar.cl shows that resolution gets stuck in a loop querying the addresses 201.220.232.36 and 200.54.125.35. Those are the only two addresses of authoritative servers for the domain movistar.cl. Those addresses respond normally from abroad, they even respond to ping, whereas for queries from Czechia everything ends up in a black hole. According to traceroute, the traffic gets lost fairly far along, somewhere beyond Telefónica's network. So it looks like some kind of blocking on the recipient's side, most likely based on GeoIP.
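The two SERVFAIL explanations from the last reply can be told apart mechanically. The following is an added example, not part of the original thread: it classifies dig transcripts like the ones posted above and then decides between a DNSSEC validation failure and unreachable authoritative servers. The function names and verdict words are this example's own, and the retry with `dig +cd` (validation disabled) is an assumed extra step that nobody in the thread ran.

```shell
# classify_dig: read one dig transcript on stdin, print a one-word verdict.
classify_dig() {
    awk '
        /connection timed out/ { timeout = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {
            aa = ($0 ~ /flags:[^;]* aa[ ;]/)   # aa flag: server is authoritative
            for (i = 1; i < NF; i++) {
                if ($i == "ANSWER:")    answer    = $(i + 1) + 0
                if ($i == "AUTHORITY:") authority = $(i + 1) + 0
            }
        }
        END {
            if (status == "" && timeout)   print "timeout"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "other"
            else if (answer > 0)           print (aa ? "authoritative-answer" : "answer")
            else if (!aa && authority > 0) print "referral"   # NS records only: delegation
            else                           print "nodata"
        }'
}

# servfail_cause RESOLVER_VERDICT CD_VERDICT AUTH_VERDICT... (CD = same query with dig +cd)
servfail_cause() {
    resolver=$1; cd_verdict=$2; shift 2
    [ "$resolver" = "servfail" ] || { echo "not-servfail"; return; }
    case $cd_verdict in
        servfail) ;;                                  # validation is not the cause
        timeout|other) echo "inconclusive"; return ;;
        *) echo "dnssec-validation"; return ;;        # resolves once validation is off
    esac
    [ $# -gt 0 ] || { echo "inconclusive"; return; }
    for v in "$@"; do
        [ "$v" = "timeout" ] || { echo "authoritative-reachable-from-here"; return; }
    done
    echo "authoritatives-unreachable"
}

# Sample lines abridged from the transcripts in this thread.
SERVFAIL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'
r=$(printf '%s\n' "$SERVFAIL_SAMPLE" | classify_dig)
a=$(printf '%s\n' "$TIMEOUT_SAMPLE" | classify_dig)
# Assumption: the +cd retry also failed (the thread shows no +cd transcript).
servfail_cause "$r" "$r" "$a" "$a"
```

For live use, pipe real output into the classifier, for example `dig +norecurse NAME @AUTH_IP | classify_dig`, once per authoritative address and from each network you want to compare.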