Server / Private addresses in public DNS, knot-resolver and apple.com
« Last post by pcmonkey on Today at 08:37:19 »
Hi everyone,
I would like to share an unpleasant experience from the beginning of this week. Apparently in connection with the new iOS release, Apple changed its DNS so that the NS records for ess.apple.com point to private addresses per RFC1918. This happened on 16.9. at about 1:20.
dig -4 +trace ns ess.apple.com.
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> -4 +trace ns ess.apple.com.
---cut ---
ess.apple.com. 43200 IN NS a.ns.apple.com.
ess.apple.com. 43200 IN NS b.ns.apple.com.
ess.apple.com. 43200 IN NS c.ns.apple.com.
ess.apple.com. 43200 IN NS d.ns.apple.com.
ess.apple.com. 43200 IN NS usmsc2-extxfr-001.dns.apple.com.
ess.apple.com. 43200 IN NS mressext-axfrdnsvip.mr.if.apple.com.
ess.apple.com. 43200 IN NS pvessext-axfrdnsvip.pv.if.apple.com.
ess.apple.com. 43200 IN NS stessext-axfrdnsvip.st.if.apple.com.
;; Received 499 bytes from 204.19.119.1#53(c.ns.apple.com) in 8 ms
;; communications error to 10.52.192.140#53: timed out
;; communications error to 10.52.192.140#53: timed out
;; communications error to 10.52.192.140#53: timed out
ess.apple.com. 43200 IN NS a.ns.apple.com.
ess.apple.com. 43200 IN NS b.ns.apple.com.
ess.apple.com. 43200 IN NS c.ns.apple.com.
ess.apple.com. 43200 IN NS d.ns.apple.com.
ess.apple.com. 43200 IN NS usmsc2-extxfr-001.dns.apple.com.
ess.apple.com. 43200 IN NS mressext-axfrdnsvip.mr.if.apple.com.
ess.apple.com. 43200 IN NS pvessext-axfrdnsvip.pv.if.apple.com.
ess.apple.com. 43200 IN NS stessext-axfrdnsvip.st.if.apple.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 499 bytes from 204.19.119.1#53(c.ns.apple.com) in 8 ms
;; communications error to 10.52.200.235#53: timed out
ess.apple.com. 300 IN NS a.ns.apple.com.
ess.apple.com. 300 IN NS b.ns.apple.com.
ess.apple.com. 300 IN NS c.ns.apple.com.
ess.apple.com. 300 IN NS d.ns.apple.com.
;; Received 137 bytes from 17.253.207.1#53(b.ns.apple.com) in 8 ms
The last three NS for ess.apple.com are on private addresses. Sad...
If you use knot-resolver and have DNS rebinding protection enabled (modules.load('rebinding < iterate')), knot-resolver sends REFUSED (rcode 5), even though the actual result of the resolution does not lead to a private address.
If you have busier DNS resolvers, this leads to massive traffic amplification. Apple clients then keep retrying over and over. Unbound resolves this.
A.
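As an added defensive check (not code from the post, from Apple or from knot-resolver), the following Python script parses a dig +trace transcript like the one above and flags every server address dig tried that falls into RFC 1918 space; the sample transcript is constructed from the post's output. It goes slightly beyond the post by covering all three RFC 1918 ranges and by not counting link-local or IPv6 addresses, which are not RFC 1918.

```python
import ipaddress
import re

# The three RFC 1918 ranges; link-local (169.254/16) and IPv6 ULA are deliberately not included.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an abbreviated `dig -4 +trace` transcript in the shape of the one in the post.
SAMPLE_TRACE = """\
ess.apple.com. 43200 IN NS c.ns.apple.com.
ess.apple.com. 43200 IN NS mressext-axfrdnsvip.mr.if.apple.com.
;; Received 499 bytes from 204.19.119.1#53(c.ns.apple.com) in 8 ms
;; communications error to 10.52.192.140#53: timed out
;; communications error to 10.52.200.235#53: timed out
ess.apple.com. 300 IN NS a.ns.apple.com.
;; Received 137 bytes from 17.253.207.1#53(b.ns.apple.com) in 8 ms
"""

# dig reports each server it talked to (or failed to reach) as "<address>#<port>".
ADDR_RE = re.compile(r"(?:communications error to|Received \d+ bytes from) (\S+?)#\d+")


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def contacted_servers(trace: str) -> list:
    """Server addresses dig tried during the trace, in the order they appear."""
    servers = []
    for line in trace.splitlines():
        m = ADDR_RE.search(line)
        if m:
            servers.append(m.group(1))
    return servers


def private_delegation_targets(trace: str) -> list:
    """Addresses a public resolver was referred to that it can never reach: the post's failure mode."""
    return sorted({a for a in contacted_servers(trace) if is_rfc1918(a)}, key=ipaddress.ip_address)


if __name__ == "__main__":
    for addr in private_delegation_targets(SAMPLE_TRACE):
        print(f"delegation points into RFC 1918 space: {addr}")
```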