Hi, about a month ago (sometime during September, maybe earlier) an interesting DNS problem started showing up in my network.
Let me describe the situation:
in the attic I have a Debian box with two NICs; one is plugged into the ISP, where it gets an IP address from the 10.x.x.x range, the other goes into the home network, where the range is 192.168.2.x.
on this box (I call it gw, as in gateway) runs NAT with masquerade, a simple nftables firewall, dhcpd for the local network, and bind, also for the local network. Nothing unusual, I guess. The bind is there so that some .gw domains end up on this box, because I have some services there that I want to see from the local network this way. Otherwise I want DNS to work via the ISP's. DHCPd of course advertises 192.168.2.1, which is the gw's IP, as the DNS server.
From the ISP the box gets DNS servers, which seem to work fine:
root@router:/etc/bind# cat /etc/resolv.conf
domain unhfree.czf
search unhfree.czf
nameserver 10.98.231.66
nameserver 10.98.0.250
root@router:/etc/bind# dig www.ikea.com
; <<>> DiG 9.16.15-Debian <<>> www.ikea.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13450
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ikea.com. IN A
;; ANSWER SECTION:
www.ikea.com. 66303 IN CNAME san.ev11958.ikea.com.edgekey.net.
san.ev11958.ikea.com.edgekey.net. 1503 IN CNAME e11958.x.akamaiedge.net.
e11958.x.akamaiedge.net. 20 IN A 104.64.121.234
;; Query time: 8 msec
;; SERVER: 10.98.231.66#53(10.98.231.66)
;; WHEN: Ne říj 10 13:03:36 CEST 2021
;; MSG SIZE rcvd: 137
As you can see, I get an IP, and I can view the site from links too.
The problem is, though, on all the computers in the local network that have the gw as their DNS server.
look:
When I ask from a computer on the network, I get squat. (This is Ubuntu, which probably has some intermediate layer, because its resolv.conf has this; but Android phones, for example, have the same problem.)
nameserver 127.0.0.53
options edns0 trust-ad
search kktnk.router
; <<>> DiG 9.16.1-Ubuntu <<>> www.ikea.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9152
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.ikea.com. IN A
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Ne říj 10 13:07:49 CEST 2021
;; MSG SIZE rcvd: 41
When I ask via the gw, it's a hair better, I get the CNAME, but that's not much use:
ktk@ktk-OptiPlex-7060:~$ dig @192.168.2.1 www.ikea.com
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.2.1 www.ikea.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0ff74caea2e2f63b010000006162c996b129e3df811a0bd4 (good)
;; QUESTION SECTION:
;www.ikea.com. IN A
;; ANSWER SECTION:
www.ikea.com. 66033 IN CNAME san.ev11958.ikea.com.edgekey.net.
;; Query time: 12 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Ne říj 10 13:08:06 CEST 2021
;; MSG SIZE rcvd: 115
ktk@ktk-OptiPlex-7060:~$ dig @192.168.2.1 san.ev11958.ikea.com.edgekey.net.
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.2.1 san.ev11958.ikea.com.edgekey.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40476
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d80f9182ab1f874e010000006162c9dc090adad20ae28151 (good)
;; QUESTION SECTION:
;san.ev11958.ikea.com.edgekey.net. IN A
;; Query time: 8 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Ne říj 10 13:09:16 CEST 2021
;; MSG SIZE rcvd: 89
Only when I ask via the ISP's DNS (or Google's, say) do I get an answer.
ktk@ktk-OptiPlex-7060:~$ dig @10.98.231.66 www.ikea.com
; <<>> DiG 9.16.1-Ubuntu <<>> @10.98.231.66 www.ikea.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33221
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ikea.com. IN A
;; ANSWER SECTION:
www.ikea.com. 65914 IN CNAME san.ev11958.ikea.com.edgekey.net.
san.ev11958.ikea.com.edgekey.net. 1114 IN CNAME e11958.x.akamaiedge.net.
e11958.x.akamaiedge.net. 20 IN A 104.64.121.234
;; Query time: 7 msec
;; SERVER: 10.98.231.66#53(10.98.231.66)
;; WHEN: Ne říj 10 13:10:05 CEST 2021
;; MSG SIZE rcvd: 137
It happens with more sites, not just ikea, on all computers in the network. And the common trait I've noticed so far is that they are mostly CNAMEs to another domain with a .net TLD. But that could be a false lead. I'm also attaching the bind configs, in case they help.
Isn't there anyone more knowledgeable than me here who could take a look and see it? I see squat.. :/
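As an added example (not part of the original post), here is a small Python script that parses dig's text output the way the transcripts above are laid out and classifies each answer as complete, dangling at an unresolved CNAME target, or empty, so the resolver that breaks the chain stands out. The embedded transcripts are constructed excerpts modelled on the ones above, and the function names are my own.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
SERVER_RE = re.compile(r";; SERVER: ([\d.:a-fA-F]+)#\d+")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")  # owner ttl class type rdata

def parse_dig(text):
    """Return (server, status, [(owner, type, rdata), ...]) from one dig transcript."""
    status = server = None
    rrs, in_answer = [], False
    for line in text.splitlines():
        line = line.strip()
        if m := STATUS_RE.search(line):
            status = m.group(1)
        elif m := SERVER_RE.match(line):
            server = m.group(1)
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";"):
            in_answer = False  # any other comment line ends the answer section
        elif in_answer and (m := RR_RE.match(line)):
            rrs.append((m.group(1), m.group(3), m.group(4)))
    return server, status, rrs

def classify(text):
    """complete: got an address; dangling_cname: chain stops at an unresolved CNAME target; empty."""
    _, _, rrs = parse_dig(text)
    types = {t for _, t, _ in rrs}
    if types & {"A", "AAAA"}:
        return "complete"
    return "dangling_cname" if "CNAME" in types else "empty"

def compare(*transcripts):  # answering server -> verdict, to spot the resolver that breaks
    return {parse_dig(t)[0]: classify(t) for t in transcripts}

# Constructed excerpts in dig's format, modelled on the transcripts in the post.
VIA_GW = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41534
;; ANSWER SECTION:
www.ikea.com. 66033 IN CNAME san.ev11958.ikea.com.edgekey.net.
;; SERVER: 192.168.2.1#53(192.168.2.1)
"""
VIA_ISP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33221
;; ANSWER SECTION:
www.ikea.com. 65914 IN CNAME san.ev11958.ikea.com.edgekey.net.
san.ev11958.ikea.com.edgekey.net. 1114 IN CNAME e11958.x.akamaiedge.net.
e11958.x.akamaiedge.net. 20 IN A 104.64.121.234
;; SERVER: 10.98.231.66#53(10.98.231.66)
"""
```

Feed it the saved output of `dig @<resolver> <name>` for each resolver; a `dangling_cname` verdict next to a `complete` one for the same name localises the failure to the forwarding path of that resolver.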