权威 DNS 相关问题
Q2h1Cg opened this issue · 2 comments
Q2h1Cg commented
枚举 shifen.com 时注意到一个问题:
➜ ~ dig ns shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns shifen.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64331
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;shifen.com. IN NS
;; ANSWER SECTION:
shifen.com. 86400 IN NS ns3.baidu.com.
shifen.com. 86400 IN NS ns2.baidu.com.
shifen.com. 86400 IN NS ns4.baidu.com.
shifen.com. 86400 IN NS ns1.baidu.com.
;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 23 04:41:34 CST 2017
;; MSG SIZE rcvd: 117
➜ ~ dig @ns1.baidu.com xi.n.shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39548
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com. IN A
;; AUTHORITY SECTION:
n.shifen.com. 86400 IN NS ns3.n.shifen.com.
n.shifen.com. 86400 IN NS ns4.n.shifen.com.
n.shifen.com. 86400 IN NS ns5.n.shifen.com.
n.shifen.com. 86400 IN NS ns2.n.shifen.com.
n.shifen.com. 86400 IN NS ns1.n.shifen.com.
;; ADDITIONAL SECTION:
ns1.n.shifen.com. 600 IN A 61.135.165.226
ns2.n.shifen.com. 600 IN A 180.149.133.243
ns3.n.shifen.com. 1200 IN A 61.135.162.218
ns4.n.shifen.com. 1200 IN A 115.239.210.178
ns5.n.shifen.com. 1200 IN A 119.75.222.14
;; Query time: 15 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:41:42 CST 2017
;; MSG SIZE rcvd: 214
可以看到虽然 ns1.baidu.com 是 shifen.com 的权威 DNS,但其并不是 n.shifen.com 的权威 DNS。
而因为程序是通过权威 DNS 来进行查询的(枚举前获取根域名的权威 DNS),但权威 DNS 并不会递归查询,这导致在 ns1.baidu.com 上查询 xi.n.shifen.com 结果为空:
➜ ~ dig @ns1.baidu.com xi.n.shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1341
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com. IN A
;; AUTHORITY SECTION:
n.shifen.com. 86400 IN NS ns1.n.shifen.com.
n.shifen.com. 86400 IN NS ns4.n.shifen.com.
n.shifen.com. 86400 IN NS ns5.n.shifen.com.
n.shifen.com. 86400 IN NS ns2.n.shifen.com.
n.shifen.com. 86400 IN NS ns3.n.shifen.com.
;; ADDITIONAL SECTION:
ns1.n.shifen.com. 600 IN A 61.135.165.226
ns2.n.shifen.com. 600 IN A 180.149.133.243
ns3.n.shifen.com. 1200 IN A 61.135.162.218
ns4.n.shifen.com. 1200 IN A 115.239.210.178
ns5.n.shifen.com. 1200 IN A 119.75.222.14
;; Query time: 5 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:49:16 CST 2017
;; MSG SIZE rcvd: 214
这个问题最好的解决办法是自己去实现递归查询的过程,但这将严重拖慢整体速度(成倍增长)且工作量略大(可能需要调整程序架构),拖慢整体速度这个点我是接受不了的。
考虑到引入权威 DNS 的原因是为了获取 DNS 记录真正的 TTL,用于泛解析域名黑名单指纹,而实际中真实存在的 DNS 记录指向泛解析记录的情况很少(此种情况采取判断 TTL)。所以最后还是考虑采用折中的解决办法:舍弃权威 DNS,恢复原始的公共 DNS 的方式。
Q2h1Cg commented
接受受不了折中,速度与准确率都应该保证。
如下解决方式:
- 发现某子域名 DNS 响应不是权威 DNS 后将其父级域名的权威 DNS 保存至hash表、新建连接并枚举其
- 对接下来的子域名判断其父域名是否存在于表中,若存在则通过已有连接枚举;若不存在则进行第一步
这样可以避免对每个域名都去获取其权威 DNS,只获取一次对整体速度的影响不大。
需要修改程序整体架构,慢慢改吧,实在是改不好的时候再去考虑折中 : )
Q2h1Cg commented
新版本已解决