Por que esses pacotes UDP estão sendo descartados?

2

Ao tentar resolver dnsviz.net de um host usando um resolvedor Unbound configurado para usar a validação DNSSEC, o resultado é "nenhum servidor pôde ser alcançado":

$ dig -t soa dnsviz.net
; <<>> DiG 9.6-ESV-R4 <<>> -t soa dnsviz.net
;; global options: +cmd
;; connection timed out; no servers could be reached

Nada é registrado pelo Unbound para sugerir porque é esse o caso.

Aqui está o /etc/unbound/unbound.conf :

server:
    verbosity: 1
    interface: 192.168.0.8
    interface: 127.0.0.1
    interface: ::0
    access-control: 0.0.0.0/0      refuse
    access-control: ::0/0          refuse
    access-control: 127.0.0.0/8    allow_snoop
    access-control: 192.168.0.0/16 allow_snoop
    chroot: ""
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-log-level: 2
python:
remote-control:
    control-enable: yes

Se eu adicionar:

module-config: "iterator"

(desativando assim a validação DNSSEC), então eu sou capaz de resolver esse host normalmente.

O domínio e seu DNSSEC conferem a multa de acordo com link então deve haver algo errado com meu configuração do resolver.

O que é e como faço para depurar isso?

Atualização:

Alguém sugeriu que eu use unbound-host no modo de depuração para obter mais informações. Aqui vamos nós:

$ /usr/local/sbin/unbound-host -d -4 -v -C /etc/unbound/unbound.conf -t a dnsviz.net
[1341735286] libunbound[27690:0] notice: init module 0: validator
[1341735286] libunbound[27690:0] notice: init module 1: iterator
[1341735286] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735286] libunbound[27690:0] info: priming . IN NS
[1341735288] libunbound[27690:0] info: response for . NS IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.5.5.241#53
[1341735288] libunbound[27690:0] info: query response was ANSWER
[1341735288] libunbound[27690:0] info: priming successful for . NS IN
[1341735288] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 128.8.10.90#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735288] libunbound[27690:0] info: reply from <net.> 192.42.93.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: resolving ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: resolving ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: resolving ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 199.7.83.42#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.58.128.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <.> 192.112.36.4#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735288] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735288] libunbound[27690:0] info: reply from <gov.> 209.112.123.30#53
[1341735288] libunbound[27690:0] info: query response was REFERRAL
[1341735300] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735300] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735300] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.29#53
[1341735300] libunbound[27690:0] info: query response was ANSWER
[1341735300] libunbound[27690:0] info: resolving ns1.ca.sandia.gov. A IN
[1341735301] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735301] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735301] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.66#53
[1341735301] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.65#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735310] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.65#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735310] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735310] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735310] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735310] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.29#53
[1341735310] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735311] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735311] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735311] libunbound[27690:0] info: reply from <sandia.gov.> 198.206.219.66#53
[1341735311] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735315] libunbound[27690:0] info: resolving ns2.ca.sandia.gov. A IN
[1341735315] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735315] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735315] libunbound[27690:0] info: query response was REFERRAL
[1341735328] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.28 port 53
[1341735328] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735328] libunbound[27690:0] info: reply from <ca.sandia.gov.> 198.102.153.28#53
[1341735328] libunbound[27690:0] info: query response was ANSWER
[1341735328] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735328] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735328] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.65#53
[1341735328] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735332] libunbound[27690:0] info: response for ns2.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735332] libunbound[27690:0] info: query response was ANSWER
[1341735332] libunbound[27690:0] info: resolving ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735332] libunbound[27690:0] info: query response was REFERRAL
[1341735332] libunbound[27690:0] info: response for ns1.ca.sandia.gov. A IN
[1341735332] libunbound[27690:0] info: reply from <sandia.gov.> 198.102.153.28#53
[1341735332] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.28#53
[1341735333] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735333] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.102.153.29 port 53
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.29#53
[1341735333] libunbound[27690:0] info: query response was DNSSEC LAME
[1341735333] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.28#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: prime trust anchor
[1341735333] libunbound[27690:0] info: resolving . DNSKEY IN
[1341735333] libunbound[27690:0] info: response for . DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <.> 192.5.5.241#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] error: Could not open autotrust file for writing, /etc/unbound/root.key: Permission denied
[1341735333] libunbound[27690:0] info: validate keys with anchor(DS): sec_status_secure
[1341735333] libunbound[27690:0] info: Successfully primed trust anchor . DNSKEY IN
[1341735333] libunbound[27690:0] info: validated DS net. DS IN
[1341735333] libunbound[27690:0] info: resolving net. DNSKEY IN
[1341735333] libunbound[27690:0] info: response for net. DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <net.> 192.48.79.30#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: validated DNSKEY net. DNSKEY IN
[1341735333] libunbound[27690:0] info: validated DS dnsviz.net. DS IN
[1341735333] libunbound[27690:0] info: resolving dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: response for dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: reply from <dnsviz.net.> 198.102.153.29#53
[1341735333] libunbound[27690:0] info: query response was ANSWER
[1341735333] libunbound[27690:0] info: validated DNSKEY dnsviz.net. DNSKEY IN
[1341735333] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735333] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.66 port 53
[1341735358] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.66#53
[1341735358] libunbound[27690:0] info: query response was ANSWER
[1341735358] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735358] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: timeouts, concluded that connection to host drops EDNS packets 198.206.219.65 port 53
[1341735358] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735358] libunbound[27690:0] info: reply from <dnsviz.net.> 198.206.219.65#53
[1341735358] libunbound[27690:0] info: query response was ANSWER
[1341735358] libunbound[27690:0] info: Could not establish validation of INSECURE status of unsigned response.
[1341735358] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735374] libunbound[27690:0] info: resolving dnsviz.net. A IN
[1341735375] libunbound[27690:0] info: response for dnsviz.net. A IN
[1341735375] libunbound[27690:0] info: reply from <net.> 192.54.112.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
[1341735375] libunbound[27690:0] info: resolving ns9.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: response for ns9.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
[1341735375] libunbound[27690:0] info: resolving ns8.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: response for ns8.sandia.gov. A IN
[1341735375] libunbound[27690:0] info: reply from <gov.> 69.36.157.30#53
[1341735375] libunbound[27690:0] info: query response was REFERRAL
Host dnsviz.net not found: 2(SERVFAIL). (insecure)

Eu ainda não tive a chance de escolher isso corretamente, mas o concluded that connection to host drops EDNS packets bit salta para mim.

Atualização:

Isso não tem nada a ver com o Unbound - meu host de firewall não está encaminhando alguns pacotes UDP.

eth0 é o lado da Internet do firewall, eth1 é o lado da LAN. tcpdump de ambas as interfaces ao emitir dig +norec +dnssec @198.102.153.29 sandia.gov em uma máquina na LAN (o servidor DNS da pergunta):

# tcpdump -vpni eth0 'host 198.102.153.29'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:37:57.234085 IP (tos 0x0, ttl  63, id 32258, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok]  24755 [1au] A? sandia.gov. (39)
09:37:57.387165 IP (tos 0x4, ttl  47, id 48355, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722:  24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:37:57.387502 IP (tos 0x4, ttl  47, id 48355, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
09:38:02.234014 IP (tos 0x0, ttl  63, id 32259, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok]  24755 [1au] A? sandia.gov. (39)
09:38:02.386762 IP (tos 0x4, ttl  47, id 48356, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722:  24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:38:02.387101 IP (tos 0x4, ttl  47, id 48356, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp
09:38:07.260492 IP (tos 0x0, ttl  63, id 32260, offset 0, flags [none], length: 67) 82.69.129.108.37722 > 198.102.153.29.53: [udp sum ok]  24755 [1au] A? sandia.gov. (39)
09:38:07.433906 IP (tos 0x4, ttl  47, id 48357, offset 0, flags [+], length: 1196) 198.102.153.29.53 > 82.69.129.108.37722:  24755*- 2/5/13 sandia.gov. A 132.175.81.4, sandia.gov. (1168)
09:38:07.434244 IP (tos 0x4, ttl  47, id 48357, offset 1176, flags [none], length: 1498) 198.102.153.29 > 82.69.129.108: udp

9 packets captured
9 packets received by filter
0 packets dropped by kernel
# tcpdump -vpni eth1 'host 198.102.153.29'                                                                                                          
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:38:20.646202 IP (tos 0x0, ttl  64, id 32261, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok]  31422 [1au] A? sandia.gov. (39)
09:38:25.645589 IP (tos 0x0, ttl  64, id 32262, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok]  31422 [1au] A? sandia.gov. (39)
09:38:30.645640 IP (tos 0x0, ttl  64, id 32263, offset 0, flags [none], length: 67) 192.168.0.8.54056 > 198.102.153.29.53: [udp sum ok]  31422 [1au] A? sandia.gov. (39)

Observe que a eth0 recebe vários pacotes UDP que não estão sendo encaminhados.

As regras de firewall são bem simples, sendo basicamente "tudo NAT para / de 192.168.0.8 a 82.69.129.108, NAT tudo mais para 82.69.129.105, bloqueie todo o tráfego depois de permitir que alguns portas / protocolos ".

Aqui está uma lista de regras:

# iptables -vnL
Chain INPUT (policy DROP 87 packets, 5073 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1010  216K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   58  4408 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:123 
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
   87  5073 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix 'INPUT: ' 

Chain FORWARD (policy DROP 6 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2  1383 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix 'New but not syn: ' 
    2  1383 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW 
78595   75M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
58873   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    9   576 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8         tcp dpt:22 
    4   240 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8         tcp dpt:80 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8         tcp dpt:443 
    2   120 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.8         tcp dpt:25 
    0     0 ACCEPT     udp  --  eth0   *       192.168.2.1          192.168.0.8         udp dpt:514 
    2   152 ACCEPT     udp  --  eth0   *       192.168.2.1          192.168.0.8         udp dpt:123 
    0     0 ACCEPT     all  --  eth0   *       192.168.1.1          0.0.0.0/0           
    6   300 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix 'FORWARD: ' 

Chain OUTPUT (policy ACCEPT 460 packets, 67812 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2696K packets, 192M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  1236 DNAT       all  --  eth0   *       0.0.0.0/0            82.69.129.108       to:192.168.0.8 

Chain POSTROUTING (policy ACCEPT 108K packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1549  115K SNAT       all  --  *      eth0    192.168.0.8          0.0.0.0/0           to:82.69.129.108 
  709 42396 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:82.69.129.105 

Chain OUTPUT (policy ACCEPT 19719 packets, 3998K bytes)
 pkts bytes target     prot opt in     out     source               destination

Nada útil está sendo registrado por essas regras de LOG.

O firewall é uma instalação do Linux, mas está sendo executado em um dispositivo Soekris somente leitura. de um cartão CF; como tal eu trato isso mais como um aparelho e não atualizei desde que foi instalado. É, portanto, uma instalação muito antiga do Debian etch com um kernel 2.6.12. Isso pode ser um bug do kernel relacionado à fragmentação ou conexão UDP rastreamento?

De qualquer forma, removerei as tags DNSSEC e Unbound e adicionarei iptables, etc.

    
por grifferz 07.07.2012 / 13:17

2 respostas

4

Eu tive o problema exato e descobri que as informações do link resolveram o problema problema para mim:

Your trace shows that unbound thinks the connection drops MTU 1500+ packets. Faa.gov uses large keys and has a lot of answers above 1480 - i.e. DNSKEY, NXDOMAIN answers. Thus your trouble likely stems from fragmentation issues. Your server cannot receive UDP DNS responses that are larger than 1480 or so.

A simple dig @..faaserver faa.gov DNSKEY +dnssec from the server shows the timeout it produces, likely.

The best solution is to fix the path that is dropping UDP fragments. Fix your firewall, upgrade it, change cisco router rules on old equipment. It must be close to your end, because I can get the fragments just fine. This is the best fix, because it allows your server to run better with large responses, and generally cleans up your network.

The workaround is edns-buffer-size: 1280 in unbound.conf.

A code fix, is in svn trunk development version of unbound. That version should fallback to smaller edns size automatically for you.

And there are useful MTU size test sites out there too.

    
por 11.07.2012 / 01:18
3

Você se certificou de que o cliente, ao entrar em contato com o não acoplado e o não acoplado ao tentar entrar em contato com servidores externos, possa usar o TCP? Você pode experimentar com dig +tcp @server example.com , alterar server .

O DNSSEC torna as solicitações muito grandes para caber no UDP.

    
por 08.07.2012 / 01:27