Different manifestations of ECS
83 vues
Accéder directement au premier message non lu
qiao...@126.com
14 mars 2022, 09:53:5714/03/2022
à public-dns-discuss
Hello
I have some public DNS questions about ECS implementation.
background:
www.a.shifen.com :For Chinese IP, you can directly parse IP. For non Chinese IP, CNAME to another domain name
xiaodu.a.shifen.com:For all regional IP, It`s IP can be directly resolved
Both domain names support different resolutions in different regions. The only difference is www.a.shifen.com for non Chinese IP is CNAME to another domain name. But when I parse through 8.8.8.8 recursion. Whether ECS is added or not, xiaodu a.shifen. com can be parsed correctly. But www.a.shifen.com will appear unexpected parsing.
for example:
1)
dig @8.8.8.8 xiaodu.a.shifen.com
; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4481
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xiaodu.a.shifen.com. IN A
;; ANSWER SECTION:
xiaodu.a.shifen.com. 291 IN A 180.101.49.145
; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4481
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xiaodu.a.shifen.com. IN A
;; ANSWER SECTION:
xiaodu.a.shifen.com. 291 IN A 180.101.49.145
OR
dig @8.8.8.8 xiaodu.a.shifen.com +subnet=180.101.49.11/24
; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;xiaodu.a.shifen.com. IN A
;; ANSWER SECTION:
xiaodu.a.shifen.com. 296 IN A 180.101.49.145
;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:18:30 CST 2022
;; MSG SIZE rcvd: 75
; <<>> DiG 9.16.8 <<>> @8.8.8.8 xiaodu.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;xiaodu.a.shifen.com. IN A
;; ANSWER SECTION:
xiaodu.a.shifen.com. 296 IN A 180.101.49.145
;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:18:30 CST 2022
;; MSG SIZE rcvd: 75
dig @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 300 IN A 180.101.49.11
www.a.shifen.com. 300 IN A 180.101.49.12
;; Query time: 103 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:19:00 CST 2022
;; MSG SIZE rcvd: 88
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15300
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/14
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 300 IN A 180.101.49.11
www.a.shifen.com. 300 IN A 180.101.49.12
;; Query time: 103 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:19:00 CST 2022
;; MSG SIZE rcvd: 88
Another different analysis(This is unexpected due to the direct proxy ECS option in the request.):
dig @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26758
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/0
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 163 IN CNAME www.wshifen.com.
www.wshifen.com. 51 IN A 45.113.192.102
www.wshifen.com. 51 IN A 45.113.192.101
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com +subnet=180.101.49.11/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26758
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; CLIENT-SUBNET: 180.101.49.0/24/0
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 163 IN CNAME www.wshifen.com.
www.wshifen.com. 51 IN A 45.113.192.102
www.wshifen.com. 51 IN A 45.113.192.101
The performance of 8.8.8.8 without ECS request will also appear in both cases:
dig @8.8.8.8 www.a.shifen.com
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52049
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 300 IN A 180.101.49.11
www.a.shifen.com. 300 IN A 180.101.49.12
;; Query time: 150 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:39:04 CST 2022
;; MSG SIZE rcvd: 77
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52049
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 300 IN A 180.101.49.11
www.a.shifen.com. 300 IN A 180.101.49.12
;; Query time: 150 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 14 15:39:04 CST 2022
;; MSG SIZE rcvd: 77
Another
dig @8.8.8.8 www.a.shifen.com
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44119
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 255 IN CNAME www.wshifen.com.
www.wshifen.com. 239 IN A 45.113.192.102
www.wshifen.com. 239 IN A 45.113.192.101
; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.a.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44119
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.a.shifen.com. IN A
;; ANSWER SECTION:
www.a.shifen.com. 255 IN CNAME www.wshifen.com.
www.wshifen.com. 239 IN A 45.113.192.102
www.wshifen.com. 239 IN A 45.113.192.101
All the above requests are made on the same device at the same time. Because my export IP is Chinese mainland, the response with CNAME is unanticipated. It should be noted here that The authority of a.shifen.com is to support IPv4 and IPv6 ECs. wshifen. The authority of COM supports IPv4 ECs.
It seems strange that if my domain name does not have CNAME in any ACL match, but directly returns the resolved IP according to different request IP, then the response is expected. like the domain xiaodu.a.shifen.com.
Could you please explain the reason for this situation and how to realize it? If I want to support CNAME, how can I modify it?
Répondre à tous
Répondre à l'auteur
Transférer
0 nouveau message