Forward DNS name resolution fails for dual-stack queries

Applies to: Windows Server 2016

Symptoms

You are using a third-party DNS server solution, and names are not resolved consistently when you use conditional forwarding.

The local DNS server (10.100.100.70) can connect to the DNS server that is configured as a conditional forwarder (10.133.3.250). The first request from the DNS server to the conditional forwarder resolves the name (for example, nbob1.contoso.com) successfully. After some time, name resolution stops working. An nslookup query to the conditional forwarder returns a "Non-existent domain" error message.

If you clear the DNS server cache on the forwarding computer (the local DNS server), name resolution resumes. However, this fix is only temporary.

Cause

The DNS server (10.100.100.70) forwards the client's name resolution request for nbob1.contoso.com to the configured conditional forwarder (10.133.3.250). The name query has two parts: an A query (IPv4) and an AAAA query (IPv6).

The conditional forwarder returns a correct response for the A record. For example, when the DNS client issues the nslookup nbob1.contoso.com command, the DNS server reports the following response from the conditional forwarder:

10.100.100.70 10.133.3.250 DNS:QueryId = 0x78CB, QUERY (Standard query), Query for nbob1.contoso.com of type Host Addr on class Internet
10.133.3.250 10.100.100.70 DNS:QueryId = 0x78CB, QUERY (Standard query), Response - Success, 10.158.150.200
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[5C-B9-01-D0-00-E0],SourceAddress:[00-09-0F-09-00-02]
+ Ipv4: Src = 10.133.3.250, Dest = 10.100.100.70, Next Protocol = UDP, Packet ID = 16114, Total IP Length = 91
+ Udp: SrcPort = DNS(53), DstPort = 63344, Length = 71
- Dns: QueryId = 0x78CB, QUERY (Standard query), Response - Success, 10.158.150.200
QueryIdentifier: 30923 (0x78CB)
+ Flags: Response, Opcode - QUERY (Standard query), AA, RD, Rcode - Success
QuestionCount: 1 (0x1)
AnswerCount: 1 (0x1)
NameServerCount: 0 (0x0)
AdditionalCount: 1 (0x1)
- QRecord: nbob1.contoso.com of type Host Addr on class Internet
QuestionName: nbob1.contoso.com
QuestionType: A, IPv4 address, 1(0x1)
QuestionClass: Internet, 1(0x1)
- ARecord: nbob1.contoso.com of type Host Addr on class Internet: 10.158.150.200
ResourceName: nbob1.contoso.com
ResourceType: A, IPv4 address, 1(0x1)
ResourceClass: Internet, 1(0x1)
TimeToLive: 0 (0x0)
ResourceDataLength: 4 (0x4)
IPAddress: 10.158.150.200

These responses are excerpted from a server-side Wireshark trace on the local DNS server (10.100.100.70).

The reported response for the AAAA query should resemble the following excerpt:

10.10.10.100 10.10.10.10 DNS:QueryId = 0x21F1, QUERY (Standard query), Query for nbob1.contoso.com of type AAAA on class Internet
10.10.10.10 10.10.10.100 DNS:QueryId = 0x21F1, QUERY (Standard query), Response - Success
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-E4-19-07],SourceAddress:[00-15-5D-E4-19-00]
+ Ipv4: Src = 10.10.10.10, Dest = 10.10.10.100, Next Protocol = UDP, Packet ID = 9830, Total IP Length = 121
+ Udp: SrcPort = DNS(53), DstPort = 57256, Length = 101
- Dns: QueryId = 0x21F1, QUERY (Standard query), Response - Success
QueryIdentifier: 8689 (0x21F1)
- Flags: Response, Opcode - QUERY (Standard query), AA, RD, RA, Rcode - Success
QR: (1...............) Response
Opcode: (.0000...........) QUERY (Standard query) 0
AA: (.....1..........) Is authoritative
TC: (......0.........) Not truncated
RD: (.......1........) Recursion desired
RA: (........1.......) Recursive query support available
Zero: (.........0......) 0
AuthenticatedData: (..........0.....) Not AuthenticatedData
CheckingDisabled: (...........0....) Not CheckingDisabled
Rcode: (............0000) Success 0
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 1 (0x1)
AdditionalCount: 1 (0x1)
- QRecord: nbob1.contoso.com of type AAAA on class Internet
QuestionName: nbob1.contoso.com
QuestionType: AAAA, IPv6 Address, 28(0x1c)
QuestionClass: Internet, 1(0x1)
- AuthorityRecord: contoso.com of type SOA on class Internet: PrimaryNameServer: stdc, AuthoritativeMailbox: hostmaster
ResourceName: contoso.com
ResourceType: SOA, Marks the start of a zone of authority, 6(0x6)
ResourceClass: Internet, 1(0x1)
TimeToLive: 3600 (0xE10)
ResourceDataLength: 38 (0x26)
- SOARData: PrimaryNameServer: stdc, AuthoritativeMailbox: hostmaster
PrimaryNameServer: stdc
ResponsibleAuthoritativeMailbox: hostmaster
SerialNumber: 2 (0x2)
RefreshInterval: 900 (0x384)
RetryInterval: 600 (0x258)
ExpirationLimit: 86400 (0x15180)
MinimumTTL: 3600 (0xE10)

However, the local DNS server actually reports a server failure for the AAAA record (for example, "No records in domain" or "Server failure"). This response corrupts the local DNS server cache and generates a negative cache entry for the host A record. After this cache update, the local DNS server no longer resolves host (A) name resolution requests for nbob1.contoso.com.

10.100.100.170 10.133.3.250 DNS:QueryId = 0xC30F, QUERY (Standard query), Query for nbob1.contoso.com of type AAAA on class Internet
10.133.3.250 10.100.100.70 DNS:QueryId = 0xC30F, QUERY (Standard query), Response - Server failure
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[5C-B9-01-D0-00-E0],SourceAddress:[00-09-0F-09-00-02]
+ Ipv4: Src = 10.133.3.250, Dest = 10.100.100.70, Next Protocol = UDP, Packet ID = 32142, Total IP Length = 75
+ Udp: SrcPort = DNS(53), DstPort = 63171, Length = 55
- Dns: QueryId = 0xC30F, QUERY (Standard query), Response - Server failure
QueryIdentifier: 49935 (0xC30F)
- Flags: Response, Opcode - QUERY (Standard query), AA, RD, Rcode - Server failure
QR: (1...............) Response
Opcode: (.0000...........) QUERY (Standard query) 0
AA: (.....1..........) Is authoritative
TC: (......0.........) Not truncated
RD: (.......1........) Recursion desired
RA: (........0.......) Recursive query support not available
Zero: (.........0......) 0
AuthenticatedData: (..........0.....) Not AuthenticatedData
CheckingDisabled: (...........0....) Not CheckingDisabled
Rcode: (............0010) Server failure 2
QuestionCount: 1 (0x1)
AnswerCount: 0 (0x0)
NameServerCount: 0 (0x0)
AdditionalCount: 1 (0x1)
- QRecord: nbob1.contoso.com of type AAAA on class Internet
QuestionName: nbob1.contoso.com
QuestionType: AAAA, IPv6 Address, 28(0x1c)
QuestionClass: Internet, 1(0x1) 

In this situation, the root problem is that the response from the conditional forwarder is malformed. The local DNS server interprets the response as meaning that the record does not exist.

Workaround

Contact the vendor of the third-party DNS server implementation about this issue.

Additionally, you can implement the following DNS server recursion policy by using Windows PowerShell:

Add-DnsServerQueryResolutionPolicy -Name "BlockRecursionOfAAAA" -ApplyOnRecursion -Action Deny -QType "EQ,AAAA"

The new policy may mitigate the problem. Note that, as written, the policy has no other match criteria, so it denies recursion for AAAA queries for every name that this server resolves, not only for the conditionally forwarded zone.

More information

RFC 2308 (Negative Caching of DNS Queries), section 3, describes the expected behavior of the authoritative name servers for a zone. When a DNS server reports NXDOMAIN, or indicates that no data exists for the requested type, the response must include the zone's SOA record in the authority section. This is required so that the response can be cached.
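The RFC 2308 rule above, and the three traces in the Cause section, can be checked mechanically. The following Python script is an added example; it is not part of this article or of any DNS product. It builds DNS messages whose names, query IDs, TTLs and SOA values are taken from the traces (constructed data, not captured packets) and classifies each response the way a caching resolver should treat it: positive; NODATA or NXDOMAIN with an SOA in the authority section (negatively cacheable for the minimum of the SOA TTL and the SOA MINIMUM field); NODATA without an SOA (not cacheable); or SERVFAIL (cacheable for at most five minutes against the specific query tuple, never as a negative entry for other types). The function names are the example's own.

```python
import struct

# Constructed example mirroring the traces above (not captured bytes).
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]) if labels else tail, off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def rr(name, rtype, ttl, rdata):
    """One class-IN resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qid, rcode, qname, qtype, answers=(), authority=()):
    """Response with QR, AA and RD set (as in the traces) and one question."""
    flags = 0x8000 | 0x0400 | 0x0100 | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers) + b"".join(authority)


def parse_response(msg):
    """Parse a single-question response. Each record keeps the offset of its
    rdata so names inside it (SOA MNAME/RNAME) decode even when compressed."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    assert qd == 1, "single-question responses only"
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rname, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[sec].append((rname, rtype, ttl, off, rdlen))
            off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype, **sections}


def classify(msg):
    """Return (verdict, ttl): how a caching resolver should treat the response."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_SERVFAIL:
        # RFC 2308 section 7.1: cache at most 5 minutes, and only against the
        # <name, type, class, server> tuple. It is not a NODATA/NXDOMAIN answer
        # and must not create a negative entry for other types such as A.
        return "SERVFAIL", 300
    answers = [a for a in r["answer"] if a[1] == r["qtype"]]
    if r["rcode"] == RCODE_NOERROR and answers:
        return "POSITIVE", min(a[2] for a in answers)
    kind = "NXDOMAIN" if r["rcode"] == RCODE_NXDOMAIN else "NODATA"
    soa = [a for a in r["authority"] if a[1] == TYPE_SOA]
    if not soa:
        return kind + "_NO_SOA", None  # RFC 2308 section 5: do not cache
    _, _, soa_ttl, rdoff, _ = soa[0]
    _, o = decode_name(msg, rdoff)  # skip MNAME
    _, o = decode_name(msg, o)      # skip RNAME; serial/refresh/retry/expire/minimum follow
    minimum = struct.unpack("!I", msg[o + 16:o + 20])[0]
    return kind, min(soa_ttl, minimum)  # RFC 2308 section 3: negative TTL


def sample_verdicts():
    """The A answer with TTL 0, the expected AAAA NODATA carrying the
    contoso.com SOA, the forwarder's bare AAAA SERVFAIL, and an AAAA NODATA
    that omits the SOA (constructed to match the values in the traces)."""
    name = "nbob1.contoso.com"
    a_rr = rr(name, TYPE_A, 0, bytes([10, 158, 150, 200]))
    soa = rr("contoso.com", TYPE_SOA, 3600, encode_name("stdc") + encode_name("hostmaster")
             + struct.pack("!IIIII", 2, 900, 600, 86400, 3600))
    return {
        "A": classify(build_response(0x78CB, RCODE_NOERROR, name, TYPE_A, answers=[a_rr])),
        "AAAA_with_soa": classify(build_response(0x21F1, RCODE_NOERROR, name, TYPE_AAAA, authority=[soa])),
        "AAAA_servfail": classify(build_response(0xC30F, RCODE_SERVFAIL, name, TYPE_AAAA)),
        "AAAA_no_soa": classify(build_response(0xC30F, RCODE_NOERROR, name, TYPE_AAAA)),
    }
```

Pointing classify() at the raw bytes of a response exported from a capture shows whether a forwarder's negative answers meet the RFC 2308 requirement: the expected AAAA response in the second trace classifies as NODATA with a 3600-second negative TTL, whereas the bare SERVFAIL in the third trace (or a NOERROR response with no answer and no SOA) is exactly the malformed case described above and must never be turned into a negative entry for the host's A record.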

Common Misbehavior Against DNS Queries for IPv6 Addresses (RFC 4074) describes specific issues that may affect AAAA name resolution queries.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.