使用 dig 查詢 dns 遞歸查詢過程
DNS 查詢過程中如果沒有命中緩存,查詢實際上是一個遞歸過程。
DNS 解析工具 dig 提供了 trace 功能,可以展示遞歸查詢的整個過程。以查詢 www.baidu.com 爲例,查詢結果如下:
root@ubuntu:~# dig +trace +nodnssec www.baidu.com
;; communications error to 114.114.114.114#53: timed out
; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +trace +nodnssec www.baidu.com
;; global options: +cmd
. 2822 IN NS c.root-servers.net.
. 2822 IN NS m.root-servers.net.
. 2822 IN NS i.root-servers.net.
. 2822 IN NS g.root-servers.net.
. 2822 IN NS b.root-servers.net.
. 2822 IN NS a.root-servers.net.
. 2822 IN NS j.root-servers.net.
. 2822 IN NS e.root-servers.net.
. 2822 IN NS l.root-servers.net.
. 2822 IN NS h.root-servers.net.
. 2822 IN NS d.root-servers.net.
. 2822 IN NS k.root-servers.net.
. 2822 IN NS f.root-servers.net.
;; Received 515 bytes from 114.114.114.114#53(114.114.114.114) in 156 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 838 bytes from 170.247.170.2#53(b.root-servers.net) in 368 ms
;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for www.baidu.com failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for www.baidu.com failed: network unreachable.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns1.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 356 bytes from 192.54.112.30#53(h.gtld-servers.net) in 340 ms
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
;; Received 100 bytes from 180.76.76.92#53(ns7.baidu.com) in 132 msdig trace 的輸出,主要包括四部分:
-
從
114.114.114.114查到的一些根域名服務器(.)的NS記錄。 -
從
NS記錄結果中選一個根域名服務器b.root-servers.net,ip爲170.247.170.2,並查詢頂級域名com.的NS記錄。 -
從
com.的NS記錄中選擇一個定義域名服務器h.gtld-servers.net,ip爲192.54.112.30,並查詢二級域名baidu.com.的NS服務器。 -
從
baidu.com.的NS服務器ns7.baidu.com查詢最終主機www.baidu.com.的CNAME記錄。
整理成流程圖如下:
如果查詢返回的是A記錄,DNS 查詢流程就結束了。如果是返回的CNAME記錄,需要再次做 DNS 查詢,進一步得到目標主機的IP地址:
root@ubuntu:~# dig +trace +nodnssec www.a.shifen.com
; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +trace +nodnssec www.a.shifen.com
;; global options: +cmd
. 234 IN NS i.root-servers.net.
. 234 IN NS a.root-servers.net.
. 234 IN NS m.root-servers.net.
. 234 IN NS c.root-servers.net.
. 234 IN NS f.root-servers.net.
. 234 IN NS b.root-servers.net.
. 234 IN NS j.root-servers.net.
. 234 IN NS e.root-servers.net.
. 234 IN NS d.root-servers.net.
. 234 IN NS h.root-servers.net.
. 234 IN NS l.root-servers.net.
. 234 IN NS g.root-servers.net.
. 234 IN NS k.root-servers.net.
;; Received 515 bytes from 114.114.114.114#53(114.114.114.114) in 20 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 841 bytes from 193.0.14.129#53(k.root-servers.net) in 4 ms
shifen.com. 172800 IN NS dns.baidu.com.
shifen.com. 172800 IN NS ns2.baidu.com.
shifen.com. 172800 IN NS ns3.baidu.com.
shifen.com. 172800 IN NS ns4.baidu.com.
;; Received 275 bytes from 192.5.6.30#53(a.gtld-servers.net) in 288 ms
;; UDP setup with 240e:bf:b801:1002:0:ff:b024:26de#53(240e:bf:b801:1002:0:ff:b024:26de) for www.a.shifen.com failed: network unreachable.
;; no servers could be reached
;; UDP setup with 240e:bf:b801:1002:0:ff:b024:26de#53(240e:bf:b801:1002:0:ff:b024:26de) for www.a.shifen.com failed: network unreachable.
;; no servers could be reached
;; UDP setup with 240e:bf:b801:1002:0:ff:b024:26de#53(240e:bf:b801:1002:0:ff:b024:26de) for www.a.shifen.com failed: network unreachable.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Received 331 bytes from 36.155.132.78#53(ns3.baidu.com) in 40 ms
www.a.shifen.com. 120 IN A 110.242.69.21
www.a.shifen.com. 120 IN A 110.242.70.57
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
;; Received 363 bytes from 110.242.68.42#53(ns1.a.shifen.com) in 16 ms關於 CNAME 的說明
CNAME(Canonical Name)是域名的別名記錄,用於將一個域名指向另一個規範域名(主域名)。當查詢到 CNAME 記錄時,客戶端需進一步向該規範域名發起 DNS 查詢,以獲取最終的 IP 地址(A 記錄或 AAAA 記錄)。
大型站點,例如百度爲了實現負載均衡、CDN 加速或靈活管理域名,會將 www.baidu.com 配置爲 CNAME 記錄,指向後端的多箇中間域名(如 www.a.shifen.com、www.b.shifen.com 等)。
使用CNAME有如下優勢:
-
修改
CNAME指向的目標域名時,無需變更原域名的解析記錄,適合頻繁調整後端服務的場景(如切換CDN節點)。 -
這些中間域名最終會解析到不同的
IP地址(A記錄),從而實現流量分發和高可用性。 -
直接使用
A記錄時,若IP變更需等待全球DNS緩存過期,可能導致訪問中斷。而CNAME記錄的TTL(生存時間)通常較短,可更快刷新解析結果。
本文由 Readfog 進行 AMP 轉碼,版權歸原作者所有。
來源:https://mp.weixin.qq.com/s/lUO_cXBlp7kqZTLSMke55g