dig warning: recursion requested but not available

Posted on 2025-01-24 21:29:40


I'm trying to write a DNS proxy to block ad DNS requests (return NxDomain) for learning purposes.

        let mut request = request.clone();                 // Clone the request received from client
        request.take_queries();                            // Remove all queries out of the request
        request.add_query(query.to_owned());               // Add one query with the ads uri
        request
               .set_message_type(MessageType::Response)    // Change the type to response
               .set_response_code(ResponseCode::NXDomain); // Update response code in header to NxDomain
        request                                            // return 

When testing the code above with dig 2mdn.net @0.0.0.0, I received the response below:

        λ dig 2mdn.net @0.0.0.0

        ; <<>> DiG 9.10.6 <<>> 2mdn.net @0.0.0.0
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3685
        ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
        ;; WARNING: recursion requested but not available

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;2mdn.net.                      IN      A

        ;; Query time: 0 msec
        ;; SERVER: 127.0.0.1#53(0.0.0.0)
        ;; WHEN: Thu Apr 28 01:02:17 PDT 2022
        ;; MSG SIZE  rcvd: 37

And there's a warning about a failed recursion request.

As indicated in the HEADER flags, there's no ra flag being set. Why would the client send another request after receiving the response?

AD (Authentic Data): indicates the resolver believes the responses to be authentic - that is, validated by DNSSEC

The ad flag in the example above belongs to the request, but why would a request carry this flag?

Is it necessary for a DNS resolver to set those flags? If not set (except qr), would the client reject the response despite the id being the same?

Thanks in advance!
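
The header bits the question asks about (qr, rd, ra, ad), as an added example that is not part of the original post: a std-only Rust function that builds an NXDOMAIN reply from a raw query, setting QR and RA, echoing RD, and clearing AD. It works on wire bytes rather than the `Message` type used in the post; the function names and the sample query are constructed for illustration.

```rust
// Added example, not from the original post: std only, raw wire bytes.
// Header flag bits, RFC 1035 section 4.1.1 (AD and CD come from DNSSEC).
const QR: u16 = 0x8000; // message is a response
const RD: u16 = 0x0100; // recursion desired, set by the client
const RA: u16 = 0x0080; // recursion available, set by the server
const AD: u16 = 0x0020; // authentic data
const CD: u16 = 0x0010; // checking disabled
const OPCODE: u16 = 0x7800;
const NXDOMAIN: u16 = 3; // RCODE lives in the low 4 bits

/// Flag names in the order dig prints them.
fn flag_names(flags: u16) -> Vec<&'static str> {
    let table = [(QR, "qr"), (0x0400, "aa"), (0x0200, "tc"), (RD, "rd"), (RA, "ra"), (AD, "ad"), (CD, "cd")];
    table.iter().filter(|&&(bit, _)| flags & bit != 0).map(|&(_, name)| name).collect()
}

/// Constructed sample: query for 2mdn.net A, id 3685, flags rd+ad as echoed in the post.
fn sample_query() -> Vec<u8> {
    let mut q = vec![0x0E, 0x65, 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 0];
    q.extend_from_slice(b"\x042mdn\x03net\x00\x00\x01\x00\x01");
    q
}

/// NXDOMAIN reply for a one-question query; None if the input is malformed.
fn nxdomain_reply(query: &[u8]) -> Option<Vec<u8>> {
    if query.len() < 12 { return None; }
    let qflags = u16::from_be_bytes([query[2], query[3]]);
    if qflags & QR != 0 || u16::from_be_bytes([query[4], query[5]]) != 1 { return None; }
    let mut pos = 12; // walk the QNAME labels to find the end of the question
    loop {
        let len = *query.get(pos)? as usize;
        if len & 0xC0 != 0 { return None; } // compression pointer, not expected in a question
        pos += 1 + len;
        if len == 0 { break; }
    }
    // QR and RA set, opcode/RD/CD echoed, AD/AA/TC cleared, RCODE = NXDOMAIN
    let rflags = QR | RA | (qflags & (OPCODE | RD | CD)) | NXDOMAIN;
    let mut out = query[0..2].to_vec(); // same ID as the query
    out.extend_from_slice(&rflags.to_be_bytes());
    out.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, no records (any OPT is dropped)
    out.extend_from_slice(query.get(12..pos + 4)?); // QNAME + QTYPE + QCLASS
    Some(out)
}

fn main() {
    let reply = nxdomain_reply(&sample_query()).expect("sample query is well formed");
    let flags = u16::from_be_bytes([reply[2], reply[3]]);
    println!("reply flags: {:?}, rcode {}", flag_names(flags), flags & 0x000F);
}
```

dig prints the "recursion requested but not available" warning when a response carries rd without ra, which is the flag combination shown in the post's output.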
