On August 27 and 28, the LUG VPN was interrupted for 20 minutes and 1 hour respectively. Investigation showed the cause was DNSSEC-related configuration that had been added to the recursive DNS server on the blog host (the relevant part is shown below).


dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

With DNSSEC enabled, resolving a name causes the resolver to query the authoritative name servers for DS records, and .com has more than a dozen authoritative servers (x.gtld-servers.net). Querying them one after another takes a long time, so the DNS query times out. The DNS timeout made the automatic monitoring script conclude that the overseas VPS was down, so it tried to restart the VPS; the restart naturally did not help, and the script then had no option but to shut down the overseas tunnel, which interrupted overseas VPN access.

In fact, under normal circumstances DNSSEC should be querying DLV records; why bind9 did not do so is still unclear. No sign of DLV queries being poisoned was found either. Occasional DNS query timeouts had already been noticed a few days earlier but were not taken seriously; they must have been DNSSEC's doing as well. We sincerely apologize for the trouble this problem has caused you.

Since DNSSEC has not yet been deployed globally, DNSSEC validation provides no security benefit here and only degrades performance, so DNSSEC has been disabled on the recursive DNS server.

Before DNSSEC was enabled (with the overseas tunnel open):


$ time host digitalocean.com
digitalocean.com has address 190.93.247.7
digitalocean.com has address 141.101.115.8
digitalocean.com has address 141.101.114.8
digitalocean.com has address 190.93.246.7
digitalocean.com has address 190.93.245.7
digitalocean.com mail is handled by 5 ALT1.ASPMX.L.GOOGLE.com.
digitalocean.com mail is handled by 5 alt2.aspmx.l.google.com.
digitalocean.com mail is handled by 10 aspmx2.googlemail.com.
digitalocean.com mail is handled by 1 aspmx.l.google.com.
digitalocean.com mail is handled by 10 aspmx3.googlemail.com.

real    0m0.280s
user    0m0.000s
sys     0m0.004s

After DNSSEC was enabled (again with the overseas tunnel open), the first DNS lookup took an order of magnitude longer:


$ time host digitalocean.com
digitalocean.com has address 190.93.245.7
digitalocean.com has address 190.93.247.7
digitalocean.com has address 141.101.115.8
digitalocean.com has address 141.101.114.8
digitalocean.com has address 190.93.246.7
digitalocean.com mail is handled by 10 aspmx2.googlemail.com.
digitalocean.com mail is handled by 1 aspmx.l.google.com.
digitalocean.com mail is handled by 10 aspmx3.googlemail.com.
digitalocean.com mail is handled by 5 ALT1.ASPMX.L.GOOGLE.com.
digitalocean.com mail is handled by 5 alt2.aspmx.l.google.com.

real    0m2.536s
user    0m0.004s
sys     0m0.000s

Below is the relevant packet capture (reply packets omitted; in essence, each next request is sent as soon as the previous reply arrives):


550   4.060161 202.141.176.99 -> 192.5.5.241  DNS 76 Standard query 0xbab4  DS digitalocean.com    # these are all gtld-servers.net, the .com authoritative name servers
553   4.087681 202.141.176.99 -> 192.55.83.30 DNS 76 Standard query 0x6c73  DS digitalocean.com
563   4.150887 202.141.176.99 -> 192.48.79.30 DNS 76 Standard query 0x92c1  DS digitalocean.com
570   4.234462 202.141.176.99 -> 192.43.172.30 DNS 76 Standard query 0x3410  DS digitalocean.com
613   4.456467 202.141.176.99 -> 192.33.14.30 DNS 76 Standard query 0x0d12  DS digitalocean.com
618   4.484891 202.141.176.99 -> 192.52.178.30 DNS 76 Standard query 0x0569  DS digitalocean.com
656   4.769479 202.141.176.99 -> 192.12.94.30 DNS 76 Standard query 0x8045  DS digitalocean.com
695   5.131597 202.141.176.99 -> 192.35.51.30 DNS 76 Standard query 0xb5af  DS digitalocean.com
727   5.354713 202.141.176.99 -> 192.41.162.30 DNS 76 Standard query 0x3fc4  DS digitalocean.com
781   5.602758 202.141.176.99 -> 192.54.112.30 DNS 76 Standard query 0xac2d  DS digitalocean.com
884   5.978858 202.141.176.99 -> 192.42.93.30 DNS 76 Standard query 0xb656  DS digitalocean.com
916   6.201677 202.141.176.99 -> 192.31.80.30 DNS 76 Standard query 0x7106  DS digitalocean.com
979   6.439279 202.141.176.99 -> 192.5.6.30   DNS 76 Standard query 0xa60c  DS digitalocean.com
1067   6.681580 202.141.176.99 -> 192.26.92.30 DNS 76 Standard query 0xe18c  DS digitalocean.com
1156   6.948875 202.141.176.99 -> 192.5.5.241  DNS 76 Standard query 0x0a0c  DS digitalocean.com
1163   6.977318 202.141.176.99 -> 192.33.14.30 DNS 76 Standard query 0x7d4e  DS digitalocean.com
1170   7.010780 202.141.176.99 -> 192.55.83.30 DNS 76 Standard query 0x84f6  DS digitalocean.com
1191   7.074379 202.141.176.99 -> 192.48.79.30 DNS 76 Standard query 0x26a6  DS digitalocean.com
1213   7.161079 202.141.176.99 -> 192.43.172.30 DNS 76 Standard query 0xe177  DS digitalocean.com
1259   7.388771 202.141.176.99 -> 192.52.178.30 DNS 76 Standard query 0xd91d  DS digitalocean.com
1305   7.670330 202.141.176.99 -> 192.42.93.30 DNS 76 Standard query 0xbe65  DS digitalocean.com
1344   7.894323 202.141.176.99 -> 192.35.51.30 DNS 76 Standard query 0x6300  DS digitalocean.com
1380   8.111826 202.141.176.99 -> 192.31.80.30 DNS 76 Standard query 0x5a06  DS digitalocean.com
1497   8.348409 202.141.176.99 -> 192.41.162.30 DNS 76 Standard query 0x886d  DS digitalocean.com
1578   8.596737 202.141.176.99 -> 192.5.6.30   DNS 76 Standard query 0x75d0  DS digitalocean.com
1621   8.838294 202.141.176.99 -> 192.54.112.30 DNS 76 Standard query 0x5908  DS digitalocean.com
1724   9.227071 202.141.176.99 -> 192.26.92.30 DNS 76 Standard query 0xfab1  DS digitalocean.com
1794   9.486494 202.141.176.99 -> 192.12.94.30 DNS 76 Standard query 0x6e70  DS digitalocean.com
1893   9.851287 202.141.176.99 -> 192.55.83.30 DNS 80 Standard query 0xae3b  A api.digitalocean.com     # here x.gtld-servers.net is asked for the authoritative name server
1911   9.913810 202.141.176.99 -> 173.245.58.126 DNS 91 Standard query 0x5c56  A api.digitalocean.com   # here digitalocean's authoritative DNS server (cloudflare) is asked for the name
1973  10.139070 202.141.176.99 -> 192.36.148.17 DNS 76 Standard query 0x7a1d  DS digitalocean.com
1983  10.165931 202.141.176.99 -> 192.33.14.30 DNS 76 Standard query 0x3a1a  DS digitalocean.com
1995  10.199602 202.141.176.99 -> 192.55.83.30 DNS 76 Standard query 0x83f8  DS digitalocean.com
2025  10.263564 202.141.176.99 -> 192.48.79.30 DNS 76 Standard query 0x84b2  DS digitalocean.com
2049  10.352034 202.141.176.99 -> 192.43.172.30 DNS 76 Standard query 0x361a  DS digitalocean.com
2125  10.579081 202.141.176.99 -> 192.35.51.30 DNS 76 Standard query 0xc257  DS digitalocean.com
2181  10.794755 202.141.176.99 -> 192.42.93.30 DNS 76 Standard query 0xcf84  DS digitalocean.com
2251  11.017524 202.141.176.99 -> 192.31.80.30 DNS 76 Standard query 0x7000  DS digitalocean.com
2327  11.255360 202.141.176.99 -> 192.5.6.30   DNS 76 Standard query 0xba19  DS digitalocean.com
2378  11.497069 202.141.176.99 -> 192.41.162.30 DNS 76 Standard query 0xdd7f  DS digitalocean.com
2427  11.743191 202.141.176.99 -> 192.52.178.30 DNS 76 Standard query 0x1bb8  DS digitalocean.com
2463  12.022767 202.141.176.99 -> 192.26.92.30 DNS 76 Standard query 0x2985  DS digitalocean.com
2512  12.289135 202.141.176.99 -> 192.54.112.30 DNS 76 Standard query 0x74a3  DS digitalocean.com
2616  12.657349 202.141.176.99 -> 192.12.94.30 DNS 76 Standard query 0x72bd  DS digitalocean.com
2701  13.019408 202.141.176.99 -> 173.245.59.148 DNS 91 Standard query 0xa48a  A api.digitalocean.com   # query to another of digitalocean's authoritative name servers (reply received in Frame 2743)
2744  13.241959 202.141.176.99 -> 192.36.148.17 DNS 76 Standard query 0x743d  DS digitalocean.com
2748  13.270452 202.141.176.99 -> 192.33.14.30 DNS 76 Standard query 0x05cf  DS digitalocean.com
2760  13.297826 202.141.176.99 -> 192.55.83.30 DNS 76 Standard query 0xd005  DS digitalocean.com
2780  13.357873 202.141.176.99 -> 192.48.79.30 DNS 76 Standard query 0x7750  DS digitalocean.com
2816  13.443167 202.141.176.99 -> 192.43.172.30 DNS 76 Standard query 0x39e5  DS digitalocean.com
2897  13.669781 202.141.176.99 -> 192.35.51.30 DNS 76 Standard query 0x1a3c  DS digitalocean.com
2991  13.887893 202.141.176.99 -> 192.42.93.30 DNS 76 Standard query 0xff25  DS digitalocean.com
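The DS-query fan-out visible in the capture above is exactly what a resolver operator wants to spot before a monitoring script misreads it as a dead host. The script below is an added example, not part of the original post: it parses tshark summary lines in the format shown above (a short excerpt of the capture is embedded as sample input), counts DS queries per name, how many distinct servers were asked and how much wall time they consumed, and flags names whose DS lookups exceed a threshold (the threshold value and the function names are assumptions of this example).

```python
import re

# Sample input: a short excerpt of the tshark output shown above, in the same
# summary format (frame, time, src -> dst, DNS, length, query id, qtype, qname).
SAMPLE_CAPTURE = """\
550   4.060161 202.141.176.99 -> 192.5.5.241  DNS 76 Standard query 0xbab4  DS digitalocean.com
553   4.087681 202.141.176.99 -> 192.55.83.30 DNS 76 Standard query 0x6c73  DS digitalocean.com
563   4.150887 202.141.176.99 -> 192.48.79.30 DNS 76 Standard query 0x92c1  DS digitalocean.com
1893   9.851287 202.141.176.99 -> 192.55.83.30 DNS 80 Standard query 0xae3b  A api.digitalocean.com
1911   9.913810 202.141.176.99 -> 173.245.58.126 DNS 91 Standard query 0x5c56  A api.digitalocean.com
1973  10.139070 202.141.176.99 -> 192.36.148.17 DNS 76 Standard query 0x7a1d  DS digitalocean.com
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)"
    r"\s+DNS\s+\d+\s+Standard query\s+0x[0-9a-fA-F]+\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)"
)


def parse_capture(text):
    """Parse tshark summary lines into dicts; non-matching lines are skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            q = m.groupdict()
            q["frame"] = int(q["frame"])
            q["time"] = float(q["time"])
            queries.append(q)
    return queries


def ds_query_stats(queries):
    """Per queried name: DS query count, distinct servers asked, seconds spent."""
    raw = {}
    for q in queries:
        if q["qtype"] != "DS":
            continue
        s = raw.setdefault(q["qname"], {"count": 0, "servers": set(),
                                        "first": q["time"], "last": q["time"]})
        s["count"] += 1
        s["servers"].add(q["dst"])
        s["first"] = min(s["first"], q["time"])
        s["last"] = max(s["last"], q["time"])
    return {name: {"count": s["count"], "servers": len(s["servers"]),
                   "seconds": s["last"] - s["first"]} for name, s in raw.items()}


def flag_ds_storms(queries, max_per_name=5):
    """Names whose DS lookups fanned out to more than max_per_name queries (threshold is an assumption)."""
    return sorted(n for n, s in ds_query_stats(queries).items() if s["count"] > max_per_name)
```

On the full capture above the same functions report dozens of DS queries for digitalocean.com across all the .com servers, which is the delay that pushed the lookup past the monitor's timeout.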