This topic created in 898 days ago, the information mentioned may be changed or developed.

一句话描述问题

H3C 的三层作为 DNS 的 proxy ，无法解析一些特定的域名，比如 home.console.aliyun.com

在三层上无法 ping 这个 ip ，但是直接向上游查询解析是 ok 的。

网络拓扑

PC:

192.168.0.100/24,gatway=192.168.0.50,vlan=20,access

H3C 三层：

vlan20 ip=192.168.0.50/24
vlan600 ip=10.0.0.50/24
静态路由下一跳=10.0.0.60
dns 代理开启

dns proxy enable
dns server 10.0.0.60

dhcp server 开启

iKuai:

lan1=10.0.0.20/24
静态路由:192.168.0.0/16 via 10.0.0.50 回程配置
dns 配置阿里云的 DoH(223.5.5.5)
配置双击热备,VIP=10.0.0.60

在 pc 上的测试

正常域名：百度

dig baidu.com 正常

dig @192.168.0.50 baidu.com 正常 via 三层

dig @10.0.0.50 baidu.com 正常 via 三层

dig @10.0.0.20 baidu.com 正常 via 爱快

dig @10.0.0.60 baidu.com 正常 via 爱快 VIP

异常域名：home.console.aliyun.com

dig home.console.aliyun.com 不正常

dig @192.168.0.50 home.console.aliyun.com 不正常 via 三层

dig @10.0.0.50 home.console.aliyun.com 不正常 via 三层

dig @10.0.0.20 home.console.aliyun.com 正常 via 爱快

dig @10.0.0.60 home.console.aliyun.com 正常 via 爱快 VIP

在三层上 telnet 的测试

<H3C>ping baidu.com
Ping baidu.com (39.156.66.10): 56 data bytes, press CTRL_C to break
56 bytes from 39.156.66.10: icmp_seq=0 ttl=55 time=7.154 ms
56 bytes from 39.156.66.10: icmp_seq=1 ttl=55 time=6.585 ms
56 bytes from 39.156.66.10: icmp_seq=2 ttl=55 time=6.816 ms
56 bytes from 39.156.66.10: icmp_seq=3 ttl=55 time=6.693 ms
56 bytes from 39.156.66.10: icmp_seq=4 ttl=55 time=6.885 ms

--- Ping statistics for baidu.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.585/6.827/7.154/0.193 ms
<H3C>ping home.console.aliyun.com
ping: Unknown host.
<H3C>ping www.aliyun.com
Ping www.aliyun.com (111.62.160.100): 56 data bytes, press CTRL_C to break
56 bytes from 111.62.160.100: icmp_seq=0 ttl=55 time=16.770 ms
56 bytes from 111.62.160.100: icmp_seq=1 ttl=55 time=16.701 ms
56 bytes from 111.62.160.100: icmp_seq=2 ttl=55 time=17.034 ms
56 bytes from 111.62.160.100: icmp_seq=3 ttl=55 time=16.447 ms
56 bytes from 111.62.160.100: icmp_seq=4 ttl=55 time=17.285 ms

--- Ping statistics for www.aliyun.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.447/16.847/17.285/0.288 ms

www.aliyun.com 的 dns 解析和 home.console.aliyun.com 的解析的区别

root@port:/etc/nginx/sites-enabled# dig @10.0.0.60 home.console.aliyun.com
;; Warning: Client COOKIE mismatch

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> @10.0.0.60 home.console.aliyun.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3431
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 83b36405866ca8bc (bad)
;; QUESTION SECTION:
;home.console.aliyun.com.       IN      A

;; ANSWER SECTION:
home.console.aliyun.com. 37     IN      CNAME   one-console-adns.console.aliyun.com.
one-console-adns.console.aliyun.com. 37 IN CNAME one-console-adns.console.aliyun.com.gds.alibabadns.com.
one-console-adns.console.aliyun.com.gds.alibabadns.com. 37 IN CNAME sh.wagbridge.aliyun.aliyun.com.
sh.wagbridge.aliyun.aliyun.com. 37 IN   CNAME   aliyun-adns.aliyun.com.
aliyun-adns.aliyun.com. 37      IN      CNAME   aliyun-adns.aliyun.com.gds.alibabadns.com.
aliyun-adns.aliyun.com.gds.alibabadns.com. 37 IN A 140.205.135.3

;; Query time: 0 msec
;; SERVER: 10.0.0.60#53(10.0.0.60) (UDP)
;; WHEN: Tue Dec 05 22:20:59 CST 2023
;; MSG SIZE  rcvd: 537

root@port:/etc/nginx/sites-enabled# dig @10.0.0.60 www.aliyun.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> @10.0.0.60 www.aliyun.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50166
;; flags: qr rd ra; QUERY: 1, ANSWER: 19, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.aliyun.com.                        IN      A

;; ANSWER SECTION:
www.aliyun.com.         245     IN      CNAME   www-jp-de-intl-adns.aliyun.com.
www-jp-de-intl-adns.aliyun.com. 245 IN  CNAME   www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com.
www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. 245 IN CNAME www.aliyun.com.w.cdngslb.com.
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.210.193
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.209.196
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.209.192
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.209.194
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.209.197
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.210.189
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.210.188
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.32.210.192
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.96
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.94
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.98
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.97
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.95
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.99
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.93
www.aliyun.com.w.cdngslb.com. 245 IN    A       111.62.160.100

;; Query time: 0 msec
;; SERVER: 10.0.0.60#53(10.0.0.60) (UDP)
;; WHEN: Tue Dec 05 22:21:05 CST 2023
;; MSG SIZE  rcvd: 989

一些分析和猜测

和爱快的 vip 无关，我试着把三层的 proxy ip 改为 10.0.0.20 ，问题依旧
既然三层负责 dhcp ，理论上下发的 dns 地址也是三层的 vlanip 为好，虽然 dns 写爱快的 vip 能解决问题
怀疑和 dns 解析结果有关系？比如包长什么的？

Supplement 1 · Dec 5, 2023

这个版本有什么升级建议吗？

<H3C>dis version
H3C Comware Software, Version 7.1.070, Release 1312
Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.
H3C S5560-54QS-EI uptime is 14 weeks, 1 day, 13 hours, 10 minutes
Last reboot reason : Cold reboot

Boot image: flash:/s5560ei-cmw710-boot-r1312.bin
Boot image version: 7.1.070, Release 1312
  Compiled Nov 19 2019 11:00:00
System image: flash:/s5560ei-cmw710-system-r1312.bin
System image version: 7.1.070, Release 1312
  Compiled Nov 19 2019 11:00:00


Slot 1:
Uptime is 14 weeks,1 day,13 hours,10 minutes
S5560-54QS-EI with 2 Processor
BOARD TYPE:         S5560-54QS-EI
DRAM:               1984M bytes
FLASH:              512M bytes
PCB 1 Version:      VER.B
Bootrom Version:    128
CPLD 1 Version:     003
Release Version:    H3C S5560-54QS-EI-1312
Patch Version  :    None
Reboot Cause  :     ColdReboot
[SubSlot 0] 48GE+4SFP Plus+2QSFP Plus

在官网看了下：

H3C S5560-EI系列以太网交换机
H3C S5560EI-CMW710-R3507P10 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3507P08 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CWM710-R3507P06版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3507P02 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3507 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3506P12 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3506P10 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3506P07 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3506P02 版本软件及说明书 40 | 加密软件与手册等级下载

H3C S5560EI-CMW710-R3506 版本软件及说明书 40 | 加密软件与手册等级下载

感觉高我好多

4 replies • 2023-12-06 15:47:48 +08:00