公司的防火墙会检查dns请求包,经过实验发现,用nslookup发的包过不了墙,比如以下这个:
No. Time Source Destination Protocol Length Info
12 92.466635000 192.168.1.247 114.114.114.114 DNS 73 Standard query 0x3ada A
www.yixun.comFrame 12: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface 0
Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
User Datagram Protocol, Src Port: 45139 (45139), Dst Port: domain (53)
Domain Name System (query)
Transaction ID: 0x3ada
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
0010 00 3b 56 77 00 00 40 11 7c b7 c0 a8 01 f7 72 72 .;Vw..@.|.....rr
0020 72 72 b0 53 00 35 00 27 a7 bc 3a da 01 00 00 01 rr.S.5.'..:.....
0030 00 00 00 00 00 00 03 77 77 77 05 79 69 78 75 6e .......www.yixun
0040 03 63 6f 6d 00 00 01 00 01 .com.....
但是如果用dig发的包就可以轻松过墙,比如以下这个:
No. Time Source Destination Protocol Length Info
13 116.257343000 192.168.1.247 114.114.114.114 DNS 84 Standard query 0xb62e A
www.yixun.comFrame 13: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
User Datagram Protocol, Src Port: 55735 (55735), Dst Port: domain (53)
Domain Name System (query)
[Response In: 14]
Transaction ID: 0xb62e
Flags: 0x0120 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ..1. .... = AD bit: Set
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (EDNS0 option)
UDP payload size: 4096
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x0
Data length: 0
0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
0010 00 46 56 78 00 00 40 11 7c ab c0 a8 01 f7 72 72 .FVx..@.|.....rr
0020 72 72 d9 b7 00 35 00 32 a7 c7 b6 2e 01 20 00 01 rr...5.2..... ..
0030 00 00 00 00 00 01 03 77 77 77 05 79 69 78 75 6e .......www.yixun
0040 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 .com.......)....
0050 00 00 00 00 ....
比较了一下,不同之处在于Flags字段,nslookup发的包是0x0100,dig发的包是0x0120,然后dig发的包多了一坨Additional records
问题:0x0100、0x0120哪种是标准写法?
目前的想法是,有没有可能在通过dnsmasq转发请求的时候直接改成dig的那种格式,直接绕过防火墙规则
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.