Company firewall is dropping DNS query packets: looking for a way around it

    liemehoc · 2014-05-15 22:42:00 +08:00 · 3504 views
    This topic was created 3605 days ago; the information in it may have since developed or changed.
    Our company's firewall inspects DNS query packets. After some experimenting I found that the packets sent by nslookup cannot get through the firewall, for example this one:

    No. Time Source Destination Protocol Length Info
    12 92.466635000 192.168.1.247 114.114.114.114 DNS 73 Standard query 0x3ada A www.yixun.com

    Frame 12: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface 0
    Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
    Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
    User Datagram Protocol, Src Port: 45139 (45139), Dst Port: domain (53)
    Domain Name System (query)
    Transaction ID: 0x3ada
    Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries

    0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
    0010 00 3b 56 77 00 00 40 11 7c b7 c0 a8 01 f7 72 72 .;Vw..@.|.....rr
    0020 72 72 b0 53 00 35 00 27 a7 bc 3a da 01 00 00 01 rr.S.5.'..:.....
    0030 00 00 00 00 00 00 03 77 77 77 05 79 69 78 75 6e .......www.yixun
    0040 03 63 6f 6d 00 00 01 00 01 .com.....


    But a packet sent by dig gets through the firewall without any trouble, for example this one:

    No. Time Source Destination Protocol Length Info
    13 116.257343000 192.168.1.247 114.114.114.114 DNS 84 Standard query 0xb62e A www.yixun.com

    Frame 13: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
    Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
    Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
    User Datagram Protocol, Src Port: 55735 (55735), Dst Port: domain (53)
    Domain Name System (query)
    [Response In: 14]
    Transaction ID: 0xb62e
    Flags: 0x0120 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..1. .... = AD bit: Set
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    Additional records
    <Root>: type OPT
    Name: <Root>
    Type: OPT (EDNS0 option)
    UDP payload size: 4096
    Higher bits in extended RCODE: 0x0
    EDNS0 version: 0
    Z: 0x0
    Data length: 0

    0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
    0010 00 46 56 78 00 00 40 11 7c ab c0 a8 01 f7 72 72 .FVx..@.|.....rr
    0020 72 72 d9 b7 00 35 00 32 a7 c7 b6 2e 01 20 00 01 rr...5.2..... ..
    0030 00 00 00 00 00 01 03 77 77 77 05 79 69 78 75 6e .......www.yixun
    0040 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 .com.......)....
    0050 00 00 00 00 ....



    Comparing the two, the difference is in the Flags field: the nslookup packet has 0x0100, the dig packet has 0x0120, and the dig packet also carries an extra pile of Additional records.

    Question: which of 0x0100 and 0x0120 is the standard form?
    My current idea: when forwarding requests through dnsmasq, would it be possible to rewrite them directly into dig's format and so bypass the firewall rule?
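As an added illustration (not part of the original post), the following script decodes the UDP payloads of the two captures above, transcribed from the post's hex dumps, and shows exactly what a flag-based filter would see: which header bits are set in 0x0100 versus 0x0120, and whether an EDNS0 OPT pseudo-record is present in the Additional section.

```python
"""Decode the two DNS queries from the thread (nslookup vs dig) to see what differs."""
import struct

# DNS payloads (UDP data only) transcribed from the two hex dumps in the post.
NSLOOKUP_QUERY = bytes.fromhex(
    "3ada 0100 0001 0000 0000 0000"             # id, flags 0x0100, 1 question, 0 additional
    "03777777 05796978756e 03636f6d 00 0001 0001"  # www.yixun.com  A  IN
)
DIG_QUERY = bytes.fromhex(
    "b62e 0120 0001 0000 0000 0001"             # id, flags 0x0120, 1 question, 1 additional
    "03777777 05796978756e 03636f6d 00 0001 0001"  # www.yixun.com  A  IN
    "00 0029 1000 00000000 0000"                # OPT pseudo-RR: EDNS0, UDP payload 4096
)

# Bit positions of the single-bit header flags (RFC 1035 / RFC 4035 layout).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "Z": 6, "AD": 5, "CD": 4}

def read_name(buf, off):
    """Read an uncompressed domain name (plain labels, as both queries use)."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[off:off + n].decode("ascii")); off += n

def decode_query(buf):
    """Return header flags, the question, and EDNS0 details if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    info = {"id": txid, "flags": flags,
            "set": sorted(k for k, b in FLAG_BITS.items() if flags >> b & 1),
            "opcode": (flags >> 11) & 0xF, "edns0": None}
    off = 12
    for _ in range(qd):
        qname, off = read_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4]); off += 4
        info["question"] = (qname, qtype, qclass)
    # Additional section: an OPT RR (type 41) is the EDNS0 marker that dig adds.
    for _ in range(ar):
        _, off = read_name(buf, off)
        rtype, udp_size, ext, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
        off += rdlen
        if rtype == 41:  # OPT: class field = UDP payload size, TTL = ext rcode/version/Z
            info["edns0"] = {"udp_payload": udp_size, "version": (ext >> 16) & 0xFF,
                             "ext_rcode": ext >> 24, "options_len": rdlen}
    return info

if __name__ == "__main__":
    for label, pkt in (("nslookup", NSLOOKUP_QUERY), ("dig", DIG_QUERY)):
        print(label, decode_query(pkt))
```

Both queries ask the same question; the only differences are the AD bit (0x0020) and the trailing OPT record, which is what the thread's two flag values come down to.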
    2 replies    2014-05-15 23:17:32 +08:00
    likexian · 1 · 2014-05-15 23:09:29 +08:00
    The dig one has an extension field; that's Google's EDNS protocol, which presumably has nothing to do with this.
    Does nslookup get out if you `set` a different server?
    liemehoc (OP) · 2 · 2014-05-15 23:17:32 +08:00
    @likexian +edns=### (Set EDNS version) [0]
    Is it this one?

    nslookup gets walled with any server (53 udp); my guess is that 0x0100 may be the signature.