最近发现内网用户淘宝主页不能访问,但是旺旺可以登录;但是直接将计算机接到外网,访问淘宝主页正常;
从而判断问题肯定出在内部。
我们网络内部架有自己的dns转发服务器,如果从内部解析,发现其他域名解析正常,而唯独www.******不能正常解析;
nslookup结果(直接用外网):
Server: cache3-ec
Address: 202.102.224.68
Non-authoritative answer:
Name: www.gslb.******
Addresses: 121.14.24.251, 121.14.63.241, 121.14.63.251, 121.194.7.241
121.194.7.251, 121.207.229.241, 121.207.229.251, 122.224.194.180, 122.224.194.190
122.224.194.200, 122.224.194.210, 123.129.244.241, 123.129.244.251, 124.232.159.241
124.232.159.251, 125.39.85.241, 125.39.85.251, 125.39.87.241, 125.39.87.251
125.76.224.241, 125.76.224.251, 211.138.122.241, 211.138.122.251, 218.108.237.226
220.181.78.241, 220.181.78.251, 58.215.106.241, 58.215.106.251, 61.55.165.241
61.55.165.251, 61.158.239.241, 61.158.239.251, 61.189.3.241, 61.189.3.251
114.80.174.241, 114.80.174.251, 114.80.182.241, 114.80.182.251, 118.123.202.241
118.123.202.251, 119.97.134.241, 119.97.134.251, 119.167.235.241, 119.167.235.251
121.0.23.78, 121.0.23.86, 121.14.24.241
Aliases: www.******
直接接到外网,用网通dns解析www.******可以正常解析,用netstat -an 查看发现解析时使用了tcp53,如下:
TCP 222.22.222.222:2627 202.102.224.68:53 TIME_WAIT
防火墙规则对外只开放了udp53,没有开放tcp53,原来使用一直正常,查了一下资料,原来www.******解析出来的ip太多,导致报文过长,而UDP的报文最大长度为512字节;解析器发现后,将使用TCP重发request,TCP允许报文长度超过512字节。
修改防火墙规则,允许dns使用tcp传输即可。 |
发表于 2010-9-1 09:41:51
发表于 2010-9-4 16:21:56
