Our company firewall inspects DNS request packets. Experimenting, I found that packets sent by nslookup do not get past the firewall, for example this one:
No. Time Source Destination Protocol Length Info
12 92.466635000 192.168.1.247 114.114.114.114 DNS 73 Standard query 0x3ada A www.yixun.com
Frame 12: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface 0
Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
User Datagram Protocol, Src Port: 45139 (45139), Dst Port: domain (53)
Domain Name System (query)
Transaction ID: 0x3ada
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
0010 00 3b 56 77 00 00 40 11 7c b7 c0 a8 01 f7 72 72 .;Vw..@.|.....rr
0020 72 72 b0 53 00 35 00 27 a7 bc 3a da 01 00 00 01 rr.S.5.'..:.....
0030 00 00 00 00 00 00 03 77 77 77 05 79 69 78 75 6e .......www.yixun
0040 03 63 6f 6d 00 00 01 00 01 .com.....
But packets sent with dig pass through the firewall easily, for example this one:
No. Time Source Destination Protocol Length Info
13 116.257343000 192.168.1.247 114.114.114.114 DNS 84 Standard query 0xb62e A www.yixun.com
Frame 13: 84 bytes on wire (672 bits), 84 bytes captured (672 bits) on interface 0
Ethernet II, Src: WistronI_fb:58:73 (f0:de:f1:fb:58:73), Dst: RalinkTe_30:52:77 (00:0c:43:30:52:77)
Internet Protocol Version 4, Src: 192.168.1.247 (192.168.1.247), Dst: 114.114.114.114 (114.114.114.114)
User Datagram Protocol, Src Port: 55735 (55735), Dst Port: domain (53)
Domain Name System (query)
[Response In: 14]
Transaction ID: 0xb62e
Flags: 0x0120 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ..1. .... = AD bit: Set
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (EDNS0 option)
UDP payload size: 4096
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x0
Data length: 0
0000 00 0c 43 30 52 77 f0 de f1 fb 58 73 08 00 45 00 ..C0Rw....Xs..E.
0010 00 46 56 78 00 00 40 11 7c ab c0 a8 01 f7 72 72 .FVx..@.|.....rr
0020 72 72 d9 b7 00 35 00 32 a7 c7 b6 2e 01 20 00 01 rr...5.2..... ..
0030 00 00 00 00 00 01 03 77 77 77 05 79 69 78 75 6e .......www.yixun
0040 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 .com.......)....
0050 00 00 00 00 ....
Comparing the two, the differences are in the Flags field (the nslookup packet has 0x0100, the dig packet has 0x0120) and that the dig packet carries an extra bunch of Additional records.
Question: which one is the standard form, 0x0100 or 0x0120?
My current idea: would it be possible, when forwarding the request through dnsmasq, to rewrite it into dig's format and bypass the firewall rules directly?
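To make the two captures comparable byte for byte, here is an added example (not code from the original post) that decodes the UDP payloads copied out of the post's own hex dumps (offset 0x2a onward in frames 12 and 13) and rebuilds each query from its components. It shows that the 0x0020 difference in the flags word is the AD bit (bit 5 of the 16-bit header flags) and that the extra additional record is an EDNS0 OPT pseudo-RR (type 41) advertising a 4096-byte UDP payload size; rebuilding the queries with `ad_flag` and `edns` toggled reproduces the captured bytes exactly. The function names and the `ad_flag`/`edns` parameters are this example's own choices; nothing here is a dnsmasq option.

```python
"""Decode and rebuild the two DNS queries from the post's packet dumps.

Added example, not part of the original post. The two byte strings below
are the UDP payloads (offset 0x2a onward) copied from the post's own hex
dumps of frame 12 (nslookup) and frame 13 (dig); the function names and the
ad_flag/edns parameters are this example's own.
"""
import struct

NSLOOKUP_QUERY = bytes.fromhex(
    "3ada" "0100" "0001" "0000" "0000" "0000"   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    "03777777" "05796978756e" "03636f6d" "00"  # QNAME: 3www 5yixun 3com 0
    "0001" "0001"                              # QTYPE=A, QCLASS=IN
)
DIG_QUERY = bytes.fromhex(
    "b62e" "0120" "0001" "0000" "0000" "0001"   # ARCOUNT=1 -> one additional record
    "03777777" "05796978756e" "03636f6d" "00"
    "0001" "0001"
    "00" "0029" "1000" "00000000" "0000"       # OPT RR: root name, TYPE 41, UDP size 4096,
                                               # ext-RCODE/version/Z = 0, RDLENGTH 0
)

# Single-bit header flags and their bit positions in the 16-bit flags word.
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def parse_flags(flags):
    """Return (opcode, rcode, names of set flag bits) for a flags word."""
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    names = [name for name, bit in FLAG_BITS.items() if flags & (1 << bit)]
    return opcode, rcode, names


def read_name(msg, off):
    """Read an uncompressed domain name at off; return (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_query(msg):
    """Decode the header, the question and any OPT record of a DNS query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if qd != 1 or an or ns:
        raise ValueError("expected a single-question query with empty AN/NS sections")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    opt = None
    for _ in range(ar):
        _name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        off += rdlen  # skip RDATA (empty in both captures)
        if rtype == 41:  # OPT pseudo-RR: CLASS carries the UDP payload size, TTL is split into fields
            opt = {"udp_payload_size": rclass, "ext_rcode": ttl >> 24,
                   "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000), "rdlen": rdlen}
    opcode, rcode, names = parse_flags(flags)
    return {"id": txid, "flags": flags, "opcode": opcode, "rcode": rcode, "flag_names": names,
            "qname": qname, "qtype": qtype, "qclass": qclass, "arcount": ar, "opt": opt}


def build_query(txid, qname, ad_flag=False, edns=False, udp_size=4096):
    """Build an A/IN query; ad_flag sets the AD bit, edns appends an OPT record."""
    flags = 0x0100 | (0x0020 if ad_flag else 0)  # RD always set, AD optional
    msg = struct.pack("!6H", txid, flags, 1, 0, 0, 1 if edns else 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg


if __name__ == "__main__":
    for label, raw in (("nslookup", NSLOOKUP_QUERY), ("dig", DIG_QUERY)):
        info = parse_query(raw)
        print(f"{label}: flags=0x{info['flags']:04x} {info['flag_names']} opt={info['opt']}")
    # Toggling the AD bit and EDNS0 reproduces both captures byte for byte.
    print(build_query(0x3ada, "www.yixun.com") == NSLOOKUP_QUERY)
    print(build_query(0xb62e, "www.yixun.com", ad_flag=True, edns=True) == DIG_QUERY)
```

Running the script prints the decoded flag names for each capture (`['RD']` versus `['RD', 'AD']`), the OPT record found only in the dig query, and `True` twice for the rebuilt packets. Feeding other captured queries into `parse_query` is a quick way to see which of the two fields the firewall actually keys on before changing anything on the resolver side.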