labunix's blog

labunixのラボUnix

Checking EDNS0 behaviour with the dig command.

■Check with dig whether EDNS0 is supported.
 The main question is whether a resolution result larger than 512 octets (= bytes), up to 4096 bytes, can be received.
 This follows "Appendix 2" of the MIC (総務省) advisory below, "Coping with the increased data volume during the 'key rollover period'".

 Need to update cache DNS server configuration following the worldwide change in DNS operations
 http://www.soumu.go.jp/menu_news/s-news/02kiban04_04000212.html

■Simply check the flags of the reply: whether "ANSWER: n" is received,
 whether the "aa" flag is absent (i.e. the reply came from a cache, not an authoritative DNS server),
 whether "EDNS: version: 0" shows EDNS0 support,
 and whether a message size of "udp: 4096" octets can be received,
 which also tests that nothing on the network path is in the way.
 Two caveats: if a 4096-byte reply cannot get through, the "tc" flag appears and dig prints
 ";; Truncated, retrying in TCP mode." (so a reply that only arrives over TCP is a warning sign,
 not a pass); and +bufsize alone does not set the DO bit (the capture below shows
 "DO bit: Cannot handle DNSSEC security RRs"), so to exercise DNSSEC-sized replies as in the
 key rollover case, add +dnssec, which sets DO and enables EDNS at the same time.

$ dig +bufsize=4096 rs.dns-oarc.net txt | awk '/flags/'
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4096

■Preparing the packet capture

# tshark -i 1 -V -P -x -w dns.log -n port 53

■Test (rs.dns-oarc.net reports back the largest reply size the path actually delivered)

$ dig +bufsize=4096 +short rs.dns-oarc.net txt
rst.x4050.rs.dns-oarc.net.
rst.x4060.x4050.rs.dns-oarc.net.
rst.x4066.x4060.x4050.rs.dns-oarc.net.
"2400:2000:bb1b:13::f4 sent EDNS buffer size 4096"
"Tested at 2017-07-25 16:11:27 UTC"
"2400:2000:bb1b:13::f4 DNS reply size limit is at least 4066"

■Packet capture result (the dig query itself, showing the OPT pseudo-RR carrying the 4096-byte buffer size)

# tshark -i 1 -V -P -x -r dns.log 2>/dev/null | awk '!/Address|^0|Source:|Destination:/' | tail -59 | nl
     1	    0100 .... = Version: 4
     2	    .... 0101 = Header Length: 20 bytes (5)
     3	    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
     4	        0000 00.. = Differentiated Services Codepoint: Default (0)
     5	        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
     6	    Total Length: 72
     7	    Identification: 0x2b66 (11110)
     8	    Flags: 0x00
     9	        0... .... = Reserved bit: Not set
    10	        .0.. .... = Don't fragment: Not set
    11	        ..0. .... = More fragments: Not set
    12	    Fragment offset: 0
    13	    Time to live: 64
    14	    Protocol: UDP (17)
    15	    Header checksum: 0xb7c9 [validation disabled]
    16	    [Header checksum status: Unverified]
    17	    [Source GeoIP: Unknown]
    18	    [Destination GeoIP: Unknown]
    19	User Datagram Protocol, Src Port: 55059, Dst Port: 53
    20	    Source Port: 55059
    21	    Destination Port: 53
    22	    Length: 52
    23	    Checksum: 0x97bb [unverified]
    24	    [Checksum Status: Unverified]
    25	    [Stream index: 0]
    26	Domain Name System (query)
    27	    Transaction ID: 0x3f9e
    28	    Flags: 0x0120 Standard query
    29	        0... .... .... .... = Response: Message is a query
    30	        .000 0... .... .... = Opcode: Standard query (0)
    31	        .... ..0. .... .... = Truncated: Message is not truncated
    32	        .... ...1 .... .... = Recursion desired: Do query recursively
    33	        .... .... .0.. .... = Z: reserved (0)
    34	        .... .... ..1. .... = AD bit: Set
    35	        .... .... ...0 .... = Non-authenticated data: Unacceptable
    36	    Questions: 1
    37	    Answer RRs: 0
    38	    Authority RRs: 0
    39	    Additional RRs: 1
    40	    Queries
    41	        rs.dns-oarc.net: type TXT, class IN
    42	            Name: rs.dns-oarc.net
    43	            [Name Length: 15]
    44	            [Label Count: 3]
    45	            Type: TXT (Text strings) (16)
    46	            Class: IN (0x0001)
    47	    Additional records
    48	        <Root>: type OPT
    49	            Name: <Root>
    50	            Type: OPT (41)
    51	            UDP payload size: 4096
    52	            Higher bits in extended RCODE: 0x00
    53	            EDNS0 version: 0
    54	            Z: 0x0000
    55	                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
    56	                .000 0000 0000 0000 = Reserved: 0x0000
    57	            Data length: 0
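The checklist above and the tshark dissection of the query, as an added example that is not part of the original page: the script builds the same EDNS0 query dig sent (ID 0x3f9e, flags 0x0120, one TXT question for rs.dns-oarc.net, root-named OPT pseudo-RR with UDP payload size 4096 and RDLENGTH 0) and then applies the page's flag checks (qr, aa, tc, EDNS version, udp size) to a dissected reply. The replies are constructed locally so it runs offline; the TXT strings in them are samples, not real rs.dns-oarc.net output, and the `dnssec_ok` flag shows where the DO bit lives in the OPT TTL field.

```python
"""Build and dissect an EDNS0 DNS message (RFC 1035 header/question, RFC 6891 OPT).

Added example; the replies below are constructed, not captured.
"""
import struct

OPT = 41   # EDNS0 pseudo-RR type
TXT = 16


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels; root is a lone 0x00."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(qname, qtype=TXT, txid=0x3F9E, bufsize=4096, dnssec_ok=False):
    """Same shape as the dig query in the tshark output: 44 bytes of DNS payload."""
    # Flags 0x0120 = RD (recursion desired) + AD, exactly as dig sends them.
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: NAME = root, TYPE = 41, CLASS = requestor's UDP payload size,
    # TTL = ext-RCODE(8) | EDNS version(8) | DO(1) | Z(15), RDLENGTH = 0.
    ttl = 0x8000 if dnssec_ok else 0     # dig +dnssec sets this DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, ttl, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def dissect(msg: bytes) -> dict:
    """Header flags, section counts and the OPT record (if any) of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar, "edns": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            # For OPT, CLASS carries the UDP payload size and TTL the
            # extended RCODE / EDNS version / DO bit.
            info["edns"] = {"version": (ttl >> 16) & 0xFF, "udp": rclass,
                            "do": bool(ttl & 0x8000), "ext_rcode": ttl >> 24}
    return info


def build_response(query: bytes, txt_answers, bufsize=4096, truncated=False):
    """Constructed resolver reply (not a real capture): QR RD RA set, no AA,
    TXT answers named via a pointer to offset 12, plus the server's own OPT RR.
    With truncated=True the reply carries TC and no answers, as when it did not fit."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    question = query[12:skip_name(query, 12) + 4]
    answers = b""
    kept = [] if truncated else list(txt_answers)
    for txt in kept:
        rdata = bytes([len(txt)]) + txt.encode("ascii")   # one <character-string>
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TXT, 1, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return header + question + answers + opt


def edns_check(reply: bytes) -> dict:
    """The page's checklist applied to a reply."""
    r = dissect(reply)
    e = r["edns"]
    return {"is_response": r["qr"],
            "from_cache": not r["aa"],                  # no aa: a resolver answered
            "edns0": e is not None and e["version"] == 0,
            "udp_4096": e is not None and e["udp"] >= 4096,
            "truncated": r["tc"],                       # TC: dig would retry over TCP
            "answers": r["answer"]}


if __name__ == "__main__":
    q = build_edns_query("rs.dns-oarc.net")
    print(len(q), dissect(q))                         # 44 bytes = UDP length 52 - 8
    ok = build_response(q, ["sample: sent EDNS buffer size 4096",
                            "sample: DNS reply size limit is at least 4066"])
    print(edns_check(ok))
    print(edns_check(build_response(q, [], truncated=True)))
```

The 44-byte payload length matches the capture (UDP length 52 minus the 8-byte UDP header, IP total length 72 minus the 20-byte IP header). A reply where `truncated` is True means the server could not fit the answer in the advertised buffer, which is the path problem the advisory is about.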

■Extra
 Using the servers listed in the output below as a starting point, checking with "traceroute" or "traceroute -p 53"
 may also reveal the upstream DNS servers to some extent.

$ dig +bufsize=4096 +trace +ans +noall rs.dns-oarc.net txt
;; Received 733 bytes from 192.168.1.254#53(192.168.1.254) in 13 ms

;; Received 1172 bytes from 202.12.27.33#53(m.root-servers.net) in 10 ms

;; Received 456 bytes from 192.26.92.30#53(c.gtld-servers.net) in 11 ms

;; Received 317 bytes from 77.72.225.243#53(ns3.dns-oarc.net) in 305 ms

;; Received 1013 bytes from 64.191.0.133#53(ns00.rs.dns-oarc.net) in 235 ms

$ dig +bufsize=4096 +trace +all rs.dns-oarc.net txt | awk '/^;;/'
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; ANSWER SECTION:
;; ADDITIONAL SECTION:
;; Query time: 21 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 26 02:09:15 JST 2017
;; MSG SIZE  rcvd: 733
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 189 msec
;; SERVER: 198.97.190.53#53(198.97.190.53)
;; WHEN: Wed Jul 26 02:09:15 JST 2017
;; MSG SIZE  rcvd: 1172
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35300
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 145 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Jul 26 02:09:16 JST 2017
;; MSG SIZE  rcvd: 456
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55158
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 197 msec
;; SERVER: 192.211.126.36#53(192.211.126.36)
;; WHEN: Wed Jul 26 02:09:17 JST 2017
;; MSG SIZE  rcvd: 317
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60781
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 27, ADDITIONAL: 28
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 430 msec
;; SERVER: 64.191.0.133#53(64.191.0.133)
;; WHEN: Wed Jul 26 02:09:17 JST 2017
;; MSG SIZE  rcvd: 1013