Because of geography, when the DNS servers at the two sites resolve public domain names, for example www.baidu.com, a query in Taiwan is answered with a Hong Kong IP while a query in Chengdu is answered with a Beijing IP; and when both DNS servers are alive at the same time, resolution errors also occur, making access to www.baidu.com very slow (accessing Baidu's Hong Kong site from Chengdu, it would be strange if it were not slow).
Among the DNS service updates in Windows Server 2012 R2 there is a feature called Dynamic DNS Forwarders, which the official documentation describes as follows:
When multiple forwarders are added in the DNS server settings of Windows Server 2012 R2,
the DNS service reorders the servers in the forwarder list according to the response time of each server in the list.
By default, reordering and response checking are enabled in Windows Server 2012 R2.
If you want to disable this feature, change the following registry DWORD value to 0:
HKLM\System\CurrentControlSet\Services\DNS\Parameters\EnableForwarderReordering
Clearly, with the two sites pointing forwarders at each other, the two DNS servers' response times differ, and that difference causes the forwarder priority to be reordered.
To verify this, we created a DNS Server in the test environment and added three DNS Forwarder entries.
The first one, DNS Server 10.16.75.52, hosts a local DNS zone for 163.com with two A records, www.163.com and ffff.163.com, and cannot resolve any other names.
The other two can resolve external domain names normally. (Note the current forwarder priority.)
Then we run a name-resolution test from the client:
After resolving four records in a row, we go back to the DNS Server and see that the forwarder priority has indeed changed:
To disable Dynamic DNS Forwarders, change HKLM\System\CurrentControlSet\Services\DNS\Parameters\EnableForwarderReordering
to 0 (create the value if it does not exist),
or run the command directly: Set-DnsServerForwarder -EnableReordering $false
To make packet capture easier, we changed this forwarder timeout value to 7s and then requested www.baidu.com from the client:
As can be seen, the client 10.16.75.55 sends a DNS query for www.baidu.com to DNS Server 10.16.75.50; 10.16.75.50 forwards the query to the first forwarder and keeps waiting for a reply for 7s; right after the 7s expire it forwards the query to the second forwarder, 10.16.42.8, which quickly returns the result. It is this difference in response time that causes the DNS forwarders to be reordered.
Let's look at the result:
So what is a suitable value for this timeout?
The default is 3s, and in general the default should be kept. If network conditions are poor it can be raised moderately; the better the network, the lower it can be set to optimize access speed.
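The following PowerShell is an added example, not part of the original post: it shows the configured versus effective forwarder order on the DNS server, reads the registry switch quoted above, pins the order by disabling reordering with the timeout kept at the default, and checks where the test name now resolves. It assumes it is run on the DNS server itself with the DnsServer module installed; the test name reuses www.baidu.com from the post.

```powershell
# Added example (not the original author's code). Requires the DnsServer module
# that ships with the DNS Server role / RSAT. Assumed to run on the DNS server.
Import-Module DnsServer

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Configured order versus the order the server is actually using.
#    ReorderedIPAddress differs from IPAddress once dynamic reordering has kicked in.
$fwd = Get-DnsServerForwarder
"Configured order : $($fwd.IPAddress -join ', ')"
"Effective order  : $($fwd.ReorderedIPAddress -join ', ')"
"Reordering       : $($fwd.EnableReordering)   Timeout: $($fwd.Timeout)s"

# 2. The registry switch from the post; a missing value means the default (enabled).
$reg = Get-ItemProperty -Path $regPath -Name EnableForwarderReordering -ErrorAction SilentlyContinue
if ($null -eq $reg) {
    "EnableForwarderReordering: not set (default = 1, reordering on)"
} else {
    "EnableForwarderReordering: $($reg.EnableForwarderReordering)"
}

# 3. Pin the forwarder list: disable reordering, keep the default 3s timeout.
#    Raise -Timeout on a slow WAN link, as the post suggests.
Set-DnsServerForwarder -EnableReordering $false -Timeout 3 -PassThru |
    Select-Object IPAddress, ReorderedIPAddress, EnableReordering, Timeout

# 4. Verify that the first forwarder is the one answering now
#    (query the local server directly, bypassing the client cache).
Resolve-DnsName -Name www.baidu.com -Type A -Server localhost -DnsOnly |
    Select-Object Name, Type, IPAddress, TTL
```

Run the first two steps on each site's server before changing anything; if the effective order already differs from the configured one, that is the reordering described in the post.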
Reference links:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn305898(v=ws.11)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772774(v=ws.10)?redirectedfrom=MSDN
nameserver Name server IP address
Internet address of a name server that the resolver should
query, either an IPv4 address (in dot notation), or an
IPv6 address in colon (and possibly dot) notation as per
RFC 2373. Up to MAXNS (currently 3, see <resolv.h>) name
servers may be listed, one per keyword. If there are
multiple servers, the resolver library queries them in the
order listed. If no nameserver entries are present, the
default is to use the name server on the local machine.
(The algorithm used is to try a name server, and if the
query times out, try the next, until out of name servers,
then repeat trying all the name servers until a maximum
number of retries are made.)
options
Options allows certain internal resolver variables to be
modified. The syntax is
options option
where option is one of the following:
timeout:n
Sets the amount of time the resolver will wait for
a response from a remote name server before
retrying the query via a different name server.
This may not be the total time taken by any
resolver API call and there is no guarantee that a
single resolver API call maps to a single timeout.
Measured in seconds, the default is RES_TIMEOUT
(currently 5, see <resolv.h>). The value for this
option is silently capped to 30.
To complete this experiment we also captured and analyzed packets on Linux, which confirmed that the switchover time there is indeed 5s.
Purely technical research; corrections are welcome if anything is wrong.
Original: https://blog.51cto.com/13741006/2674671