Networking
無法解析除 ping 之外的所有程序中的域
我有一台用於 HPC 的伺服器,它是 RedHat。它似乎有一個奇怪的錯誤。我試過:
$ curl https://www.aliyun.com/ -vv Couldn't resolve host 'www.aliyun.com'我也試過這些:
wget https://www.aliyun.com/git clone https://github.com/my_username/my_repotelnet www.aliyun.com 80nc www.aliyun.com 80, ETC…他們都給出了類似的錯誤
getaddrinfo: Name or service not known.。如果我直接使用IP地址,一切正常。(例:)wget https://140.205.34.3/ --no-check-certificate不過,我可以成功ping www.aliyun.com。我試過
curl http://localhost/了,效果很好(localhost 是 中指定的域/etc/hosts)。誰可能是罪魁禍首?有沒有類似的經歷並提供幫助?
/etc/resolv.conf附在這裡:nameserver 11.11.4.1 nameserver 202.114.0.242 nameserver 8.8.8.8 nameserver 202.112.20.131
uname -a結果:Linux node111 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
lsb_release -a結果:LSB Version: :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch Distributor ID: RedHatEnterpriseServer Description: Red Hat Enterprise Linux Server release 6.2 (Santiago) Release: 6.2 Codename: Santiago
ip -a結果:(啟用 InfiniBand)1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:e0:81:e1:15:8d brd ff:ff:ff:ff:ff:ff inet 11.11.0.111/16 brd 11.11.255.255 scope global eth0 inet6 fe80::2e0:81ff:fee1:158d/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 00:e0:81:e1:15:8e brd ff:ff:ff:ff:ff:ff 4: ib0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast state UP qlen 256 link/infiniband 80:00:00:48:fe:80:00:00:00:00:00:00:46:d2:c9:20:00:00:38:b1 brd 00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff inet 10.10.0.111/16 brd 10.10.255.255 scope global ib0 inet6 fe80::46d2:c920:0:38b1/64 scope link valid_lft forever preferred_lft forever 5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN link/ether 52:54:00:7f:dc:4b brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 6: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500 link/ether 52:54:00:7f:dc:4b brd ff:ff:ff:ff:ff:ff**注意:**我沒有這台機器的 root 權限。
內容
/etc/nsswitch.conf:# # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Valid entries include: # # nisplus Use NIS+ (NIS version 3) # nis Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: files ldap publickey: nisplus automount: files ldap aliases: files nisplus編輯#1
$ getent hosts www.microsoft.com 218.58.101.49 e13678.ca.s.tl88.net www.microsoft.com www.microsoft.com-c-3.edgekey.net www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net $ getent hosts www.aliyun.com 2400:3200:1300::3e v6wagbridge.aliyun.com.gds.alibabadns.com www.aliyun.com www-jp-de-intl-adns.aliyun.com www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com v6wagbridge.aliyun.com編輯#2
getent hosts www.aliyun.com效果很好,但getaddrinfo報告name or service not known。(在這個簡單的 C 程序中測試過)編輯#3
我試過
dig了,似乎 DNS 伺服器11.11.4.1不適用於全球網際網路。這是我發現的。$ dig @11.11.4.1 www.aliyun.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @11.11.4.1 www.aliyun.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37272 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.aliyun.com. IN A ;; Query time: 1 msec ;; SERVER: 11.11.4.1#53(11.11.4.1) ;; WHEN: Mon Aug 20 14:48:37 2018 ;; MSG SIZE rcvd: 32 $ dig @1.1.1.1 www.aliyun.com ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> @1.1.1.1 www.aliyun.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64269 ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.aliyun.com. IN A ;; ANSWER SECTION: www.aliyun.com. 113 IN CNAME www-jp-de-intl-adns.aliyun.com. www-jp-de-intl-adns.aliyun.com. 293 IN CNAME www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com. 113 IN CNAME xjp.wagbridge.aliyun.aliyun.com. xjp.wagbridge.aliyun.aliyun.com. 89 IN CNAME xjp-adns.aliyun.com. xjp-adns.aliyun.com. 89 IN CNAME xjp-adns.aliyun.com.gds.alibabadns.com. xjp-adns.aliyun.com.gds.alibabadns.com. 89 IN A 47.88.251.164 ;; Query time: 223 msec ;; SERVER: 1.1.1.1#53(1.1.1.1) ;; WHEN: Mon Aug 20 14:48:39 2018 ;; MSG SIZE rcvd: 256
這讓很多人感到困惑,但該
ping命令與文件有自己的集成,/etc/resolv.conf而您提到的其他工具使用名稱伺服器切換工具。如果您執行strace <cmd>並分析與命令互動的庫的輸出,您可以看到這一點。例如,這裡是
ping:$ strace ping -c 3 www.aliyun.com |& grep -E "ns|resolv" open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3這是
curl:$ strace curl -v www.aliyun.com |& grep -E "ns|resolv" open("/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libnspr4.so", O_RDONLY|O_CLOEXEC) = 3 open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("47.88.251.161")}, 16) = -1 EINPROGRESS (Operation now in progress) getpeername(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("47.88.251.161")}, [16]) = 0 getsockname(3, {sa_family=AF_INET, sin_port=htons(55876), sin_addr=inet_addr("10.0.2.15")}, [16]) = 0您可能想知道,但是等等,他們都在顯示對 的呼叫
libresolv,那麼問題是什麼?curl甚至知道打電話的原因libresolv是因為它被指示這樣做。為什麼?因為這個文件:$ grep host /etc/nsswitch.conf #hosts: db files nisplus nis dns hosts: files dns myhostname此文件中的
hosts:引用告訴呼叫 NSS(名稱伺服器交換機)的工具,它們應該files首先諮詢,然後再呼叫dns。
files引用意味著使用文件/etc/hosts,dns選項意味著諮詢/etc/resolv.confDNS 名稱伺服器並在那裡查找主機名。你的問題
因此,您的問題很可能是由於您的
/etc/nsswitch.conf文件缺少dns我上面顯示的條目。哪些執行檔使用 NSS?
您可以查看執行檔,使用
readelf它顯示執行檔需要哪些共享庫。$ type -f curl curl is /bin/curl $ readelf -d /bin/curl | grep -i shared 0x0000000000000001 (NEEDED) Shared library: [libcurl.so.4] 0x0000000000000001 (NEEDED) Shared library: [libssl3.so] 0x0000000000000001 (NEEDED) Shared library: [libsmime3.so] 0x0000000000000001 (NEEDED) Shared library: [libnss3.so] 0x0000000000000001 (NEEDED) Shared library: [libnssutil3.so] 0x0000000000000001 (NEEDED) Shared library: [libplds4.so] 0x0000000000000001 (NEEDED) Shared library: [libplc4.so] 0x0000000000000001 (NEEDED) Shared library: [libnspr4.so] 0x0000000000000001 (NEEDED) Shared library: [libpthread.so.0] 0x0000000000000001 (NEEDED) Shared library: [libdl.so.2] 0x0000000000000001 (NEEDED) Shared library: [libz.so.1] 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] $ type -f ping ping is /bin/ping $ readelf -d /bin/ping | grep -i shared 0x0000000000000001 (NEEDED) Shared library: [libcap.so.2] 0x0000000000000001 (NEEDED) Shared library: [libidn.so.11] 0x0000000000000001 (NEEDED) Shared library: [libcrypto.so.10] 0x0000000000000001 (NEEDED) Shared library: [libresolv.so.2] 0x0000000000000001 (NEEDED) Shared library: [libm.so.6] 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]類似的方法可以用於
ldd:$ ldd /bin/ping|grep -E "ns|resolv" libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fd144d40000) $ ldd /bin/curl|grep -E "ns|resolv" libnss3.so => /lib64/libnss3.so (0x00007f9795413000) libnssutil3.so => /lib64/libnssutil3.so (0x00007f97951e4000) libnspr4.so => /lib64/libnspr4.so (0x00007f9794b9d000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9792067000)DNS 似乎正在執行
如果您能夠執行這些命令並且它們可以工作:
$ getent hosts www.google.com 216.58.193.164 www.google.com $ getent hosts www.aliyun.com 47.88.198.17 xjp-adns.aliyun.com.gds.alibabadns.com www.aliyun.com然後嘗試使用
opennssl看看是否可以連接到這些服務:$ true | openssl s_client -connect www.aliyun.com:443 depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2 depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = "Alibaba (China) Technology Co., Ltd.", CN = *.aliyun.com 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.aliyun.com i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA subject=/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba (China) Technology Co., Ltd./CN=*.aliyun.com issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2參考