为什么 dig @8.8.8.8 news.ycombinator.com 返回了错误的 ip

2019-08-05 15:50:07 +08:00
 tonywangcn

问题现象如下:

在境内的服务器上运行一下命令,针对 news.ycombinator.com 每次返回的都是不同的 ip,好像在 3-5 个之间,

而其实际地址应该是 209.216.230.240, 详细测试结果 ( https://tools.ipip.net/ping.php?view=news.ycombinator.com ).

dig @8.8.8.8 news.ycombinator.com

; <<>> DiG 9.14.1 <<>> @8.8.8.8 news.ycombinator.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33306
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.ycombinator.com.      IN  A

;; ANSWER SECTION:
news.ycombinator.com.   178 IN  A   67.228.221.221

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Aug 05 07:19:26 UTC 2019
;; MSG SIZE  rcvd: 65


dig @8.8.8.8 news.ycombinator.com

; <<>> DiG 9.14.1 <<>> @8.8.8.8 news.ycombinator.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18922
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.ycombinator.com.      IN  A

;; ANSWER SECTION:
news.ycombinator.com.   130 IN  A   31.13.77.55

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Aug 05 07:19:58 UTC 2019
;; MSG SIZE  rcvd: 65

虽然 news.ycombinator.com 在境内被强,但是 8.8.8.8 及 1.1.1.1 均可正常使用,但为何针对 news.ycombinator.com 却返回错误 IP 呢?

这个问题会导致 curl https://news.ycombinator.com 出现报错 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443

最初以为是本地 openssl 的问题,结果发现是 dns 返回了错误的 ip,疑为被投毒。

请问各位大佬,有没有解决方案,已测试过 alidns。

dig dns.google

; <<>> DiG 9.14.1 <<>> dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27355
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;dns.google.            IN  A

;; ANSWER SECTION:
dns.google.     729 IN  A   8.8.8.8
dns.google.     729 IN  A   8.8.4.4

;; Query time: 206 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Aug 05 07:26:26 UTC 2019
;; MSG SIZE  rcvd: 71


root @ / 
 [165] 🐳  → ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=37 time=5.92 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=37 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=37 time=7.29 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 5.917/8.085/11.053/2.172 ms
3755 次点击
所在节点    程序员
23 条回复
jamesliu96
2019-08-06 09:18:13 +08:00
dnssec dnsovertls 一日不普及国内 dns 一日不干净,不过有了也没卵用
leopku
2019-08-06 09:45:57 +08:00
@missdeer 狂点赞!!!
bclerdx
2019-08-06 16:39:17 +08:00
@CEBBCAT 怎么确认和测试抢答?

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/589223

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX