Unbound not resolving some domains

【Title】: Unbound not resolving some domains 【Posted】: 2021-09-13 13:04:39 【Question】:

I have an Unbound container running on a test server to proxy DNS traffic. The problem is that it fails on some domains while working fine on all the others.

This is the response for a failing domain using dig:

dig @127.0.0.1 mail.protonmail.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @127.0.0.1 mail.protonmail.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24960
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.protonmail.com.       IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 01 11:56:23 UTC 2021
;; MSG SIZE  rcvd: 48

Looking at the logs I get some interesting information:

info: resolving mail.protonmail.com. A IN
info: error sending query to auth server 2001:503:39c1::30 port 53
info: error sending query to auth server 2001:503:a83e::2:30 port 53
info: error sending query to auth server 2001:502:7094::30 port 53
info: error sending query to auth server 2001:503:39c1::30 port 53
info: resolving com. DNSKEY IN
info: response for mail.protonmail.com. A IN
info: reply from <com.> 192.35.51.30#53
info: query response was REFERRAL
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving protonmail.com. DNSKEY IN
info: resolving ns1.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was ANSWER
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: response for mail.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: validated DS protonmail.com. DS IN
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was ANSWER
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was ANSWER
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was nodata ANSWER
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: resolving ns2.protonmail.com. AAAA IN
info: resolving protonmail.com. DNSKEY IN
info: response for protonmail.com. DNSKEY IN
info: reply from <com.> 192.48.79.30#53
info: query response was REFERRAL
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns2.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. A IN
info: error sending query to auth server 2001:502:7094::30 port 53
info: response for ns3.protonmail.com. AAAA IN
info: reply from <com.> 192.41.162.30#53
info: query response was REFERRAL
info: resolving ns1.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. A IN
info: reply from <com.> 192.31.80.30#53
info: query response was REFERRAL
info: resolving ns2.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
info: response for ns3.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: resolving ns2.protonmail.com. AAAA IN
info: error sending query to auth server 2001:500:d937::30 port 53
info: resolving ns2.protonmail.com. A IN
info: response for ns2.protonmail.com. A IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns2.protonmail.com. AAAA IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was nodata ANSWER
info: response for ns2.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: resolving ns1.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. A IN
info: error sending query to auth server 2001:503:d2d::30 port 53
info: error sending query to auth server 2001:500:d937::30 port 53
info: error sending query to auth server 2001:503:eea3::30 port 53
info: error sending query to auth server 2001:501:b1f9::30 port 53
info: response for ns1.protonmail.com. A IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns1.protonmail.com. AAAA IN
info: reply from <com.> 192.55.83.30#53
info: query response was REFERRAL
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was nodata ANSWER
info: response for ns1.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: **Missing DNSKEY RRset in response to DNSKEY query.**
info: **Could not establish a chain of trust to keys for protonmail.com. DNSKEY IN**

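Unbound runs inside a docker container, and it is in sync with the host on local time (it was originally out of sync, but I thought I should try that to see whether it was the error).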

Unbound configuration:

server:
    cache-max-ttl: 86400
    cache-min-ttl: 300
    directory: "/opt/unbound/etc/unbound"
    edns-buffer-size: 1232
    interface: 0.0.0.0@53
    rrset-roundrobin: yes
    username: "_unbound"
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: no
    logfile: /var/log/unbound.log
    verbosity: 2
    aggressive-nsec: yes
    delay-close: 10000
    do-daemonize: no
    do-not-query-localhost: no
    neg-cache-size: 4M
    qname-minimisation: yes
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    auto-trust-anchor-file: "var/root.key"
    chroot: "/opt/unbound/etc/unbound"
    deny-any: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: no
    harden-short-bufsize: yes
    hide-identity: yes
    hide-version: yes
    identity: "foo"
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    ratelimit: 1000
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    unwanted-reply-threshold: 10000
    use-caps-for-id: no
    val-clean-additional: yes
    infra-cache-slabs: 2
    incoming-num-tcp: 10
    key-cache-slabs: 2
    msg-cache-size: 275724970
    msg-cache-slabs: 2
    num-queries-per-thread: 4096
    num-threads: 1
    outgoing-range: 8192
    rrset-cache-size: 551449941
    rrset-cache-slabs: 2
    minimal-responses: yes
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    so-reuseport: yes
remote-control:
    control-enable: no

Any ideas?

EDIT: If I run the same container on my PC, the queries work, so I guess it is some kind of server configuration on the docker host.

【Answer 1】:

Your problem most likely lies in the following lines:

error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53

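This indicates that your DNS server is failing to send DNS queries outbound over TCP, which is required for talking to any DNS server that returns a DNS response with the TC (truncated) bit set, which indicates that it has more data to send than will fit in the response [caveat: omitting many details about how this is decided on the server side]. Since your DNS resolver is validating queries with DNSSEC (which, ideally, is what you want), it is not surprising that some responses are large and need TCP (DNSKEYs are large to transmit).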

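Solutions, in order of preference:

1. Fix outbound TCP on one or both of the host and the docker container.
2. Increase edns-buffer-size: 1232 to something like 4096. This will cause UDP packet fragmentation, but it will at least work for you. Ideally 1232 is a better value, but if you cannot fix TCP, this may be the only option.
3. Turn off DNSSEC validation. You can do that by setting the module-config: "iterator" option in the configuration file, but you will then lose the security support that DNSSEC gives you.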
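
The UDP-then-TCP fallback described in this answer, as an added example (not code from the answer or from Unbound): it builds a DNSKEY query carrying an EDNS buffer size and the DNSSEC OK bit, checks the TC bit of the UDP reply, and retries over TCP when it is set. The function names, the IPv4-only sockets and the two sample headers are constructed for illustration.

```python
import socket
import struct

DNSKEY = 48       # RR type code for DNSKEY
OPT = 41          # EDNS0 pseudo-RR type
TC_BIT = 0x0200   # header flag: the response was truncated
DO_BIT = 0x8000   # EDNS flag "DNSSEC OK": ask for signatures and keys


def build_query(name, qtype=DNSKEY, bufsize=1232, qid=0x1234):
    """Wire-format query with an EDNS0 OPT record advertising `bufsize`."""
    # Flags 0x0000: RD is clear, as when a resolver asks an authoritative server.
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT, 0)
    return header + question + opt


def parse_header(msg):
    """Return (id, rcode, truncated, answer_count) from a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, bool(flags & TC_BIT), an


def next_transport(udp_reply):
    """Transport a resolver uses next: keep the UDP reply or retry over TCP."""
    return "tcp" if parse_header(udp_reply)[2] else "udp"


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def probe(server, name, bufsize=1232, timeout=3.0):
    """Ask `server` (IPv4) for DNSKEY over UDP; retry over TCP on TC=1.

    Returns (transport_used, answer_count). An OSError raised on the TCP
    leg is the same class of failure as the 'tcp sendmsg' errors in the
    Unbound log quoted in the question.
    """
    query = build_query(name, bufsize=bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(65535)
    if next_transport(reply) == "udp":
        return "udp", parse_header(reply)[3]
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        reply = _recv_exact(tcp, length)
    return "tcp", parse_header(reply)[3]


# Constructed sample: header of a truncated reply (QR=1, AA=1, TC=1, 0 answers).
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 1)
# Constructed sample: header of a complete reply carrying 3 answer records.
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 1)
```

Calling `probe()` with one of the authoritative addresses from the log, first inside the container and then on the host, shows whether the UDP answer is truncated at the configured buffer size and whether the TCP retry succeeds from each place.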

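【Comments】:

I tried it on the container, running dig +bufsize=512 mail.protonmail.com, and the result was as expected. Then I tried on the container but pointing to the unbound address localhost, and no response was returned: dig @localhost +bufsize=512 mail.protonmail.com. This rules out any potential TCP issue AFAIK, since everything else on that host replies accordingly, except when querying unbound, so unbound itself does not like something, but... what is it?

【Answer 2】: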

1. DNS Flag Day 2020 edns-buffer-size: 1232

2. You need to add a forward-zone:

#legend:
# N   : place number in the test
# TO  : timeout count
# #!  : speedup parameter
forward-zone:   

# Forward all queries (except those in cache and local zone) to 
# upstream recursive servers    
name: "."   
# Queries to this forward zone use TLS  
# forward-tls-upstream: no  

forward-first: yes
#!  the forward-no-cache parameter with a value of no reduced the address issuance time to zero!
forward-no-cache: no

#time:1ms;TTL:system;
#   google-250-set.1    ;Avg.ms:156.58;Min.ms:0.5;Max.ms:1350.6;
#   cachehit-250-set.1  N:1;Avg.ms:0.67;Min.ms:0.6;Max.ms:1.3;
forward-addr: 127.0.0.1
# ...........................................................................
#           AU;US;CLOUDFLARENETUS (Cloudflare DNS)
# ...........................................................................
#   Standard
# ....
#   cachehit-250-set.1  N:24;Avg.ms:74.14;Min.ms:3.8;Max.ms:3500.0;TO:5
#   time:3ms;TTL:56;
#   URL:    one.one.one.one
forward-addr: 1.0.0.1
#   cachehit-250-set.1  N:31;Avg.ms:93.37;Min.ms:37.2;Max.ms:3500.0;TO:4
#   time:36ms;TTL:56;
#   URL:    one.one.one.one 
#        forward-addr: 1.1.1.1

# ...........................................................................
#           DE;EU;CWVodafoneGroupPLC
# ...........................................................................
#   name:   Cable & Wireless DE
#   cachehit-250-set.1  N:7;Avg.ms:22.03;Min.ms:21.4;Max.ms:23.0;
#   20ms;TTL:58;
#   URL:     euro-cns1.cw.net
forward-addr: 141.1.27.249
#20ms;TTL:58;
forward-addr: 195.27.1.1
#   name:   Cable & Wireless DE-3
#   cachehit-250-set.1  N:8;Avg.ms:22.05;Min.ms:21.3;Max.ms:24.1;
#21ms;TTL:58;
#   URL:     cns1.cw.net
forward-addr: 141.1.1.1
# ...........................................................................
#           US;DYNDNS
#@  Planned shutdown on May 31, 2022
# ...........................................................................
#   name: DynGuide-2
#   cachehit-250-set.1  N:11;Avg.ms:41.36;Min.ms:9.4;Max.ms:45.2;
# time:43ms;TTL:53;
#   URL:     rdns.dynect.net
forward-addr: 216.146.36.36
# ...........................................................................
#           US;Google DNS
# ...........................................................................
#   name:   Google Public DNS-2
#   cachehit-250-set.1  N:10;Avg.ms:31.83;Min.ms:14.9;Max.ms:3500.0;TO:1
#   time:19ms;TTL:107;
#   URL:    dns.google
    forward-addr: 8.8.4.4
#
#   name:   Google Public DNS
# warn: Slower replica of Google Public DNS-2 [8.8.4.4]
#   cachehit-250-set.1  N:39;Avg.ms:647.68;Min.ms:19.0;Max.ms:NA;TO:17
#   time:14ms;TTL:59;
#   URL:    dns.google.
    forward-addr: 8.8.8.8
