DNS多出口分析

DNS多出口分问题现象：当dns解析出的ip非域名的本地覆盖组，则怀疑是DNS多出口或者DNS劫持。接下来判断该ip是否为网宿ip，如果不是，则是劫持问题，走劫持流程进行反馈。如果是网宿ip，则用以下方法进行DNS多出口确认。

方法一：通过抓包的方式判断多出口
以测试8.8.8.8多出口为例：
登录机器：122.136.46.146（多出口DNS IP抓包专用测试机），
执行：
sudo tcpdump -nn dst port 53 and udp |grep testdns
在其他机器，连续dig 8.8.8.8，需要构造不同的前缀名，以免结果被缓存，所以构造命令如下：

for i in {1..20}; do dig @8.8.8.8 wangsutest${i}.testdns.lxdns.com ; done

[fush@xm35 ~ 14:21:42]$ for i in {1..20}; do dig @8.8.8.8 wangsutest${i}.testdns.lxdns.com ; done

在122.136.46.146就可以看到源源不断的dig请求了，上面便有来源IP：

[watch@yb146 ~]$ sudo tcpdump -nn dst port 53 and udp |grep testdns
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:04:24.757489 IP 74.125.47.137.60718 > 122.136.46.146.53: 41700 [1au] A? wangsutest1.testdns.lxdns.com. (69)
14:04:25.716976 IP 74.125.47.2.49631 > 122.136.46.146.53: 44566 [1au] A? wangsutest1.testdns.lxdns.com. (58)
14:04:26.750757 IP 74.125.181.3.50040 > 122.136.46.146.53: 53990 A? wangsutest1.testdns.lxdns.com. (47)
14:04:28.224020 IP 74.125.47.135.62744 > 122.136.46.146.53: 40516 [1au] A? wangsutest2.testdns.lxdns.com. (69)
14:04:29.255839 IP 74.125.181.2.59749 > 122.136.46.146.53: 40176 [1au] A? wangsutest2.testdns.lxdns.com. (58)
14:04:30.206371 IP 74.125.47.145.39762 > 122.136.46.146.53: 14996 A? wangsutest2.testdns.lxdns.com. (47)
14:04:31.669964 IP 74.125.47.142.46313 > 122.136.46.146.53: 33430 [1au] A? wangsutest3.testdns.lxdns.com. (69)
14:04:32.681943 IP 74.125.181.15.40614 > 122.136.46.146.53: 63315 [1au] A? wangsutest3.testdns.lxdns.com. (58)
14:04:33.638824 IP 74.125.47.138.49140 > 122.136.46.146.53: 46887 A? wangsutest3.testdns.lxdns.com. (47)
14:04:35.447495 IP 74.125.47.3.46831 > 122.136.46.146.53: 63691 [1au] A? wangsutest4.testdns.lxdns.com. (69)
14:04:36.454706 IP 74.125.181.10.51442 > 122.136.46.146.53: 2562 [1au] A? wangsutest4.testdns.lxdns.com. (58)
14:04:38.820076 IP 74.125.47.11.36014 > 122.136.46.146.53: 36575 [1au] A? wangsutest5.testdns.lxdns.com. (69)
14:04:39.876869 IP 74.125.181.2.63350 > 122.136.46.146.53: 2701 [1au] A? wangsutest5.testdns.lxdns.com. (58)
14:04:40.842737 IP 74.125.73.68.47832 > 122.136.46.146.53: 21859 A? wangsutest5.testdns.lxdns.com. (47)
14:04:43.843789 IP 74.125.47.140.34852 > 122.136.46.146.53: 15856 [1au] A? wangsutest5.testdns.lxdns.com. (69)
14:04:44.793616 IP 74.125.47.129.37043 > 122.136.46.146.53: 51990 [1au] A? wangsutest5.testdns.lxdns.com. (58)
14:04:45.817476 IP 74.125.181.9.61970 > 122.136.46.146.53: 58166 A? wangsutest5.testdns.lxdns.com. (47)
14:04:47.239946 IP 74.125.47.142.46096 > 122.136.46.146.53: 50182 [1au] A? wangsutest6.testdns.lxdns.com. (69)
14:04:48.240700 IP 74.125.47.142.64726 > 122.136.46.146.53: 1427 [1au] A? wangsutest6.testdns.lxdns.com. (58)
14:04:49.183595 IP 74.125.181.3.36549 > 122.136.46.146.53: 35110 A? wangsutest6.testdns.lxdns.com. (47)
14:04:50.478652 IP 74.125.73.73.51076 > 122.136.46.146.53: 31433 [1au] A? wangsutest7.testdns.lxdns.com. (69)
14:04:51.519810 IP 74.125.47.15.40705 > 122.136.46.146.53: 45115 [1au] A? wangsutest7.testdns.lxdns.com. (58)
14:04:52.497886 IP 74.125.47.143.35166 > 122.136.46.146.53: 62820 A? wangsutest7.testdns.lxdns.com. (47)
14:04:53.936080 IP 74.125.73.70.47566 > 122.136.46.146.53: 61608 [1au] A? wangsutest8.testdns.lxdns.com. (69)
14:04:54.986093 IP 74.125.47.12.63747 > 122.136.46.146.53: 50695 [1au] A? wangsutest8.testdns.lxdns.com. (58)
14:04:55.967277 IP 74.125.73.75.34890 > 122.136.46.146.53: 29681 A? wangsutest8.testdns.lxdns.com. (47)
14:04:57.312838 IP 74.125.47.143.46604 > 122.136.46.146.53: 58335 [1au] A? wangsutest9.testdns.lxdns.com. (69)
14:04:58.361482 IP 74.125.73.84.62433 > 122.136.46.146.53: 48089 [1au] A? wangsutest9.testdns.lxdns.com. (58)
14:04:59.365100 IP 74.125.47.1.47087 > 122.136.46.146.53: 59125 A? wangsutest9.testdns.lxdns.com. (47)
14:05:00.801741 IP 74.125.47.14.34812 > 122.136.46.146.53: 339 [1au] A? wangsutest10.testdns.lxdns.com. (70)
14:05:01.785453 IP 74.125.47.146.61843 > 122.136.46.146.53: 21701 [1au] A? wangsutest10.testdns.lxdns.com. (5

抓包获取的ip，可以看到有多个 
该方法的原理是：8.8.8.8在解析wangsutest.testdns.lxdns.com这个域名时，会去lxdns的DNS服务器上去请求wangsutest.testdns.lxdns.com对应的A记录，而lxdns的DNS为122.136.46.146（即是多出口DNS IP抓包专用测试机），我们所抓取的包，这是8.8.8.8对122.136.46.146的请求记录，而请求ip即是DNS出口ip。 

二.查询机器使用的dns出口IP

[root@zhjhzh16 ~]# dig whoami.ultradns.net @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> whoami.ultradns.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64327
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whoami.ultradns.net. IN A

;; ANSWER SECTION:
whoami.ultradns.net. 0 IN A 74.125.47.11             #74.125.47.11 为dns服务器8.8.8.8 的其中一个出口IP

;; Query time: 372 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 25 14:36:39 2017
;; MSG SIZE rcvd: 53

[root@zhjhzh16 ~]# dig whoami.akamai.net @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> whoami.akamai.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whoami.akamai.net. IN A

;; ANSWER SECTION:
whoami.akamai.net. 163 IN A 74.125.47.140          #74.125.47.140 为dns服务器8.8.8.8 的其中一个出口IP

;; Query time: 344 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 25 14:38:23 2017
;; MSG SIZE rcvd: 51