这是一个创建于 1700 天前的主题,其中的信息可能已经有所发展或是发生改变。
解析商 dnspod,aliyun 和 cf 都试过,快一年了手机各个浏览器 wifi 访问如此
各家都会经常超时 5-20 秒,网站内容秒出,访问企业大站域名好像正常秒响应,
电信家宽软路由,换过不同编译系统,电脑端、手机移动流量正常秒开解析,,就是 wifi 不对劲换手机也是
域名隐藏 whois,控制台看全天 24 小时 60+解析这是被攻击了吗?我还试了几个你们小站也是这样。。。。
ocsp 已开,解析慢显示是 http 跳转前
第 1 条附言 2021-02-28 17:33:09 +08:00
ocsp 影响找到这个
For the status of Subscriber Certificates:
Prior to 2020-09-30: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
Effective 2020-09-30:
OCSP responses MUST have a validity interval greater than or equal to eight hours;
OCSP responses MUST have a validity interval less than or equal to ten days;
For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.
apache 参数
Default: SSLStaplingStandardCacheTimeout 3600
修改为 SSLStaplingStandardCacheTimeout 864000
For the status of Subscriber Certificates:
Prior to 2020-09-30: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
Effective 2020-09-30:
OCSP responses MUST have a validity interval greater than or equal to eight hours;
OCSP responses MUST have a validity interval less than or equal to ten days;
For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.
apache 参数
Default: SSLStaplingStandardCacheTimeout 3600
修改为 SSLStaplingStandardCacheTimeout 864000
第 2 条附言 2021-03-13 11:48:58 +08:00
终于找到原因就是电信运营商 dns 的 ipv6 解析超时达到 10s+,,,以前习惯关闭本地日志哎
解决办法:
添加 aaaa 解析 0000:0000:0000:0000:0000:ffff:xxxx:xxxx (xxxx:xxxx 为 ipv4 转换 v6 地址)
建议 @dnspod 推出建议的默认解析参考提示
解决办法:
添加 aaaa 解析 0000:0000:0000:0000:0000:ffff:xxxx:xxxx (xxxx:xxxx 为 ipv4 转换 v6 地址)
建议 @dnspod 推出建议的默认解析参考提示
第 3 条附言 2021-03-14 12:25:20 +08:00
这问题太麻烦还是全网影响
好像 edns 策略更新,,以及缓冲区大小默认值 1232 报文值变动
https://dnsflagday.net/2020/index-zh-CN.html
行动: 递归 DNS 运营者
对递归解析测来说,或多或少与权威的要求类似,即能够通过 TCP(53 端口)应答 DNS 查询,用固定的 EDNS 缓冲区大小 (大概 1232 字节)从而避免 IP 分片。记得要检查你的防火墙。
最重要的是,递归解析服务器必须要通过 TCP 重复查询,如果他们收到一个被截断的 UDP 应答报文( TC 被设置为 1 )!
行动: 权威 DNS 运营者
对于权威侧来说,需要你帮助做的是应答 DNS over TCP 的查询( 53 端口)。同时检查你的防火墙!
你也应该使用一个固定的 EDNS 缓冲区大小,那样就不会造成分片。这里建议采用大概 1232 字节,但是这个取值仍然在讨论中。
最后,权威 DNS 服务器不可以发送超过查询报文中请求的 EDNS 缓冲区大小的报文!
现在你可以测试检查你的域名了!通过在下面输入你的域名,然后按 Test! 这个测试使用了 ISC 的 EDNS 合规性测试器,它会从所有通用合规性测试例中选择 edns512tcp 来测试。
好像 edns 策略更新,,以及缓冲区大小默认值 1232 报文值变动
https://dnsflagday.net/2020/index-zh-CN.html
行动: 递归 DNS 运营者
对递归解析测来说,或多或少与权威的要求类似,即能够通过 TCP(53 端口)应答 DNS 查询,用固定的 EDNS 缓冲区大小 (大概 1232 字节)从而避免 IP 分片。记得要检查你的防火墙。
最重要的是,递归解析服务器必须要通过 TCP 重复查询,如果他们收到一个被截断的 UDP 应答报文( TC 被设置为 1 )!
行动: 权威 DNS 运营者
对于权威侧来说,需要你帮助做的是应答 DNS over TCP 的查询( 53 端口)。同时检查你的防火墙!
你也应该使用一个固定的 EDNS 缓冲区大小,那样就不会造成分片。这里建议采用大概 1232 字节,但是这个取值仍然在讨论中。
最后,权威 DNS 服务器不可以发送超过查询报文中请求的 EDNS 缓冲区大小的报文!
现在你可以测试检查你的域名了!通过在下面输入你的域名,然后按 Test! 这个测试使用了 ISC 的 EDNS 合规性测试器,它会从所有通用合规性测试例中选择 edns512tcp 来测试。
第 4 条附言 2021-03-30 11:48:24 +08:00
补充 openssl 1.1.1k [25 Mar 2021]
Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kstle and Samuel Sapalski]
到这应该差不多了,,其实还有。。。
nginx Changes
Bugfix: in the eventport method.
Bugfix: HTTP/2 connections were immediately closed when using
"keepalive_timeout 0"; the bug had appeared in 1.19.7.
Feature: now, if free worker connections are exhausted, nginx starts
closing not only keepalive connections, but also connections in
lingering close.
感叹还是迭代版本至少半年测试的必要性
Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kstle and Samuel Sapalski]
到这应该差不多了,,其实还有。。。
nginx Changes
Bugfix: in the eventport method.
Bugfix: HTTP/2 connections were immediately closed when using
"keepalive_timeout 0"; the bug had appeared in 1.19.7.
Feature: now, if free worker connections are exhausted, nginx starts
closing not only keepalive connections, but also connections in
lingering close.
感叹还是迭代版本至少半年测试的必要性
 | 1 ysc3839 2021-02-22 20:25:51 +08:00 说一个自己以前遇到过的问题:权威 DNS 用的是 Cloudflare,用学校的递归 DNS 解析就非常慢,怀疑是 DNS 缓存失效,后台把 TTL 设置成 Auto 或者 1 天都有这个问题,用三大运营商的移动网络就没问题。最后换成 Hurricane Electric DNS 就没问题了,不知道为什么用 Cloudflare 就会出问题。 |
 | 2 v2020 OP 因为这个问题我把软件硬件几层协议参数改个遍没用难受,有没可能权威 dns 关闭递归权限防止劫持,结果递 dns 缓存性能释放结果转发查询又瓶颈,, |
 | 3 Xusually 2021-02-22 20:52:20 +08:00 域名丢出来大家看看不就知道了。 到底是解析问题还是证书问题。 |
 | 4 systemcall 2021-02-22 21:08:09 +08:00 所以域名备案有什么好处吗? github pages,或者是 VPS 套个 cf,之类的,感觉就可以了吧 除非你有办法搞定企鹅之类的地方的良民证,不然你的网站,不懂这方面的人还是打不开。稍微懂点的,只要不是特别抠都有几个梯子吧,不用担心他们打不开 |
 | 5 dorothyREN 2021-02-22 21:16:20 +08:00 ocsp 的问题吧啊 |
 | 6 Patrick95 2021-02-23 10:25:10 +08:00 看起来像是 Let's Encrypt 的 OCSP 问题 |
 | 7 puzzle9 2021-02-23 14:10:22 +08:00 我遇到了 monster 后缀在 Cloudflare 也存在这问题 |
 | 8 yoyo111 2021-02-24 15:35:06 +08:00 via Android 你说的是手机或者平板在 wifi 下经常浏览网页卡住 10-30 秒么?但 pc 端 或者 手机走数据正常么?这个问题同样困扰了我很久,我测试过电信,移动,网通。电信路由器有公网 ip 访问都正常。移动网通内网 ip,wifi 链接后就出现上述问题。你可以测试看看 |
| 9 yoyo111 2021-02-24 15:36:29 +08:00 via Android 应该和 dns 解析没关系。 |
 | 10 Overfill3641 2021-03-02 19:19:39 +08:00 via iPhone 弄个测试子域名发出来看看吧,只言片语很难猜出来的。 |
Select Language