Freeshell/Blog: Custom Domains Without ICP Filing Now Resolve to an Overseas Server

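Some third-party domains on Freeshell and blog that have no ICP filing have attracted attention, so we have now pointed proxy.freeshell.ustc.edu.cn and p.blog.ustc.edu.cn via CNAME to an overseas reverse proxy server, revproxy-sg.ustclug.org. That overseas server reverse-proxies back to USTC. This change will not affect normal access, though it may add some response latency and reduce download speeds somewhat. If you have problems with access, please contact us: lug AT ustc.edu.cn.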

8 comments on "Freeshell/Blog: Custom Domains Without ICP Filing Now Resolve to an Overseas Server"

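  1. This doesn't seem to be of much use; a third-party domain only needs an A record pointing to 202.38.95.147. You may also need to change the relevant nginx configuration on the blog/freeshell hosts and move the reverse proxy server for third-party domains overseas.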

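  2. Also, ever since servers.ustclug.org was resolved to an overseas address, connections have been unstable, and it takes several refreshes before the page displays properly.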

  3. Querying servers.ustclug.org with China Telecom 114.114.114.114 shows CNAME -> p.blog.ustc.edu.cn -> revproxy-sg.ustclug.org:
    revproxy-sg.ustclug.org. 600 IN AAAA 2400:6180:0:d0::27b:2001
    revproxy-sg.ustclug.org. 600 IN A 128.199.232.134
    ustclug.org. 600 IN NS dns.lug.ustc.edu.cn.
    ustclug.org. 600 IN NS dns-m.lug.ustc.edu.cn.

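    The A record's IP, 128.199.232.134, is in the UK.
    Querying LUG DNS gives the same result.

    Test results on a China Telecom network (no IPv6 address or tunnel configured):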
    swp@swp-server: ~$ curl -vv https://servers.ustclug.org
    * Rebuilt URL to: https://servers.ustclug.org/
    * Hostname was NOT found in DNS cache
    * Trying 128.199.232.134...
    * Trying 2400:6180:0:d0::27b:2001...
    * Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
    * Connected to servers.ustclug.org (128.199.232.134) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: none
    CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * Operation timed out after 1 milliseconds with 0 out of 0 bytes received
    * Closing connection 0
    curl: (28) Operation timed out after 1 milliseconds with 0 out of 0 bytes received

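    It looks like the G·F·W is intercepting the certificate. Its port 80 is likewise unreachable, but the G·F·W has basically blocked all port 80 traffic; the provincial backbone routers kill HTTP even to domestic IPs without ICP filing, whether or not there is a domain name.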

    ping results (100 pings):
    1 swp@swp-server: ~$ ping servers.ustclug.org -c 100
    PING revproxy-sg.ustclug.org (128.199.232.134) 56(84) bytes of data.
    64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=1 ttl=128 time=120 ms
    64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=3 ttl=128 time=121 ms
    ……
    64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=98 ttl=128 time=114 ms
    64 bytes from revproxy-sg.ustclug.org (128.199.232.134): icmp_seq=100 ttl=128 time=169 ms

    --- revproxy-sg.ustclug.org ping statistics ---
    100 packets transmitted, 69 received, 31% packet loss, time 99216ms
    rtt min/avg/max/mdev = 105.494/121.064/206.846/18.125 ms

    1. 128.199.232.134 belongs to DigitalOcean's Singapore data center.

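      If China Telecom had blocked port 80 on all overseas hosts, that would be insane; would even microsoft.com be unreachable? Access to servers.ustclug.org from the campus network is normal, and the DNSPod monitoring service also reports normal access.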

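      1. Within a province, port 80 on a non-filed IP of the same carrier in the same province is reachable; across provinces or across carriers (China Telecom, China Unicom) it is not, while port 443 is reachable.
        I'm not sure about international IPs.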

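        1. Many domains that resolve to USTC have no ICP filing, and they are still reachable from everywhere. Could it be that the port 80 filing check is done in the provincial backbone network close to the server side, and USTC's uplink gets special treatment?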

          1. The servers.ustclug.org domain is hard to reach; please change it back to servers.blog.ustc.edu.cn.
            ping works, but curl to both 80 and 443 gets RESET!

            ^_^ swp@swp-server: /var/log/nginx$ curl -vv servers.ustclug.org
            * Rebuilt URL to: servers.ustclug.org/
            * Hostname was NOT found in DNS cache
            * Trying 128.199.232.134...
            * connect to 128.199.232.134 port 80 failed: 拒绝连接
            * Trying 2400:6180:0:d0::27b:2001...
            * Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
            * Failed to connect to servers.ustclug.org port 80: 拒绝连接
            * Closing connection 0
            curl: (7) Failed to connect to servers.ustclug.org port 80: 拒绝连接
            1 swp@swp-server: /var/log/nginx$ curl -vv https://servers.ustclug.org
            * Rebuilt URL to: https://servers.ustclug.org/
            * Hostname was NOT found in DNS cache
            * Trying 128.199.232.134...
            * connect to 128.199.232.134 port 443 failed: 拒绝连接
            * Trying 2400:6180:0:d0::27b:2001...
            * Immediate connect fail for 2400:6180:0:d0::27b:2001: 网络不可达
            * Failed to connect to servers.ustclug.org port 443: 拒绝连接
            * Closing connection 0
            curl: (7) Failed to connect to servers.ustclug.org port 443: 拒绝连接

Comments are closed.