BIND DNS（使用 IPA）無法轉發 DNS 請求

幾天來，我一直在嘗試在我的 CentOS 系統上安裝 IPA，但我一直遇到 DNS 轉發問題，因為我無法讓它工作。我已經使用兩個 DNS 命名空間進行了嘗試：

• ost.local
• ost.example.com（其中 example.com 是我擁有的域，但訪問權限很小，Web 管理面板通過 A 記錄指向我的公共 IP 的確切域）

當我安裝 IPA 並要求ipa-server-install配置 BIND 時，它確實如此。但是，當它詢問轉發器時，我輸入8.8.8.8和8.8.4.4（我也嘗試過使用我的路由器和 ISP DNS 地址），但我得到以下資訊：

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder: 8.8.4.4
DNS forwarder 8.8.4.4 added
Enter IP address for a DNS forwarder: 
Checking forwarders, please wait ...
ipa         : ERROR    Forwarder 8.8.8.8 does not work
Forwarder 8.8.8.8 does not respond

此時安裝退出，但如果我在不配置 DNS 轉發器的情況下執行安裝，我可以，但是當我嘗試從 IPA 配置 DNS 轉發器時出現此錯誤：

如果我通過nslookup（本地或遠端）連接，我可以查詢本地區域，但如果我請求區域外的記錄，我會得到：

# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> google.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.206.100

> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> directory.ost.example.com
Default server: 127.0.0.1
Address: 127.0.0.1#53

Name: directory.ost.example.com
Address: 192.168.0.2
> google.com
Default server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find google.com: NXDOMAIN

這是dig @127.0.0.1 google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1470 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 06 10:11:47 GMT 2015
;; MSG SIZE  rcvd: 39

有誰知道出了什麼問題？

---

我的named.conf文件看起來像：

options {
       listen-on-v6 {any;};

       directory "/var/named";
       dump-file               "data/cache_dump.db";
       statistics-file         "data/named_stats.txt";
       memstatistics-file      "data/named_mem_stats.txt";

       forward first;
       forwarders { };

       allow-query { 127.0.0.1; 192.168.0.0/24; };

       recursion yes;
       allow-recursion { 127.0.0.1; 192.168.0.0/24; };

       tkey-gssapi-keytab "/etc/named.keytab";
       pid-file "/run/named/named.pid";

       dnssec-enable no;
       dnssec-validation no;

       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";
};

logging {
       channel default_debug {
               file "data/named.run";
               severity dynamic;
               print-time yes;
       };
};

zone "." IN {
       type hint;
       file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
       library "ldap.so";
       arg "uri ldapi://%2fvar%2frun%2fslapd-OST-EXAMPLE-COM.socket";
       arg "base cn=dns, dc=ost,dc=example,dc=com";
       arg "fake_mname directory.ost.example.com.";
       arg "auth_method sasl";
       arg "sasl_mech GSSAPI";
       arg "sasl_user DNS/directory.ost.example.com";
       arg "serial_autoincrement yes";
};

---

編輯

這是一個nslookupto microsoft.comvia期間的數據包跟踪127.0.0.1，但它仍然沒有報告任何內容：

# tcpdump -i eth0 udp port 53 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:11:46.398533 IP (tos 0x0, ttl 64, id 30233, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.44598 > google-public-dns-a.google.com.domain: 16053+ [1au] NS? . (28)
11:11:46.398550 IP (tos 0x0, ttl 64, id 30234, offset 0, flags [none], proto UDP (17), length 70)
   directory.ost.example.com.28345 > google-public-dns-a.google.com.domain: 1718+% [1au] A? microsoft.com. (42)
11:11:46.399423 IP (tos 0x0, ttl 64, id 47839, offset 0, flags [DF], proto UDP (17), length 66)
   directory.ost.example.com.49824 > router.domain: 62950+ PTR? 8.8.8.8.in-addr.arpa. (38)
11:11:46.400157 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   router.25830 > directory.ost.example.com.domain: 18328+ [1au] NS? . (28)
11:11:46.400675 IP (tos 0x0, ttl 64, id 30235, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.61359 > google-public-dns-a.google.com.domain: 9755+% [1au] NS? . (28)
11:11:46.400860 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
   router.47804 > directory.ost.example.com.domain: 7806+% [1au] A? microsoft.com. (42)
11:11:46.401766 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110)
   router.domain > directory.ost.example.com.49824: 62950 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
11:11:46.402049 IP (tos 0x0, ttl 64, id 47840, offset 0, flags [DF], proto UDP (17), length 71)
   directory.ost.example.com.46228 > router.domain: 16395+ PTR? 1.10.168.192.in-addr.arpa. (43)
11:11:46.402586 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   router.dj-ice > directory.ost.example.com.domain: 51438+% [1au] NS? . (28)
11:11:46.403149 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 91)
   router.domain > directory.ost.example.com.46228: 16395* 1/0/0 1.10.168.192.in-addr.arpa. PTR router. (63)
11:11:51.401318 IP (tos 0x0, ttl 64, id 12713, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.33381 > google-public-dns-b.google.com.domain: 47813+ [1au] NS? . (28)
11:11:51.401339 IP (tos 0x0, ttl 64, id 12714, offset 0, flags [none], proto UDP (17), length 70)
   directory.ost.example.com.15062 > google-public-dns-b.google.com.domain: 31947+% [1au] A? microsoft.com. (42)
11:11:51.401501 IP (tos 0x0, ttl 64, id 12715, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.21893 > google-public-dns-b.google.com.domain: 50112+% [1au] NS? . (28)
11:11:51.401690 IP (tos 0x0, ttl 64, id 47841, offset 0, flags [DF], proto UDP (17), length 66)
   directory.ost.example.com.36630 > router.domain: 10373+ PTR? 4.4.8.8.in-addr.arpa. (38)
11:11:51.403092 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   router.51126 > directory.ost.example.com.domain: 45362+ [1au] NS? . (28)
11:11:51.403831 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
   router.55917 > directory.ost.example.com.domain: 15092+% [1au] A? microsoft.com. (42)
11:11:51.404510 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   router.41956 > directory.ost.example.com.domain: 25944+% [1au] NS? . (28)
11:11:51.405130 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110)
   router.domain > directory.ost.example.com.36630: 10373 1/0/0 4.4.8.8.in-addr.arpa. PTR google-public-dns-b.google.com. (82)
11:11:56.400719 IP (tos 0x0, ttl 64, id 47842, offset 0, flags [none], proto UDP (17), length 70)
   directory.ost.example.com.domain > router.47804: 7806 ServFail 0/0/1 (42)
11:11:56.400754 IP (tos 0x0, ttl 64, id 47843, offset 0, flags [none], proto UDP (17), length 70)
   directory.ost.example.com.domain > router.55917: 15092 ServFail 0/0/1 (42)
11:11:56.401898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
   google-public-dns-a.google.com.domain > directory.ost.example.com.28345: 1718 ServFail 0/0/1 (42)
11:11:56.402396 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
   google-public-dns-b.google.com.domain > directory.ost.example.com.15062: 31947 ServFail 0/0/1 (42)
11:11:56.402620 IP (tos 0x0, ttl 64, id 47844, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.domain > router.25830: 18328 ServFail 0/0/1 (28)
11:11:56.402630 IP (tos 0x0, ttl 64, id 47845, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.domain > router.dj-ice: 51438 ServFail 0/0/1 (28)
11:11:56.402655 IP (tos 0x0, ttl 64, id 47846, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.domain > router.51126: 45362 ServFail 0/0/1 (28)
11:11:56.402661 IP (tos 0x0, ttl 64, id 47847, offset 0, flags [none], proto UDP (17), length 56)
   directory.ost.example.com.domain > router.41956: 25944 ServFail 0/0/1 (28)
11:11:56.403645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   google-public-dns-a.google.com.domain > directory.ost.example.com.44598: 16053 ServFail 0/0/1 (28)
11:11:56.403916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   google-public-dns-a.google.com.domain > directory.ost.example.com.61359: 9755 ServFail 0/0/1 (28)
11:11:56.404643 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   google-public-dns-b.google.com.domain > directory.ost.example.com.33381: 47813 ServFail 0/0/1 (28)
11:11:56.404844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
   google-public-dns-b.google.com.domain > directory.ost.example.com.21893: 50112 ServFail 0/0/1 (28)

抱歉各位，終於找到問題了。

我在 DD-WRT 路由器後面執行此服務，在路由器上，有一個選項（在Setup>下Basic Setup）標記為Forced DNS Redirection. 當我禁用此選項時，8.8.8.8並8.8.4.4開始再次響應。

引用自：https://serverfault.com/questions/741077