Bind
BIND DNS (with IPA) does not forward DNS requests
For a few days I have been trying to install IPA on my CentOS system, but I keep running into a DNS forwarding problem that I cannot get to work. I have tried it with two DNS namespaces:
- ost.local
- ost.example.com (where example.com is a domain I own, but with only limited access: a web admin panel that points the exact domain at my public IP via an A record)
When I install IPA and ask ipa-server-install to configure BIND, it does so. However, when it asks for forwarders, I enter 8.8.8.8 and 8.8.4.4 (I have also tried my router's and my ISP's DNS addresses), but I get the following:

```
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder: 8.8.4.4
DNS forwarder 8.8.4.4 added
Enter IP address for a DNS forwarder:
Checking forwarders, please wait ...
ipa         : ERROR    Forwarder 8.8.8.8 does not work
Forwarder 8.8.8.8 does not respond
```
At that point the installer exits. If I run the install without configuring DNS forwarders it goes through, but when I then try to configure the DNS forwarders from IPA I get this error:
If I connect with nslookup (locally or remotely) I can query the local zone, but if I ask for a record outside the zone I get:

```
# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> google.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.206.100
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> directory.ost.example.com
Default server: 127.0.0.1
Address: 127.0.0.1#53
Name:   directory.ost.example.com
Address: 192.168.0.2
> google.com
Default server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find google.com: NXDOMAIN
```
This is dig @127.0.0.1 google.com:

```
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1470 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 06 10:11:47 GMT 2015
;; MSG SIZE  rcvd: 39
```
Does anyone know what is going wrong?
My named.conf file looks like this:

```
options {
    listen-on-v6 {any;};
    directory "/var/named";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    forward first;
    forwarders { };
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-OST-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=ost,dc=example,dc=com";
    arg "fake_mname directory.ost.example.com.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/directory.ost.example.com";
    arg "serial_autoincrement yes";
};
```
EDIT

Here is a packet trace taken during an nslookup of microsoft.com via 127.0.0.1, which still reports nothing:

```
# tcpdump -i eth0 udp port 53 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:11:46.398533 IP (tos 0x0, ttl 64, id 30233, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.44598 > google-public-dns-a.google.com.domain: 16053+ [1au] NS? . (28)
11:11:46.398550 IP (tos 0x0, ttl 64, id 30234, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.28345 > google-public-dns-a.google.com.domain: 1718+% [1au] A? microsoft.com. (42)
11:11:46.399423 IP (tos 0x0, ttl 64, id 47839, offset 0, flags [DF], proto UDP (17), length 66) directory.ost.example.com.49824 > router.domain: 62950+ PTR? 8.8.8.8.in-addr.arpa. (38)
11:11:46.400157 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) router.25830 > directory.ost.example.com.domain: 18328+ [1au] NS? . (28)
11:11:46.400675 IP (tos 0x0, ttl 64, id 30235, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.61359 > google-public-dns-a.google.com.domain: 9755+% [1au] NS? . (28)
11:11:46.400860 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) router.47804 > directory.ost.example.com.domain: 7806+% [1au] A? microsoft.com. (42)
11:11:46.401766 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110) router.domain > directory.ost.example.com.49824: 62950 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
11:11:46.402049 IP (tos 0x0, ttl 64, id 47840, offset 0, flags [DF], proto UDP (17), length 71) directory.ost.example.com.46228 > router.domain: 16395+ PTR? 1.10.168.192.in-addr.arpa. (43)
11:11:46.402586 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) router.dj-ice > directory.ost.example.com.domain: 51438+% [1au] NS? . (28)
11:11:46.403149 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 91) router.domain > directory.ost.example.com.46228: 16395* 1/0/0 1.10.168.192.in-addr.arpa. PTR router. (63)
11:11:51.401318 IP (tos 0x0, ttl 64, id 12713, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.33381 > google-public-dns-b.google.com.domain: 47813+ [1au] NS? . (28)
11:11:51.401339 IP (tos 0x0, ttl 64, id 12714, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.15062 > google-public-dns-b.google.com.domain: 31947+% [1au] A? microsoft.com. (42)
11:11:51.401501 IP (tos 0x0, ttl 64, id 12715, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.21893 > google-public-dns-b.google.com.domain: 50112+% [1au] NS? . (28)
11:11:51.401690 IP (tos 0x0, ttl 64, id 47841, offset 0, flags [DF], proto UDP (17), length 66) directory.ost.example.com.36630 > router.domain: 10373+ PTR? 4.4.8.8.in-addr.arpa. (38)
11:11:51.403092 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) router.51126 > directory.ost.example.com.domain: 45362+ [1au] NS? . (28)
11:11:51.403831 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) router.55917 > directory.ost.example.com.domain: 15092+% [1au] A? microsoft.com. (42)
11:11:51.404510 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) router.41956 > directory.ost.example.com.domain: 25944+% [1au] NS? . (28)
11:11:51.405130 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110) router.domain > directory.ost.example.com.36630: 10373 1/0/0 4.4.8.8.in-addr.arpa. PTR google-public-dns-b.google.com. (82)
11:11:56.400719 IP (tos 0x0, ttl 64, id 47842, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.domain > router.47804: 7806 ServFail 0/0/1 (42)
11:11:56.400754 IP (tos 0x0, ttl 64, id 47843, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.domain > router.55917: 15092 ServFail 0/0/1 (42)
11:11:56.401898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) google-public-dns-a.google.com.domain > directory.ost.example.com.28345: 1718 ServFail 0/0/1 (42)
11:11:56.402396 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) google-public-dns-b.google.com.domain > directory.ost.example.com.15062: 31947 ServFail 0/0/1 (42)
11:11:56.402620 IP (tos 0x0, ttl 64, id 47844, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.domain > router.25830: 18328 ServFail 0/0/1 (28)
11:11:56.402630 IP (tos 0x0, ttl 64, id 47845, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.domain > router.dj-ice: 51438 ServFail 0/0/1 (28)
11:11:56.402655 IP (tos 0x0, ttl 64, id 47846, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.domain > router.51126: 45362 ServFail 0/0/1 (28)
11:11:56.402661 IP (tos 0x0, ttl 64, id 47847, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.domain > router.41956: 25944 ServFail 0/0/1 (28)
11:11:56.403645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) google-public-dns-a.google.com.domain > directory.ost.example.com.44598: 16053 ServFail 0/0/1 (28)
11:11:56.403916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) google-public-dns-a.google.com.domain > directory.ost.example.com.61359: 9755 ServFail 0/0/1 (28)
11:11:56.404643 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) google-public-dns-b.google.com.domain > directory.ost.example.com.33381: 47813 ServFail 0/0/1 (28)
11:11:56.404844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) google-public-dns-b.google.com.domain > directory.ost.example.com.21893: 50112 ServFail 0/0/1 (28)
```
Sorry everyone, I finally found the problem.
I run this service behind a DD-WRT router, and the router has an option (under Setup > Basic Setup) labelled Forced DNS Redirection. When I disabled that option, 8.8.8.8 and 8.8.4.4 started responding again.
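The trace in the question already shows the loop the answer explains: every query BIND sends to 8.8.8.8 comes back a couple of milliseconds later as the same question from the router to BIND's own port 53, and ten seconds later everything ends in ServFail. The following script is an added example, not code from the question or from IPA, that detects exactly that signature in a capture; it assumes each packet is on one line as shown above (tcpdump -v normally splits header and payload over two lines) and that the capture was taken without -n, so the forwarders are matched by their PTR names.

```python
import re

# One tcpdump -v record, with the IP header and DNS payload joined on one line as
# in the capture above.  Only queries match ("<id>[flags] [1au] <qtype>? <qname>");
# answers such as "7806 ServFail 0/0/1" do not, so they are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<id>\d+)[+%*]* (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
)


def to_seconds(ts):
    """'11:11:46.398533' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect_redirection(capture, local_host, forwarders, window=0.05):
    """Return the queries local_host sent to a forwarder that came straight back
    as queries to local_host's own port 53 from another LAN host within `window`
    seconds: a router rewriting outbound port-53 traffic to the LAN resolver."""
    pending, hits = [], []  # pending: (time, (qtype, qname), forwarder)
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        t, key = to_seconds(m["ts"]), (m["qtype"], m["qname"])
        if m["src"] == local_host and m["dst"] in forwarders:
            pending.append((t, key, m["dst"]))
        elif m["dst"] == local_host and m["dport"] == "domain":
            for i, (sent_t, sent_key, fwd) in enumerate(pending):
                if sent_key == key and 0 <= t - sent_t <= window:
                    hits.append({"question": key, "forwarder": fwd,
                                 "echoed_by": m["src"], "delay": t - sent_t})
                    del pending[i]
                    break
    return hits


# Constructed sample: a few packets copied from the capture above, one per line.
SAMPLE = """\
11:11:46.398533 IP (tos 0x0, ttl 64, id 30233, offset 0, flags [none], proto UDP (17), length 56) directory.ost.example.com.44598 > google-public-dns-a.google.com.domain: 16053+ [1au] NS? . (28)
11:11:46.398550 IP (tos 0x0, ttl 64, id 30234, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.28345 > google-public-dns-a.google.com.domain: 1718+% [1au] A? microsoft.com. (42)
11:11:46.400157 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56) router.25830 > directory.ost.example.com.domain: 18328+ [1au] NS? . (28)
11:11:46.400860 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) router.47804 > directory.ost.example.com.domain: 7806+% [1au] A? microsoft.com. (42)
11:11:56.400719 IP (tos 0x0, ttl 64, id 47842, offset 0, flags [none], proto UDP (17), length 70) directory.ost.example.com.domain > router.47804: 7806 ServFail 0/0/1 (42)
"""
# tcpdump ran without -n, so the forwarders appear under their PTR names.
FORWARDERS = {"google-public-dns-a.google.com", "google-public-dns-b.google.com"}
```

Calling `detect_redirection(SAMPLE, "directory.ost.example.com", FORWARDERS)` reports both the `NS? .` and the `A? microsoft.com.` queries as echoed back by `router`; a forwarder that really answers produces no such echo and an empty list.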