Domain-Name-System

CentOS 7 BIND DNS SERVFAIL 當 nslookup 為內部伺服器

  • July 15, 2017

我正在嘗試在 Vbox VM 上的 Cent OS 7(Scientific Linux 7.3)上設置內部 DNS 伺服器,以便稍後在…上安裝 puppet 伺服器

我遇到的問題是 DNS 似乎能夠解析 google.com 之類的外部名稱,而且看起來答案確實是由本地 DNS 提供的;但是當我對 DNS 伺服器本身做 nslookup 時,總是得到 SERVFAIL,接著解析出一個奇怪的 IP 位址,而不是我的內部 IP 位址……以下是一些 nslookup 範例,都是在 DNS 伺服器本身上執行的(automation.cylonhive.net,IP 192.168.0.28)

   # nslookup and dig examples from automation.cylonhive.net

   [root@automation automation ~]# nslookup www.cnn.com
   Server:     192.168.0.28
   Address:    192.168.0.28#53

   Non-authoritative answer:
   www.cnn.com canonical name = turner-tls.map.fastly.net.
   Name:   turner-tls.map.fastly.net
   Address: 151.101.49.67

   [root@automation automation ~]# nslookup www.google.com
   Server:     192.168.0.28
   Address:    192.168.0.28#53

   Non-authoritative answer:
   Name:   www.google.com
   Address: 172.217.5.68

   # This is where is starts to give the wrong answer
   [root@automation automation ~]# nslookup automation.cylonhive.net
   ;; Got SERVFAIL reply from 192.168.0.28, trying next server
   Server:     68.105.29.11
   Address:    68.105.29.11#53

   Non-authoritative answer:
   Name:   automation.cylonhive.net
   Address: 92.242.140.2    # this is not the ip address of the server

   [root@automation automation ~]# nslookup automation
   ;; Got SERVFAIL reply from 192.168.0.28, trying next server
   Server:     68.105.29.11
   Address:    68.105.29.11#53

   Non-authoritative answer:
   Name:   automation.cylonhive.net
   Address: 92.242.140.2     # this is not the ip address of the server

   [root@automation automation ~]# dig www.cnn.com

   ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> www.cnn.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26705
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.cnn.com.           IN  A

   ;; ANSWER SECTION:
   www.cnn.com.        85  IN  CNAME   turner-tls.map.fastly.net.
   turner-tls.map.fastly.net. 11   IN  A   151.101.49.67

   ;; Query time: 23 msec
   ;; SERVER: 192.168.0.28#53(192.168.0.28)
   ;; WHEN: Fri Jul 14 11:53:02 CDT 2017
   ;; MSG SIZE  rcvd: 95

   [root@automation automation ~]# dig www.google.com

   ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> www.google.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38036
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.google.com.            IN  A

   ;; ANSWER SECTION:
   www.google.com.     270 IN  A   172.217.5.68

   ;; Query time: 17 msec
   ;; SERVER: 192.168.0.28#53(192.168.0.28)
   ;; WHEN: Fri Jul 14 11:53:09 CDT 2017
   ;; MSG SIZE  rcvd: 59

   [root@automation automation ~]# dig automation.cylonhive.net

   ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> automation.cylonhive.net
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40428
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;automation.cylonhive.net.  IN  A

   ;; Query time: 1 msec
   ;; SERVER: 192.168.0.28#53(192.168.0.28) # this is the ip address of the server but it is still showing a SERVFAIL message
   ;; WHEN: Fri Jul 14 11:53:20 CDT 2017
   ;; MSG SIZE  rcvd: 53

這是我的 /etc/named.conf 文件:

   [root@automation automation ~]# cat /etc/named.conf
   //
   // named.conf
   //
   // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
   // server as a caching only nameserver (as a localhost DNS resolver only).
   //
   // See /usr/share/doc/bind*/sample/ for example named configuration files.
   //
   // See the BIND Administrator's Reference Manual (ARM) for details about the
   // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

   options {
       listen-on port 53 { any; };
       listen-on-v6 port 53 { ::1; };
       directory   "/var/named";
       dump-file   "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       allow-query     { any; };

       /* 
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        - If you are building a RECURSIVE (caching) DNS server, you need to enable 
          recursion. 
        - If your recursive DNS server has a public IP address, you MUST enable access 
          control to limit queries to your legitimate users. Failing to do so will
          cause your server to become part of large scale DNS amplification 
          attacks. Implementing BCP38 within your network would greatly
          reduce such attack surface 
       */
       recursion yes;

       dnssec-enable yes;
       dnssec-validation no;

       forward only;
       forwarders { 68.105.28.11; 68.105.29.11; 68.105.28.12; };   

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";

       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
   };

   logging {
           channel default_debug {
                   file "data/named.run";
                   severity dynamic;
           };
   };

   // put zones here:
   //-------------------------------------------------
   zone "cylonhive.net" {
   type master;
   file "cylonhive.net.zone";
   allow-update {none; };
   };

   zone "0.168.192.in-addr.arpa" {
   type master;
   file "cylonhive.net.revzone";
   allow-update {none; };
   };

   //-----------------------------------------------------

   zone "." IN {
       type hint;
       file "named.ca";
   };

   include "/etc/named.rfc1912.zones";
   include "/etc/named.root.key";

這是我的命名區域文件:

   [root@automation automation ~]# cat /var/named/cylonhive.net.zone 
   $TTL 86400
   @ IN SOA cylonhive.net. root.cylonhive.net. (
    2017071401 ; Serial
    1d ; refresh
    2h ; retry
    4w ; expire
    1h ) ; min cache
    IN NS automation.cylonhive.net.
    IN MX 10 automation.cylonhive.net.

   gateway    IN A 192.168.0.1
   dns        IN A 192.168.0.28
   automation IN A 192.168.0.28
   ns         IN CNAME automation
   mail       IN A 192.168.0.28
   client01   IN A 192.168.0.36

這是反向區域文件:

   [root@automation automation ~]# cat /var/named/cylonhive.net.revzone 
   $TTL 86400
   @ IN SOA cylonhive.net. root.cylonhive.net. (
    2017071401 ; Serial
    1d ; refresh
    2h ; retry
    4w ; expire
    1h ) ; min cache
    IN NS automation.cylonhive.net.

   1     IN PTR gateway.cylonhive.net.
   5     IN PTR automation.cylonhive.net.
   15    IN PTR client01.cylonhive.net.

這是 /etc/resolv.conf、/etc/hosts 和 /etc/hostname 文件:

   [root@automation automation ~]# cat /etc/resolv.conf
   # Generated by NetworkManager
   search cylonhive.net 192.168.0.28
   nameserver 192.168.0.28
   nameserver 68.105.29.11
   nameserver 68.105.28.12
   ..............................................

   [root@automation automation ~]# cat /etc/hosts
   127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4
   ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

   # Puppet Master
   192.168.0.28 automation automation.cylonhive.net


   # Puppet Node
   192.168.0.36 client01 client01.cylonhive.net


   ..............................................


   [root@automation automation ~]# cat /etc/hostname 
   automation automation.cylonhive.net 192.168.0.28

我已經為此工作了 3 天,我正在絞盡腦汁想弄清楚這一點……這是一次令人毛骨悚然的經歷。任何幫助,將不勝感激。知道我的運氣,這可能是我的眼睛呆滯而錯過的簡單事情。這是我第一次設置內部 DNS 伺服器,所以我知道可能會有一些學習曲線。謝謝大家!

cat messages | grep named | tail -50

   [root@automation automation log]# cat messages | grep named |  tail -50
   Jul 14 20:25:10 automation automation named[2022]: BIND 9 is maintained by Internet Systems Consortium,
   Jul 14 20:25:10 automation automation named[2022]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
   Jul 14 20:25:10 automation automation named[2022]: corporation.  Support and training for BIND 9 are
   Jul 14 20:25:10 automation automation named[2022]: available at https://www.isc.org/support
   Jul 14 20:25:10 automation automation named[2022]: ----------------------------------------------------
   Jul 14 20:25:10 automation automation named[2022]: adjusted limit on open files from 4096 to 1048576
   Jul 14 20:25:10 automation automation named[2022]: found 1 CPU, using 1 worker thread
   Jul 14 20:25:10 automation automation named[2022]: using 1 UDP listener per interface
   Jul 14 20:25:10 automation automation named[2022]: using up to 4096 sockets
   Jul 14 20:25:10 automation automation named[2022]: loading configuration from '/etc/named.conf'
   Jul 14 20:25:10 automation automation named[2022]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
   Jul 14 20:25:10 automation automation named[2022]: initializing GeoIP Country (IPv4) (type 1) DB
   Jul 14 20:25:10 automation automation named[2022]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind
   Jul 14 20:25:10 automation automation named[2022]: initializing GeoIP Country (IPv6) (type 12) DB
   Jul 14 20:25:10 automation automation named[2022]: GEO-106FREE 20160607 Build 1 Copy
   Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv4) (type 2) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv4) (type 6) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv6) (type 30) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv6) (type 31) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP Region (type 3) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP Region (type 7) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP ISP (type 4) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP Org (type 5) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP AS (type 9) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP Domain (type 11) DB not available
   Jul 14 20:25:10 automation automation named[2022]: GeoIP NetSpeed (type 10) DB not available
   Jul 14 20:25:10 automation automation named[2022]: using default UDP/IPv4 port range: [1024, 65535]
   Jul 14 20:25:10 automation automation named[2022]: using default UDP/IPv6 port range: [1024, 65535]
   Jul 14 20:25:10 automation automation named[2022]: listening on IPv4 interface lo, 127.0.0.1#53
   Jul 14 20:25:10 automation automation named[2022]: listening on IPv4 interface enp0s17, 192.168.0.28#53
   Jul 14 20:25:10 automation automation named[2022]: listening on IPv6 interface lo, ::1#53
   Jul 14 20:25:10 automation automation named[2022]: generating session key for dynamic DNS
   Jul 14 20:25:10 automation automation named[2022]: sizing zone task pool based on 8 zones
   Jul 14 20:25:10 automation automation named[2022]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
   Jul 14 20:25:10 automation automation named[2022]: command channel listening on 127.0.0.1#953
   Jul 14 20:25:10 automation automation named[2022]: command channel listening on ::1#953
   Jul 14 20:25:10 automation automation named[2022]: managed-keys-zone: journal file is out of date: removing journal file
   Jul 14 20:25:10 automation automation named[2022]: managed-keys-zone: loaded serial 14
   Jul 14 20:25:10 automation automation named[2022]: zone 0.in-addr.arpa/IN: loaded serial 0
   Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: loading from master file cylonhive.net.revzone failed: permission denied
   Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: not loaded due to errors.
   Jul 14 20:25:10 automation automation named[2022]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
   Jul 14 20:25:10 automation automation named[2022]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
   Jul 14 20:25:10 automation automation named[2022]: zone localhost.localdomain/IN: loaded serial 0
   Jul 14 20:25:10 automation automation named[2022]: zone localhost/IN: loaded serial 0
   Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: loading from master file cylonhive.net.zone failed: permission denied
   Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: not loaded due to errors.
   Jul 14 20:25:10 automation automation named[2022]: all zones loaded
   Jul 14 20:25:10 automation automation named[2022]: running
   Jul 14 20:25:10 automation automation audispd: node=automationautomation.cylonhive.net192.168.0.28 type=SERVICE_START msg=audit(1500081910.057:1587): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
   [root@automation automation log]# 
Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: loading from master file cylonhive.net.revzone failed: permission denied
Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: not loaded due to errors.
Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: loading from master file cylonhive.net.zone failed: permission denied
Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: not loaded due to errors.

由於檔案權限問題,您的區域檔案並未載入。請檢查這兩個檔案,確保執行 named 的使用者能夠讀取它們;如果不確定是哪個使用者,請在服務啟動後查看程序表。區域未載入時,named 對該區域內名稱的查詢會回傳 SERVFAIL(與上面 dig 的結果一致),resolver 於是改問上游伺服器,而上游回傳的 92.242.140.2 是外部的答案(看起來像是 ISP 對不存在名稱的重導向位址),並非您的內部位址。

引用自:https://serverfault.com/questions/862232