外部 DNS 伺服器（centos 命名）不一致地解析使用者查詢

我有一個位於公共 IP 後面的 DNS 伺服器集群。

這些伺服器有時會解決，但有時它們只是為任何查詢返回一個 ServFail 錯誤程式碼

我的設置不是典型的（這是繼承的）。

基本上在伺服器上有一個名為 gi 的命名空間，這裡是新服務呼叫 srv-gi ’’’ 使用命名服務的地方

#!/bin/sh

start_service() {
       ip netns exec gi /usr/sbin/zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
       ip netns exec gi /usr/sbin/bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf 
       #DNS service
       ip netns exec gi  /usr/sbin/named -u named -c /etc/gi-named.conf
}

start_service

’''

named.conf 文件也已重命名為 gi-named.conf 文件。

// // named.conf // // 由 Red Hat 綁定包提供，用於將 ISC BIND named(8) DNS // 伺服器配置為僅記憶體名稱伺服器（僅作為 localhost DNS 解析器）。// // 參見 /usr/share/doc/bind*/sample/ 例如命名的配置文件。// // 有關位於 /usr/share/doc/bind-{version}/Bv9ARM.html 中的配置的詳細資訊，請參閱 BIND 管理員參考手冊 (ARM)

options {
       listen-on port 53 { Public IP; };
       #listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       recursing-file  "/var/named/data/named.recursing";
       secroots-file   "/var/named/data/named.secroots";
       allow-query     { any; };
       allow-query-on  { PublicIP; };

       /*
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        - If you are building a RECURSIVE (caching) DNS server, you need to enable
          recursion.
        - If your recursive DNS server has a public IP address, you MUST enable access
          control to limit queries to your legitimate users. Failing to do so will
          cause your server to become part of large scale DNS amplification
          attacks. Implementing BCP38 within your network would greatly
          reduce such attack surface
       */
       recursion yes;
       allow-query-cache { Internal Range; };
       allow-query-cache-on  { PublicIP; };



       query-source address Public IP ;

       dnssec-enable yes;
       dnssec-validation yes;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";

       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
};


logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
*      named will try to write the 'named.run' file in the $directory (/var/named).
*      By default, SELinux policy does not allow named to modify the /var/named directory,
*      so put the default debug log file in data/ :
*/
       /*channel default_debug {
               print-time yes;
               print-category yes;
               print-severity yes;
               file "data/named.run";
               severity dynamic;
       };*/
       channel queries_log {
               file "/var/log/queries" versions 1 size 20m;
               print-time yes;
               print-category yes;
               print-severity yes;
               severity debug 3;
       };

       category queries { queries_log; };
       category client { queries_log;  };
};

zone "." IN {
       type hint;
       file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

另請注意，我有一個 quagga riuter 配置為允許通過公共 IP 進行 DNS 解析

/etc/quagga/bgpd.conf

!
! Zebra configuration saved from vty
!   2019/10/11 10:11:45
!
!
router bgp AS
bgp router-id PublicIP
network PublicIP/32
network CoreIP/32
neighbor DUB1-WGW peer-group
neighbor DUB1-WGW remote-as AS
neighbor DUB1-WGW soft-reconfiguration inbound
neighbor DUB1-WGW route-map XXXXX out
neighbor CoreBGPIP peer-group DUB1-WGW
neighbor CoreBGPIP peer-group DUB1-WGW
!
ip prefix-list XXXX seq 5 permit PublicIP/32
ip prefix-list XXXX seq 10 permit PrivateIP/32
!
route-map DNS_TO_GI permit 10
match ip address prefix-list XXXXX
!
line vty
!

/etc/quagga/zebra.conf

!
! Zebra configuration saved from vty
!   2019/10/11 10:11:45
!
hostname hostname
!
interface ens160
ipv6 nd suppress-ra
!
interface ens192
ipv6 nd suppress-ra
!
interface ens192.890
ipv6 nd suppress-ra
!
interface ens192.892
ipv6 nd suppress-ra
!
interface XX
ipv6 nd suppress-ra
!
interface lo
!
ip prefix-list XX seq 5 permit PublicIP3/32
ip prefix-list XX seq 10 permit PrivateIP/32
!
route-map XXXX permit 10
match ip address prefix-list XXX
!
!
!
line vty
!

# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
      O - OSPF, I - IS-IS, B - BGP, A - Babel,
      > - selected route, * - FIB route

B>* 0.0.0.0/0 [20/10] via neighbor IP, ens192.892, 00:02:18
C>* 127.0.0.0/8 is directly connected, lo
C>* Public IP/32 is directly connected, lo
C>* NeighborSubnet/30 is directly connected, ens192.890
C>* NeighborIP/30 is directly connected, ens192.892
C>* LocalIP/32 is directly connected, lo

我正在使用測試 APN 測試解析度，雖然當我引入第二個 APN 時我可以將一個 APN 作為 sson 獲得解析度，但我只是在 tcpdump 中遇到以下錯誤：

11:29:38.065284 IP PublicIP.domain > internal IP.p2pcommunity: 30622 ServFail 0/0/0 (44)
11:29:38.265736 IP PublicIP.domain > internal IP.32209: 12606 ServFail 0/0/0 (37)
11:29:38.266037 IP PublicIP.domain > internal IP.10793: 26678 ServFail 0/0/0 (37)
11:29:38.295727 IP PublicIP.domain > internal IP.ibm_wrless_lan: 23483 ServFail 0/0/0 (33)
11:29:38.296038 IP PublicIP.domain > internal IP.22097: 8347 ServFail 0/0/0 (33)
11:29:38.297532 IP PublicIP.domain > internal IP.31026: 23400 ServFail 0/0/0 (38)
11:29:38.298117 IP PublicIP.domain > internal IP.23707: 26481 ServFail 0/0/0 (38)

並從 /var/log/queries

22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): error
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): send
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): sendto
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): error
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): senddone
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): next
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): endrequest
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): send
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): sendto
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): senddone
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): next
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): endrequest

我真的不確定如何解決這個問題，任何指針或建議將不勝感激

dig 命令的輸出

dig facebook.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;facebook.com.          IN  A

;; ANSWER SECTION:
facebook.com.       93  IN  A   31.13.86.36

;; Query time: 2 msec
;; SERVER: internal DNS#53(Internal DNS)
;; WHEN: Tue Sep 22 19:38:58 UTC 2020
;; MSG SIZE  rcvd: 57


dig @PublicIP facebook.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @PublicIP facebook.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @208.67.222.222 facebook.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @208.67.222.222 facebook.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

ip netns exec gi tcpdump -n -f 'port 53' -i any
09:55:35.676645 IP PublicIP.domain > InternalIP.46571: 36451 ServFail 0/0/0 (32)
09:55:35.676939 IP PublicIP.domain > InternalIP.37817: 52592 ServFail 0/0/0 (32)
09:55:35.677865 IP PublicIP.domain > InternalIP41737: 52624 ServFail 0/0/0 (32)
09:55:35.713870 IP PublicIP.34042 > 193.0.14.129.domain: 11264 [1au] A? mtalk.google.com. (45)
09:55:35.713914 IP PublicIP.11218 > 193.0.14.129.domain: 3623 [1au] NS? . (28)
09:55:35.768649 IP 193.0.14.129.domain > PublicIP.11218: 3623*-| 0/0/1 (28)
09:55:35.784456 IP 193.0.14.129.domain > PublicIP.34042: 11264-| 0/0/1 (45)
09:55:36.045130 IP PublicIP.wcbackup > 192.112.36.4.domain: 28368 A? update.googleapis.com. (39)
09:55:36.063323 IP InternalIP.49382 > PublicIP.domain: 57145+ A? accounts.google.com. (37)
09:55:36.064459 IP PublicIP.48169 > 193.0.14.129.domain: 15825 [1au] A? accounts.google.com. (48)
09:55:36.065883 IP APNIP.54312 > PublicIP.domain: 53585+ A? accounts.google.com. (37)
09:55:36.080202 IP 192.112.36.4.domain > PublicIP.wcbackup: 28368- 0/13/14 (499)
09:55:36.120905 IP 193.0.14.129.domain > PublicIP.48169: 15825- 0/15/27 (1182)
09:55:36.170289 IP InternalIP.59759 > PublicIP.domain: 52061+ A? www.google.com. (32)
09:55:36.224316 IP PublicIP.5346 > 192.112.36.4.domain: 40438 A? www.facebook.com. (34)
09:55:36.257993 IP 192.112.36.4.domain > PublicIP.5346: 40438- 0/13/14 (494)
09:55:36.441576 IP PublicIP.domain > InternalIP.65408: 45517 ServFail 0/0/0 (39)
09:55:36.441666 IP PublicIP.domain > InternalIP.60664: 54663 ServFail 0/0/0 (39)
09:55:36.442994 IP PublicIP.domain > InternalIP.48634: 56799 ServFail 0/0/0 (39)
09:55:36.443474 IP PublicIP.domain > InternalIP.36045: 34980 ServFail 0/0/0 (39)

所以我相信我會深入探討這個問題。

基本上這個錯誤來自我對linux和bind服務的誤解。

以前的一位同事建構了這些 DNS 伺服器並創建了一個服務，該服務搭載了命名服務 /usr/local/bin/service-gi

#!/bin/sh

start_service() {
       ip netns exec gi /usr/sbin/zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
       ip netns exec gi /usr/sbin/bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
       ip netns exec gi  /usr/sbin/named -4 -u named -c /etc/gi-named.conf
}

start_service

該服務本質上是使用我的 quagga 虛擬路由器執行命名服務，並且它作為轉發器工作（我必須更改配置，因此它現在是一個遞歸伺服器）。

但是我犯的錯誤是啟動和執行命名服務並與自定義服務並行執行（我這樣做是為了監控目的，因為我們使用的工具只能辨識通用命名服務而不是自定義服務）但是因為 2服務正在同時工作，無法解決查詢。

一旦命名服務停止並且我只使用自定義服務，查詢開始成功解決

引用自：https://serverfault.com/questions/1038959