External DNS management for a domain // How to test your own external DNS server
I have a few domains at Strato. I want to set up my own external DNS to manage my domains.
To do this at Strato, I used the "Domainverwaltung: NS-Records ändern" option. I had to provide 2 name servers for this configuration. The system accepted my configuration.
I have a primary (master) and a secondary (slave) BIND9 DNS on DEBIAN9.
```
root@server1:/etc/bind# named -v
BIND 9.10.3-P4-Debian <id:ebd72b3>
```
Configuration of the MASTER
/etc/bind/named.conf.options
```
acl trusted {
    127.0.0.1;
    xxx.xxx.xxx.43;    # NS1
    xx.xx.xx.107;      # NS2
    81.169.148.38;     # Strato DNS
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on port 53 { any; };
    recursion no;
    allow-query { any; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
```
/etc/bind/named.conf.local
```
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "my-domain.com" {
    type master;
    file "/etc/bind/forward.my-domain.com";
    allow-transfer { xx.xx.xx.107; };
};
```
/etc/bind/forward.my-domain.com
```
$TTL 604800
@   IN  SOA primary.my-domain.com. root.primary.my-domain.com. (
            6           ; Serial
            604820      ; Refresh
            86600       ; Retry
            2419600     ; Expire
            604600 )    ; Negative Cache TTL

;Name Server Information
@           IN  NS      primary.my-domain.com.
@           IN  NS      secondary.my-domain.com.

;IP address of Your Domain Name Server(DNS)
primary     IN  A       xxx.xxx.xxx.43
secondary   IN  A       xx.xx.xx.107

;A Record for Host names
@           IN  A       xxx.xxx.xxx.43
www         IN  A       xxx.xxx.xxx.43

;CNAME Record
ftp         IN  CNAME   www.my-domain.com.
```
Configuration of the SLAVE
/etc/bind/named.conf.options
```
acl trusted {
    127.0.0.1;
    xxx.xxx.xxx.43;    # NS1
    xx.xx.xx.107;      # NS2
    81.169.148.38;     # Strato DNS
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on port 53 { any; };
    recursion no;
    allow-query { any; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
```
/etc/bind/named.conf.local
```
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "my-domain.com" {
    type slave;
    file "/etc/bind/forward.my-domain.com";
    masters { xxx.xxx.xxx.43; };
};
```
/etc/bind/forward.my-domain.com
```
$TTL 604800
@   IN  SOA primary.my-domain.com. root.primary.my-domain.com. (
            6           ; Serial
            604820      ; Refresh
            86600       ; Retry
            2419600     ; Expire
            604600 )    ; Negative Cache TTL

;Name Server Information
@           IN  NS      primary.my-domain.com.
@           IN  NS      secondary.my-domain.com.

;IP address of Your Domain Name Server(DNS)
primary     IN  A       xxx.xxx.xxx.43
secondary   IN  A       xx.xx.xx.107

;A Record for Host names
@           IN  A       xxx.xxx.xxx.43
www         IN  A       xxx.xxx.xxx.43

;CNAME Record
ftp         IN  CNAME   www.my-domain.com.
```
To test this, I used:
DIG:
```
~$ dig my-domain.com @xxx.xxx.xxx.43

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com @xxx.xxx.xxx.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31536
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my-domain.com.                 IN      A

;; ANSWER SECTION:
my-domain.com.          604800  IN      A       xxx.xxx.xxx.43

;; AUTHORITY SECTION:
my-domain.com.          604800  IN      NS      secondary.my-domain.com.
my-domain.com.          604800  IN      NS      primary.my-domain.com.

;; ADDITIONAL SECTION:
primary.my-domain.com.  604800  IN      A       xxx.xxx.xxx.43
secondary.my-domain.com. 604800 IN      A       xx.xx.xx.107

;; Query time: 16 msec
;; SERVER: xxx.xxx.xxx.43#53(xxx.xxx.xxx.43)
;; WHEN: Tue Oct 16 14:42:09 CEST 2018
;; MSG SIZE  rcvd: 136
```
and NSLOOKUP:
```
~$ nslookup my-domain.com xxx.xxx.xxx.43
Server:         xxx.xxx.xxx.43
Address:        xxx.xxx.xxx.43#53

Name:   my-domain.com
Address: xxx.xxx.xxx.43
```
But without pointing directly at my NS, my provider's NS is the one answering:
DIG:
```
~$ dig my-domain.com

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;my-domain.com.                 IN      A

;; ANSWER SECTION:
my-domain.com.          69      IN      A       81.169.145.157

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 16 14:44:23 CEST 2018
;; MSG SIZE  rcvd: 58
```
NSLOOKUP:
```
~$ nslookup my-domain.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   my-domain.com
Address: 81.169.145.157
Name:   my-domain.com
Address: 2a01:238:20a:202:1157::
```
Strato says: "Please note that, because of the decentralised structure of DNS, changes to these settings only take full effect 24 hours after activation."
But even after 24 hours my checks do not point to my NS server. Is there a test I can run to find the possible problem?
Strato also states the following (sorry for the automatic translation); here is the original text:
Setting up the records (only for dedicated servers)
If the primary name server fails, you can use the secondary name server as a backup. This ensures that the domain remains reachable. Primary and secondary name servers are redundant (all configuration is synchronised with the domain via zone transfer), so that the second name server can publish the correct DNS records for the domain, e.g. A record, MX record, etc. Zone transfers must be allowed for the IP address of the STRATO secondary name server, 81.169.148.38. This IP address is static, so it will not need to be changed later (for BIND, e.g. via allow-transfer).
When using the STRATO Secondary Nameserver, there is no need to run two name servers of your own. If you allow zone transfers from your primary name server to sns.serverkompetenz.de, it will fetch the DNS configuration of the domains you have set up on your primary name server. If the primary name server fails, those domains remain reachable.
In the domain's zone, sns.serverkompetenz.de must also be listed as a name server in the NS set.
Thanks to guzzijason for sharing the +trace option of dig.
Another option for testing your own name servers: DENIC -> SERVICE -> TOOLS -> NAST. This is a service on the denic website.
There you can enter the domain you are setting up, name server 1, name server 2 and the IPs of your name servers. See the results here:
This showed that my setup was correct, so I could look deeper into the topic.
My problem was: in the web interface of my domain provider Strato, I had entered the IPs of the root servers mentioned above, xxx.xxx.xxx.43 and xx.xx.xx.107.
The correct configuration for Strato is to enter the SERVER DNS-HOSTNAME, e.g. "h1234567.stratoserver.net" for a Strato server or "b123123.online-server.cloud" for a 1und1 server.
Maybe this will help someone...
You can start by running
```
dig +trace my-domain.com.
```
This starts at the ROOT-SERVERS name servers and then follows the NS delegation path (hopefully) all the way down to your own name servers. Make sure the NS records returned at each point are the ones you expect to see. For example, this is what a (filtered) trace looks like for my domain:
```
$ dig +trace guzzijason.com. | grep -E 'IN\s*NS'
.                       509129  IN      NS      b.root-servers.net.
.                       509129  IN      NS      h.root-servers.net.
.                       509129  IN      NS      g.root-servers.net.
.                       509129  IN      NS      i.root-servers.net.
.                       509129  IN      NS      m.root-servers.net.
.                       509129  IN      NS      k.root-servers.net.
.                       509129  IN      NS      f.root-servers.net.
.                       509129  IN      NS      j.root-servers.net.
.                       509129  IN      NS      e.root-servers.net.
.                       509129  IN      NS      c.root-servers.net.
.                       509129  IN      NS      d.root-servers.net.
.                       509129  IN      NS      l.root-servers.net.
.                       509129  IN      NS      a.root-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
guzzijason.com.         172800  IN      NS      ns01.guzzijason.com.   # Note: delegation NS record hosted by gtld-servers
guzzijason.com.         172800  IN      NS      ns02.guzzijason.com.   # Note: delegation NS record hosted by gtld-servers
guzzijason.com.         7200    IN      NS      ns01.guzzijason.com.   # authoritative NS record served by guzzijason.com nameservers
guzzijason.com.         7200    IN      NS      ns02.guzzijason.com.   # authoritative NS record served by guzzijason.com nameservers
```
Note also which records are the upstream delegation records and which records are served by my authoritative name servers.
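As an added example (not part of the answer above), a small Python checker that applies the "are the NS records at each point the ones you expect" rule to a filtered `dig +trace` output: it groups the NS lines for your zone into one set per hop and reports every hop whose set differs from the name servers you configured, which is exactly the mismatch the question's dig output shows (the parent still handing out the provider's servers). The two traces embedded below are constructed, the `provider.example` names are placeholders, and the hop-splitting rule (new hop when the TTL changes or a name repeats) is an assumption of this example, not something dig guarantees.

```python
import re
# One NS line of `dig +trace` output, e.g. "my-domain.com. 172800 IN NS primary.my-domain.com."
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)", re.IGNORECASE)

def parse_trace(text):
    """Return (owner, ttl, nameserver) tuples; trailing '#' comments are ignored."""
    hits = (NS_LINE.match(l.split("#", 1)[0].strip()) for l in text.splitlines())
    return [(m.group(1).lower(), int(m.group(2)), m.group(3).lower()) for m in hits if m]

def ns_sets(records, zone):
    """Group the NS records for `zone` into one set per hop. The filtered output has
    no hop separators, so a new hop starts when the TTL changes or a name repeats."""
    zone = zone.lower().rstrip(".") + "."
    hops, names, ttl = [], set(), None
    for owner, rr_ttl, ns in records:
        if owner != zone:
            continue
        if names and (rr_ttl != ttl or ns in names):
            hops.append((ttl, frozenset(names)))
            names = set()
        names.add(ns)
        ttl = rr_ttl
    if names:
        hops.append((ttl, frozenset(names)))
    return hops

def check_delegation(text, zone, expected):
    """Return one problem string per hop whose NS set differs from `expected`."""
    want = {n.lower().rstrip(".") + "." for n in expected}
    hops = ns_sets(parse_trace(text), zone)
    if not hops:
        return ["no NS records for %s in the trace" % zone]
    return ["hop %d (TTL %d): got %s, expected %s" % (i, ttl, sorted(n), sorted(want))
            for i, (ttl, n) in enumerate(hops, 1) if n != want]

EXPECTED = ["primary.my-domain.com", "secondary.my-domain.com"]
# Constructed traces (not real output), filtered with `grep -E 'IN\s*NS'` as above.
GOOD_TRACE = """
my-domain.com.  172800 IN NS primary.my-domain.com.    # delegation at the gtld-servers
my-domain.com.  172800 IN NS secondary.my-domain.com.
my-domain.com.  604800 IN NS primary.my-domain.com.    # served by the zone itself
my-domain.com.  604800 IN NS secondary.my-domain.com.
"""
# The parent still delegates to the provider's servers (placeholder names).
BAD_TRACE = """
my-domain.com.  172800 IN NS ns1.provider.example.
my-domain.com.  172800 IN NS ns2.provider.example.
my-domain.com.   86400 IN NS ns1.provider.example.
my-domain.com.   86400 IN NS ns2.provider.example.
"""
```

Feed it real output with `dig +trace my-domain.com. | grep -E 'IN\s*NS'` and your own NS names; an empty result list means every hop, from the gTLD delegation down to your zone, names the servers you configured.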