Domain-Name-System

External DNS managing domain // How to test my own external DNS server

  • October 17, 2018

I have several domains at Strato. I want to set up my own external DNS to manage my domains.

To do this at Strato I used the "Domainverwaltung: NS-Records ändern" option. I had to provide 2 name servers for this configuration. The system accepted my configuration.

I have a primary (master) and a secondary (slave) BIND9 DNS on DEBIAN9.

root@server1:/etc/bind# named -v
BIND 9.10.3-P4-Debian <id:ebd72b3>

Configuration of the MASTER

/etc/bind/named.conf.options

acl trusted {
       127.0.0.1;
       xxx.xxx.xxx.43; # NS1
       xx.xx.xx.107; # NS2
       81.169.148.38; # Strato DNS
};

options {
       directory "/var/cache/bind";

       // If there is a firewall between you and nameservers you want
       // to talk to, you may need to fix the firewall to allow multiple
       // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

       // If your ISP provided one or more IP addresses for stable
       // nameservers, you probably want to use them as forwarders.
       // Uncomment the following block, and insert the addresses replacing
       // the all-0's placeholder.

       // forwarders {
       //             0.0.0.0;
       // };

       //========================================================================
       // If BIND logs error messages about the root key being expired,
       // you will need to update your keys.  See https://www.isc.org/bind-keys
       //========================================================================
       dnssec-validation auto;
       listen-on port 53 { any; };
        recursion no;
        allow-query { any; };
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
       allow-notify { trusted; };
       allow-transfer { trusted; };
};

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone    "my-domain.com"   {
       type master;
       file    "/etc/bind/forward.my-domain.com";
       allow-transfer { xx.xx.xx.107; };
};

/etc/bind/forward.my-domain.com

$TTL    604800

@       IN      SOA     primary.my-domain.com. root.primary.my-domain.com. (
                             6         ; Serial
                        604820         ; Refresh
                         86600         ; Retry
                       2419600         ; Expire
                        604600 )       ; Negative Cache TTL

;Name Server Information
@       IN      NS      primary.my-domain.com.
@       IN      NS      secondary.my-domain.com.

;IP address of Your Domain Name Server(DNS)
primary IN       A      xxx.xxx.xxx.43
secondary IN     A      xx.xx.xx.107

;A Record for Host names
@       IN       A       xxx.xxx.xxx.43
www     IN       A       xxx.xxx.xxx.43

;CNAME Record
ftp     IN      CNAME    www.my-domain.com.

Configuration of the SLAVE

/etc/bind/named.conf.options

acl trusted {
       127.0.0.1;
       xxx.xxx.xxx.43; # NS1
       xx.xx.xx.107; # NS2
       81.169.148.38; # Strato DNS
};

options {
       directory "/var/cache/bind";

       // If there is a firewall between you and nameservers you want
       // to talk to, you may need to fix the firewall to allow multiple
       // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

       // If your ISP provided one or more IP addresses for stable
       // nameservers, you probably want to use them as forwarders.
       // Uncomment the following block, and insert the addresses replacing
       // the all-0's placeholder.

       // forwarders {
       //             0.0.0.0;
       // };

       //========================================================================
       // If BIND logs error messages about the root key being expired,
       // you will need to update your keys.  See https://www.isc.org/bind-keys
       //========================================================================
       dnssec-validation auto;
       listen-on port 53 { any; };
        recursion no;
        allow-query { any; };
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
       allow-notify { trusted; };
       allow-transfer { trusted; };
};

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone    "my-domain.com"   {
       type slave;
       file    "/etc/bind/forward.my-domain.com";
        masters { xxx.xxx.xxx.43; };
};

/etc/bind/forward.my-domain.com

$TTL    604800

@       IN      SOA     primary.my-domain.com. root.primary.my-domain.com. (
                             6         ; Serial
                        604820         ; Refresh
                         86600         ; Retry
                       2419600         ; Expire
                        604600 )       ; Negative Cache TTL

;Name Server Information
@       IN      NS      primary.my-domain.com.
@       IN      NS      secondary.my-domain.com.

;IP address of Your Domain Name Server(DNS)
primary IN       A      xxx.xxx.xxx.43
secondary IN     A      xx.xx.xx.107

;A Record for Host names
@       IN       A       xxx.xxx.xxx.43
www     IN       A       xxx.xxx.xxx.43

;CNAME Record
ftp     IN      CNAME    www.my-domain.com.

To test this I used:

~$ dig my-domain.com @xxx.xxx.xxx.43

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com @xxx.xxx.xxx.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31536
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my-domain.com.         IN  A

;; ANSWER SECTION:
my-domain.com.      604800  IN  A   xxx.xxx.xxx.43

;; AUTHORITY SECTION:
my-domain.com.      604800  IN  NS  secondary.my-domain.com.
my-domain.com.      604800  IN  NS  primary.my-domain.com.

;; ADDITIONAL SECTION:
primary.my-domain.com.  604800  IN  A   xxx.xxx.xxx.43
secondary.my-domain.com. 604800 IN  A   xx.xx.xx.107

;; Query time: 16 msec
;; SERVER: xxx.xxx.xxx.43#53(xxx.xxx.xxx.43)
;; WHEN: Tue Oct 16 14:42:09 CEST 2018
;; MSG SIZE  rcvd: 136

And NSLOOKUP:

~$ nslookup my-domain.com xxx.xxx.xxx.43
Server:     xxx.xxx.xxx.43
Address:    xxx.xxx.xxx.43#53

Name:   my-domain.com
Address: xxx.xxx.xxx.43

But without pointing directly at my NS, my provider's NS is answering:

DIG:

~$ dig my-domain.com

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;my-domain.com.         IN  A

;; ANSWER SECTION:
my-domain.com.      69  IN  A   81.169.145.157

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 16 14:44:23 CEST 2018
;; MSG SIZE  rcvd: 58

NSLOOKUP:

~$ nslookup my-domain.com
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   my-domain.com
Address: 81.169.145.157
Name:   my-domain.com
Address: 2a01:238:20a:202:1157::

Strato says: "Please note that, due to the decentralised structure of DNS, changes to these settings will not take full effect until 24 hours after activation."

But even after 24 hours my checks do not point to my NS server. Is there a test I can run to find the possible problem?

Strato also states (sorry for the automatic translation; here is the original text):

Setting up records (only for dedicated servers)

If the primary name server fails, you can create a backup with a secondary name server. This ensures that the domain remains reachable. Primary and secondary name servers are redundant (all configuration is synchronised with the domain via zone transfer), so that the second name server can publish the correct DNS records for the domain, e.g. A record, MX record, etc. The IP address of the STRATO secondary name server, 81.169.148.38, must be allowed for transfers. This IP address is static and therefore does not need to be changed later (for BIND, e.g. via allow-transfer).

When using the STRATO Secondary Nameserver, there is no need to operate two name servers of your own. If you allow zone transfers from your primary name server to sns.serverkompetenz.de, it will fetch the DNS configuration of the domains you set up on your primary name server. If the primary name server fails, those domains remain reachable.

In the domain zone, sns.serverkompetenz.de must also be listed as a name server in the NS set.

Thanks to guzzijason for sharing the +trace option of dig.

Another option for testing your own name servers: DENIC -> SERVICE -> TOOLS -> NAST. This is a service on the DENIC website.

There you can enter the domain you are setting up, name server 1, name server 2 and the IPs of your name servers. See the result here:

NAST test on the DENIC website

This showed that my setup is correct. So I could dig deeper into the topic.

My problem was: in the web interface of my domain provider Strato I had entered the IPs of the root servers mentioned above, xxx.xxx.xxx.43 and xx.xx.xx.107.

The correct configuration for Strato is to enter the SERVER DNS-HOSTNAME, e.g. "h1234567.stratoserver.net" for a Strato server or "b123123.online-server.cloud" for a 1und1 server.

Maybe this helps someone...

You can start by running dig +trace my-domain.com. This starts at the ROOT-SERVERS name servers and then (hopefully) follows the NS delegation path all the way down to your own name servers. Make sure the NS records returned at each point are the ones you expect to see. For example, here is what a (filtered) trace of my domain looks like:

$ dig +trace guzzijason.com. | grep -E 'IN\s*NS'
.           509129  IN  NS  b.root-servers.net.
.           509129  IN  NS  h.root-servers.net.
.           509129  IN  NS  g.root-servers.net.
.           509129  IN  NS  i.root-servers.net.
.           509129  IN  NS  m.root-servers.net.
.           509129  IN  NS  k.root-servers.net.
.           509129  IN  NS  f.root-servers.net.
.           509129  IN  NS  j.root-servers.net.
.           509129  IN  NS  e.root-servers.net.
.           509129  IN  NS  c.root-servers.net.
.           509129  IN  NS  d.root-servers.net.
.           509129  IN  NS  l.root-servers.net.
.           509129  IN  NS  a.root-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
guzzijason.com.     172800  IN  NS  ns01.guzzijason.com. # Note: delegation NS record hosted by gtld-servers
guzzijason.com.     172800  IN  NS  ns02.guzzijason.com. # Note: delegation NS record hosted by gtld-servers
guzzijason.com.     7200    IN  NS  ns01.guzzijason.com. # authoritative NS record served by guzzijason.com nameservers
guzzijason.com.     7200    IN  NS  ns02.guzzijason.com. # authoritative NS record served by guzzijason.com nameservers

I have also noted which records are the upstream delegation records and which records are served by my authoritative name servers.
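To make the check described in this answer repeatable, here is an added Python example (not code from the original question or answer) that parses the grep-filtered `dig +trace` output and compares the parent's referral NS set with the zone's own authoritative NS set, the mismatch the asker was hunting for. The trace samples are constructed; `ns1.provider.example` and `ns2.provider.example` are placeholder names.

```python
"""Check a zone's delegation from `dig +trace <zone> | grep NS` output: the
parent's referral prints the zone's NS RRset first, the zone's own
authoritative answer prints it last, and the two must match."""
import re

NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)")

def parse_ns_rrsets(trace_text):
    """Return [(owner, ttl, {nameservers})] in the order dig printed them.
    A new RRset starts when owner or TTL changes or a name repeats."""
    rrsets = []
    for line in trace_text.splitlines():
        m = NS_LINE.match(line.split("#")[0])  # ignore trailing "# note" text
        if not m:
            continue
        owner, ttl, ns = m.group(1).lower(), int(m.group(2)), m.group(3).lower()
        if rrsets and rrsets[-1][:2] == (owner, ttl) and ns not in rrsets[-1][2]:
            rrsets[-1][2].add(ns)
        else:
            rrsets.append((owner, ttl, {ns}))
    return rrsets

def check_delegation(trace_text, zone):
    """Return (delegation_ns, authoritative_ns, problems) for zone."""
    zone = zone.lower().rstrip(".") + "."
    sets = [s for owner, _, s in parse_ns_rrsets(trace_text) if owner == zone]
    if not sets:
        return set(), set(), ["no NS RRset for %s: parent did not delegate it" % zone]
    delegation, authoritative, problems = sets[0], sets[-1], []
    if len(sets) == 1:
        problems.append("only the parent referral seen: no authoritative NS answer")
    if delegation != authoritative:
        problems.append("parent delegates to %s but zone publishes %s"
                        % (sorted(delegation), sorted(authoritative)))
    return delegation, authoritative, problems

# Constructed sample: the healthy case from the answer above (root/com lines trimmed).
GOOD_TRACE = """\
guzzijason.com. 172800  IN  NS  ns01.guzzijason.com.  # delegation from gtld-servers
guzzijason.com. 172800  IN  NS  ns02.guzzijason.com.
guzzijason.com. 7200    IN  NS  ns01.guzzijason.com.  # authoritative answer
guzzijason.com. 7200    IN  NS  ns02.guzzijason.com.
"""
# Constructed sample: parent still refers to the old provider's servers (placeholder names).
BAD_TRACE = """\
my-domain.com.  172800  IN  NS  ns1.provider.example.
my-domain.com.  172800  IN  NS  ns2.provider.example.
my-domain.com.  604800  IN  NS  primary.my-domain.com.
my-domain.com.  604800  IN  NS  secondary.my-domain.com.
"""
```

Feed it the real output of `dig +trace my-domain.com. | grep -E 'IN\s*NS'` to compare what the registrar delegates against what your BIND servers answer.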

Source: https://serverfault.com/questions/935744