Linux

BIND 未指向正確的 IP

  • April 18, 2013

這更像是一個學習和理解 BIND/NAMED 的實驗,但這就是我所擁有的。

我將我的電腦 DNS 設置為我的 linux 伺服器的 IP。我使用以下條目執行 BIND9:

$TTL    1 @     IN      SOA     1.2.3.4. google.com. (
                             2013041602                ; Serial
                             1         ; Refresh
                             1         ; Retry
                             10000             ; Expire
                             1 )       ; Negative Cac
home       14400   IN      A       1.2.3.4
*       14400   IN      A       2.2.2.2
space     14400   IN      A       1.2.3.4


1.2.3.4 = My Server IP

如果我 ping home.google.com,我在家裡的電腦上什麼也得不到。如果我的 DNS 指向 BIND9 伺服器,它不應該使用那些 DNS 記錄嗎?

這是在伺服器上(Windows 有探勘嗎?)

我編輯了 /etc/resolv.conf 以使用我的 Linux 伺服器作為 DNS。

dig home.google.com

; <<>> DiG 9.8.1-P1 <<>> home.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2032
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.google.com.     IN      A

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Wed Apr 17 10:00:59 2013
;; MSG SIZE  rcvd: 43

NSLOOKUP:

Server:  UnKnown
Address:  1.2.3.4

*** UnKnown can't find home.google.com: Server failed

命名.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

命名.conf.options:

options {
       directory "/var/cache/bind";

       // If there is a firewall between you and nameservers you want
       // to talk to, you may need to fix the firewall to allow multiple
       // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

       // If your ISP provided one or more IP addresses for stable
       // nameservers, you probably want to use them as forwarders.
       // Uncomment the following block, and insert the addresses replacing
       // the all-0's placeholder.

        forwarders {
               75.75.75.75;
               75.75.76.76;
        };

       //========================================================================
       // If BIND logs error messages about the root key being expired,
       // you will need to update your keys.  See https://www.isc.org/bind-keys
       //========================================================================
       dnssec-validation auto;

       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};

命名.conf.local

zone "google.com" {
       type master;
       file "/etc/bind/db.google.com";
};

zone "2.3.4.in-addr.arpa" {
       type master;
       notify no;
       file "/etc/bind/db.192";
};

/etc/bind/named.conf.default-zones

zone "localhost" {
       type master;
       file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
       type master;
       file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
       type master;
       file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
       type master;
       file "/etc/bind/db.255";
};

您正在混合兩種截然不同的東西:DNS 伺服器可以是解析器(從所有可能的域接收名稱並通過詢問世界上的權威名稱伺服器來解析它們)或權威伺服器(將有關您自己區域的數據提供給解析器) . 我強烈建議將兩者分開(在不同的機器上)。否則調試真的很痛苦。

對於域 google.com 的權威伺服器,您的配置似乎沒問題,除了 dig 的輸出顯示遞歸可用。您應該禁用它 ( recursion no;)。

下一步是檢查該區域是否確實由名稱伺服器載入。請記住,Unix 系統管理人員整天都在查看日誌文件。檢查命名啟動消息的日誌文件,您可能會發現一條錯誤消息解釋為什麼未載入區域(或者,使用命名檢查區域測試區域)。

引用自:https://serverfault.com/questions/500070