
ubuntu上的bind9不能從bind9伺服器ping通(但可以從其他機器ping通)(noob)

  • July 10, 2018

如題。是否可以在 bind9 伺服器機器上 ping 到 dns 服務?

我想要做:

ping hpc.lan

PING hpc.lan (12.1.1.1) 56(84) bytes of data.
64 bytes from M.hpc.lan (12.1.1.1): icmp_seq=1 ttl=64 time=0.146 ms
64 bytes from M.hpc.lan (12.1.1.1): icmp_seq=2 ttl=64 time=0.171 ms
64 bytes from M.hpc.lan (12.1.1.1): icmp_seq=3 ttl=64 time=0.175 ms

而且在 bind9 伺服器機器以外的其他機器上,這是可以正常運作的。

可能是什麼原因?是我把 bind 的設定弄亂了,還是應該把它寫在 hosts 檔裡?我可以 ping 到區域網路中其他主機的主機名…我是網路新手,這個區域網路 + dhcp + dns 也才架了一天,所以請多包涵 :D

當我從其他機器上執行 dig 時,我得到:

dig hpc.lan

; <<>> DiG 9.10.3-P4-Ubuntu <<>> hpc.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50994
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hpc.lan.           IN  A

;; ANSWER SECTION:
hpc.lan.        604800  IN  A   12.1.1.1

;; AUTHORITY SECTION:
hpc.lan.        604800  IN  NS  M.hpc.lan.

;; ADDITIONAL SECTION:
M.hpc.lan.      604800  IN  A   12.1.1.1

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sun Jul 01 10:49:52 CEST 2018
;; MSG SIZE  rcvd: 84

從 Windows 機器也一樣:

nslookup hpc.lan

Server: gateway.hpc.lan
Address: 12.1.1.1

Name: hpc.lan
Address: 12.1.1.1

或是反向查詢:

nslookup 12.1.1.1
Server:     127.0.1.1
Address:    127.0.1.1#53

1.1.1.12.in-addr.arpa   name = M.hpc.lan.
1.1.1.12.in-addr.arpa   name = gateway.hpc.lan.

但是在 bind9 伺服器機器上執行 dig 則得到:

dig hpc.lan


; <<>> DiG 9.10.3-P4-Ubuntu <<>> hpc.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6784
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hpc.lan.           IN  A

;; AUTHORITY SECTION:
.           86398   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2018063002 1800 900 604800 86400

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 01 10:58:31 CEST 2018
;; MSG SIZE  rcvd: 111

nslookup 也一樣:

nslookup hpc.lan
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find hpc.lan: NXDOMAIN

a@M:~$ nslookup 12.1.1.1
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find 1.1.1.12.in-addr.arpa: NXDOMAIN

a@M:~$ nslookup 12.1.1.50
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find 50.1.1.12.in-addr.arpa: NXDOMAIN

a@M:~$ nslookup 12.1.1.90
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find 90.1.1.12.in-addr.arpa: NXDOMAIN

或是反向查詢:

nslookup 12.1.1.1
Server:     8.8.8.8
Address:    8.8.8.8#53

** server can't find 1.1.1.12.in-addr.arpa: NXDOMAIN

顯然它沒有看到我區域網路的 dns,就直接去問外面的伺服器了……

我在 bind9 伺服器上的配置如下:

sudo nano /etc/bind/named.conf.options

// ACL reused below for recursion, listening and query permissions.
acl "trusted" {
   12.1.1.0/24; # ns1
   // NOTE(review): 12.1.1.0/24 is not RFC 1918 private space, so the
   // "zones.rfc1918" include in named.conf.local does not cover its reverse zone.
   //192.168.1.0/24;
   localhost;
   localnets;
};

options {
   directory "/var/cache/bind";

   recursion yes;
   allow-recursion { trusted; };
   listen-on { trusted; };
   // With allow-transfer left commented out, zone transfers fall back to
   // BIND's default (allowed to any client that can reach the listener).
   //allow-transfer { none; };

   //allow-recursion { any; };
   allow-query { trusted; };
   // Cache lookups are open to "any" while allow-query is limited to "trusted";
   // listen-on-v6 { any; } below accepts on every IPv6 address (unlike the
   // IPv4 listener), which is where that difference would matter.
   allow-query-cache { any; };

   forwarders {
       // 12.1.1.1 is this host's own enp1s10 address (see
       // /etc/network/interfaces on this page), so the first forwarder points
       // BIND back at itself; only the two Google resolvers are real upstreams.
       12.1.1.1;
       8.8.8.8;
       8.8.4.4;
   };

   dnssec-validation auto;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };
};

sudo nano /etc/bind/named.conf.local

// RFC 1918 reverse zones; 1.1.12.in-addr.arpa is not among them because
// 12.1.1.0/24 is not RFC 1918 space, hence the explicit zone below.
include "/etc/bind/zones.rfc1918";

// send ads to black hole
include "/etc/bind/ad-blacklist";


// our local zone
zone "hpc.lan" {
   type master;
   file "/etc/bind/db.hpc.lan";
};


// reverse for .hpc domain
// NOTE(review): the reverse zone listing later on this page is headed
// /etc/hpc/db.hpc.lan.r, not /etc/bind/db.hpc.lan.r -- confirm which path
// named actually loads.
zone "1.1.12.in-addr.arpa" {
   type master;
   // notify yes sends NOTIFY to the zone's NS records; no secondary server
   // appears anywhere on this page, so this presumably only reaches M itself.
   notify yes;
   file "/etc/bind/db.hpc.lan.r";
};

sudo nano /etc/bind/db.hpc.lan

;
; BIND data file for local loopback interface
; (header left over from the Debian db.local template; this is the hpc.lan
; forward zone, not loopback)
;
$TTL    604800
@   IN  SOA M.hpc.lan. root.hpc.lan. (
                 2     ; Serial -- bump on every edit
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL
;
hpc.lan.    IN  NS  M.hpc.lan.
hpc.lan.    IN  A   12.1.1.1
;@      IN  NS  localhost.
;@      IN  A   127.0.0.1
;@      IN  AAAA    ::1
; Glue for the NS above; N0/L0 match the fixed-address entries in dhcpd.conf.
M       IN  A   12.1.1.1
N0      IN  A   12.1.1.55
L0      IN  A   12.1.1.90
www     IN  CNAME   hpc.lan.
; NOTE(review): the reverse zone maps 12.1.1.1 to gateway.hpc.lan., but here
; gateway resolves to 192.168.1.1 (the upstream router); forward and reverse
; disagree for this name.
gateway     IN  A   192.168.1.1

sudo nano /etc/hpc/db.hpc.lan.r

;
; BIND reverse data file for local loopback interface
; (header left over from the Debian db.127 template; this is the
; 1.1.12.in-addr.arpa zone for 12.1.1.0/24)
;
$TTL    604800
@   IN  SOA M.hpc.lan. root.hpc.lan. (
                 2     ; Serial -- bump on every edit
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL
;
; NOTE(review): "M." with the trailing dot is the absolute top-level name M,
; not M.hpc.lan. -- compare the forward zone's "hpc.lan. IN NS M.hpc.lan."
; and the SOA MNAME above.
@   IN  NS  M.
; 12.1.1.1 carries two PTRs; both names come back (see the nslookup output
; earlier on the page), while the forward zone gives gateway 192.168.1.1.
1   IN  PTR gateway.hpc.lan.
1   IN  PTR M.hpc.lan.
55  IN  PTR N0.hpc.lan.
90  IN  PTR L0.hpc.lan.

sudo nano /etc/hosts

127.0.0.1   localhost
# M appears twice (loopback alias and the LAN address). hpc.lan itself is not
# listed here, so that name goes to whatever /etc/resolv.conf points at --
# presumably why the dig from this host ends up at 8.8.8.8.
127.0.1.1   M #VN278AA-UUW-m9860sc
12.1.1.1    M #VN278AA-UUW-m9860sc-enp1s10
192.168.1.106   MS #VN278AA-UUW-m9860sc-enp0s10

sudo nano /etc/hostname

M

sudo nano /etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


# external
# DHCP on this interface also delivers a resolver list; resolvconf merges it
# with the dns-nameservers below, which is presumably how 8.8.8.8 ends up in
# /etc/resolv.conf on this host (compare the resolv.conf dumps further down).
auto enp0s10
iface enp0s10 inet dhcp
#iface enp0s10 inet static
#   address 192.168.1.106
#   gateway 192.168.1.1
#   mtu 1500
#   metric 1000
#   dns-nameservers 8.8.8.8 4.4.4.4

# internal 
auto enp1s10
iface enp1s10 inet static
   address 12.1.1.1
   network 12.1.1.0
   netmask 255.255.255.0
   # NOTE(review): 192.168.1.106 is this host's own enp0s10 address and is not
   # inside 12.1.1.0/24; a gateway has to be on-link for the interface.
   gateway 192.168.1.106
   # NOTE(review): the broadcast for 12.1.1.0/255.255.255.0 is 12.1.1.255, not
   # 12.1.0.255 (dhcpd.conf below repeats the same value).
   broadcast 12.1.0.255
   mtu 7152
   dns-nameservers 12.1.1.1
   metric 100

sudo nano /etc/apparmor.d/usr.sbin.named

... 
 /var/log/bind/** rw,
 /var/log/bind/ rw,

}

sudo nano /etc/dhcp/dhcpd.conf

# No dynamic DNS updates: N0/L0 are pinned by the fixed-address entries below
# and by matching static A/PTR records in the hpc.lan zone files.
ddns-update-style none;

option domain-name "hpc.lan";
option domain-name-servers 12.1.1.1;

default-lease-time 86400;
max-lease-time 172800;

authoritative;

log-facility local7;

# wan network, we dont provide service here
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# lan network we provide service for
subnet 12.1.1.0 netmask 255.255.255.0 {
   range 12.1.1.50 12.1.1.99;
   option routers 12.1.1.1;
   option subnet-mask 255.255.255.0;
   # NOTE(review): 12.1.0.255 is outside 12.1.1.0/24; the broadcast address
   # for this subnet is 12.1.1.255 (the same value appears in
   # /etc/network/interfaces).
   option broadcast-address 12.1.0.255;
}

# Fixed leases; both addresses fall inside the 12.1.1.50-99 dynamic range
# declared above and match the A records in db.hpc.lan.
host N0 {
   hardware ethernet 00:25:11:4f:9d:92;
   fixed-address 12.1.1.55;
}

host L0 {
   hardware ethernet f0:de:f1:5b:d3:da;
   fixed-address 12.1.1.90;
}

編輯

順帶一提,用 nslookup 查時,正向和反向 DNS 都是正常的;問題是在伺服器機器上,查詢會略過 12.1.1.1,直接去問 8.8.8.8。

會不會是這裡的轉發(forwarding)設定出了問題?

我的 iptables 是

cat /etc/iptables.conf

# Generated by iptables-save v1.6.0 on Mon Jul  2 01:22:43 2018
*nat
:PREROUTING ACCEPT [406:28839]
:INPUT ACCEPT [180:15615]
:OUTPUT ACCEPT [2024:169350]
:POSTROUTING ACCEPT [66:3986]
-A POSTROUTING -o enp0s10 -j MASQUERADE
# Masquerading towards the LAN side as well hides the real source of anything
# forwarded into 12.1.1.0/24 from the LAN hosts' point of view.
-A POSTROUTING -o enp1s10 -j MASQUERADE
COMMIT
# Completed on Mon Jul  2 01:22:43 2018
# Generated by iptables-save v1.6.0 on Mon Jul  2 01:22:43 2018
*filter
# INPUT has no rules and a default of ACCEPT, so this dump does not restrict
# who can reach the host (including BIND on port 53); BIND's own acl/listen-on
# settings are the only filter in effect.
:INPUT ACCEPT [1211066:4289490990]
# FORWARD also defaults to ACCEPT, which makes the two rules below redundant;
# the policy would have to be DROP for them to act as the actual restriction.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [750206:1045506458]
-A FORWARD -i enp1s10 -o enp0s10 -j ACCEPT
-A FORWARD -i enp0s10 -o enp1s10 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jul  2 01:22:43 2018

好的,所以最好的辦法就是這樣做(我沒有經驗,不知道這做法有多糟,但它似乎有效):

sudo nano /etc/network/interfaces

GNU nano 2.5.3         File: /etc/network/interfaces                          

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback


# external
# auto enp0s10
# iface enp0s10 inet dhcp


# Static now, so no DHCP-supplied resolver list reaches resolvconf; both
# interfaces name 12.1.1.1 (the local BIND) in dns-nameservers.
auto enp0s10
iface enp0s10 inet static
       address 192.168.1.106
       gateway 192.168.1.1
       mtu 1500
       metric 100
       up ethtool -s enp0s10 wol g
       dns-nameservers 12.1.1.1
       # NOTE(review): the two lines below carry no up/pre-up/post-up keyword
       # (the later listing on this page writes them as "up ifdown ...");
       # ifupdown does not run bare option lines as commands, so these
       # presumably do nothing -- confirm. Even as "up" hooks, re-running
       # ifdown/ifup on the interface from inside its own hook is
       # self-referential.
       ifdown enp0s10 --ignore-errors
       ifup enp0s10 --ignore-errors


# internal
allow-hotplug enp1s10
iface enp1s10 inet static
       address 12.1.1.1
       network 12.1.1.0
       netmask 255.255.255.0
       # NOTE(review): 192.168.1.106 is enp0s10's own address, not a host in
       # 12.1.1.0/24.
       gateway 192.168.1.106
       # NOTE(review): the broadcast for 12.1.1.0/24 is 12.1.1.255.
       broadcast 12.1.0.255
       mtu 7152
       dns-nameservers 12.1.1.1
       metric 0
       up ethtool -s enp1s10 wol g
       ifdown enp1s10 --ignore-errors
       ifup enp1s10 --ignore-errors

然後 sudo service network restart 就沒問題了;在此之前它會出現一些錯誤(就算重新開機也一樣):

檔案已存在… 介面 enp1s10 已經啟動… 無法啟用介面 enp1s10…

然後更新resolvconf

sudo resolvconf -u

之後內容會變成:

cat /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 12.1.1.1 is this host's enp1s10 address, i.e. the local BIND. Because
# resolvconf regenerates this file, the value has to come from dns-nameservers
# in /etc/network/interfaces rather than from editing this file directly.
nameserver 12.1.1.1

另請注意,它也可以設定成 dhcp 模式,例如:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback


#external eth0
allow-hotplug enp0s10
iface enp0s10 inet dhcp
#allow-hotplug enp0s10
#iface enp0s10 inet static
#       address 192.168.1.106
#       gateway 192.168.1.1
# The uncommented options below still belong to the dhcp stanza above, since
# the static stanza is commented out. With dhcp here, the lease's resolver
# list (8.8.8.8 / 4.4.4.4, search zyxel.com in the resolv.conf dump below) is
# presumably what resolvconf ends up writing, which is why the local BIND
# gets skipped.
       mtu 1500
       metric 100
#       dns-nameservers 10.10.1.1
       up ethtool -s enp0s10 wol g
       # NOTE(review): ifdown/ifup of enp0s10 from its own up hook is
       # self-referential; confirm it is intended.
       up ifdown enp0s10 --ignore-errors
       up ifup enp0s10 --ignore-errors
       # NOTE(review): this path differs from /etc/iptables.conf shown earlier
       # on the page -- confirm which rules file is the one actually loaded.
       pre-up iptables-restore < /etc/network/iptables.rules

#internal eth1
# NOTE(review): this listing uses 10.10.1.0/24 (RFC 1918) whereas every other
# file on the page uses 12.1.1.0/24; the BIND acl, both zones and dhcpd.conf
# would all have to change together.
allow-hotplug enp1s10
iface enp1s10 inet static
       address 10.10.1.1
       network 10.10.1.0
       netmask 255.255.255.0
       gateway 192.168.1.106
       # NOTE(review): the broadcast for 10.10.1.0/24 is 10.10.1.255, not
       # 10.10.0.255.
       broadcast 10.10.0.255
       mtu 7152
       metric 0
       dns-nameservers 10.10.1.1
       up ethtool -s enp1s10 wol g
       up ifdown enp1s10 --ignore-errors
       up ifup enp1s10 --ignore-errors
       up resolvconf -u

但是之後

resolvconf -u

將導致

cat /etc/resolv.conf

root@M:/home/a# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# Presumably the resolver list from the DHCP lease on enp0s10 (dhcp in the
# interfaces listing above). The local BIND is absent, so every lookup from
# this host goes straight to Google -- matching the NXDOMAIN dig output
# earlier on the page.
nameserver 8.8.8.8
nameserver 4.4.4.4
search zyxel.com

所以結果會很糟糕!看來對外(external)的那個介面必須設成靜態的(為什麼?)……

BIND9 伺服器上的解析器顯然被設定成使用 Google 的名稱伺服器 8.8.8.8。您需要把它改成使用本機的 BIND9 實例。在 /etc/resolv.conf 檔案中,將這一行

nameserver 8.8.8.8

改為

nameserver 127.0.0.1

(注意:如本頁前面的輸出所示,/etc/resolv.conf 是由 resolvconf 產生並會被覆寫的,所以這個改動應透過 /etc/network/interfaces 裡的 dns-nameservers 或 resolvconf 的設定來做,而不是直接手動編輯該檔案。)

引用自:https://serverfault.com/questions/919026