我設定了 DNS,它將充當外部 DNS 伺服器。所有設定均為預設設置,管理員告訴我使用位於 /var/named/named.ca 下的根提示檔案。 /etc/named.conf 檔案中提到了根區域
options {
listen-on port 53 { 127.0.0.1; 192.168.161.1; };
#listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
filter-aaaa-on-v4 yes;
#OPTIONS = "-4"
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
我重新啟動命名服務,但是當我 ping 到任何網域系統時無法解析它
刪除 Google DNS 後
當我新增「127.0.0.1」和「192.168.161.1」並重新啟動網路服務。並挖掘 google.com @localhost。它給了這個回复
dig google.com @localhost
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> google.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24654
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 4001 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 22 16:46:48 +03 2020
;; MSG SIZE rcvd: 39
答案1
首先,ping這不是診斷 dns 問題的最佳方法;你要dig:
shadur@vigil:~$ dig google.com @localhost
; <<>> DiG 9.10.3-P4-Debian <<>> google.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55786
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 22 IN A 216.58.211.110
;; Query time: 90 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 22 14:02:39 CET 2020
;; MSG SIZE rcvd: 55
這會產生更多的信息,即使它對您還沒有幫助,但這些信息更有可能為試圖幫助您找出問題所在的人提供信息。
其次,根據您放在那裡的配置片段和您想要執行的操作的描述來判斷,您的問題是行
recursion no;
因為這告訴 BIND9 它應該只回答對其內部已知列表中的網域的查詢(上面的註釋稱為權威伺服器),並且您所描述的嘗試對 ping 嘗試執行的操作是將其視為循環伺服器。
(通常不建議在同一台電腦上運行兩者,或者如果您這樣做,請非常小心讓誰遞歸;開放遞歸對您的網路來說是個壞消息)。
另外,如果上述所有內容技術性太強而難以理解,我強烈建議pdns-recursor從強力DNS項目代替。