我有這樣的設定綁定:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
forwarders { 10.90.0.135; 10.90.0.174; };
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "appletop.local" IN {
type master;
file "appletop.local";
allow-update { none; };
};
但不轉發?
如果我只是將 DNS 伺服器位址放入resolv.conf另一台電腦上,我會得到正確的查找,因此DNS 伺服器必須能夠為我解析,但如果我隨後將另一台電腦指向這台計算機,它就無法解析名稱。
怎麼了?
經過 MadHatter 建議的更改後:
現在它啟動了,但掛在 dig +trace 上並且不轉發 - 為什麼我看不到下面的轉發器地址?
[root@ns1 ~]# ping www.yahoo.com
^C
[root@ns1 ~]# cd /etc/
[root@ns1 etc]# cp named.conf named.conf.last
[root@ns1 etc]# vi named.conf
[root@ns1 etc]# /etc/init.d/named reload
Reloading named-sdb: [ OK ]
[root@ns1 etc]# service named stop
Stopping named: . [ OK ]
[root@ns1 etc]# /etc/init.d/named start
Starting named: [ OK ]
[root@ns1 etc]# nslookup www.yahoo.com
;; connection timed out; trying next origin
Server: 10.138.10.30
Address: 10.138.10.30#53
** server can't find www.yahoo.com: NXDOMAIN
並用 +trace 進行挖掘:
[root@ns1 etc]# dig +trace www.yahoo.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com
;; global options: +cmd
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
我的整個文件現在看起來像這樣 - 出了什麼問題?
options {
listen-on port 53 { any; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic"; };
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
}; };
zone "." IN {
type forward;
forward first;
forwarders { 10.90.0.135;
10.90.0.174;
} ; };
include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
zone "appletop.local" IN {
type master;
file "appletop.local";
allow-update { none; }; };
答案1
您已經告訴它要使用哪些轉發器,但沒有告訴它何時使用它們。如果你想讓它們用於所有事情,而不是
zone "." IN {
type hint;
file "named.ca";
};
嘗試
zone "." {
type forward;
forward first;
forwarders { 10.90.0.135;
10.90.0.174;
} ;
} ;
編輯: 好吧,試試看上面的方法。不過,我不明白你所說的「首先嘗試在本地解決」是什麼意思;你說你希望它轉發。
答案2
就我而言,問題僅透過更改dnssec-validation yes;為解決dnssec-validation no;
答案3
以防萬一,MadHatter 的回覆下面的 OP 評論不清楚,“問題是 dnssec”,我明確發布這個答案,因為我也發現它解決了我的問題。
我已經設定了一個快取、僅轉發的 BIND 伺服器,但它不轉發。查詢發送到根伺服器時有幾秒鐘的延遲。停用 dnssec 選項可以修復此問題,現在它可以按預期工作。
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;