我在使用 Ubuntu 18.04 时遇到了一个奇怪的问题。我使用 openfortivpn 连接到我的公司资源,一切正常。我还使用 openvpn 连接到一些不同的资源,有时甚至是同时连接。今天,vpn 后面的所有资源都无法访问,我发现这与我电脑上的某些 DNS 设置有关。
没有活动的 openfortivpn 连接:
ll /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Jan 9 10:52 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
grep name /run/systemd/resolve/*.conf
/run/systemd/resolve/resolv.conf:nameserver 192.168.139.2
/run/systemd/resolve/stub-resolv.conf:nameserver 127.0.0.53
使用活动的 openfortivpn:
ll /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Jan 9 10:52 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
grep name /run/systemd/resolve/*.conf
resolv.conf:nameserver 192.168.139.2
stub-resolv.conf:nameserver 10.220.64.161
stub-resolv.conf:nameserver 10.220.64.162
sudo systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 6 (ppp0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (ens33)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.139.2
DNS Domain: localdomain
因此我尝试将 DNS 手动添加到 systemd-resolve 中:
sudo systemd-resolve --set-dns=10.220.64.161 --set-domain=localdomain --set-llmnr=yes --set-mdns=no --set-dnssec=no --interface=ppp0
systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 6 (ppp0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.220.64.161
DNS Domain: localdomain
Link 2 (ens33)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 192.168.139.2
DNS Domain: localdomain
非常感谢您的建议。Michal。
答案1
使用 18.10 时,我遇到了类似的问题。我通过使用 dns 服务器和搜索域信息修改 /etc/systemd/resolved.conf 解决了我的问题。根据手册页,这看起来是正确的行为,
联系的 DNS 服务器由 /etc/systemd/resolved.conf 中的全局设置、/etc/systemd/network/*.network 文件中的每链接静态设置(如果使用 systemd-networkd.service(8))、通过 DHCP 接收的每链接动态设置以及其他系统服务提供的任何 DNS 服务器信息确定。有关 systemd 自己的 DNS 服务器配置文件的详细信息,请参阅 solved.conf(5) 和 systemd.network(5)。为了提高兼容性,会读取 /etc/resolv.conf 以发现已配置的系统 DNS 服务器,但前提是它不是指向 /run/systemd/resolve/stub-resolv.conf 或 /run/systemd/resolve/resolv.conf 的符号链接(见下文)。
我的配置如下,请根据你的环境进行调整,
192.168.1.1 是您的私人 DNS
域语法很重要,不要忘记结尾的点“。”
#/etc/systemd/resolved.conf
[Resolve]
DNS=192.168.1.1
#FallbackDNS=
Domains=blah.mydomain.com. blahblah.mydomain.com.
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=yes
#DNSStubListener=yes
然后重启服务
sudo systemctl restart systemd-resolved.service
验证服务是否正在运行。语法错误可能会导致您在此处看到的问题。
sudo systemctl status systemd-resolved.service
尝试查找本地域名
nslookup blah.mydomain.com
如果不起作用,则验证查询是否超时。手动指定 DNS 服务器
nslookup blah.mydomain.com 192.168.1.1
solved 有一个内置的查询功能,很有用
% resolvectl query fedoraproject.org
fedoraproject.org: 2605:bc80:3010:600:dead:beef:cafe:fed9 -- link: enp5s0
2620:52:3:1:dead:beef:cafe:fed7 -- link: enp5s0
2610:28:3090:3001:dead:beef:cafe:fed3 -- link: enp5s0
2604:1580:fe00:0:dead:beef:cafe:fed1 -- link: enp5s0
2605:bc80:3010:600:dead:beef:cafe:feda -- link: enp5s0
2620:52:3:1:dead:beef:cafe:fed6 -- link: enp5s0
209.132.190.2 -- link: enp5s0
8.43.85.67 -- link: enp5s0
38.145.60.21 -- link: enp5s0
67.219.144.68 -- link: enp5s0
140.211.169.196 -- link: enp5s0
140.211.169.206 -- link: enp5s0
152.19.134.142 -- link: enp5s0
38.145.60.20 -- link: enp5s0
152.19.134.198 -- link: enp5s0
8.43.85.73 -- link: enp5s0
-- Information acquired via protocol DNS in 99.8ms.
-- Data is authenticated: no