I installed it on Ubuntu 20 and configured two zones. Options configuration file:
acl internal {
    localhost;
    localnets;
    192.168.70.0/24;
    10.200.157.0/24;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        9.9.9.9;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    //auth-nxdomain no;
    listen-on { 127.0.0.1; 192.168.70.66; };
    listen-on-v6 { ::1; };
    allow-recursion { any; };
    allow-query-cache { any; };
    allow-query { any; };
};
Local configuration file:
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "wisam.rph" {
    type master;
    file "/etc/bind/forward.wisam.rph";
    allow-query { any; };
};

zone "70.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/reverse.wisam.rph";
    allow-query { any; };
};

logging {
    channel query.log {
        file "/var/log/named/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity dynamic;
    };
};
Forward zone:
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     vmubuntuauthserver.wisam.rph. root.vmubuntuauthserver.wisam.rph. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
vmubuntuauthserver      IN      A       192.168.70.66
;
@       IN      NS      vmubuntuauthserver.wisam.rph.
nameserver              IN      A       192.168.70.66
www                     IN      A       192.168.70.66
@                       IN      AAAA    ::1
Reverse zone:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     nameserver.wisam.rph. root.nameserver.wisam.rph. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      nameserver.wisam.rph.
66      IN      PTR     nameserver.wisam.rph.
Note that the server's IP is 192.168.70.66. I have disabled systemd-resolved, deleted the resolv.conf file, and recreated resolv.conf with the following content:
nameserver 192.168.70.66
search wisam.rph
On the server, if I run "dig nameserver.wisam.rph", I get:
; <<>> DiG 9.16.1-Ubuntu <<>> nameserver.wisam.rph
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61584
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 32e45ecf7d5069f601000000653a9e7e43d963d1c233e471 (good)
;; QUESTION SECTION:
;nameserver.wisam.rph. IN A
;; ANSWER SECTION:
nameserver.wisam.rph. 604800 IN A 192.168.70.66
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:14:38 UTC 2023
;; MSG SIZE rcvd: 93
For the reverse lookup "dig -x 192.168.70.66" I get:
; <<>> DiG 9.16.1-Ubuntu <<>> -x 192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: add17d7373cfe21c01000000653a9ed0d83ec9b4b4f3cfb0 (good)
;; QUESTION SECTION:
;66.70.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
66.70.168.192.in-addr.arpa. 604800 IN PTR nameserver.wisam.rph.
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:16:00 UTC 2023
;; MSG SIZE rcvd: 117
At this point I cannot find anything wrong. I did run "sudo ufw allow Bind9" to make sure the traffic is allowed, but on another Ubuntu 20 desktop, with its DNS set to 192.168.70.66, when I try "dig nameserver.wisam.rph @192.168.70.66" I get:
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> nameserver.wisam.rph @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46698
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nameserver.wisam.rph. IN A
;; Query time: 4 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:19:36 EDT 2023
;; MSG SIZE rcvd: 49
But if I ping it, I get:
PING 192.168.70.66 (192.168.70.66) 56(84) bytes of data.
64 bytes from 192.168.70.66: icmp_seq=1 ttl=64 time=0.937 ms
64 bytes from 192.168.70.66: icmp_seq=2 ttl=64 time=0.644 ms
64 bytes from 192.168.70.66: icmp_seq=3 ttl=64 time=0.803 ms
64 bytes from 192.168.70.66: icmp_seq=4 ttl=64 time=0.707 ms
64 bytes from 192.168.70.66: icmp_seq=5 ttl=64 time=0.660 ms
64 bytes from 192.168.70.66: icmp_seq=6 ttl=64 time=0.690 ms
64 bytes from 192.168.70.66: icmp_seq=7 ttl=64 time=0.751 ms
64 bytes from 192.168.70.66: icmp_seq=8 ttl=64 time=0.784 ms
64 bytes from 192.168.70.66: icmp_seq=9 ttl=64 time=0.675 ms
64 bytes from 192.168.70.66: icmp_seq=10 ttl=64 time=0.384 ms
64 bytes from 192.168.70.66: icmp_seq=11 ttl=64 time=0.504 ms
64 bytes from 192.168.70.66: icmp_seq=12 ttl=64 time=0.378 ms
64 bytes from 192.168.70.66: icmp_seq=13 ttl=64 time=0.558 ms
64 bytes from 192.168.70.66: icmp_seq=14 ttl=64 time=0.401 ms
64 bytes from 192.168.70.66: icmp_seq=15 ttl=64 time=1.13 ms
64 bytes from 192.168.70.66: icmp_seq=16 ttl=64 time=0.355 ms
64 bytes from 192.168.70.66: icmp_seq=17 ttl=64 time=0.340 ms
64 bytes from 192.168.70.66: icmp_seq=18 ttl=64 time=0.359 ms
64 bytes from 192.168.70.66: icmp_seq=19 ttl=64 time=0.290 ms
64 bytes from 192.168.70.66: icmp_seq=20 ttl=64 time=0.410 ms
64 bytes from 192.168.70.66: icmp_seq=21 ttl=64 time=0.426 ms
64 bytes from 192.168.70.66: icmp_seq=22 ttl=64 time=0.605 ms
64 bytes from 192.168.70.66: icmp_seq=23 ttl=64 time=0.420 ms
64 bytes from 192.168.70.66: icmp_seq=24 ttl=64 time=0.412 ms
64 bytes from 192.168.70.66: icmp_seq=25 ttl=64 time=0.428 ms
If I run "dig google.com @192.168.70.66", I get:
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> google.com @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57387
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 33 IN A 142.250.176.206
;; Query time: 12 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:21:55 EDT 2023
;; MSG SIZE rcvd: 55
The result of "netstat -lnptu | grep 53" is:
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.70.66:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp6 0 0 ::1:53 :::* LISTEN -
tcp6 0 0 ::1:953 :::* LISTEN -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 192.168.70.66:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 ::1:53 :::* -
udp6 0 0 :::5353 :::* -
Using Wireshark, here is the response when trying to ping namespace.wisam.rph:
Domain Name System (response)
Transaction ID: 0x56ba
Flags: 0x8183 Standard query response, No such name
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
namespace.wisam.rph: type A, class IN
Authoritative nameservers
<Root>: type SOA, class IN, mname a.root-servers.net
[Request In: 187889]
[Time: 0.016853000 seconds]
When I run "sudo systemctl status named" I get the following:
named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-10-29 23:25:46 UTC; 1s ago
Docs: man:named(8)
Main PID: 51693 (named)
Tasks: 14 (limit: 19082)
Memory: 26.6M
CGroup: /system.slice/named.service
└─51693 /usr/sbin/named -f -u bind
Oct 29 23:25:46 vmubuntuauthserver named[51693]: command channel listening on ::1#953
Oct 29 23:25:46 vmubuntuauthserver named[51693]: managed-keys-zone: loaded serial 6
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 0.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone localhost/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 70.168.192.in-addr.arpa/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone wisam.rph/IN: loaded serial 4
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 127.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 255.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: all zones loaded
Oct 29 23:25:46 vmubuntuauthserver named[51693]: running
What am I missing? For the lines I have commented out, I tried them and got the same result as without them [note that I added the listen and forwarders lines, commented them out, and they are currently uncommented].
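Two things in the outputs above are worth checking with a tool rather than by eye. The local reply carries the aa flag, while the remote reply does not, and its authority section holds the root SOA: that is the shape of an answer produced by recursion, not one served from the loaded wisam.rph zone. A query with the RD bit cleared (dig +norecurse) separates the two cases, because an authoritative server still answers from the zone while a recursor has nothing to offer. The remote "dig google.com" also shows that recursion is open to that client, which is consistent with allow-recursion { any; } on a server listening on a LAN address (the internal acl is defined in the options file but never referenced). The probe below is an added example, not code from the question or from BIND: it builds a raw A query with RD set or cleared, decodes the 12-byte header into the flags that dig and Wireshark print, and classifies the reply. The two sample headers are constructed from the values shown on the page; the server address, the queried name and plain UDP on port 53 are assumptions.

```python
"""Minimal DNS probe: raw A query with RD on/off, header decode, reply classification.
Added example; not part of the original question or of BIND."""
import os
import socket
import struct
import sys

# Constructed sample headers, built from the values shown on the page:
# local dig  -> id 61584 (0xF090), flags "qr aa rd ra", NOERROR, 1 answer, 1 additional
# remote pcap -> id 0x56ba, flags 0x8183 (qr rd ra, NXDOMAIN), 0 answers, 1 authority
LOCAL_REPLY_HEADER = bytes.fromhex("f090 8580 0001 0001 0000 0001")
REMOTE_REPLY_HEADER = bytes.fromhex("56ba 8183 0001 0000 0001 0000")

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234, recursion_desired=True, qtype=1):
    """Build a class-IN query for `name` (qtype 1 = A). RD is the only flag set."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags dig and Wireshark print."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),  # message is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated
        "rd": bool(flags & 0x0100),  # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),  # recursion available to this client
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr):
    """Say where a reply came from, using only AA, RCODE and the section counts."""
    if hdr["aa"]:
        if hdr["rcode"] == "NOERROR":
            return "authoritative answer from a loaded zone"
        return "authoritative %s: zone is loaded but the name is not in it" % hdr["rcode"]
    if hdr["rcode"] == "NXDOMAIN":
        return "non-authoritative NXDOMAIN: produced by recursion, not from a loaded zone"
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] > 0:
        return "non-authoritative answer: served from cache or by recursion"
    return "non-authoritative %s with no answer" % hdr["rcode"]


def probe(server, name, recursion_desired=False, timeout=3.0):
    """Send one UDP query (random id, so a spoofed reply is less likely to match)."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qid=qid, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match the query")
    return hdr


if __name__ == "__main__":
    # usage: python3 dnsprobe.py 192.168.70.66 nameserver.wisam.rph
    server, name = sys.argv[1], sys.argv[2]
    for rd in (False, True):
        hdr = probe(server, name, recursion_desired=rd)
        print("RD=%d -> rcode=%s aa=%s ra=%s answers=%d: %s" % (
            rd, hdr["rcode"], hdr["aa"], hdr["ra"], hdr["ancount"], classify(hdr)))
```

Run it from the server and from the desktop against the same address: an authoritative server answers the RD=0 query with aa set from both hosts; if only the RD=1 query gets a reply, and that reply is non-authoritative, whatever answered at that address is resolving the name recursively rather than serving the zone.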
Answer 1
Create the SOA (Start of Authority) record only for wisam.rph and give it an IP address. Then create the name server record. So, like this:
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     wisam.rph. root.wisam.rph. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        IN      A       192.168.70.66
;
@       IN      NS      nameserver.wisam.rph.
nameserver      IN      A       192.168.70.66
www             IN      A       192.168.70.66
@               IN      AAAA    ::1
Your reverse file should not contain forward-type records. So, like this:
;
; BIND reverse data file for local 192.168.70.XXX net
;
$TTL    604800
@       IN      SOA     nameserver.wisam.rph. root.wisam.rph. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      nameserver.wisam.rph.
66      IN      PTR     nameserver.wisam.rph.
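The answer's point is that the forward and reverse files have to agree: one primary name in both SOA and NS records, an A record for that name, and a PTR per address that points back at a name which has a matching A record. As an added example, not part of the answer or of BIND, the Python script below generates both files from a single host table so they cannot drift apart, bumps one serial for both, and skips PTRs for addresses outside the reverse zone's network. The host table (including the constructed "offsite" host), the YYYYMMDDnn serial scheme, the $ORIGIN lines and the column layout are my assumptions; the generated files still have to pass named-checkzone before you reload.

```python
"""Generate a forward zone and its in-addr.arpa reverse zone from one host table.
Added example; not the answer's own code and not part of BIND."""
import ipaddress
from datetime import date

# Constructed host table using the names and addresses from the question.
ZONE = "wisam.rph"
PRIMARY = "nameserver"                    # hostname of the primary NS, inside ZONE
NETWORK = ipaddress.ip_network("192.168.70.0/24")
OTHER_NETWORK = ipaddress.ip_network("10.200.157.0/24")   # second range from the acl
HOSTS = {                                  # hostname -> IPv4 address
    "nameserver": "192.168.70.66",
    "www": "192.168.70.66",                # same box: gets an A record but no second PTR
    "offsite": "10.200.157.5",             # constructed; outside NETWORK, so no PTR here
}


def serial_for(day, revision):
    """YYYYMMDDnn serial; bump `revision` for each further edit on the same day."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must be 00..99")
    return int("%04d%02d%02d%02d" % (day.year, day.month, day.day, revision))


SERIAL = serial_for(date(2023, 10, 29), 1)   # date taken from the systemctl output


def soa_block(primary_fqdn, rname, serial):
    """SOA with the timers the question used; MNAME is the primary NS's own name."""
    return "\n".join([
        "@  IN  SOA %s %s (" % (primary_fqdn, rname),
        "        %d  ; Serial" % serial,
        "        604800      ; Refresh",
        "        86400       ; Retry",
        "        2419200     ; Expire",
        "        604800 )    ; Negative Cache TTL",
    ])


def forward_zone(zone, hosts, primary, serial, ttl=604800):
    """Forward file: SOA, NS and one A record per host; the NS target must resolve."""
    if primary not in hosts:
        raise ValueError("primary NS %r has no A record in the host table" % primary)
    primary_fqdn = "%s.%s." % (primary, zone)
    lines = ["$TTL %d" % ttl, "$ORIGIN %s." % zone,
             soa_block(primary_fqdn, "root.%s." % zone, serial),
             "@  IN  NS  %s" % primary_fqdn]
    for host, ip in hosts.items():
        ipaddress.IPv4Address(ip)            # reject typos before named-checkzone would
        lines.append("%-12s IN  A   %s" % (host, ip))
    return "\n".join(lines) + "\n"


def reverse_origin(network):
    """in-addr.arpa origin for an octet-aligned IPv4 network (/8, /16 or /24)."""
    if network.prefixlen % 8 != 0 or network.prefixlen == 0:
        raise ValueError("only /8, /16 and /24 reverse zones are handled here")
    octets = str(network.network_address).split(".")[: network.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(network, zone, hosts, primary, serial, ttl=604800):
    """Reverse file: one PTR per address inside `network`, first hostname wins."""
    primary_fqdn = "%s.%s." % (primary, zone)
    lines = ["$TTL %d" % ttl, "$ORIGIN %s." % reverse_origin(network),
             soa_block(primary_fqdn, "root.%s." % zone, serial),
             "@  IN  NS  %s" % primary_fqdn]
    seen = set()
    for host, ip in hosts.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in network or addr in seen:
            continue                          # other zone's address, or a second name
        seen.add(addr)
        host_part = str(addr).split(".")[network.prefixlen // 8:]
        lines.append("%-12s IN  PTR %s.%s." % (".".join(reversed(host_part)), host, zone))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone(ZONE, HOSTS, PRIMARY, SERIAL))
    print(reverse_zone(NETWORK, ZONE, HOSTS, PRIMARY, SERIAL))
```

Write the two outputs to the files named in the zone stanzas and check them with named-checkzone wisam.rph /etc/bind/forward.wisam.rph and named-checkzone 70.168.192.in-addr.arpa /etc/bind/reverse.wisam.rph before running rndc reload; named-checkzone is what catches an NS target with no A record or a serial that did not move.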