Kubuntu 22.04 bind9 forwarders not working


I am trying to set up bind 9 in a Kubuntu 22.04 kvm virtual machine.

The file /etc/bind/named.conf.options contains

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // enable query log
        querylog yes;

        // forwarders {
        //      0.0.0.0;
        // };

        forwarders {
                1.0.0.1;
                8.8.8.8;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};

Both forwarders are reachable

sysop@hserv:/etc/bind$ ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=15.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=14.8 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 14.758/15.171/15.584/0.413 ms
sysop@hserv:/etc/bind$ ping -c 2 1.0.0.1
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=54 time=7.94 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=54 time=7.40 ms

--- 1.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.399/7.669/7.940/0.270 ms
sysop@hserv:/etc/bind$ 

but trying to dig debian.org gives no result

sysop@hserv:/etc/bind$ dig debian.org @192.168.101.20

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> debian.org @192.168.101.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18925
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f0fe1998e62cee720100000062e6675a2e4cc781dda787dd (good)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 55 msec
;; SERVER: 192.168.101.20#53(192.168.101.20) (UDP)
;; WHEN: Sun Jul 31 13:28:26 CEST 2022
;; MSG SIZE  rcvd: 67

sysop@hserv:/etc/bind$ 

What am I doing wrong?

Setup:

The file /etc/netplan/01-network-manager-all.yaml contains

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

  ethernets:
    enp1s0:
      addresses:
        - 192.168.100.20/24
      nameservers:
        addresses: [1.0.0.1, 192.168.101.20, ]
      dhcp4: false
      dhcp6: false
      routes:
      - to: default
        via: 192.168.100.1
        
    enp2s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.101.20/24

The VM has two network interfaces and addresses

192.168.100.20 (NATed, with access to the internet)

192.168.101.20 (internal network for talking to the other VMs)

By the way, when I set up bind9 on Kubuntu 20.04 I had no problems at all.

The log only says there is a query error

sysop@hserv:/etc/bind$ sudo journalctl -eu named
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.91.13#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 198.97.190.53#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.36.148.17#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 202.12.27.33#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.9.14.201#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.5.5.241#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.203.230.10#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.83.42#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.112.36.4#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 1.0.0.1#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.58.128.30#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving 'org/DS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 198.41.0.4#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving 'org/DS/IN': 199.7.91.13#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 193.0.14.129#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2::c#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2d::d#53

...

lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:503:c27::2:30#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:503:ba3e::2:30#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:7fd::1#53
lug 31 13:28:26 hserv named[1968]: broken trust chain resolving 'debian.org/A/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: client @0x7f609001fb28 192.168.101.20#53751 (debian.org): query failed (broken trust chain) for debian.org/IN/A at query.c:7662

Update

I created two VMs with a single NIC each (network masqueraded to reach the internet). Results:

  • VM with Kubuntu 20.04.4 - works fine
  • VM with Kubuntu 22.04 - query error

20.04 log

sysop@testdns:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal
sysop@testdns:~$ dig debian.org @102.168.102.10

; <<>> DiG 9.16.1-Ubuntu <<>> debian.org @102.168.102.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45565
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             1       IN      A       149.20.4.15
debian.org.             1       IN      A       128.31.0.62
debian.org.             1       IN      A       130.89.148.77

;; Query time: 0 msec
;; SERVER: 102.168.102.10#53(102.168.102.10)
;; WHEN: dom lug 31 20:13:45 CEST 2022
;; MSG SIZE  rcvd: 87

sysop@testdns:~$

22.04 log

sysop@hserv:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy
sysop@hserv:~$ dig debian.org @192.168.102.20

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> debian.org @192.168.102.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 289b06f4870f9b7e0100000062e6c63d34a4201a277a3486 (good)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 1204 msec
;; SERVER: 192.168.102.20#53(192.168.102.20) (UDP)
;; WHEN: Sun Jul 31 20:13:17 CEST 2022
;; MSG SIZE  rcvd: 67

sysop@hserv:~$

Answer 1

Check the time on the failing server. I had bind9 running on my laptop and DNS resolution failed until I set the time with netdate using the IP of an NTP server.
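The journal lines in the question and the answer's clock-skew explanation, as an added example that is not part of the question or the answer: a small Python script that classifies the resolver messages named writes to the journal (DNSSEC validation failures such as "no valid RRSIG" and "broken trust chain" versus plain reachability problems such as "network unreachable" and "SERVFAIL unexpected RCODE"), and a check of whether a given system clock falls inside an RRSIG validity window. The sample log is a subset of the lines copied from the question; the RRSIG inception and expiration values used in the window check are constructed, not taken from any real signature. Every function and name here is the example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Subset of the journalctl lines shown in the question (not constructed).
SAMPLE_LOG = """\
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2::c#53
lug 31 13:28:26 hserv named[1968]: broken trust chain resolving 'debian.org/A/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: client @0x7f609001fb28 192.168.101.20#53751 (debian.org): query failed (broken trust chain) for debian.org/IN/A at query.c:7662
"""

# Message part after the "named[pid]: " prefix of a journal line.
LINE_RE = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
# "<reason> resolving '<name>': <server>#<port>"
RESOLVING_RE = re.compile(r"^(?P<reason>.+?) resolving '(?P<name>[^']+)': (?P<server>\S+)#\d+$")
# "validating <name>: <reason>"
VALIDATING_RE = re.compile(r"^validating (?P<name>\S+): (?P<reason>.+)$")
# "client @<ptr> <client>#<port> (<qname>): query failed (<reason>) ..."
CLIENT_RE = re.compile(r"^client @\S+ (?P<client>\S+)#\d+ \((?P<qname>[^)]+)\): query failed \((?P<reason>[^)]+)\)")

# Words that identify a DNSSEC validation problem rather than a transport problem.
DNSSEC_MARKERS = ("rrsig", "trust chain", "signature", "dnskey")


def classify(reason: str) -> str:
    """Map a named failure reason to a coarse category."""
    r = reason.lower()
    if any(m in r for m in DNSSEC_MARKERS):
        return "dnssec"
    if "unreachable" in r:
        return "network"
    if "unexpected rcode" in r:
        return "upstream_rcode"
    return "other"


def parse_line(line: str):
    """Return a dict describing one journal line, or None if it is not a resolver message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    c = CLIENT_RE.match(msg)
    if c:
        return {"kind": "client", "client": c.group("client"), "qname": c.group("qname"),
                "reason": c.group("reason"), "category": classify(c.group("reason"))}
    r = RESOLVING_RE.match(msg)
    if r:
        return {"kind": "resolver", "name": r.group("name"), "server": r.group("server"),
                "reason": r.group("reason"), "category": classify(r.group("reason"))}
    v = VALIDATING_RE.match(msg)
    if v:
        return {"kind": "resolver", "name": v.group("name"), "server": None,
                "reason": v.group("reason"), "category": classify(v.group("reason"))}
    return None


def summarize(text: str) -> dict:
    """Count resolver failures per category, note which upstreams were involved, and list client-visible failures."""
    by_category = Counter()
    servers = defaultdict(set)
    client_failures = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "client":
            client_failures.append((rec["client"], rec["qname"], rec["reason"]))
            continue
        by_category[rec["category"]] += 1
        if rec["server"]:
            servers[rec["category"]].add(rec["server"])
    return {"by_category": dict(by_category),
            "servers_by_category": {k: sorted(v) for k, v in servers.items()},
            "client_failures": client_failures}


def diagnose(summary: dict) -> str:
    """'dnssec' when signatures fail to validate (a wrong system clock is one cause, as the answer notes),
    'reachability' when only transport or upstream-RCODE errors appear, else 'unknown'."""
    cats = summary["by_category"]
    if cats.get("dnssec"):
        return "dnssec"
    if cats.get("network") or cats.get("upstream_rcode"):
        return "reachability"
    return "unknown"


def rrsig_window_ok(inception: str, expiration: str, now: datetime) -> bool:
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.1.5).
    A validator whose clock lies outside this window rejects every signature."""
    fmt = "%Y%m%d%H%M%S"
    inc = datetime.strptime(inception, fmt).replace(tzinfo=timezone.utc)
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    return inc <= now.astimezone(timezone.utc) <= exp


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, diagnose(s))
    # Constructed window; the real values come from the RRSIG records dig +dnssec shows.
    print(rrsig_window_ok("20220720000000", "20220810000000", datetime.now(timezone.utc)))
```

If `diagnose` reports `dnssec`, compare the server's clock with the inception and expiration fields of the RRSIG records returned by `dig +dnssec`, and check that a query with `dig +cd` (checking disabled) against the same server succeeds while the plain query returns SERVFAIL; that combination points at validation rather than reachability as the cause.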
