I am trying to set up BIND 9 in a Kubuntu 22.04 KVM virtual machine.
The file /etc/bind/named.conf.options contains:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // enable query log
    querylog yes;

    // forwarders {
    //     0.0.0.0;
    // };
    forwarders {
        1.0.0.1;
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};
Both forwarders are reachable:
sysop@hserv:/etc/bind$ ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=15.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=14.8 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 14.758/15.171/15.584/0.413 ms
sysop@hserv:/etc/bind$ ping -c 2 1.0.0.1
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=54 time=7.94 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=54 time=7.40 ms
--- 1.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.399/7.669/7.940/0.270 ms
sysop@hserv:/etc/bind$
But trying to dig debian.org gives no result:
sysop@hserv:/etc/bind$ dig debian.org @192.168.101.20
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> debian.org @192.168.101.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18925
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f0fe1998e62cee720100000062e6675a2e4cc781dda787dd (good)
;; QUESTION SECTION:
;debian.org. IN A
;; Query time: 55 msec
;; SERVER: 192.168.101.20#53(192.168.101.20) (UDP)
;; WHEN: Sun Jul 31 13:28:26 CEST 2022
;; MSG SIZE rcvd: 67
sysop@hserv:/etc/bind$
What am I doing wrong?
Setup:
The file /etc/netplan/01-network-manager-all.yaml contains:
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp1s0:
      addresses:
        - 192.168.100.20/24
      nameservers:
        addresses: [1.0.0.1, 192.168.101.20, ]
      dhcp4: false
      dhcp6: false
      routes:
        - to: default
          via: 192.168.100.1
    enp2s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.101.20/24
The VM has two network interfaces and addresses:
192.168.100.20 (NATed, can reach the internet)
192.168.101.20 (internal network for communicating with the other VMs)
By the way, when I set up bind9 on Kubuntu 20.04 I did not run into any problems.
The log only says there is a query failure:
sysop@hserv:/etc/bind$ sudo journalctl -eu named
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.91.13#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 198.97.190.53#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.36.148.17#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 202.12.27.33#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.9.14.201#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.5.5.241#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.203.230.10#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 199.7.83.42#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.112.36.4#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 1.0.0.1#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.58.128.30#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving 'org/DS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 198.41.0.4#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving 'org/DS/IN': 199.7.91.13#53
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 193.0.14.129#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2::c#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
...
lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:503:c27::2:30#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:503:ba3e::2:30#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving 'org/DS/IN': 2001:7fd::1#53
lug 31 13:28:26 hserv named[1968]: broken trust chain resolving 'debian.org/A/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: client @0x7f609001fb28 192.168.101.20#53751 (debian.org): query failed (broken trust chain) for debian.org/IN/A at query.c:7662
Update
I created two VMs with a single NIC each (network masqueraded to reach the internet). Result:
- VM with Kubuntu 20.04.4: works fine
- VM with Kubuntu 22.04: query failure
20.04 log
sysop@testdns:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
sysop@testdns:~$ dig debian.org @102.168.102.10
; <<>> DiG 9.16.1-Ubuntu <<>> debian.org @102.168.102.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45565
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;debian.org. IN A
;; ANSWER SECTION:
debian.org. 1 IN A 149.20.4.15
debian.org. 1 IN A 128.31.0.62
debian.org. 1 IN A 130.89.148.77
;; Query time: 0 msec
;; SERVER: 102.168.102.10#53(102.168.102.10)
;; WHEN: dom lug 31 20:13:45 CEST 2022
;; MSG SIZE rcvd: 87
sysop@testdns:~$
22.04 log
sysop@hserv:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
sysop@hserv:~$ dig debian.org @192.168.102.20
; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> debian.org @192.168.102.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 289b06f4870f9b7e0100000062e6c63d34a4201a277a3486 (good)
;; QUESTION SECTION:
;debian.org. IN A
;; Query time: 1204 msec
;; SERVER: 192.168.102.20#53(192.168.102.20) (UDP)
;; WHEN: Sun Jul 31 20:13:17 CEST 2022
;; MSG SIZE rcvd: 67
sysop@hserv:~$
Answer 1
Check the time on the failing server. I had bind9 running on my laptop and DNS resolution failed until I set the time via netdate with an NTP server's IP.
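Two checks that tie the question's journal output to the answer's point about the clock, as an added example (not code from the question or the answer). The first classifies named log lines so that the DNSSEC validation messages ("no valid RRSIG", "broken trust chain") are separated from the IPv6 "network unreachable" noise and from upstream SERVFAILs; the second parses an RRSIG record and tests its inception/expiration window against a given clock, which is exactly the check a validator with a wrong system time fails. The journal excerpt and the RRSIG record below are constructed for the example; the signature field is a placeholder and is not cryptographically verified.

```python
"""Triage a BIND resolver's SERVFAIL: classify named journal lines, then
check an RRSIG validity window against the validator's clock.
Added example; every input below is constructed."""
import re
from datetime import datetime, timezone

# Constructed journal excerpt, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
lug 31 13:28:26 hserv named[1968]: SERVFAIL unexpected RCODE resolving './NS/IN': 192.33.4.12#53
lug 31 13:28:26 hserv named[1968]: validating org/DS: no valid signature found
lug 31 13:28:26 hserv named[1968]: no valid RRSIG resolving 'org/DS/IN': 8.8.8.8#53
lug 31 13:28:26 hserv named[1968]: network unreachable resolving './NS/IN': 2001:500:2::c#53
lug 31 13:28:26 hserv named[1968]: broken trust chain resolving 'debian.org/A/IN': 8.8.8.8#53
"""

# Order matters: the first class whose pattern matches wins.
LOG_CLASSES = [
    # the answer data arrived but its DNSSEC signatures did not verify
    ("dnssec_validation", re.compile(r"no valid RRSIG|no valid signature found|broken trust chain")),
    # an IPv6 literal after "resolving '...':" on a host without a v6 route is noise, not the cause
    ("ipv6_unreachable", re.compile(r"network unreachable resolving '[^']*': [0-9A-Fa-f:]+#\d+$")),
    # a forwarder or root server itself answered SERVFAIL
    ("upstream_servfail", re.compile(r"SERVFAIL unexpected RCODE")),
]


def triage(log_text):
    """Count journal lines per failure class; unmatched lines go to 'other'."""
    counts = {name: 0 for name, _ in LOG_CLASSES}
    counts["other"] = 0
    for line in log_text.splitlines():
        for name, pattern in LOG_CLASSES:
            if pattern.search(line):
                counts[name] += 1
                break
        else:
            counts["other"] += 1
    return counts


def diagnose(counts):
    """Return (most likely cause, next defender-side check) from the class counts."""
    if counts["dnssec_validation"]:
        return ("dnssec_validation",
                "signatures do not verify: check the system clock (timedatectl), then compare "
                "'dig +cd' with a plain 'dig'; success only with +cd confirms a validation failure")
    if counts["upstream_servfail"]:
        return ("upstream_servfail", "forwarders or roots answer SERVFAIL: query each one directly with dig @<address>")
    if counts["ipv6_unreachable"]:
        return ("ipv6_unreachable", "only IPv6 reachability errors: harmless on a host with no IPv6 route")
    return ("unknown", "no known pattern matched")


# Constructed RRSIG in presentation format (RFC 4034 section 3.2); the trailing
# signature field is a placeholder and is never inspected here.
SAMPLE_RRSIG = "org. 86400 IN RRSIG DS 8 1 86400 20220813050000 20220731040000 12345 . SIGNATURE-PLACEHOLDER"
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # expiration and inception are UTC, YYYYMMDDHHmmSS


def utc(*args):
    """Build an aware UTC datetime for the constructed clock values."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_rrsig(text):
    """Split one RRSIG presentation line into named fields."""
    f = text.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % text)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": datetime.strptime(f[8], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(f[9], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc),
        "key_tag": int(f[10]), "signer": f[11], "signature": " ".join(f[12:]),
    }


def rrsig_window_status(sig, now):
    """'valid' when now lies inside [inception, expiration], otherwise the reason.
    A validator whose clock is wrong sees 'not_yet_valid' or 'expired' for
    perfectly good data, which named reports as 'no valid RRSIG' and SERVFAIL."""
    if now < sig["inception"]:
        return "not_yet_valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    print(counts)
    print(diagnose(counts))
    sig = parse_rrsig(SAMPLE_RRSIG)
    # 13:28:26 CEST on 31 Jul 2022 is 11:28:26 UTC, inside the constructed window.
    for label, clock in [("correct clock", utc(2022, 7, 31, 11, 28, 26)),
                         ("clock behind", utc(2021, 1, 1)),
                         ("clock ahead", utc(2023, 1, 1))]:
        print(label, rrsig_window_status(sig, clock))
```

Run it against a real journal with `sudo journalctl -u named --no-pager | python3 triage.py` after replacing SAMPLE_LOG with stdin; the RRSIG check can be fed the `RRSIG` line from `dig +dnssec org DS` once validation is disabled with `+cd`, which is what shows whether the resolver's clock, rather than the data, is outside the window.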