我已经在 CentOS 8 上配置了 BIND 服务器,并且昨天更新了我网站的名称服务器。现在我的网站宕机了:无论 ping IP 还是 ping 网站,都没有回复。
以下是我的配置。有人可以告诉我哪里错了吗?
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Global defaults for named. Every zone declared below inherits these
// settings unless it overrides them in its own block.
options {
// Both listen-on lines are commented out, so named binds every address on
// the host (the journal further down shows queries arriving from public
// clients). Re-enabling listen-on with the interface address pins it.
//listen-on port 53 { 172.31.46.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// Default query ACL: only this host and 172.31.46.1. The "vimtrading.com"
// zone overrides it with allow-query { any; }; the in-addr.arpa zone does
// not, which is why the journal logs 'query ... denied' for the PTR lookup
// of 1.158.137.3.in-addr.arpa from an outside client. The '(cache) ... denied'
// entries are queries for names this server is not authoritative for;
// refusing them is the intended outcome for an authoritative-only server.
// The 'VERSION.BIND/TXT/CH ... denied' entries are version-disclosure
// lookups; the ACL already rejects them, and a `version "not disclosed";`
// option would hide the banner from permitted clients as well.
allow-query { localhost; 172.31.46.1; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Authoritative-only, as the vendor comment above recommends.
recursion no;
// dnssec-enable is accepted by the BIND release on this host but is
// deprecated in newer releases (presumably harmless here; confirm with
// named-checkconf after an upgrade).
dnssec-enable yes;
// Validation only applies to lookups this server makes for itself; with
// recursion off that is essentially the managed-keys check of the root
// DNSKEY. The journal's 'network unreachable resolving ./DNSKEY/IN' lines are
// those lookups failing against the root servers' IPv6 addresses (presumably
// no IPv6 route on this host) before 'Key 20326 for zone . ... key now
// trusted' shows the check succeeding anyway.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
// NOTE(review): nothing in this file decides whether the host answers ping or
// HTTP. The dig output at the end of the page shows the name resolving to
// 3.137.158.1, so a host that does not reply on that address points to a
// firewall / security-group / host-side problem rather than to named.
};
// Debug log channel. The file path is relative to the options "directory"
// (/var/named), so it lands in /var/named/data/named.run; "dynamic"
// severity follows whatever debug level the server is currently running at.
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints. With recursion off these are used only for lookups the server
// makes on its own behalf, e.g. the ./DNSKEY fetch visible in the journal.
zone "." IN {
type hint;
file "named.ca";
};
// Vendor-supplied localhost/loopback zones and the root trust anchor used by
// managed-keys. NOTE(review): the dig output at the end of the page shows
// ajsaudi.com delegated to ns1/ns2.vimtrading.com, yet no zone "ajsaudi.com"
// is declared anywhere in this file; unless one of these includes defines it,
// this server is not authoritative for that name.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Authoritative (primary) zone for vimtrading.com; the zone file is shown
// further down the page.
zone "vimtrading.com" {
type master;
file "/var/named/named.vimtrading.com";
// Overrides the global allow-query so the public can resolve this zone.
allow-query { any; };
// Zone transfers limited to a single address; keep it this narrow (an open
// allow-transfer hands the whole zone to anyone who asks). No allow-update is
// set, so the default of none applies.
allow-transfer { 87.101.216.99; };
// NOTE(review): ajsaudi.com's NS records (see the dig NS output below) point
// at ns1/ns2.vimtrading.com, but there is no zone "ajsaudi.com" block here.
// With recursion off, a query for a name this server is not authoritative
// for is refused - the '(cache) ... denied' journal lines are exactly that
// case for outside clients - so that delegation gets no answers from here.
};
// Reverse zone for the single address 3.137.158.1.
zone "1.158.137.3.in-addr.arpa" IN {
type master;
// NOTE(review): this is the same file as the forward zone. It loads (the
// journal reports "all zones loaded") but that file holds A/MX/TXT/CNAME
// records, not PTR records, so reverse lookups get no useful answer. Give
// this zone its own file with a PTR record for 1.158.137.3.in-addr.arpa.
file "/var/named/named.vimtrading.com";
// No allow-query here, so the global { localhost; 172.31.46.1; } applies;
// the journal shows the PTR query from 88.80.186.137 being denied for that
// reason. Whether answering it matters depends on the address holder having
// delegated 1.158.137.3.in-addr.arpa to these name servers - nothing on this
// page shows such a delegation, so this zone may never be consulted at all.
allow-update { none; };
};
/var/named/named.vimtrading.com
; zone file for vimtrading.com
; Loaded by named.conf as /var/named/named.vimtrading.com, both for the
; forward zone and (see the review note there) for the in-addr.arpa zone.
; default TTL for this zone
$TTL 3H
; SOA: ns1 is the primary name server, hostmaster@vimtrading.com the contact.
@ IN SOA ns1.vimtrading.com. hostmaster.vimtrading.com. (
2020111220 ; serial - looks like YYYYMMDDnn; raise it on every edit, otherwise a host pulling transfers (87.101.216.99 is allowed) never sees the change
1D ; refresh
1H ; retry
1W ; expire
3H) ; Negative cache TTL
; Name servers for this domain
; (blank owner field = same owner as the previous record, i.e. the zone apex;
; this relies on the lines starting with whitespace, which the paste does not
; preserve - confirm in the real file)
IN NS ns1.vimtrading.com.
IN NS ns2.vimtrading.com.
; Mail server for this domain. A small number (0) implies higher priority.
; Both MX records share preference 10, so mail and mail2 are tried in no fixed order.
IN MX 10 mail.vimtrading.com.
IN MX 10 mail2.vimtrading.com.
; A records - every name here, including both NS hosts, points at the single
; address 3.137.158.1; ns1 and ns2 on one host give no redundancy.
www IN A 3.137.158.1
@ IN A 3.137.158.1
ns1 IN A 3.137.158.1
ns2 IN A 3.137.158.1
mail IN A 3.137.158.1
mail2 IN A 3.137.158.1
; AAAA records
mail IN AAAA 2001:16a2:cf3b:f00:7c0f:8033:c42:8da5
; CNAME records
; NOTE(review): no trailing dot on the target, so it is relative to the zone
; origin and expands to www.vimtrading.com.vimtrading.com. Use
; "www.vimtrading.com." (or simply "www") so ftp reaches the web host.
ftp IN CNAME www.vimtrading.com
;TXT records (SPF, DKIM, DMARC, etc)
; SPF: only the MX hosts may send for this domain; softfail for anything else.
@ IN TXT "v=spf1 mx ~all"
; NOTE(review): the two quoted strings are concatenated into one TXT value, so
; "v=DKIM1" appears twice and the tag list is malformed for DKIM verifiers.
; Keep a single "v=DKIM1; k=rsa; t=s; p=..." and drop the duplicated tag.
dkim._domainkey IN TXT ("v=DKIM1; k=rsa; "
"v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiiweYt0xL3x2EuGUCpm8p35C10x7i25jHR66V7/PDSCVouLOrb8UlNkx/R5WQnflic9+TOR8+O+tR/xqnIqC/011cK/y+wiwa0n9/c5c1tqc8HJlCSy2Ym4h3KYflVc6AwBwdlrX6Sx4VdjQUsrcR8NWU6DoQOZsAdzZ+QbVYmwIDAQAB")
; NOTE(review): this line ends with a curly quote (”) rather than ("); as
; pasted the string is unterminated. Since the journal reports "all zones
; loaded" it is probably a copy/paste artifact - confirm in the real file.
; The rua= address also looks redacted ("[email protected]") in the paste, and
; with p=none DMARC only reports, so nothing is enforced until rua points at a
; real mailbox.
_dmarc IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:[email protected].”
journalctl -eu named
-- Logs begin at Sat 2021-03-13 09:59:01 UTC, end at Sun 2021-03-14 06:22:21 UTC. --
Mar 13 17:15:26 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 192.241.227.135#53473 (VERSION.BIND): query 'VERSION.BIND/TXT/CH' denied
Mar 13 21:41:43 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 157.245.89.85#59460 (googleadservices.com): query (cache) 'googleadservices.com/A/IN' denied
Mar 13 21:59:38 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 209.17.96.250#63361 (version.bind): query 'version.bind/TXT/CH' denied
Mar 13 22:41:26 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 18.236.135.177#44799 (ec2-18-236-135-177.us-west-2.compute.amazonaws.com): query (cache) 'ec2-18-236-135-177.us-west-2.compute.amazonaws.co>
Mar 14 00:03:13 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 92.118.161.33#64674 (version.bind): query 'version.bind/TXT/CH' denied
Mar 14 00:35:22 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 162.142.125.157#59162 (213.1.168.192.in-addr.arpa): query (cache) '213.1.168.192.in-addr.arpa/PTR/IN' denied
Mar 14 00:39:06 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 162.142.125.53#43631 (invalid.parrotdns.com): query (cache) 'invalid.parrotdns.com/A/IN' denied
Mar 14 02:04:19 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 74.82.47.30#43641 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
Mar 14 02:52:46 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 88.80.186.137#63454 (amazon.com): query (cache) 'amazon.com/A/IN' denied
Mar 14 02:52:47 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 88.80.186.137#63454 (1.158.137.3.in-addr.arpa): query '1.158.137.3.in-addr.arpa/PTR/IN' denied
Mar 14 02:52:47 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 88.80.186.137#63454 (3-137-158-1-604d6011.spiderprobe.com): query (cache) '3-137-158-1-604d6011.spiderprobe.com/A/IN' denied
Mar 14 03:02:08 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 185.94.111.1#56201 (com): query (cache) 'com/ANY/IN' denied
Mar 14 03:28:01 ns1.vimtrading.com systemd[1]: Reloading Berkeley Internet Name Domain (DNS).
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: received control channel command 'reload'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: loading configuration from '/etc/named.conf'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: unable to open '/etc/bind.keys'; using built-in keys instead
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: using default UDP/IPv4 port range: [32768, 60999]
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: using default UDP/IPv6 port range: [32768, 60999]
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: sizing zone task pool based on 8 zones
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: none:104: 'max-cache-size 90%' - setting to 727MB (out of 807MB)
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: none:104: 'max-cache-size 90%' - setting to 727MB (out of 807MB)
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: configuring command channel from '/etc/rndc.key'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: configuring command channel from '/etc/rndc.key'
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: reloading configuration succeeded
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: reloading zones succeeded
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: all zones loaded
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: running
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Mar 14 03:28:01 ns1.vimtrading.com sh[14614]: server reload successful
Mar 14 03:28:01 ns1.vimtrading.com systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Mar 14 03:28:01 ns1.vimtrading.com named[6155]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Mar 14 04:16:22 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 209.17.97.114#53378 (VERSION.BIND): query 'VERSION.BIND/TXT/CH' denied
Mar 14 05:26:06 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 129.250.206.86#58289 (4ac0d748.openresolverproject.org): query (cache) '4ac0d748.openresolverproject.org/A/IN' denied
Mar 14 05:31:35 ns1.vimtrading.com named[6155]: client @0x7fbc400bfd20 192.35.168.75#39305 (c.afekv.com): query (cache) 'c.afekv.com/A/IN' denied
dig ajsaudi.com
rizwan@MacBook-Pro ~ % dig ajsaudi.com
; <<>> DiG 9.10.6 <<>> ajsaudi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14367
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ajsaudi.com. IN A
;; ANSWER SECTION:
ajsaudi.com. 3600 IN A 3.137.158.1
;; Query time: 144 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Mar 14 09:36:48 +03 2021
;; MSG SIZE rcvd: 56
dig NS ajsaudi.com
; <<>> DiG 9.10.6 <<>> NS ajsaudi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30838
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ajsaudi.com. IN NS
;; ANSWER SECTION:
ajsaudi.com. 86400 IN NS ns1.vimtrading.com.
ajsaudi.com. 86400 IN NS ns2.vimtrading.com.
;; Query time: 89 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Mar 14 10:32:19 +03 2021
;; MSG SIZE rcvd: 87