Bind9 denied on the same server

I have a local BIND9 DNS server running in a Docker container. In another container I run WireGuard, which I use to connect to my home network from outside.

The problem I'm having is that when I pick the server IP as the DNS for WireGuard, BIND9 keeps denying the queries. If I pick my router as the DNS (which then forwards to the BIND9 DNS), everything works as expected.

named.conf.options

# BEGIN MANAGED HOMENETWORK BLOCK
acl homenetwork {
  192.168.1.0/24; # home network
  172.17.0.1; # docker host
  192.168.4.0/24; # Wireguard network
  localhost;
  localnets;
};
# END MANAGED HOMENETWORK BLOCK
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //  0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

# BEGIN MANAGED CACHING BLOCK
recursion yes;
allow-query { homenetwork; };
auth-nxdomain no; # conform to rfc1035
# END MANAGED CACHING BLOCK
    listen-on-v6 { any; };
};

The IPs in question are 172.17.0.5 for BIND (Docker), 172.17.0.7 for WireGuard (Docker) and 192.168.4.2 (WireGuard client).

Error

03-Oct-2023 20:44:52.999 client @0x7ff680007460 172.17.0.1#60081 (gitlab.lan): query 'gitlab.lan/A/IN' denied

I tried setting the acl to `any;`, but it produced the same error, so it must be something else. Any hints?

Answer 1

It turns out my `zone` also had a setting like this:

zone "lan" {
  type master;
  file "/var/lib/bind/lan.hosts";
  allow-query {
    192.168.1.0/24;
  };
};

I needed to update that allow-query as well to make it work. My final config now looks like this:

named.conf.local

zone "lan" {
  type master;
  file "/var/lib/bind/lan.hosts";
  allow-query {
    192.168.1.0/24;
    172.17.0.1; 
  };
};

named.conf.options

acl homenetwork {
  # home network
  192.168.1.0/24; 
  # docker host
  172.17.0.1; 
  localhost;
  localnets;
};
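The denial above is easy to misread because the global `allow-query` does admit the client; it is the zone-level `allow-query`, which replaces the global one for that zone, that rejects 172.17.0.1. As an added example (not code from the question or answer), the script below parses a constructed `named.conf` modelled on the one above, reads a constructed `query ... denied` log line, and reports which ACL actually applied. It is a simplification: it assumes `acl`, `options` and `zone` are top-level statements (no `view` nesting) and treats `localhost`/`localnets` as non-matching because they depend on the server's own interfaces.

```python
import ipaddress
import re
# Constructed sample config and log line modelled on the question (not the poster's files).
NAMED_CONF = """
acl homenetwork { 192.168.1.0/24; 172.17.0.1; 192.168.4.0/24; localhost; };
options { recursion yes; allow-query { homenetwork; }; };            // global ACL
zone "lan" { type master; file "/var/lib/bind/lan.hosts"; allow-query { 192.168.1.0/24; }; };
"""
LOG_LINE = "03-Oct-2023 20:44:52.999 client @0x7ff680007460 172.17.0.1#60081 (gitlab.lan): query 'gitlab.lan/A/IN' denied"
LOG_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \([^)]*\): query '([^/]+)/")
STMT_RE = re.compile(r'\b(acl|options|zone)\s*("?)([^\s"{]*)\2\s*\{')
def parse_named_conf(text):
    # Returns (acls, global allow-query, {zone: allow-query}); assumes top-level acl/options/zone (no views).
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))
    acls, global_aq, zones = {}, ["localnets", "localhost"], {}  # BIND's default allow-query
    stmts = list(STMT_RE.finditer(text))
    for m, nxt in zip(stmts, stmts[1:] + [None]):
        body = text[m.end():nxt.start() if nxt else len(text)]
        kind, name = m.group(1), m.group(3)
        pat = r"\A([^}]*)\}" if kind == "acl" else r"\ballow-query\s*\{([^}]*)\}"
        hit = re.search(pat, body)
        if not hit: continue
        elems = [e.strip() for e in hit.group(1).split(";") if e.strip()]
        if kind == "acl": acls[name] = elems
        elif kind == "options": global_aq = elems
        else: zones[name] = elems
    return acls, global_aq, zones

def acl_allows(addr, elems, acls):
    # First-match evaluation; localhost/localnets depend on the server's interfaces, so no match here.
    ip = ipaddress.ip_address(addr)
    for e in elems:
        neg, e = e.startswith("!"), e.lstrip("! ")
        if e == "any": hit = True
        elif e in ("none", "localhost", "localnets"): hit = False
        elif e in acls: hit = acl_allows(addr, acls[e], acls)
        else: hit = ip in ipaddress.ip_network(e, strict=False)
        if hit: return not neg
    return False

def explain_denial(line, conf=NAMED_CONF):
    # Maps a 'query ... denied' log line to the ACL that actually applied to it.
    acls, global_aq, zones = parse_named_conf(conf)
    client, qname = LOG_RE.search(line).groups()  # raises if the line is not a denial
    zone = max((z for z in zones if ("." + qname).endswith("." + z)), key=len, default=None)
    zone_aq = zones.get(zone)  # a zone-level allow-query replaces the global one entirely
    return {"client": client, "zone": zone,
            "global_ok": acl_allows(client, global_aq, acls),
            "zone_ok": zone_aq is None or acl_allows(client, zone_aq, acls),
            "allowed": acl_allows(client, global_aq if zone_aq is None else zone_aq, acls)}
```

For the log line in the question the result is `global_ok` true but `zone_ok` false, which points straight at the zone's own `allow-query`; re-running it after adding 172.17.0.1 to that block reports the query as allowed.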
