我对配置 BIND 还很陌生,而且我在使用的配置中遇到了一些问题。我已经在 Google 上搜索了一周了,要么是找不到正确的搜索词,要么是得到了相互矛盾的信息。我想知道是否有 DNS 专家可以浏览我的配置(粘贴在下面),看看是否有A)对我列出的两个问题有一个明显的解决方案,并且B)您还看到其他配置不正确的地方吗?我在 CentOS 6.4 x64 上使用 BIND 9.8.2。很明显,我在下面的文本中用 example.com 替换了我们的真实域名。
问题
- 我希望内部客户端能够解析
example.com到www.example.com(我们外部服务的网站)。但是,当这是我的内部客户端的根域时,我不清楚如何做到这一点。这可能吗?目前,我刚刚告诉员工,他们必须使用www.example.com才能从我们的网络内部访问我们的外部网站。
区域文件example.com如下所示:
$ORIGIN .
$TTL 600 ; 10 minutes
example.com IN SOA ns1.example.com. root.example.com. (
5 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns1.example.com.
A 10.2.2.44
$TTL 3600 ; 1 hour
MX 1 ASPMX.L.GOOGLE.COM.
MX 5 ALT1.ASPMX.L.GOOGLE.COM.
MX 5 ALT2.ASPMX.L.GOOGLE.COM.
MX 10 ASPMX2.GOOGLEMAIL.COM.
MX 10 ASPMX3.GOOGLEMAIL.COM.
$ORIGIN example.com.
$TTL 600 ; 10 minutes
myserver A 10.2.2.5
test A 10.2.2.45
www A 123.12.34.32 // externally hosted www server
答案1
我希望内部客户端能够将 example.com 解析为 www.example.com(我们外部服务的网站)。
通常的做法是为 创建一个A记录example.com,并创建www.example.com一个CNAME指向该A记录的记录。
也可以让这两个A记录都指向同一个 IP 地址。
如果您有区域的内部和外部版本,example.com则必须在内部区域文件中复制外部地址(或将这些记录指向其内部/私有 IP 地址)。
请注意不得 CNAME基础域 ( example.com),每个RFC 1912:
2.4 CNAME records
A CNAME record is not allowed to coexist with any other data. In
other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
can't also have an MX record for suzy.podunk.edu, or an A record, or
even a TXT record. Especially do not try to combine CNAMEs and NS
records like this!:
podunk.xx. IN NS ns1
IN NS ns2
IN CNAME mary
mary IN A 1.2.3.4
This is often attempted by inexperienced administrators as an obvious
way to allow your domain name to also be a host. However, DNS
servers like BIND will see the CNAME and refuse to add any other
resources for that name. Since no other records are allowed to
coexist with a CNAME, the NS entries are ignored. Therefore all the
hosts in the podunk.xx domain are ignored as well!
If you want to have your domain also be a host, do the following:
podunk.xx. IN NS ns1
IN NS ns2
IN A 1.2.3.4
mary IN A 1.2.3.4
Don't go overboard with CNAMEs. Use them when renaming hosts, but
plan to get rid of them (and inform your users). However CNAMEs are
useful (and encouraged) for generalized names for servers -- `ftp'
for your ftp server, `www' for your Web server, `gopher' for your
Gopher server, `news' for your Usenet news server, etc.
Don't forget to delete the CNAMEs associated with a host if you
delete the host it is an alias for. Such "stale CNAMEs" are a waste
of resources.
答案2
对于问题 1,添加规范名称。
# cat /var/named/db.example.com
$ORIGIN .
$TTL 600 ; 10 minutes
example.com IN SOA ns1.example.com. root.example.com. (
6 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns1.example.com.
A 10.2.2.44
$TTL 3600 ; 1 hour
MX 1 ASPMX.L.GOOGLE.COM.
MX 5 ALT1.ASPMX.L.GOOGLE.COM.
MX 5 ALT2.ASPMX.L.GOOGLE.COM.
MX 10 ASPMX2.GOOGLEMAIL.COM.
MX 10 ASPMX3.GOOGLEMAIL.COM.
$ORIGIN example.com.
$TTL 600 ; 10 minutes
myserver A 10.2.2.5
test A 10.2.2.45
example.com. A 123.12.34.32 // externally hosted www server
www CNAME example.com.
问题 2:不能 100% 确定。在您的 /etc/named.conf 文件中,“IN”指令似乎很奇怪。不确定这是否合法,您可以尝试将其删除。
我之前没有看到过,在 /var/named/db.2.2.10.in-addr.arpa 中,倒数第二行是您的 NS 行。我认为该文件应该更像这样:
;
; BIND data file for example.com
;
$TTL 10m
@ IN SOA ns1.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN NS ns1.example.com.
;
;
;
5 IN PTR myserver.example.com.