BIND DNS 问题,以及配置意见请求

BIND DNS 问题,以及配置意见请求

我对配置 BIND 还很陌生,而且我在使用的配置中遇到了一些问题。我已经在 Google 上搜索了一周了,要么是找不到正确的搜索词,要么是得到了相互矛盾的信息。我想知道是否有 DNS 专家可以浏览我的配置(粘贴在下面),看看是否有A)对我列出的两个问题有一个明显的解决方案,并且B)您还看到其他配置不正确的地方吗?我在 CentOS 6.4 x64 上使用 BIND 9.8.2。很明显,我在下面的文本中用 example.com 替换了我们的真实域名。

问题

  1. 我希望内部客户端能够解析example.comwww.example.com(我们外部服务的网站)。但是,当这是我的内部客户端的根域时,我不清楚如何做到这一点。这可能吗?目前,我刚刚告诉员工,他们必须使用www.example.com才能从我们的网络内部访问我们的外部网站。

区域文件example.com如下所示:

$ORIGIN .
$TTL 600        ; 10 minutes
example.com     IN SOA  ns1.example.com. root.example.com. (
                                5          ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      ns1.example.com.
                        A       10.2.2.44
$TTL 3600       ; 1 hour
                        MX      1 ASPMX.L.GOOGLE.COM.
                        MX      5 ALT1.ASPMX.L.GOOGLE.COM.
                        MX      5 ALT2.ASPMX.L.GOOGLE.COM.
                        MX      10 ASPMX2.GOOGLEMAIL.COM.
                        MX      10 ASPMX3.GOOGLEMAIL.COM.
$ORIGIN example.com.
$TTL 600        ; 10 minutes
myserver                A       10.2.2.5
test                    A       10.2.2.45
www                     A       123.12.34.32 // externally hosted www server

答案1

我希望内部客户端能够将 example.com 解析为 www.example.com(我们外部服务的网站)。

通常的做法是为 创建一个A记录example.com,并创建www.example.com一个CNAME指向该A记录的记录。
也可以让这两个A记录都指向同一个 IP 地址。

如果您有区域的内部和外部版本,example.com则必须在内部区域文件中复制外部地址(或将这些记录指向其内部/私有 IP 地址)。


请注意不得 CNAME基础域 ( example.com),每个RFC 1912

2.4 CNAME records

   A CNAME record is not allowed to coexist with any other data.  In
   other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
   can't also have an MX record for suzy.podunk.edu, or an A record, or
   even a TXT record.  Especially do not try to combine CNAMEs and NS
   records like this!:


           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
                           IN      CNAME   mary
           mary            IN      A       1.2.3.4


   This is often attempted by inexperienced administrators as an obvious
   way to allow your domain name to also be a host.  However, DNS
   servers like BIND will see the CNAME and refuse to add any other
   resources for that name.  Since no other records are allowed to
   coexist with a CNAME, the NS entries are ignored.  Therefore all the
   hosts in the podunk.xx domain are ignored as well!

   If you want to have your domain also be a host, do the following:

           podunk.xx.      IN      NS      ns1
                           IN      NS      ns2
                           IN      A       1.2.3.4
           mary            IN      A       1.2.3.4

   Don't go overboard with CNAMEs.  Use them when renaming hosts, but
   plan to get rid of them (and inform your users).  However CNAMEs are
   useful (and encouraged) for generalized names for servers -- `ftp'
   for your ftp server, `www' for your Web server, `gopher' for your
   Gopher server, `news' for your Usenet news server, etc.

   Don't forget to delete the CNAMEs associated with a host if you
   delete the host it is an alias for.  Such "stale CNAMEs" are a waste
   of resources.

答案2

对于问题 1,添加规范名称。

# cat /var/named/db.example.com

$ORIGIN .
$TTL 600        ; 10 minutes
example.com     IN SOA  ns1.example.com. root.example.com. (
                                6          ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      ns1.example.com.
                        A       10.2.2.44
$TTL 3600       ; 1 hour
                        MX      1 ASPMX.L.GOOGLE.COM.
                        MX      5 ALT1.ASPMX.L.GOOGLE.COM.
                        MX      5 ALT2.ASPMX.L.GOOGLE.COM.
                        MX      10 ASPMX2.GOOGLEMAIL.COM.
                        MX      10 ASPMX3.GOOGLEMAIL.COM.
$ORIGIN example.com.
$TTL 600        ; 10 minutes
myserver                A       10.2.2.5
test                    A       10.2.2.45
example.com.            A       123.12.34.32 // externally hosted www server
www                     CNAME   example.com.

问题 2:不能 100% 确定。在您的 /etc/named.conf 文件中,“IN”指令似乎很奇怪。不确定这是否合法,您可以尝试将其删除。

我之前没有看到过,在 /var/named/db.2.2.10.in-addr.arpa 中,倒数第二行是您的 NS 行。我认为该文件应该更像这样:

;
; BIND data file for example.com
;
$TTL 10m
@  IN  SOA ns1.example.com. root.example.com. (
            2           ; Serial
            604800      ; Refresh
            86400       ; Retry
            2419200     ; Expire
            604800 )    ; Negative Cache TTL

                        IN      NS      ns1.example.com.
;
;
;
5                       IN      PTR     myserver.example.com.

相关内容