我已经像这样设置绑定:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
forwarders { 10.90.0.135; 10.90.0.174; };
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "appletop.local" IN {
type master;
file "appletop.local";
allow-update { none; };
};
但它不转发?
如果我只是将 DNS 服务器地址放入resolv.conf
另一台机器上,我会得到正确的查找,因此 DNS 服务器必须能够为我解析,但如果我将另一台机器指向这台机器,它就无法解析名称。
怎么了?
根据 MadHatter 的建议进行修改后:
现在它启动了,但挂在 dig +trace 上并且没有转发 - 为什么我看不到下面的转发器地址?
[root@ns1 ~]# ping www.yahoo.com
^C
[root@ns1 ~]# cd /etc/
[root@ns1 etc]# cp named.conf named.conf.last
[root@ns1 etc]# vi named.conf
[root@ns1 etc]# /etc/init.d/named reload
Reloading named-sdb: [ OK ]
[root@ns1 etc]# service named stop
Stopping named: . [ OK ]
[root@ns1 etc]# /etc/init.d/named start
Starting named: [ OK ]
[root@ns1 etc]# nslookup www.yahoo.com
;; connection timed out; trying next origin
Server: 10.138.10.30
Address: 10.138.10.30#53
** server can't find www.yahoo.com: NXDOMAIN
使用 +trace 进行挖掘:
[root@ns1 etc]# dig +trace www.yahoo.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com
;; global options: +cmd
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
我的整个文件现在看起来像这样 - 有什么问题?
options {
listen-on port 53 { any; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic"; };
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
}; };
zone "." IN {
type forward;
forward first;
forwarders { 10.90.0.135;
10.90.0.174;
} ; };
include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
zone "appletop.local" IN {
type master;
file "appletop.local";
allow-update { none; }; };
答案1
您已告诉它要使用哪些转发器,但未告诉它何时使用它们。如果您希望它将它们用于所有事情,而不是
zone "." IN {
type hint;
file "named.ca";
};
尝试
zone "." {
type forward;
forward first;
forwarders { 10.90.0.135;
10.90.0.174;
} ;
} ;
编辑:好的,请尝试上述方法。但我不明白您所说的“首先尝试本地解析”是什么意思;您说的是您希望它转发。
答案2
就我而言,问题已得到解决,只需更改dnssec-validation yes;
为dnssec-validation no;
答案3
万一 OP 在 MadHatter 的回复下方的评论“问题出在 dnssec”没有明确说明,我明确发布了这个答案,因为我也发现它解决了我的问题。
我设置了一个缓存、仅转发的 BIND 服务器,但它没有转发。查询以几秒钟的延迟到达根服务器。禁用 dnssec 选项可以解决这个问题,现在它可以按预期工作了。
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;