我一直在使用 unbound 作为本地递归 DNS 服务器。刚刚添加了 nsd 来设置本地 LAN DNS。nsd 正在监听端口 53530,并且运行正常:
$ dig @127.0.0.1 data2.datanet.home -p 53530
; <<>> DiG 9.9.2-P2 <<>> @127.0.0.1 data2.datanet.home -p 53530
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59577
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;data2.datanet.home. IN A
;; ANSWER SECTION:
data2.datanet.home. 600 IN A 192.168.1.62
;; AUTHORITY SECTION:
datanet.home. 600 IN NS ns1.datanet.home.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53530(127.0.0.1)
;; WHEN: Mon Jun 15 07:16:24 2015
;; MSG SIZE rcvd: 81
当通过本地未绑定时,它不起作用:
$ dig @127.0.0.1 data2.datanet.home
; <<>> DiG 9.9.2-P2 <<>> @127.0.0.1 data2.datanet.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47645
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;data2.datanet.home. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 07:18:02 2015
;; MSG SIZE rcvd: 47
以下是我在未绑定日志中获得的详细内容:4
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: validator operate: query router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: validator: pass to next module
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: mesh_run: validator module exit state is module_wait_module
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iterator[module 1] operate: extstate:module_state_initial event:
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: process_request: new external request event
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: request has dependency depth of 0
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: use stub datanet.home. NS IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: cache delegation returns delegpt
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: DelegationPoint<datanet.home.>: 0 names (0 missing), 1 addrs (0 r
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: ip4 127.0.0.1 port 53530 (len 16)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE (stage 2)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving (init part 2): router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: use stub datanet.home. NS IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE (stage 3)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving (init part 3): router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: processQueryTargets: router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: DelegationPoint<datanet.home.>: 0 names (0 missing), 1 addrs (0 r
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: ip4 127.0.0.1 port 53530 (len 16)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: attempt to get extra 3 targets
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: No more query targets, attempting last resort
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: configured stub servers failed -- returning SERVFAIL
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: store error response in message cache
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: return error response SERVFAIL
具体来说,这是怎么回事?[1947:0]调试:跳过donotquery列表ip4 127.0.0.1端口53530上的地址(长度1)这似乎是关键,但我真的不确定它为什么这么说。
这是我的整个 unbound.conf:
server:
interface: 127.0.0.1
interface: 192.168.1.50
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
access-control: 192.168.1.0/24 allow
verbosity: 2
local-zone: "1.168.192.in-addr.arpa" nodefault
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
stub-zone:
name: "datanet.home"
stub-addr: 127.0.0.1@53530
# stub-first: yes
stub-zone:
name: "1.168.192.in-addr.arpa"
stub-addr: 127.0.0.1@53530
nsd.conf 有很多注释,所以我不确定是否应该粘贴它,但无论如何 nsd 似乎工作正常。除了更改端口、启用控制内容和添加区域外,它与包含的示例 conf 几乎相同。
我对此感到困惑,因此,如果能提供任何想法我将不胜感激!
答案1
日志中的这一行指出了问题:
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
Unbound 默认拒绝向 localhost 发送任何 DNS 查询。要使其能够查询 localhost,请在Unbound 配置的 -section中将其设置do-not-query-localhost为:noserver
server:
interface: 127.0.0.1
interface: 192.168.1.50
[...]
do-not-query-localhost: no
请参阅文档未绑定的配置文件查看该选项的描述。
答案2
我在水平分割 DNS 环境中遇到了同样的问题——Unbound 日志表明“传入的已清理数据包”(从 NSD 获得)包含有问题的 IP 地址/CNAME 条目,但之后“精加工”,后者将不会被通过。
最终,使用 Unbound v1.12.0 和 NSD v4.3.3 添加等效功能domain-insecure: "datanet.home"为我解决了这个问题。
答案3
我收到了类似的错误消息,配置几乎相同,只是我有以下选项:
tls-upstream: yes
该选项导致 unbound 期望转发区域和存根区域的上游查询仅通过 TLS 进行传输。但是,托管存根区域的 NSD 权威服务器仅配置为本地连接,并且没有 TLS。这也可能导致 SERVFAIL 响应。
正确的配置是设置tls-upstream为,如果存根区域未配置为 TLS 传输,no则在部分内将设置forward-tls-upstream为。yesforward-zone