named cannot resolve without resolv.conf

I have the following files:

/etc/named.conf

options {
    listen-on port 53 { 10.11.22.16; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; 10.11.22.0/24; };
    forwarders      { 10.11.22.2; };
    allow-transfer  { 10.11.22.2; };

    recursion yes;
    allow-recursion { 10.11.22.0/24;  localhost; };

    dnssec-enable yes;
    dnssec-validation no;
    dnssec-lookaside auto;
    empty-zones-enable no;

    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "domen.lan" IN {
    type  master;
    file  "domen.lan";
    allow-update  { none; };
};

zone "22.11.10.in-addr.arpa" IN {
    type master;
    file "10.11.22.zone";
    allow-update { none; };
};

/var/named/domen.lan

$TTL 1D
@   IN  SOA     domen.lan.      admin.domen.lan. (
        2015031413  ; serial
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H          ; minimum
)
;@               IN  NS      centos7s.domen.lan.
                    NS      centos7s.domen.lan.
gateway         IN  A       10.11.22.2

domen.lan.      IN  A       10.11.22.16
centos7s        IN  A       10.11.22.16
centos7c        IN  A       10.11.22.17
centos7d        IN  A       10.11.22.18
www.centos7s    IN  CNAME   centos7s.domen.lan.
www             IN  CNAME   centos7s
domen           IN  CNAME   centos7s.domen.lan.
domen1          IN  CNAME   centos7s.domen.lan.
domen2          IN  CNAME   centos7s.domen.lan.
domen2.lan      IN  CNAME   centos7s.domen.lan.
ldap            IN  CNAME   centos7s.domen.lan.
ldaps           IN  CNAME   centos7s.domen.lan.
ldap.centos7s   IN  CNAME   centos7s.domen.lan.

/etc/resolv.conf

search domen.lan
nameserver 10.11.22.16

/etc/sysconfig/network-scripts/ifcfg-eno16777736

TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=no
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=b6e9c673-e7bd-41b5-946b-cb2c37bb56ff
DEVICE=eno16777736
ONBOOT=yes
NM_CONTROLLED=no

IPADDR=10.11.22.16
NETMASK=255.255.255.0
NETWORK=10.11.22.0
GATEWAY=10.11.22.2
DNS1=127.0.0.1
DNS2=10.11.22.16

If I do

dig www.oracle.com

I get no answer:

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> www.oracle.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.oracle.com.                        IN      A

;; Query time: 3994 msec
;; SERVER: 10.11.22.16#53(10.11.22.16)
;; WHEN: Tue Sep 15 08:59:48 CEST 2015
;; MSG SIZE  rcvd: 43

But if I put

nameserver 10.11.22.2

into /etc/resolv.conf

it works. Is there a way to give nameserver 10.11.22.2 to named? I am using CentOS 7.1.

/var/log/messages

Sep 11 10:51:28 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Sep 11 10:51:28 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:503:ba3e::2:30#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:2f::f#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:1::803f:235#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:7fe::53#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53

/var/named/data/named.run

error (network unreachable) resolving 'centos7s/A/IN': 2001:7fd::1#53
error (network unreachable) resolving 'centos7s/AAAA/IN': 2001:7fd::1#53
error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:2f::f#53
error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:7fe::53#53
error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving './NS/IN': 2001:7fe::53#53

ifconfig eno16777736

eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.11.22.16  netmask 255.255.255.0  broadcast 10.11.22.255
        inet6 fe80::250:56ff:fe37:6df3  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:37:6d:f3  txqueuelen 1000  (Ethernet)
        RX packets 43  bytes 5476 (5.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 173  bytes 17448 (17.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

dig @10.11.22.16 www.oracle.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> @10.11.22.16 www.oracle.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11700
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.oracle.com.                        IN      A

;; Query time: 0 msec
;; SERVER: 10.11.22.16#53(10.11.22.16)
;; WHEN: Tue Sep 15 08:57:26 CEST 2015
;; MSG SIZE  rcvd: 43

Whether I have forwarders in named or a nameserver in resolv.conf, isn't the situation very similar? Why does the second work while the first does not?

Answer 1

Make sure your eth0 configuration has dns-nameservers 10.11.22.16 (or whatever you want to use); /etc/resolv.conf is generated from the interface configuration.

Then tell the OS to use bind (10.11.22.16) to resolve DNS.

Confirm that bind is working: nslookup google.com 10.11.22.16

Here is an example from my system.

First, configure the interface properties to point at localhost.

[root@zbx ~]# cat /etc/sysconfig/network-scripts/ifcfg-em1
HWADDR=00:00:00:00:00:00
TYPE=Ethernet
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
NETWORK=10.0.0.0
GATEWAY=10.0.0.1
DNS1=127.0.0.1
DEFROUTE=yes
UUID=16785e5b-185d-4375-9b6e-7ed87f872d85
ONBOOT=yes

This is the basic named configuration:

[root@zbx ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {type hint; file "named.ca"; };
include "/etc/named.root.key";

Notice how my DNS1 entry matches my listen IP.

In case you are curious:

[root@zbx ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
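The point of this answer is that the resolver chain has to be consistent end to end: the DNSn= entries in the ifcfg file and the nameserver in resolv.conf must be addresses that named actually listens on. In the question, DNS1=127.0.0.1 while named listens only on 10.11.22.16. The following shell script is an added example (not from the question or either answer) that checks exactly that; it assumes the CentOS 7 file formats shown on this page, and the sample files it writes are constructed from the question's configuration with only the relevant lines kept.

```shell
#!/bin/sh
# Added example: check that every resolver address a client on this host is
# told to use (DNSn= in the ifcfg file, nameserver in resolv.conf) is an
# address named listens on. Assumes the CentOS 7 file formats on this page and
# listen-on / listen-on-v6 lists made of addresses, "localhost" or "any".

# DNS1=, DNS2=, ... values from an ifcfg-* file.
ifcfg_dns() {
    sed -n 's/^DNS[0-9]*=//p' "$1"
}

# nameserver addresses from a resolv.conf.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Addresses from every listen-on / listen-on-v6 statement in named.conf,
# one per line; "localhost" becomes 127.0.0.1 and "any" becomes ANY.
named_listen() {
    sed -n 's/^[[:space:]]*listen-on[^{]*{\([^}]*\)}.*/\1/p' "$1" \
        | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' \
        | sed 's/^localhost$/127.0.0.1/; s/^any$/ANY/'
}

# Usage: check_resolver_chain IFCFG RESOLV_CONF NAMED_CONF
# Returns 0 when every client-side resolver address is a listen-on address of
# named; prints each offending address and returns 1 otherwise.
check_resolver_chain() {
    listen=$(named_listen "$3")
    echo "$listen" | grep -qxF ANY && return 0   # named listens everywhere
    rc=0
    for addr in $(ifcfg_dns "$1") $(resolv_nameservers "$2"); do
        if ! echo "$listen" | grep -qxF "$addr"; then
            echo "resolver $addr is not a listen-on address of named (listens on: $(echo $listen))"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files in DIR, reduced to the lines that matter.
write_samples() {
    # ifcfg as in the question: DNS1 points at 127.0.0.1
    printf 'BOOTPROTO=none\nIPADDR=10.11.22.16\nDNS1=127.0.0.1\nDNS2=10.11.22.16\n' \
        > "$1/ifcfg-eno16777736"
    printf 'search domen.lan\nnameserver 10.11.22.16\n' > "$1/resolv.conf"
    # named.conf as posted: listens on the LAN address only
    cat > "$1/named-asposted.conf" <<'EOF'
options {
    listen-on port 53 { 10.11.22.16; };
    allow-query     { localhost; 10.11.22.0/24; };
};
EOF
    # named.conf with localhost added to listen-on, as the second answer suggests
    cat > "$1/named-fixed.conf" <<'EOF'
options {
    listen-on port 53 { localhost; 10.11.22.16; };
    listen-on-v6 port 53 { ::1; };
    allow-query     { localhost; 10.11.22.0/24; };
};
EOF
}

# Demo on the constructed samples: the posted config flags 127.0.0.1, the fixed one passes.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_resolver_chain "$demo_dir/ifcfg-eno16777736" "$demo_dir/resolv.conf" "$demo_dir/named-asposted.conf" \
    || echo "as posted: mismatch found (expected)"
check_resolver_chain "$demo_dir/ifcfg-eno16777736" "$demo_dir/resolv.conf" "$demo_dir/named-fixed.conf" \
    && echo "with localhost added: consistent"
```

On the real host the same check is `check_resolver_chain /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/resolv.conf /etc/named.conf`. A non-zero exit names the address that clients will send queries to but that nothing answers on, which is the silent failure mode behind "it only works when resolv.conf points somewhere else".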

Answer 2

First, forgive me if this sounds too simple, but make sure eno16777736 is configured correctly. The fact that you have both BOOTPROTO=dhcp and a static configuration is a bit suspicious. I'm not sure which one CentOS will use. "ifconfig eno16777736" will help you here.

You might want to consider listening on localhost as well (if for no other reason than to help with troubleshooting):

listen-on port 53 { localhost; 10.11.22.16; };

See this excerpt from the dig man page:

Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. If no usable server addresses are found, dig will send the query to the local host.

Did you notice in the log file that you are trying to resolve www.oracle.com yourself, instead of forwarding it to 10.11.22.2 as your named.conf suggests? For this (the forwarders) to work you also need a "forward" ("first" or "only") statement:

forward only;
forwarders { 10.11.22.2; };

But that is probably not what you really want, since you are also trying to serve the "domen.lan" zone. You could try configuring it as a caching nameserver, which means getting rid of the "forwarders" and "forward" statements and letting your server perform recursive queries on purpose (see http://www.zytrax.com/books/dns/ch4/#caching).

You can get rid of the annoying IPv6-related messages in the log by using only the IPv4 protocol. Just add "-4" to whatever options you already have in /etc/sysconfig/named (unless, of course, you think IPv6 should be working):

OPTIONS="-4 <whatever existing options you had here>"

Good luck!
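Two things in this answer are worth being able to check mechanically rather than by eye: that the log shows named walking to the root servers itself (the './NS/IN' lookups) instead of using the forwarder, and that every upstream it fails to reach is an IPv6 address, which is consistent with the ifconfig output above showing only a link-local fe80:: address. The following shell helpers are an added example (not from the question or either answer): they triage a named log in either the /var/log/messages or the named.run format and apply the "-4" change to a /etc/sysconfig/named style file idempotently. The sample log is constructed from the eight lines in the question; the script assumes a quoted OPTIONS="..." line and GNU sed -i.

```shell
#!/bin/sh
# Added example: triage named "network unreachable" errors and apply the
# IPv4-only option. Assumes log lines end in ADDRESS#PORT as shown on this page,
# a quoted OPTIONS="..." line in the sysconfig file, and GNU sed -i.

# Count unreachable upstreams by address family: an upstream containing ':'
# is IPv6, anything else IPv4. Output: "ipv4 N ipv6 M".
unreachable_by_family() {
    awk '/error \(network unreachable\) resolving/ {
            up = $NF; sub(/#[0-9]+$/, "", up)      # strip the #53 port suffix
            if (up ~ /:/) v6++; else v4++
         }
         END { printf "ipv4 %d ipv6 %d\n", v4 + 0, v6 + 0 }' "$1"
}

# Distinct names named was trying to resolve itself. "./NS/IN" in this list
# means it went to the root servers instead of handing the query to a forwarder.
resolving_targets() {
    awk -F"'" '/resolving/ { print $2 }' "$1" | LC_ALL=C sort -u
}

# Returns 0 when every unreachable upstream is IPv6, i.e. the host has no usable
# IPv6 route and forcing named to IPv4 ("-4") will silence these errors.
ipv6_only_failures() {
    set -- $(unreachable_by_family "$1")     # $2 = ipv4 count, $4 = ipv6 count
    [ "$2" -eq 0 ] && [ "$4" -gt 0 ]
}

# Idempotently add "-4" to the OPTIONS= line of a /etc/sysconfig/named style file.
add_ipv4_only_option() {
    if grep -q '^OPTIONS=' "$1"; then
        grep -q '^OPTIONS=.*-4' "$1" || sed -i 's/^OPTIONS="/OPTIONS="-4 /' "$1"
    else
        echo 'OPTIONS="-4"' >> "$1"
    fi
    sed -i 's/OPTIONS="-4 "/OPTIONS="-4"/' "$1"   # tidy the previously-empty case
}

# Sample log constructed from the question's /var/log/messages excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 11 10:51:28 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Sep 11 10:51:28 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:503:ba3e::2:30#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:2f::f#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:500:1::803f:235#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving 'www.oracle.com/A/IN': 2001:7fe::53#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Sep 11 10:51:31 centos7s named[1287]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
EOF
}

# Demo on the constructed sample: all eight failures are IPv6, and named is
# resolving './NS/IN' itself, so no forwarder was used.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/messages"
unreachable_by_family "$demo_dir/messages"
resolving_targets "$demo_dir/messages"
if ipv6_only_failures "$demo_dir/messages"; then
    printf 'OPTIONS=""\n' > "$demo_dir/named"
    add_ipv4_only_option "$demo_dir/named"
    cat "$demo_dir/named"
fi
```

On a real host, run unreachable_by_family and resolving_targets against /var/log/messages before touching anything: if IPv4 upstreams are unreachable too, "-4" will not help and the problem is routing or the forwarder itself. Restart named after editing /etc/sysconfig/named so the new OPTIONS take effect.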
