New to Linux and looking for some friendly help.
My company is reconfiguring our network DNS infrastructure so that our internal DNS servers point at two new CentOS 7 / BIND 9 machines in the DMZ instead of going out directly to resolve unknown hosts. I have installed CentOS core, configured the IP, mask and GW for the network the servers sit on, and verified that IP connectivity works.
# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="ens160"
UUID="939ac388-1804-487d-a38c-307b7fa8ac18"
DEVICE="ens160"
ONBOOT="yes"
IPADDR="10.1xx.x.x"
PREFIX="24"
GATEWAY="10.1xx.x.1"
DNS1="127.0.0.1"
DNS2="8.8.8.8"
DNS3="198.41.0.4"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"
Then I was able to install BIND and BIND-UTILS. After that everything fell apart. I cannot nslookup anything from either server or from my internal test DNS server. I worked with our firewall engineer, who verified that DNS traffic is allowed between my internal test DNS server and the two DMZ DNS caching servers, and outbound from them; I am now trying to reach him to make sure the outbound NAT is working. I have configured localhost, 8.8.8.8 and 198.41.0.4 as the DNS servers on both DNS caching servers.
# cat /etc/resolv.conf
# Generated by NetworkManager
search <my.domain>
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 198.41.0.4
Hosts file:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Network file:
# cat /etc/sysconfig/network
# Created by anaconda
I have also tried disabling the firewall on both servers, with no change in behaviour.
I don't want this to become a blocker for the project, but I really don't want to use Windows servers for this... :) Any help would be greatly appreciated.
- - - - - - UPDATE - - - - - -
Thanks everyone for the replies. 127.0.0.1 was there as a placeholder and will be replaced with the IP of the other server in the pair. The idea is that if one server does not have a record in its cache, it can ask the other first before going out to the world for it. I temporarily removed 127.0.0.1 from the list, rebooted the server, and nslookups are now working. :-) IP connectivity worked all along even when DNS resolution did not, which is what let me update the root hints yesterday morning. As for running Windows instead of Linux, not my call... management wants Linux for this and I was tagged to implement it. Hence asking for help from people with more experience. I'll be buried in www.Pluralsight.com over the weekend to learn more.
# dig +short @198.41.0.4 serverfault.com
# dig +short @8.8.8.8 serverfault.com
104.16.46.232
104.16.48.232
104.16.49.232
104.16.47.232
104.16.45.232
# dig +short @127.0.0.1 serverfault.com
;; connection timed out; no servers could be reached
# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-04-08 13:36:46 EDT; 5s ago
Process: 1867 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 1878 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1876 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1881 (named)
CGroup: /system.slice/named.service
1881 /usr/sbin/named -u named
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: journal file is out of date: removi...file
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: loaded serial 3
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost.localdomain/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: all zones loaded
Apr 08 13:36:46 <DNS Cache Server> named[1881]: running
Apr 08 13:36:46 <DNS Cache Server> systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
# ping www.eye4u.com
PING www.eye4u.com (208.91.197.132) 56(84) bytes of data.
64 bytes from 208.91.197.132: icmp_seq=1 ttl=244 time=46.4 ms
64 bytes from 208.91.197.132: icmp_seq=2 ttl=244 time=52.2 ms
...
--- www.eye4u.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 26201ms
rtt min/avg/max/mdev = 45.103/49.591/54.753/3.257 ms
# nslookup
> www.bermuda.com
Server: 4.2.2.2
Address: 4.2.2.2#53
Non-authoritative answer:
www.bermuda.com canonical name = bermuda.com.
Name: bermuda.com
Address: 104.27.191.246
Name: bermuda.com
Address: 104.27.190.246
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl trusted {
<internal DNS 1 IP>
<internal DNS 2 IP>
<internal DNS 3 IP>
<internal DNS 4 IP>
<internal DNS 5 IP>
<internal DNS 6 IP>
localhost;
};
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
#allow-transfer {}
allow-query { trusted; };
allow-query { localhost; };
forwarders { 198.41.0.4; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
************** UPDATE 2 ***************
After posting the first update I noticed that the "listen-on port 53" option was still set to "{ 127.0.0.1; };", so I added the caching server's IP to the list and restarted named. Our internal DNS servers still could not query the caching servers, so I checked the firewall status, since I had rebooted the caching servers earlier. BINGO - I had forgotten to set the rule to allow port 53 traffic. Everything is working smoothly now. If you see any settings in the config that could be improved, please let me know. Thanks again for your help.
Answer 1
I ran into a similar problem. Well, the following steps worked for me and may help you too.
vi /etc/selinux/config
and change it to SELINUX=disabled
and reboot the server.
The edited file looks like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
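The question's two updates found the gaps one at a time (named bound only to 127.0.0.1, then port 53 closed in the firewall), and the answer above turns to SELinux. As an added example that is not part of the question, the answer, or the BIND project, the script below puts those checks in one place. The static functions run offline against a constructed sample of the options block shaped like the posted named.conf, and audit it for the three things a reviewer would flag there: listen-on missing the server's own address, the duplicated allow-query statement (BIND treats a redefined option as a config error, so the two lists have to be merged into one), and recursion enabled without an allow-recursion list, which is the access control the config's own comment asks for once the server listens on a DMZ address. The live_checks function runs the stock CentOS 7 tools (named-checkconf, ss, firewall-cmd, getenforce, ausearch, dig) on a real server and needs root; it is not exercised here. The address 10.0.0.5 is a placeholder, and the "trusted" ACL name is the one from the posted config.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Static checks parse a named.conf-style text; live_checks needs root on the server.

# Constructed sample: the shape of the poster's options block before update 2,
# with placeholder addresses. Not copied from any real server.
SAMPLE_CONF='options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query { trusted; };
    allow-query { localhost; };
    forwarders { 198.41.0.4; };
    recursion yes;
};'

# listens_on CONF IP: exit 0 when IP is in an IPv4 listen-on list.
# The " IP;" match keeps 10.0.0.5 from matching 10.0.0.50.
listens_on() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*listen-on ' | grep -q -F " $2;"
}

# count_statement CONF NAME: how many lines open a statement called NAME.
# Anything above 1 means the option is redefined and must be merged.
count_statement() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { n++ } END { print n + 0 }'
}

# add_listen_ip CONF IP: print CONF with IP prepended to the IPv4 listen-on
# list, the change the poster made in update 2.
add_listen_ip() {
    printf '%s\n' "$1" | sed -E "s/^([[:space:]]*listen-on port 53 \{ )/\1$2; /"
}

# audit_conf CONF IP: print one finding per line; return value = number of findings.
audit_conf() {
    conf="$1"; ip="$2"; findings=0
    if ! listens_on "$conf" "$ip"; then
        echo "listen-on does not include $ip: clients on the network cannot reach named"
        findings=$((findings + 1))
    fi
    dup=$(count_statement "$conf" allow-query)
    if [ "$dup" -gt 1 ]; then
        echo "allow-query appears $dup times: merge into one list, e.g. { trusted; localhost; }"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*recursion[[:space:]]+yes' &&
       [ "$(count_statement "$conf" allow-recursion)" -eq 0 ]; then
        echo "recursion yes without allow-recursion: add allow-recursion { trusted; };"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# live_checks IP: the runtime checks from the thread, in the order that found the
# bugs: config syntax, is named bound on port 53, is the port open in firewalld,
# is SELinux denying named, and finally a real query. Needs root; not run here.
live_checks() {
    ip="$1"
    named-checkconf -z /etc/named.conf || return 1
    ss -lntu | grep ':53 ' || echo "nothing bound on port 53"
    firewall-cmd --list-services | grep -qw dns ||
        echo "firewalld: dns service not open (firewall-cmd --permanent --add-service=dns; firewall-cmd --reload)"
    echo "SELinux mode: $(getenforce)"
    ausearch -m avc -c named 2>/dev/null | tail -n 5   # recent denials for named, if any
    dig +short @"$ip" serverfault.com
}

# Stand-alone run: audit the sample before and after adding the server's address.
if [ "${1:-}" = "--demo" ]; then
    echo "== before =="; audit_conf "$SAMPLE_CONF" 10.0.0.5
    echo "== after add_listen_ip =="; audit_conf "$(add_listen_ip "$SAMPLE_CONF" 10.0.0.5)" 10.0.0.5
fi
```

Run it with `--demo` to see the findings shrink from three to two once the address is added; the remaining two (the duplicate allow-query and the missing allow-recursion) are edits to make in named.conf before the DMZ address goes live, since allow-query on a reachable recursive resolver is what stands between it and the amplification abuse the config comment describes.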