绑定不解析域名

tag-icon tag-icon linux networking centos domain bind
绑定不解析域名

我有一台专用服务器,但似乎无法使用 bind 正确解析我的域名。我尝试了很多互联网搜索并比较了不同的配置文件,但似乎无法弄清楚。我只有一个 IP 地址和网关地址。

挖掘@localhost www.euphorics.net

    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @localhost www.euphorics.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58762
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.euphorics.net.     IN  A

;; ANSWER SECTION:
www.euphorics.net.  3600    IN  A   38.130.218.68

;; AUTHORITY SECTION:
euphorics.net.      3600    IN  NS  ns2.euphorics.net.
euphorics.net.      3600    IN  NS  ns1.euphorics.net.

;; ADDITIONAL SECTION:
ns1.euphorics.net.  3600    IN  A   38.130.218.68
ns2.euphorics.net.  3600    IN  A   38.130.218.68

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 19 08:24:26 EDT 2016
;; MSG SIZE  rcvd: 130

/etc/named.conf

    //
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 38.130.218.68; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-transfer { 38.130.218.68; };      # disable zone transfers by default
        allow-query     { trusted; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

acl "trusted" {
        127.0.0.1;    # ns1 - can be set to localhost
        38.130.218.68;    # ns2
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";

/etc/named/named.conf.local

    zone "euphorics.net" {
    type master;
    file "/etc/named/zones/db.euphorics.net"; # zone file path
};

zone "130.38.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.38.130";  # 10.128.0.0/16 subnet
};

/etc/named/zones/db.euphorics.net

    $TTL 3600
@       IN      SOA     ns1.euphorics.net. admin.euphorics.net. (
                              3         ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL

; name servers - NS records
euphorics.net.          IN      NS      ns1.euphorics.net.
euphorics.net.          IN      NS      ns2.euphorics.net.

; name servers - A records
@                                   A       38.130.218.68
www                                 A       38.130.218.68
ns1.euphorics.net.          IN      A       38.130.218.68
ns2.euphorics.net.          IN      A       38.130.218.68

我还向防火墙和 iptables 添加了端口 53 tcp/udp。我甚至关闭了防火墙,看看是否有帮助,但没有用。重新启动了绑定/服务器,仍然不行。

答案1

acl recurseallow { 127.0.0.1; 38.130.218.68; 192.168.0.0/24; }; //local network maybe?
allow-query     { any; };
recursion { recurseallow; };

关于区域文件,请尝试以下操作:

$ttl 60 //for testing purpose. After that set it above 3600
@       IN  SOA ns1.euphorics.net. root.euphorics.net. (
                    2016101901 ; serial
                    10800      ; refresh (3 hours)
                    60       ; retry (30 minutes) // after finishing testing, set it above 3600
                    604800     ; expire (1 week )
                    38400     ; minimum (1 day)
                    )

           NS      ns1.euphorics.net.
           NS      ns2.euphorics.net.
            A      38.130.218.68
        IN  A   38.130.218.68
ns1     IN  A   38.130.218.68
ns2     IN  A   38.130.218.68
www     IN  A   38.130.218.68

答案2

您仅允许 acl 列表中的某些 IP 地址

acl "trusted" { 127.0.0.1; #ns1 – 可以设置为localhost 38.130.218.68; #ns2 };

并且在允许查询标签中,您已经调用了“受信任”acl,其中只允许本地ip进行查询。

允许查询 { 受信任; };

理想情况下,对于权威服务器,应该允许整个互联网查询您的域,否则人们将无法解析您的域。

在挖掘查询中,我得到了查询,状态:拒绝从您的服务器查询时。

答案3

@sly1x... 您的服务器现在充当开放解析器,如下所示 -

*Kansals-MacBook:~ Kansal$ dig nkn.in @38.130.218.68 +short 180.149.57.82 Kansals-MacBook:~ Kansal$*

您的服务器可能会被用来对其他人发起 DDoS 攻击。

作为最佳实践,不建议运行开放解析器,除非您具备执行相同操作的专业知识。

请在以下位置进行以下设置选项绑定配置的部分

递归否;

或使用访问控制列表选择性地允许递归。

相关内容