Fixing a DNS problem

I created a virtual setup in VirtualBox for practice, but I cannot get it to work. I have an Ubuntu 14.04 Server as the server and a Xubuntu 16.04 as the client. The server has one network interface bridged (192.168.1.192) and another on the internal network (192.168.56.101); the client has only one interface, on the internal network (192.168.56.200). I am trying to set up bind in a DNS forwarder configuration, but the client cannot connect to the server.
Server configuration:
iptables

*filter
:INPUT DROP [1824:109808]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [776:81374]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p udp -m multiport --ports 53 -j ACCEPT
-A FORWARD -p tcp -m multiport --ports 53,80,8080,443,110,25,21 -j ACCEPT
COMMIT
# Completed on Mon Feb  6 19:29:11 2017
# Generated by iptables-save v1.4.21 on Mon Feb  6 19:29:11 2017
*nat
:PREROUTING ACCEPT [1983:119530]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [19:1244]
:POSTROUTING ACCEPT [19:1244]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT

/etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
    algorithm hmac-md5;
    secret "PuLMSMi7CDsY1tG9qGSQBQ==";
 };
# 
 controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
 };
# End of named.conf

/etc/bind/rndc.conf

#Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "PuLMSMi7CDsY1tG9qGSQBQ==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

/etc/bind/named.conf.options

acl goodclients {
        192.168.56.0/24;
        localhost;
        localnets;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    forwarders {
    8.8.8.8;
    8.8.4.4;
    };
    forward only;
    listen-on port 53 { 192.168.56.101; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-enable yes;
    dnssec-validation yes;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

/etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8

Bind seems to be working fine

sudo service bind9 restart 
 * Stopping domain name service... bind9                                                                                 WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
waiting for pid 1046 to die
                                                                                                                  [ OK ]
 * Starting domain name service... bind9                                                                          [ OK ] 

But named is not; in fact, named does not exist at all

sudo service named status
named: unrecognized service

Client configuration

/etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

I have tried adding 192.168.56.101 (the server's interface on the internal network) to resolv.conf, but nothing happens.

/etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto enp0s3
iface enp0s3 inet static
    address 192.168.56.200
    netmask 255.255.255.0
    broadcast 192.168.56.255
    network 192.168.56.0
    gateway 192.168.56.101

/etc/hosts

127.0.0.1   localhost
127.0.1.1   xubuntu-VirtualBox

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Investigation

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=148 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=105 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=40 time=78.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=40 time=79.2 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 78.928/102.951/148.389/28.314 ms

Pinging the outside world works

telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
Connection closed by foreign host.

and so does telnet.

ping 192.168.56.101
PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_seq=1 ttl=64 time=0.735 ms
64 bytes from 192.168.56.101: icmp_seq=2 ttl=64 time=0.492 ms
64 bytes from 192.168.56.101: icmp_seq=3 ttl=64 time=0.483 ms
64 bytes from 192.168.56.101: icmp_seq=4 ttl=64 time=0.610 ms
64 bytes from 192.168.56.101: icmp_seq=5 ttl=64 time=0.357 ms
^C
--- 192.168.56.101 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3997ms
rtt min/avg/max/mdev = 0.357/0.535/0.735/0.129 ms

Pinging the server's internal interface works.

telnet 192.168.56.101 53
Trying 192.168.56.101...
telnet: Unable to connect to remote host: Connection timed out

but telnet does not

netstat -anp | grep '53'
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 192.168.56.101:53       0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::53                   :::*                    LISTEN      -               
udp        0      0 192.168.56.101:53       0.0.0.0:*                           -               
udp6       0      0 ::1:53908               ::1:48239               ESTABLISHED -               
udp6       0      0 :::53                   :::*                                -               
udp6       0      0 ::1:48239               ::1:53908               ESTABLISHED -

Yet the server is listening on that port.

I enabled forwarding in the firewall, set up forwarding in named.conf, and disabled ufw on both ends. What else could be wrong?

Update: I edited the firewall rules as follows:

# Generated by iptables-save v1.4.21 on Tue Feb  7 21:04:56 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [6:435]
:POSTROUTING ACCEPT [6:435]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Feb  7 21:04:56 2017
# Generated by iptables-save v1.4.21 on Tue Feb  7 21:04:56 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [123:14050]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --ports 53 -j ACCEPT
-A INPUT -p udp -m multiport --ports 53 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m multiport --ports 80,8080,443,110,25,21 -j ACCEPT
COMMIT
# Completed on Tue Feb  7 21:04:56 2017

Telnet can now connect, but DNS still cannot.

dig google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Clarification: the firewall and bind are hosted on the same server.

Answer 1

There are two problems with the configuration:

First, iptables on the forwarding server should be configured to accept incoming DNS requests in the INPUT chain; otherwise bind cannot accept and handle them.

-A INPUT -p tcp -m multiport --ports 53 -j ACCEPT
-A INPUT -p udp -m multiport --ports 53 -j ACCEPT

Second, the client's /etc/network/interfaces configuration file is missing a dns-nameservers entry, which should be present there when the interface is configured as static.

iface enp0s3 inet static
    address 192.168.56.200
    netmask 255.255.255.0
    broadcast 192.168.56.255
    network 192.168.56.0
    gateway 192.168.56.101
    dns-nameservers 192.168.56.101

If the network interface is configured dynamically, edit /etc/dhcp/dhclient.conf and add the following line.

prepend domain-name-servers x.x.x.x, y.y.y.y;

where x.x.x.x and y.y.y.y are the addresses of the DNS servers.
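As an added example (not from the question or the answer above): a small Python lint over an iptables-save dump that reports, for tcp and udp, whether the INPUT chain would accept a fresh query to port 53, which is the check that would have caught the first problem. The sample dump is constructed to mirror the question's original rules (port 53 opened only in FORWARD), and the function names are my own.

```python
import re
# Constructed sample (mirrors the question): port 53 is opened only in FORWARD,
# a chain that never sees packets addressed to the server itself.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -p udp -m multiport --ports 53 -j ACCEPT
-A FORWARD -p tcp -m multiport --ports 53,80,443 -j ACCEPT
COMMIT
"""

def filter_rules(dump):
    """Lines of the *filter table only; the nat table has its own INPUT chain."""
    parts = re.split(r'^\*', dump, flags=re.M)
    return next(p for p in parts if p.startswith('filter')).splitlines()[1:]

def matches_port(rule, port):
    """Does --dport/--dports/--ports cover `port`? No port match means every port."""
    m = re.search(r'--(?:dport|dports|ports)\s+(\S+)', rule)
    for spec in (m.group(1).split(',') if m else ['0:65535']):  # lists and lo:hi
        lo, _, hi = spec.partition(':')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def input_accepts_dns(dump):
    """Per proto: is a fresh port-53 query from another host ACCEPTed by INPUT?"""
    rules = filter_rules(dump)
    policy = next((r.split()[1] for r in rules if r.startswith(':INPUT')), 'ACCEPT')
    verdicts = {}
    for proto in ('tcp', 'udp'):
        verdict = policy                      # chain policy applies if nothing matches
        for rule in rules:                    # first terminal match wins
            p = re.search(r'-p\s+(\S+)', rule)
            if (not rule.startswith('-A INPUT ') or ' -i lo ' in rule  # loopback only
                    or (p and p.group(1) != proto)
                    or ('--state' in rule and 'NEW' not in rule)       # conntrack only
                    or not matches_port(rule, 53)):
                continue
            j = re.search(r'-j\s+(\S+)', rule)
            if j and j.group(1) in ('ACCEPT', 'DROP', 'REJECT'):
                verdict = j.group(1)
                break
        verdicts[proto] = verdict == 'ACCEPT'
    return verdicts
```

Run it against `iptables-save` output on the resolver host; a False for either protocol means a client's query to the server's own address is dropped before bind ever sees it, exactly the symptom of a telnet to port 53 timing out while netstat shows the listener.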
