我在 VirtualBox 中创建了一个虚拟配置以供练习,但无法使其工作。我有一个 Ubuntu 14.04 Server 作为服务器,一个 Xubuntu 16.04 作为客户端。服务器有一个网络接口作为桥接器 (192.168.1.192),另一个在本地网络中 (192.168.56.101),客户端在本地网络中只有一个接口 (192.168.56.200)。我试图在 DNS 转发器配置中设置绑定,但客户端无法连接到服务器。
服务器配置:
-iptables
*filter
:INPUT DROP [1824:109808]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [776:81374]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p udp -m multiport --ports 53 -j ACCEPT
-A FORWARD -p tcp -m multiport --ports 53,80,8080,443,110,25,21 -j ACCEPT
COMMIT
# Completed on Mon Feb 6 19:29:11 2017
# Generated by iptables-save v1.4.21 on Mon Feb 6 19:29:11 2017
*nat
:PREROUTING ACCEPT [1983:119530]
:INPUT ACCEPT [2:144]
:OUTPUT ACCEPT [19:1244]
:POSTROUTING ACCEPT [19:1244]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "PuLMSMi7CDsY1tG9qGSQBQ==";
};
#
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
/etc/bind/rndc.conf
#Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "PuLMSMi7CDsY1tG9qGSQBQ==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
/etc/bind/named.conf.options
acl goodclients {
192.168.56.0/24;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
8.8.8.8;
8.8.4.4;
};
forward only;
listen-on port 53 { 192.168.56.101; };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
绑定似乎工作正常
sudo service bind9 restart
* Stopping domain name service... bind9 WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
waiting for pid 1046 to die
[ OK ]
* Starting domain name service... bind9 [ OK ]
但 named 却没有,事实上,named 根本就不存在
sudo service named status
named: unrecognized service
客户端配置
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
我已尝试将 192.168.56.101(内部网络上的服务器接口)添加到 resolv.conf,但没有任何反应。
/etc/网络/接口
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto enp0s3
iface enp0s3 inet static
address 192.168.56.200
netmask 255.255.255.0
broadcast 192.168.56.255
network 192.168.56.0
gateway 192.168.56.101
/etc/hosts
127.0.0.1 localhost
127.0.1.1 xubuntu-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
调查
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=148 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=105 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=40 time=78.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=40 time=79.2 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 78.928/102.951/148.389/28.314 ms
向外界发送 Ping 消息有效
telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
Connection closed by foreign host.
以及 telnet。
ping 192.168.56.101
PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_seq=1 ttl=64 time=0.735 ms
64 bytes from 192.168.56.101: icmp_seq=2 ttl=64 time=0.492 ms
64 bytes from 192.168.56.101: icmp_seq=3 ttl=64 time=0.483 ms
64 bytes from 192.168.56.101: icmp_seq=4 ttl=64 time=0.610 ms
64 bytes from 192.168.56.101: icmp_seq=5 ttl=64 time=0.357 ms
^C
--- 192.168.56.101 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3997ms
rtt min/avg/max/mdev = 0.357/0.535/0.735/0.129 ms
对内部服务器接口进行 ping 操作成功。
telnet 192.168.56.101 53
Trying 192.168.56.101...
telnet: Unable to connect to remote host: Connection timed out
然而 telnet 没有
netstat -anp | grep '53'
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 192.168.56.101:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
udp 0 0 192.168.56.101:53 0.0.0.0:* -
udp6 0 0 ::1:53908 ::1:48239 ESTABLISHED -
udp6 0 0 :::53 :::* -
udp6 0 0 ::1:48239 ::1:53908 ESTABLISHED -
但服务器正在监听该端口。
我在防火墙中启用了转发,在 named.conf 中设置了转发,并在两端禁用了 ufw。还有什么可能出错?
更新:编辑防火墙规则如下:
# Generated by iptables-save v1.4.21 on Tue Feb 7 21:04:56 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [6:435]
:POSTROUTING ACCEPT [6:435]
-A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Feb 7 21:04:56 2017
# Generated by iptables-save v1.4.21 on Tue Feb 7 21:04:56 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [123:14050]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --ports 53 -j ACCEPT
-A INPUT -p udp -m multiport --ports 53 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m multiport --ports 80,8080,443,110,25,21 -j ACCEPT
COMMIT
# Completed on Tue Feb 7 21:04:56 2017
Telnet 现在可以连接,但是 DNS 仍然无法连接。
dig google.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
详细说明:防火墙和绑定托管在同一台服务器上。
答案1
配置问题有两个方面:
首先,应该配置转发服务器的 iptables 以将传入的 DNS 请求定向到链INPUT,否则它们将无法被 bind 接受和处理。
-A INPUT -p tcp -m multiport --ports 53 -j ACCEPT
-A INPUT -p udp -m multiport --ports 53 -j ACCEPT
dns-nameserver其次,客户端的配置文件中缺少一个条目/etc/network/interfaces,如果接口配置为静态,则应该在该条目中。
iface enp0s3 inet static
address 192.168.56.200
netmask 255.255.255.0
broadcast 192.168.56.255
network 192.168.56.0
gateway 192.168.56.101
dns-nameservers 192.168.56.101
如果网络接口配置为动态接口,则应编辑/etc/dhcp/dhclient.conf并添加以下行。
prepend domain-name-servers x.x.x.x, y.y.y.y;
其中x.x.x.x和y.y.y.y是 DNS 服务器的地址。