I have installed bind9 on Ubuntu 14.04. It resolves the local domain, but it cannot resolve Internet domains such as google.com, facebook.com, and so on.
I have spent two days looking for a solution without success. Please help me with this problem.
The configuration follows https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 and a book I bought locally, which describes the same setup, but neither has worked.
The firewall on this machine is still off, and I have forwarded port 53 to this machine.
Below is my machine's configuration. Forward zone file:
$TTL 604800
@ IN SOA ns.test.id. [email protected]. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.test.id.
@ IN MX 10 mail
@ IN A 10.0.0.2
ns IN A 10.0.0.2
mail IN A 10.0.0.2
Reverse zone file:
$TTL 604800
@ IN SOA ns.test.id. [email protected]. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
10 IN PTR ns.test.id.
10 IN PTR mail.test.id.
named.conf.local:
//
// Do any local configuration here
//
zone "test.id" {
type master;
file "/etc/bind/db.test.id";
};
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10";
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
named.conf.options:
acl trusted {
127.0.0.0/8;
10.0.0.0/24;
};
options {
//listen-on port 53 {trusted;};
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
//forwarders {
// 8.8.8.8;
// 8.8.4.4;
//};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
// Allow recursion request
recursion yes;
allow-query {trusted;};
};
Ping and dig tests:
anggra@mail:/etc/bind$ dig google.co.id
; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> google.co.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27793
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.co.id. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 26 08:32:15 WIB 2017
;; MSG SIZE rcvd: 41
anggra@mail:/etc/bind$ ping google.co.id
ping: unknown host google.co.id
/etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search test.id
Answer 1
For recursion to work, you must have either root hints or forwarders configured.
For root hints, add a zone for "." (you can get the root server list from ICANN):
zone "." in { type hint; file "root.servers"; };
For forwarders, put your ISP's name servers in named.conf:
forwarders { 8.8.8.8; 8.8.4.4; };
Since this appears to be a small local network, you should use forwarders rather than the root name servers. Your ISP's DNS servers are closer to you, and they have probably already cached the most common queries. Using forwarders also reduces the load on the root and authoritative name servers, and if you use a firewall you can restrict port 53 to be open only to those IP addresses.
(Also, I do not see any $ORIGIN directive in your zones, but you may simply have cleaned them up.)
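A named.conf.options written the way the answer recommends, as an added example that is not part of the question or the answer: the forwarders block is uncommented with the answer's 8.8.8.8 and 8.8.4.4 (substitute your ISP's resolvers), `forward only` stops named from falling back to iterating from the root servers when the forwarders do not answer, and recursion is limited to the `trusted` ACL the question already defines, so the server is not an open resolver for whoever reaches port 53. The listen-on address 10.0.0.2 is taken from the question's A records; the `forward only` and `listen-on` choices are my assumptions, not the answer's.

```conf
acl trusted {
    127.0.0.0/8;
    10.0.0.0/24;
};

options {
    directory "/var/cache/bind";

    // Send every query the server cannot answer from its own zones to these
    // upstream resolvers (example values from the answer; use your ISP's).
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    // Do not fall back to the root hints if the forwarders fail. Outbound DNS
    // traffic then only ever goes to the forwarder addresses, so a firewall
    // can permit port 53 to those IPs alone.
    forward only;

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035

    // Listen only where the LAN expects the server (assumption: 10.0.0.2 as
    // in the question's zone file); no IPv6 listener on this host.
    listen-on { 127.0.0.1; 10.0.0.2; };
    listen-on-v6 { none; };

    // Recursion for the trusted networks only; everyone else gets REFUSED
    // instead of being able to use this host as an open resolver.
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
};
```

After saving, `named-checkconf` reports syntax problems, `sudo service bind9 restart` applies the change, and `dig @127.0.0.1 google.co.id` should then return NOERROR rather than the SERVFAIL shown in the question. If you prefer the root-hints route instead, the answer's `zone "."` hint zone goes in named.conf.local; note that on Debian and Ubuntu the bind9 package already ships such a zone in /etc/bind/named.conf.default-zones (file /etc/bind/db.root), so check that that file is still included from named.conf before adding a second one.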