我们在内部 DNS 服务器上运行绑定。
我们在 AWS 中有一个提供 RDS 的高可用性子网组。为了管理通过内部链接进行的访问,我们希望 RDS 实例解析为其私有 IP,而不是公共 IP。
由于 IP 会不时发生变化,我在我们的 DNS 中设置了一个转发,它将针对 Amazon DNS 服务器解析 RDS,并为我们提供当前的私有 IP:
zone "coivvuccn9hs.eu-west-1.rds.amazonaws.com" IN {
type forward;
forward only;
forwarders {
xxx.xxx.xxx.xxx;
};
};
当我从其中一个内部 DNS 服务器针对 AWS DNS 执行查询时:dig @xxx.xxx.xxx.xxx server.coivvuccn9hs.eu-west-1.rds.amazonaws.com 我得到了正确的答案
然而,当我 dig @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com 时,我得到的是公共 IP,尽管 tcpdump 显示服务器确实查询了 AWS DNS 服务器并得到了有效响应。
我的理解是转发器将优先于来自根服务器的响应,那么为什么我会得到公共 IP,而不是私有 IP?
这是我得到的答案:
dig @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @localhost server.coivvuccn9hs.eu-west-1.rds.amazonaws.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5580
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. 5 IN CNAME <somename>.eu-west-1.compute.amazonaws.com.
<somename>.eu-west-1.compute.amazonaws.com. 604800 IN A <public ip>
;; AUTHORITY SECTION:
eu-west-1.compute.amazonaws.com. 900 IN NS u6.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS pdns1.ultradns.net.
eu-west-1.compute.amazonaws.com. 900 IN NS u2.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS ns1.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS u4.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS pdns3.ultradns.org.
eu-west-1.compute.amazonaws.com. 900 IN NS ns4.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS u3.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS pdns5.ultradns.info.
eu-west-1.compute.amazonaws.com. 900 IN NS u1.amazonaws.com.
eu-west-1.compute.amazonaws.com. 900 IN NS ns2.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS ns3.p31.dynect.net.
eu-west-1.compute.amazonaws.com. 900 IN NS u5.amazonaws.com.
;; Query time: 489 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 24 15:13:53 2017
;; MSG SIZE rcvd: 416
答案1
请注意 dig/nslookup 响应指向CNAME
(<somename>.eu-west-1.compute.amazonaws.com
在<somename>
您的帖子中被省略)。
;; ANSWER SECTION:
server.coivvuccn9hs.eu-west-1.rds.amazonaws.com. 5 IN CNAME <somename>.eu-west-1.compute.amazonaws.com.
这意味着查找server.coivvuccn9hs.eu-west-1.rds.amazonaws.com
实际上指向<somename>.eu-west-1.compute.amazonaws.com
主机名。
由于您的绑定服务器仅有一个转发规则,因此rds.amazonaws.com
它现在对查找执行默认正向查找compute.amazonaws.com
,从而产生公共 IP。
因此,解决方案是在 CNAME 解析后为“真实”地址添加第二个转发区域。然后,您应该会在这种情况下获得返回的私有 IP。
答案2
我觉得这像是 DNSSEC 验证问题。您dnssec-validation yes;
在 main/viewoptions
部分中遇到了这个问题吗?如果是,请尝试dnssec-must-be-secure domain.tld no;
在其后立即添加。
肝素钠