我在 Centos7 上设置了一个 Bind 9.9.4 名称服务器。它包括一个具有静态 IP 的单个区域,用于我的企业 LAN。我已将其设置为将其他所有内容转发到 Google 的公共 DNS。一切似乎都正常(本地和互联网名称解析),直到我意识到我无法访问 linkedin.com。LinkedIn 似乎设置了 cname 链,当我查询本地服务器时,它只执行了解析 IP 所需步骤的一半。
如果我直接查找公共 Google DNS,我会得到正确的答案:
>>nslookup www.linkedin.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
www.linkedin.com canonical name = 2-01-2c3e-003c.cdx.cedexis.net.
2-01-2c3e-003c.cdx.cedexis.net canonical name = any-na.www.linkedin.com.
Name: any-na.www.linkedin.com
Address: 108.174.10.10
但是,如果我通过 DNS 服务器,它似乎无法解析链中的第二个 cname 条目,而是返回0.0.0.0
>>nslookup www.linkedin.com 10.26.2.4
Server: 10.26.2.4
Address: 10.26.2.4#53
Non-authoritative answer:
www.linkedin.com canonical name = 2-01-2c3e-003c.cdx.cedexis.net.
Name: 2-01-2c3e-003c.cdx.cedexis.net
Address: 0.0.0.0
我在 Google 上搜索了几个小时,尝试了 named.conf 中的各种配置选项,但一直无法弄清楚为什么会发生这种情况。每次我对 named.conf 进行更改时,我都会执行以下操作以确保不会得到过时的结果:
>>sudo systemctl reload named
>>sudo systemctl restart named
>>sudo rndc flush
>>sudo rndc reload
如果我直接尝试解析 IP 地址,无论我的目标服务器是我的 DNS 服务器还是 Google 的 DNS 服务器,2-01-2c3e-003c.cdx.cedexis.net我都会得到以下结果:0.0.0.0
>>nslookup 2-01-2c3e-003c.cdx.cedexis.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Name: 2-01-2c3e-003c.cdx.cedexis.net
Address: 0.0.0.0
>>nslookup 2-01-2c3e-003c.cdx.cedexis.net 10.26.2.4
Server: 10.26.2.4
Address: 10.26.2.4#53
Non-authoritative answer:
Name: 2-01-2c3e-003c.cdx.cedexis.net
Address: 0.0.0.0
我认为这是我的配置问题,但我无法确定到底哪里出了问题。以下是我的 named.conf。如能得到任何帮助,我将不胜感激:
acl "trusted" { 10.26.2/24; 10.28.2/24; localhost; };
options {
listen-on port 53 { 127.0.0.1; 10.26.2.4; };
#listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
forwarders { 8.8.8.8; 8.8.4.4; };
forward first;
recursion yes;
allow-query { trusted; };
allow-transfer { 10.26.2.5; };
dnssec-enable yes;
dnssec-validation no;
#auth-nxdomain no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
这里有一些额外的调试信息。
针对我的名称服务器(10.26.2.4)进行挖掘:
>>dig @10.26.2.4 www.linkedin.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @10.26.2.4 www.linkedin.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26538
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.linkedin.com. IN A
;; ANSWER SECTION:
www.linkedin.com. 1 IN CNAME 2-01-2c3e-003c.cdx.cedexis.net.
2-01-2c3e-003c.cdx.cedexis.net. 0 IN A 0.0.0.0
;; AUTHORITY SECTION:
. 141169 IN NS k.root-servers.net.
. 141169 IN NS i.root-servers.net.
. 141169 IN NS b.root-servers.net.
. 141169 IN NS c.root-servers.net.
. 141169 IN NS g.root-servers.net.
. 141169 IN NS l.root-servers.net.
. 141169 IN NS e.root-servers.net.
. 141169 IN NS h.root-servers.net.
. 141169 IN NS m.root-servers.net.
. 141169 IN NS f.root-servers.net.
. 141169 IN NS a.root-servers.net.
. 141169 IN NS d.root-servers.net.
. 141169 IN NS j.root-servers.net.
;; Query time: 31 msec
;; SERVER: 10.26.2.4#53(10.26.2.4)
;; WHEN: Sat Jan 27 14:03:27 MST 2018
;; MSG SIZE rcvd: 313
针对 Google 的 DNS 进行挖掘:
>>dig @8.8.8.8 www.linkedin.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> @8.8.8.8 www.linkedin.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17261
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.linkedin.com. IN A
;; ANSWER SECTION:
www.linkedin.com. 1 IN CNAME 2-01-2c3e-003c.cdx.cedexis.net.
2-01-2c3e-003c.cdx.cedexis.net. 1 IN CNAME any-na.www.linkedin.com.
any-na.www.linkedin.com. 1 IN A 108.174.10.10
;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 27 14:03:47 MST 2018
;; MSG SIZE rcvd: 126
答案1
你可能要做的第一件事是添加允许递归语句,例如allow-recursion {trusted;};