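I'm new to Bind, so please forgive any "stupid" questions. I have configured a Bind server on CentOS-7, with the server named CentOS-DC (10.64.33.115). I have also configured 3 CentOS-7 clients:
- CentOS-App-01 10.60.161.99
- CentOS-DB-01 10.60.161.169
- CentOS-Web-01 10.60.161.229
Everything resolves correctly internally.
The problem occurs when I try to browse the web. I have added forwarder addresses to /etc/named.conf, but I still cannot browse the web.
Below is my /etc/named.conf file: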
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 10.64.33.115;}; ### Master DNS IP ###
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 10.60.161.0/24; };
allow-transfer { localhost; 10.64.33.115; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
allow-recursion {localhost; 10.60.161.0/24; };
dnssec-enable yes;
dnssec-validation yes;
forwarders {
10.73.240.235;
152.62.196.10;
};
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "CorkCompute.local" IN {
type master;
file "forward.CorkCompute";
allow-update { none; } ;
};
zone "161.60.10" IN {
type master;
file "reverse.CorkCompute";
allow-update { none; } ;
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
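Thanks
Answer 1
I managed to solve this with the help of a Linux expert at work. Although I had configured the forwarders, I had not told the server to actually forward anything. Here is the updated code: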
forwarders {
10.73.240.235;
152.62.196.10;
};
forward only;
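Answer 2
10.0.0.0/8 is an IP range reserved for "Private-Use Networks" (RFC 1918, 5735 and 6303). The same is true of the networks 192.168.0.0/16 and 172.16.0.0/12. These addresses are not routed over the Internet and cannot be reached directly from external networks.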
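Added example, not part of the original question or answers: a small Python audit of the resolver settings discussed on this page. It reports the forward mode from Answer 1, classifies each forwarder against the RFC 1918 ranges from Answer 2, and checks whether recursion is restricted. The function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# The three RFC 1918 private-use ranges named in Answer 2.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: resolver options from the question plus Answer 1's "forward only;".
SAMPLE_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 10.64.33.115;}; ### Master DNS IP ###
    recursion yes;
    allow-recursion {localhost; 10.60.161.0/24; };
    forwarders { 10.73.240.235; 152.62.196.10; };
    forward only;
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot be mistaken for statements."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def block_items(conf, name):
    """Entries of a flat 'name { a; b; };' statement, or None when it is absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^{}]*)\}", conf)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf_text):
    """Summarise how this resolver forwards and who may use it for recursion."""
    conf = strip_comments(conf_text)
    mode = re.search(r"(?<![\w-])forward\s+(only|first)\s*;", conf)
    forwarders = {}
    for addr in block_items(conf, "forwarders") or []:
        ip = ipaddress.ip_address(addr.split()[0])  # tolerate "addr port N"
        forwarders[addr] = "private" if any(ip in net for net in RFC1918) else "public"
    acl = block_items(conf, "allow-recursion")
    return {
        # None: statement absent (BIND then uses its default, "first").
        "forward_mode": mode.group(1) if mode else None,
        "forwarders": forwarders,
        "recursion": re.search(r"(?<![\w-])recursion\s+yes\s*;", conf) is not None,
        # An "any" entry lets arbitrary clients recurse: the amplification
        # risk that the stock comment in named.conf warns about.
        "recursion_open_to_any": acl is not None and "any" in acl,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

A forwarder reported as "private" is reachable only from inside the network that hosts it, so with `forward only;` external resolution depends on whichever listed forwarder the server can actually reach.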