I have been racking my brains trying to solve a DNS resolution problem with bind on CentOS.
My setup is not typical (it is inherited).
Basically, there is a network namespace called gi on the server, and this is the new service, called srv-gi, where the named service is started:
```
#!/bin/sh
start_service() {
ip netns exec gi /usr/sbin/zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
ip netns exec gi /usr/sbin/bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
#DNS service
ip netns exec gi /usr/sbin/named -u named -c /etc/gi-named.conf
}
start_service
```
The named.conf file has also been renamed to gi-named.conf:
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//

options {
    listen-on port 53 { Public IP; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-query-on { PublicIP; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    allow-query-cache { Internal Range; };
    allow-query-cache-on { PublicIP; };
    query-source address Public IP ;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging
{
    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    /*channel default_debug {
        print-time yes;
        print-category yes;
        print-severity yes;
        file "data/named.run";
        severity dynamic;
    };*/
    channel queries_log {
        file "/var/log/queries" versions 1 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category queries { queries_log; };
    category client { queries_log; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Also note that I have a quagga router configured to allow DNS resolution over the public IP.
/etc/quagga/bgpd.conf
```
!
! Zebra configuration saved from vty
! 2019/10/11 10:11:45
!
!
router bgp AS
bgp router-id PublicIP
network PublicIP/32
network CoreIP/32
neighbor DUB1-WGW peer-group
neighbor DUB1-WGW remote-as AS
neighbor DUB1-WGW soft-reconfiguration inbound
neighbor DUB1-WGW route-map XXXXX out
neighbor CoreBGPIP peer-group DUB1-WGW
neighbor CoreBGPIP peer-group DUB1-WGW
!
ip prefix-list XXXX seq 5 permit PublicIP/32
ip prefix-list XXXX seq 10 permit PrivateIP/32
!
route-map DNS_TO_GI permit 10
match ip address prefix-list XXXXX
!
line vty
!
```
/etc/quagga/zebra.conf
```
!
! Zebra configuration saved from vty
! 2019/10/11 10:11:45
!
hostname hostname
!
interface ens160
ipv6 nd suppress-ra
!
interface ens192
ipv6 nd suppress-ra
!
interface ens192.890
ipv6 nd suppress-ra
!
interface ens192.892
ipv6 nd suppress-ra
!
interface XX
ipv6 nd suppress-ra
!
interface lo
!
ip prefix-list XX seq 5 permit PublicIP3/32
ip prefix-list XX seq 10 permit PrivateIP/32
!
route-map XXXX permit 10
match ip address prefix-list XXX
!
!
!
line vty
!
```
```
# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route
B>* 0.0.0.0/0 [20/10] via neighbor IP, ens192.892, 00:02:18
C>* 127.0.0.0/8 is directly connected, lo
C>* Public IP/32 is directly connected, lo
C>* NeighborSubnet/30 is directly connected, ens192.890
C>* NeighborIP/30 is directly connected, ens192.892
C>* LocalIP/32 is directly connected, lo
```
I am testing resolution with a test APN. Although I can get resolution for one APN, when I introduce a second APN I get the following errors in tcpdump:
```
11:29:38.065284 IP PublicIP.domain > internal IP.p2pcommunity: 30622 ServFail 0/0/0 (44)
11:29:38.265736 IP PublicIP.domain > internal IP.32209: 12606 ServFail 0/0/0 (37)
11:29:38.266037 IP PublicIP.domain > internal IP.10793: 26678 ServFail 0/0/0 (37)
11:29:38.295727 IP PublicIP.domain > internal IP.ibm_wrless_lan: 23483 ServFail 0/0/0 (33)
11:29:38.296038 IP PublicIP.domain > internal IP.22097: 8347 ServFail 0/0/0 (33)
11:29:38.297532 IP PublicIP.domain > internal IP.31026: 23400 ServFail 0/0/0 (38)
11:29:38.298117 IP PublicIP.domain > internal IP.23707: 26481 ServFail 0/0/0 (38)
```
From /var/log/queries:
```
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): error
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): send
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): sendto
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): error
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): senddone
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): next
22-Sep-2020 11:31:07.552 client: debug 3: client InternalIP#61793 (www.facebook.com): endrequest
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): send
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): sendto
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): senddone
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): next
22-Sep-2020 11:31:07.553 client: debug 3: client InternalIP#48008 (2.android.pool.ntp.org): endrequest
```
I really don't know how to solve this; any pointers or suggestions would be greatly appreciated.
Output of the dig commands:
```
dig facebook.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;facebook.com. IN A
;; ANSWER SECTION:
facebook.com. 93 IN A 31.13.86.36
;; Query time: 2 msec
;; SERVER: internal DNS#53(Internal DNS)
;; WHEN: Tue Sep 22 19:38:58 UTC 2020
;; MSG SIZE rcvd: 57

dig @PublicIP facebook.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @PublicIP facebook.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @208.67.222.222 facebook.com
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @208.67.222.222 facebook.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```
```
ip netns exec gi tcpdump -n -f 'port 53' -i any
09:55:35.676645 IP PublicIP.domain > InternalIP.46571: 36451 ServFail 0/0/0 (32)
09:55:35.676939 IP PublicIP.domain > InternalIP.37817: 52592 ServFail 0/0/0 (32)
09:55:35.677865 IP PublicIP.domain > InternalIP41737: 52624 ServFail 0/0/0 (32)
09:55:35.713870 IP PublicIP.34042 > 193.0.14.129.domain: 11264 [1au] A? mtalk.google.com. (45)
09:55:35.713914 IP PublicIP.11218 > 193.0.14.129.domain: 3623 [1au] NS? . (28)
09:55:35.768649 IP 193.0.14.129.domain > PublicIP.11218: 3623*-| 0/0/1 (28)
09:55:35.784456 IP 193.0.14.129.domain > PublicIP.34042: 11264-| 0/0/1 (45)
09:55:36.045130 IP PublicIP.wcbackup > 192.112.36.4.domain: 28368 A? update.googleapis.com. (39)
09:55:36.063323 IP InternalIP.49382 > PublicIP.domain: 57145+ A? accounts.google.com. (37)
09:55:36.064459 IP PublicIP.48169 > 193.0.14.129.domain: 15825 [1au] A? accounts.google.com. (48)
09:55:36.065883 IP APNIP.54312 > PublicIP.domain: 53585+ A? accounts.google.com. (37)
09:55:36.080202 IP 192.112.36.4.domain > PublicIP.wcbackup: 28368- 0/13/14 (499)
09:55:36.120905 IP 193.0.14.129.domain > PublicIP.48169: 15825- 0/15/27 (1182)
09:55:36.170289 IP InternalIP.59759 > PublicIP.domain: 52061+ A? www.google.com. (32)
09:55:36.224316 IP PublicIP.5346 > 192.112.36.4.domain: 40438 A? www.facebook.com. (34)
09:55:36.257993 IP 192.112.36.4.domain > PublicIP.5346: 40438- 0/13/14 (494)
09:55:36.441576 IP PublicIP.domain > InternalIP.65408: 45517 ServFail 0/0/0 (39)
09:55:36.441666 IP PublicIP.domain > InternalIP.60664: 54663 ServFail 0/0/0 (39)
09:55:36.442994 IP PublicIP.domain > InternalIP.48634: 56799 ServFail 0/0/0 (39)
09:55:36.443474 IP PublicIP.domain > InternalIP.36045: 34980 ServFail 0/0/0 (39)
```
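The tcpdump excerpts in the question are the raw material for two checks a resolver operator on a public IP wants to make: which clients the server is actually answering (and whether any fall outside the range that allow-query-cache is meant to cover), and whether the ServFails line up with what happens on the upstream side (referrals that never turn into answers, truncated responses that force a TCP retry). As an added example, not code from the question or the answer, here is a small Python parser for tcpdump's DNS summary lines that groups a capture by client and by upstream server. The sample capture is constructed: RFC 5737 documentation addresses stand in for the PublicIP / InternalIP / APNIP placeholders, the resolver address and internal range are assumed, and one line carries a mangled client address like the "InternalIP41737" line in the question so the unparsed path is exercised.

```python
"""Summarise DNS traffic from tcpdump 'port 53' summary lines.

Added example for the thread above, not code from the question or the answer.
The sample capture is constructed: RFC 5737 documentation addresses replace the
PublicIP / InternalIP / APNIP placeholders; the root-server addresses are the
ones in the question's capture. IPv4 only, like that capture.
"""
import ipaddress
import re
from collections import Counter

# tcpdump -n prints "<ts> IP <src>.<port> > <dst>.<port>: <id><flags> <summary>".
# Ports may be numbers or service names (domain, wcbackup, p2pcommunity ...).
# Flags after the id: + = RD, * = AA, - = RA not set, | = truncated, $ = CD.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[\w-]+): "
    r"(?P<id>\d+)(?P<flags>[+*\-|$]*)\s*(?P<rest>.*)$"
)
RCODES = {"FormErr", "ServFail", "NXDomain", "NotImp", "Refused"}  # NoError shows counts only
COUNTS_RE = re.compile(r"^\d+/\d+/\d+$")  # answer/authority/additional
DNS_PORTS = ("domain", "53")

# Constructed capture in the shape of the question's; the second line has a
# mangled client address (like "InternalIP41737" above) and must not parse.
SAMPLE_CAPTURE = """\
09:55:35.677865 IP 203.0.113.53.domain > 10.20.1.1541737: 52624 ServFail 0/0/0 (32)
09:55:35.713870 IP 203.0.113.53.34042 > 193.0.14.129.domain: 11264 [1au] A? mtalk.google.com. (45)
09:55:35.784456 IP 193.0.14.129.domain > 203.0.113.53.34042: 11264-| 0/0/1 (45)
09:55:36.045130 IP 203.0.113.53.wcbackup > 192.112.36.4.domain: 28368 A? update.googleapis.com. (39)
09:55:36.063323 IP 10.20.1.15.49382 > 203.0.113.53.domain: 57145+ A? accounts.google.com. (37)
09:55:36.065883 IP 198.51.100.7.54312 > 203.0.113.53.domain: 53585+ A? accounts.google.com. (37)
09:55:36.080202 IP 192.112.36.4.domain > 203.0.113.53.wcbackup: 28368- 0/13/14 (499)
09:55:36.170289 IP 10.20.1.15.59759 > 203.0.113.53.domain: 52061+ A? www.google.com. (32)
09:55:36.441576 IP 203.0.113.53.domain > 10.20.1.15.49382: 57145 ServFail 0/0/0 (39)
09:55:36.441666 IP 203.0.113.53.domain > 10.20.1.15.59759: 52061 ServFail 0/0/0 (39)
09:55:36.442994 IP 203.0.113.53.domain > 198.51.100.7.54312: 53585 Refused 0/0/0 (37)
"""

def parse_line(line):
    """One summary line -> dict with addresses, ports, flags, rcode, qname, counts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec.update(rcode=None, qtype=None, qname=None, counts=None)
    tokens = rec.pop("rest").split()
    for i, tok in enumerate(tokens):
        if tok in RCODES:
            rec["rcode"] = tok
        elif tok.endswith("?") and i + 1 < len(tokens):  # "A? name." question
            rec["qtype"], rec["qname"] = tok[:-1], tokens[i + 1].rstrip(".")
        elif COUNTS_RE.match(tok):
            rec["counts"] = tuple(int(x) for x in tok.split("/"))
    return rec

def summarise(lines, resolver_ip, internal_nets):
    """Group the capture by client (what it asked, what it got) and by upstream server."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    clients, upstream, unparsed = {}, {}, 0

    def client(ip):
        # A recursive resolver on a public IP should only be serving the internal range.
        return clients.setdefault(ip, {
            "queries": 0, "rcodes": Counter(), "names": set(),
            "external": not any(ipaddress.ip_address(ip) in n for n in nets)})

    def server(ip):
        return upstream.setdefault(ip, {"queries": 0, "referrals": 0, "truncated": 0})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        to_dns, from_dns = rec["dport"] in DNS_PORTS, rec["sport"] in DNS_PORTS
        if to_dns and rec["dst"] == resolver_ip:        # client -> resolver
            c = client(rec["src"])
            c["queries"] += 1
            if rec["qname"]:
                c["names"].add(rec["qname"])
        elif from_dns and rec["src"] == resolver_ip:    # resolver -> client
            client(rec["dst"])["rcodes"][rec["rcode"] or "NoError"] += 1
        elif to_dns and rec["src"] == resolver_ip:      # resolver -> upstream
            server(rec["dst"])["queries"] += 1
        elif from_dns and rec["dst"] == resolver_ip:    # upstream -> resolver
            s = server(rec["src"])
            if rec["counts"] and rec["counts"][0] == 0 and rec["counts"][1] > 0:
                s["referrals"] += 1   # no answers, NS records only: a delegation
            if "|" in rec["flags"]:
                s["truncated"] += 1   # TC set: the resolver has to retry over TCP
    return {"clients": clients, "upstream": upstream, "unparsed": unparsed}

def report(summary):
    """Readable lines; external clients and ServFail counts are what to look at."""
    out = []
    for ip, c in sorted(summary["clients"].items()):
        out.append(f"client {ip:<15} {'EXTERNAL' if c['external'] else 'internal'} "
                   f"queries={c['queries']} servfail={c['rcodes']['ServFail']} "
                   f"names={','.join(sorted(c['names']))}")
    for ip, s in sorted(summary["upstream"].items()):
        out.append(f"upstream {ip:<15} queries={s['queries']} "
                   f"referrals={s['referrals']} truncated={s['truncated']}")
    out.append(f"unparsed lines: {summary['unparsed']}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_CAPTURE.splitlines(), "203.0.113.53", ["10.20.0.0/16"]))))
```

On a live box the same parser reads `ip netns exec gi tcpdump -n -l 'port 53'` piped through a file, with the real public IP and internal range passed to `summarise`. A client flagged EXTERNAL that gets anything other than Refused is the open-resolver case the comment block in named.conf warns about; clients whose ServFail count rises while the upstream view shows only referrals and truncated responses point the investigation at the resolver's own outbound path rather than at the clients.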
Answer 1
- It would help us help you if you explained your network architecture (e.g. APN1, APN2 and what you are trying to achieve).
- It seems something is wrong with the quagga configuration. You may want to post that as well. Quagga is commonly used together with bind to route traffic to the nearest name resolver. For example, opendns (I have no affiliation with them, I am just using them as an example) publishes two IP addresses, 208.67.222.222 and 208.67.220.220, but queries from different parts of the world go to the server nearest to them (e.g. queries from Europe are resolved by opendns servers in Europe). All of this is coordinated using quagga.