I'm having trouble setting up a working infrastructure for testing mail spoofing prevention mechanisms. As shown in the diagram below, I have 2 mail servers (centos1 and 2) and 2 DNS servers. Each host must have a DNS to test SPF records.
The problem is that the two DNS servers can't talk to each other. I mean, they can ping each other, but I really don't know how to set them up so that they serve the A or MX records of the other domain. In a real network these local DNS servers would have to talk to a root DNS that provides the domain names to the local DNS servers. Should I set up an additional root DNS server? If so, how? I've looked almost everywhere on the internet and found nothing...
For example, I want to send from [email protected] to [email protected], but when I do, the mail exchange daemon gives the following message:
<[email protected]>: Host or domain name not found. Name service error for
name=another.local type=A: Host not found
My current configuration for one of the DNS servers is (the second DNS is similar, just with a different domain name):
Forward zone:
$TTL 1D
@ IN SOA dns1.example.local. root.example.local. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.example.local.
@ IN A 192.168.21.131
dns1 IN A 192.168.21.131
host IN A 192.168.21.131
centos1 IN A 192.168.21.128
centos2 IN A 192.168.21.129
another.local IN A 192.168.21.130
example.local IN MX 5 centos1.example.local.
Reverse zone:
$TTL 1D
@ IN SOA dns1.example.local. root.example.local. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.example.local.
@ IN PTR example.local.
dns1 IN A 192.168.21.131
host IN A 192.168.21.131
centos1 IN A 192.168.21.128
centos2 IN A 192.168.21.129
131 IN PTR dns1.example.local.
128 IN PTR centos1.example.local.
129 IN PTR centos2.another.local.
and named.conf:
options {
listen-on port 53 { 127.0.0.1;192.168.21.131; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.local" IN {
type master;
file "forward.example.local";
allow-update {none; };
};
zone "21.168.192.in-addr.arpa" IN {
type master;
file "reverse.example.local";
allow-update {none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
To sum up, how can I get my mail servers to exchange mail, with each mail server using one DNS? Please do look at the diagram below, I think it explains a lot.
Looking forward to your reply! :D
Answer 1
I think this record of yours is wrong:
another.local IN A 192.168.21.130
Your zone is for the domain/hostname: example.local
If you want to add a new domain: another.local
create a new zone for it.
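The answer says to put another.local in its own zone; the question also shows why dns1 never hears about dns2's zone at all, since nothing in its named.conf points at dns2. Below is one way to wire the two lab resolvers together for SPF testing, written as an added example and not taken from the question or the answer. Assumptions made here: dns2 listens on 192.168.21.130 (the address the poster attached to another.local), centos2 belongs to another.local (as the posted PTR record suggests), and a strict `-all` SPF policy is wanted for the test. The reverse zone is left on dns1 only, because a single /24 can have only one authoritative in-addr.arpa zone; dns2 would forward that zone to dns1 the same way dns1 forwards another.local to dns2.

```conf
// /etc/named.conf on dns1 (192.168.21.131) -- example, addresses assumed
options {
    listen-on port 53 { 127.0.0.1; 192.168.21.131; };
    directory "/var/named";
    // Lab resolver: serve and recurse for the lab subnet only,
    // not "any" as in the original config (an open recursive resolver)
    allow-query     { localhost; 192.168.21.0/24; };
    allow-recursion { localhost; 192.168.21.0/24; };
    recursion yes;
    // .local is not delegated from the public root, so there is no chain
    // of trust to validate; leave validation off in this lab
    dnssec-validation no;
};

// Authoritative for our own mail domain
zone "example.local" IN {
    type master;
    file "forward.example.local";
    allow-update { none; };
};

// Only one server can be authoritative for the shared /24
zone "21.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.example.local";
    allow-update { none; };
};

// The other lab domain lives on dns2: forward it there instead of
// defining another.local records inside example.local
zone "another.local" IN {
    type forward;
    forward only;
    forwarders { 192.168.21.130; };   // dns2, assumed address
};

; /var/named/forward.example.local on dns1 -- example zone file
$TTL 1D
$ORIGIN example.local.
@       IN SOA  dns1.example.local. root.example.local. (
                1       ; serial (bump on every change)
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   dns1.example.local.
@       IN MX   5 centos1.example.local.
; SPF: only the MX host may send mail for example.local,
; everything else hard-fails (-all)
@       IN TXT  "v=spf1 mx -all"
dns1    IN A    192.168.21.131
centos1 IN A    192.168.21.128
; centos2 is assumed to be centos2.another.local and is defined on dns2
```

After editing, `named-checkconf` and `named-checkzone example.local /var/named/forward.example.local` catch syntax and out-of-zone mistakes before reload. From centos1, `dig @192.168.21.131 another.local MX` should then return dns2's MX record, which is what Postfix needs to replace the "Host not found" error, and `dig @192.168.21.131 example.local TXT` shows the SPF policy the receiving side will evaluate. Note that the posted reverse zone also contains A records and a PTR for a host in another.local; a reverse zone should carry only the PTR records (plus SOA and NS) for its own address block.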