Unable to resolve a private domain with bind9 over a WireGuard VPN connection

I have a VPS with a static external IP running Ubuntu 22.04. I configured a WireGuard VPN connection to my server that tunnels all traffic through the VPS. I also enabled UFW. I want to resolve some domains while the VPN connection is up, so I installed bind9 on the same server. Unfortunately, resolution does not work. For example, say I want to resolve my private domain

My WireGuard configuration is:

[Interface]
Address = 10.8.0.1/24
MTU = 1500
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <PRIVATE_KEY>
DNS = 1.1.1.1, 8.8.8.8

[Peer]
....

I have enabled IP forwarding in /etc/sysctl.conf:

...
net.ipv4.ip_forward=1
...

My /etc/bind/named.conf.options:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };

    allow-recursion { 127.0.0.1; 10.8.0.0/24; };
    version "guess";
};

And the bind9 zone configuration, /etc/bind/named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "myprivatedomain" {
        type master;
        file "/etc/bind/zones/db.myprivatedomain";
};

And the zone file /etc/bind/zones/db.myprivatedomain:

$TTL 86400

@ IN SOA ns1.myprivatedomain. admin.myprivatedomain. (
    2023092301 ; Serial (YYYYMMDD plus 2 digit serial)
    86400 ; refresh (1 day)
    7200 ; retry (2 hours)
    8640000 ; expire (100 days)
    86400) ; minimum (1 day)
    
; Name Servers
@       IN      NS      ns1.myprivatedomain.

; A records
@       IN      A       10.8.0.1

; A records
ns1     IN      A       10.8.0.1

Here is some service status output:

root@blablabla:/etc/bind# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2023-09-23 16:49:13 CEST; 13min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 82319 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 82319 (code=exited, status=0/SUCCESS)
        CPU: 544ms

Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip link add wg0 type wireguard
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] wg setconf wg0 /dev/fd/63
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip link set mtu 1500 up dev wg0
Sep 23 16:49:12 blablabla.dev wg-quick[82338]: [#] resolvconf -a tun.wg0 -m 0 -x
Sep 23 16:49:13 blablabla.dev wg-quick[82319]: [#] ufw route allow in on wg0 out on eth0
Sep 23 16:49:13 blablabla.dev wg-quick[82414]: Rule added
Sep 23 16:49:13 blablabla.dev wg-quick[82414]: Rule added (v6)
Sep 23 16:49:13 blablabla.dev wg-quick[82319]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Sep 23 16:49:13 blablabla.dev systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

root@blablabla:/etc/bind# systemctl status bind9
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-09-23 17:01:36 CEST; 3min 27s ago
       Docs: man:named(8)
    Process: 82997 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 82998 (named)
      Tasks: 14 (limit: 19101)
     Memory: 6.9M
        CPU: 85ms
     CGroup: /system.slice/named.service
             └─82998 /usr/sbin/named -u bind -4

Sep 23 17:01:36 blablabla.dev named[82998]: zone 0.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone localhost/IN: loaded serial 2
Sep 23 17:01:36 blablabla.dev named[82998]: zone 255.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone myprivatedomain/IN: loaded serial 2023092301
Sep 23 17:01:36 blablabla.dev named[82998]: all zones loaded
Sep 23 17:01:36 blablabla.dev named[82998]: running
Sep 23 17:01:36 blablabla.dev systemd[1]: Started BIND Domain Name Server.
Sep 23 17:01:36 blablabla.dev named[82998]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Sep 23 17:01:36 blablabla.dev named[82998]: resolver priming query complete: success

I can connect to the VPN and access the internet, but I cannot reach my private domain. ping does not work either. However, I can reach the web server using the IP 10.8.0.1. Also, my public domains (resolved by Namecheap's DNS servers) work fine and I can reach them.

Here are the ping and dig answers:

root@blablabla:/etc/bind# ping myprivatedomain
ping: myprivatedomain: Name or service not known
root@blablabla:/etc/bind# dig myprivatedomain

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> myprivatedomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;myprivatedomain.       IN  A

;; AUTHORITY SECTION:
.           86400   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2023092100 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Sep 23 17:15:04 CEST 2023
;; MSG SIZE  rcvd: 119

Can you help me solve this?

Update 1.

It seems the problem was in the bind9 configuration and in the client's config file.

I removed listen-on-v6 { any; }; (since I have IPv6 disabled anyway) and added listen-on { 10.8.0.1; };:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on { 10.8.0.1; };

    allow-recursion { 127.0.0.1; 10.8.0.0/24; };
    version "guess";
};

I have the following WireGuard configuration for the client:

[Interface]
Address = 10.8.0.102/32
PrivateKey = <PRIVATEKEY>
DNS = 1.1.1.1, 213.136.95.10, 213.136.95.11

[Peer]
PublicKey = <PUBLICKEY>
AllowedIPs = 0.0.0.0/0         # Route all traffic through the VPN server
Endpoint = <IP>:<PORT>

I replaced it with DNS = 10.8.0.1, 1.1.1.1 and everything works.

As far as I understand, I can't push DNS settings from the server to the client, but maybe I'm wrong?
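The failure mode in the question (the client's DNS list names only public resolvers, so the private zone is never asked of bind9) can be caught by checking the client config against named.conf.options. The following is an added example, not code from the question or from bind9/WireGuard; the configs are constructed to mirror the ones above, and check_private_dns is a hypothetical helper.

```python
import ipaddress
import re

# Constructed configs modelled on the question: the broken client config uses
# only public resolvers, the fixed one lists the VPN-side bind9 address first.
CLIENT_BROKEN = """[Interface]
Address = 10.8.0.102/32
DNS = 1.1.1.1, 213.136.95.10, 213.136.95.11

[Peer]
AllowedIPs = 0.0.0.0/0
"""
CLIENT_FIXED = CLIENT_BROKEN.replace(
    "DNS = 1.1.1.1, 213.136.95.10, 213.136.95.11", "DNS = 10.8.0.1, 1.1.1.1")

NAMED_OPTIONS = """options {
    listen-on { 10.8.0.1; };
    allow-recursion { 127.0.0.1; 10.8.0.0/24; };
};
"""

def wg_interface(cfg):
    """Return (interface IP, list of DNS servers) from a wg-quick [Interface] section."""
    iface = cfg.split("[Peer]")[0]
    addr = re.search(r"^\s*Address\s*=\s*(\S+)", iface, re.M).group(1)
    dns = re.search(r"^\s*DNS\s*=\s*(.+)$", iface, re.M)
    servers = [s.strip() for s in dns.group(1).split(",")] if dns else []
    return ipaddress.ip_interface(addr).ip, servers

def named_list(options, key):
    """Extract the address-match list for `key` (e.g. listen-on) from named.conf.options."""
    m = re.search(r"\b" + key + r"\s*\{([^}]*)\}", options)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else []

def listens_on(options, server):
    """True if bind9's listen-on list covers the given resolver address."""
    entries = named_list(options, "listen-on")
    if "any" in entries:
        return True
    return any(ipaddress.ip_address(server) == ipaddress.ip_address(e) for e in entries)

def check_private_dns(client_cfg, options):
    """List the reasons a VPN client would fail to resolve the private zone."""
    client_ip, servers = wg_interface(client_cfg)
    recursion_entries = named_list(options, "allow-recursion")
    problems = []
    # The private zone is only reachable if a resolver the client uses is bind9 itself.
    if not any(listens_on(options, s) for s in servers):
        problems.append("client DNS list has no server bind9 listens on")
    # bind9 answers recursive queries only from addresses in allow-recursion.
    nets = [ipaddress.ip_network(n, strict=False) for n in recursion_entries if n != "any"]
    if "any" not in recursion_entries and not any(client_ip in n for n in nets):
        problems.append("client address not covered by allow-recursion")
    # Keep the VPS from becoming an open resolver on its public interface.
    if "any" in recursion_entries:
        problems.append("allow-recursion { any; } exposes an open resolver")
    return problems
```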

Answer 1

As far as I understand, I can't push DNS settings from the server to the client, but maybe I'm wrong?

You actually can't push any settings with WG. WireGuard creates the tunnel based on the configuration on both ends. WG is a low-level system; its configuration is handled by some separate layer.
