为什么我无法解析实验室网络后面的子网的名称?

tag-icon tag-icon ubuntu domain-name-system bind isc-dhcp
为什么我无法解析实验室网络后面的子网的名称?

我已接到任务,设置一个网络,其中已为我的“公共 IP”10.200.3.2/28 设置网关。我要设置一个 gw/dhcp,它使用现有网关,在一个 vlan 接口 (eth0.2) 上指定 ip 地址,并使用 NAT 将流量从 172.16.0.0/25 发送到互联网,然后再返回伪装。

我首先尝试设置一个简单的 NAT,如下所示:

*nat
:POSTROUTING ACCEPT [0:0]

#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE

然后在第二台机器上设置 BIND9,只使用内部 ip(正向和反向),不使用任何视图或 acl。这很有效,我能够解决问题。然后我继续进行,最终到了现在这个地步。我无法使用 ping 或 nslookup 来解决问题,当我尝试使用例如“www.example.com”时,我得到了以下信息:

user@ns:~$ nslookup www.example.com
;; communications error to 172.16.0.2#53: timed out
;; Got SERVFAIL reply from 172.16.0.2, trying next server
;; communications error to 10.250.0.5#53: timed out
;; communications error to 10.250.0.5#53: timed out
;; no servers could be reached

状态显示:

Nov 24 22:23:46 ns.bedrift3.d3-101.usn named[2232]: network unreachable resolving 'ntp.ubuntu.com/AAAA/IN': 10.250.0.5#53
Nov 24 22:28:55 ns.example.com named[2232]: listening on IPv4 interface eno1, 172.16.0.2#53
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out

我在这个领域还很新,感觉我已经尽了最大的努力,因此非常感谢任何反馈。

两台机器都在 ubuntu 22.04 LTS Server 上

Everything 网关 DHCP(172.16.0.1) 能够从 gw 解析(由于某种原因真的很慢)

user@gw:~$ ping google.com
PING google.com (172.217.21.174) 56(84) bytes of data.
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=1 ttl=52 time=10.5 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=2 ttl=52 time=10.3 ms
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=3 ttl=52 time=10.3 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=4 ttl=52 time=10.6 ms

user@gw:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 169.254.245.151/16 brd 169.254.255.255 scope link noprefixroute eth0
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether dc:a6:32:44:a2:1a brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 10.200.3.2/28 brd 10.200.3.15 scope global noprefixroute eth0.2
       valid_lft forever preferred_lft forever
5: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/25 brd 172.16.0.127 scope global noprefixroute eth0.30
       valid_lft forever preferred_lft forever

user@gw:~$ ip r
default via 10.200.3.1 dev eth0.2 proto static metric 401
10.200.3.0/28 dev eth0.2 proto kernel scope link src 10.200.3.2 metric 401
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.245.151 metric 100
172.16.0.0/25 dev eth0.30 proto kernel scope link src 172.16.0.1 metric 400
224.0.0.0/4 dev eth0 proto static scope link metric 100

/etc/ufw/before.rules

# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE

#Port forwarding
-A PREROUTING -i eth0.30 -p tcp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 1433 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 1433 -j DNAT --to-destination 172.16.0.3

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

dhcpd配置文件

option domain-name "example.com";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;

subnet 172.16.0.0 netmask 255.255.255.128 {
        option domain-name-servers 172.16.0.2, 10.250.0.5, 8.8.8.8;
        option routers 172.16.0.1;
        option broadcast-address 172.16.0.127;
}

host DNS {
        hardware ethernet 18:03:73:28:00:35;
        fixed-address 172.16.0.2;
}

host webserver {
        hardware ethernet 00:25:64:E6:FD:CF;
        fixed-address 172.16.0.3;
}

host safe-dhcp {
        hardware ethernet DC:A6:32:44:A2:58;
        fixed-address 172.16.0.4;
}

一切 ns(172.16.0.2)

user@ns:~$ ping google.com
ping: google.com: Temporary failure in name resolution

user@ns:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 18:03:73:28:00:35 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    inet 172.16.0.2/25 brd 172.16.0.127 scope global dynamic noprefixroute eno1
       valid_lft 509sec preferred_lft 509sec
    inet6 fe80::1a03:73ff:fe28:35/64 scope link
       valid_lft forever preferred_lft forever
user@ns:~$ ip r
default via 172.16.0.1 dev eno1 proto dhcp metric 100
172.16.0.0/25 dev eno1 proto kernel scope link src 172.16.0.2 metric 100

DNS 文件

/etc/bind/named.conf.options 10.150.0.5 是一个经过实验室测试的 DNS 服务器。

options {
        listen-on port 53 { localhost; 172.16.0.2; };
        directory "/var/cache/bind";
        allow-query { any; };
        allow-transfer { any; };
        forwarders { 10.250.0.5; };
        forward only;
};

acl private { localhost; 172.16.0.0/25; 172.16.1.0/25; };

acl public { 10.100.7.0/24; 10.250.0.0/16; };

/etc/bind/named.conf.local

view private {
        match-clients { private; };

        zone "." {
                type hint;
                file "/usr/share/dns/root.hints";
        };

        zone "example.com" IN {
                type master;
                file "/etc/bind/db.example.com";
                allow-update { none; };
        };

        zone "3.200.10.in-addr.arpa" IN {
                type master;
                file "/etc/bind/db.10.200.3";
                allow-update { none; };
        };
};

view public {
        match-clients { public; };

        zone "example.com" IN {
                type master;
                file "/etc/bind/db.public.example.com";
                allow-update { none; };
        };

        zone "0.16.172.in-addr.arpa" IN {
                type master;
                file "/etc/bind/db.172.16.0";
                allow-update { none; };
        };
};

/etc/bind/db.example.com

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

gw      IN      A       172.16.0.1
ns      IN      A       172.16.0.2
www     IN      A       172.16.0.3
mail    IN      A       172.16.0.3
safe    IN      A       172.16.0.4
@       IN      MX      10      mail

/etc/bind/db.public.example.com

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

gw      IN      A       10.200.3.1
ns      IN      A       10.200.3.2
www     IN      A       10.200.3.2
mail    IN      A       10.200.3.2
safe    IN      A       10.200.3.2
@       IN      MX      10      mail

/etc/bind/db.10.200.3

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

1       IN      PTR     gw.example.com.
2       IN      PTR     ns.example.com.
3       IN      PTR     www.example.com.
3       IN      PTR     mail.example.com.
4       IN      PTR     safe.example.com.

/etc/bind/db.172.16.0

$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)

@       IN      NS      dns-example.com.

1       IN      PTR     gw.example.com.
2       IN      PTR     ns.example.com.
3       IN      PTR     www.example.com.
3       IN      PTR     mail.example.com.
4       IN      PTR     safe.example.com.

答案1

似乎您的 DNS 服务器无法在 10.150.0.5 上访问,因为您将所有内容转发到 172.16.0.2。

您可以尝试将 iptables 规则中的 dns 转发更改为类似以下内容

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.150.0.5

我不确定这是否会起作用,因为您的设置中的所有配置文件都让我有点困惑。

相关内容