I am setting up a local forward-only DNS server (bind9). It has the following configuration:
options {
    directory "/var/cache/bind";
    recursion yes; /* So that the server can answer queries about domains it is not authoritative for. */
    allow-query { homeclients; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-validation yes;
    auth-nxdomain no; # conform to RFC1035
    listen-on port 53 {
        127.0.0.1;
        192.168.1.33;
    };
    listen-on-v6 { any; };
};
But when I run:
dig @127.0.0.1 ubuntu.com +trace
I get:
; (1 server found)
;; global options: +cmd
. 3600000 IN NS J.ROOT-SERVERS.NET.
...
. 3600000 IN NS K.ROOT-SERVERS.NET.
;; Received 811 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
ubuntu.com. 3600 IN A 91.189.94.40
;; Received 55 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 1 ms
dig gets the information from the local bind, which, according to my configuration, should forward every query to Google's DNS servers. Yet it also asks the root servers...
Why does a forward-only DNS server ask the "root" servers? Thanks.
Answer 1
I think you have misunderstood how dig's trace mode actually works. Looking at the dig man page, you get the following:
+[no]trace
Toggle tracing of the delegation path from the root name servers
for the name being looked up. Tracing is disabled by default. When
tracing is enabled, dig makes iterative queries to resolve the name
being looked up. It will follow referrals from the root servers,
showing the answer from each server that was used to resolve the
lookup.
If @server is also specified, it affects only the initial query for
the root zone name servers.
In particular, the last part states explicitly that dig +trace @server asks the server only for the root name servers and then takes over itself, iterating through the next level of name servers.
That said, I understand your confusion; I had to look it up myself ;)
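The following is an added example, not code from the question or the answer. It parses dig +trace output (a constructed sample modelled on the question's output; 127.0.0.1 and C.ROOT-SERVERS.NET come from the page, the other hop uses a TEST-NET placeholder address and a made-up name) and shows that the server named with @server answers only the first hop, while every later hop is dig's own iteration that never goes back through the forward-only resolver.

```shell
#!/bin/sh
# Added example (not from the original post): list the server that answered each
# hop of a `dig +trace` run and confirm the resolver given with @server is used
# only for the initial root-NS query, exactly as the dig manual describes.

# Constructed sample output. 127.0.0.1 and 192.33.4.12 (C.ROOT-SERVERS.NET)
# appear in the question; 192.0.2.20 / tld.example.net are placeholders.
TRACE_SAMPLE='; (1 server found)
;; global options: +cmd
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
;; Received 811 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com.                    172800  IN      NS      tld.example.net.
;; Received 1170 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 1 ms
ubuntu.com.             3600    IN      A       91.189.94.40
;; Received 55 bytes from 192.0.2.20#53(tld.example.net) in 12 ms'

# trace_hops: read dig +trace output on stdin and print "hop ip name" per hop.
# Field 6 of a ";; Received ... from" line looks like 127.0.0.1#53(127.0.0.1).
trace_hops() {
    awk '/^;; Received .* bytes from /{
        ip = $6;   sub(/#.*/, "", ip)                 # strip "#53(name)"
        name = $6; sub(/.*\(/, "", name); sub(/\).*/, "", name)
        printf "%d %s %s\n", ++hop, ip, name
    }'
}

# resolver_hops RESOLVER: print how many hops after the first were answered by
# RESOLVER and return 0 only when that count is zero, i.e. the local resolver
# (and therefore its forwarders) was consulted for nothing but the root NS list.
resolver_hops() {
    resolver=$1
    count=$(trace_hops | awk -v r="$resolver" 'NR > 1 && $2 == r { c++ } END { print c + 0 }')
    echo "$count"
    [ "$count" -eq 0 ]
}

# Usage: show the hops, then verify the resolver appears only at hop 1.
printf '%s\n' "$TRACE_SAMPLE" | trace_hops
printf '%s\n' "$TRACE_SAMPLE" | resolver_hops 127.0.0.1
```

To check that the forwarders really are in use, query without +trace and read the ";; SERVER:" line of the normal dig output instead; +trace tells you nothing about the forwarding path.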