A bind9 problem: name resolution times out
1. Symptom
[c:\~]$ nslookup
默认服务器: UnKnown
Address: 10.1.1.1
> server 172.30.0.1
DNS request timed out.
timeout was 2 seconds.
默认服务器: [172.30.0.1]
Address: 172.30.0.1
> uat.bacic.com
*** 请求 [172.30.0.1] 超时
服务器: [172.30.0.1]
Address: 172.30.0.1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
2. Pointing nslookup directly at server 172.30.1.1 still times out, so the locally installed DNS server must be failing to resolve the name; it never returned an answer.
3. Check the configuration
cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
The configuration contains no zone entry for the def.com zone file.
Add the following configuration:
zone "abc.def.com" IN {
    type master;
    file "abc.def.com.zone";    // relative to the "directory" option in named.conf (/var/named)
    allow-update { none; };
};
Create the file abc.def.com.zone under /var/named:
$TTL 1D
$ORIGIN abc.def.com.
@        IN SOA  abc.def.com. admin.abc.def.com. (
                 20170526   ; serial
                 1D         ; refresh
                 1H         ; retry
                 1W         ; expire
                 3H )       ; minimum
; the apex NS must be a name inside this zone, otherwise named reports
; "has no NS records" and refuses to load the zone
@        IN NS   ns1
ns1      IN A    172.30.1.22
harbor   IN A    172.30.1.64
pinpoint IN A    172.30.1.53
grafana  IN A    172.30.1.42
uat      IN A    172.30.1.22
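As an added example (not code from the original post), a small Python checker that reproduces the apex checks named applies before loading a zone file like the one above. The sample zone text is constructed from that file, with the NS record deliberately owned by a different domain so that the apex ends up with no NS record, which is exactly the kind of mistake that makes a zone fail to load.

```python
def fqdn(name, origin):
    """'@' means the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def parse_zone(text, origin):
    """Minimal parser: $ORIGIN/$TTL, ';' comments, '(...)' multi-line records."""
    records, buf, depth, owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth:                                      # record continues on next line
            continue
        logical, buf = " ".join(buf), []
        toks = logical.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks[0] != "$TTL":
            if not logical[0].isspace():               # owner given in column 1
                owner = fqdn(toks.pop(0), origin)
            while toks[0] == "IN" or toks[0].isdigit():   # optional class / TTL
                toks.pop(0)
            records.append((owner, toks[0].upper(), " ".join(toks[1:])))
    return records

def check_zone(text, zone):
    """Apex checks in the spirit of named-checkzone; returns a list of problems."""
    zone = zone.rstrip(".") + "."
    recs = parse_zone(text, zone)
    in_zone = lambda n: n == zone or n.endswith("." + zone)
    problems = [f"out-of-zone data ignored: {o}" for o, _, _ in recs if not in_zone(o)]
    apex = {t for o, t, _ in recs if o == zone}
    problems += [f"no {t} record at apex" for t in ("SOA", "NS") if t not in apex]
    apex_ns = [fqdn(r, zone) for o, t, r in recs if o == zone and t == "NS"]
    addrs = {o for o, t, _ in recs if t in ("A", "AAAA")}
    problems += [f"NS {n} has no address record" for n in apex_ns if in_zone(n) and n not in addrs]
    return problems

# Constructed sample modelled on the zone file above; the NS line is owned by a different domain.
BROKEN = """\
$TTL 1D
$ORIGIN abc.def.com.
@   IN SOA abc.def.com. admin.abc.def.com. (
        20170526 1D 1H 1W 3H )   ; serial refresh retry expire minimum
cbsv.bacic.com. IN NS ns1.cbsv.bacic.com.
ns1 IN A 172.30.1.22
"""
FIXED = BROKEN.replace("cbsv.bacic.com. IN NS ns1.cbsv.bacic.com.", "@ IN NS ns1")
```

On the server itself, named-checkzone abc.def.com /var/named/abc.def.com.zone performs the authoritative version of this check; run it before rndc reload so a zone that fails to load is caught before it turns into SERVFAIL or timeouts for clients.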
4. Restart the service: systemctl restart named
5. Common commands
dig uat.def.com @172.30.1.1    query the DNS server directly; the status field in the reply means:
  NOERROR    the name resolved and the query succeeded
  NXDOMAIN   the server reports that no such name exists
  SERVFAIL   the server is down, or DNSSEC validation of the response failed
  REFUSED    the server refuses to answer (possibly because of access control)
nslookup uat.def.com    resolve the name with nslookup
nslookup                interactive mode:
  server 172.30.1.1     select the DNS server to query
  uat.bacic.com         query the name
rndc reload    applies the DNS configuration immediately, without a restart
6. named.conf configuration
[root@ip-172-30-4-53 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { any; };      // changed from 127.0.0.1; to any, so named listens on all IPs
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };        // changed from localhost to 0.0.0.0/0: allow queries from all IPs;
                                     // without this, queries are answered with REFUSED

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
This article is from 博客园 (cnblogs), author: 春江潮水连海平. When reposting, please credit the original link: https://www.cnblogs.com/alonewaiting/p/14011700.html