Fra*_*oyd 5 domain-name-system centos7
Linux newbie, looking for friendly help.
My company is reconfiguring our network's DNS infrastructure so that our internal DNS servers point at two new CentOS 7 / BIND 9 machines in our DMZ instead of reaching out directly to resolve unknown hosts. I have installed CentOS core, configured the IP, mask and GW for the network the servers sit on, and verified that IP connectivity works.
# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="ens160"
UUID="939ac388-1804-487d-a38c-307b7fa8ac18"
DEVICE="ens160"
ONBOOT="yes"
IPADDR="10.1xx.x.x"
PREFIX="24"
GATEWAY="10.1xx.x.1"
DNS1="127.0.0.1"
DNS2="8.8.8.8"
DNS3="198.41.0.4"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"
Then I was able to install BIND and BIND-UTILS. After that, everything went downhill. I cannot perform nslookups of anything from either server or from the internal test DNS server. I worked with our firewall engineer, who has verified that DNS traffic is allowed from my internal test DNS server to the two DMZ DNS caching servers, and from them out to the world; I am now trying to reach him to make sure the outbound NAT is working. I configured localhost, 8.8.8.8 and 198.41.0.4 as the DNS servers on the two DNS caching servers.
# cat /etc/resolv.conf
# Generated by NetworkManager
search <my.domain>
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 198.41.0.4
Hosts file:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
Network file:
# cat /etc/sysconfig/network
# Created by anaconda
I also tried disabling the firewall on both servers, but there was no change in behaviour.
I hate that this is holding up the project, but I would really hate to use a Windows server for this... :) Any help would be greatly appreciated.
- - - - - - UPDATE - - - - - -
Thanks everyone for the replies. 127.0.0.1 is a placeholder that will be replaced with the IP of the other server in the pair. The idea is that if one does not have a record in its cache, it can ask the other before going out to the world for it. I temporarily removed 127.0.0.1 from the list, rebooted the server, and nslookups now work. :-) IP connectivity has been working all along even though DNS resolution was not, which is what led me to update the root hints yesterday morning. As for not using Linux and running this on Windows, not my decision... management wanted Linux for this and I got tagged to implement it. Hence asking for help from people with more experience. I will be spending my weekend on www.Pluralsight.com trying to learn more.
# dig +short @198.41.0.4 serverfault.com
# dig +short @8.8.8.8 serverfault.com
104.16.46.232
104.16.48.232
104.16.49.232
104.16.47.232
104.16.45.232
# dig +short @127.0.0.1 serverfault.com
;; connection timed out; no servers could be reached
# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-04-08 13:36:46 EDT; 5s ago
Process: 1867 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 1878 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1876 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1881 (named)
CGroup: /system.slice/named.service
1881 /usr/sbin/named -u named
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: journal file is out of date: removi...file
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: loaded serial 3
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost.localdomain/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: all zones loaded
Apr 08 13:36:46 <DNS Cache Server> named[1881]: running
Apr 08 13:36:46 <DNS Cache Server> systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
# ping www.eye4u.com
PING www.eye4u.com (208.91.197.132) 56(84) bytes of data.
64 bytes from 208.91.197.132: icmp_seq=1 ttl=244 time=46.4 ms
64 bytes from 208.91.197.132: icmp_seq=2 ttl=244 time=52.2 ms
...
--- www.eye4u.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 26201ms
rtt min/avg/max/mdev = 45.103/49.591/54.753/3.257 ms
# nslookup
> www.bermuda.com
Server: 4.2.2.2
Address: 4.2.2.2#53
Non-authoritative answer:
www.bermuda.com canonical name = bermuda.com.
Name: bermuda.com
Address: 104.27.191.246
Name: bermuda.com
Address: 104.27.190.246
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl trusted {
<internal DNS 1 IP>;
<internal DNS 2 IP>;
<internal DNS 3 IP>;
<internal DNS 4 IP>;
<internal DNS 5 IP>;
<internal DNS 6 IP>;
localhost;
};
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
#allow-transfer {}
// "trusted" already contains localhost; a second allow-query statement
// would be a redefinition that named-checkconf rejects.
allow-query { trusted; };
forwarders { 198.41.0.4; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
************** UPDATE 2 **************
After posting the first update I noticed that the "listen-on port 53" option was still set to "{ 127.0.0.1; };", so I added the caching server's IP to the list and restarted named. Our internal DNS servers still could not query the caching servers, so I checked the firewall status, since I had rebooted the caching servers earlier. Bingo - I had forgotten to set the rule enabling port 53 traffic. Now things are happy. If you see any settings in the config that could be improved, please let me know. Thanks again for your help.
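As an added example (not from the question or any answer on this page), a small Python linter for the named.conf options block checks the three things this thread turned on: a loopback-only listen-on, a redefined allow-query, and recursion opened to "any" (the amplification warning in the stock config comment). The sample blocks and the 10.1.2.x addresses are constructed placeholders.

```python
import re

# Constructed sample: the options block from the question (loopback-only listen-on,
# allow-query defined twice) with placeholder internal IPs.
SAMPLE_BEFORE = """
acl trusted { 10.1.2.3; 10.1.2.4; localhost; };
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    allow-query { trusted; };
    allow-query { localhost; };
    forwarders { 198.41.0.4; };
    recursion yes;
};
"""
# Same block after the fixes from update 2: listen on the server's own
# (placeholder) address, one allow-query, and an explicit allow-recursion.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "{ 127.0.0.1; };", "{ 127.0.0.1; 10.1.2.10; };", 1).replace(
    "allow-query { localhost; };", "allow-recursion { trusted; };")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(conf):
    # Yield (keyword, values) for each statement inside options { }.
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # named.conf comment styles
    text = re.sub(r"(//|#).*", "", text)
    start = text.index("{", text.index("options"))
    depth = 0
    for end in range(start, len(text)):                 # find the matching brace
        depth += {"{": 1, "}": -1}.get(text[end], 0)
        if depth == 0:
            break
    for m in re.finditer(r"([\w-]+)([^{;]*)(?:\{([^}]*)\})?\s*;", text[start + 1:end]):
        kw, args, inner = m.groups()
        values = inner.split(";") if inner is not None else args.split()
        yield kw, [v.strip() for v in values if v.strip()]

def lint_options(conf):
    # Return a list of findings; an empty list means the checks passed.
    seen = {}
    for kw, vals in parse_options(conf):
        seen.setdefault(kw, []).append(vals)
    findings = [f"{kw} is defined {len(v)} times; named-checkconf rejects a redefinition"
                for kw, v in seen.items() if len(v) > 1]
    listeners = [a for s in seen.get("listen-on", []) + seen.get("listen-on-v6", []) for a in s]
    if listeners and all(a in LOOPBACK for a in listeners):
        findings.append("listen-on is loopback-only; other hosts cannot reach port 53")
    recursers = [a for s in seen.get("allow-recursion", []) for a in s]
    queriers = [a for s in seen.get("allow-query", []) for a in s]
    # BIND derives allow-recursion from allow-query when allow-recursion is not set
    if ["yes"] in seen.get("recursion", []) and "any" in (recursers or queriers):
        findings.append("recursion yes for any: open resolver (see the amplification warning)")
    return findings
```

Run it over the real file with lint_options(open("/etc/named.conf").read()) before restarting named; it complements named-checkconf, which only checks syntax.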
小智 0
I had a similar problem. Well, the following steps worked for me and may help you.
vi /etc/selinux/config
and change it to SELINUX=disabled, then restart the server.
The edited file looks like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted