New to Linux and seeking friendly assistance.

My company is reconfiguring our network DNS infrastructure, pointing our internal DNS servers at two new CentOS 7 / BIND 9 machines in our DMZ instead of having them resolve unknown hosts directly. I have installed the CentOS core, configured the IP, mask and gateway for the network the servers sit on, and verified that IP connectivity is working.
```
# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="ens160"
UUID="939ac388-1804-487d-a38c-307b7fa8ac18"
DEVICE="ens160"
ONBOOT="yes"
IPADDR="10.1xx.xx"
PREFIX="24"
GATEWAY="10.1xx.x.1"
DNS1="127.0.0.1"
DNS2="8.8.8.8"
DNS3="198.41.0.4"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"
```
I was then able to install BIND and BIND-UTILS. After that, everything went downhill. I cannot perform nslookups from either server or from my internal test DNS server. I have worked with our firewall engineer, who has verified that DNS traffic is allowed between the internal test DNS server and the two DMZ DNS caching servers, and I am trying to reach him to make sure the external NAT is working. I have configured localhost, 8.8.8.8 and 198.41.0.4 as the DNS servers for the DNS caching servers.
```
# cat /etc/resolv.conf
# Generated by NetworkManager
search <my.domain>
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 198.41.0.4
```
Hosts file:

```
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
```
Network file:

```
cat /etc/sysconfig/network
# Created by anaconda
```
I have also tried disabling the firewall on both servers, but the behavior did not change.

I hate this project, but I really hate using Windows servers... :) Any assistance would be greatly appreciated.
----------- UPDATE -----------

Thanks everyone for the replies. 127.0.0.1 is a placeholder that will be replaced with the IP of the other server in the pair. The idea is that if one does not have a record in its cache, it can ask the other before going out to the world for the information. Now that I have removed 127.0.0.1 from the list and restarted the server, nslookups are working. :-) IP connectivity has been working all along, even when DNS resolution was not, which is what let me update the root hints yesterday morning. As for using Linux rather than Windows, that was not my decision... management wants Linux for this, and I was tagged to make it happen. Hence, I am seeking help from those with more experience. I will be spending my weekend buried in www.Pluralsight.com trying to learn more.
```
# dig +short @198.41.0.4 serverfault.com
# dig +short @8.8.8.8 serverfault.com
104.16.46.232
104.16.48.232
104.16.49.232
104.16.47.232
104.16.45.232
# dig +short @127.0.0.1 serverfault.com
;; connection timed out; no servers could be reached
# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-04-08 13:36:46 EDT; 5s ago
  Process: 1867 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1878 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1876 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1881 (named)
   CGroup: /system.slice/named.service
           1881 /usr/sbin/named -u named

Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: journal file is out of date: removi...file
Apr 08 13:36:46 <DNS Cache Server> named[1881]: managed-keys-zone: loaded serial 3
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 0.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost.localdomain/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone localhost/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
Apr 08 13:36:46 <DNS Cache Server> named[1881]: all zones loaded
Apr 08 13:36:46 <DNS Cache Server> named[1881]: running
Apr 08 13:36:46 <DNS Cache Server> systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
```
```
# ping www.eye4u.com
PING www.eye4u.com (208.91.197.132) 56(84) bytes of data.
64 bytes from 208.91.197.132: icmp_seq=1 ttl=244 time=46.4 ms
64 bytes from 208.91.197.132: icmp_seq=2 ttl=244 time=52.2 ms
...
--- www.eye4u.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 26201ms
rtt min/avg/max/mdev = 45.103/49.591/54.753/3.257 ms
# nslookup
> www.bermuda.com
Server:         4.2.2.2
Address:        4.2.2.2#53

Non-authoritative answer:
www.bermuda.com canonical name = bermuda.com.
Name:   bermuda.com
Address: 104.27.191.246
Name:   bermuda.com
Address: 104.27.190.246
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl trusted {
    <internal DNS 1 IP>
    <internal DNS 2 IP>
    <internal DNS 3 IP>
    <internal DNS 4 IP>
    <internal DNS 5 IP>
    <internal DNS 6 IP>
    localhost;
};

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    #allow-transfer {}
    allow-query     { trusted; };
    allow-query     { localhost; };
    forwarders { 198.41.0.4; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
************** UPDATE 2 **************

After posting the first update, I noticed that the "listen-on port 53" option was still set to "{ 127.0.0.1; };", so I added the caching server's IP to the list and restarted. Our internal DNS servers still could not query the caching servers, so I checked the firewall status, since I had rebooted the caching servers earlier. Bingo - I had forgotten to set a rule to allow traffic on port 53. Now things are happy. If you see any settings in the configuration that could be improved, please let me know. Thanks again for your help.
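A small checker, added here as an example (it is neither the poster's code nor part of BIND), that reads the options block of a named.conf like the one above and flags the three things worth catching before the server starts listening on its DMZ address: listen-on limited to loopback (the cause found in Update 2), the allow-query statement given twice, and a recursive resolver whose recursion scope is left to BIND's fallback or is open to any client. The sample config is constructed to mirror the post's, with made-up RFC 1918 addresses in place of the redacted ACL members; the defaults assumed (recursion yes, allow-query any, allow-recursion falling back via allow-query-cache to allow-query) are BIND's documented ones, and the checker assumes allow-query-cache is not set.

```python
import re
# Constructed named.conf fragment modelled on the post's options block; the ACL
# members are made-up RFC 1918 addresses, not the poster's real internal servers.
SAMPLE_CONF = """
acl trusted { 10.0.0.11; 10.0.0.12; localhost; };
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    #allow-transfer {}
    allow-query { trusted; };
    allow-query { localhost; };
    forwarders { 198.41.0.4; };
    recursion yes;
};
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
LISTS = ("listen-on", "listen-on-v6", "allow-query", "allow-recursion")
def options_block(text):
    """Body of options { ... } after stripping /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    m = re.search(r"\boptions\s*\{", text)
    depth, i = 1, m.end() if m else 0
    while m and i < len(text) and depth:          # brace counter so nested lists survive
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if m else ""
def parse_options(text):
    """Every occurrence of each address-list statement, plus the recursion flag."""
    block, found = options_block(text), {k: [] for k in LISTS}
    pat = r"(%s)(?![\w-])[^{;]*\{([^}]*)\}" % "|".join(LISTS)   # key [port N] { a; b; }
    for key, vals in re.findall(pat, block):
        found[key].append([v.strip() for v in vals.split(";") if v.strip()])
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", block)
    found["recursion"] = rec.group(1) if rec else "yes"           # BIND default is yes
    return found
def audit(text):
    """Findings for a caching resolver that is meant to serve other hosts."""
    o, findings = parse_options(text), []
    listen = [a for lst in o["listen-on"] + o["listen-on-v6"] for a in lst]
    if listen and all(a in LOOPBACK for a in listen):
        findings.append("listen-on: loopback only; other hosts cannot reach port 53")
    if len(o["allow-query"]) > 1:
        findings.append("allow-query: defined %d times; keep one statement" % len(o["allow-query"]))
    query = o["allow-query"][-1] if o["allow-query"] else ["any"]   # BIND default is any
    if o["recursion"] == "yes" and not o["allow-recursion"]:        # scope falls back to allow-query
        findings.append("open resolver: allow-query any and no allow-recursion" if "any" in query
                        else "allow-recursion unset; recursion falls back to allow-query %s" % query)
    return findings
```

Running `audit(SAMPLE_CONF)` on the constructed config yields three findings; a hardened options block with listen-on set to the server's address, one allow-query and an explicit allow-recursion { trusted; } yields none.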