Cisco DNS doctoring or hairpinning?

I have the following configuration: CISCO 881, IOS 15.2(4)M6. The 86.34.156.48/29 subnet from the ISP is configured on the WAN interface. Behind the router sit two web servers. NAT: 86.34.156.51 <> 10.10.10.100 (private IP, server1). If I configure the A record on the BIND DNS server with the server's external IP (86.34.156.51), the outside world never gets a response from my DNS server (I don't know what is happening there, maybe the router is doing DNS doctoring or something similar (this is one problem)), and I am certain the DNS server is configured and working correctly (I captured the packets with tcpdump). But if I configure the A record on the DNS server with the server's private IP (10.10.10.100), the packets reach the correct destination (with the server's external IP, perhaps DNS doctoring). The only problem is that the TTL value of the DNS packets disappears, as shown below.

What can I do?

                      +-----+
                      |     |  another host somewhere on internet (C)
                      |     |
                      +-----+
                         |
                         |
                         :
                      internet
                         :
                         |
                      +-----+
                      |     |  ISP's router
                      |     |  black box, without access
                      +-----+
                         |
                         |  86.34.456.48/29
                      +-----+
                      |     |  CISCO 881,
                      |     |  IOS 15.2(4)M6
                      +-----+
                         |
                         |
    ------------------------------------------------------------
                   local private network 10.10.10.0/24
            |                                  |
            |  (86.34.156.51)                  |  (Nat rule not yet attached)
            |  10.10.10.100                    |  10.10.10.101
            |                                  |
         +-----+                            +-----+
         |     |                            |     |
         |     |                            |     |
         +-----+                            +-----+
      linux server (A)                   linux server (B)
      BIND DNS server
      style2take.ro

Below are some dig outputs (dig is the DNS diagnostic tool under Linux):

From host B: $ dig style2take.ro

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42222
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;style2take.ro.                 IN      A

    ;; ANSWER SECTION:
    style2take.ro.          0       IN      A       10.10.10.100   <-- here you can see the TTL is 0

    ;; Query time: 52 msec
    ;; SERVER: 193.231.100.130#53(193.231.100.130)
    ;; WHEN: Fri Feb 20 10:27:25 EET 2015
    ;; MSG SIZE  rcvd: 58

From host B: $ dig @10.10.10.100 style2take.ro

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65374
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;style2take.ro.                 IN      A

    ;; ANSWER SECTION:
    style2take.ro.          3600    IN      A       10.10.10.100   <-- here you can see the TTL is 3600

    ;; AUTHORITY SECTION:
    style2take.ro.          3600    IN      NS      ns1.style2take.ro.
    style2take.ro.          3600    IN      NS      ns2.style2take.ro.

    ;; ADDITIONAL SECTION:
    ns1.style2take.ro.      3600    IN      A       10.10.10.100
    ns2.style2take.ro.      3600    IN      A       10.10.10.100

    ;; Query time: 0 msec
    ;; SERVER: 10.10.10.100#53(10.10.10.100)
    ;; WHEN: Fri Feb 20 10:28:58 EET 2015
    ;; MSG SIZE  rcvd: 126

From host C: $ dig style2take.ro

    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32364
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;style2take.ro.                 IN      A

    ;; ANSWER SECTION:
    style2take.ro.          0       IN      A       86.34.156.51   <-- here you can see the TTL is 0

    ;; AUTHORITY SECTION:
    ro.                     106161  IN      NS      sns-pb.isc.org.
    ro.                     106161  IN      NS      primary.rotld.ro.
    ro.                     106161  IN      NS      sec-dns-a.rotld.ro.
    ro.                     106161  IN      NS      sec-dns-b.rotld.ro.
    ro.                     106161  IN      NS      dns-at.rotld.ro.
    ro.                     106161  IN      NS      dns-ro.denic.de.

    ;; Query time: 149 msec
    ;; SERVER: 82.79.24.74#53(82.79.24.74)
    ;; WHEN: Fri Feb 20 10:29:52 2015
    ;; MSG SIZE  rcvd: 201

From host C: $ dig @86.34.156.51 style2take.ro

    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48385
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;style2take.ro.                 IN      A

    ;; ANSWER SECTION:
    style2take.ro.          0       IN      A       86.34.156.51   <-- here you can see the TTL is 0

    ;; AUTHORITY SECTION:
    style2take.ro.          0       IN      NS      ns2.style2take.ro.
    style2take.ro.          0       IN      NS      ns1.style2take.ro.

    ;; ADDITIONAL SECTION:
    ns1.style2take.ro.      0       IN      A       86.34.156.51
    ns2.style2take.ro.      0       IN      A       86.34.156.51

    ;; Query time: 29 msec
    ;; SERVER: 86.34.156.51#53(86.34.156.51)
    ;; WHEN: Fri Feb 20 10:35:05 2015
    ;; MSG SIZE  rcvd: 115

So, if DNS is not resolving for you, the problem could be twofold:

  1. Incorrect DNS configuration – is the global DNS system able to tell what the NS for your domain is? This is something you need to set up at your name provider. What is the output of dig style2take.ro NS?

  2. Your router does not allow DNS requests. From a server outside, try to telnet to the DNS server on port 53 (telnet 86.34.156.51 53) – DNS should work on both UDP and TCP; at least test the TCP part.
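To make the symptom in the dig outputs above checkable in code, here is an added example (not from the original post or the answer): a stdlib-only parser for DNS A answers, run on two constructed responses built by the assumed helper build_a_response (not real captures), one as server A hands it out (TTL 3600, 10.10.10.100) and one as host C received it (TTL 0, 86.34.156.51). doctoring_signs compares the two, which is what the NAT DNS rewrite on the router changes.

```python
import socket
import struct

def build_a_response(txid, name, ip, ttl):
    """Constructed sample response (not a real capture): one question, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # flags: QR=1, AA=1
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)  # owner = pointer to qname
    return header + question + answer

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_answers(msg):
    """Return [(owner, ttl, ip)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):  # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append((owner, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return records

def doctoring_signs(direct, via_router):
    """NAT DNS rewriting (Cisco 'DNS doctoring') shows as a changed address and TTL 0."""
    _, server_ttl, server_ip = parse_a_answers(direct)[0]
    _, seen_ttl, seen_ip = parse_a_answers(via_router)[0]
    return {"address_rewritten": server_ip != seen_ip,
            "ttl_zeroed": server_ttl != 0 and seen_ttl == 0,
            "server_ttl": server_ttl, "observed_ttl": seen_ttl}
```

Feed doctoring_signs() the raw UDP payload of a reply captured on server A and the matching reply captured on host C; both address_rewritten and ttl_zeroed coming back True is the router rewriting the answer, exactly what the dig outputs show (A record changed to 86.34.156.51, TTL 0).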