没必要注册
回复 9# lhq123lol
我表示你對DNS服務器的工作原理不夠理解,你看偏了。本人的內部dns服務器除了能夠解析自己的域名,一樣可以解析外部域名,不用什麼轉發器,謝謝,除非你那台DNS服務器無法訪問外網。
你要知道dns服務器查找域名他會優先查找自己的dns緩存記錄,如果緩存記錄沒有,就查找zone文件,如果都沒有,則會把這個請求發給全球最頂層的十三台域名服務器某一台上(當然現在中國加入了應該有14台),然後一級往一級查找。你dns服務器都架設了,難道你不知道你設定那個13台根服務器是拿來玩的?
回复 12# woxizishen
对啊,我也是这么理解的,可是我配置的DNS不能够解析外网域名呢? 我也知道根域名的作用,我用dig测试了一下,首先缓存中没有,然后我自己的DNS下也没有,当跑到根域下查找时就没有反应了,然后就解析不了。还请大神指教哈!
这是我的配置
一、named.conf文件
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
forward first;
forwarders{
//这一个转发器我填的是公司域名服务器地址,我设置和不设置一个样,都没有能解析外部域名,怎么回事?
};
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
二、named.rfc1912.zones文件
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update {none;};
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update {none;};
};
zone "13.7.10.in-addr.arpa" IN {
type master;
file "13.7.10.zone";
//allow-update { none; };
};
zone "test2.com" IN {
type master;
file "test2.com.zone";
};
zone "14.7.10.in-addr.arpa" IN {
type master;
file "14.7.10.zone";
};
三、named.ca 就不用说了吧,都一样,没更改其中的内容
四、test2.com.zone 文件
$TTL 1D
@ IN SOA ns.test2.com. root (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.test2.com.
ns IN A 10.7.14.15
www IN A 10.7.14.15
五、14.7.10.zone 文件
$TTL 1D
@ IN SOA ns.test2.com. root (
12 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.test2.com.
15 IN PTR ns.test2.com.
15 IN PTR www.test2.com.
基本就是这样配置的,能够解析我自己的www.test2.com ,但是不能解析例如:www.baidu.com这样的外网域名,怎么回事呢?
本帖最后由 woxizishen 于 2014-09-22 18:03 编辑
帥哥 檢查下你本機系統的這個文件
/etc/resolv.conf
nameserver xxxxxxxx
nameserver xxxxxxxx
回复 14# woxizishen
哦,这个我也改了,我把这个设置成我本机的地址了,因为我在本机下配置的bind,把本机作为域名服务器,原来的nameserver注释掉了,还不是不可以。。。
用dig www.baidu.com +trace测试一下,看看卡在哪里?
我感觉是这里的问题:
forward first;
forwarders{
//这一个转发器我填的是公司域名服务器地址,我设置和不设置一个样,都没有能解析外部域名,怎么回事?
};
还有注意防火墙
回复 17# cryboy2001
大哥,非常感谢你的回答,这些我都试过了,转发不起作用,防火墙也关了,SElinux也关了,路由也没有问题。。很是捉急呀 。。
用dig 测试就卡在了这里,但我不知道怎样让它继续执行下去。。
<<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> baidu.com +trace
;; global options: +cmd
. 45355 IN NS j.root-servers.net.
. 45355 IN NS f.root-servers.net.
. 45355 IN NS g.root-servers.net.
. 45355 IN NS e.root-servers.net.
. 45355 IN NS c.root-servers.net.
. 45355 IN NS h.root-servers.net.
. 45355 IN NS b.root-servers.net.
. 45355 IN NS i.root-servers.net.
. 45355 IN NS k.root-servers.net.
. 45355 IN NS l.root-servers.net.
. 45355 IN NS d.root-servers.net.
. 45355 IN NS m.root-servers.net.
# dig www.baidu.com +trace
; <<>> DiG 9.2.4 <<>> www.baidu.com +trace
;; global options:printcmd
. 433181 IN NS l.root-servers.net.
. 433181 IN NS m.root-servers.net.
. 433181 IN NS a.root-servers.net.
. 433181 IN NS b.root-servers.net.
. 433181 IN NS c.root-servers.net.
. 433181 IN NS d.root-servers.net.
. 433181 IN NS e.root-servers.net.
. 433181 IN NS f.root-servers.net.
. 433181 IN NS g.root-servers.net.
. 433181 IN NS h.root-servers.net.
. 433181 IN NS i.root-servers.net.
. 433181 IN NS j.root-servers.net.
. 433181 IN NS k.root-servers.net.
;; Received 496 bytes from 58.21.62.4#53(58.21.62.4) in 26 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 491 bytes from 199.7.83.42#53(l.root-servers.net) in 37 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.5.6.30#53(a.gtld-servers.net) in 286 ms
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
;; Received 228 bytes from 202.108.22.220#53(dns.baidu.com) in 35 ms
你的dig是不全的,停在哪里不动吗?连本机的服务器ip都没出现(如上面红色的)。
日志有什么信息吗?
回复 19# cryboy2001
对,就是停在这里不动了,连ip都没有出现,如下:
# dig www.baidu.com +trace
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> www.baidu.com +trace
;; global options: +cmd
. 518217IN NS a.root-servers.net.
. 518217IN NS e.root-servers.net.
. 518217IN NS c.root-servers.net.
. 518217IN NS b.root-servers.net.
. 518217IN NS d.root-servers.net.
. 518217IN NS g.root-servers.net.
. 518217IN NS f.root-servers.net.
. 518217IN NS j.root-servers.net.
. 518217IN NS i.root-servers.net.
. 518217IN NS m.root-servers.net.
. 518217IN NS k.root-servers.net.
. 518217IN NS h.root-servers.net.
. 518217IN NS l.root-servers.net.
日志的内容我也看不懂,好像是网络不可达
这是日志的最末尾几行:
error (network unreachable) resolving 'b.root-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'b.root-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'b.root-servers.net/A/IN': 2001:500:2f::f#53
error (network unreachable) resolving 'b.root-servers.net/AAAA/IN': 2001:500:2f::f#53
error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
validating @0xb5092bc8: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'root-servers.net/DS/IN': 192.52.178.30#53
error (network unreachable) resolving 'root-servers.net/DS/IN': 2001:503:a83e::2:30#53
error (network unreachable) resolving 'b.root-servers.net.localdomain/A/IN': 2001:dc3::35#53
error (network unreachable) resolving 'b.root-servers.net.localdomain/AAAA/IN': 2001:dc3::35#53
error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
error (network unreachable) resolving './NS/IN': 2001:500:84::b#53
error (network unreachable) resolving 'b.root-servers.net.localdomain/A/IN': 2001:500:84::b#53
error (network unreachable) resolving 'b.root-servers.net.localdomain/AAAA/IN': 2001:500:84::b#53
error (network unreachable) resolving 'root-servers.net/DS/IN': 2001:503:231d::2:30#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving 'd.root-servers.net/AAAA/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:503:c27::2:30#53
error (network unreachable) resolving 'd.root-servers.net/AAAA/IN': 2001:503:c27::2:30#53
validating @0xb5501378: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'root-servers.net/DS/IN': 192.33.14.30#53
validating @0xb50bb548: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'root-servers.net/DS/IN': 192.31.80.30#53
validating @0xb50bb548: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'root-servers.net/DS/IN': 192.43.172.30#53
error (no valid DS) resolving 'd.root-servers.net/A/IN': 192.33.4.12#53
error (no valid DS) resolving 'd.root-servers.net/AAAA/IN': 192.203.230.10#53
error (no valid DS) resolving 'b.root-servers.net/AAAA/IN': 128.63.2.53#53
error (no valid DS) resolving 'b.root-servers.net/A/IN': 128.63.2.53#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:7fd::1#53
error (network unreachable) resolving 'd.root-servers.net/AAAA/IN': 2001:7fd::1#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:500:2f::f#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'd.root-servers.net/A/IN': 2001:dc3::35#53
error (network unreachable) resolving 'b.root-servers.net.localdomain/AAAA/IN': 2001:503:c27::2:30#53
validating @0xb50b4188: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'root-servers.net/DS/IN': 192.42.93.30#53
error (network unreachable) resolving 'root-servers.net/DS/IN': 2001:503:a83e::2:30#53
这是日志的最开始几行:
zone 0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
managed-keys-zone ./IN: loaded serial 0
running
error (network unreachable) resolving './DNSKEY/IN': 2001:503:c27::2:30#53
error (network unreachable) resolving './DNSKEY/IN': 2001:7fd::1#53
error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving './DNSKEY/IN': 2001:503:c27::2:30#53
error (network unreachable) resolving './DNSKEY/IN': 2001:7fd::1#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:48::1#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:f::1#53
error (network unreachable) resolving './DNSKEY/IN': 2001:500:2f::f#53
managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:dc3::35#53
error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:dc3::35#53
error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:1::803f:235#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::20#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:71::29#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:60::29#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/A/IN': 2001:500:48::1#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/A/IN': 2001:500:c::1#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/AAAA/IN': 2001:500:48::1#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/A/IN': 2001:500:f::1#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/AAAA/IN': 2001:500:c::1#53
error (network unreachable) resolving 'd0.info.afilias-nst.org/AAAA/IN': 2001:500:f::1#53
error (network unreachable) resolving 'c.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'c.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'd.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'd.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'e.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'e.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'f.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'f.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'g.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'g.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'h.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'h.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'i.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'i.gtld-servers.net/AAAA/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'j.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'k.gtld-servers.net/A/IN': 2001:503:ba3e::2:30#53
但是我直接ping ip是可以ping 通的