求助:內網搭建DNS伺服器解析外網域名問題
我們單位的區域網 網關是192.168.1.1,網站伺服器在內網ip是192.168.1.2通過網關NAT成外網ip:221.7.23.41,對外申請了一級域名www.abc.com指向221.7.23.41,在區域網以外的電腦可以通過www.abc.com正常訪問我們單位的網站。
但是區域網內電腦使用,無法通過www.abc.com訪問網站,因為網通的DNS伺服器221.7.34.10
,把www.abc.com解析成了外網ip,
所以我用bind在能網搭建了一個DNS伺服器,ip是192.168.1.3,用來在區域網內解析www.abc.com為它的內網ip地址:192.168.1.2,這樣外網用戶可以訪問www.abc.com的同時,內網用戶也可以使用www.abc.com訪問單位網站了,
現在的問題是,內網用戶如果使用內網DNS192.168.1.3,就無法解析其他外部域名了,比如www.163.com
查了一些資料,說可以做DNS轉發,修改內網DNS配置named.conf
forward First;
forwarders {
221.7.34.10;
};
現在內網用戶可以通過內網DNS解析外部域名了,問題是有時候解析www.abc.com為外網ip,
怎麼設置才能讓區域網內用戶只使用內網DNS(192.168.1.3)既可以在內網解析www.abc.com為內網ip(192.168.1.2)又可以解析外網域名,
也就是說讓內網DNS(192.168.1.3)先解析域名,解析不了的域名,再轉發到外網DNS上解析。
[ 本帖最後由 北回歸客 於 2008-3-11 10:27 編輯 ]
《解決方案》
請將192.168.1.3上named的配置貼出來。
《解決方案》
named的配置
// $FreeBSD: src/etc/namedb/named.conf,v 1.21.2.1 2005/09/10 08:27:27 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 192.168.1.3; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
forward First;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
221.7.23.41;
};
*/
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// query-source address * port 53;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
file "master/localhost-v6.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
/* An example master zone
zone "example.net" {
type master;
file "master/example.net";
};
*/
zone "abc.com"{
type master;
file "master/abc.com";
};
/* An example dynamic zone
key "exampleorgkey" {
algorithm hmac-md5;
secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
allow-update {
key "exampleorgkey";
};
file "dynamic/example.org";
};
*/
/* Examples of forward and reverse slave zones
zone "example.com" {
type slave;
file "slave/example.com";
masters {
192.168.1.1;
};
};
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
masters {
192.168.1.1;
};
};
*/
《解決方案》
回復 #1 北回歸客 的帖子
試試:
zone "abc.com"{
type master;
file "master/abc.com";
forwarders {};
};