關於雙網卡DNS伺服器，可以解析內網域名，不可解析外網DNS的奇怪問題

←手機掃碼閱讀火星人 @ 2014-03-05 , reply:0

關於雙網卡DNS伺服器，可以解析內網域名，不可解析外網DNS的奇怪問題

我的機器是 redhat as 4.0 + bind 9.2.3 (系統預設RPM包) 。該機器連接私網及公網。
伺服器私網IP： 172.16.22.88 (eth0網口）
   公網IP ：223.29.192.203 (eth1網口)

不知道為什麼，該機器可以對自己管理的域名進行解析。可就是無法解析公網的域名信息。
我以前配置的 DNS服務都沒出現過這個問題。查看伺服器進程，如下：

# ps -ef | grep named
named    3738    1  0 01:41 ?       00:00:00 /usr/sbin/named -u named -t /var/named/chroot
root    3809  3679  0 01:57 pts/3 00:00:00 grep named

其它相關文件，具體信息如下：

/etc/named.conf 配置如下：

//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
      statistics-file "/var/named/data/named_stats.txt";
/*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
   // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
      type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

zone "mydomain.com" {
   type master;
   file "mydomain.com.zone.internal";
};

zone "domain2.com" {
   type master;
   file "db.domain2";
   allow-query { any; };
};

zone "192.29.223.in-addr.arpa" {
   type master;
   file "db.223";
};

zone "22.16.172.in-addr.arpa" {
      type master;
      file "netadmin.rev";
      allow-query { any; };
};

include "/etc/rndc.key";

根域名文件  named.ca 文件如下：

;    This file holds the information on root name servers needed to
;    initialize cache of Internet domain name servers
;    (e.g. reference this file in the "cache  .  <file>"
;    configuration file of BIND domain name servers).
;
;    This file is made available by InterNIC
;    under anonymous FTP as
;          file             /domain/named.cache
;          on server          FTP.INTERNIC.NET
;    -OR-                   RS.INTERNIC.NET
;
;    last update: Jan 29, 2004
;    related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                      3600000  IN  NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.    3600000    A    198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                      3600000    NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.    3600000    A    192.228.79.201
;
; formerly C.PSI.NET
;
.                      3600000    NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.    3600000    A    192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                      3600000    NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.    3600000    A    128.8.10.90
;
; formerly NS.NASA.GOV
;
.                      3600000    NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.    3600000    A    192.203.230.10
;
; formerly NS.ISC.ORG
;
.                      3600000    NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.    3600000    A    192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                      3600000    NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.    3600000    A    192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                      3600000    NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.    3600000    A    128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                      3600000    NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.    3600000    A    192.36.148.17
;
; operated by VeriSign, Inc.
;
.                      3600000    NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.    3600000    A    192.58.128.30
;
; operated by RIPE NCC
;
.                      3600000    NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.    3600000    A    193.0.14.129
;
; operated by ICANN
;
.                      3600000    NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.    3600000    A    198.32.64.12
;
; operated by WIDE
;
.                      3600000    NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.    3600000    A    202.12.27.33
; End of File

防火牆配置如下：
#!/bin/bash
echo "Begin iptables "
/sbin/iptables -F
/sbin/iptables -F -t nat

modprobe  ipt_state
modprobe  ipt_LOG
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_limit

/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 177 -j ACCEPT
/sbin/iptables -A INPUT -d 172.16.22.88 -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --ports  25,53,953,80,8005,8009,8080,110 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -P INPUT DROP

文件/etc/resolv.conf 的內容如下：
domain mydomain.com
nameserver  223.29.192.203

該機器與公網連通正常。

實在很奇怪了，查了很多資料，還是沒有找到解決的方法。:em10:
請大家幫幫忙。給些幫助。謝謝了先！:em02:

Tags:

[火星人 ] 關於雙網卡DNS伺服器，可以解析內網域名，不可解析外網DNS的奇怪問題已經有217次圍觀

本文地址：http://coctec.com/docs/service/show-post-41375.html

關於雙網卡DNS伺服器，可以解析內網域名，不可解析外網DNS的奇怪問題

關於雙網卡DNS伺服器，可以解析內網域名，不可解析外網DNS的奇怪問題

熱門文章

最新文章