用于RDS的AWS客户端VPN DNS解决方案
用于RDS的AWS客户端VPN DNS解决方案
提问于 2022-03-05 22:28:22
我已经建立了客户端VPN,并且似乎无法在私有子网中到达我的RDS实例。我可以使用IP访问EC2实例,但不能通过DNS访问。我的设置看起来有点像这样:
VPC:
10.0.0.0/16
- DNS解析:已启用的
- 主机名:已启用的
客户端-Vpn:
DNS服务器: 10.0.0.2 (还尝试了empty)
- Security Group: vpn-sg (从我的IP,egress all入口)
- 客户端CIDR: 10.1.0.0/16
- Transport: UDP 443
- Associations: 3x专用子网(都可以访问启用RDS instance)
- Split-tunnel:的
)。
RDS实例:
rds-sg
- Security
- 安全组:
的所有通信量
我认为DNS解析存在问题,而且由于某种原因,RDS实例的DNS没有得到解决。从我的EC2实例中,我可以连接到RDS,这意味着DNS解析在VPC中工作。
我正在运行Ubunut20.04,我使用的是AWS客户端(我相信它在下面使用openvpn )。我正在使用从AWS控制面板中的VPN设置下载的openvpn配置。
有人能解释一下为什么DNS没有被解析吗?调试信息如下。
连接到VPN时进行调试
$ ping ip-10-0-0-177.eu-west-1.compute.internal
ping: ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
$ ping 10.0.0.177
PING 10.0.0.177 (10.0.0.177) 56(84) bytes of data.
64 bytes from 10.0.0.177: icmp_seq=1 ttl=254 time=22.8 ms
64 bytes from 10.0.0.177: icmp_seq=2 ttl=254 time=22.5 ms
64 bytes from 10.0.0.177: icmp_seq=3 ttl=254 time=24.1 ms
--- 10.0.0.177 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 22.472/23.841/25.161/1.046 ms$ systemd-resolve --status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 22 (tun0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 10.0.0.2
DNS Servers: 10.0.0.2
Link 3 (wlp0s20f3)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.1.254
DNS Servers: 192.168.1.254
DNS Domain: ~.
home$ traceroute google.com
traceroute to google.com (216.58.212.238), 30 hops max, 60 byte packets
1 eehub.home (192.168.1.254) 2.327 ms 2.225 ms 3.201 ms
2 * * *
3 * * *
4 213.121.98.128 (213.121.98.128) 14.432 ms 14.407 ms 14.380 ms
5 87.237.20.130 (87.237.20.130) 20.563 ms 20.538 ms 20.992 ms
6 74.125.52.216 (74.125.52.216) 16.718 ms 12.813 ms 12.728 ms
7 * * *
8 142.251.52.148 (142.251.52.148) 13.044 ms 209.85.248.240 (209.85.248.240) 11.870 ms 142.251.54.26 (142.251.54.26) 13.344 ms
9 ams16s22-in-f14.1e100.net (216.58.212.238) 13.257 ms 216.239.63.219 (216.239.63.219) 14.388 ms 14.360 ms
$ traceroute ip-10-0-0-177.eu-west-1.compute.internal
ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
Cannot handle "host" cmdline arg `ip-10-0-0-177.eu-west-1.compute.internal' on position 1 (argc 1)编辑1:我刚刚学习了如何使用特定的名称服务器运行dig命令,并确认了当系统使用正确的服务器时,DNS解析确实有效:
$ dig @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2950
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 60 IN A 10.0.0.177
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:38:15 GMT 2022
;; MSG SIZE rcvd: 85编辑2:在阅读了一些疑难解答技巧后,成功地获得了EC2 DNS解析,但没有获得EC2解析。仍然希望有人能帮助破译这个:)
$ dig ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> ip-10-0-0-177.eu-west-1.compute.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3681
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 54 IN A 10.0.0.177
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:46:10 GMT 2022
;; MSG SIZE rcvd: 85dig ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> ***.***.eu-west-1.rds.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44468
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:48:26 GMT 2022
;; MSG SIZE rcvd: 82同样,当我直接针对正确的名称服务器执行此操作时,它将进行解析。
dig @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5532
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
***.***.eu-west-1.rds.amazonaws.com. 5 IN A 10.0.1.233
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:49:23 GMT 2022
;; MSG SIZE rcvd: 98回答 1
Stack Overflow用户
回答已采纳
发布于 2022-07-26 06:06:08
海报在他的“编辑”帖子中给出了答案,这也对我有用,所以我把它留在这里,以防别人发现这个问题。
我不得不将DNS设置为一些有用的东西,比如我的工作室卡上的Google (8.8.8.8,4.4.4.4),然后重新启动。就是这样。我不知道为什么,但我的另一个DNS解决不了。
我在康卡斯特的互联网上,我有着和OP完全一样的问题。一旦我切换到谷歌DNS,根据他的建议,一切正常!
谢谢OP。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/71366382
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号