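I have several domains at Strato. I want to set up my own external DNS to manage my domains.
To do this at Strato, I used the option "Domainverwaltung: NS-Records". I had to provide two name servers for this configuration. The system accepted my configuration.
I have a primary (master) and a secondary (slave) DNS running on BIND9.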
root@server1:/etc/bind# named -v
BIND 9.10.3-P4-Debian

Configuration of the master
/etc/bind/named.conf.options
acl trusted {
127.0.0.1;
xxx.xxx.xxx.43; # NS1
xx.xx.xx.107; # NS2
81.169.148.38; # Strato DNS
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on port 53 { any; };
recursion no;
allow-query { any; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

/etc/bind/named.conf.
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "my-domain.com" {
type master;
file "/etc/bind/forward.my-domain.com";
allow-transfer { xx.xx.xx.107; };
};

/etc/bind/forward.my-domain.com
$TTL 604800
@ IN SOA primary.my-domain.com. root.primary.my-domain.com. (
6 ; Serial
604820 ; Refresh
86600 ; Retry
2419600 ; Expire
604600 ) ; Negative Cache TTL
;Name Server Information
@ IN NS primary.my-domain.com.
@ IN NS secondary.my-domain.com.
;IP address of Your Domain Name Server(DNS)
primary IN A xxx.xxx.xxx.43
secondary IN A xx.xx.xx.107
;A Record for Host names
@ IN A xxx.xxx.xxx.43
www IN A xxx.xxx.xxx.43
;CNAME Record
ftp IN CNAME www.my-domain.com.

Configuration of the slave
/etc/bind/named.conf.options
acl trusted {
127.0.0.1;
xxx.xxx.xxx.43; # NS1
xx.xx.xx.107; # NS2
81.169.148.38; # Strato DNS
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on port 53 { any; };
recursion no;
allow-query { any; };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

/etc/bind/named.conf.
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "my-domain.com" {
type slave;
file "/etc/bind/forward.my-domain.com";
masters { xxx.xxx.xxx.43; };
};

/etc/bind/forward.my-domain.com
$TTL 604800
@ IN SOA primary.my-domain.com. root.primary.my-domain.com. (
6 ; Serial
604820 ; Refresh
86600 ; Retry
2419600 ; Expire
604600 ) ; Negative Cache TTL
;Name Server Information
@ IN NS primary.my-domain.com.
@ IN NS secondary.my-domain.com.
;IP address of Your Domain Name Server(DNS)
primary IN A xxx.xxx.xxx.43
secondary IN A xx.xx.xx.107
;A Record for Host names
@ IN A xxx.xxx.xxx.43
www IN A xxx.xxx.xxx.43
;CNAME Record
ftp IN CNAME www.my-domain.com.

To test this, I used:
dig:
~$ dig my-domain.com @xxx.xxx.xxx.43
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com @xxx.xxx.xxx.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31536
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my-domain.com. IN A
;; ANSWER SECTION:
my-domain.com. 604800 IN A xxx.xxx.xxx.43
;; AUTHORITY SECTION:
my-domain.com. 604800 IN NS secondary.my-domain.com.
my-domain.com. 604800 IN NS primary.my-domain.com.
;; ADDITIONAL SECTION:
primary.my-domain.com. 604800 IN A xxx.xxx.xxx.43
secondary.my-domain.com. 604800 IN A xx.xx.xx.107
;; Query time: 16 msec
;; SERVER: xxx.xxx.xxx.43#53(xxx.xxx.xxx.43)
;; WHEN: Tue Oct 16 14:42:09 CEST 2018
;; MSG SIZE rcvd: 136

And NSLOOKUP:
~$ nslookup my-domain.com xxx.xxx.xxx.43
Server: xxx.xxx.xxx.43
Address: xxx.xxx.xxx.43#53
Name: my-domain.com
Address: xxx.xxx.xxx.43

But when I do not point directly at my NS, my provider's NS is answering:
dig:
~$ dig my-domain.com
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> my-domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;my-domain.com. IN A
;; ANSWER SECTION:
my-domain.com. 69 IN A 81.169.145.157
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 16 14:44:23 CEST 2018
;; MSG SIZE rcvd: 58

NSLOOKUP:
~$ nslookup my-domain.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: my-domain.com
Address: 81.169.145.157
Name: my-domain.com
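Address: 2a01:238:20a:202:1157::

Strato says: "Please note that, due to the decentralized structure of the DNS, changes to these settings only become fully active within 24 hours after activation."
But even after 24 hours, my checks still do not point to my name servers. Are there any tests I can run to find out what the problem might be?
Strato also states (sorry, automatic translation; original):
Setting records with the secondary name server (only for dedicated servers): with this you can create a backup in case the primary name server fails. This ensures that the domain can still be reached. The primary and secondary name servers are redundant (through zone transfer, all configurations for the domain are synchronized), so that the second name server can issue the correct DNS records for the domain, such as A record, MX record, etc. The IP address of the STRATO secondary name server must be allowed to perform zone transfers. This IP address is static, so it will not need to be changed in the future (for example, via allow-transfer in BIND). When using the STRATO secondary name server, it is not necessary to operate two name servers of your own. If zone transfer from the primary name server to sns.serverkompetenz.de is allowed, it will obtain the DNS configuration of the domain that you set up on the primary name server. If the primary name server fails, the domain remains reachable. In the domain zone, sns.serverkompetenz.de must also be listed as a name server in the NS set.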
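Posted on 2018-10-17 19:18:44
Thanks to guzzijason for sharing dig's +trace option.
Another option for testing your own name servers is DENIC -> SERVICE -> TOOLS -> NAST. It is offered as a service on the DENIC website.
There you can enter the domain you want to set up, Nameserver 1, Nameserver 2 and the IPs of the name servers. See the result here:
This showed that my setup was correct. That let me dig deeper into the topic.
My problem was: in the web interface of my domain provider Strato, I had entered the IPs of my rootserver mentioned above.
The correct configuration at Strato is to enter the server's DNS host name, e.g. "h1234567.stratoserver.net" for a Strato server, or "b123123.online-server.cloud" for a 1und1 server.
Maybe this helps someone...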
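Posted on 2018-10-16 17:17:48
You can start by running dig +trace my-domain.com. This will start at the root name servers and then follow the NS delegation path (hopefully) to your own name servers. Make sure that the NS records returned at each point are the ones you expect to see. For example, a (filtered) trace for my domain looks like this: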
$ dig +trace guzzijason.com. | grep -E 'IN\s*NS'
. 509129 IN NS b.root-servers.net.
. 509129 IN NS h.root-servers.net.
. 509129 IN NS g.root-servers.net.
. 509129 IN NS i.root-servers.net.
. 509129 IN NS m.root-servers.net.
. 509129 IN NS k.root-servers.net.
. 509129 IN NS f.root-servers.net.
. 509129 IN NS j.root-servers.net.
. 509129 IN NS e.root-servers.net.
. 509129 IN NS c.root-servers.net.
. 509129 IN NS d.root-servers.net.
. 509129 IN NS l.root-servers.net.
. 509129 IN NS a.root-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
guzzijason.com. 172800 IN NS ns01.guzzijason.com. # Note: delegation NS record hosted by gtld-servers
guzzijason.com. 172800 IN NS ns02.guzzijason.com. # Note: delegation NS record hosted by gtld-servers
guzzijason.com. 7200 IN NS ns01.guzzijason.com. # authoritative NS record served by guzzijason.com nameservers
guzzijason.com. 7200 IN NS ns02.guzzijason.com. # authoritative NS record served by guzzijason.com nameservers

I have also noted which are the upstream delegation records and which are the records served by my authoritative name servers.
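The delegation check described in the answer above can be scripted; the following is an added example, not part of the original posts. The zone example.test, the provider name servers, the addresses and the function names sample_trace, delegated_ns and check_delegation are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Zone, name servers and addresses below are constructed.

# Constructed `dig +trace` output: the parent still delegates to the provider.
sample_trace() {
cat <<'EOF'
.              509129 IN NS a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 1 ms

test.          172800 IN NS a.nic.test.
;; Received 512 bytes from 198.51.100.1#53(a.root-servers.net) in 20 ms

example.test.  86400  IN NS ns1.provider.example.
example.test.  86400  IN NS ns2.provider.example.
;; Received 120 bytes from 198.51.100.2#53(a.nic.test) in 25 ms

example.test.  69     IN A  203.0.113.10
;; Received 58 bytes from 203.0.113.53#53(ns1.provider.example) in 30 ms
EOF
}

# Print the NS targets of the first referral for zone $1 (the parent's
# delegation), one per line, lower-cased and sorted. stdin: dig +trace output.
delegated_ns() {
  awk -v zone="$1" '
    tolower($1) == tolower(zone) && $3 == "IN" && $4 == "NS" { ns[tolower($5)] = 1; n++ }
    /^;; Received/ && n { exit }   # stop after the block holding the referral
    END { for (h in ns) print h }
  ' | sort
}

# Compare the delegation with the name servers you expect ($2...).
check_delegation() {
  local zone=$1 got want
  shift
  got=$(delegated_ns "$zone")
  want=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z' | sort)
  if [ "$got" = "$want" ]; then
    echo "OK: $zone is delegated to the expected name servers"
    return 0
  fi
  echo "MISMATCH: $zone is delegated to: $(echo $got)"
  echo "          expected:           $(echo $want)"
  return 1
}

sample_trace | check_delegation example.test. primary.example.test. secondary.example.test. || true
```

Against a live zone, pipe the output of dig +trace my-domain.com. into check_delegation my-domain.com. primary.my-domain.com. secondary.my-domain.com. instead of the sample.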
https://serverfault.com/questions/935744