你能帮我设置DNS转发吗？

Question

我在公司网络的子网中有一个dns服务器，当它无法解析时，我想告诉它转发到主dns服务器。

这是我的档案：

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        forwarders { 10.90.0.135; 10.90.0.174; };
        forward first;
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


zone "appletop.local" IN {
        type master;
        file "appletop.local";
        allow-update { none; };
};

我知道dns服务器10.90.0.35很好，如果我用它来解决问题的话，就可以使用它的精细的

[root@ns1 etc]# dig www.yahoo.com @10.90.0.135

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> www.yahoo.com @10.90.0.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24437
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com.                 IN      A

;; ANSWER SECTION:
www.yahoo.com.          278     IN      CNAME   fd-fp3.wg1.b.yahoo.com.
fd-fp3.wg1.b.yahoo.com. 278     IN      CNAME   ds-fp3.wg1.b.yahoo.com.
ds-fp3.wg1.b.yahoo.com. 1       IN      CNAME   ds-eu-fp3-lfb.wa1.b.yahoo.com.
ds-eu-fp3-lfb.wa1.b.yahoo.com. 235 IN   CNAME   ds-eu-fp3.wa1.b.yahoo.com.
ds-eu-fp3.wa1.b.yahoo.com. 26   IN      A       87.248.122.122
ds-eu-fp3.wa1.b.yahoo.com. 26   IN      A       87.248.112.181

;; Query time: 49 msec
;; SERVER: 10.90.0.135#53(10.90.0.135)
;; WHEN: Thu Sep 12 17:37:15 2013
;; MSG SIZE  rcvd: 167

但我无法将任何正常请求转发到该服务器。

我做错了什么?我从网上的例子中复制了条目，但它不起作用

谢谢

Answer 1

问题是，我在文件中启用了dns-sec，我删除了sec的所有内容，并且工作正常。

谢谢

Answer 2

你有没有尝试过添加：

allow-recursion { 192.168.0.0/24; };

绑定选项？其中192.168.0.0/24是您的本地子网。

你能贴出a的结果吗？

dig @yourdnsserver www.yahoo.com

？

你可以考虑在你的问题中加上这些，而不是我的回答。

来自请求者的===Edits below=== dig挂起：

www.yahoo.com；<<>> dig 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com；全局选项：+cmd。518400在NS H.ROOT-SERVERS.NET. .518400在NS G.ROOT-SERVERS.NET. .518400在NS M.ROOT-SERVERS.NET. .518400在NS K.ROOT-SERVERS.NET. .518400在NS J.ROOT-SERVERS.NET. .518400在NS L.ROOT-SERVERS.NET. .518400在NS I.ROOT-SERVERS.NET. .518400在NS A.ROOT-SERVERS.NET. .518400在NS D.ROOT-SERVERS.NET. .518400在NS C.ROOT-SERVERS.NET. .518400在NS E.ROOT-SERVERS.NET. .518400在NS F.ROOT-SERVERS.NET. .NS B.ROOT-SERVERS.NET中的518400。

另外，var/log/messages中充满了：

> Sep 12 18:08:51 ns1 named-sdb[25026]: validating @0x7fef184578a0: .
> NS: got insecure response; parent indicates it should be secure Sep 12
> 18:08:51 ns1 named-sdb[25026]: error (insecurity proof failed)
> resolving './NS/IN': 10.90.0.174#53 Sep 12 18:08:51 ns1
> named-sdb[25026]: validating @0x7fef184b2ea0: . NS: got insecure
> response; parent indicates it should be secure Sep 12 18:08:51 ns1
> named-sdb[25026]: error (insecurity proof failed) resolving './NS/IN':
> 10.90.0.135#53 Sep 12 18:08:53 ns1 named-sdb[25026]: error (network unreachable) resolving 'NET/DS/IN': 2001:7fe::53#53 Sep 12 18:08:55
> ns1 named-sdb[25026]: error (network unreachable) resolving './NS/IN':
> 2001:503:c27::2:30#53 Sep 12 18:08:57 ns1 named-sdb[25026]: error
> (network unreachable) resolving './NS/IN': 2001:500:2f::f#53 Sep 12
> 18:08:58 ns1 named-sdb[25026]: error (network unreachable) resolving
> 'NET/DS/IN': 2001:503:c27::2:30#53 Sep 12 18:09:01 ns1
> named-sdb[25026]: error (network unreachable) resolving 'NET/DS/IN':
> 2001:500:3::42#53 Sep 12 18:09:01 ns1 named-sdb[25026]: error (no
> valid DS) resolving 'F.ROOT-SERVERS.NET/A/IN': 10.90.0.174#53 Sep 12
> 18:09:01 ns1 named-sdb[25026]: error (no valid DS) resolving
> 'F.ROOT-SERVERS.NET/AAAA/IN': 10.90.0.174#53 Sep 12 18:09:01 ns1
> named-sdb[25026]: error (no valid DS) resolving
> 'E.ROOT-SERVERS.NET/A/IN': 10.90.0.174#53 Sep 12 18:09:05 ns1
> named-sdb[25026]: error (network unreachable) resolving 'NET/DS/IN':
> 2001:500:1::803f:235#53 Sep 12 18:09:09 ns1 named-sdb[25026]: error
> (network unreachable) resolving 'NET/DS/IN': 2001:7fe::53#53 Sep 12
> 18:09:09 ns1 named-sdb[25026]: error (network unreachable) resolving
    > 'NET/DS/IN': 2001:500:2d::d#53 Sep 12 18:09:09 ns1 named-sdb[25026]:
> error (network unreachable) resolving './NS/IN': 2001:500:2d::d#53 Sep
> 12 18:09:11 ns1 named-sdb[25026]: error (network unreachable)
> resolving 'NET/DS/IN': 2001:dc3::35#53