局域网Bind9超时，服务器监听端口53

Question

我在Ubuntu上与Bind9有一个非常广泛的情况。服务器正在监听端口53 (使用windows的portqry测试，该端口试图将其用作本地DNS服务器)，但它正在对以下请求进行超时：

> dig @192.168.1.6 YYY +search

; <<>> DiG 9.11.0-P3 <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

在windwos上正确地设置搜索域(ISC DHCP确保这一点)。然而，正如我所说的，portqry探测端口53表示它在监听。

> portqry -n 192.168.1.6 -o 53

Querying target system called:

192.168.1.6

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): LISTENING

奇怪的是，服务器响应本地主机上的查询(来自服务器本身)：

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23454
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;YYY.mydomain.tld.      IN      A

;; ANSWER SECTION:
YYY.mydomain.tld. 3600  IN      A       192.168.1.11

;; AUTHORITY SECTION:
mydomain.tld.    3600    IN      NS      DNS-SERVER.mydomain.tld.

;; ADDITIONAL SECTION:
DNS-SERVER.mydomain.tld. 3600  IN      A       192.168.1.6

;; Query time: 0 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Thu Feb 23 03:59:37 CST 2017
;; MSG SIZE  rcvd: 104

Netstat声称named正在监听所有常用的端口/附件：

~# netstat -tanpl | grep named
tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN      4074/named
tcp        0      0 192.168.1.6:53          0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      4074/named

有什么想法吗？

编辑:通过流行的请求，这里是/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };
    query-source address * port 53;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };
    forwarders {
            8.8.8.8;
            8.8.4.4;
            };
    forward first;
};

Answer 1

好的，感谢杰斯科特和石制，对于后代来说，如果有其他人需要排除像这样的情况，下面是建议的步骤：

1. 确保您已经在TCP和UDP上打开了端口53。端口扫描UDP端口是很棘手的，所以要确保UDP 53确实会通过。
2. 您应该在您命名的配置文件的全局部分(Debian/Ubuntu上的allow-query { any; }; )中有/etc/bind/named.conf.options
3. 检查您的配置语法，在systemd机器上您可以使用systemctl status bind9，并根据如何设置绑定日志，检查journalctl -xe -u bind9是否启动了守护进程。
4. 从绑定主机和多台计算机进行测试解析。