Bind9 with systemd-resolved: forward DNS lookups only work when the server is specified explicitly
Hi all, I'm setting up a small private DNS server with Bind9, on a host where the network is managed by systemd-resolved and netplan. I've specified the DNS server in both the netplan config and /etc/systemd/resolved.conf, and set the domain in resolved.conf as well. Reverse DNS lookups all work, but forward lookups only succeed when I specify the DNS server manually: nslookup vm.example.com 192.168.1.1 returns the expected answer, but plain nslookup vm.example.com fails with:

    Server:     127.0.0.53
    Address:    127.0.0.53#53

    ** server can't find vm.example.com: NXDOMAIN
I've changed every option and file I can think of countless times and still can't find the problem, so any help troubleshooting would be appreciated. Here is my relevant configuration:
Output of resolvectl status

    Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
    Current DNS Server: 192.168.1.1
           DNS Servers 192.168.1.1
            DNS Domain example.com

    Link 2 (enp0s3)
        Current Scopes: DNS
             Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 10.0.2.3
           DNS Servers: 10.0.2.3
            DNS Domain: other.com

    Link 3 (enp0s8)
        Current Scopes: DNS
             Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    Current DNS Server: 192.168.1.1
           DNS Servers: 192.168.1.1
Bind9 configuration

Zone definition in named.conf.local

    zone "example.com" {
        type primary;
        file "/etc/bind/db.example.com";
    };
Zone file /etc/bind/db.example.com

    ;
    ; BIND data file for example.com
    ;
    $ORIGIN example.com.
    $TTL    86400
    @       IN      SOA     ns1.example.com. hostmaster.example.com. (
                            24          ; Serial
                            21600       ; Refresh
                            3600        ; Retry
                            604800      ; Expire
                            86400 )     ; Negative Cache TTL
    @       IN      NS      ns1
    ns1     IN      A       192.168.1.1
    vm      IN      A       192.168.8.5

Note: this file has mode 644 and is owned by root:bind.
/etc/hosts on the DNS server

    127.0.0.1       localhost
    192.168.1.1     ns1.example.com ns1

    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
named.conf.options

    acl "trusted" {
        127.0.0.1;
        192.168.0.0/16;
    };

    options {
        directory "/var/cache/bind";

        allow-query { "trusted"; };
        dnssec-validation no;

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
            <there's an ip address here>;
        };
        forward only;

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================

        listen-on { any; };
        listen-on-v6 {};
    };
Additional note: no firewall is enabled on this system.
Note: this question originates from Stack Exchange; the original author is sysad noob.
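The 127.0.0.53 answer comes from the systemd-resolved stub, so the first thing to establish is which upstream scope resolved actually sends a query for vm.example.com to. The script below is an added diagnostic example, not part of the original post and not a systemd or BIND tool: it parses the text of `resolvectl status` and applies the routing rules documented in systemd-resolved(8), where a name matching a per-scope search or `~` routing domain goes only to the scope(s) with the longest match, and anything else goes to every link marked +DefaultRoute plus the global scope. The function names (`parse_status`, `route_name`, `explain`, `match_labels`), the file name `resolved_routing.py`, and the treatment of the global "DNS Domain" as a routing domain are my assumptions; the embedded sample input is the poster's own status output, re-wrapped.

```python
"""Predict which systemd-resolved scope(s) a DNS query is routed to,
given the text of `resolvectl status`.

Added diagnostic helper, not code from the original post. Rules applied
(from systemd-resolved(8)):
  1. a name whose suffix matches a search domain or ~routing domain of a
     scope is sent only to the scope(s) with the longest such match;
  2. otherwise it is sent to every link flagged +DefaultRoute plus the
     global scope;
  3. a scope without DNS servers is never used.
Assumption: the global "DNS Domain" is treated like a per-link domain for
routing, and wrapped multi-line server/domain lists are joined best-effort.
"""
import re

# Constructed input: the resolvectl status output quoted in the post.
SAMPLE_STATUS = """\
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.168.1.1
       DNS Servers 192.168.1.1
        DNS Domain example.com

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.2.3
       DNS Servers: 10.0.2.3
        DNS Domain: other.com

Link 3 (enp0s8)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
"""

SCOPE_HEADER = re.compile(r"^(Global|Link \d+ \((?P<link>\S+)\))$")
# The colon is optional because the post's Global section lacks it.
FIELD = re.compile(r"^(?P<key>Protocols|DNS Servers|DNS Domain):?\s+(?P<val>.+)$")
# "Some Key: value" line; used to tell continuation lines from new fields.
KEYED = re.compile(r"^[A-Za-z][\w./ -]*:\s")


def parse_status(text):
    """Return {scope: {"servers": [...], "domains": [...], "default_route": bool}}."""
    scopes, cur, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCOPE_HEADER.match(line)
        if m:
            name = m.group("link") or "Global"
            # The global scope is always a default route; links only when flagged.
            cur = scopes[name] = {"servers": [], "domains": [],
                                  "default_route": name == "Global"}
            last_key = None
            continue
        if cur is None:
            continue
        m = FIELD.match(line)
        if m:
            key, vals = m.group("key"), m.group("val").split()
        elif last_key in ("DNS Servers", "DNS Domain") and not KEYED.match(line):
            key, vals = last_key, line.split()  # wrapped continuation of a list
        else:
            last_key = None
            continue
        last_key = key
        if key == "DNS Servers":
            cur["servers"] += vals
        elif key == "DNS Domain":
            cur["domains"] += vals
        elif "+DefaultRoute" in vals:
            cur["default_route"] = True
    return scopes


def match_labels(name, domain):
    """Number of labels matched if `name` lies within `domain` (a leading ~
    marks a routing-only domain; "." or "~." matches everything); -1 if none."""
    domain = domain.lstrip("~").strip(".").lower()
    name = name.strip(".").lower()
    if domain == "":
        return 0
    if name == domain or name.endswith("." + domain):
        return domain.count(".") + 1
    return -1


def route_name(name, scopes):
    """Scope names the query for `name` would be sent to."""
    best, winners = -1, []
    for scope, info in scopes.items():
        if not info["servers"]:
            continue
        n = max((match_labels(name, d) for d in info["domains"]), default=-1)
        if n > best:
            best, winners = n, [scope]
        elif n == best and n >= 0:
            winners.append(scope)
    if best >= 0:
        return sorted(winners)
    return sorted(s for s, i in scopes.items() if i["servers"] and i["default_route"])


def explain(name, text=SAMPLE_STATUS):
    """Map each target scope to the DNS servers the query would reach."""
    scopes = parse_status(text)
    return {s: scopes[s]["servers"] for s in route_name(name, scopes)}


if __name__ == "__main__":
    import sys
    status = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for n in sys.argv[1:] or ["vm.example.com", "www.debian.org"]:
        print(f"{n} -> {explain(n, status)}")
```

On the affected host, `resolvectl status | python3 resolved_routing.py vm.example.com` prints the scope(s) and servers the documented rules select. For the status output in the post that is the global scope alone, i.e. 192.168.1.1, which means the stub is already talking to the Bind9 instance and the NXDOMAIN is named's own answer; in that case `named-checkzone example.com /etc/bind/db.example.com` and the named log are the next things to look at. If several scopes are listed instead, systemd-resolved(8) states that the first successful response wins and a failure is only returned when every candidate fails, so a NXDOMAIN then implicates all of the listed servers, not just one.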