AskOverflow.Dev
itasahobby's questions

itasahobby
Asked: 2021-12-24 05:43:00 +0800 CST

How do I blacklist private DNS resolutions inside docker?

  • 0

Question

I want to block DNS resolutions that return private-range IP addresses. So far I have found that to do something like this you need to set up a caching/recursive DNS server. However, since I want to use it inside docker, I am running into difficulties.

The easiest way I found is to use dnsmasq (as stated in other answers). On the other hand, only one process should run in the container, so I looked into supervisord to solve that. Nevertheless, I created a sample docker image, and when I use the localhost dns server for dnsmasq (by adding the flag --dns 127.0.0.1 or replacing it in /etc/resolv.conf) I get the error "** server can't find google.com: REFUSED", which makes sense after the warning I get when running the container:

WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers.

Environment

Sample docker image:

FROM ubuntu:latest

RUN apt update &&\
    apt upgrade -y

RUN apt install -y supervisor \
    dnsmasq \
    dnsutils \
    iputils-ping \
    nano

RUN echo "stop-dns-rebind" > /etc/dnsmasq.d/stop-rebinding

COPY supervisor.conf /etc/supervisor.conf

ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisor.conf"]

supervisor.conf:

[supervisord]
nodaemon=true
logfile=/dev/stdout
logfile_maxbytes=0

[program:dnsmasq]
command=dnsmasq --no-daemon
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0

Build:

sudo docker build . -t samplednsmasq

Run:

sudo docker run -it --dns 127.0.0.1 --rm samplednsmasq:latest

Is it feasible?

I would like to know whether there is any way to make this work with dnsmasq (without using multiple containers, e.g. docker-compose), and I am also open to other alternatives that do not involve a DNS caching server.

Solution: change supervisor.conf to:

[supervisord]
nodaemon=true
logfile=/dev/stdout
logfile_maxbytes=0

[program:dnsmasq]
command=dnsmasq --no-daemon --interface=lo --stop-dns-rebind
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0

Also updated the Dockerfile:

FROM ubuntu:latest

RUN apt update &&\
    apt upgrade -y

RUN apt install -y supervisor \
    dnsmasq \
    dnsutils \
    iputils-ping \
    nano \
    net-tools

RUN echo "listen-address=127.0.0.1\nbind-interfaces\nstop-dns-rebind" > /etc/dnsmasq.d/stop-rebinding &&\
    echo "\nserver=8.8.8.8\nserver=8.8.4.4\nno-resolv" >> /etc/dnsmasq.conf

COPY supervisor.conf /etc/supervisor.conf

ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisor.conf"]

domain-name-system docker dnsmasq
  • 1 answer
  • 120 views
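The policy the question is after (refuse upstream answers that point into private address space, which is what dnsmasq's stop-dns-rebind option does) can be made explicit and testable outside the container. The following is an added example, not code from the original post or from dnsmasq: it applies the same decision to a constructed list of answers. The blocked range list is an assumption that approximates dnsmasq's behaviour (RFC 1918, loopback, link-local, 0.0.0.0/8 plus the IPv6 equivalents); the dnsmasq man page for your version is authoritative. The localhost_ok flag mirrors dnsmasq's rebind-localhost-ok option, and IPv4-mapped IPv6 answers are unwrapped before the check so that the mapped form cannot slip through.

```python
# Added example (not from the original post): an answer filter modelled on
# dnsmasq's --stop-dns-rebind decision, applied to constructed sample answers.
import ipaddress

# Assumption: this list approximates the ranges dnsmasq treats as rebind
# targets; consult the dnsmasq man page for the authoritative set.
REBIND_BLOCKLIST = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_rebind_target(ip: str, localhost_ok: bool = False) -> bool:
    """True when `ip` falls in a blocked range.

    localhost_ok mirrors dnsmasq's --rebind-localhost-ok: loopback answers are
    allowed, e.g. for DNS blackhole lists that deliberately return 127.x.
    Raises ValueError for strings that are not IP addresses.
    """
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.1) must be checked as IPv4,
    # otherwise the mapped form would bypass the IPv4 ranges above.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if localhost_ok and addr.is_loopback:
        return False
    return any(addr in net for net in REBIND_BLOCKLIST)


def filter_answers(answers, localhost_ok: bool = False):
    """Split (name, ip) answers into (allowed, blocked) lists.

    Unparseable address strings are treated as blocked: a filter whose job is
    to stop rebinding should fail closed.
    """
    allowed, blocked = [], []
    for name, ip in answers:
        try:
            bad = is_rebind_target(ip, localhost_ok)
        except ValueError:
            bad = True
        (blocked if bad else allowed).append((name, ip))
    return allowed, blocked


# Constructed sample answers (not real resolutions): one public address,
# two private ones, one IPv4-mapped private one and one loopback answer.
SAMPLE_ANSWERS = [
    ("example.com.", "93.184.216.34"),
    ("rebind.test.", "10.20.30.1"),
    ("rebind.test.", "192.168.1.1"),
    ("rebind.test.", "::ffff:172.16.0.5"),
    ("ads.test.", "127.0.0.1"),
]

if __name__ == "__main__":
    ok, dropped = filter_answers(SAMPLE_ANSWERS)
    for name, ip in dropped:
        print(f"REFUSED {name} -> {ip}")
    for name, ip in ok:
        print(f"OK      {name} -> {ip}")
```

Running the script prints one REFUSED line per private answer and one OK line for the public one; passing localhost_ok=True additionally lets the 127.0.0.1 answer through, which is the trade-off the dnsmasq option makes.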
itasahobby
Asked: 2020-04-02 14:49:30 +0800 CST

Is it possible to forward a port over SSH in this scenario?

  • 0

Description

I have a PostgreSQL server in a lab network across the internet. Currently I connect to it using ssh. However, I would like to have an admin docker on my local network connect to the server. Is it possible to create a port redirection so that docker can connect to a port on my local machine that redirects me to the PostgreSQL service?

I believe this ssh command might work but I am not sure, and I would also like a brief explanation of how it works: ssh -L 5000:myserverdomain:5432 postgresql@myserverdomain

Diagram

A small diagram representing the scenario: [image]

ssh port-forwarding
  • 2 answers
  • 438 views
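What ssh -L 5000:myserverdomain:5432 does, as an added example that is not part of the original question or its answers: ssh listens on port 5000 of the local machine (on the loopback address by default), and every connection accepted there is carried inside the SSH session to the SSH server, which then opens its own TCP connection to myserverdomain:5432 from its side of the network. The script below reproduces the listen, accept and copy-in-both-directions structure of that local end in plain sockets. It contains no SSH session: the relay connects to the target directly, and a throwaway echo server stands in for PostgreSQL so the whole thing runs offline. All hosts and ports are constructed for the example. Note for the docker part of the question: a listener bound to 127.0.0.1 on the host is not reachable from a container on the default bridge network, so the bind address has to be widened to exactly the interface the container can reach, and no further, since anything that can reach the listener gets an unauthenticated path to the database port.

```python
# Added example (not from the original question): the local half of an
# `ssh -L` forward in plain sockets, wired to a local echo server for testing.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(bind_host: str, bind_port: int,
                    target_host: str, target_port: int) -> int:
    """Listen on bind_host:bind_port and relay each connection to the target.

    Returns the port actually bound (useful when bind_port is 0). Binding to
    127.0.0.1 rather than 0.0.0.0 is the same default ssh -L uses: the
    tunnel entrance is then not exposed to the whole LAN.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(8)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            # With real ssh this connect happens on the SSH server's side.
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server() -> int:
    """Stand-in for the PostgreSQL service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(port: int, payload: bytes) -> bytes:
    """Connect to 127.0.0.1:port, send payload, return everything echoed back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload: bytes = b"SELECT 1;") -> bytes:
    """Echo server <- forwarder <- client; returns the bytes that came back."""
    target = start_echo_server()          # plays myserverdomain:5432
    local = start_forwarder("127.0.0.1", 0, "127.0.0.1", target)  # plays :5000
    return round_trip(local, payload)


if __name__ == "__main__":
    print(demo())
```

The client only ever talks to the local port; the relay is what reaches the service. That is also why the ssh user in the command needs no database privileges: it only needs to be allowed to open outbound TCP connections from the SSH server (PermitOpen in sshd_config is the server-side control for that).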
itasahobby
Asked: 2020-01-20 11:02:01 +0800 CST

What does this bind error mean?

  • 0

Background

I am trying to set up a recursive DNSSEC server using the dnssec-lookaside option, following this guide.

Error message

root@dnssec:/home/jose# systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Sun 2020-01-19 18:54:09 UTC; 1s ago
     Docs: man:named(8)
  Process: 1617 ExecStart=/usr/sbin/named -f $OPTIONS (code=killed, signal=ABRT)
 Main PID: 1617 (code=killed, signal=ABRT)

ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.

Bind configuration:

named.conf

root@dnssec:/home/jose# cat /etc/bind/named.conf

include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.options.dnssec";


zone "wetlands.cam"{
        type master;
        file "/etc/bind/db.wetlands.cam";
};

zone "30.20.10.in-addr.arpa"{
        type master;
        file "/etc/bind/db.30.20.10";
};

named.conf.options

root@dnssec:/home/jose# cat /etc/bind/named.conf.options
acl homeLab {
        10.20.30.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { homeLab; };

        forwarders {
                10.20.30.1;
                8.8.8.8;
                8.8.4.4;
        };


        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside "." trust-anchor auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };

        dnssec-lookaside auto;

};

named.conf.options also includes logging, as described in this article, but none of the log files contain any information about the error, so I have omitted it for readability.

named.conf.dnssec

root@dnssec:/home/jose# cat /etc/bind/named.conf.options.dnssec
trusted-keys{
"." 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";

"cat." 257 3 10
"AwEAAYA2JNjCp4vwA2YjEASi2AyxNSCB8RwAJveS44fCrcOsy3ejVzH4 s1bVKolZdObVAcZcjFd1uusnIZ6SRVpRxs2G9nflbYgCZ1oihfwPuuVE HExUDzu8nFEkivKTL4RBOT6EYNYgbVwG7JVRaCKU8/g1YR+by1cfTAl6 0SgdyMGapN3JlBcYBq9P3bMX0beYWdxTa+NSasAauLemmp84RJwBWtX3 YhAyF3LrCapSfLVkgakNb+kuUbQngnX1ABdioYD5BvFO3TjslwuFy+FU GH8HGaI2F4kwXfpIukUfjhGTnXihG1n1cI3Noy0wOL/twxy9SB66GbxT rNOnoXftnzk=";

"org." 257 3 7
"AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=";

"dlv.isc.org." 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";

};

journalctl output

ene 19 18:54:09 dnssec systemd[1]: Started BIND Domain Name Server.
ene 19 18:54:09 dnssec named[1617]: starting BIND 9.11.3-1ubuntu1.11-Ubuntu (Extended Support Version) <id:a375815>
ene 19 18:54:09 dnssec named[1617]: running on Linux x86_64 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019
ene 19 18:54:09 dnssec named[1617]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexec
ene 19 18:54:09 dnssec named[1617]: running as: named -f -u bind
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: BIND 9 is maintained by Internet Systems Consortium,
ene 19 18:54:09 dnssec named[1617]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
ene 19 18:54:09 dnssec named[1617]: corporation.  Support and training for BIND 9 are
ene 19 18:54:09 dnssec named[1617]: available at https://www.isc.org/support
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: adjusted limit on open files from 4096 to 1048576
ene 19 18:54:09 dnssec named[1617]: found 1 CPU, using 1 worker thread
ene 19 18:54:09 dnssec named[1617]: using 1 UDP listener per interface
ene 19 18:54:09 dnssec named[1617]: using up to 4096 sockets
ene 19 18:54:09 dnssec named[1617]: loading configuration from '/etc/bind/named.conf'
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options:27: dnssec-lookaside 'auto' is no longer supported
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options.dnssec:1: trusted-key for dlv.isc.org still present; dlv.isc.org has been shut down
ene 19 18:54:09 dnssec named[1617]: reading built-in trust anchors from file '/etc/bind/bind.keys'
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv4) (type 1) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv6) (type 12) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 2) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 6) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 30) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 31) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 3) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 7) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP ISP (type 4) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Org (type 5) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP AS (type 9) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Domain (type 11) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP NetSpeed (type 10) DB not available
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv4 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv6 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface lo, 127.0.0.1#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s3, 10.20.30.200#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s8, 192.168.56.200#53
ene 19 18:54:09 dnssec named[1617]: generating session key for dynamic DNS
ene 19 18:54:09 dnssec named[1617]: sizing zone task pool based on 2 zones
ene 19 18:54:09 dnssec named[1617]: none:103: 'max-cache-size 90%' - setting to 886MB (out of 985MB)
ene 19 18:54:09 dnssec named[1617]: ../../../lib/isccfg/parser.c:1228: REQUIRE(obj != ((void *)0) && obj->type->rep == &cfg_rep_string) failed, back trace
ene 19 18:54:09 dnssec named[1617]: #0 0x561ca9ea1050 in ??
ene 19 18:54:09 dnssec named[1617]: #1 0x7f3fa9b477da in ??
ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.

linux
  • 1 answer
  • 1537 views
itasahobby
Asked: 2020-01-12 14:31:32 +0800 CST

Is DLV deprecated in dnssec?

  • 4

I am trying to set up a recursive DNS with bind that also has its own zones.

Now I would like to upgrade it to use dnssec but, as far as I understand, if I do not have a domain name I have to use DLV.

However, the few guides I can find say that you need to register at dlv.isc.org, which does not exist. A book on DNSSEC I am reading tells me DLV is going to be deprecated, so that is why I am wondering. (If you know any step-by-step guide to set it up, that would also be appreciated.)

domain-name-system
  • 1 answer
  • 568 views
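Both of the last two questions come down to configuration that still references DLV after ISC shut the dlv.isc.org lookaside zone down. The journalctl output in the previous question names the two offending items itself: "dnssec-lookaside 'auto' is no longer supported" and "trusted-key for dlv.isc.org still present; dlv.isc.org has been shut down". The following added example, which is not part of either question or of BIND, is a small checker that finds exactly those two things in BIND configuration text, reports file and line, and ignores commented-out directives. The configuration snippets inside it are constructed and shortened (the real keys are long Base64 blobs); the file paths are the ones from the question.

```python
# Added example (not from the original questions): scan BIND config text for
# leftover DLV settings, the two items named's own log complained about.
import re

# //, # and /* */ comments, all valid in named.conf. Assumption: no '//' inside
# quoted strings; a full named.conf lexer would track string state as well.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)
LOOKASIDE_RE = re.compile(r"\bdnssec-lookaside\b[^;]*;")
DLV_KEY_RE = re.compile(r'"dlv\.isc\.org\.?"\s+\d+\s+\d+\s+\d+')


def strip_comments(text: str) -> str:
    """Remove comments but keep their newlines so line numbers stay correct."""
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)


def line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def check_bind_config(path: str, text: str):
    """Return a list of (path, line, message) findings for one config file."""
    findings = []
    clean = strip_comments(text)
    for m in LOOKASIDE_RE.finditer(clean):
        findings.append((path, line_of(clean, m.start()),
                         "dnssec-lookaside is obsolete: DLV has been retired, remove it"))
    for m in DLV_KEY_RE.finditer(clean):
        findings.append((path, line_of(clean, m.start()),
                         "trusted-key for dlv.isc.org still present; dlv.isc.org has been shut down"))
    return findings


# Constructed sample: the options block from the question, with one extra
# commented-out directive that must not be reported.
SAMPLE_OPTIONS = """options {
        directory "/var/cache/bind";
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside "." trust-anchor auto;
        // dnssec-lookaside auto;   (commented out, must not be reported)
        auth-nxdomain no;    # conform to RFC1035
        dnssec-lookaside auto;
};
"""

# Constructed sample with shortened keys.
SAMPLE_DNSSEC = """trusted-keys{
"." 257 3 8 "AwEAAaz...";
"dlv.isc.org." 257 3 5 "BEAAAAPH...";
};
"""


def run_checks():
    """Check both constructed samples; return all findings in file order."""
    return (check_bind_config("/etc/bind/named.conf.options", SAMPLE_OPTIONS)
            + check_bind_config("/etc/bind/named.conf.options.dnssec", SAMPLE_DNSSEC))


if __name__ == "__main__":
    for path, line, msg in run_checks():
        print(f"{path}:{line}: {msg}")
```

On the sample input the checker reports the two dnssec-lookaside lines (6 and 9) in named.conf.options and the dlv.isc.org key on line 3 of named.conf.options.dnssec. The dnssec-validation yes line is left alone on purpose: with the built-in root trust anchor in bind.keys, validation needs no lookaside zone at all.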
itasahobby
Asked: 2019-12-05 04:34:40 +0800 CST

How to configure an OpenVpn server with multiple clients using an asymmetric key

  • 0

Introduction

I want to configure OpenVpn with 2 clients and 1 server, but I have only managed to get it working with 1 server and 1 client.

Setup

Server ip: 10.10.102.146
Client ips: 10.10.102.138

Server configuration (tunel.conf):

local 10.10.102.143
remote 10.10.102.38
dev tun1
port 5555
comp-lzo
user nobody
ping 15
ifconfig 172.160.0.1 172.160.0.2
secret /etc/openvpn/clave.key

Client configuration (tunel.conf):

local 10.10.102.138
remote 10.10.102.143
dev tun1
port 5555
comp-lzo
ping 15
ifconfig 172.160.0.2 172.160.0.1
secret /etc/openvpn/clave.key

clave.key is the asymmetric key.

Then I run the following command, first on the server and then on the client: openvpn --verb 5 --config /etc/openvpn/tunel.conf

Problem

I would like both clients to connect at the same time and have the IPs 172.160.0.2 and 172.160.0.3.

What I tried

I tried adding a third ip to ifconfig and an extra remote, but that does not follow the correct syntax, so it errors at runtime.

linux
  • 1 answer
  • 1420 views

© 2023 AskOverflow.DEV All Rights Reserved