出于各种原因，主要是与安全和隐私相关的原因，如果我的仅缓存 bind9 仅使用 TCP 进行向外连接，我会更高兴。

当然，它应该能够接受和处理 UDP 查询。

我怎样才能做到这一点？

用户@nextcloudpi:/$sudo certbot -d downwind.duckdns.org --manual --preferred-challenges dns certonly~

返回：

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.downwind.duckdns.org with the following value:

to8BGF9LfNEOTdZkJAMUYoEd0rROw8Zwa6dumWVBIvA

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

因为我正在尝试为 duckdns 设置证书，所以我尝试了：

https://www.duckdns.org/update?domains=downwind.duckdns.org&token=MyDuckdnsToken&txt=to8BGF9LfNEOTdZkJAMUYoEd0rROw8Zwa6dumWVBIvA

我想验证证书是否有效。有没有可以远程执行的命令行测试？

更新

SSL 检查器返回：

结果是否表明证书安装成功？

我已经查看了resolve.conf这里和其他文档中的各种问题，但他们都将 DNS 作为外部事物来讨论，这无助于我在这种情况下进行区分。

• 我有一台服务器。该服务器存在某种 DNS 问题。
• 该服务器运行 Linux（CentOS 7.9）并有 2 个指向它的 IP 地址。
• 该服务器有一个/etc/resolve.conf包含另外两个IP 地址的 IP 地址。

resolve.conf 中的这些其他IP应该是指向服务器的 2 个 IP 还是应该是指向上游的 2 个“陌生”IP？

谢谢

我已经为本地 LAN DNS 运行了 bind9。我还有一个 APT 缓存服务器。因此，我设置了一个 RPZ 文件来毒害某些域名，并让它们解析到我的内部缓存服务器。我认为apt update运行 eg返回解析错误，因为缓存服务器无法解析真正的（外部）记录并获取数据。我认为这意味着我必须将缓存服务器的视图设置为 /32。

所以问题是，我是否可以设置它，以便我的缓存服务器访问中毒区域中的域时只进行转发，而网络的其余部分则获取中毒数据？我只是不确定如何去做。

我最近使用 Bind (v9.18.28-1) 建立了一个新的 DNS 服务器，并且在我的“常规”日志文件中出现了重复的错误块：

02-Oct-2024 09:49:09.723 resolver: DNS format error from 2001:7fe::53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.755 resolver: DNS format error from 2001:dc3::35#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.787 resolver: DNS format error from 2001:500:2f::f#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.819 resolver: DNS format error from 2001:500:12::d0d#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.851 resolver: DNS format error from 2001:503:c27::2:30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.883 resolver: DNS format error from 2001:500:2::c#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.919 resolver: DNS format error from 2001:500:2d::d#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.951 resolver: DNS format error from 2001:7fd::1#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:09.991 resolver: DNS format error from 2001:500:9f::42#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.027 resolver: DNS format error from 2801:1b8:10::b#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.059 resolver: DNS format error from 2001:500:a8::e#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.095 resolver: DNS format error from 2001:500:1::53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.127 resolver: DNS format error from 2001:503:ba3e::2:30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.163 resolver: DNS format error from 192.36.148.17#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.183 resolver: DNS format error from 202.12.27.33#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.207 resolver: DNS format error from 192.5.5.241#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.227 resolver: DNS format error from 192.112.36.4#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.251 resolver: DNS format error from 192.58.128.30#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.275 resolver: DNS format error from 192.33.4.12#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.299 resolver: DNS format error from 199.7.91.13#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.323 resolver: DNS format error from 193.0.14.129#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.347 resolver: DNS format error from 199.7.83.42#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.371 resolver: DNS format error from 170.247.170.2#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.395 resolver: DNS format error from 192.203.230.10#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.423 resolver: DNS format error from 198.97.190.53#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.447 resolver: DNS format error from 198.41.0.4#53 resolving ./NS for <unknown>: non-improving referral
02-Oct-2024 09:49:10.447 resolver: resolver priming query complete: failure

看来这些都是我在 /usr/share/dns/root.hints 文件中列出的所有根名称服务器。

该文件通过我的命名配置文件中的这个区域块引用：

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

以下是我设置的选项：

options {
        directory "/var/cache/bind";

        allow-query {
                any;
        };

        forwarders {
          1.1.1.1;
        };

        allow-recursion {
              xx.xx.xx.xx/29;
              //10.0.0.0/8;
              10.1.0.0/16;
        };
        // hide version #
        version "unknown";


        dnssec-validation auto;


};

知道是什么原因导致这些格式错误吗？我能做些什么来解决？

谢谢大家！

如果我修改我的/etc/hosts文件如下：

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost

更改为：

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       www.microsoft.com

这会将任何访问 的尝试重定向www.microsoft.com到127.0.0.1，从而有效地阻止对 的访问www.microsoft.com。效果很好。

现在，我不想重定向到本地主机，而是想重定向到另一个网站，例如，我想将 /etc/hosts 更改为如下所示：

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
www.google.com       www.microsoft.com

但是，当我尝试访问 时www.microsoft.com，它永远不会将我重定向到www.google.com。它只是直接转到www.microsoft.com并忽略我在 中执行的操作/etc/hosts。

有人知道如何解决这个问题或者如何实现这个目标吗？

问题

将resolve.conf 中的DNS 选项从虚拟机网关更改为8.8.8.8 将导致无法进行DNS 解析。

resolvctl query google.com如果我将 DNS 设置为我的网关，则会成功。

设置

• /etc/resolv.conf 链接到stub-resolv.conf
• Systemd-networkd设置如下

[匹配]
名称=enp0s3

[网络]
地址=192.168.0.222/24
网关=192.168.0.1
DNS=8.8.8.8

• /etc/systemd/resolve.conf 未修改

其他故障排除

• 我尝试将 /etc/resolv.conf 链接到 /run/systemd/resolve/resolv.conf ，并且只列出 8.8.8.8 作为名称服务器。但 systemd-resolved 会覆盖 /run/systemd/resolve/resolv.conf

我的 Turris Omnia 无法解析 t.co，但与其他域（例如 twitter.com 或 x.co）没有问题。本地名称 (hpdisk.lan) 也可以使用：

root@turris:~# ping t.co
ping: t.co: Name does not resolve

root@turris:~# ping twitter.com
PING twitter.com (104.244.42.193) 56(84) bytes of data.
64 bytes from 104.244.42.193 (104.244.42.193): icmp_seq=1 ttl=58 time=11.5 ms

tange@turris:~$ ping x.co
PING x.co (148.72.51.157) 56(84) bytes of data.
64 bytes from 157.51.72.148.host.secureserver.net (148.72.51.157): icmp_seq=1 ttl=42 time=139 ms

tange@turris:~$ ping hpdisk.lan
PING hpdisk.lan (192.168.1.30) 56(84) bytes of data.
64 bytes from 192.168.1.30 (192.168.1.30): icmp_seq=1 ttl=64 time=0.374 ms

路由器查询身份验证名称服务器没有问题，因此不是由某些网络过滤或路由问题引起的：

root@turris:/tmp/log# dig @a.r06.twtrdns.net. t.co

; <<>> DiG 9.18.24 <<>> @a.r06.twtrdns.net. t.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13597
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;t.co.                          IN      A

;; ANSWER SECTION:
t.co.                   300     IN      A       104.244.42.197

查找 u.co 会导致此流量（与 [as,uz].co 非常相似）：

14:36:00.469554 IP 100.100.246.190.51757 > 156.154.105.25.53: 20216% [1au] A? U.CO. (33)
14:36:00.484396 IP 156.154.105.25.53 > 100.100.246.190.51757: 20216- 0/6/1 (639)
14:36:00.485495 IP 100.100.246.190.55245 > 193.108.91.245.53: 25634% [1au] A? Ns50.DoMAInCoNtROL.COm. (51)
14:36:00.500380 IP 193.108.91.245.53 > 100.100.246.190.55245: 25634*- 1/0/1 A 173.201.72.25 (67)
14:36:00.500659 IP 100.100.246.190.60650 > 173.201.72.25.53: 49104% [1au] A? U.Co. (33)
14:36:00.513975 IP 173.201.72.25.53 > 100.100.246.190.60650: 49104*- 2/2/1 A 15.197.142.173, A 3.33.152.147 (120)

查找 t.co 不会导致任何流量。闻起来好像 Knot Resolver 认为它是 t.co 的授权

我已尝试重新启动路由器。这并没有解决问题。

root@turris:~# uname -a
Linux turris 5.15.148 #0 SMP Tue Apr 2 01:04:13 2024 armv7l GNU/Linux
root@turris:~# kresd --version
Knot Resolver, version 5.7.1
root@turris:~# netstat -anp |grep 0:53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18768/kresd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18768/kresd
tange@turris:~$ cat /etc/resolv.conf 
search lan
nameserver 127.0.0.1
nameserver ::1
root@turris:/tmp/log# cat /var/log/resolver 
Apr 27 11:52:30 turris kresd[8728]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
Apr 27 11:52:50 turris kresd[12702]: [system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288

我还没有发现任何浏览器支持定义的别名，/etc/hosts即使单个术语（无需在浏览器中预先添加http://）不被解释为默认搜索引擎的搜索术语（badwolf browser的情况）也是如此。别名在前缀为 http:// 时有效，例如， http://bse但必须键入http://会破坏使用它们的目的。

Cloudflare 不允许通过别名访问 bitcoin.stackexchange.com，定义为 172.64.144.30 bitcoin.stackexchange.com bse

Error 1003 Ray ID: 85750e9fc9b65e4d • 2024-02-18 08:56:29 UTC
Direct IP access not allowed
What happened?
You've requested an IP address that is part of the Cloudflare network. A valid Host header must be supplied to reach the desired website.

当我尝试访问时，bitcoin.stackexchange.com我没有从 Cloudflare 收到任何错误。

1. bitcoin.stackexchange.com当我尝试从台式电脑访问并附加到 时，我是否发送主机标172.64.144.30 bitcoin.stackexchange.com bse头/etc/hosts？

2. 为什么我在尝试访问浏览器时会得到不同的浏览器http://bse行为bitcoin.stackexchange.com？

3. Brave、Firefox (？)、Chromium 等浏览器中是否有任何设置about:config可以让我无缝地使用我的别名？

除了/etc/hosts我的 DNS 查询之外，其他查询均由家庭路由器解析，如我的内容所示/etc/resolv.conf

# Generated by Connection Manager
search home 
nameserver 192.168.1.1

我所做的研究是man hosts。附加的假设目的172.64.144.30 bitcoin.stackexchange.com bse是/etc/hosts限制对我的路由器的 dns 服务器的某些 DNS 查询的数量（这可能使我的分析看起来过于激进，从而导致有针对性的监视）。我知道反向 DNS 查找的可能性，但这超出了问题的范围。

运行时，dig您可以指定“服务器”（您进行查询的 DNS 服务器）、“域”和“主机”。由于“主机”不是可选的，我猜这就是您想要解决的问题。但您也可以指定一个“域”。我认为如果我们以unix.stackexchange.com为例，“主机”可能是unix，“域”可能是stackexchange.com，但dig stackexchange.com unix似乎没有检索 的 dns 记录unix.stackexchange.com。

我所指的“主机”和“域”是下面帮助行中列出的内容。

（澄清一下，我知道这是dig unix.stackexchange.com可行的，我在挖掘帮助热线中询问“主机”和“域”的含义）

$ dig -v
DiG 9.16.44-Debian
$ dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain    is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -b address[#port]   (bind to source address/port)
                 -c class            (specify query class)
                 -f filename         (batch mode)
                 -k keyfile          (specify tsig key file)
                 -m                  (enable memory usage debugging)
                 -p port             (specify port number)
                 -q name             (specify query name)
                 -r                  (do not read ~/.digrc)
                 -t type             (specify query type)
                 -u                  (display times in usec instead of msec)
                 -x dot-notation     (shortcut for reverse lookups)
                 -y [hmac:]name:key  (specify named base64 tsig key)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]aaflag         (Set AA flag in query (+[no]aaflag))
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
...
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)