Problem description:
On Ubuntu 22.04 there are various reasons you may need to turn on NAT masquerading, which requires running "iptables -t nat -A POSTROUTING -j MASQUERADE".
But once masquerading is on, DNS breaks: domain names no longer resolve. The cause lies in Ubuntu's rather involved DNS setup (specifically the systemd-resolved service), which trips up a lot of people. The fix in this post is simple and blunt: stop Ubuntu's own DNS service (systemd-resolved) and use /etc/resolv.conf directly. The troubleshooting process follows.
The concrete symptom: first look at the DNS configuration:
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
The DNS server is 127.0.0.53. Before the MASQUERADE rule was added it could be pinged and used normally. After running MASQUERADE, ping it again:
~# ping 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.
64 bytes from 127.0.0.53: icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from 127.0.0.53: icmp_seq=2 ttl=64 time=0.059 ms
It still answers ping, but domain names no longer resolve (presumably because of systemd-resolved). Trace with dig:
# dig google.com +trace
;; communications error to 127.0.0.53#53: timed out
The system can no longer reach 127.0.0.53; the query times out. The rest of this post replaces that 127.0.0.53 address.
On Ubuntu 22.04 DNS is managed by the systemd-resolved service. The file /etc/resolv.conf still exists, but it is a symlink managed by systemd-resolved and should not be edited by hand. Note that this configuration file really is a symlink:
root@us:~# ll /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 21 2022 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
First check the service status:
# systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2024-03-09 04:19:35 UTC; 3h 10min ago
Docs: man:systemd-resolved.service(8)
man:org.freedesktop.resolve1(5)
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
Main PID: 2247 (systemd-resolve)
Status: "Processing requests..."
Tasks: 1 (limit: 1037)
Memory: 4.7M
CPU: 72ms
CGroup: /system.slice/systemd-resolved.service
└─2247 /lib/systemd/systemd-resolved
Mar 09 04:19:37 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.
Mar 09 05:14:36 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.
Mar 09 05:14:36 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.
Mar 09 05:17:02 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.
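The status output above already contains the most useful hint: the repeated "Got packet on unexpected (i.e. non-localhost) IP range, ignoring." lines mean the stub listener on 127.0.0.53 is receiving queries whose source address is no longer a loopback address and is dropping them. The following shell functions are an added example, not code from the original post: they check the three things the post inspects by hand (is /etc/resolv.conf the systemd-resolved symlink, does it point at 127.0.0.53, and how many queries has the stub dropped) but take file paths as parameters and are exercised here on constructed copies only, so nothing touches the live system. The sample journal text and file layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks for the
# symptoms described above. All inputs are file paths so the functions can
# be exercised on constructed copies; nothing here touches the live system.

# Print the active nameserver entries of a resolv.conf, skipping comments.
resolv_nameservers() {
    # $1: path to a resolv.conf-style file
    grep -E '^[[:space:]]*nameserver[[:space:]]+' "$1" | awk '{print $2}'
}

# Return 0 when the file still sends queries to the systemd-resolved stub
# listener (127.0.0.53), which is the state the post starts from.
resolv_uses_stub() {
    resolv_nameservers "$1" | grep -qx '127.0.0.53'
}

# Return 0 when the path is the symlink systemd-resolved installs, i.e. it
# resolves to a stub-resolv.conf under a systemd/resolve directory.
resolv_is_resolved_symlink() {
    [ -L "$1" ] && readlink "$1" | grep -q 'systemd/resolve/stub-resolv.conf$'
}

# Count journal lines in which the stub listener dropped a query because its
# source address was not a loopback address (the message seen in the
# systemctl status output above). $1: a file holding journal text.
resolved_dropped_nonlocal() {
    grep -c 'Got packet on unexpected (i.e. non-localhost) IP range' "$1" || true
}

# Demo on constructed data mirroring the layout on the page (not real files).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/run/systemd/resolve"
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch .\n' \
        > "$tmp/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$tmp/etc/resolv.conf"
    printf '%s\n' \
        'Mar 09 04:19:37 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.' \
        'Mar 09 05:14:36 us systemd-resolved[2247]: Got packet on unexpected (i.e. non-localhost) IP range, ignoring.' \
        'Mar 09 04:19:35 us systemd[1]: Started Network Name Resolution.' \
        > "$tmp/journal.txt"

    if resolv_is_resolved_symlink "$tmp/etc/resolv.conf" && resolv_uses_stub "$tmp/etc/resolv.conf"; then
        echo "resolv.conf is the systemd-resolved stub link (nameserver 127.0.0.53)"
    fi
    echo "queries dropped as non-localhost: $(resolved_dropped_nonlocal "$tmp/journal.txt")"
    rm -rf "$tmp"
}
demo
```

On a real host you would call the functions with /etc/resolv.conf and a file produced by `journalctl -u systemd-resolved`; a non-zero drop count together with the stub symlink is exactly the situation the post goes on to fix.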
To change the DNS nameserver for this service you must edit /etc/systemd/resolved.conf; below, 8.8.8.8 has been added as the DNS server:
cat /etc/systemd/resolved.conf
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=8.8.8.8
Restart the service with systemctl restart systemd-resolved, then check the current DNS server with resolvectl status:
# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
DNS Servers: 8.8.8.8
Link 2 (eth0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 2001:4860:4860::8888 2001:4860:4860::4444 205.185.112.68 205.185.112.69
Link 5 (tinc0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
The current DNS server is now 8.8.8.8. Ping it:
~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=16.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=16.1 ms
It responds, so the network is fine. Next use dig to trace and see whether DNS works:
# dig google.com +trace
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
Even though we changed the DNS server, the system still goes to 127.0.0.53. This is the trap that catches many people with systemd-resolved.
Leave that aside for today and just stop systemd-resolved:
root@us:/run/systemd/resolve# systemctl stop systemd-resolved
root@us:/run/systemd/resolve# systemctl disable systemd-resolved
Removed /etc/systemd/system/dbus-org.freedesktop.resolve1.service.
Removed /etc/systemd/system/multi-user.target.wants/systemd-resolved.service.
Querying again with systemd-resolved's resolvectl command shows the service is no longer available:
root@us:~# resolvectl status
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.
Delete the resolv.conf symlink, then write a fresh resolv.conf: comment out 127.0.0.53 and add the provider's DNS servers. Simple and blunt:
root@us:~# cat /etc/resolv.conf
#nameserver 127.0.0.53
nameserver 205.185.112.68
nameserver 205.185.112.69
options edns0 trust-ad
search .
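The replacement step above, as an added example that is not part of the original post: a function that removes the systemd-resolved symlink and writes a static resolv.conf with the given nameservers, plus a small check that the result is the state the post ends in. The target path is a parameter so the function can be tried on a scratch copy first; the stop/disable commands from the post are kept in their own function so the file-writing part can be run without root. The two 205.185.112.x addresses are the ones from the post and stand in for whatever your provider assigns; the directory layout in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the replacement step as a
# function that writes a static resolv.conf. The target path is a parameter
# so it can be tried on a scratch file first; nameserver addresses are the
# ones from the post and should be replaced with your provider's.

# Write a static resolv.conf at $1 with the nameservers given in $2..$n.
# If $1 is the symlink systemd-resolved installed, it is removed first so
# the write does not go through to /run/systemd/resolve/stub-resolv.conf.
write_static_resolv_conf() {
    target=$1
    shift
    [ "$#" -ge 1 ] || { echo "usage: write_static_resolv_conf FILE NS..." >&2; return 2; }
    if [ -L "$target" ]; then
        rm -f "$target"
    fi
    {
        echo '#nameserver 127.0.0.53'   # the stub listener, kept as a reminder
        for ns in "$@"; do
            echo "nameserver $ns"
        done
        echo 'options edns0 trust-ad'
        echo 'search .'
    } > "$target.tmp" && mv "$target.tmp" "$target"
}

# Stop and disable systemd-resolved (the commands run in the post). Kept
# separate so the file-writing step can be tested without root.
disable_systemd_resolved() {
    systemctl stop systemd-resolved && systemctl disable systemd-resolved
}

# Return 0 when the file is a regular file (not the symlink) and none of its
# active nameserver lines point at the stub address.
resolv_is_static() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        ! grep -E '^[[:space:]]*nameserver[[:space:]]+' "$1" | awk '{print $2}' | grep -qx '127.0.0.53'
}

# Demo on a scratch copy that mirrors the layout on the page (constructed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/run/systemd/resolve"
    echo 'nameserver 127.0.0.53' > "$tmp/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$tmp/etc/resolv.conf"
    write_static_resolv_conf "$tmp/etc/resolv.conf" 205.185.112.68 205.185.112.69
    cat "$tmp/etc/resolv.conf"
    if resolv_is_static "$tmp/etc/resolv.conf"; then
        echo "resolv.conf is now a static file"
    fi
    # The stub file systemd-resolved manages is untouched by the rewrite:
    cat "$tmp/run/systemd/resolve/stub-resolv.conf"
    rm -rf "$tmp"
}
demo
```

On the real host the order is the one the post uses: disable_systemd_resolved first, then write_static_resolv_conf /etc/resolv.conf with your provider's addresses. If you would rather keep systemd-resolved, the usual alternative is to restrict the masquerade rule to the outbound interface (for example `-o eth0`, the interface name in the resolvectl output above) so that loopback traffic to 127.0.0.53 is not rewritten; that is not the route the post takes and is mentioned only as a pointer.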
Check the resolution details again; it resolves normally now:
root@us:~# nslookup google.com
Server: 205.185.112.68
Address: 205.185.112.68#53
Non-authoritative answer:
Name: google.com
Address: 172.217.12.142
Name: google.com
Address: 2607:f8b0:4007:801::200e
Another blogger's post with more details: https://www.keepnight.com/archives/1772/