我已经设置了 Client-VPN,但似乎无法在私有子网中访问我的 RDS 实例。我可以使用 IP 但不能通过 DNS 访问 EC2 实例。我的设置看起来有点像这样:
专有网络:
- CIDR:10.0.0.0/16
- DNS 解析:已启用
- DNS 主机名:已启用
客户端-VPN:
- DNS 服务器:10.0.0.2(也试过空)
- 安全组:vpn-sg(从我的 IP 全部入口,全部出口)
- 客户端 CIDR:10.1.0.0/16
- 传输:UDP 443
- 关联:3 个私有子网(都可以访问 RDS 实例)
- 拆分隧道:启用
RDS 实例:
- 安全组:rds-sg
- 安全组入口:来自 vpn-sg 的所有流量
我认为 DNS 解析存在问题,并且由于某种原因,RDS 实例的 DNS 没有得到解析。从我的 EC2 实例中,我可以连接到 RDS,这表明 DNS 解析正在 VPC 中工作。
我正在运行 Ubunutu 20.04,并且正在使用 AWS VPN 客户端(我相信它在下面使用了 openvpn)。我正在使用从 AWS 控制面板中的 VPN 设置下载的 openvpn 配置。
有人可以帮助解释为什么 DNS 没有被解析吗?调试信息如下。
连接到 VPN 时进行调试
$ ping ip-10-0-0-177.eu-west-1.compute.internal
ping: ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
$ ping 10.0.0.177
PING 10.0.0.177 (10.0.0.177) 56(84) bytes of data.
64 bytes from 10.0.0.177: icmp_seq=1 ttl=254 time=22.8 ms
64 bytes from 10.0.0.177: icmp_seq=2 ttl=254 time=22.5 ms
64 bytes from 10.0.0.177: icmp_seq=3 ttl=254 time=24.1 ms
--- 10.0.0.177 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 22.472/23.841/25.161/1.046 ms
$ systemd-resolve --status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 22 (tun0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 10.0.0.2
DNS Servers: 10.0.0.2
Link 3 (wlp0s20f3)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.1.254
DNS Servers: 192.168.1.254
DNS Domain: ~.
home
$ traceroute google.com
traceroute to google.com (216.58.212.238), 30 hops max, 60 byte packets
1 eehub.home (192.168.1.254) 2.327 ms 2.225 ms 3.201 ms
2 * * *
3 * * *
4 213.121.98.128 (213.121.98.128) 14.432 ms 14.407 ms 14.380 ms
5 87.237.20.130 (87.237.20.130) 20.563 ms 20.538 ms 20.992 ms
6 74.125.52.216 (74.125.52.216) 16.718 ms 12.813 ms 12.728 ms
7 * * *
8 142.251.52.148 (142.251.52.148) 13.044 ms 209.85.248.240 (209.85.248.240) 11.870 ms 142.251.54.26 (142.251.54.26) 13.344 ms
9 ams16s22-in-f14.1e100.net (216.58.212.238) 13.257 ms 216.239.63.219 (216.239.63.219) 14.388 ms 14.360 ms
$ traceroute ip-10-0-0-177.eu-west-1.compute.internal
ip-10-0-0-177.eu-west-1.compute.internal: Name or service not known
Cannot handle "host" cmdline arg `ip-10-0-0-177.eu-west-1.compute.internal' on position 1 (argc 1)
编辑 1:我刚刚学习了如何dig使用特定名称服务器运行命令,并确认当系统使用正确的服务器时 DNS 解析确实有效:
$ dig @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ip-10-0-0-177.eu-west-1.compute.internal
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2950
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 60 IN A 10.0.0.177
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:38:15 GMT 2022
;; MSG SIZE rcvd: 85
编辑 2:在阅读了一些故障排除提示后,我设法获得了 EC2 DNS 解析,但没有获得 RDS。仍然希望有人可以帮助破译这个:)
$ dig ip-10-0-0-177.eu-west-1.compute.internal
; <<>> DiG 9.16.1-Ubuntu <<>> ip-10-0-0-177.eu-west-1.compute.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3681
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ip-10-0-0-177.eu-west-1.compute.internal. IN A
;; ANSWER SECTION:
ip-10-0-0-177.eu-west-1.compute.internal. 54 IN A 10.0.0.177
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:46:10 GMT 2022
;; MSG SIZE rcvd: 85
dig ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> ***.***.eu-west-1.rds.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44468
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Mar 05 22:48:26 GMT 2022
;; MSG SIZE rcvd: 82
同样,当我直接针对正确的名称服务器执行此操作时,它会解析。
dig @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> @10.0.0.2 ***.***.eu-west-1.rds.amazonaws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5532
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;***.***.eu-west-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
***.***.eu-west-1.rds.amazonaws.com. 5 IN A 10.0.1.233
;; Query time: 24 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Sat Mar 05 22:49:23 GMT 2022
;; MSG SIZE rcvd: 98