Ubuntu 20 上的 BIND9-无法配置 Zone 以正常工作

Ubuntu 20 上的 BIND9-无法配置 Zone 以正常工作

我在 Ubuntu 20 上安装了它,并配置了两个区域。选项配置文件如下:

// Trusted client networks. NOTE(review): this ACL is declared but is not
// referenced by any statement in the configuration shown here, so as
// posted it has no effect.
acl internal {
        localhost;
        localnets;
        192.168.70.0/24;
        10.200.157.0/24;
};
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // Upstream resolver consulted for names outside this server's own
        // zones (e.g. the google.com lookup further down the page).
        forwarders {
                9.9.9.9;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // NOTE(review): validation is switched off, so answers coming back
        // from the forwarder are accepted without any DNSSEC checking. Unless
        // there is a known reason, prefer the packaged default
        // "dnssec-validation auto;".
        dnssec-validation no;
        //auth-nxdomain no;

        // Bind to loopback and the LAN address only; the netstat output on
        // this page shows exactly these sockets on port 53.
        listen-on { 127.0.0.1; 192.168.70.66; };
        listen-on-v6 { ::1; };
        // NOTE(review): with "any", every client that can reach the LAN
        // address gets recursion and cache access, i.e. this host is an open
        // recursive resolver on that interface. Restricting these two to the
        // "internal" ACL above (allow-recursion { internal; };
        // allow-query-cache { internal; };) keeps recursive service for the
        // listed networks only; the authoritative zones stay answerable for
        // everyone through allow-query { any; }.
        allow-recursion { any; };
        allow-query-cache { any; };
        allow-query { any; };
};

本地配置文件

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Primary (authoritative) forward zone; records come from the file below.
zone "wisam.rph" {
 type master;
 file "/etc/bind/forward.wisam.rph";
 allow-query { any; };
};
// Primary reverse zone for 192.168.70.0/24; owner names in its file are
// relative to 70.168.192.in-addr.arpa.
zone "70.168.192.in-addr.arpa" {
 type master;
 file "/etc/bind/reverse.wisam.rph";
 allow-query { any; };
};
logging {
 // NOTE(review): a channel only receives what a "category" statement
 // routes to it, and no category appears in the configuration shown, so
 // nothing is written to this file as posted. To log queries, add e.g.
 // "category queries { query.log; };" inside this logging block. The
 // directory presumably also has to be writable by the user named runs
 // as ("bind" according to the systemctl status output).
 channel query.log {
        file "/var/log/named/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity dynamic;
 };
};

正向区域

;
; BIND data file for local loopback interface
; (header kept from the packaged template; this file is the wisam.rph
; forward zone)
;
$TTL    604800
; SOA: primary name server and responsible mailbox for the zone.
; NOTE(review): this zone names vmubuntuauthserver as primary/NS, while the
; reverse zone uses nameserver for the same host. Both names resolve to
; 192.168.70.66 below, so this works, but using one name for the server
; throughout avoids confusion.
@       IN      SOA     vmubuntuauthserver.wisam.rph. root.vmubuntuauthserver.wisam.rph. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
; Address of the host named in the SOA (above) and NS (below) records.
vmubuntuauthserver      IN      A       192.168.70.66
;
@       IN      NS      vmubuntuauthserver.wisam.rph.
nameserver      IN      A       192.168.70.66
www     IN      A       192.168.70.66
; NOTE(review): an apex AAAA of ::1 looks like a leftover from the loopback
; template; it answers AAAA queries for wisam.rph with the loopback address
; for every client. Verify this is intended.
@       IN      AAAA    ::1

反向区域

;
; BIND reverse data file for local loopback interface
; (header kept from the packaged template; this file serves
; 70.168.192.in-addr.arpa, i.e. 192.168.70.0/24)
;
$TTL    604800
; SOA: primary name server and responsible mailbox for the reverse zone.
@       IN      SOA     nameserver.wisam.rph. root.nameserver.wisam.rph. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      nameserver.wisam.rph.
; "66" is relative to the zone origin, so this is the PTR for
; 66.70.168.192.in-addr.arpa (192.168.70.66), matching the dig -x output
; shown on this page.
66      IN      PTR     nameserver.wisam.rph.

请注意,服务器的 IP 是 192.168.70.66。我已禁用 systemd-resolved,删除了 resolv.conf 文件,并用以下内容重新创建了 resolv.conf

nameserver 192.168.70.66
search wisam.rph

在服务器中,如果我执行“dig nameserver.wisam.rph”,我得到的结果是

; <<>> DiG 9.16.1-Ubuntu <<>> nameserver.wisam.rph
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61584
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 32e45ecf7d5069f601000000653a9e7e43d963d1c233e471 (good)
;; QUESTION SECTION:
;nameserver.wisam.rph.          IN      A
;; ANSWER SECTION:
nameserver.wisam.rph.   604800  IN      A       192.168.70.66
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:14:38 UTC 2023
;; MSG SIZE  rcvd: 93

对于反向“dig -x 192.168.70.66”,我得到

; <<>> DiG 9.16.1-Ubuntu <<>> -x 192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: add17d7373cfe21c01000000653a9ed0d83ec9b4b4f3cfb0 (good)
;; QUESTION SECTION:
;66.70.168.192.in-addr.arpa.    IN      PTR
;; ANSWER SECTION:
66.70.168.192.in-addr.arpa. 604800 IN   PTR     nameserver.wisam.rph.
;; Query time: 0 msec
;; SERVER: 192.168.70.66#53(192.168.70.66)
;; WHEN: Thu Oct 26 17:16:00 UTC 2023
;; MSG SIZE  rcvd: 117

到这里我还没有发现任何问题。我确实运行了“sudo ufw allow Bind9”以确保允许流量,但在另一台 Ubuntu 20 桌面机上把 DNS 设置为 192.168.70.66,并尝试执行“dig nameserver.wisam.rph @192.168.70.66”时,我得到了

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> nameserver.wisam.rph @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46698
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nameserver.wisam.rph.          IN      A
;; Query time: 4 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:19:36 EDT 2023
;; MSG SIZE  rcvd: 49

但如果我 ping 它,我会得到

PING 192.168.70.66 (192.168.70.66) 56(84) bytes of data.
64 bytes from 192.168.70.66: icmp_seq=1 ttl=64 time=0.937 ms
64 bytes from 192.168.70.66: icmp_seq=2 ttl=64 time=0.644 ms
64 bytes from 192.168.70.66: icmp_seq=3 ttl=64 time=0.803 ms
64 bytes from 192.168.70.66: icmp_seq=4 ttl=64 time=0.707 ms
64 bytes from 192.168.70.66: icmp_seq=5 ttl=64 time=0.660 ms
64 bytes from 192.168.70.66: icmp_seq=6 ttl=64 time=0.690 ms
64 bytes from 192.168.70.66: icmp_seq=7 ttl=64 time=0.751 ms
64 bytes from 192.168.70.66: icmp_seq=8 ttl=64 time=0.784 ms
64 bytes from 192.168.70.66: icmp_seq=9 ttl=64 time=0.675 ms
64 bytes from 192.168.70.66: icmp_seq=10 ttl=64 time=0.384 ms
64 bytes from 192.168.70.66: icmp_seq=11 ttl=64 time=0.504 ms
64 bytes from 192.168.70.66: icmp_seq=12 ttl=64 time=0.378 ms
64 bytes from 192.168.70.66: icmp_seq=13 ttl=64 time=0.558 ms
64 bytes from 192.168.70.66: icmp_seq=14 ttl=64 time=0.401 ms
64 bytes from 192.168.70.66: icmp_seq=15 ttl=64 time=1.13 ms
64 bytes from 192.168.70.66: icmp_seq=16 ttl=64 time=0.355 ms
64 bytes from 192.168.70.66: icmp_seq=17 ttl=64 time=0.340 ms
64 bytes from 192.168.70.66: icmp_seq=18 ttl=64 time=0.359 ms
64 bytes from 192.168.70.66: icmp_seq=19 ttl=64 time=0.290 ms
64 bytes from 192.168.70.66: icmp_seq=20 ttl=64 time=0.410 ms
64 bytes from 192.168.70.66: icmp_seq=21 ttl=64 time=0.426 ms
64 bytes from 192.168.70.66: icmp_seq=22 ttl=64 time=0.605 ms
64 bytes from 192.168.70.66: icmp_seq=23 ttl=64 time=0.420 ms
64 bytes from 192.168.70.66: icmp_seq=24 ttl=64 time=0.412 ms
64 bytes from 192.168.70.66: icmp_seq=25 ttl=64 time=0.428 ms

如果我执行“dig google.com @192.168.70.66”,我会得到

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> google.com @192.168.70.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57387
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A
;; ANSWER SECTION:
google.com.             33      IN      A       142.250.176.206
;; Query time: 12 msec
;; SERVER: 192.168.70.66#53(192.168.70.66) (UDP)
;; WHEN: Thu Oct 26 13:21:55 EDT 2023
;; MSG SIZE  rcvd: 55

“netstat -lnptu | grep 53”的结果是

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 192.168.70.66:53        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:53                  :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -
udp        0      0 192.168.70.66:53        0.0.0.0:*                           -
udp        0      0 192.168.70.66:53        0.0.0.0:*                           -
udp        0      0 192.168.70.66:53        0.0.0.0:*                           -
udp        0      0 192.168.70.66:53        0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
udp6       0      0 ::1:53                  :::*                                -
udp6       0      0 ::1:53                  :::*                                -
udp6       0      0 ::1:53                  :::*                                -
udp6       0      0 ::1:53                  :::*                                -
udp6       0      0 :::5353                 :::*                                -

使用 Wireshark 抓包,以下是尝试 ping namespace.wisam.rph 时收到的 DNS 响应

Domain Name System (response)
    Transaction ID: 0x56ba
    Flags: 0x8183 Standard query response, No such name
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0011 = Reply code: No such name (3)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        namespace.wisam.rph: type A, class IN
    Authoritative nameservers
        <Root>: type SOA, class IN, mname a.root-servers.net
    [Request In: 187889]
    [Time: 0.016853000 seconds]

运行“sudo systemctl status named”时我得到的结果如下

named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-10-29 23:25:46 UTC; 1s ago
       Docs: man:named(8)
   Main PID: 51693 (named)
      Tasks: 14 (limit: 19082)
     Memory: 26.6M
     CGroup: /system.slice/named.service
             └─51693 /usr/sbin/named -f -u bind

Oct 29 23:25:46 vmubuntuauthserver named[51693]: command channel listening on ::1#953
Oct 29 23:25:46 vmubuntuauthserver named[51693]: managed-keys-zone: loaded serial 6
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 0.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone localhost/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 70.168.192.in-addr.arpa/IN: loaded serial 2
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone wisam.rph/IN: loaded serial 4
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 127.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: zone 255.in-addr.arpa/IN: loaded serial 1
Oct 29 23:25:46 vmubuntuauthserver named[51693]: all zones loaded
Oct 29 23:25:46 vmubuntuauthserver named[51693]: running

我遗漏了什么?对于那些被注释掉的行,我也试过启用它们,但结果与不启用时相同。[请注意,监听和转发相关的行是我自己添加的;我曾把它们注释掉,目前已取消注释]

答案1

只为 wisam.rph 本身创建 SOA(起始授权机构)记录,并为它指定 IP 地址,然后再创建名称服务器记录。如下所示:

;
; BIND data file for local loopback interface
;
$TTL    604800
; NOTE(review): when this file replaces the one already loaded, raise the
; serial above the currently loaded value (4 in the systemctl status output)
; instead of lowering it to 2; named may warn that the serial went
; backwards, and any secondary would never pick up the change.
; NOTE(review): the SOA mname conventionally holds the primary server's
; host name (nameserver.wisam.rph., as in the NS record below) rather than
; the zone name; it works here only because the apex gets an A record.
@       IN      SOA     wisam.rph. root.wisam.rph. (
2         ; Serial
604800         ; Refresh
86400         ; Retry
2419200         ; Expire
604800 )       ; Negative Cache TTL
; No owner name on this line, so it inherits the previous owner (@):
; an A record for the zone apex wisam.rph itself.
        IN      A       192.168.70.66
;
@       IN      NS      nameserver.wisam.rph.
; Address of the host named in the NS record above.
nameserver      IN      A       192.168.70.66
www     IN      A       192.168.70.66
@       IN      AAAA    ::1

您的反向区域文件不应包含正向类型的记录。如下所示:

;
; BIND reverse data file for local 192.168.70.XXX net
;
$TTL    604800
; NOTE(review): the reverse zone already loaded has serial 2 (systemctl
; status output), so use a value higher than that here rather than 1;
; named may warn that the serial went backwards, and any secondary would
; never pick up the change.
@       IN      SOA     nameserver.wisam.rph. root.wisam.rph. (
1         ; Serial
604800         ; Refresh
86400         ; Retry
2419200         ; Expire
604800 )       ; Negative Cache TTL
;
@       IN      NS      nameserver.wisam.rph.
; Relative owner: PTR for 66.70.168.192.in-addr.arpa (192.168.70.66).
66      IN      PTR     nameserver.wisam.rph.
