CentOS bind9 服务器不断从主 ADDNS 收到错误消息

tag-icon tag-icon centos windows dns bind
CentOS bind9 服务器不断从主 ADDNS 收到错误消息

在过去的几天里,我一直试图将我的 Bind9 服务器作为辅助区域连接到我的 AD 的 DNS,但无济于事。这一切都是在 VMware 上完成的,使用 pfSense 连接两者(是的,端口 53 tcp/udp 也在那里打开)

问题似乎是,当尝试从主服务器传输区域时,数据包将被丢弃,尽管没有防火墙应该拒绝它们。

我可以毫无问题地 ping 所有这些,并且我还可以从普通的 Windows 客户端通过 nslookup 传输区域。

在将 Bind 服务器连接到 ADDNS 服务器时,查看 Wireshark 和 tcpdump -i 任何端口 53,得到以下结果:

https://i.stack.imgur.com/Dpd2I.png

是的,看起来防火墙确实阻止了查询,但相信我,这不可能。我尝试禁用所有防火墙,并添加了要通过的服务和端口号。

您还可以看到 Windows 服务器给了我一个超时错误,尽管它已经开始给我“具有此 IP 的服务器对该区域没有权威性”无论我尝试在哪里应用它(对于区域传输、NS 记录、连接到服务器等)都会出现此错误。

查看命名状态,它给我带来了大量问题,主要是关于非权威回应:

managed-keys-zone: loaded serial 97
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
all zones loaded
running
zone centns.bliss.lan/IN: refresh: non-authoritative answer from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: non-authoritative answer from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: non-authoritative answer from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: non-authoritative answer from master 192.168.64.64#53 (source 0.0.0.0#0)

-

managed-keys-zone: loaded serial 97
zone 0.in-addr.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
all zones loaded
running
zone centns.bliss.lan/IN: refresh: CNAME at top of zone in master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: CNAME at top of zone in master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: CNAME at top of zone in master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: CNAME at top of zone in master 192.168.64.64#53 (source 0.0.0.0#0)
error (host unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 192.5.5.241#53
error (host unreachable) resolving './DNSKEY/IN': 192.5.5.241#53
error (host unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 198.97.190.53#53
error (host unreachable) resolving './NS/IN': 192.5.5.241#53

- 这是在 ADDNS 中为服务器设置 CNAME 记录之后的结果。虽然我没有设置 DNSSEC。

-

managed-keys-zone: journal file is out of date: removing journal file
managed-keys-zone: loaded serial 101
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
all zones loaded
running
zone centns.bliss.lan/IN: refresh: unexpected rcode (NXDOMAIN) from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: unexpected rcode (NXDOMAIN) from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: unexpected rcode (NXDOMAIN) from master 192.168.64.64#53 (source 0.0.0.0#0)
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on 127.0.0.1#53
no longer listening on 192.168.64.128#53
exiting
managed-keys-zone: loaded serial 101
zone 0.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
all zones loaded
running
zone centns.bliss.lan/IN: refresh: NODATA response from master 192.168.64.64#53 (source 0.0.0.0#0)
zone centns.bliss.lan/IN: refresh: NODATA response from master 192.168.64.64#53 (source 0.0.0.0#0)

- 所以问题看起来很简单,它被视为权威服务器,即使我将它声明为从属服务器?

这是我的named.conf

[root@centns ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53       { 192.168.64.128; 127.0.0.1; };
        filter-aaaa-on-v4       yes;
        directory               "/var/named/";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
//      auth-nxdomain           no;
//      allow-query             { 192.168.64.0/24; };
//      allow-transfer          { 127.0.0.1; 192.168.64.64; };
//      allow-notify            { 127.0.0.1; 192.168.64.64; };
//      allow-recursion         { 127.0.0.1; 192.168.64.64; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;


        dnssec-enable no;
        dnssec-validation auto;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };


};
zone "centns.bliss.lan" IN
        {
        type            slave;
        file            "centNS.bliss.lan";
        masters         { 192.168.64.64; };
        allow-query     { 192.168.64.0/24; };
        allow-transfer  { 192.168.64.0/24; };
//      allow-recursion { 192.168.64.0/24; };
        };
                /*
zone "64.168.192.in-addr.arpa" IN
        {
        type slave;
        file "rev.centNS.bliss.lan";
        masters { 192.168.64.64; };
        notify yes;
        };
                */
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

从所有注释行可以看出,我现在已经尝试了几件事。

我努力了:

*在 Windows 和 CentOS 上禁用防火墙

*在我的 CentNS 服务器的 AD DNS 中设置 A 和 CNAME 记录

*确保 Windows 已启用 BIND

如果您需要更多信息,请询问,我真的希望这能起作用。

答案1

为了创建 Windows DNS 的从属服务器,在 Windows 端,您需要授权区域传输。

大致来说,根据 Windows 版本,该路径为“服务器管理器->DNS->DNS 管理器->属性->区域传输”。选择“允许区域传输”和“仅传输到以下服务器”,然后添加您的 BIND IP 地址。

至于您的 BIND 配置,您还需要允许以 _ 开头的名称,因为 Windows DNS 使用它们。因此,在选项部分,您添加:

check-names master ignore;

还要注意您的 DLV DNSSEC 配置,您收到错误是(host unreachable)因为 DLV 已经过时多年并且该项目自 2015 年以来就已终止。

因此注释掉或者删除该行bindkeys-file "/etc/named.iscdlv.key";

答案2

您的图像显示“主机管理禁止”,因此某处一定有防火墙。

尽管我将其声明为从属服务器,但它被视为权威服务器?

从属服务器也具有权威性。

相关内容