BIND 9 视图下区域传输被拒绝

BIND 9 视图下区域传输被拒绝

我正在运行 BIND 9.10.3-P4-Debian。

我有两个权威名称服务器:一个主服务器(192.168.200.3)和一个辅助服务器(192.168.201.3)。

我想将所有记录提供给我的子网 (192.168.200.0/22) 上的主机。这些记录位于名为 internal-view 的视图中。

我想将所有记录的一个子集提供给 IP 地址属于 RFC 1918 私有地址块、但不在我的特定子网内的主机。这些记录位于名为 external-view 的视图中。

我尝试通过为两个视图分别设置不同的 TSIG 密钥来强制每个视图与其同名的对等视图进行对话。

使用如下所示的配置,internal-view 的区域能够从主服务器传输到辅助服务器;但是 external-view 的区域不能。

主端日志显示:

client 192.168.201.3#41723/key external-view (dct.example.com): view internal-view: zone transfer 'dct.example.com/AXFR/IN' denied

注意:期望的是 external-view,并且确实提供了 external-view 的密钥,但请求却被当作 internal-view 处理。

下面的辅助端日志显示,辅助名称服务器认为它请求的是 external-view。

辅助端日志显示:

zone dct.example.com/IN/external-view: Transfer started.
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: connected using 192.168.201.3#41723
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: failed while receiving responses: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer status: REFUSED
transfer of 'dct.example.com/IN/external-view' from 192.168.200.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)

主要和次要配置的相关部分如下所示。

有人能看出我错在哪里吗?

预先感谢您的任何帮助。

主服务器配置

options {
   # Global default: no zone transfers at all. Each view re-opens this
   # below for its own TSIG key.
   allow-transfer { none; };
};

# One TSIG key per view. The same two secrets are configured on the
# secondary, whose "server" statements choose which one signs its requests.
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; }; # defined but not referenced in this listing

# NOTE(review): 192.168.200/22 spans 192.168.200.0-192.168.203.255, so the
# secondary (192.168.201.3) is an "internal-hosts" member and can never fall
# into "external-hosts", whatever TSIG key it signs with.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

view "internal-view" {
   # View selection here is by source address only. Since 192.168.201.3 is
   # inside "internal-hosts", every request from the secondary lands in this
   # view -- including AXFRs signed with external-view., which is exactly the
   # "view internal-view: zone transfer ... denied" line in the primary's log.
   match-clients { "internal-hosts"; };

   # Requests this server originates to the secondary are signed with this key.
   server 192.168.201.3 { keys { internal-view.; }; };
   # Transfers require this view's key; a request carrying external-view. is
   # therefore refused once it has been routed into this view.
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      forwarders { }; # empty list: no forwarding for this authoritative zone
   };
};

view "external-view" {
   # Matches RFC 1918 addresses that are NOT in "internal-hosts". The
   # secondary (192.168.201.3) is inside 192.168.200/22, so its requests
   # never reach this view and the zone below is unreachable for it.
   match-clients { "external-hosts"; };

   # Requests this server originates to the secondary are signed with this key.
   server 192.168.201.3 { keys { external-view.; }; };
   # Would accept a transfer signed with external-view. -- but only for
   # requests that are routed into this view in the first place.
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { }; # empty list: no forwarding for this authoritative zone
   };
};

辅助服务器配置

options {
   # Global default: no outbound zone transfers; re-opened per view below.
   allow-transfer { none; };
};

# Same two TSIG keys as on the primary. The "server 192.168.200.3" statements
# in the views below choose which key signs requests sent to the primary.
key internal-view. {
   algorithm hmac-sha512;
   secret "5<redacted>==";
};

key external-view. {
   algorithm hmac-sha512;
   secret "y<redacted>==";
};

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; }; # defined but not referenced in this listing

# NOTE(review): the primary (192.168.200.3) is also inside 192.168.200/22, so
# on this host the primary is always an "internal-hosts" client as well.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# Single primary serving both views' copies of the zone.
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # Address-only match; see the note on "internal-hosts" above.
   match-clients { "internal-hosts"; };

   # Requests this view sends to the primary (transfer requests for the zone
   # below) are signed with internal-view.
   server 192.168.200.3 { keys { internal-view.; }; };
   # Transfers out of this secondary also require the view's key.
   allow-transfer { key internal-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com"; # local copy of the transferred zone
      masters { dct-masters; };
      forwarders { }; # empty list: no forwarding for this zone
   };
};

view "external-view" {
   # Address-only match, as in internal-view.
   match-clients { "external-hosts"; };

   # This is the key the secondary-side log shows on the refused transfer:
   # the request is signed correctly, but the primary's match-clients for
   # both of its views contain only address ACLs, so the key plays no part
   # in view selection there.
   server 192.168.200.3 { keys { external-view.; }; };
   allow-transfer { key external-view.; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com"; # local copy of the transferred zone
      masters { dct-masters; };
      forwarders { }; # empty list: no forwarding for this zone
   };
};

答案1

下面的配置解决了问题。原因在于:192.168.201.3 位于 192.168.200/22 之内,因此仅按来源地址匹配的 match-clients 总是选中 internal-view;修复后的 match-clients 先写 `!key`/`key` 子句,由 TSIG 密钥决定请求进入哪个视图,并用取反的 transfer-to-reject / notify-to-reject ACL 同时限制来源地址。

主服务器配置

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# 192.168.200/22 still contains both name servers (192.168.200.3 and
# 192.168.201.3); that is why view selection below leads with TSIG key
# clauses instead of relying on these address ACLs.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The two authoritative servers, by address.
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# "transfer-to-reject" is the complement of "transfer-to-allow": it matches
# every address that is neither a name server nor loopback. It is used
# negated in allow-transfer ("!transfer-to-reject; key ...;") so that a
# transfer needs BOTH an allowed source address AND a valid TSIG key; a
# plain "{ transfer-to-allow; key ...; }" would accept either one alone.
acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

options {
   directory "/etc/bind";
   version none; # do not disclose the server version

   # Answer queries only from RFC 1918 space and loopback.
   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   # Dynamic updates are denied globally and nothing below re-enables them.
   allow-update { none; };
   allow-update-forwarding { none; };

   # This allows *all* local network interfaces.
   # (The built-in "localhost" ACL is every address of this host, not just 127.0.0.1.)
   listen-on { localhost; };

   # Recursive queries (enabled only in internal-view) go exclusively to
   # these two resolvers; the zones below set "forwarders { }" to opt out.
   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # NOTE(review): validation is off, so the recursive service offered in
   # internal-view passes on whatever the forwarders return, unvalidated.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; }; # IPv4 only
};

# One TSIG key per view. In this configuration the key a request is signed
# with is what selects the view (see the match-clients clauses below), so
# the two secrets must differ and must match the secondary's copies.
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

view "internal-view" {
   # First match wins, so the order matters:
   #  1. anything signed with the OTHER view's key is excluded here, which
   #     routes it on to external-view below;
   #  2. anything signed with this view's key matches regardless of address;
   #  3. unsigned requests from the name servers or internal hosts match by
   #     address.
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # Requests this server originates to either name server are signed with
   # this view's key (the secondary's config repeats both lines verbatim).
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   # Recursion is offered to internal hosts only; external-view keeps it off.
   recursion yes;
   allow-recursion { "internal-hosts"; };

   # NOTIFYs to the secondary are signed, so its match-clients routes them
   # into its own internal-view.
   also-notify { 192.168.201.3 key internal-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # The source must be a name server or loopback AND the request must carry
   # this view's key (see the transfer-to-reject acl).
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/internal-view/db.dct.example.com";
      forwarders { }; # opt this authoritative zone out of "forward only"
   };
};

view "external-view" {
   # Mirror of internal-view's ordering: requests signed with the other
   # view's key are excluded, requests signed with external-view-key match
   # from any address, then address ACLs. Unsigned requests from "all-ns"
   # have already matched internal-view above, so that entry appears to be
   # reachable here only in principle.
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   # Requests this server originates to either name server are signed with
   # this view's key.
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   # Authoritative-only service for this view.
   recursion no;
   allow-recursion { none; };

   # Signed NOTIFY, so the secondary routes it into its external-view.
   also-notify { 192.168.201.3 key external-view-key; }; # Who should we notify?
   allow-notify { none; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Allowed source address AND this view's key are both required.
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type master;
      file "zones/external-view/db.dct.example.com";
      forwarders { }; # opt this authoritative zone out of "forward only"
   };
};

辅助服务器配置

acl "private-ip-addresses" { 10/8; 192.168/16; 172.16/12; };
acl "allowed-clients" { "private-ip-addresses"; 127/8; };

# Both name servers are inside 192.168.200/22, so views below are selected
# by TSIG key first and by these address ACLs only as a fallback.
acl "internal-hosts" { 192.168.200/22; 127/8; };
acl "external-hosts" { !"internal-hosts"; "private-ip-addresses"; };

# The two authoritative servers, by address.
acl "primary-ns" { 192.168.200.3; };
acl "secondary-ns" { 192.168.201.3; };
acl "all-ns" { "primary-ns"; "secondary-ns"; };

# Only the primary may send NOTIFY. "notify-to-reject" is its complement and
# is used negated in allow-notify ("!notify-to-reject; key ...;") so a NOTIFY
# must come from the primary AND be signed with the view's key.
acl notify-to-allow { "primary-ns"; };
acl notify-to-reject { !"notify-to-allow"; any; };

# Same AND-style construction for zone transfers out of this secondary:
# allowed source address AND valid TSIG key.
acl transfer-to-allow { "all-ns"; 127/8; };
acl transfer-to-reject { !"transfer-to-allow"; any; };

# Identical to the primary's options block: everything that could leak or
# modify zone data (transfer, notify, update, recursion) is denied here and
# re-enabled only where a view needs it.
options {
   directory "/etc/bind";
   version none; # do not disclose the server version

   # Answer queries only from RFC 1918 space and loopback.
   allow-query { "allowed-clients"; };

   recursion no; # Override in views, where appropriate.
   allow-recursion { none; }; # Override in views, where appropriate.

   notify explicit; # Requires use of also-notify.
   also-notify { }; # Who should we notify? For primary, override this in each view.
   allow-notify { none; }; # Who can notify us? For secondary, override this in each view.

   allow-transfer { none; }; # Who should we allow zone transfers to? For primary, override this in each view.

   # Dynamic updates are denied globally and nothing below re-enables them.
   allow-update { none; };
   allow-update-forwarding { none; };

   # This allows *all* local network interfaces.
   # (The built-in "localhost" ACL is every address of this host, not just 127.0.0.1.)
   listen-on { localhost; };

   # Recursive queries (enabled only in internal-view) go exclusively to
   # these two resolvers; the zones below set "forwarders { }" to opt out.
   forward only;
   forwarders { 192.168.20.3; 192.168.30.3; };

   statistics-file "named.stats";

   # NOTE(review): validation is off, so the recursive service offered in
   # internal-view passes on whatever the forwarders return, unvalidated.
   dnssec-validation no;
   dnssec-lookaside no;

   auth-nxdomain no;
   listen-on-v6 { none; }; # IPv4 only
};

# Same two TSIG keys as on the primary; the key on an incoming request is
# what selects the view in the match-clients clauses below.
key internal-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

key external-view-key {
   algorithm hmac-sha512;
   secret "<redacted>";
};

# Single primary for both views' copies of the zone. Requests to it are
# signed per view via the "server 192.168.200.3" statements below.
masters "dct-masters" { 192.168.200.3; };

view "internal-view" {
   # First match wins: exclude the other view's key, accept this view's key
   # from any address, then fall back to address ACLs for unsigned requests.
   # The primary's NOTIFYs arrive signed with internal-view-key and so land
   # here rather than in external-view.
   match-clients { !key external-view-key; key internal-view-key; "all-ns"; "internal-hosts"; };
   # Transfer requests sent to the primary from this view are signed with
   # this view's key.
   server 192.168.200.3 { keys { internal-view-key; }; };
   server 192.168.201.3 { keys { internal-view-key; }; };

   # Recursion for internal hosts only.
   recursion yes;
   allow-recursion { "internal-hosts"; };

   also-notify { }; # Who should we notify?
   # Accept NOTIFY only from the primary AND only when signed with this
   # view's key (see the notify-to-reject acl).
   allow-notify { !notify-to-reject; key internal-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Allowed source address AND this view's key are both required.
   allow-transfer { !transfer-to-reject; key internal-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/internal-view/bak.dct.example.com"; # local copy of the transferred zone
      masters { dct-masters; };
      forwarders { }; # opt this zone out of "forward only"
   };
};

view "external-view" {
   # Mirror of internal-view: requests signed with external-view-key match
   # from any address, which is how the primary's external-view NOTIFY and
   # this host's own transfer traffic stay in the right view.
   match-clients { !key internal-view-key; key external-view-key; "all-ns"; "external-hosts"; };
   # Transfer requests sent to the primary from this view are signed with
   # this view's key.
   server 192.168.200.3 { keys { external-view-key; }; };
   server 192.168.201.3 { keys { external-view-key; }; };

   # Authoritative-only service for this view.
   recursion no;
   allow-recursion { none; };

   also-notify { }; # Who should we notify?
   # Accept NOTIFY only from the primary AND only when signed with this
   # view's key.
   allow-notify { !notify-to-reject; key external-view-key; }; # Who can notify us?

   # Who should we allow zone transfers to?
   # Allowed source address AND this view's key are both required.
   allow-transfer { !transfer-to-reject; key external-view-key; };

   zone "dct.example.com" {
      type slave;
      file "zones/external-view/bak.dct.example.com"; # local copy of the transferred zone
      masters { dct-masters; };
      forwarders { }; # opt this zone out of "forward only"
   };
};
