bind9 query failed (REFUSED)

I installed and configured bind9 on Ubuntu 20.04; the files are as follows:

root@server:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        listen-on { any; };
        allow-transfer { none; };

        allow-query { any; };
        recursion yes;
        allow-recursion { 127.0.0.1; };
        forwarders { 8.8.8.8; };
        querylog yes;

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};
root@server:/etc/bind# cat named.conf.default-zones
...
zone "site" {
        type master;
        file "/etc/bind/site";
};
root@server:/etc/bind# cat site
$TTL    86400
mydomain.com.      IN      SOA     ns1.mydomain.com. my.email.gmail.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 );      ; Negative Cache TTL
mydomain.com.   IN      NS      ns1.mydomain.com.
mydomain.com.   IN      NS      ns2.mydomain.com.
mydomain.com.   IN      A       ipv4
www             IN      A       ipv4
ns1             IN      A       ipv4
ns2             IN      A       ipv4

ufw status

53/tcp                     ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
root@server:/etc/bind# netstat -tulpn | grep 53
tcp        0      0 server-ip:53            0.0.0.0:*               LISTEN      2649/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2649/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2649/named
udp        0      0 server-ip:53            0.0.0.0:*                           2649/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2649/named

When I run dig (whether dig @localhost from the server itself or dig @serveripv4 from my laptop), this is the error in syslog:

root@server:/etc/bind# tailf /var/log/syslog | grep named
Jun 29 20:23:25 server named[2649]: client @0x7f1930005910 my-laptop-ip#40259 (ns1.mydomain.com): query: ns1.mydomain.com IN A +E(0)K (server-ip)
Jun 29 20:23:25 server named[2649]: client @0x7f1930005910 my-laptop-ip#40259 (ns1.mydomain.com): query (cache) 'ns1.mydomain.com/A/IN' denied
Jun 29 20:23:25 server named[2649]: client @0x7f1930005910 my-laptop-ip#40259 (ns1.mydomain.com): query failed (REFUSED) for ns1.mydomain.com/IN/A at query.c:5425

What is wrong with the configuration, such that I cannot use DNS and dig?

Answer 1

The name given to each zone{} block must match the actual DNS zone (domain); it is not just an arbitrary label.

Right now, your DNS server is configured to serve a zone named site, but it has no zone matching the name you are trying to query (it has neither a mydomain.com zone, nor an ns1.mydomain.com zone, nor a com zone).
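As an added example (not part of the question or of the answer above, and not BIND's own code), the following Python script models the two checks named performs for a query in the posted setup: longest-suffix match against the declared zones, and, when no zone matches, the allow-recursion ACL, which is what the "query (cache) ... denied" log line refers to. It also loads the posted zone file under both the broken zone name ("site") and the corrected one ("mydomain.com") and lists the records whose owner name lies outside the zone apex. The address 192.0.2.10 stands in for the "ipv4" placeholder and 203.0.113.5 for the laptop; both are assumptions, as are the function names.

```python
"""Model BIND's zone/ACL decision for a query, to show why the posted
configuration answers REFUSED.  Added example, not code from the question
or from BIND itself.  192.0.2.10 stands in for the "ipv4" placeholder and
203.0.113.5 for the laptop; both addresses are assumptions."""
import ipaddress
import re

# Zone declaration as posted in the question (constructed copy).
NAMED_CONF_BROKEN = '''
zone "site" {
        type master;
        file "/etc/bind/site";
};
'''

# Same declaration with the zone name matching the data in the file.
NAMED_CONF_FIXED = '''
zone "mydomain.com" {
        type master;
        file "/etc/bind/site";
};
'''

# Zone file from the question, "ipv4" replaced by a documentation address.
ZONE_FILE = '''$TTL    86400
mydomain.com.      IN      SOA     ns1.mydomain.com. my.email.gmail.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 );      ; Negative Cache TTL
mydomain.com.   IN      NS      ns1.mydomain.com.
mydomain.com.   IN      NS      ns2.mydomain.com.
mydomain.com.   IN      A       192.0.2.10
www             IN      A       192.0.2.10
ns1             IN      A       192.0.2.10
ns2             IN      A       192.0.2.10
'''

ALLOW_RECURSION = ["127.0.0.1"]   # allow-recursion { 127.0.0.1; }; from the question

ZONE_DECL = re.compile(r'zone\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CLASSES = {"IN", "CH", "HS"}


def normalize(name):
    """Canonical form: lowercase, no trailing dot; the root zone is ''."""
    return name.rstrip(".").lower()


def declared_zones(conf):
    """Names of the zones named.conf declares this server authoritative for."""
    return [normalize(name) for name, body in ZONE_DECL.findall(conf)
            if re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", body)]


def best_zone(qname, zones):
    """Longest declared zone that contains qname, or None (no authoritative data)."""
    q = normalize(qname)
    hits = [z for z in zones if z == "" or q == z or q.endswith("." + z)]
    return max(hits, key=len) if hits else None


def zone_records(text, origin):
    """Return [(owner_fqdn, rrtype)] for each record, expanding relative names."""
    origin, last_owner, records = normalize(origin), None, []
    pending, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop ';' comments
        if depth == 0:
            if not line.strip():
                continue
            pending = line
        else:
            pending += " " + line                      # continuation inside ( ... )
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        line, pending = pending, ""
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = normalize(tokens[1])
            continue
        if tokens[0].startswith("$"):                  # $TTL and other directives
            continue
        if line[0].isspace():                          # blank owner: reuse previous
            owner, fields = last_owner, tokens
        else:
            owner, fields = tokens[0], tokens[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):              # relative name gets the origin
                owner = owner + "." + origin if origin else owner
            owner = normalize(owner)
        last_owner = owner
        rrtype = next(t for t in fields if not t.isdigit() and t.upper() not in CLASSES)
        records.append((owner, rrtype.upper()))
    return records


def out_of_zone(zone, text):
    """Records whose owner is not at or below the zone apex."""
    return [(o, t) for o, t in zone_records(text, zone) if best_zone(o, [zone]) is None]


def decide(qname, client_ip, zones, allow_recursion):
    """named's outcome for a query: authoritative answer, recursion, or REFUSED."""
    zone = best_zone(qname, zones)
    if zone is not None:
        return "authoritative:" + zone
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(acl, strict=False) for acl in allow_recursion):
        return "recursive"
    return "REFUSED"


if __name__ == "__main__":
    for label, conf in (("broken", NAMED_CONF_BROKEN), ("fixed", NAMED_CONF_FIXED)):
        zones = declared_zones(conf)
        print(label, "zones:", zones)
        print("  out-of-zone records:", out_of_zone(zones[0], ZONE_FILE))
        for client in ("203.0.113.5", "127.0.0.1"):
            print("  ns1.mydomain.com from", client, "->",
                  decide("ns1.mydomain.com", client, zones, ALLOW_RECURSION))
```

With zone "site" the script finds no zone containing ns1.mydomain.com, the laptop address is not in the allow-recursion ACL, and the outcome is REFUSED, matching the posted log. It also shows that the four mydomain.com records in the file are outside the "site" apex; renaming the zone to "mydomain.com" makes every record in-zone and the query authoritative for any client. After editing named.conf, run named-checkconf and named-checkzone mydomain.com /etc/bind/site before reloading.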
