反向从属 DNS 服务器区域文件未传输

tag-icon tag-icon centos dns bind
反向从属 DNS 服务器区域文件未传输

我正在使用亚马逊免费套餐和 RHEL 7 并配置主 DNS 服务器和从 DNS 服务器。从主人那里一切都好,但奴隶我找不到结果。我还想知道如何保护我的 dns 服务器。

在从服务器中,/etc/named.conf 文件:

options {
listen-on port 53 { 127.0.0.1; 52.34.228.106; 0.0.0.0/0; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 0.0.0.0/0; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recurs ion.
- If you are building a RECURSIVE (caching) DNS server, you need to ena ble
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so w ill
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
#options{
recursion yes;
# allow-recursion { trusted;};
#};

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

和 /etc/rfc1912.zones 文件:

zone "iftibd.com" IN {
type slave;
file "slaves/seobd.fz";
masters { 52.37.252.202;};
allow-notify {52.37.252.202; };
};

zone "228.34.52.in-addr.arpa" IN {
type slave;
file "slaves/seobd.rz";
masters { 52.37.252.202;};
allow-notify {52.37.252.202;};
};



   [root@ip-172-31-17-202 slaves]# nslookup iftibd.com
    Server: 52.34.228.106
    Address: 52.34.228.106#53

Name: iftibd.com
Address: 52.37.252.202
Name: iftibd.com
Address: 52.34.228.106

[root@ip-172-31-17-202 slaves]# nslookup 52.34.228.106
Server: 52.34.228.106
Address: 52.34.228.106#53

** server can't find 106.228.34.52.in-addr.arpa: SERVFAIL

我发现只创建了seobd.fz,但没有创建反向区域。

答案1

您现在拥有您的反向区域 - 例如 228.34.52.in-addr.arpa,亚马逊是所有者,因此您只能设置您的正向 DNS 区域,而不能设置反向区域。

whois  52.34.228.106
NetRange:       52.32.0.0 - 52.63.255.255
Organization:   Amazon Technologies Inc. (AT-88-Z)

您还可以发现它正在执行digor nslookup

Authoritative answers can be found from:
34.52.in-addr.arpa
    origin = dns-external-master.amazon.com
    mail addr = root.amazon.com
    serial = 1218
    refresh = 3600
    retry = 900
    expire = 604800
    minimum = 900

据我所知,过去你可以逃避声明不属于你的区域,现在 BIND 在这方面更加智能,甚至无需将 DNSSEC 纳入考虑范围。

DNSSEC 还对区域进行签名,并防止人们“冒充”它们。您还拥有 DNSSEC

绑定 DNSSEC 指南

答案2

我在我的电脑中使用 DNS=52.37.252.202 找到了它。

C:\Users\USER>nslookup 52.37.252.202 
Server: www.iftibd.com 
Address: 52.37.252.202 
Name: www.iftibd.com 
Address: 52.37.252.202 
C:\Users\USER>nslookup 52.34.228.106 
Server: ns1.iftibd.com 
Address: 52.37.252.202 
Name: ec2-52-34-228-106.us-west-2.compute.amazonaws.com 
Address: 52.34.228.106

我在我的电脑中使用 DNS=52.34.228.106 找到了它。

  C:\Users\USER>nslookup 52.34.228.106
Server:  UnKnown
Address:  52.34.228.106

*** UnKnown can't find 52.34.228.106: Server failed

C:\Users\USER>nslookup 52.37.252.202
Server:  UnKnown
Address:  52.34.228.106

Name:    ec2-52-37-252-202.us-west-2.compute.amazonaws.com
Address:  52.37.252.202

另请检查我的配置是否正确?

相关内容