BIND 无法解析并显示“警告:请求递归但不可用”

BIND 无法解析并显示“警告:请求递归但不可用”
  1. 日志中没有错误,查询日志不会初始化
  2. iptables 已完全禁用

但服务器会回应“警告:请求递归但不可用”,因为我的客户端 104.200.17.225 被匹配到了 external(外部)视图。可是该客户端明明“在”受信任(trusted)的 ACL 中。Bind 完全忽略了我的受信任列表。

mlr01 ~ # dig facebook.com

; <<>> DiG 9.9.5 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.

;; Query time: 42 msec
;; SERVER: 66.228.35.79#53(66.228.35.79)
;; WHEN: Thu Oct 16 23:28:20 UTC 2014
;; MSG SIZE  rcvd: 252

Named 似乎忽略了我的 ACL:

cat /etc/bind/named.conf
// Named address match list "outside": matches every client address.
// NOTE(review): nothing else in this file references "outside" — the views
// below use { any; } and { trusted; } directly — so as posted this list is unused.
acl "outside" {
        any;
};

// Named address match list "trusted": hosts granted privileged access.
// Referenced by allow-transfer and allow-update in options, and by
// match-clients / allow-recursion in view "internal".
// Membership is decided by source address only (no TSIG key elements).
acl "trusted" {
        173.255.211.166;
        104.200.17.225;  //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
};

// Global server options. Views inherit these unless they override a statement.
options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";
        // Source address used for outbound zone transfers (AXFR/IXFR requests).
        transfer-source  198.74.49.126;
        // Interfaces/addresses named binds to; anything else is not listened on.
        listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d;};
        listen-on { 127.0.0.1; 66.228.35.79;};
        // Upper bound (seconds) on how long cached records are kept.
        max-cache-ttl 1600;
        // Do not reveal the BIND version to version.bind CH TXT queries.
        version none;
        // Default query policy; view "external" restates it, view "internal" inherits it.
        allow-query {
                any;
        };

        // Default cache-access policy.
        // NOTE(review): inherited by view "external", which sets recursion no but does
        // not override allow-query-cache — confirm that exposing cached data there is intended.
        allow-query-cache {
                any;
        };

        // Zone transfers only to the "trusted" list.
        allow-transfer {
                trusted;
        };

        // Dynamic updates only from the "trusted" list.
        // NOTE(review): authorised by source address alone; BIND also accepts `key`
        // elements here for TSIG-authenticated updates, which is the stronger control.
        allow-update {
                trusted;
        };

        // NOTE(review): left commented out; BIND's default forward mode is "first"
        // when forwarders are set, so this line changes nothing as written — confirm.
        //forward first;
        // Upstream resolvers tried before (forward first) iterative resolution.
        forwarders {
                109.74.192.20;
                97.107.133.4;
                198.74.49.126;          //internal router1
        };

};


// Logging configuration: three file channels, two category routes.
logging {
        // Main log: warning and above, rotated across 5 files of 50M.
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity warning;
        };
        // "severity dynamic" presumably follows the server's current debug level — verify.
        channel resolver_file {
                file "/var/log/named/resolver.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        channel xfer-in_file {
                file "/var/log/named/xfer-in.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        // NOTE(review): only "default" and "general" are routed; resolver_file and
        // xfer-in_file are defined but no category statement sends anything to them,
        // and no "queries" category is configured here either.
        category default { default_log; };
        category general { default_log; };
};


// rndc control channel: loopback only, restricted to loopback sources, and
// authenticated with "rndc-key" from the included key file.
include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// Recursive view for "trusted" clients. Views are tried in the order they are
// defined, and the first one whose match-clients matches the query source wins,
// so this view is meant to catch trusted sources before "external" below.
// NOTE(review): the query log in this question nevertheless shows 104.200.17.225
// under view "external" — confirm the running server has this file loaded.
view "internal" {
        match-clients { trusted; };
        allow-query-cache { any; };
        allow-recursion { trusted; };
        recursion yes;

        // No hint zone "." here; BIND presumably falls back to its compiled-in root
        // hints if the forwarders fail — confirm.
        zone "azevedomd.com" {
                type master;
                file "pri/azevedomd.com.internal";
        };
        zone "35.228.66.in-addr.arpa"{
                type master;
                file "pri/reverse.internal";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "pri/127.0.0.1";
        };

};

// Catch-all, authoritative-only view for everyone else. "recursion no" keeps the
// public face from acting as an open resolver; clients that land here get a
// root referral from the hint zone instead of an answer (the dig output above:
// flags "qr rd" without "ra", AUTHORITY section listing the root servers).
// allow-query-cache is not set here, so the global { any; } is inherited.
view "external" {
        match-clients { any; };
        match-destinations { any; };
        recursion no;
        allow-query { any; };
        zone "." IN {
                type hint;
                file "/var/bind/named.ca";
        };
        zone "azevedomd.com" {
                type master;
                file "pri/azevedomd.com.external";
        };
        zone "35.228.66.in-addr.arpa"{
                type master;
                file "pri/reverse.external";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "pri/127.0.0.1";
        };

};

查询日志显示该查询被匹配到了 external(外部)视图。为什么它会忽略 internal(内部)视图和受信任(trusted)列表?客户端明明就在列表中。

17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79

答案1

尝试调换这两条 ACL 语句的顺序:

// Answer 1's proposal: the same two ACLs, with "trusted" defined first.
// NOTE(review): in the posted named.conf neither view references "outside"
// (view "external" uses match-clients { any; } directly), and acl definitions
// only need to precede their first use, so reordering them is unlikely by
// itself to change which view a client lands in — verify against a reload.
acl "trusted" {
        173.255.211.166;
        104.200.17.225;  //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
};

acl "outside" {
        any;
};

答案2

您的客户端 104.200.17.225 首先匹配到了“outside”(外部)ACL。重新排列 ACL 的顺序可能会有所帮助,但更可靠的方法是在“outside”中显式排除您的“trusted”(受信任)地址:

// Answer 2's proposal: "outside" explicitly excludes the trusted addresses.
// A leading "!" negates an element, and address match lists are evaluated
// first-match, so the negated entries must stay ahead of "any" as they are here.
// NOTE(review): the posted named.conf never references "outside" — view "external"
// uses match-clients { any; } — so this list only takes effect once that view is
// changed to `match-clients { outside; };`.
acl "outside" {
        !173.255.211.166;
        !104.200.17.225;  //this is the client in question
        !10.8.0.0/24;
        !10.8.1.0/24;
        !127.0.0.1/32;
        !::1/128;
        any;
};
