Debian Wheezy, bind with views and a generic configuration


I have been struggling for the last few days to get my bind working. It has, I believe, a fairly generic configuration, but somehow it does not hand out my server's correct IP to local clients when the domain name myho.st is used. The system is Debian Wheezy. named-checkconf reports no errors.

The configuration is as follows:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.log";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

acl localhost_acl {
        127.0.0.1;
};

acl internal_10_acl {
        192.168.10.0/24;
};

/etc/bind/named.conf.local

include "/etc/bind/zones.rfc1918";

view "local_view" {

        match-clients { localhost_acl; internal_10_acl; };

        zone "myho.st" {
                type master;
                file "/etc/bind/db.myho.st";
        };

};

/etc/bind/zones.rfc1918

view "global_view" {

        zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };

        zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

/etc/bind/named.conf.default-zones

view "default_view" {

        // prime the server with knowledge of the root servers
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        // be authoritative for the localhost forward and reverse zones, and for
        // broadcast zones as per RFC 1912

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

};

/etc/bind/named.conf.log

logging {
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };

        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
};

/etc/bind/named.conf.options

options {

        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on {
                127.0.0.1;
                192.168.10.1;
        };
        allow-transfer { none; };
        allow-query { localhost_acl; internal_10_acl; };

};

And finally /etc/bind/db.myho.st

$TTL    3h
@       IN      SOA     ns.myho.st. hostmaster.myho.st. (
                          4        ; Serial
                          3h       ; Refresh after 3 hours
                          1h       ; Retry after 1 hour
                          1w       ; Expire after 1 week
                          1h )     ; Negative caching TTL of 1 hour
;
@               IN      NS      ns.myho.st.

@               IN      A       192.168.10.1
ns              IN      A       192.168.10.1

named-checkzone myho.st /etc/bind/db.myho.st reports no errors.

My clients are on the 192.168.10.0/24 subnet, and all of them can ping 192.168.10.1, which is the server's IP. But the myho.st domain is resolved to the global IP via the ISP's DNS, even though it appears to be served by my server:

user@client:~$ nslookup myho.st
Server:         192.168.10.1
Address:        192.168.10.1#53

Non-authoritative answer:
Name:   myho.st
Address: *some global IP*

Obviously I am missing some basic setting in named.conf*, but I cannot see which. Possibly the views are configured incorrectly. Please advise.

Answer 1

As far as I can see, the names of your configuration parts are misleading (besides, I would say the Debian tradition of splitting a decent configuration file into over 9000 include files is misleading and counterproductive overall).

Given that

view clauses are processed in the order in which they appear in the named.conf file.
Thus, in the example above the 'badguys' view clause matching condition (any) also 
satisfies the 'trusted' view matching condition. However, since 'trusted' appears first
its matching condition is the first to be satisfied and view matching stops.

I would say your global_view is processed first, so your local clients are matching it. Move include "/etc/bind/zones.rfc1918"; (yes, that is a misleadingly named include) after the local_view view.

Answer 2

It is important to understand that each query will hit exactly one view, namely the first view that matches the incoming query (based on match-*).

You have three views, two of which have no requirements at all on which queries will match.

This leads to a situation where, depending on how the views are ordered, one or two of the views cannot be queried by anyone.

If your default_view or your global_view view comes first in order, all queries will go to that view and the remaining two views are unreachable.

If your local_view view is first, then addresses not matching match-clients { localhost_acl; internal_10_acl; }; can query the first of default_view/global_view, but the last view is still unreachable.

Another aspect is that, in the last example, queries matching local_view will not see any of the zones in the other views, even though those zones have no special requirements on queries.

All in all, when introducing views into the default configuration shipped by this distribution, you really should not go by "one view per file", but take the above into account.
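To make the first-match rule from both answers concrete, here is an added Python model of how named picks a view for a client address; it is not part of either answer or of BIND itself, and the view order, abbreviated zone lists and client addresses are constructed from the question's files. It reproduces the order named reads the posted files in, the order after answer 1's fix, and answer 2's point about views that no query can reach.

```python
import ipaddress

# Constructed model of the question's ACLs. A view with no match-clients
# behaves as if it were match-clients { any; }.
ACLS = {
    "localhost_acl": ["127.0.0.1"],
    "internal_10_acl": ["192.168.10.0/24"],
}

def acl_matches(entry, client):
    """One match-clients element: 'any', an ACL name, or an address/prefix."""
    if entry == "any":
        return True
    if entry in ACLS:
        return any(acl_matches(e, client) for e in ACLS[entry])
    return client in ipaddress.ip_network(entry, strict=False)

def select_view(views, client_ip):
    """First view whose match-clients admits client_ip (the rule named applies);
    views is ordered as named reads it, include files expanded in place."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients, zones in views:
        if any(acl_matches(e, client) for e in (match_clients or ["any"])):
            return name, zones
    return None, ()

def serves_zone(views, client_ip, zone):
    """Which view answers client_ip, and whether that view carries zone."""
    name, zones = select_view(views, client_ip)
    return name, zone in zones

def shadowed_views(views):
    """Views no query can reach because an earlier view already matches any client."""
    shadowed, catch_all_seen = [], False
    for name, match_clients, _ in views:
        if catch_all_seen:
            shadowed.append(name)
        if match_clients is None or "any" in match_clients:
            catch_all_seen = True
    return shadowed

# The three views from the question (global_view's zone list abbreviated).
LOCAL = ("local_view", ["localhost_acl", "internal_10_acl"], ("myho.st",))
GLOBAL = ("global_view", None, ("10.in-addr.arpa", "16.172.in-addr.arpa"))
DEFAULT = ("default_view", None, (".", "localhost", "127.in-addr.arpa"))
# As posted: named.conf.local includes zones.rfc1918 (global_view) before
# defining local_view, then named.conf.default-zones adds default_view.
AS_POSTED = [GLOBAL, LOCAL, DEFAULT]
# After moving the zones.rfc1918 include below local_view (answer 1's fix).
FIXED = [LOCAL, GLOBAL, DEFAULT]
```

With the posted order a 192.168.10.x client lands in global_view, which has no myho.st zone, so the query falls through to recursion; with local_view first the same client gets the local zone, while default_view stays unreachable behind global_view's implicit any.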