我的问题简单概括就是,我们已经在我的机构内开始进行 DNS 服务器升级。
我们目前有 2 个内部 DNS 服务器和 2 个外部 DNS 服务器。我们正在升级到新设备并合并我们的服务器,因此我们有 1 个主服务器和 1 个从服务器,它们将负责内部和外部 DNS。两台服务器都有两个 NIC,它们的 IP 地址一个在公共外部网络中,一个在内部网络中。在我的主服务器上,我设置了一个只能从我们的内部网络范围访问的内部视图和一个允许任何人查询的外部视图。我已设置好一切,DNS 解析工作正常。但我遇到的问题是,当我配置从服务器并进行设置时,从服务器将仅继承内部视图中列出的区域的更新。所有外部视图区域都给出错误
;<<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> IN AXFR 43.96.32.in-addr.arpa @129.yy.yy.10
;; global options: +cmd
; Transfer failed.
我一直在疯狂地谷歌搜索,却找不到解决方案,希望这里有人能知道为什么会发生这种情况。
下面我将给出我的主/从 named.conf 文件的示例。我的系统当前运行的是 RHEL 6.6 和 Bind DNS 9.8.2。
主 - Named.conf
acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16;
10.2.0.0/16; 169.254.0.0/16;
172.23.0.0/16; 32.0.0.0/8;
12.109.164.0/24; 12.109.165.0/24;
63.79.18.0/24; 63.88.0.0/16;
129.42.0.0/16; 4.30.26.0/24;
4.28.188.0/24; 172.21.131.248/29;};
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
dnssec-enable no;
query-source port 53;
forward only;
notify yes;
allow-query { any; };
listen-on {
10.xx.xx.1;
127.0.0.1;
129.yy.yy.10;
};
forwarders {
129.34.20.80;
198.4.83.35;
4.2.2.2;
8.8.8.8;
};
allow-transfer {127.0.0.1; };
};
server 10.xx.xx.2 {
transfer-format many-answers;
transfers 10000;
};
server 129.yy.yy.11 {
transfer-format many-answers;
transfers 10000;
};
view "Internal" {
match-clients { internal_hosts; !external_slave; internal_slave; };
also-notify { 10.xx.xx.2; };
allow-transfer { internal_slave; };
recursion yes;
allow-recursion { internal_hosts; };
transfer-source 10.xx.xx.1;
zone "64.2.10.in-addr.arpa" {
type master;
also-notify { 10.xx.xx.2; };
notify yes;
allow-transfer { internal_slave; };
file "/var/named/10.2.64.rev";
};
view "External" {
match-clients { !internal_slave; external_slave; any; };
recursion no;
allow-transfer { external_slave; };
also-notify { 129.yy.yy.11; };
transfer-source 129.yy.yy.10;
zone "50.146.204.in-addr.arpa" {
type master;
notify yes;
also-notify {129.yy.yy.11;};
allow-transfer {external_slave;};
file "/var/named/204.146.50.rev";
};
从属-Named.conf
acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16;
10.2.0.0/16; 169.254.0.0/16;
172.23.0.0/16; 32.0.0.0/8;
12.109.164.0/24; 12.109.165.0/24;
63.79.18.0/24; 63.88.0.0/16;
129.42.0.0/16; 4.30.26.0/24;
4.28.188.0/24; 172.21.131.248/29;
};
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
dnssec-enable no;
query-source port 53;
forward only;
allow-query { any; };
listen-on port 53 {
127.0.0.1;
10.xx.xx.2;
129.yy.yy.11;
};
forwarders {
129.34.20.80;
198.4.83.35;
4.2.2.2;
8.8.8.8;
};
allow-transfer {127.0.0.1; };
};
server 10.xx.xx.1 {
transfer-format many-answers;
transfers 10000;
};
server 129.yy.yy.10 {
transfer-format many-answers;
transfers 10000;
};
view "Internal" {
match-clients { internal_hosts; !external_master; internal_master; };
recursion yes;
allow-recursion {internal_hosts;};
allow-transfer { internal_master; };
transfer-source 10.xx.xx.2;
allow-notify {10.xx.xx.1;};
zone "64.2.10.in-addr.arpa" {
type slave;
masters {10.xx.xx.1;};
allow-transfer {internal_master;};
allow-update {internal_master;};
file "/var/named/slaves/10.2.64.Internal.rev";
};
view "External" {
allow-transfer {external_master;};
allow-notify {129.yy.yy.10;};
transfer-source 129.yy.yy.11;
match-clients {!internal_master; external_master; internal_hosts; any;};
recursion no;
zone "50.146.204.in-addr.arpa" {
type slave;
masters {129.yy.yy.10;};
allow-transfer {external_master;};
allow-update {external_master;};
file "/var/named/slaves/204.146.50.External.rev";
};
以下是我向主服务器请求的有关 DIG 的 /var/log/messages 输出。brsbld.ihost.com 的 DIG 是外部视图中失败的 DIG,而 bldbcrs.net 的 DIG 位于内部视图中,并且运行正常。
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)
答案1
伙计们,我只是想更新一下,让你们知道我找到了什么解决方案。在我的内部视图下,match-clients 参数让我很困惑。
match-clients { internal_hosts; !external_slave; internal_slave; };
internal_hosts acl 包括范围 129.42.0.0/16。它列在 !external_slave; 参数之前,因此它首先选择它,因为从属服务器是 129.42.206.11,并将其放入内部视图中。我重新安排了它,以便它首先排除 external_slave,然后它才能被外部视图正确选择。
match-clients { !external_slave; internal_hosts; internal_slave; };
答案2
我猜测主配置选项中的此行阻止其他人获取区域:
allow-transfer {127.0.0.1; };
我会尝试删除该行或更新它以包含您的 external_master。
也许是因为您的配置中有多个视图,默认视图从选项中获取了有限的允许传输指令。
http://docs.freebsd.org/doc/8.3-RELEASE/usr/share/doc/bind9/arm/Bv9ARM.ch06.html