我没有对 BIND 配置做任何改动,但Debian Jessie升级似乎破坏了它。也许它引入了一些新选项,或者旧的东西现在工作方式不同了,但我找不到问题所在。
我一直SERVFAIL处于这种状态/var/log/bind/bind.log。
我已经用 检查了我的区域named-checkzone,它们都是“正常”的。我已在系统范围内禁用 IPv6。我重新创建了rndc密钥,甚至创建了/etc/rndc.conf。但都不起作用。
以下是一些配置:
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.log";
include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";
acl localhost_acl {
127.0.0.0/8;
};
acl internal_10_acl {
192.168.10.0/24;
};
acl internal_150_acl {
192.168.150.0/24;
};
acl vpn_acl {
192.168.200.2;
192.168.200.5;
};
key "rndc-key" {
algorithm hmac-md5;
secret "somesecretkey==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
listen-on {
127.0.0.1;
192.168.10.1;
192.168.150.1;
192.168.200.1;
};
allow-transfer { none; };
max-recursion-queries 200;
};
/etc/bind/named.conf.log
logging {
channel update_debug {
file "/var/log/bind/update_debug.log" versions 3 size 100k;
severity debug;
print-severity yes;
print-time yes;
};
channel security_info {
file "/var/log/bind/security_info.log" versions 1 size 100k;
severity debug;
print-severity yes;
print-time yes;
};
channel bind_log {
file "/var/log/bind/bind.log" versions 3 size 1m;
severity debug;
print-category yes;
print-severity yes;
print-time yes;
};
category default { bind_log; };
category lame-servers { security_info; };
category update { update_debug; };
category update-security { update_debug; };
category security { security_info; };
};
/etc/bind/named.conf.local(这是一个很长的故事):
// 1
view "internal_10_view" {
allow-query-on { 127.0.0.1; 192.168.10.1; };
allow-query { localhost_acl; internal_10_acl; };
match-clients { localhost_acl; internal_10_acl; };
zone "myhost.tld" {
type master;
file "/etc/bind/db.myhost.tld_10";
};
zone "168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192.168.10";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 2
view "internal_150_view" {
allow-query-on { 192.168.150.1; };
allow-query { internal_150_acl; };
match-clients { internal_150_acl; };
zone "myhost.tld" {
type master;
file "/etc/bind/db.myhost.tld_150";
};
zone "168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192.168.150";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
};
// 3
view "vpn_view" {
allow-query-on { 192.168.200.1; };
allow-query { vpn_acl; };
match-clients { vpn_acl; };
zone "myhost.tld" {
type master;
file "/etc/bind/db.myhost.tld_vpn";
};
// formerly named.conf.default-zones
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// formerly zones.rfc1918
zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
// somedomain.tld
zone "somedomain.tld" {
type forward;
forward first;
forwarders { 192.168.34.110; 192.168.34.100; };
};
};
/etc/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "somesecretkey==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
我@杰西:~$ sudo netstat -lnptu | grep "named\W*$"
tcp 0 0 192.168.10.1:53 0.0.0.0:* LISTEN 1871/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1871/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1871/named
udp 0 0 192.168.200.1:53 0.0.0.0:* 1871/named
udp 0 0 192.168.10.1:53 0.0.0.0:* 1871/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1871/named
我@jessie:~$ ps aux | grep 命名
bind 5843 0.0 1.0 297780 84412 ? Ssl 00:52 0:16 /usr/sbin/named -f -u bind -4
我@杰西:/etc/bind$ 命名-V
BIND 9.9.5-9-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1k 8 Jan 2015
using libxml2 version: 2.9.2
me@jessie's_client:~$ dig @192.168.10.1 launchpad.net
; <<>> DiG 9.9.5-9-Debian <<>> @192.168.10.1 launchpad.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;launchpad.net. IN A
;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu May 07 23:29:38 MSK 2015
;; MSG SIZE rcvd: 42
最后是一些日志/var/log/bind/bind.log
07-May-2015 22:52:49.287 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:49.287 resolver: debug 1: createfetch: . NS
07-May-2015 22:52:49.954 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:50.353 resolver: debug 1: createfetch: launchpad.net A
07-May-2015 22:52:51.288 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:51.575 query-errors: debug 1: client 127.0.0.1#47208 (pandion.im): view internal_10_view: query failed (SERVFAIL) for pandion.im/IN/AAAA at query.c:7004
07-May-2015 22:52:53.138 query-errors: debug 1: client 127.0.0.1#55548 (_jabber._tcp.none.su): view internal_10_view: query failed (SERVFAIL) for _jabber._tcp.none.su/IN/SRV at query.c:7004
07-May-2015 22:52:53.955 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
07-May-2015 22:52:54.622 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
07-May-2015 22:52:55.353 query-errors: debug 1: client 192.168.10.2#37375 (launchpad.net): view internal_10_view: query failed (SERVFAIL) for launchpad.net/IN/A at query.c:7004
07-May-2015 22:52:55.354 resolver: debug 1: createfetch: launchpad.net A
07-May-2015 22:52:55.956 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
/var/log/bind/security_info.log
07-May-2015 00:45:26.055 warning: using built-in root key for view vpn_view
07-May-2015 12:31:37.603 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:37.769 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:37.773 warning: using built-in root key for view vpn_view
07-May-2015 12:31:44.859 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:44.865 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:44.871 warning: using built-in root key for view vpn_view
07-May-2015 12:31:46.005 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:46.011 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:46.016 warning: using built-in root key for view vpn_view
07-May-2015 12:31:47.108 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:47.114 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:47.121 warning: using built-in root key for view vpn_view
07-May-2015 12:31:48.946 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:48.951 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:48.957 warning: using built-in root key for view vpn_view
07-May-2015 14:07:39.729 warning: using built-in root key for view internal_10_view
07-May-2015 14:07:39.737 warning: using built-in root key for view internal_150_view
07-May-2015 14:07:39.743 warning: using built-in root key for view vpn_view
07-May-2015 14:12:05.871 warning: using built-in root key for view internal_10_view
07-May-2015 14:12:05.880 warning: using built-in root key for view internal_150_view
07-May-2015 14:12:05.890 warning: using built-in root key for view vpn_view
07-May-2015 14:27:07.630 warning: using built-in root key for view internal_10_view
07-May-2015 14:27:07.638 warning: using built-in root key for view internal_150_view
07-May-2015 14:27:07.644 warning: using built-in root key for view vpn_view
有什么建议可能存在什么问题吗?
答案1
如果您不熟悉新max-recursion-queries选项或者添加它的原因,解决这个问题真的很麻烦。
CVE-2014-85002014 年底发现该漏洞影响了多个域名服务器产品,包括 BIND。该漏洞允许恶意域名服务器制作一个可无限执行的引用链,最终导致资源耗尽。ISC 针对此问题的解决方案是为服务器愿意为单个查询执行的递归级别设置上限。上限由max-recursion-queries默认为 75 的新选项控制。
事实证明,75 级递归对于空的名称服务器缓存来说并不是很友好——在完全重新启动进程后,您将始终拥有该缓存。由于在请求的记录和.(根)之间最终要遍历多少级引用,因此许多域将无法使用此默认设置进行解析。该pandion.im.域恰好是其中之一,它可能与 TLD 的无缝委托有关。以下是摘录自dig +trace +additional pandion.im:
im. 172800 IN NS ns4.ja.net.
im. 172800 IN NS hoppy.iom.com.
im. 172800 IN NS barney.advsys.co.uk.
im. 172800 IN NS pebbles.iom.com.
ns4.ja.net. 172800 IN A 193.62.157.66
hoppy.iom.com. 172800 IN A 217.23.163.140
barney.advsys.co.uk. 172800 IN A 217.23.160.50
pebbles.iom.com. 172800 IN A 80.168.83.242
ns4.ja.net. 172800 IN AAAA 2001:630:0:47::42
;; Received 226 bytes from 199.7.83.42#53(199.7.83.42) in 29 ms
pandion.im. 259200 IN NS ed.ns.cloudflare.com.
pandion.im. 259200 IN NS jill.ns.cloudflare.com.
;; Received 81 bytes from 80.168.83.242#53(80.168.83.242) in 98 ms
的名称服务器im.委托pandion.im.给 Cloudflare 的名称服务器,但不提供 IP 地址胶水。在空缓存上,这意味着服务器必须启动分离引荐遍历以获取这些名称服务器的 IP 地址,并且所有这些引荐都计入最大递归次数对于原始查询。此时,只有当服务器已经从其他查询中知道这些名称服务器的 IP 地址时,查询才会成功:
# service named restart && sleep 1 && dig @localhost pandion.im | grep status
Checking named config:
Stopping named: [ OK ]
Starting named: [ OK ]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63173
再次尝试,这次尝试在以下时间之前查找这些名称服务器pandion.im.:
# service named restart && sleep 1 && dig @localhost ed.ns.cloudflare.com jill.ns.cloudflare.com pandion.im | grep status
Checking named config:
Stopping named: [ OK ]
Starting named: [ OK ]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26428
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30491
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22162
长话短说,这个问题很难直观地识别,特别是如果让该过程继续运行,随着时间的推移,它似乎最终会“消失”。我们的一位合作伙伴根据实际使用情况建议将值设为 200。从 200 开始,如果觉得太高,可以调味。
答案2
检查您的日志目录权限。
我在我的日志中发现:
Jun 5 18:46:38 xsystem named[1116]: isc_stdio_open '/var/log/named.debug.log' failed: permission denied
Jun 5 18:46:38 xsystem named[1116]: configuring logging: permission denied
Jun 5 18:46:38 xsystem named[1116]: loading configuration: permission denied
Jun 5 18:46:38 xsystem named[1116]: exiting (due to fatal error)
经过研究,我发现我的/var/log已更改为 group read-only。升级之前,它被设置为 group adm read-write。由于我同时绑定和/var/log使用该adm组,因此失败了。
解决方案:sudo chmod g+w /var/log并重新启动bind(named)
ps 我的绑定日志/var/log不是/var/log/named/