有什么方法可以了解我的 Bind9 服务器一步步正在做什么?
dig
目前,我正在努力解决请求被拒绝并告知的问题recursion requested but not available
。但是,递归根本不应该参与,因为这应该是权威服务器。
我该怎么做才能了解一切问题出在哪里?
以下是 的回应dig @127.0.0.1 client.example.com
:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 client.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55821
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;client.example.com. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 31 01:09:08 EET 2017
;; MSG SIZE rcvd: 54
我尝试使用详细模式进行调试(这是从另一台机器发出的请求),得到的结果如下:
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: UDP request
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: request is not signed
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: recursion not available
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: query
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query (cache) 'client.example.com/A/IN' denied
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query failed (REFUSED) for client.example.com/IN/A at ../../../bin/named/query.c:6475
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): error
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): send
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): sendto
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): senddone
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): next
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): endrequest
31-Oct-2017 00:48:04.363 client @0x123456789abcdef: udprecv
不幸的是,我无法理解在这种情况下为什么需要递归。
如果有人可以帮助我进行手动调试,以下是我的服务器设置方式。
命名的.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
命名的.conf.选项:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { any; };
recursion no;
allow-transfer { localhost; };
allow-query-cache { none; };
allow-query { any; };
};
命名.conf.本地:
zone "example.com" {
type master;
file "/etc/bind/zones/example.com";
};
区域/example.com:
$TTL 300
@ IN SOA ns.example.com. admin.example.com (
4 ; Serial
300 ; Refresh
300 ; Retry
2419200 ; Expire
300 ) ; Negative Cache TTL
@ IN NS ns.example.com.
ns IN A 192.0.2.1
@ IN A 192.0.2.1
www IN A 192.0.2.1
client IN A 192.0.2.1
@ IN MX 50 mx.example.net.
@ IN MX 100 mx2.example.net.
该文件named.conf.default-zones
以及默认区域的文件均保持默认安装状态。
我正在使用 BIND 9.10.3-P4-Ubuntu。
答案1
使用启动 BIND-d 1
将启用调试。根据您的操作系统/发行版,您可能需要查找如何设置启动命令行参数。如果您需要更多信息,可以增加该值。
如果您需要更多指导,您可能应该在问题中发布您的配置文件,删除机密信息并用示例替换您的姓名。其他人查看您的设置时可能会在此处识别出这些信息。
更新 1:
我认为错误可能是因为 named 无法读取区域文件,因此它完全忽略了该区域,让它认为应该在其他地方询问,但由于递归被禁用,所以无法询问。查看 named 启动时的日志文件,看看是否有任何关于正在发生的事情的提示。