BIND9 slave server cannot resolve, but the master is running and replication works

This is my first post on this site, so please bear with me. I don't know much about DNS, so this may well be the first problem I've hit, but I'm sure I've covered as much as I know.

So I installed Bind9 on CentOS 7, created all the configuration for the master etc., and it works fine. When I put masterdns as the static DNS on my local machine, I can resolve the records I created.

Server information:
Masterdns.vnq.local: 192.168.2.210
slavedns.vnq.local: 192.168.2.11

So my idea was to replicate the files/records to the slave server in case masterdns goes down for some reason. So I used this link to set up my master and slave servers. When I tested the slave by entering it as the static DNS on my local machine and tried to ping/resolve DNS names, it didn't happen. Below is the configuration, and I'll try to explain (as best I know) what I have tried.

I'll start with the errors I'm getting, or have gotten so far, and then I'll post all the relevant configuration.

So when I wanted to check whether the reverse configuration on SLAVEDNS resolves correctly, it gave me the following output. (Note that the forward file on the slave gets "OK"), and the information replicates perfectly from the master to the slave, but it cannot resolve on the slave. What I tried was double-checking all the information, especially the named configuration files. I believe it is somewhere in those two files, but I could be completely wrong.

[root@slavedns slaves]# named-checkzone vnq.local /var/named/slaves/vnq.rev
/var/named/slaves/vnq.rev:3: ignoring out-of-zone data (2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:14: ignoring out-of-zone data (165.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:15: ignoring out-of-zone data (166.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:16: ignoring out-of-zone data (167.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:17: ignoring out-of-zone data (170.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:18: ignoring out-of-zone data (171.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:19: ignoring out-of-zone data (210.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:20: ignoring out-of-zone data (211.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:21: ignoring out-of-zone data (214.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:22: ignoring out-of-zone data (masterdns.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:23: ignoring out-of-zone data (ovirt.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:24: ignoring out-of-zone data (ovirthost1.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:25: ignoring out-of-zone data (ovirthost2.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:26: ignoring out-of-zone data (ovirthost3.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:27: ignoring out-of-zone data (remote.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:28: ignoring out-of-zone data (slavedns.2.168.192.in-addr.arpa)
/var/named/slaves/vnq.rev:29: ignoring out-of-zone data (storage.2.168.192.in-addr.arpa)
zone vnq.local/IN: has 0 SOA records
zone vnq.local/IN: has no NS records
zone vnq.local/IN: not loaded due to errors.

Below are the contents of the VNQ.REV file.

$ORIGIN .
$TTL 86400      ; 1 day
2.168.192.in-addr.arpa  IN SOA  masterdns.vnq.local. root.vnq.local. (
                                2011071001 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      masterdns.vnq.local.
                        NS      slavedns.vnq.local.
                        PTR     vnq.local.
$ORIGIN 2.168.192.in-addr.arpa.
165                     PTR     ovirt.vnq.local
166                     PTR     ovirthost1.vnq.local
167                     PTR     ovirthost2.vnq.local
170                     PTR     storage.vnq.local
171                     PTR     remote.vnq.local
210                     PTR     masterdns.vnq.local
211                     PTR     slavedns.vnq.local
214                     PTR     ovirthost3.vnq.local
masterdns               A       192.168.2.210
ovirt                   A       192.168.2.165
ovirthost1              A       192.168.2.166
ovirthost2              A       192.168.2.167
ovirthost3              A       192.168.2.214
remote                  A       192.168.2.171
slavedns                A       192.168.2.211
storage                 A       192.168.2.170

Here is the vnq.fwd file

$ORIGIN .
$TTL 86400      ; 1 day
vnq.local               IN SOA  masterdns.vnq.local. root.vnq.local. (
                                2011071001 ; serial
                                3600       ; refresh (1 hour)
                                1800       ; retry (30 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      masterdns.vnq.local.
                        NS      slavedns.vnq.local.
                        A       192.168.2.210
                        A       192.168.2.211
                        A       192.168.2.165
                        A       192.168.2.166
                        A       192.168.2.167
                        A       192.168.2.214
                        A       192.168.2.170
                        A       192.168.2.171
$ORIGIN vnq.local.
masterdns               A       192.168.2.210
ovirt                   A       192.168.2.165
ovirthost1              A       192.168.2.166
ovirthost2              A       192.168.2.167
ovirthost3              A       192.168.2.214
remote                  A       192.168.2.171
slavedns                A       192.168.2.211
storage                 A       192.168.2.170

SLAVEDNS named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.2.211; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; 192.168.2.0/24; };


};
zone "vnq.local" IN {
type slave;
file "slaves/vnq.fwd";
masterfile-format text;
masters { 192.168.2.210; };
};
zone "2.168.192.in-addr.arpa" IN {
type slave;
file "slaves/vnq.rev";
masterfile-format text;
masters { 192.168.2.210; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Below is the master named.conf

[root@masterdns var]# vi /etc/named.conf
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "vnq.local" IN {
type master;
file "forward.vnq";
allow-update { none; };
};
zone "2.168.192.in-addr.arpa" IN {
type master;
file "reverse.vnq";
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

As I said, masterdns works fine. When I run the same command on the masterdns server, it gets "OK" for both the reverse and forward files.

See the forward and reverse files of MASTERDNS below

Forward.vnq file

$TTL 86400
@   IN  SOA     masterdns.vnq.local. root.vnq.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.vnq.local.
@       IN  NS          slavedns.vnq.local.
@       IN  A           192.168.2.210
@       IN  A           192.168.2.211
@       IN  A           192.168.2.165
@       IN  A           192.168.2.166
@       IN  A           192.168.2.167
@       IN  A           192.168.2.214
@       IN  A           192.168.2.170
@       IN  A           192.168.2.171
masterdns       IN  A   192.168.2.210
slavedns        IN  A   192.168.2.211
ovirt           IN  A   192.168.2.165
ovirthost1      IN  A   192.168.2.166
ovirthost2      IN  A   192.168.2.167
ovirthost3      IN  A   192.168.2.214
storage         IN  A   192.168.2.170
remote          IN  A   192.168.2.171

Reverse.vnq file

$TTL 86400
@   IN  SOA     masterdns.vnq.local. root.vnq.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.vnq.local.
@       IN  NS          slavedns.vnq.local.
@       IN  PTR         vnq.local.
masterdns       IN  A   192.168.2.210
slavedns        IN  A   192.168.2.211
ovirt           IN  A   192.168.2.165
ovirthost1      IN  A   192.168.2.166
ovirthost2      IN  A   192.168.2.167
ovirthost3      IN  A   192.168.2.214
storage         IN  A   192.168.2.170
remote          IN  A   192.168.2.171
210     IN  PTR         masterdns.vnq.local
211     IN  PTR         slavedns.vnq.local
165     IN  PTR         ovirt.vnq.local
166     IN  PTR         ovirthost1.vnq.local
167     IN  PTR         ovirthost2.vnq.local
214     IN  PTR         ovirthost3.vnq.local
170     IN  PTR         storage.vnq.local
171     IN  PTR         remote.vnq.local

Answer 1

Your named-checkzone command line is incorrect for the file you are testing.

You ran:

named-checkzone vnq.local /var/named/slaves/vnq.rev

But looking at your named.conf and the contents of that zone file, it appears that the name of the zone is 2.168.192.in-addr.arpa (not vnq.local as indicated on the command line).

If you adjust the command line, the test itself should work:

named-checkzone 2.168.192.in-addr.arpa /var/named/slaves/vnq.rev

Another approach that I find quite convenient is:

named-checkconf -zj

(This loads named.conf and validates the configuration as well as the zone files referenced from it.)

Now, of course, once you correct the command used to test the zone file, there may still be actual problems with the zone file, but at least the test will guide you to the real problems rather than spurious ones caused purely by inconsistent arguments to the validation tool.

Just looking at the contents of the question, I immediately spotted some problems:

  • You probably want a trailing dot at the end of the PTR record values (i.e., in your example I assume you want the value to be ovirt.vnq.local., not ovirt.vnq.local.2.168.192.in-addr.arpa. as it currently is).
  • The TLD local is reserved for mDNS and should not appear in DNS. You should probably consider using a namespace of your own.
  • Address records in the reverse zone are rather unconventional. Unless you intend to look up names like masterdns.2.168.192.in-addr.arpa, I would consider having those records purely a mistake.
  • It is odd that you appear to be working directly with the zone files and the data in them on the slave side. You don't need to do that; when the master works properly, the slave should transfer the zone data and write it to the specified file without any manual intervention. (However, it looks like you need to add allow-transfer on the master side.)
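To make the first bullet and the "0 SOA records" output concrete, here is an added example (not from the original post or from BIND) that applies $ORIGIN the way a zone-file loader does and runs the answer's checks over a constructed excerpt of the posted vnq.rev; it only handles single-line records, so the SOA is collapsed onto one line.

```python
"""Added example (not from the original post): a toy zone-file loader that
applies $ORIGIN like BIND, showing why the posted vnq.rev yields PTR targets
such as ovirt.vnq.local.2.168.192.in-addr.arpa. and reports 0 SOA records
when checked under the wrong zone name. Single-line records only."""

# Constructed sample from the posted vnq.rev; the SOA is collapsed onto one line.
SAMPLE_ZONE = """\
$ORIGIN .
2.168.192.in-addr.arpa  IN SOA  masterdns.vnq.local. root.vnq.local. 2011071001 3600 1800 604800 86400
$ORIGIN 2.168.192.in-addr.arpa.
165                     PTR     ovirt.vnq.local
210                     PTR     masterdns.vnq.local.
masterdns               A       192.168.2.210
"""

def absolutize(name, origin):
    """Names ending in '.' are absolute; anything else gets $ORIGIN appended."""
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def expand_records(zone_text):
    """Return (owner, rrtype, rdata) tuples with owner and name-valued rdata absolutized."""
    origin, records = ".", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if not line:
            continue
        if line.startswith("$"):                    # directive: only $ORIGIN matters here
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if fields[1].upper() == "IN":               # optional class (TTL field not handled)
            del fields[1]
        rrtype, rdata = fields[1].upper(), " ".join(fields[2:])
        if rrtype in ("PTR", "NS", "CNAME"):        # rdata is a domain name: same rule applies
            rdata = absolutize(rdata, origin)
        records.append((absolutize(fields[0], origin), rrtype, rdata))
    return records

def check_zone(records, zone_name):
    """Flag the problems the answer points out, as named-checkzone would for zone_name."""
    issues = []
    if not any(o == zone_name and t == "SOA" for o, t, _ in records):
        issues.append(f"zone {zone_name}: has 0 SOA records (wrong zone name on the command line?)")
    for owner, rrtype, rdata in records:
        if rrtype == "PTR" and rdata.endswith(".in-addr.arpa."):
            issues.append(f"{owner}: PTR target {rdata} was relative; add a trailing dot")
        elif rrtype in ("A", "AAAA"):
            issues.append(f"{owner}: {rrtype} record inside a reverse zone is almost certainly a mistake")
    return issues
```

Calling check_zone with "vnq.local." reproduces the missing-SOA complaint from the question, while "2.168.192.in-addr.arpa." leaves only the two real defects.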

Answer 2

Yes, basically the command I ran was wrong, thanks for pointing that out. After running the command I got "OK", which got me thinking about why it wasn't working... so I disabled the firewall on the server, and sure enough the slave server is working. This is just a local DNS that I made to use and play around with.

So basically the command output made me a bit nervous, and with my "limited" knowledge of building a DNS server from scratch, I figured my configuration was messed up somewhere.

Thanks for all the answers and comments!
