绑定递归和委托允许查询被拒绝


出于教育目的,我们被要求:总结一下......

  • 使用 BIND DNS

第一步:

  • 在第一台服务器中使用相同的守护进程
  • 在特定 IP 地址上创建 TLD 区域(作为父区域)
  • 在另一个 IP 地址上创建子区域
  • 在父区域委托子区域
  • 允许从父级到子级递归

然后...

第二步:

  • 在第二台服务器中使用相同的配置
  • 设置第一和第二服务器父区域之间的主/从关系
  • 设置第一和第二个服务器子区域之间的主/从关系

然后...

第三步:


  • 在第一台和第二台服务器之间为子区域设置相反的主/从关系
  • 设置 DNSSEC
  • 使用 dhcpd 设置动态 DNS

我在这里停了下来,因为我在第一步就被阻止了。

这是我名为 lab. 的 TLD 的区域文件

    $ORIGIN lab.

    ; Time a cache will keep responses
    $TTL 1h

    ;; ----------------------------------------------------------------------------------
    ;;  ZONE : lab.
    ;; ----------------------------------------------------------------------------------

    ;; ---------------------------------------
    ;; START OF AUTHORITY
    ;; ---------------------------------------

    ; MNAME "ns0" and RNAME "hostmaster" are relative to $ORIGIN (ns0.lab., hostmaster.lab.)
    @   IN  SOA ns0 hostmaster (
                        ; serial (YYYYMMDDnn); raise it on every edit, otherwise the
                        ; secondary planned for step 2 will not transfer the new data
                        2020040400
                        ; Frequency of zone transfer from slave
                        12h
                        ; delay before slave retries after a zone transfer failure
                        15m
                        ; Time a slave will keep the data in case it cannot contact the master
                        1w
                        ; Time a cache will keep negative responses (NXDOMAIN)
                        1h
                    )
    ;; --------------------------------------
    ;; NAME SERVER
    ;; --------------------------------------

    @       IN  NS  ns0
    ns0     IN  A   10.31.0.220

    ;; v0.1 seems bad ??
    ;; NOTE(review): this is the correct shape for a delegation: an NS record for the
    ;; child owner name in the parent, plus a glue A record because ns1.demo lives inside
    ;; the delegated zone. It does not remove the REFUSED answers by itself: the same named
    ;; instance is also master for demo.lab. (see named.conf), so a demo.lab query that
    ;; arrives on 10.31.0.220 is matched to that local zone and checked against its own
    ;; allow-query-on instead of being referred to ns1.
    ;; --------------------------------------
    ;; SUB DOMAIN / DELEGATION
    ;; --------------------------------------

    ;;demo      IN  NS  ns1.demo
    ;;ns1.demo  IN  A   10.31.0.221

    ;; v0.2 not better
    ;; NOTE(review): an A record for "demo" is a host entry owned by lab., not a
    ;; delegation; it does not hand authority for demo.lab. to ns1.
    ;; --------------------------------------
    ;; SUB DOMAIN / DELEGATION
    ;; --------------------------------------
    ;;demo      IN  A   10.31.0.221

   ;; NOTE(review): a second $ORIGIN does not start a new zone; any record placed below
   ;; demo.lab. in this file is loaded as data of the lab. zone. The child's SOA/NS/A
   ;; records belong only in db-demo.lab; the parent keeps just the delegation NS (and
   ;; glue) from v0.1 above.
   ;;$ORIGIN demo.lab.
   ;;$TTL 1h;
   ;;@      IN  NS  ns1
   ;;@      IN  NS  ns0.lab. 
   ;;ns1        IN  A   10.31.0.221

这是我的子域 demo.lab. 的区域文件

$ORIGIN demo.lab.

; Time a cache will keep responses
$TTL 1h

;; ----------------------------------------------------------------------------------
;;  ZONE : demo.lab.
;; ----------------------------------------------------------------------------------

;; ---------------------------------------
;; START OF AUTHORITY
;; ---------------------------------------

; MNAME "ns1" and RNAME "hostmaster" are relative to $ORIGIN (ns1.demo.lab., hostmaster.demo.lab.)
@   IN  SOA ns1 hostmaster (
                    ; serial (YYYYMMDDnn); raise it on every edit so the secondary of
                    ; step 2 sees the change
                    2020040400
                    ; Frequency of zone transfer from slave
                    12h
                    ; delay before slave retries after a zone transfer failure
                    15m
                    ; Time a slave will keep the data in case it cannot contact the master
                    1w
                    ; Time a cache will keep negative responses (NXDOMAIN)
                    1h
                )
;; --------------------------------------
;; NAME SERVER
;; --------------------------------------

; In-zone nameserver: the A record here is the glue that the parent's delegation
; (demo NS ns1.demo / ns1.demo A 10.31.0.221 in db-lab) must repeat.
@   IN  NS  ns1
ns1 IN  A   10.31.0.221

;; NOTE(review): this claims that ns0.lab. (10.31.0.220) answers authoritatively for
;; demo.lab. With the split-view configuration from the answer, the view serving .220 has
;; no demo.lab. zone, which is exactly what the logged "received notify for zone
;; 'demo.lab': not authoritative" reports. List only nameservers that really serve the
;; zone on the address they listen on; the NS set must also agree with the parent's
;; delegation records.
@   IN  NS  ns0.lab.

这是我的named.conf文件

// Global options for the single named instance that serves both lab. and demo.lab.
options {
    directory "/etc/bind";

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //  0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035

    // One process owns both addresses. The zone-level allow-query-on ACLs below are
    // evaluated against whichever of these two addresses a query was sent to.
    listen-on { 
        10.31.0.220;
        10.31.0.221; 
    };      

    recursion yes;

    // NOTE(review): recursion for { any; } together with an open cache makes this
    // instance an open resolver on every network that can reach it (amplification and
    // cache-abuse exposure as soon as it is reachable beyond the lab). Restrict these to
    // the lab prefixes already used by the zone ACLs, e.g.
    //   allow-recursion { 10.31.0/24; 10.31.10/24; };
    //   allow-query-cache { 10.31.0/24; 10.31.10/24; };
    allow-recursion { any; };
    allow-recursion-on { any;  };
    allow-query-cache { any; };

    minimal-responses no;
    // Logs every query (the "queries: info" lines quoted below come from this);
    // useful while debugging, noisy in production.
    querylog yes;

};

// Parent zone, meant to be answered only on 10.31.0.220.
zone "lab." IN {
    type master;
    file "zone/2/db-lab";
    // 10.31.0.221 is already inside 10.31.0/24; the explicit entry is redundant.
    allow-query {
        10.31.0/24;
        10.31.10/24;
        10.31.0.221;
    };

    // NOTE(review): allow-query-on is checked per zone against the destination address.
    // A lab. query arriving on 10.31.0.221 is therefore REFUSED ("query-on denied"),
    // and the mirror-image ACL on "demo.lab." below refuses demo.lab queries arriving on
    // .220. Without views, the two zones in one instance cannot be split by address
    // this way; either drop allow-query-on or move each zone into its own view
    // selected with match-destinations (as the answer does).
    allow-query-on {
        10.31.0.220;
    };

};

// Child zone, meant to be answered only on 10.31.0.221.
zone "demo.lab." IN {
    type master;
    file "zone/2/db-demo.lab";
    // 10.31.0.220 is already inside 10.31.0/24; the explicit entry is redundant.
    allow-query {
        10.31.0/24;
        10.31.10/24;
        10.31.0.220;
    };

    // NOTE(review): this ACL is what produces the REFUSED answers in the log below.
    // The instance is master for demo.lab. itself, so a query for demo.lab that arrives
    // on 10.31.0.220 is answered from this zone, never referred via the parent's
    // delegation, and fails this destination check ("query-on denied"). Either drop
    // allow-query-on here, or keep the per-address split by putting each zone in its
    // own view selected with match-destinations, as the accepted answer does.
    allow-query-on {
        10.31.0.221;
    };
};


/* 
zone "0.31.10.in-addr.arpa" IN {
    type master;
    file "zone/2/db.0.31.10.in-addr.arpa";

    allow-query {
        any;
    };
};
*/

第一台服务器上的 BIND 正在监听 10.31.0.220 和 10.31.0.221

  • lab.区域允许10.31.0.220
  • demo.lab.区域允许10.31.0.221

每个区域都使用 allow-query-on 进行限制

当我尝试通过父区域的地址 10.31.0.220 查询 demo.lab. 时,总是会遇到 allow-query-on 拒绝查询的情况。如果我通过 .221 查询 lab.,情况也一样。

08-Apr-2020 11:13:19.869 queries: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query: demo.lab IN A +E(0)K (10.31.0.220)
08-Apr-2020 11:13:19.869 security: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query-on denied
08-Apr-2020 11:13:19.869 query-errors: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query failed (REFUSED) for demo.lab/IN/A at query.c:5382

似乎它没有从父级 .220 递归到子级 .221。我不知道是否正确设置了父级/子级之间的委托。我读过很多教程,其中一些互相矛盾,我做了很多测试,但都失败了。

没有 allow-query-on,我就无法为每个区域的每个监听地址得到答案。

即使设置了 allow-recursion { any; } 和 allow-recursion-on { any; };,这也不起作用。

我不知道是否需要视图。

说实话我完全迷失了。

答案1

它使用 2 个视图来工作。

// View selected by destination address: every query sent to 10.31.0.220 lands here,
// whatever its source (match-clients any).
view "lab" IN {
    match-clients { any; };
    match-destinations { 10.31.0.220; };
    match-recursive-only no;
    recursion yes;
    // NOTE(review): recursion for { any; } on a view reachable from outside the lab is
    // an open resolver; restrict it to the lab prefixes listed in allow-query.
    allow-recursion { any; };
    allow-recursion-on { 10.31.0.220; };
    // 10.31.0.221 is listed twice and is already inside 10.31.0/24; harmless, but both
    // entries can be dropped.
    allow-query {
                10.31.0/24;
                10.31.10/24;
                10.31.0.221;
        10.31.0.221;
        };
    allow-query-on {
        10.31.0.220;
        };


    // NOTE(review): no demo.lab. zone exists in this view, so a demo.lab query on .220
    // is answered from the lab. zone: with a delegation NS (plus glue) for "demo" it is
    // referred or resolved onwards, without one the view answers NXDOMAIN. In the db-lab
    // shown above those delegation records are still commented out; confirm the file
    // actually loaded has them.
    // zone lab.
    zone "lab." IN {
            type master;
            file "zone/2/db-lab";
        allow-query-on { 10.31.0.220; };
    };
    // zone 0.31.10.in-addr.arpa
    // Same file as the "0.31.10.in-addr.arpa" master in view "demo.lab"; fine while the
    // zone is static, but see the note there before enabling dynamic updates (step 3).
    zone "0.31.10.in-addr.arpa" IN {
                type master;
                file "zone/2/db-0.31.10.in-addr.arpa";
    };

    //notify no;
};


// View selected by destination address: every query sent to 10.31.0.221 lands here,
// whatever its source (match-clients any).
view "demo.lab" IN {
        match-clients { any; };     // source
        match-destinations { 10.31.0.221; };    // destination
        match-recursive-only no;
        recursion yes;
        // NOTE(review): recursion for { any; } on a view reachable from outside the lab
        // is an open resolver; restrict it to the lab prefixes listed in allow-query.
        allow-recursion { any; };
    allow-recursion-on { 10.31.0.221; };
    allow-query {
                10.31.0/24;
                10.31.10/24;
                //10.31.0.221;
        };
    allow-query-on {
                10.31.0.221;
        };

    // try demo.lab to lab
    //forward only;
    //forwarders { 10.31.0.220; };

    // zone demo.lab.
        zone "demo.lab." IN {
                type master;
                file "zone/2/db-demo.lab";
        };
/*  
    // zone lab.
    // forward cause dnssec error need to add in global options
    //  dnssec-enable no;
    //  dnssec-validation no;
    zone "lab." IN {
        type forward;
        forwarders { 10.31.0.220; };
    };
*/

    // replace forward
    // A stub zone keeps only the SOA/NS (and glue) it fetches from "masters" and uses
    // them to reach the parent directly, which is why the forward variant above is no
    // longer needed.
    // NOTE(review): named writes the fetched stub data to "file". This is the same path
    // the master "lab." zone in view "lab" loads from, so the hand-maintained db-lab can
    // be overwritten; give the stub its own file, e.g. file "zone/2/stub-lab" (name
    // chosen here, any unused path will do).
    zone "lab." IN {
        type stub;
        file "zone/2/db-lab";
        masters { 10.31.0.220; };
    };

    // zone 0.31.10.in-addr.arpa
    // NOTE(review): the same reverse zone is master, from the same file, in both views.
    // That works for a static zone, but step 3 plans dynamic updates from dhcpd, and two
    // views updating one zone file and its journal will conflict. Define the zone in one
    // view only and reference it from the other with in-view (BIND 9.10+), or give
    // each view its own file.
    zone "0.31.10.in-addr.arpa" IN {
            type master;
            file "zone/2/db-0.31.10.in-addr.arpa";
    };

    //notify no;

};

第一次可能不是最好的,但日志中没有错误。

我需要从 demo.lab. 区域中删除 NS ns0.lab.,因为日志中出现了下面这条消息,而且我不知道这样是否合适。

notify: notice: client @0x67b450 10.31.0.254#41543: view lab: received notify for zone 'demo.lab': not authoritative

亲切的问候
