For educational purposes, we were asked to do the following (in summary):
- Use BIND DNS
Step 1:
- Use the same daemon on the first server
- Create a TLD zone (as the parent zone) on a specific IP address
- Create a child zone on another IP address
- Delegate the child zone in the parent zone
- Allow recursion from the parent to the child
Then...
Step 2:
- Use the same configuration on a second server
- Set up a master/slave relationship between the first and second server for the parent zone
- Set up a master/slave relationship between the first and second server for the child zone
Then...
Step 3:
- Reverse the master/slave relationship between the first and second server for the child zone
- Set up DNSSEC
- Set up dynamic DNS with dhcpd
I stopped here, because I got stuck at the first step.
Here is the zone file of my TLD, named lab.:
$ORIGIN lab.
; Time a cache will keep responses
$TTL 1h
;; ----------------------------------------------------------------------------------
;; ZONE : lab.
;; ----------------------------------------------------------------------------------
;; ---------------------------------------
;; START OF AUTHORITY
;; ---------------------------------------
@ IN SOA ns0 hostmaster (
; serial
2020040400
; Frequency of zone transfer from slave
12h
; delay before slave retries after a zone transfer failure
15m
; Time a slave will keep the data in case it cannot contact the master
1w
; Time a cache will keep negative responses (NXDOMAIN)
1h
)
;; --------------------------------------
;; NAME SERVER
;; --------------------------------------
@ IN NS ns0
ns0 IN A 10.31.0.220
;; v0.1 seems bad ??
;; --------------------------------------
;; SUB DOMAIN / DELEGATION
;; --------------------------------------
;;demo IN NS ns1.demo
;;ns1.demo IN A 10.31.0.221
;; v0.2 not better
;; --------------------------------------
;; SUB DOMAIN / DELEGATION
;; --------------------------------------
;;demo IN A 10.31.0.221
;;$ORIGIN demo.lab.
;;$TTL 1h;
;;@ IN NS ns1
;;@ IN NS ns0.lab.
;;ns1 IN A 10.31.0.221
Here is the zone file of my subdomain demo.lab.:
$ORIGIN demo.lab.
; Time a cache will keep responses
$TTL 1h
;; ----------------------------------------------------------------------------------
;; ZONE : demo.lab.
;; ----------------------------------------------------------------------------------
;; ---------------------------------------
;; START OF AUTHORITY
;; ---------------------------------------
@ IN SOA ns1 hostmaster (
; serial
2020040400
; Frequency of zone transfer from slave
12h
; delay before slave retries after a zone transfer failure
15m
; Time a slave will keep the data in case it cannot contact the master
1w
; Time a cache will keep negative responses (NXDOMAIN)
1h
)
;; --------------------------------------
;; NAME SERVER
;; --------------------------------------
@ IN NS ns1
ns1 IN A 10.31.0.221
@ IN NS ns0.lab.
Here is my named.conf file:
options {
directory "/etc/bind";
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on {
10.31.0.220;
10.31.0.221;
};
recursion yes;
allow-recursion { any; };
allow-recursion-on { any; };
allow-query-cache { any; };
minimal-responses no;
querylog yes;
};
zone "lab." IN {
type master;
file "zone/2/db-lab";
allow-query {
10.31.0/24;
10.31.10/24;
10.31.0.221;
};
allow-query-on {
10.31.0.220;
};
};
zone "demo.lab." IN {
type master;
file "zone/2/db-demo.lab";
allow-query {
10.31.0/24;
10.31.10/24;
10.31.0.220;
};
allow-query-on {
10.31.0.221;
};
};
/*
zone "0.31.10.in-addr.arpa" IN {
type master;
file "zone/2/db.0.31.10.in-addr.arpa";
allow-query {
any;
};
};
*/
BIND on the first server listens on 10.31.0.220 and 10.31.0.221. The lab. zone allows 10.31.0.220 and the demo.lab. zone allows 10.31.0.221 in each zone's allow-query-on. When I try to query demo.lab. through the parent zone on 10.31.0.220, I always get the query refused. Likewise if I query .221 for lab.:
08-Apr-2020 11:13:19.869 queries: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query: demo.lab IN A +E(0)K (10.31.0.220)
08-Apr-2020 11:13:19.869 security: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query-on denied
08-Apr-2020 11:13:19.869 query-errors: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query failed (REFUSED) for demo.lab/IN/A at query.c:5382
It seems it does not recurse from the parent (.220) to the child (.221). I don't know whether I have set up the delegation between parent and child correctly. I have read many tutorials, some of which contradict each other, and I have run many tests, but all of them failed.
Without allow-query-on for each zone on each listening address, I get no answer.
Even with allow-recursion { any; } and allow-recursion-on { any; }; it doesn't work.
I don't know whether I need views.
Honestly, I am completely lost.
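The first step of the assignment is the delegation of demo.lab. inside the lab. zone, and the zone file above has every delegation attempt commented out. Below is an added example (not code from the original post) that checks a parent zone file for a working delegation: it parses the small subset of the zone-file syntax used on this page ($ORIGIN, $TTL, '@', relative names, ';' comments and parenthesised multi-line records such as the SOA), then verifies that the parent holds NS records at the child name and an A/AAAA record for every NS name that lies inside the parent zone (glue when that name is below the child). The sample zone text is constructed from the lab. zone in the post with its "v0.1" delegation lines uncommented; the function names are my own.

```python
"""Delegation checker for a BIND-style parent zone file (added example)."""
import re

_TTL = re.compile(r"\d+[smhdw]?", re.I)


def _logical_records(text):
    """Yield one string per record, joining lines inside ( ... ) and dropping ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _fqdn(name, origin):
    """Make a name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin=None):
    """Return a list of (owner, rtype, rdata) tuples with absolute owner names."""
    records, owner = [], None
    for rec in _logical_records(text):
        tokens = rec.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        if origin is None:
            raise ValueError("no $ORIGIN directive and no origin given")
        if rec[0].isspace():                     # blank owner: reuse the previous one
            if owner is None:
                raise ValueError("record without owner: %r" % rec)
            fields = tokens
        else:
            owner, fields = _fqdn(tokens[0], origin), tokens[1:]
        if fields and _TTL.fullmatch(fields[0]):                  # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() in ("IN", "CH", "HS"):   # optional class
            fields = fields[1:]
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata[0] = _fqdn(rdata[0], origin)
        elif rtype == "SOA":
            rdata[0], rdata[1] = _fqdn(rdata[0], origin), _fqdn(rdata[1], origin)
        records.append((owner, rtype, rdata))
    return records


def _below(name, zone):
    return zone == "." or name.endswith("." + zone)


def check_delegation(parent_text, child_name):
    """Return (ok, problems) for the delegation of child_name in the parent zone."""
    child = child_name.lower().rstrip(".") + "."
    recs = parse_zone(parent_text)
    apex = [o for o, t, _ in recs if t == "SOA"]
    if not apex:
        return False, ["parent zone has no SOA record"]
    parent = apex[0]
    if not _below(child, parent):
        return False, [f"{child} is not below {parent}"]
    problems = []
    ns_names = [r[0] for o, t, r in recs if o == child and t == "NS"]
    if not ns_names:
        problems.append(f"no NS records for {child} in {parent}")
    has_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    for ns in ns_names:
        # the parent must carry an address for NS names inside its own zone;
        # below the child that address is the glue record
        if _below(ns, parent) and ns not in has_addr:
            kind = "glue" if _below(ns, child) else "address"
            problems.append(f"missing {kind} A/AAAA record for {ns}")
    # anything other than NS/DS at the zone cut is occluded by the delegation
    stray = sorted({t for o, t, _ in recs if o == child and t not in ("NS", "DS")})
    if stray:
        problems.append(f"occluded records at {child}: {', '.join(stray)}")
    return not problems, problems


# Constructed sample: the lab. zone from the post with the v0.1 delegation uncommented.
PARENT_OK = """\
$ORIGIN lab.
$TTL 1h
@ IN SOA ns0 hostmaster (
    2020040400 ; serial
    12h 15m 1w 1h )
@ IN NS ns0
ns0 IN A 10.31.0.220
demo IN NS ns1.demo
ns1.demo IN A 10.31.0.221
"""

# Same zone with the glue record for ns1.demo.lab. dropped.
PARENT_NO_GLUE = PARENT_OK.replace("ns1.demo IN A 10.31.0.221\n", "")

if __name__ == "__main__":
    for label, text in (("ok", PARENT_OK), ("no glue", PARENT_NO_GLUE)):
        print(label, check_delegation(text, "demo.lab"))
```

Run it against the real db-lab file (`check_delegation(open("db-lab").read(), "demo.lab")`) after editing the delegation; a clean result means the parent can hand out a referral with an address, which is the precondition for any resolver, including the parent's own recursive side, reaching the child on .221.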
Answer 1
It works using 2 views.
view "lab" IN {
match-clients { any; };
match-destinations { 10.31.0.220; };
match-recursive-only no;
recursion yes;
allow-recursion { any; };
allow-recursion-on { 10.31.0.220; };
allow-query {
10.31.0/24;
10.31.10/24;
10.31.0.221;
10.31.0.221;
};
allow-query-on {
10.31.0.220;
};
// zone lab.
zone "lab." IN {
type master;
file "zone/2/db-lab";
allow-query-on { 10.31.0.220; };
};
// zone 0.31.10.in-addr.arpa
zone "0.31.10.in-addr.arpa" IN {
type master;
file "zone/2/db-0.31.10.in-addr.arpa";
};
//notify no;
};
view "demo.lab" IN {
match-clients { any; }; // source
match-destinations { 10.31.0.221; }; // destination
match-recursive-only no;
recursion yes;
allow-recursion { any; };
allow-recursion-on { 10.31.0.221; };
allow-query {
10.31.0/24;
10.31.10/24;
//10.31.0.221;
};
allow-query-on {
10.31.0.221;
};
// try demo.lab to lab
//forward only;
//forwarders { 10.31.0.220; };
// zone demo.lab.
zone "demo.lab." IN {
type master;
file "zone/2/db-demo.lab";
};
/*
// zone lab.
// forward cause dnssec error need to add in global options
// dnssec-enable no;
// dnssec-validation no;
zone "lab." IN {
type forward;
forwarders { 10.31.0.220; };
};
*/
// replace forward
zone "lab." IN {
type stub;
file "zone/2/db-lab";
masters { 10.31.0.220; };
};
// zone 0.31.10.in-addr.arpa
zone "0.31.10.in-addr.arpa" IN {
type master;
file "zone/2/db-0.31.10.in-addr.arpa";
};
//notify no;
};
It may not be the best on a first attempt, but there are no errors in the log.
I needed to remove the ns0.lab. NS from the demo.lab. zone, because I got this message in the log, and I don't know whether that is good:
notify: notice: client @0x67b450 10.31.0.254#41543: view lab: received notify for zone 'demo.lab': not authoritative
Kind regards
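Both the question and the answer are diagnosed from BIND's category logs: the three lines in the question show one query logged in the queries, security and query-errors categories, and the answer's notify line comes from a fourth category. BIND ties such lines together with the client id (the @0x... token), and the queries line records in parentheses the address the query was sent to, which is the address allow-query-on is evaluated against. The added example below (my own code, not from the post or from BIND) joins the lines on that id and reports, per listening address, which queries were denied and why, plus rejected notifies. The sample lines are constructed in the same format as the ones quoted on this page.

```python
"""Correlate BIND category log lines by client id (added example)."""
import re
from collections import Counter

# One log line: optional timestamp, category, severity, client id, source, port, optional qname, message.
_LINE = re.compile(
    r"^(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) )?"
    r"(?P<cat>[\w-]+): (?P<sev>\w+): client @(?P<cid>0x[0-9a-f]+) "
    r"(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \((?P<qname>[^)]*)\))?: (?P<msg>.*)$"
)
# "query: <name> <class> <type> <flags> (<listener address>)"
_QUERY = re.compile(r"^query: (\S+) (\S+) (\S+) \S+ \((?P<dst>[^)]+)\)$")
_FAILED = re.compile(r"^query failed \((?P<rcode>\w+)\)")
# Only notify lines that carry a trailing reason (e.g. "not authoritative") match.
_NOTIFY = re.compile(r"^(?:view (?P<view>\S+): )?received notify for zone '(?P<zone>[^']+)': (?P<why>.*)$")


def triage(lines):
    """Return a list of finding dicts: denied queries (with listener) and rejected notifies."""
    findings, pending, last = [], {}, {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        cat, cid, msg = m["cat"], m["cid"], m["msg"]
        if cat == "queries":
            q = _QUERY.match(msg)
            if q:   # remember which listener this client id hit
                pending[cid] = {"client": m["src"], "listener": q["dst"],
                                "qname": q.group(1), "qtype": q.group(3)}
        elif cat == "security" and msg.endswith("denied"):
            f = dict(pending.get(cid, {"client": m["src"], "listener": None,
                                       "qname": m["qname"], "qtype": None}))
            f.update(kind="denied", reason=msg)
            findings.append(f)
            last[cid] = f
        elif cat == "query-errors":
            q = _FAILED.match(msg)
            if q and cid in last:   # attach the rcode to the denial just seen
                last[cid]["rcode"] = q["rcode"]
        elif cat == "notify":
            n = _NOTIFY.match(msg)
            if n:
                findings.append({"kind": "notify", "client": m["src"], "view": n["view"],
                                 "zone": n["zone"], "reason": n["why"]})
    return findings


def summarize(findings):
    """Count denied queries per (listener address, reason)."""
    return Counter((f["listener"], f["reason"]) for f in findings if f["kind"] == "denied")


# Constructed sample in the format of the lines quoted in the post.
SAMPLE = [
    "08-Apr-2020 11:13:19.869 queries: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query: demo.lab IN A +E(0)K (10.31.0.220)",
    "08-Apr-2020 11:13:19.869 security: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query-on denied",
    "08-Apr-2020 11:13:19.869 query-errors: info: client @0x1cf6450 10.31.0.254#50248 (demo.lab): query failed (REFUSED) for demo.lab/IN/A at query.c:5382",
    "notify: notice: client @0x67b450 10.31.0.254#41543: view lab: received notify for zone 'demo.lab': not authoritative",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print(summarize(triage(SAMPLE)))
```

On the sample the denial is attributed to listener 10.31.0.220 for demo.lab, i.e. the query reached the address that the demo.lab. zone's allow-query-on excludes, which is the mismatch described in the question; the notify finding records the view and zone BIND rejected, which is what the answer was reacting to when it removed the ns0.lab. NS from demo.lab.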