绑定转发器未按预期工作

tag-icon tag-icon domain-name-system centos7 bind
绑定转发器未按预期工作

我想设置一个本地 DNS 服务器,该服务器托管 fld.example.com,并带有基于区域的转发器。Bind 在 CentOS7 上运行,使用 BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7(扩展支持版本)。当我在 options {} 块中设置解析器时,它工作正常,我得到了响应。

命名配置文件

options {
   listen-on port 53 { 192.0.2.2; };
   forwarders      { 198.51.100.2; };
   ...
};

# 挖掘 api.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4730
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net.   IN      A

;; ANSWER SECTION:
api.example.net. 300 IN     CNAME   internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com.
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.3
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.4
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.5

;; AUTHORITY SECTION:
.                       34329   IN      NS      m.root-servers.net.
.                       34329   IN      NS      c.root-servers.net.
.                       34329   IN      NS      b.root-servers.net.
.                       34329   IN      NS      j.root-servers.net.
.                       34329   IN      NS      h.root-servers.net.
.                       34329   IN      NS      g.root-servers.net.
.                       34329   IN      NS      d.root-servers.net.
.                       34329   IN      NS      k.root-servers.net.
.                       34329   IN      NS      e.root-servers.net.
.                       34329   IN      NS      l.root-servers.net.
.                       34329   IN      NS      i.root-servers.net.
.                       34329   IN      NS      f.root-servers.net.
.                       34329   IN      NS      a.root-servers.net.

;; Query time: 91 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:32:53 CDT 2020
;; MSG SIZE  rcvd: 397

一旦我将转发器移至某个区域,它就不会按预期工作。它返回 SERVFAIL。

命名的.conf.本地

zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

# 挖掘 api.example.net

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net.   IN      A

;; Query time: 4001 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:37:00 CDT 2020
;; MSG SIZE  rcvd: 56

tcpdump -I ens192 host 198.51.100.2 根本没有显示任何流量。

尝试一个不存在的 DNS 记录,我立即从转发到的服务器获得 NXDOMAIN 答复:

# 挖掘不存在的dnsrecord.example.net

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> nonexistingdnsrecord.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34093
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
; nonexistingdnsrecord.example.net.   IN      A

;; AUTHORITY SECTION:
example.net. 891     IN      SOA     ns-0000.awsdns-53.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 102 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 23:45:04 CDT 2020
;; MSG SIZE  rcvd: 138

我花了一整晚的时间试图解决这个问题,并看了一些教程,但还是没能解决。请帮我解决这个问题。

请参阅以下配置:

命名的.conf:

    options {
        listen-on port 53 { 192.0.2.2; };
        forwarders      { 198.51.100.2; }
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";

        allow-transfer  { 192.0.2.3; };
        allow-query     { any; };

        filter-aaaa-on-v4 yes;
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/etc/named/named.conf.local";

命名的.conf.本地

zone "fld.example.com" {
    type master;
    file "/etc/named/zones/db.fld.example.com"; # zone file path
};


zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.192.0.2";  # 192.0.2.0/24 subnet
    };

zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

zone "100.51.198.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

答案1

仅在主配置中使用转发器才有意义。区域部分应该只包含“masters {}”块。尝试一下:

更新:

zone ... {
    type forward;
    forward only;
    masters {
       198.51.100.2;
    };
};

相关内容