Unable to add forward map: SERVFAIL/REFUSED with DDNS

I am running bind9 on a primary DNS server and on two secondary DNS servers that are in a master/slave relationship with it. I am trying to set up DDNS, but I seem to be running into a problem when the forward mapping is added; I get the error

Unable to add forward map from DESKTOP-9MFAP8Q.student.co.uk to 192.168.80.51: SERVFAIL

Initially I was getting a REFUSED error, until I added the DHCP server's address to the allow-query and allow-transfer options in named.conf.local on the primary DNS. I am not sure whether that was necessary; I just wanted to get this working.

I tried changing the permissions of the zone files with the following commands

sudo chown bind:bind /etc/bind/*.db

sudo chmod 664 /etc/bind/*.db

but that did not change the result.

I will post the configuration files below; any help would be greatly appreciated.

Router - 192.168.80.2

DHCP - 192.168.80.3

Primary DNS - 192.168.80.4

Secondary DNS - 192.168.80.5, 192.168.80.6

-------------------------Primary DNS----------------------

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

key "rndc-key" {
        algorithm hmac-sha256;
        secret "ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==";
};

zone "student.co.uk" {
        type master;
        file "/etc/bind/db.student.co.uk";
        notify no;
        allow-query {
                127.0.0.1;
                192.168.80.5;
                192.168.80.6;
                192.168.80.3;
        };
        allow-transfer {
                192.168.80.5;
                192.168.80.6;
                192.168.80.3;
        };
        allow-update {
                { key rndc-key; };
        };
};

zone "80.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.80.168.192.in-addr.arpa";
        notify no;
        allow-query {
                127.0.0.1;
                192.168.80.5;
                192.168.80.6;
        };
        allow-transfer {
                192.168.80.5;
                192.168.80.6;
        };
        allow-update {
                { key rndc-key; };
        };
};

named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

         forwarders {
                8.8.8.8;
                8.8.4.4;
         };
         allow-query {
                192.168.80.5;
                192.168.80.6;
                127.0.0.1;
         };
         allow-transfer {
                192.168.80.5;
                192.168.80.6;
                127.0.0.1;
         };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};

db.80.168.192.in-addr.arpa


; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                     2021020902         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
150     IN      PTR     www.student.co.uk.
151     IN      PTR     www.student.co.uk.

db.student.co.uk


; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                     2021021902         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
ns1     IN      A       192.168.80.5
ns2     IN      A       192.168.80.6
www     IN      A       192.168.80.150
www     IN      A       192.168.80.151

-------------------------DHCP--------------------------

dhcpd.conf

# option definitions common to all supported networks...
option domain-name "student.co.uk";
option domain-name-servers 192.168.80.5, 192.168.80.6;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-updates on;
ddns-update-style standard;
update-static-leases on;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

allow unknown-clients;
use-host-decl-names on;

key rndc-key {
        algorithm hmac-sha256;
        secret ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==;
};

zone student.co.uk. {
    primary 192.168.80.4;
    key rndc-key;
}

zone 80.168.192.in-addr.arpa. {
    primary 192.168.80.4;
    key rndc-key;
}

subnet 192.168.80.0 netmask 255.255.255.0 {
  range 192.168.80.50 192.168.80.100;
  option domain-name-servers 192.168.80.5, 192.168.80.6;
  option domain-name "student.co.uk";
  ddns-domainname "student.co.uk.";
   ddns-rev-domainname "in-addr.arpa.";
  option subnet-mask 255.255.255.0;
  option routers 192.168.80.2;
  option broadcast-address 192.168.80.255;
  default-lease-time 600;
  max-lease-time 7200;

  host DOMAIN1 {
    hardware ethernet 00:0c:29:20:87:b0;
    fixed-address 192.168.80.99;
    ddns-hostname "test";
  }
}

Answer 1

General advice

Check BIND's logs (since on the face of it that is where the error occurs); you should find error messages there relating to the update attempt.

My gut feeling (an educated guess, if you like)

BIND is probably unable to create/modify the file.

Either the directory and/or file is not writable according to the filesystem permissions, or some additional layer (such as SELinux/AppArmor) disallows writing outside the directories expected for that particular service.

Root cause theory (assuming my guess is right)

You have placed these writable files in an unconventional location, which likely goes against what the package maintainers prepared for (both in terms of filesystem permissions and in terms of any SELinux/AppArmor profiles).

Normally you would use something like /var/lib/bind for writable files (or /var/cache/bind for "cache" files), rather than /etc/bind, which is usually read-only configuration.

I would suggest confirming the appropriate directory and using that, rather than making additional system changes, unless there is a significant reason to use a different directory.

Side note: I would recommend using a dedicated key for these dhcpd-sourced updates rather than repurposing a key that looks like it is meant for rndc (and presumably is also valid for that?).
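Both recommendations from the answer applied to the configuration from the question, as an added example that is not part of the original question or answer: the dynamic zones move to /var/lib/bind (assuming Debian/Ubuntu packaging, where that directory and the named AppArmor profile already allow writes) and dhcpd gets its own TSIG key, here named dhcp-update-key (an assumed name). It goes one step beyond the answer by scoping that key with update-policy so it can only change names below the zone apex, rather than granting it the blanket allow-update the question uses.

```conf
# --- /etc/bind/named.conf.local on the primary (192.168.80.4) ---
# Dedicated TSIG key for dhcpd updates, separate from rndc-key. Generate it
# with `tsig-keygen dhcp-update-key`; the secret below is a placeholder.
key "dhcp-update-key" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-tsig-keygen-OUTPUT";
};
zone "student.co.uk" {
        type master;
        # Dynamic zones live in /var/lib/bind (writable for named under the
        # Debian AppArmor profile); the .jnl journal is created beside the file.
        file "/var/lib/bind/db.student.co.uk";
        notify no;
        allow-query { 127.0.0.1; 192.168.80.3; 192.168.80.5; 192.168.80.6; };
        allow-transfer { 192.168.80.5; 192.168.80.6; };
        # update-policy replaces allow-update (a zone may not carry both):
        # only the dhcpd key may update, and only names below the zone apex.
        update-policy {
                grant dhcp-update-key zonesub ANY;
        };
};

zone "80.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.80.168.192.in-addr.arpa";
        notify no;
        allow-query { 127.0.0.1; 192.168.80.5; 192.168.80.6; };
        allow-transfer { 192.168.80.5; 192.168.80.6; };
        update-policy {
                # The reverse zone only ever needs PTR records from dhcpd.
                grant dhcp-update-key zonesub PTR;
        };
};

# --- /etc/dhcp/dhcpd.conf on the DHCP server (192.168.80.3) ---
# Same key name, algorithm and secret as on the primary; dhcpd's syntax
# takes the key name and secret without quotes.
key dhcp-update-key {
        algorithm hmac-sha256;
        secret REPLACE-WITH-tsig-keygen-OUTPUT;
};
zone student.co.uk. {
        primary 192.168.80.4;
        key dhcp-update-key;
}
zone 80.168.192.in-addr.arpa. {
        primary 192.168.80.4;
        key dhcp-update-key;
}
```

Move the two zone files into /var/lib/bind and make them owned by bind:bind before reloading, then confirm with `named-checkconf -z` and `rndc reload`; the rndc-key block in named.conf.local stays as it is, since rndc still needs it.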
