具有 bind9 的 DNS 服务器无法解析反向区域

具有 bind9 的 DNS 服务器无法解析反向区域

我最近重新配置了我的网络,并试图完成更换所有服务器的过程。在此过程中,我发现我的 dns/dhcp 服务器出现了一些问题。我的正向区域按预期工作,但我无论如何也无法让反向区域工作。所有日志都没有显示错误;dhcp 在更新任一区域时都没有问题;但 arp、dig -x 和 host 无法将 ip 解析为主机名。我的服务器和网络仅适用于 ipv4,尽管 localhost ipv6 语句已保留。

在问题解决之前,服务器防火墙已被禁用。故障转移服务器也已被禁用;除非将主 dhcp 服务器从恢复正常状态移至通信中断状态。服务器详细信息和日志如下:

操作系统:Ubuntu 14.04.4(amd64),内核:4.2.0-34-generic,bind9:1:9.9.5.dfsg-3ubuntu0.8,isc-dhcp-server:4.2.4-7ubuntu12.4,网络(屏蔽):10.94.78.0/23

named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on  the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

// Debian splits the configuration across these three files: global settings
// in named.conf.options, ACLs and zone declarations in named.conf.local.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// rndc control channel. Besides localhost, control commands are accepted on
// the LAN address 10.xxx.78.11 from that host itself and from 10.xxx.78.13,
// all authenticated with "rndc-key". Whoever holds that key can stop, reload
// or freeze the server, so it should not be reused for anything else
// (named.conf.local currently uses the same key in allow-update; a dedicated
// TSIG key for the DHCP server is the usual least-privilege arrangement).
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
inet 10.xxx.78.11 allow { 10.xxx.78.11; 10.xxx.78.13; } keys { "rndc-key"; };
};

 logging {
     <Logging details omitted as it is working as expected>
      };
 // NOTE(review): the category statements below appear after the closing
 // "};" of the logging block. In the real file they must sit inside
 // "logging { ... }" together with the channel definitions omitted above,
 // otherwise named would reject the configuration; presumably this is only
 // an artifact of the elision. Each category is routed to its own channel
 // (e.g. "update" -> update_file is where dhcpd's DDNS activity is logged).
     category default { default_file; };
     category general { general_file; };
     category database { database_file; };
     category security { security_file; };
     category config { config_file; };
     category resolver { resolver_file; };
     category xfer-in { xfer-in_file; };
     category xfer-out { xfer-out_file; };
     category notify { notify_file; };
     category client { client_file; };
     category unmatched { unmatched_file; };
     category queries { queries_file; };
     category network { network_file; };
     category update { update_file; };
     category dispatch { dispatch_file; };
     category dnssec { dnssec_file; };
     category lame-servers { lame-servers_file; };
 };

named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

        // Every address below is commented out, so the forwarders list is
        // empty and named resolves external names itself (no forwarding).
        forwarders {

        // OpenDNS Servers
//                208.67.222.222; // Use for Primary
        //      208.67.220.220; // Use for Secondary

        // Google Public DNS
//                8.8.8.8; // Use for Primary
        //      8.8.4.4; // Use for Secondary
        };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
#   dnssec-validation auto;
        // DNSSEC is fully disabled: answers from the Internet are accepted
        // without signature checking. Unrelated to the reverse-zone problem,
        // but worth re-enabling (dnssec-validation auto;) for the LAN clients
        // that recurse through this server.
        dnssec-enable no;
        dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    // IPv4-only deployment; the IPv6 listener stays disabled on purpose.
#   listen-on-v6 { any; };

# added thanks to bigdinosaur.org
        // Queries are restricted to the LAN /23, the VPN ranges and
        // localhost, so the server is not an open resolver.
        allow-query {
                10.xxx.78/23;
                <VPN IPs omitted>
                127.0.0.1;
        };
        // Global zone-transfer default: any host in the /23 (which includes
        // every DHCP client) may AXFR a zone, i.e. enumerate all of its
        // names. The two zones in named.conf.local override this with the
        // "Secondary DNS" ACL, but zones from the included files inherit it
        // unless they set their own allow-transfer. Narrowing this default to
        // the secondary's address (or "none;") would be the safer baseline.
        allow-transfer {
                10.xxx.78/23;
                127.0.0.1;
        };

};

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
 // The rndc key is read from a non-default path; named needs read access to
 // it and it must be the same file rndc itself uses (the 'stop -p' received
 // in the general log shows that it currently is).
 include "/etc/rndc/rndc.key";
 // Blocklist-style zones pulled in from other files; they inherit the global
 // allow-transfer from named.conf.options unless they set their own.
 include "/etc/bind/zones.rfc1918";
 include "/var/lib/bind/spywaredomains.zones";
 include "/var/lib/bind/ads.zones";

// Defining ACLs
// Quoted ACL names may contain spaces. Only the secondary's address may pull
// zone transfers for the two zones below.
acl "Secondary DNS" {
        10.xxx.78.xx;
};

// Defining Forward Lookup Zone
// Dynamic updates (from dhcpd, see the "Added new forward map" syslog lines)
// are authorised with "rndc-key", the same key that drives the controls{}
// channel in named.conf. A separate TSIG key used only for DDNS would confine
// a leaked DHCP-side key to zone updates; update-policy can further limit
// which names that key may change.
zone "hili-caffinated.local" {
        type master;
        file "/var/lib/bind/db.hili-caffinated.local";
        allow-update { key "rndc-key"; };
        allow-transfer { "Secondary DNS"; };
};

// Defining Reverse Lookup Zone
// The zone covers all of 10.xxx.0.0/16, so owner names inside the zone file
// carry two labels written least-significant octet first: 10.xxx.78.xx is
// "xx.78", 10.xxx.79.255 is "255.79". The dig -x output further down returns
// NXDOMAIN because the file currently lists them the other way round; the
// entries dhcpd adds ("xx.78.xxx.10.in-addr.arpa") are already in the right
// order. "notify no" is commented out, so the default (notify the NS hosts)
// applies. Because the zone is dynamically updated, hand edits to the file
// must be made between "rndc freeze" and "rndc thaw" (and the serial bumped),
// or the .jnl journal may conflict with the edit.
zone "xxx.10.in-addr.arpa" {
        type master; 
//        notify no;
        file "/var/lib/bind/db.xxx.10.in-addr.arpa";
        allow-update { key "rndc-key"; };
        allow-transfer { "Secondary DNS"; };
};

named.conf.default-zones 与软件包提供的完全相同

db.hili-caffinated.local

;
; BIND data file for hili-caffinated.local
;
; Default TTL for records without an explicit one: 604800 s (one week).
$TTL    604800
; SOA. The serial's leading zero is ignored; named parses it as decimal
; 32816102 ("loaded serial 32816102" in the general log). The RNAME names
; hcsvr11 while the MNAME is masked as hcsvrxx -- presumably the same host,
; verify.
@       IN      SOA     hcsvrxx.hili-caffinated.local. nseadm.hcsvr11.hili-caffinated.local. (
                      032816102         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Two NS records that are identical after masking; presumably the primary
; and the "Secondary DNS" host.
@       IN      NS      hcsvrxx.hili-caffinated.local.
@       IN      NS      hcsvrxx.hili-caffinated.local.
; A PTR at the apex of a forward zone is never consulted by reverse lookups
; (those go through in-addr.arpa); it is harmless but serves no purpose.
@       IN      PTR     hili-caffinated.local.
@       IN      A       10.xxx.78.xx
@       IN      AAAA    ::1
; Printers
hcptrxx IN      A       10.xxx.78.xx

<entries omitted after verified syntax is same as above>

; CNAME Entries
; Relative targets are expanded with the zone origin, so "hcptrxx" means
; hcptrxx.hili-caffinated.local.
; hcptrxx
hp8600  IN      CNAME   hcptrxx
<entries omitted after verifying syntax is same as above>

db.xxx.10.in-addr.arpa

;
; BIND reverse data file for hili-caffinated .local
;
$TTL    604800
; No $ORIGIN directive, so the origin is the zone name from named.conf.local,
; xxx.10.in-addr.arpa, and every relative owner name below is appended to it.
; The serial's leading zero is ignored (general log: "loaded serial
; 32816202"); the dig output shows 32816206, i.e. dhcpd's dynamic updates
; have since bumped it, so the live zone no longer matches this file and any
; hand edit must be done between "rndc freeze" and "rndc thaw".
@       IN      SOA     hcsvrxx.hili-caffinated.local. nseadm.hcsvrxx.hili-caffinated.local. (
                      032816202         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Two NS records, identical after masking; presumably the primary plus the
; "Secondary DNS" host.
@       IN      NS      hcsvrxx.hili-caffinated.local.
@       IN      NS      hcsvrxx.hili-caffinated.local.
; Printers
; BUG: octet order. "78.xx" expands to 78.xx.xxx.10.in-addr.arpa, which is
; the reverse name of 10.xxx.xx.78, not 10.xxx.78.xx -- hence the NXDOMAIN
; from dig -x and host. in-addr.arpa names list the octets least-significant
; first, so the owner must be "xx.78" (host octet, then 78).
78.xx   IN  PTR hcptrxx.hili-caffinated.local.
<entries omitted after verifying syntax is same as above>

; Broadcast
; Same octet-order bug: this names 10.xxx.255.79; the /23 broadcast address
; 10.xxx.79.255 is "255.79".
79.255  IN  PTR hcbroadcast.hili-caffinated.local.

Ping 结果

PING hcwknxxx.hili-caffinated.local (10.xxx.78.xx) 56(84) bytes of data.
64 bytes from 10.xxx.78.xx: icmp_seq=1 ttl=64 time=0.168 ms

--- hcwknxxx.hili-caffinated.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.168/0.168/0.168/0.000 ms

ARP 结果

arp 10.xxx.78.xx
Address                  HWtype  HWaddress           Flags Mask            Iface
10.xxx.78.xx              ether   <correct mac address>   C                     eth0

DIG-X 结果

dig -x 10.xxx.78.xx

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 10.xxx.78.xx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39726
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xx.78.xxx.10.in-addr.arpa. IN  PTR

;; AUTHORITY SECTION:
xxx.10.in-addr.arpa.    604800  IN  SOA hcsvrxx.hili-caffinated.local. <username_omitted>.hcsvrxx.hili-caffinated.local. 32816206 604800 86400 2419200 604800

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 28 20:06:05 CDT 2016
;; MSG SIZE  rcvd: 125

HOST 结果

host 10.xxx.78.xx
Host xx.78.xxx.10.in-addr.arpa. not found: 3(NXDOMAIN)

bind9 重启时的 SYSLOG

Mar 28 21:03:47 hcsvrxx rbind.sh[5627]: root has restart the bind9 service...
Mar 28 21:03:48 hcsvrxx named[5687]: starting BIND 9.9.5-3ubuntu0.8-Ubuntu -u bind
Mar 28 21:03:48 hcsvrxx named[5687]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
Mar 28 21:03:48 hcsvrxx named[5687]: ----------------------------------------------------
Mar 28 21:03:48 hcsvrxx named[5687]: BIND 9 is maintained by Internet Systems Consortium,
Mar 28 21:03:48 hcsvrxx named[5687]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 28 21:03:48 hcsvrxx named[5687]: corporation.  Support and training for BIND 9 are
Mar 28 21:03:48 hcsvrxx named[5687]: available at https://www.isc.org/support
Mar 28 21:03:48 hcsvrxx named[5687]: ----------------------------------------------------
Mar 28 21:03:48 hcsvrxx named[5687]: adjusted limit on open files from 4096 to 1048576
Mar 28 21:03:48 hcsvrxx named[5687]: found 2 CPUs, using 2 worker threads
Mar 28 21:03:48 hcsvrxx named[5687]: using 2 UDP listeners per interface
Mar 28 21:03:48 hcsvrxx named[5687]: using up to 4096 sockets
Mar 28 21:03:48 hcsvrxx named[5687]: loading configuration from '/etc/bind/named.conf'
Mar 28 21:03:49 hcsvrxx named[5687]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv4 port range: [1024, 65535]
Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv6 port range: [1024, 65535]
Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface eth0, 10.xxx.78.xx#53
Mar 28 21:03:49 hcsvrxx named[5687]: generating session key for dynamic DNS
Mar 28 21:03:49 hcsvrxx named[5687]: sizing zone task pool based on 17835 zones
Mar 28 21:03:50 hcsvrxx named[5687]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 64.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 65.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 66.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 67.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 68.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 69.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 70.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 71.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 72.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 73.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 74.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 75.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 76.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 77.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 78.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 79.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 80.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 81.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 82.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 83.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 84.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 85.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 86.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 87.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 88.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 89.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 90.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 91.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 92.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 93.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 94.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 95.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 96.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 97.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 98.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 99.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 101.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 102.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 103.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 104.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 105.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 106.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 107.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 108.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 109.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 110.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 111.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 112.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 114.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 115.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 116.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 117.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 118.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 119.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 120.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 121.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 122.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 123.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 124.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 125.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 126.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 127.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: D.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: A.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: B.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 127.0.0.1#953
Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 10.xxx.78.xx#953
Mar 28 21:03:56 hcsvrxx rbind.sh[5694]: ...The bind9 service has restarted.

通用日志

28-Mar-2016 13:37:16.169 running
28-Mar-2016 21:03:47.629 received control channel command 'stop -p'
28-Mar-2016 21:03:47.630 shutting down: flushing changes
28-Mar-2016 21:03:47.630 stopping command channel on 127.0.0.1#953
28-Mar-2016 21:03:47.630 stopping command channel on 10.xxx.78.xx#953
28-Mar-2016 21:03:48.010 exiting
28-Mar-2016 21:03:51.577 managed-keys-zone: loaded serial 4
28-Mar-2016 21:03:51.603 zone 200words.ae/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:54.975 zone hili-caffinated.local/IN: loaded serial 32816102
28-Mar-2016 21:03:54.975 zone glassbu.info/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:51.635 zone xxx.10.in-addr.arpa/IN: loaded serial 32816202
28-Mar-2016 21:03:51.635 zone comunadepilar.gob.ar/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:55.791 all zones loaded
28-Mar-2016 21:03:56.137 running

*注:无关区域是通过相同脚本创建的,并且都在同一台机器上的先前环境中运行。只有网络信息发生了变化。

来自 dhcp 交换的 SYSLOG 条目

Mar 28 22:14:47 hcsvrxx dhcpd: DHCPDISCOVER from xx:xx:xx:xx:96:d8 via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPOFFER on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: Can't create new lease file: Permission denied
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPREQUEST for 10.xxx.78.xx (10.xxx.78.xx) from xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPACK on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: Added new forward map from hcvmwdxx.hili-caffinated.local to 10.xxx.78.xx
Mar 28 22:14:48 hcsvrxx dhcpd: Added reverse map from xx.78.xxx.10.in-addr.arpa to hcvmwdxx.hili-caffinated.local

注意:租赁文件是相关人员目前正在处理的问题,不需要在这里解决。

如果您还有其他需要,请告诉我。

答案1

问题出在反向区域文件 /var/lib/bind/db.xxx.10.in-addr.arpa 中 IP 地址八位字节的顺序上。

在反向区域声明中,您使用的 $ORIGIN 是 xxx.10.in-addr.arpa,而在区域文件中您写的是:

78.xx   IN  PTR hcptrxx.hili-caffinated.local.

因此,10.xxx.xx.78将解析为hcptrxx.hili-caffinated.local,这显然不是您想要的。

修正 PTR 记录中的顺序:

xx.78   IN  PTR hcptrxx.hili-caffinated.local.

这意味着10.xxx.78.xx将正确解析为hcptrxx.hili-caffinated.local

类似地,将广播地址那条记录改为:

255.79  IN  PTR hcbroadcast.hili-caffinated.local.

为了便于理解,请记住:在反向区域的 PTR 记录声明中,IP 地址的各个八位字节总是按相反顺序书写。
