Active-Directory

Cannot start dynamic DNS with Bind9 and BIND_DLZ?

  • March 25, 2020

I have a box running Samba as an Active Directory domain controller with BIND_DLZ as the backend.

On top of that, I am running a secondary box that is also configured as an Active Directory domain controller, also using BIND_DLZ as the backend, for redundancy.

IP addresses are assigned by an ISC DHCP server, which is able to update DNS resource records using a cryptographic key (TSIG).

Anyway: on to my problem.

This is my current setup:

named.conf.options:

options 
{
    directory "/var/cache/bind";

    forwarders {
           2001:4860:4860::8888;
           2001:4860:4860::8844;
           8.8.8.8;
           8.8.4.4;
    };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    listen-on port 53 { 192.168.1.240; };
    listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.

    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
    recursion yes;
};

acl "home-net"
{
   127.0.0.1;
   192.168.1.0/24;
   2001:db8:cafe:beef::/56; # <-- I am using a IPv6 range from Tunnelbroker in real life.
};

view "normal"
{
   include "/etc/bind/named.conf.default-zones";
   include "/etc/bind/named.conf.internal";

   # Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
   include "/etc/bind/netflix-ipv6-blackhole.conf";  

   match-clients
   {
       home-net; # <-- Only respond to queries originating from my own network.
   };

   dnssec-enable yes;
   dnssec-validation auto;

   allow-query { any; };
   allow-query-cache { home-net; };
   allow-recursion { home-net; };

   forwarders {
     8.8.8.8;
     8.8.4.4;
     2001:4860:4860::8888;
     2001:4860:4860::8844;
  };
};

named.conf.internal:

zone "1.168.192.in-addr.arpa"
{
   type master;
   file "/etc/bind/db.192.168.1.rev";
   notify yes;

   allow-query { any; };
   allow-transfer { xfer; };

   # If allow-update is enabled instead of the include named.conf.update line,
   # then Dynamic DNS works fine because ISC DHCP can update the resource records.
   #
   # Sadly you can't have both lines enabled. It is either / or.

   // allow-update { key ddns-key; };

   include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};

include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf:

dlz "AD DNS Zone" {
   # For BIND 9.11.x
   database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};

/var/lib/samba/bind-dns/named.conf.update:

/* this file is auto-generated - do not edit */
update-policy {
       grant EXAMPLE.COM ms-self * A AAAA;
       grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;

       # Main Active Directory Domain Controller
       grant HARDY$@example.com wildcard * A AAAA SRV CNAME;

       # Backup Active Directory Domain Controller
       grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};

If I try to start bind with this configuration, I get a rather odd error that I cannot figure out:

/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'

Can anyone tell me what is wrong with named.conf.update?

OK, you have two Samba AD DCs using Bind9 as the DNS server and you are having DNS problems; I wonder whether this is related to your incorrect Bind files?

One major problem is that you have the reverse zone in a flat file, which is not allowed; you need to create it in AD, which you can do with samba-tool. You also cannot use "views".

Try these bind9 conf files:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {

directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.1.0/24; };
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
forwarders {
       2001:4860:4860::8888;
       2001:4860:4860::8844;
       8.8.8.8;
       8.8.4.4;
};
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { any; };
listen-on port 53 { 192.168.1.240; 127.0.0.1; };
listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.

tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;

};

/etc/bind/named.conf.local

include "/var/lib/samba/bind-dns/named.conf";

// Netflix really dislikes Tunnelbroker IPv6, so I am dropping all Netflix AAAA resource records.

include "/etc/bind/netflix-ipv6-blackhole.conf";

If you backed up /var/lib/samba/bind-dns/named.conf.update, restore it from the backup. If not, change it to:

/* this file is auto-generated - do not edit */
update-policy {
       grant EXAMPLE.COM ms-self * A AAAA;
       grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
       grant HARDY$@example.com wildcard * A AAAA SRV CNAME;
       grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;
};
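
Added example, written for this page and not part of either post above. The error in the question names line 3 of named.conf.update, which is the ms-self rule. My reading (an assumption; the thread itself never resolves it) is that the message comes from named's configuration checker, which for the self-type rule types (self, ms-self, krb5-self and their -sub variants) requires the name field to be the literal placeholder "." rather than the "*" that the generated file carries. The fragment below shows the rejected rule next to the accepted form, and also does what the question's comment says it could not: it grants the ISC DHCP server's TSIG key inside the same update-policy, so allow-update is no longer needed. It reuses the question's zone, realm, host names and file path; the key name ddns-key is taken from the question's commented-out allow-update line, and the choice to limit that key to PTR records below the zone apex is mine.

```conf
# Added example: reverse zone stanza for /etc/bind/named.conf.internal.
# Values (zone, realm, hosts, file path, key name) are the question's own;
# restricting ddns-key to PTR records is an editorial choice.

zone "1.168.192.in-addr.arpa"
{
    type master;
    file "/etc/bind/db.192.168.1.rev";
    notify yes;

    allow-query { any; };

    # A zone may carry either allow-update or update-policy, not both, and
    # only one update-policy block. The generated include is therefore
    # replaced by an inline policy that merges the Samba grants with the
    # DHCP server's TSIG key; keep it in sync with the generated file by hand.
    update-policy {
        # Rejected: "name field not set to placeholder value '.'"
        # grant EXAMPLE.COM ms-self * A AAAA;

        # Accepted: self-type rules must use the placeholder "." as the name.
        grant EXAMPLE.COM ms-self . A AAAA;
        grant Administrator@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
        grant HARDY$@example.com wildcard * A AAAA SRV CNAME;
        grant LAUREL$@example.com wildcard * A AAAA SRV CNAME;

        # ISC DHCP authenticates with the TSIG key ddns-key (defined elsewhere
        # in named.conf); zonesub allows any name below the zone apex, and the
        # type list keeps the key from touching anything but PTR records.
        grant ddns-key zonesub PTR;
    };
};
```

Run `named-checkconf /etc/bind/named.conf` before restarting named: it reports the placeholder error (and any allow-update/update-policy clash) with the offending file and line, the same way the failed start in the question did, but without taking the resolver down.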

Source: https://serverfault.com/questions/1008267