BIND can't see the local client PCs, and vice versa
I'm trying to configure bind9 DNS so that it can serve my small network of Windows PCs, in order to create an Active Directory DC on Samba. For some reason I get "ignoring out-of-zone data" for these PCs. I'm pretty sure I'm missing something, most likely in my understanding of how it works. If someone with more experience in bind configuration could take a look at this and spot what I've done wrong, I'd be very grateful. I'm starting to think that maybe I should use split-horizon DNS, as described here: https://www.howtoforge.com/two_in_one_dns_bind9_views

However, this server should mainly serve the internal network 192.168.3.0, so the PCs will communicate back and forth with the SAMBA Active Directory DC within the same network (SAMBA is hosted on the same machine as BIND), and also be able to resolve queries to the Internet through this DNS. I'm not interested in serving queries for the 10.0.5.0 network, however, since it uses the separate DNS servers specified as forwarders in named.conf (10.0.14.13, 10.0.6.66).
resolv.conf:

```
search dom.co.uk
nameserver 192.168.3.10
```
named.conf:

```
options {
    listen-on port 53 { 127.0.0.1; 192.168.3.10; 10.0.5.105; };
    # listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    # allow-query { localhost; };
    forwarders { 10.0.14.13; 10.0.6.66; };
    allow-query { localhost; 192.168.3.10; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    allow-recursion { trusted; };

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "j6105.md.dom.co.uk" IN {
    type master;
    file "/var/named/j6105.md.dom.co.uk";
    allow-update { none; };
};

zone "3.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/j6105.md.dom.co.uk.rev";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

server 10.0.14.13 { };
server 10.0.6.66 { };

acl trusted {
    192.168.3.0/27;
    10.0.5.0/24;
    10.0.162.0/24;
    10.0.163.0/24;
    localhost;
    localnets;
};
```
j6105.md.dom.co.uk zone file:

```
$ORIGIN j6105.md.dom.co.uk.
$TTL 3h
@ IN SOA dc1.j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
        201900924
        3h
        1h
        1h
        1h )
@ IN NS j6105.md.dom.co.uk.
@ 3600 IN MX 10 j6105.md.dom.co.uk.
@ 3600 IN A 192.168.3.10
j6105.md.dom.co.uk. 3600 IN A 192.168.3.10
j6105.md.dom.co.uk. 3600 IN A 192.168.3.10
j6105.md.dom.co.uk. 3600 IN A 10.0.5.105
; lan data
j6105.md.dom.co.uk. 3600 IN A 192.168.3.10
pc5.md.dom.co.uk. 3600 IN A 192.168.3.11
pc2.md.dom.co.uk. 3600 IN A 192.168.3.12
pc3.md.dom.co.uk. 3600 IN A 192.168.3.13
pc1.md.dom.co.uk. 3600 IN A 192.168.3.14
pc4.md.dom.co.uk. 3600 IN A 192.168.3.15
nicola-research2.md.dom.co.uk. 3600 IN A 192.168.3.16
```
j6105.md.dom.co.uk.rev file for zone 3.168.192.in-addr.arpa:

```
$ttl 1H
3.168.192.in-addr.arpa. IN SOA j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
        2008112122
        3600
        3600
        3600
        3600 )
10.3.168.192.in-addr.arpa. IN NS j6105.md.dom.co.uk.
3.168.192.in-addr.arpa. IN NS dc1.j6105.md.dom.co.uk.
105.5.0.10.in-addr.arpa. IN NS j6105.md.dom.co.uk.
10.3.168.192.in-addr.arpa. IN PTR j6105.md.dom.co.uk
11.3.168.192.in-addr.arpa. IN PTR pc5.j6105.md.dom.co.uk
12.3.168.192.in-addr.arpa. IN PTR pc2.j6105.md.dom.co.uk
13.3.168.192.in-addr.arpa. IN PTR pc3.j6105.md.dom.co.uk
14.3.168.192.in-addr.arpa. IN PTR pc1.j6105.md.dom.co.uk
15.3.168.192.in-addr.arpa. IN PTR pc4.j6105.md.dom.co.uk
16.3.168.192.in-addr.arpa. IN PTR nicola-research2
187.5.0.10.in-addr.arpa. IN PTR nicola-research2
```
Result of the named-checkzone command:

```
sudo named-checkzone j6105.md.dom.co.uk /var/named/j6105.md.dom.co.uk
/var/named/j6105.md.dom.co.uk:17: ignoring out-of-zone data (pc5.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:18: ignoring out-of-zone data (pc2.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:19: ignoring out-of-zone data (pc3.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:20: ignoring out-of-zone data (pc1.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:21: ignoring out-of-zone data (pc4.md.dom.co.uk)
/var/named/j6105.md.dom.co.uk:22: ignoring out-of-zone data (nicola-research2.md.dom.co.uk)
zone j6105.md.dom.co.uk/IN: loaded serial 201900924
OK
```
The nslookup command from the Linux BIND server gives me the following results:

```
nslookup pc4.md.dom.co.uk
Server:         192.168.3.10
Address:        192.168.3.10#53

** server can't find pc4.md.dom.co.uk: NXDOMAIN

nslookup 192.168.3.15
Server:         192.168.3.10
Address:        192.168.3.10#53

15.3.168.192.in-addr.arpa       name = pc4.j6105.md.dom.co.uk.3.168.192.in-addr.arpa.
```
nslookup from the Windows client PC (pc4.md.dom.co.uk/192.168.3.15):

```
> nslookup 192.168.3.10
Server:  [192.168.3.10]
Address:  192.168.3.10

*** 192.168.3.10 can't find nslookup: Non-existent domain
> nslookup j6105.md.dom.co.uk
Server:  j6105.md.dom.co.uk
Addresses:  10.0.5.105
          192.168.3.10

*** j6105.md.dom.co.uk can't find nslookup: Non-existent domain
```
dig from the Linux server hosting BIND to the client machine (pc4.md.dom.co.uk/192.168.3.15):

```
dig pc4.md.dom.co.uk

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> pc4.md.dom.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52595
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pc4.md.dom.co.uk.              IN      A

;; AUTHORITY SECTION:
dom.co.uk.              4553    IN      SOA     eagle.dom.co.uk. dnsman.dom.co.uk. 2019070968 7200 3600 604800 14400

;; Query time: 0 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Sep 19 14:06:22 BST 2019
;; MSG SIZE  rcvd: 94

dig 192.168.3.15

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> 192.168.3.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50490
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.3.15.                  IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019091802 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Sep 19 14:06:50 BST 2019
;; MSG SIZE  rcvd: 116
```
I think your configuration shows the subdomain (in the SOA line as well as in the `@` entries) as `j6105.md.dom.co.uk`. But the PCs are `pcX.md.dom.co.uk`, which is not within the `j6105.md.dom.co.uk` zone. Change the PCs' names to `pcX.j6105.md.dom.co.uk`, re-check with

```
named-checkzone j6105.md.dom.co.uk /path/to/zone/file/for/j6105.md.dom.co.uk
```

and you should be good to go.
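As an added example (not code from the question or the answer), here is a small Python lint that reproduces the two zone-file problems visible in this thread: owner names outside the zone's `$ORIGIN`, which named-checkzone reports as "ignoring out-of-zone data", and PTR targets written without a trailing dot, which BIND completes with the zone origin (the cause of the `pc4.j6105.md.dom.co.uk.3.168.192.in-addr.arpa.` answer in the reverse lookup above). The `FORWARD` and `REVERSE` excerpts are constructed to mirror the question's files.

```python
# Added example (not from the question or answer); FORWARD/REVERSE are constructed excerpts.
CLASSES = {"IN", "CH", "HS"}
HOSTNAME_TYPES = {"PTR", "NS", "CNAME", "MX"}  # rdata ends in a domain name

def qualify(name, origin):
    """Expand an owner/target name the way BIND does ('@' and relative names)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(text, zone):
    """Return [(lineno, message)] for records BIND would drop or silently expand."""
    origin = zone if zone.endswith(".") else zone + "."
    owner, problems, in_parens = origin, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()               # drop comments
        if in_parens:                                       # tail of a multi-line SOA
            in_parens = ")" not in line
            continue
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].startswith("$"):                       # $ORIGIN / $TTL directives
            origin = tokens[1] if tokens[0].upper() == "$ORIGIN" else origin
            continue
        if not raw[0].isspace():                            # explicit owner name
            owner = qualify(tokens.pop(0), origin)
        if owner != origin and not owner.endswith("." + origin):
            problems.append((lineno, f"ignoring out-of-zone data ({owner[:-1]})"))
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                                   # skip TTL and class
        if "(" in line and ")" not in line:
            in_parens = True
        elif tokens and tokens[0].upper() in HOSTNAME_TYPES and not tokens[-1].endswith("."):
            problems.append((lineno, f"{tokens[-1]} is relative, stored as {qualify(tokens[-1], origin)}"))
    return problems

FORWARD = """\
$ORIGIN j6105.md.dom.co.uk.
$TTL 3h
@ IN SOA dc1.j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. (
        201900924 3h 1h 1h 1h )
pc5.md.dom.co.uk. 3600 IN A 192.168.3.11
pc5.j6105.md.dom.co.uk. 3600 IN A 192.168.3.11
"""
REVERSE = """\
3.168.192.in-addr.arpa. IN SOA j6105.md.dom.co.uk. root.j6105.md.dom.co.uk. ( 1 1H 1H 1H 1H )
15.3.168.192.in-addr.arpa. IN PTR pc4.j6105.md.dom.co.uk
"""
if __name__ == "__main__":
    print(lint_zone(FORWARD, "j6105.md.dom.co.uk"), lint_zone(REVERSE, "3.168.192.in-addr.arpa"), sep="\n")
```

The first finding matches the named-checkzone output in the question; the second explains the reverse lookup, and adding the trailing dot to the PTR target makes it disappear.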