Bind
BIND DNS Linux - forwarding queries to another DNS
I have a server whose DNS settings point to a Linux DNS (.157), and I need to join this server to an AD domain hosted on Microsoft AD. I need to forward the ldap SRV queries from the Linux DNS to another DNS (the Microsoft DNS, .149). The AD domain is corp.dom; on my Linux DNS I have this configuration:
options {
    #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
    listen-on-v6 port 53 { none; };
    allow-query { any; };
    allow-recursion { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    version "REFUSED";
};

zone "corp.dom" {
    type forward;
    forward only;
    forwarders { 172.23.133.149; }; // this is the Microsoft DNS where corp.dom resides
};
I captured this output:
[root@predns named]# dig srv _ldap._tcp.dc._msdcs.corp.dom

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> srv _ldap._tcp.dc._msdcs.corp.dom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17251
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.corp.dom.  IN  SRV

;; AUTHORITY SECTION:
.   518400  IN  NS  m.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  j.root-servers.net.

;; Query time: 0 msec
;; SERVER: 172.23.133.157#53(172.23.133.157)
;; WHEN: mar giu 19 16:55:52 CEST 2018
;; MSG SIZE  rcvd: 269
Any help would be great!
Full configuration of the Linux DNS (I omitted the type master zones because they work and are unrelated to corp.dom):
acl "ihd" { 127.0.0.1/32; 172.23.133.128/28; 172.23.133.144/28; };

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
    listen-on-v6 port 53 { none; };
    forwarders { 172.23.133.149; };
    allow-query { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    empty-zones-enable no;
    version "REFUSED";
};

view "internal" {
    match-clients { ihd; };
    allow-query { ihd; };
    # allow-recursion { ihd; };
    recursion no;
    zone "." IN { type hint; file "named.ca"; };
    include "/etc/named.root.key";
    include "/etc/named.rfc1912.zones";
    zone "133.23.172.in-addr.arpa" IN {
        type master;
        file "172.23.133.zone";
        allow-transfer { 172.23.133.157; };
    };
    zone "corp.dom" {
        type forward;
        forward only;
        forwarders { 172.23.133.149; };
        /*file "corp.dom.zone"; allow-transfer { 172.23.133.157; };*/
    };
}; // closing brace of view "internal" (lost in the pasted text; named would not start without it)

view "external" {
    match-clients { any; };
    allow-query { any; };
    recursion no;
    zone "." IN { type hint; file "named.ca"; };
    include "/etc/named.rfc1912.zones";
};
You have
    recursion no;
set for queries matching the internal "ihd" acl. All DNS forwarding queries are recursive queries; at the very least you need to set the "internal" view to
    recursion yes;
DNSSEC can also break communication for recursive queries. Run dig with the +cd and +dnssec options to make sure DNSSEC is not causing the problem:
    dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +cd
    dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +dnssec
If you get an answer with the +cd option but not with +dnssec, then you need to disable DNSSEC validation:
dnssec-validation no;
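As an added example (not part of the question or the answer above), here are the two views from the posted named.conf with the answer's changes applied: recursion enabled in the "internal" view, but restricted with allow-recursion to the "ihd" acl so that .157 does not become an open resolver for anyone who can reach it, and DNSSEC validation switched off in that view only. The addresses, the acl, the zone names and the file names are taken from the question; the per-view placement of dnssec-validation and the allow-recursion line are the assumptions made here.

```conf
// Added example, not the original poster's configuration: the "internal" and
// "external" views with the answer's fix applied. Global options, controls
// and rndc.key are unchanged and omitted.

acl "ihd" { 127.0.0.1/32; 172.23.133.128/28; 172.23.133.144/28; };

view "internal" {
    match-clients   { ihd; };
    allow-query     { ihd; };

    // Forwarding is a recursive operation, so the view that holds the
    // forward zone must allow recursion. Limiting it to the internal acl
    // keeps the server from being used as an open resolver.
    recursion       yes;
    allow-recursion { ihd; };

    // corp.dom is unsigned and sits under a label that does not exist in
    // the public root, so a validating resolver is likely to reject the
    // forwarded answers. The answer's remedy: no validation in this view.
    dnssec-validation no;

    zone "." IN { type hint; file "named.ca"; };
    include "/etc/named.root.key";
    include "/etc/named.rfc1912.zones";

    zone "133.23.172.in-addr.arpa" IN {
        type master;
        file "172.23.133.zone";
        allow-transfer { 172.23.133.157; };
    };

    // SRV lookups such as _ldap._tcp.dc._msdcs.corp.dom go to the AD DNS.
    zone "corp.dom" {
        type forward;
        forward only;
        forwarders { 172.23.133.149; };
    };
};

view "external" {
    match-clients { any; };
    allow-query   { any; };
    recursion     no;     // outsiders get authoritative answers only
    zone "." IN { type hint; file "named.ca"; };
    include "/etc/named.rfc1912.zones";
};
```

After reloading (named-checkconf, then rndc reload), the dig from the question should come back with the ra flag set and an ANSWER section instead of the "recursion requested but not available" warning. Two caveats: dnssec-validation no turns validation off for every name the internal view resolves, not just corp.dom; newer BIND releases (the 9.16 ARM documents it) offer validate-except { "corp.dom"; }; to exempt a single domain, which the 9.9.4 build in the question does not have. And dnssec-lookaside auto refers to ISC's DLV registry, which ISC shut down in 2017, so that line and the bindkeys-file it points at no longer do anything useful.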