Bind

BIND DNS Linux - 將查詢轉發到另一個 DNS

  • June 19, 2018

我有一個 dns 設置指向 DNS linux (.157) 的伺服器,我需要將此伺服器加入 Microsoft AD 託管的 AD 域。我需要將 ldap 的 SRV 查詢從 DNS linux 轉發到另一個 DNS(Microsoft DNS,.149)。AD域是corp.dom;在我的 DNS linux 上進行此配置:

 // NOTE(review): with listen-on commented out, named binds every IPv4
 // interface. Combined with allow-query { any; }, allow-recursion { any; }
 // and recursion yes below, this is an open recursive resolver for any
 // network that can reach the host -- a cache-poisoning target and a DNS
 // amplification source. Restrict both lists to the trusted client ranges
 // (the "ihd" ACL that the full configuration further down already defines)
 // and restore the listen-on line.
 options {
   #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
   listen-on-v6 port 53 { none; };
   allow-query { any; };
   allow-recursion { any; };
   directory       "/var/named";
   dump-file       "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";
   recursion yes;
   dnssec-enable yes;
   dnssec-validation yes;
   // NOTE(review): ISC retired the DLV registry in 2017, so lookaside
   // validation no longer contributes anything; later BIND releases
   // deprecate and eventually remove the option. Drop this line together
   // with the DLV key file below (the root trust anchor is enough).
   dnssec-lookaside auto;
   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";
   managed-keys-directory "/var/named/dynamic";

   // Hides the real version string from "dig CH TXT version.bind" probes.
   version "REFUSED";
 };

// Hand every name under the AD domain to the Microsoft DNS server.
// NOTE(review): a forward zone is only honoured for *recursive* queries.
// In the running configuration the view that matches the client sets
// "recursion no;", so named answers from its own data instead and returns
// the root NS referral seen in the dig output. Forwarded queries are plain,
// unauthenticated DNS: 172.23.133.149 must only be reachable over the
// trusted internal network. The AD zone is presumably unsigned, so do not
// expect DNSSEC validation to protect these names -- confirm with the AD
// administrators.
zone "corp.dom" {
     type forward;
     forward only;     // never fall back to iterative resolution for corp.dom
     forwarders {172.23.133.149; };  //this is the Microsoft DNS where corp.dom resides
};

我擷取了這個輸出:

[root@predns named]# dig srv _ldap._tcp.dc._msdcs.corp.dom

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> srv _ldap._tcp.dc._msdcs.corp.dom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17251
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.corp.dom. IN      SRV

;; AUTHORITY SECTION:
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.

;; Query time: 0 msec
;; SERVER: 172.23.133.157#53(172.23.133.157)
;; WHEN: mar giu 19 16:55:52 CEST 2018
;; MSG SIZE  rcvd: 269

任何幫助都會很棒!


DNS linux 的完整配置:我省略了類型主區域,因為它們可以工作並且與 corp.dom 無關:

// Trusted client ranges: loopback plus the two internal /28 subnets
// (172.23.133.128-143 and 172.23.133.144-159). Referenced by the "internal"
// view below; anything outside these ranges falls through to "external".
acl "ihd" { 127.0.0.1/32; 172.23.133.128/28; 172.23.133.144/28; };
// rndc shared secret. Whoever can read this file can fully control the
// daemon, so it must not be world-readable (root:named, mode 0640 or
// stricter).
include "/etc/rndc.key";
// Control channel bound to loopback only and gated on the rndc key, so rndc
// cannot be reached from the network. This is the safe setting; keep it.
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
   // NOTE(review): commented out => named listens on every IPv4 interface.
   // Re-enable it (or firewall port 53) if the host should not serve other
   // networks at all.
   #listen-on port 53 { 172.23.133.157; 127.0.0.1; };
   listen-on-v6 port 53 { none; };
   // NOTE(review): a *global* forwarders list sends every recursive query,
   // not only corp.dom, to the Microsoft DNS, which then becomes the single
   // upstream for all name resolution on this server. If that is not the
   // intent, keep the forwarders inside the corp.dom zone statement only.
   forwarders { 172.23.133.149; };
   // Default for views that do not set their own allow-query; the "internal"
   // view below narrows it to the ihd ACL, "external" keeps any.
   allow-query { any; };
   directory       "/var/named";
   dump-file       "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";
   // Overridden by both views below, which each set "recursion no;".
   recursion yes;
   dnssec-enable yes;
   dnssec-validation yes;
   // NOTE(review): ISC retired the DLV registry in 2017; lookaside
   // validation no longer contributes anything and later BIND releases
   // deprecate and eventually remove the option. Remove this line and the
   // DLV key file below.
   dnssec-lookaside auto;
   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";
   managed-keys-directory "/var/named/dynamic";
   // NOTE(review): with the built-in empty zones disabled, reverse lookups
   // for RFC 1918 / loopback space that this server is not authoritative
   // for are forwarded upstream instead of being answered locally.
   // Presumably intended so that other 172.23.x reverse zones resolve via
   // the Microsoft DNS -- confirm; otherwise leave the default (yes).
   empty-zones-enable no;
   // Hides the real version string from "dig CH TXT version.bind" probes.
   version "REFUSED";
};

// View for the trusted internal ranges (ihd ACL).
// NOTE(review): as pasted this view is never closed -- there is no "};"
// before view "external" below, and views cannot nest, so named-checkconf
// would reject the file. Presumably lost when the master zones were trimmed
// from the paste; confirm against the real named.conf.
view "internal" {
match-clients { ihd; };
allow-query { ihd; };
# allow-recursion { ihd; };
// NOTE(review): this is the cause of the failing SRV lookup. Forwarding
// (global forwarders and the corp.dom forward zone) is only honoured for
// recursive queries; with recursion off named answers from its own data and
// returns the root NS referral seen in the dig output ("recursion requested
// but not available"). This view needs "recursion yes;". Re-enable the
// commented allow-recursion { ihd; } at the same time: without it
// allow-recursion falls back to BIND's default (localnets; localhost per the
// ARM for this version -- verify), which may not cover both /28 ranges, and
// an explicit list keeps recursion scoped to the trusted clients.
recursion no;


zone "." IN {
     type hint;
     file "named.ca";
};

// Root trust anchor used by dnssec-validation; the DLV key is not needed.
include "/etc/named.root.key";
include "/etc/named.rfc1912.zones";

zone "133.23.172.in-addr.arpa" IN {
     type master;
     file "172.23.133.zone";
     // Transfers only to this server's own address, i.e. effectively to no
     // one else. Fine as long as there is no secondary for this zone.
     allow-transfer { 172.23.133.157; };
};
zone "corp.dom" {
     type forward;
     forward only;
     forwarders {172.23.133.149; };
     /*file "corp.dom.zone";
     allow-transfer { 172.23.133.157; };*/
};

// Catch-all view for every client outside the ihd ACL.
// NOTE(review): "recursion no;" is the right posture for anonymous clients;
// without it this server would be an open resolver. As pasted, though, the
// view holds no authoritative zones (the master zones were omitted from the
// paste -- confirm which view they live in), so unknown clients only ever
// receive root referrals from the hint zone. If the host never has to serve
// anonymous clients, restoring the commented-out listen-on restriction in
// options (and/or a host firewall) is simpler than keeping this view.
view "external" {
match-clients { any; };
allow-query { any; };
recursion no;

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";


};

您為匹配內部 “ihd” acl 的 “internal” 視圖設置了 `recursion no;`。所有經由 forwarders 轉發的查詢都是遞歸查詢:遞歸被關閉時,named 只會用自己持有的資料回答,因此回傳了根伺服器的 NS 參照;dig 輸出中的 “recursion requested but not available” 以及缺少 `ra` 旗標正是這個原因。您至少需要在 “internal” 視圖中設置 `recursion yes;`,並建議一併啟用被註解掉的 `allow-recursion { ihd; };`,讓遞歸只對受信任的內部網段開放,而不是對任何能連到這台主機的人開放。

DNSSEC 驗證也可能使遞歸查詢失敗(通常表現為 SERVFAIL)。請分別加上 +cd(略過驗證)與 +dnssec 選項執行 dig,以確認問題是否由 DNSSEC 造成:

dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +cd
dig srv _ldap._tcp.dc._msdcs.corp.dom @linux_dns_server_ip +dnssec

如果加上 +cd 能得到答案、而加上 +dnssec 卻不能,那麼問題就出在 DNSSEC 驗證上。最直接的做法是設置 `dnssec-validation no;`,但這會同時關閉對所有其他網域的驗證,失去 DNSSEC 對快取污染的保護。較好的做法是保留驗證,只對(通常未簽署的)AD 網域設例外:較新的 BIND 版本提供 `validate-except { "corp.dom"; };`;在本文使用的 9.9.4 這類舊版本上若只能全域關閉,請把它視為權宜之計並記錄下來,以便日後升級時恢復驗證。

引用自:https://serverfault.com/questions/917272