Bind
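GeoIP split DNS: wrong view on the slave for the third view
I successfully configured Bind to host multiple views with TSIG using this guide. The problem is that when I add a third view, things get weird.
On each server, I now have 3 views:
- USA
- Europe
- China
The second I add the China view, the slave server uses the Europe view when it should be using the China view. When I query the master server from a host in China, it uses the correct view. I have verified the keys on both servers, and although my slave server was matching geoip to the Europe view, I have removed the geoip statement from the Europe view to make sure it can still do that.
ACLs on both servers: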
```
acl "USA" {
    key usa-key;
    !key europe-key;
    !key china-key;
    geoip country US;
};

acl "Europe" {
    key europe-key;
    !key usa-key;
    !key china-key;
    geoip country NO;
};

acl "China" {
    key china-key;
    !key usa-key;
    !key europe-key;
    geoip country CN;
};
```
Master:
```
view "USA" {
    match-clients { USA; };
    allow-transfer { key usa-key; };
    zone "domain.net." {
        type master;
        also-notify { $slave_server key usa-key; };
        file "/etc/bind/domain.net/na.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type master;
        also-notify { $slave_server key usa-key; };
        file "/etc/bind/domain.net/na.domain.net.rev";
    };
    zone "doma.net." {
        type master;
        also-notify { $slave_server key usa-key; };
        file "/etc/bind/domain.net/na.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type master;
        also-notify { $slave_server key usa-key; };
        file "/etc/bind/domain.net/na.doma.net.rev";
    };
};

view "Europe" {
    match-clients { Europe; };
    allow-transfer { key europe-key; };
    zone "domain.net." {
        type master;
        also-notify { $slave_server key europe-key; };
        file "/etc/bind/domain.net/eu.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type master;
        also-notify { $slave_server key europe-key; };
        file "/etc/bind/domain.net/eu.domain.net.rev";
    };
    zone "doma.net." {
        type master;
        also-notify { $slave_server key europe-key; };
        file "/etc/bind/domain.net/eu.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type master;
        also-notify { $slave_server key europe-key; };
        file "/etc/bind/domain.net/eu.doma.net.rev";
    };
};

view "China" {
    match-clients { China; };
    allow-transfer { key china-key; };
    zone "domain.net." {
        type master;
        also-notify { $slave_server key china-key; };
        file "/etc/bind/domain.net/cn.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type master;
        also-notify { $slave_server key china-key; };
        file "/etc/bind/domain.net/cn.domain.net.rev";
    };
    zone "doma.net." {
        type master;
        also-notify { $slave_server key china-key; };
        file "/etc/bind/domain.net/cn.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type master;
        also-notify { $slave_server key china-key; };
        file "/etc/bind/domain.net/cn.doma.net.rev";
    };
};
```
Slave:
```
view "USA" {
    match-clients { USA; };
    zone "domain.net." {
        type slave;
        masters { $master_server key usa-key; };
        file "/var/lib/bind/na.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type slave;
        masters { $master_server key usa-key; };
        file "/var/lib/bind/na.domain.net.rev";
    };
    zone "doma.net." {
        type slave;
        masters { $master_server key usa-key; };
        file "/var/lib/bind/na.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type slave;
        masters { $master_server key usa-key; };
        file "/var/lib/bind/na.doma.net.rev";
    };
};

view "Europe" {
    zone "domain.net." {
        type slave;
        masters { $master_server key europe-key; };
        file "/var/lib/bind/eu.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type slave;
        masters { $master_server key europe-key; };
        file "/var/lib/bind/eu.domain.net.rev";
    };
    zone "doma.net." {
        type slave;
        masters { $master_server key europe-key; };
        file "/var/lib/bind/eu.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type slave;
        masters { $master_server key europe-key; };
        file "/var/lib/bind/eu.doma.net.rev";
    };
};

view "China" {
    zone "domain.net." {
        type slave;
        masters { $master_server key china-key; };
        file "/var/lib/bind/ch.domain.net.zone";
    };
    zone "3.2.1.in-addr.arpa." {
        type slave;
        masters { $master_server key china-key; };
        file "/var/lib/bind/ch.domain.net.rev";
    };
    zone "doma.net." {
        type slave;
        masters { $master_server key china-key; };
        file "/var/lib/bind/ch.doma.net.zone";
    };
    zone "9.8.7.in-addr.arpa." {
        type slave;
        masters { $master_server key china-key; };
        file "/var/lib/bind/ch.doma.net.rev";
    };
};
```
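I'm completely out of ideas. If anyone knows what I'm doing wrong, I'd be grateful.

In the slave configuration, the `match-clients` directive is missing from your `Europe` and `China` views.

Based on how views work (the first matching view is used), all queries that match your `USA` view (which has its `match-clients` directive) go there, everything else goes into the next view (your `Europe` view, which matches anything), and finally nothing reaches the last view (your `China` view, which would also match anything, there are just no unmatched queries left at that point).

It's worth noting that you probably want something that works as a catch-all. I.e., if a query doesn't match any country, you probably still want a proper response?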
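
The first-match behaviour described in the answer, as an added example that is not part of the original post or of BIND itself: a simplified Python model of view selection using the three ACLs from the question. The `default` catch-all view name and the sample clients are assumptions made for illustration.

```python
# Simplified model of BIND view selection: views are tried in order and the
# first whose match-clients accepts the request wins (not BIND's own code).

# ACLs from the page. Each element: (negated, kind, value).
ACLS = {
    "USA":    [(False, "key", "usa-key"), (True, "key", "europe-key"),
               (True, "key", "china-key"), (False, "geoip", "US")],
    "Europe": [(False, "key", "europe-key"), (True, "key", "usa-key"),
               (True, "key", "china-key"), (False, "geoip", "NO")],
    "China":  [(False, "key", "china-key"), (True, "key", "usa-key"),
               (True, "key", "europe-key"), (False, "geoip", "CN")],
}

def acl_matches(acl, tsig_key, country):
    """The first element that hits decides; a negated hit rejects."""
    for negated, kind, value in acl:
        hit = (tsig_key == value) if kind == "key" else (country == value)
        if hit:
            return not negated
    return False

def select_view(views, tsig_key=None, country=None):
    """views: ordered list of (view name, ACL name or None).
    None models a view without match-clients, which defaults to 'any'."""
    for name, acl_name in views:
        if acl_name is None or acl_matches(ACLS[acl_name], tsig_key, country):
            return name
    return None  # no view matched: the server refuses the query

# Slave config as posted: only the USA view has match-clients.
SLAVE_AS_POSTED = [("USA", "USA"), ("Europe", None), ("China", None)]
# Slave config with match-clients added to every view.
SLAVE_FIXED = [("USA", "USA"), ("Europe", "Europe"), ("China", "China")]
# Same, plus a hypothetical catch-all view ("default") placed last.
SLAVE_CATCH_ALL = SLAVE_FIXED + [("default", None)]

if __name__ == "__main__":
    # Constructed sample clients: (TSIG key or None, GeoIP country code).
    for key, cc in [(None, "US"), (None, "NO"), (None, "CN"),
                    ("china-key", "NO"), (None, "DE")]:
        print(key, cc,
              select_view(SLAVE_AS_POSTED, key, cc),
              select_view(SLAVE_FIXED, key, cc),
              select_view(SLAVE_CATCH_ALL, key, cc))
```

With the posted slave views, every non-USA client lands in `Europe`; with `match-clients` on all three views, a client from a country in none of the ACLs matches no view at all, which is the case the catch-all covers.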