Bind

如何調試 BIND 配置?

  • October 31, 2017

有什麼方法可以逐步了解我的 Bind9 伺服器在做什麼?

目前我正在努力解決請求被拒絕並dig告訴它的問題recursion requested but not available。但是,根本不應該涉及遞歸,因為這應該是權威伺服器。

我應該怎麼做才能了解哪裡出了問題?

以下是對的回复dig @127.0.0.1 client.example.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 client.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55821
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;client.example.com.     IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 31 01:09:08 EET 2017
;; MSG SIZE  rcvd: 54

我嘗試使用詳細模式進行調試(這是從另一台機器發出的請求),這是我得到的:

31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: UDP request
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: request is not signed
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: recursion not available
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: query
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query (cache) 'client.example.com/A/IN' denied
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query failed (REFUSED) for client.example.com/IN/A at ../../../bin/named/query.c:6475
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): error
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): send
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): sendto
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): senddone
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): next
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): endrequest
31-Oct-2017 00:48:04.363 client @0x123456789abcdef: udprecv

不幸的是,我無法理解在這種情況下它是如何需要遞歸的。

如果有人可以幫助我進行手動調試,這就是我的伺服器的設置方式。

命名的.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

命名.conf.options:

options {
   directory "/var/cache/bind";

   dnssec-validation auto;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };
   listen-on port 53 { any; };

   recursion no;
   allow-transfer { localhost; };
   allow-query-cache { none; };
   allow-query { any; };
};

命名的.conf.local:

zone "example.com" {
   type master;
   file "/etc/bind/zones/example.com";
};

區域/example.com:

$TTL    300
@   IN  SOA ns.example.com. admin.example.com (
                 4     ; Serial
               300     ; Refresh
               300     ; Retry
           2419200     ; Expire
              300 )    ; Negative Cache TTL

@           IN  NS  ns.example.com.
ns          IN  A   192.0.2.1

@           IN  A   192.0.2.1
www         IN  A   192.0.2.1
client      IN  A   192.0.2.1

@           IN  MX  50 mx.example.net.
@           IN  MX  100 mx2.example.net.

該文件named.conf.default-zones與預設區域的文件一樣預設安裝。

我正在使用 BIND 9.10.3-P4-Ubuntu。

啟動 BIND-d 1將啟用調試。根據您的作業系統/發行版,您可能需要尋找如何設置啟動命令行參數。如果您需要更多資訊,可以增加該值。

如果您需要更多指導,您可能應該在您的問題中發布您的配置文件,編輯秘密並用範例替換您的名稱。其他人在查看您的設置時可能會在此處辨識出來。

更新1:

我認為錯誤可能是 named 無法讀取區域文件,所以它完全忽略了區域,讓它認為它應該在其他地方詢問但不能因為遞歸被禁用。查看命名啟動時的日誌文件,看看是否有任何關於正在發生的事情的提示。

引用自:https://serverfault.com/questions/881081