Bind
如何調試 BIND 配置?
有什麼方法可以逐步了解我的 Bind9 伺服器在做什麼?
目前我正在努力解決請求被拒絕並
dig告訴它的問題recursion requested but not available。但是,根本不應該涉及遞歸,因為這應該是權威伺服器。我應該怎麼做才能了解哪裡出了問題?
以下是對的回复
dig @127.0.0.1 client.example.com:; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 client.example.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55821 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;client.example.com. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Oct 31 01:09:08 EET 2017 ;; MSG SIZE rcvd: 54我嘗試使用詳細模式進行調試(這是從另一台機器發出的請求),這是我得到的:
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: UDP request 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: request is not signed 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: recursion not available 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: query 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query (cache) 'client.example.com/A/IN' denied 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query failed (REFUSED) for client.example.com/IN/A at ../../../bin/named/query.c:6475 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): error 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): send 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): sendto 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): senddone 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): next 31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): endrequest 31-Oct-2017 00:48:04.363 client @0x123456789abcdef: udprecv不幸的是,我無法理解在這種情況下它是如何需要遞歸的。
如果有人可以幫助我進行手動調試,這就是我的伺服器的設置方式。
命名的.conf:
include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";命名.conf.options:
options { directory "/var/cache/bind"; dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; listen-on port 53 { any; }; recursion no; allow-transfer { localhost; }; allow-query-cache { none; }; allow-query { any; }; };命名的.conf.local:
zone "example.com" { type master; file "/etc/bind/zones/example.com"; };區域/example.com:
$TTL 300 @ IN SOA ns.example.com. admin.example.com ( 4 ; Serial 300 ; Refresh 300 ; Retry 2419200 ; Expire 300 ) ; Negative Cache TTL @ IN NS ns.example.com. ns IN A 192.0.2.1 @ IN A 192.0.2.1 www IN A 192.0.2.1 client IN A 192.0.2.1 @ IN MX 50 mx.example.net. @ IN MX 100 mx2.example.net.該文件
named.conf.default-zones與預設區域的文件一樣預設安裝。我正在使用 BIND 9.10.3-P4-Ubuntu。
啟動 BIND
-d 1將啟用調試。根據您的作業系統/發行版,您可能需要尋找如何設置啟動命令行參數。如果您需要更多資訊,可以增加該值。如果您需要更多指導,您可能應該在您的問題中發布您的配置文件,編輯秘密並用範例替換您的名稱。其他人在查看您的設置時可能會在此處辨識出來。
更新1:
我認為錯誤可能是 named 無法讀取區域文件,所以它完全忽略了區域,讓它認為它應該在其他地方詢問但不能因為遞歸被禁用。查看命名啟動時的日誌文件,看看是否有任何關於正在發生的事情的提示。