Domain-Name-System

BIND split-view DNS not working for zone transfers

  • January 6, 2010

I am setting up two DNS servers. One is on the firewall/router and the other is an internal server. I have plenty of experience setting up DNS servers, so this problem is particularly confusing.

Machine setup

Firewall external address: 207.62.233.2

Firewall internal address: 10.24.0.1

Secondary internal address: 10.24.0.21

Master named.conf (relevant parts only)

options {
   listen-on port 53 { any; };
   listen-on-v6 port 53 { any; };
   directory   "/var/named";
   dump-file   "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   recursion yes;
};

view "internal" {
   match-clients { 10.24.0.0/16; 127.0.0.1; };

   match-recursive-only yes;
   allow-recursion { clients; };
   allow-transfer { 10.24.0.21; };

   zone "ct.sierracollege.edu" {
       type master;
       file "data/db.ct.int";
   };

   include "/etc/named.rfc1912.zones";

   zone "." IN {
       type hint;
       file "named.ca";
   };
};

view "external" {
   recursion no;
   match-clients { any; };
   allow-transfer { any; }; // temporarily allowed for debugging purposes

   zone "ct.sierracollege.edu" {
           type master;
           file "data/db.ct.ext";
   };
};

What works

The split DNS on the firewall works fine. If I query it from an internal machine, I get the internal answers. Likewise, querying it from an external machine gives me the external answers. Here is an internal query.

# dig @10.24.0.1 ct1.ct.sierracollege.edu

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct1.ct.sierracollege.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ct1.ct.sierracollege.edu.  IN  A

;; ANSWER SECTION:
ct1.ct.sierracollege.edu. 3600  IN  A   10.24.0.11

;; AUTHORITY SECTION:
ct.sierracollege.edu.   3600    IN  NS  cs.sierracollege.edu.
ct.sierracollege.edu.   3600    IN  NS  fw.ct.sierracollege.edu.

;; ADDITIONAL SECTION:
cs.sierracollege.edu.   3600    IN  A   10.24.0.21
fw.ct.sierracollege.edu. 3600   IN  A   10.24.0.1

;; Query time: 1 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan  6 12:57:02 2010
;; MSG SIZE  rcvd: 124

What doesn't work

Zone transfers don't work properly. Instead of transferring the internal zone, it transfers the external zone. Here is an example, done from the same internal machine as above:

# dig @10.24.0.1 ct.sierracollege.edu axfr

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct.sierracollege.edu axfr
; (1 server found)
;; global options:  printcmd
ct.sierracollege.edu.   3600    IN  SOA ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
ct.sierracollege.edu.   3600    IN  NS  fw.ct.sierracollege.edu.
ct1.ct.sierracollege.edu. 3600  IN  A   207.62.233.11
ct2.ct.sierracollege.edu. 3600  IN  A   207.62.233.12
ct3.ct.sierracollege.edu. 3600  IN  A   207.62.233.13
fw.ct.sierracollege.edu. 3600   IN  A   207.62.233.2
ct.sierracollege.edu.   3600    IN  SOA ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
;; Query time: 2 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan  6 13:01:37 2010
;; XFR size: 7 records (messages 1, bytes 208)

The entries in /var/log/messages show that the external view is being hit:

Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR started
Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR ended

As a result, my slaves directory is filling up with the external zone files instead of the internal ones.

Any ideas?

Have you tried using an ACL? Sounds funny, I know. Also, why enable match-recursive-only? Doesn't that mean your clients only get results when they make a recursive query?

acl "internal-net" { 
   10.24.0.0/16; 127/8;
};

view "internal" {
   match-clients { "internal-net"; };

   # --- I'm removing this because I'm making the daft assumption
   # --- that you are trusting your clients on your internal network,
   # --- so why bother restricting them?  Then there's this tidbit
   # --- from http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only
   # --- which seems to imply that the client match will fail because
   # --- the client might not be asking for recursion...
   #match-recursive-only yes;

   allow-recursion { "internal-net"; };
   allow-transfer { "internal-net"; };

   zone "ct.sierracollege.edu" {
       type master;
       file "data/db.ct.int";
   };

   include "/etc/named.rfc1912.zones";

   zone "." IN {
      type hint;
      file "named.ca";
   };
};
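The view-selection rule behind the "view external" log line in the question, as an added example that is not part of the post and not BIND's own code: a small Python model of how named walks its views in order, where match-recursive-only makes a view invisible to any query that does not carry the RD (recursion desired) bit. The view definitions are constructed from the question's and the answer's named.conf, and the model assumes what a secondary's SOA refresh and AXFR requests actually do: they are sent with RD clear.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the views on this page; "any" stands for BIND's
# built-in ACL of that name, and 127/8 is written out in full because
# the ipaddress module does not accept BIND's short prefix notation.
@dataclass
class View:
    name: str
    match_clients: list
    match_recursive_only: bool = False
    allow_transfer: list = field(default_factory=list)

def in_acl(client_ip: str, acl: list) -> bool:
    """Membership test for a BIND address-match-list (negation omitted)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        if entry == "any" or ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def select_view(views: list, client_ip: str, rd: bool):
    """Return the first view whose match-clients contains the client.
    A view with match-recursive-only yes is skipped unless the query sets
    RD, so a zone transfer request (RD clear) falls through to the next
    view even though the client address is inside 10.24.0.0/16."""
    for v in views:
        if v.match_recursive_only and not rd:
            continue
        if in_acl(client_ip, v.match_clients):
            return v
    return None

def axfr_served_from(views: list, client_ip: str):
    """Which view answers an AXFR from client_ip, and whether it permits it."""
    v = select_view(views, client_ip, rd=False)  # transfers carry no RD bit
    if v is None:
        return None, False
    return v.name, in_acl(client_ip, v.allow_transfer)

ORIGINAL = [  # the question's config
    View("internal", ["10.24.0.0/16", "127.0.0.1"], True, ["10.24.0.21"]),
    View("external", ["any"], False, ["any"]),  # "temporarily" open transfers
]
FIXED = [  # the answer's config: shared ACL, match-recursive-only dropped
    View("internal", ["10.24.0.0/16", "127.0.0.0/8"], False,
         ["10.24.0.0/16", "127.0.0.0/8"]),
    View("external", ["any"], False, ["any"]),
]

if __name__ == "__main__":
    for label, views in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "AXFR from 10.24.0.21 ->", axfr_served_from(views, "10.24.0.21"))
```

On the real server the same effect can be observed by comparing `dig @10.24.0.1 ct.sierracollege.edu soa` with the identical query plus `+norecurse`, and checking which view name the named log reports for each.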

Quoted from: https://serverfault.com/questions/100210