Domain-Name-System
BIND split-view DNS is not applied to zone transfers
I am setting up two DNS servers. One is on the firewall/router, the other is an internal server. I have a lot of experience setting up DNS servers, so this problem is particularly confusing.
Machine setup
Firewall external address: 207.62.233.2
Firewall internal address: 10.24.0.1
Secondary internal address: 10.24.0.21
Master named.conf (relevant parts only)
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
};

view "internal" {
    match-clients { 10.24.0.0/16; 127.0.0.1; };
    match-recursive-only yes;
    allow-recursion { clients; };
    allow-transfer { 10.24.0.21; };
    zone "ct.sierracollege.edu" {
        type master;
        file "data/db.ct.int";
    };
    include "/etc/named.rfc1912.zones";
    zone "." IN {
        type hint;
        file "named.ca";
    };
};

view "external" {
    recursion no;
    match-clients { any; };
    allow-transfer { any; };   // temporarily allowed for debugging purposes
    zone "ct.sierracollege.edu" {
        type master;
        file "data/db.ct.ext";
    };
};
What works
Split DNS on the firewall works well. If I query it from an internal machine, I get the internal answer. Likewise, querying it from an external machine gives me the external answer. Here is an internal query.
# dig @10.24.0.1 ct1.ct.sierracollege.edu

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct1.ct.sierracollege.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ct1.ct.sierracollege.edu.      IN      A

;; ANSWER SECTION:
ct1.ct.sierracollege.edu. 3600  IN      A       10.24.0.11

;; AUTHORITY SECTION:
ct.sierracollege.edu.   3600    IN      NS      cs.sierracollege.edu.
ct.sierracollege.edu.   3600    IN      NS      fw.ct.sierracollege.edu.

;; ADDITIONAL SECTION:
cs.sierracollege.edu.   3600    IN      A       10.24.0.21
fw.ct.sierracollege.edu. 3600   IN      A       10.24.0.1

;; Query time: 1 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan 6 12:57:02 2010
;; MSG SIZE rcvd: 124
What doesn't work
Zone transfers do not work correctly. Instead of transferring the internal zone, it transfers the external zone. Here is an example, done from the same internal machine as above:
# dig @10.24.0.1 ct.sierracollege.edu axfr

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct.sierracollege.edu axfr
; (1 server found)
;; global options: printcmd
ct.sierracollege.edu.   3600    IN      SOA     ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
ct.sierracollege.edu.   3600    IN      NS      fw.ct.sierracollege.edu.
ct1.ct.sierracollege.edu. 3600  IN      A       207.62.233.11
ct2.ct.sierracollege.edu. 3600  IN      A       207.62.233.12
ct3.ct.sierracollege.edu. 3600  IN      A       207.62.233.13
fw.ct.sierracollege.edu. 3600   IN      A       207.62.233.2
ct.sierracollege.edu.   3600    IN      SOA     ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
;; Query time: 2 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan 6 13:01:37 2010
;; XFR size: 7 records (messages 1, bytes 208)
The entries in /var/log/messages show that the external view is being hit:
Jan 6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR started
Jan 6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR ended
So my slaves directory is full of the external zone files instead of the internal ones. Any ideas?
Have you tried using an ACL? Sounds funny, I know. Also, why enable match-recursive-only? Doesn't that mean your clients only get results when they make a recursive query?

acl "internal-net" {
    10.24.0.0/16;
    127/8;
};

view "internal" {
    match-clients { "internal-net"; };
    # --- I'm removing this because I'm making the daft assumption
    # --- that you are trusting your clients on your internal network,
    # --- so why bother restricting them? Then there's this tidbit
    # --- from http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only
    # --- which seems to imply that the client match will fail because
    # --- the client might not be asking for recursion...
    #match-recursive-only yes;
    allow-recursion { "internal-net"; };
    allow-transfer { "internal-net"; };
    zone "ct.sierracollege.edu" {
        type master;
        file "data/db.ct.int";
    };
    include "/etc/named.rfc1912.zones";
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
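Why the AXFR lands in the external view, as an added example that is not part of either post: a small Python model of BIND's view selection rule (views are tried in configuration order; the first whose match-clients ACL contains the source address and whose match-recursive-only setting is satisfied wins, and an AXFR is sent without the RD bit). It is run against the question's views and against the answer's ACL-based views; the view dictionaries are a constructed representation, not BIND's own data structures.

```python
import ipaddress

# Constructed model of how BIND picks a view (illustration, not BIND's code):
# views are tried in configuration order and the first one wins whose
# match-clients ACL contains the source address and whose
# match-recursive-only setting is satisfied.  A normal lookup sets the RD
# bit ("flags: qr aa rd ra" in the dig output above); an AXFR does not.

def acl_matches(acl, source):
    """True if the source address is covered by any entry of the ACL."""
    src = ipaddress.ip_address(source)
    for entry in acl:
        if entry == "any":
            return True
        if src in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def select_view(views, source, rd):
    """Return the name of the first view that matches this query, or None."""
    for view in views:
        if not acl_matches(view["match_clients"], source):
            continue
        if view.get("match_recursive_only") and not rd:
            continue          # non-recursive query: this view is skipped
        return view["name"]
    return None

# The question's configuration.
ORIGINAL_VIEWS = [
    {"name": "internal", "match_clients": ["10.24.0.0/16", "127.0.0.1"],
     "match_recursive_only": True},
    {"name": "external", "match_clients": ["any"]},
]

# The answer's configuration; "127/8" from named.conf is spelled out here
# because the ipaddress module does not accept the abbreviated form.
INTERNAL_NET = ["10.24.0.0/16", "127.0.0.0/8"]
FIXED_VIEWS = [
    {"name": "internal", "match_clients": INTERNAL_NET},
    {"name": "external", "match_clients": ["any"]},
]

if __name__ == "__main__":
    slave = "10.24.0.21"      # the secondary from the question
    print(select_view(ORIGINAL_VIEWS, slave, rd=True))   # internal
    print(select_view(ORIGINAL_VIEWS, slave, rd=False))  # external: the AXFR symptom
    print(select_view(FIXED_VIEWS, slave, rd=False))     # internal
```

The second call reproduces the log line "view external: transfer of 'ct.sierracollege.edu/IN'": the secondary's address matches the internal view's ACL, but the non-recursive AXFR fails match-recursive-only and falls through to the external view.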