Domain-Name-System
bind9 geoip not working properly
bind9
`bind-9.17.2` compiled from source on debian-9.

```
./named -V
BIND 9.17.2 (Development Release) <id:6d46544>
running on Linux x86_64 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
built by make with '--with-maxminddb' '--prefix=/usr' '--enable-fixed-rrset' '--sysconfdir=/etc/bind'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019
compiled with zlib version: 1.2.8
linked to zlib version: 1.2.8
linked to maxminddb version: 1.2.0
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: /usr/var/run/named/session.key
  named PID file:       /usr/var/run/named/named.pid
  named lock file:      /usr/var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP
```
The main goal is to use its GeoIP feature and answer queries according to the location of the resolver's IP address. The configuration in `named.conf.local` is very simple:

```
... ...
include "/etc/bind/geoip/GeoIP.acl";

view "Iran" {
    match-clients { IR; };
    recursion no;
    zone "ppod.ir" {
        type master;
        file "/etc/bind/db.ppod.ir.iran";
    };
};

view "default" {
    include "/etc/bind/named.conf.default-zones";
    ... ...
```
The zone file `db.ppod.ir.iran` is:

```
; A, AAAA => host record
ppod.ir.    1   IN  A   185.8.172.233
```
and for the `default view` it is:

```
; A, AAAA => host record
ppod.ir.    1   IN  A   5.63.13.22
ppod.ir.    1   IN  A   95.216.12.6
```
Now, if I query the domain ppod.ir from Iran, the DNS server gives me the wrong IP.
```
$ dig ppod.ir   # the answer is wrong

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> ppod.ir
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15519
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ppod.ir.                       IN      A

;; ANSWER SECTION:
ppod.ir.                1       IN      A       5.63.13.22
ppod.ir.                1       IN      A       95.216.12.6

;; Query time: 263 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Jul 14 12:59:53 +0430 2020
;; MSG SIZE  rcvd: 68
```
But either way, if I ask the DNS server directly or trace the query, it gives the right IP.
```
$ dig ppod.ir @171.22.25.82 +short   # the answer is right
185.8.172.233
```
and tracing it:
```
$ dig ppod.ir @1.1.1.1 +trace +short   # the answer is right
NS a.root-servers.net. from server 1.1.1.1 in 257 ms.
NS b.root-servers.net. from server 1.1.1.1 in 257 ms.
NS c.root-servers.net. from server 1.1.1.1 in 257 ms.
NS d.root-servers.net. from server 1.1.1.1 in 257 ms.
NS e.root-servers.net. from server 1.1.1.1 in 257 ms.
NS f.root-servers.net. from server 1.1.1.1 in 257 ms.
NS g.root-servers.net. from server 1.1.1.1 in 257 ms.
NS h.root-servers.net. from server 1.1.1.1 in 257 ms.
NS i.root-servers.net. from server 1.1.1.1 in 257 ms.
NS j.root-servers.net. from server 1.1.1.1 in 257 ms.
NS k.root-servers.net. from server 1.1.1.1 in 257 ms.
NS l.root-servers.net. from server 1.1.1.1 in 257 ms.
NS m.root-servers.net. from server 1.1.1.1 in 257 ms.
RRSIG NS 8 0 ..... from server 1.1.1.1 in 257 ms.
couldn't get address for 'ns2.redcursor.ir': not found
A 185.8.172.233 from server 171.22.25.82 in 40 ms.
```
The cache TTL has been set to 1 and bind has been compiled with the GeoIP feature, so the question is: why doesn't the DNS server respond correctly? I know about caching of IP addresses and the recursive queries of public DNS servers, but according to my configuration the IP I configured should be the one that gets cached.
Here are the logs of these two queries, `dig ppod.ir` and `dig ppod.ir @171.22.25.82`, from the same location and IP address. The first is wrong, the second is right.

```
14-Jul-2020 08:38:21.312 info: client @0x7fbb20000a30 162.158.82.125#56703 (ppod.ir): view default: query: ppod.ir IN A -E(0)D (171.22.25.82)
14-Jul-2020 08:38:21.312 debug 3: client @0x7fbb20000a30 162.158.82.125#56703 (ppod.ir): view default: query 'ppod.ir/A/IN' approved
14-Jul-2020 08:38:21.312 debug 3: client @0x7fbb20000a30 162.158.82.125#56703 (ppod.ir): view default: reset client
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509: UDP request
14-Jul-2020 08:38:43.308 debug 5: client @0x7fbb20000a30 5.117.5.210#55509: view Iran: using view 'Iran'
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509: view Iran: request is not signed
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509: view Iran: recursion not available
14-Jul-2020 08:38:43.308 info: client @0x7fbb20000a30 5.117.5.210#55509 (ppod.ir): view Iran: query: ppod.ir IN A +E(0)K (171.22.25.82)
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509 (ppod.ir): view Iran: query 'ppod.ir/A/IN' approved
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509 (ppod.ir): view Iran: reset client
```
Thanks to @MichaelHampton for pointing out the fact that my local resolver was configured to use the DNS server on the network side where I had set up the bind9 DNS server. So, after configuring my local resolver without using `systemd-resolver` and enabling `DHCP` on my modem, queries from `dig` now give the correct answer.
```
dig ppod.ir

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> ppod.ir
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21503
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ppod.ir.                       IN      A

;; ANSWER SECTION:
ppod.ir.                1       IN      A       185.8.172.233

;; Query time: 153 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jul 19 12:14:46 +0430 2020
;; MSG SIZE  rcvd: 52
```
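As an added example (not code from the question or its answer), this Python script parses BIND query-log lines like the ones above and, for each query, reports which view named selected, which view a stand-in ACL would predict from the source address, and whether the RD flag was clear, which is the sign that the packet came from a recursive resolver rather than the end user. The `IRAN_PREFIXES` list is a constructed assumption standing in for the GeoIP `IR` match, not real geolocation data.

```python
import ipaddress
import re

# Constructed sample: two "query:" lines plus one debug line, taken from the question's log.
SAMPLE_LOG = """\
14-Jul-2020 08:38:21.312 info: client @0x7fbb20000a30 162.158.82.125#56703 (ppod.ir): view default: query: ppod.ir IN A -E(0)D (171.22.25.82)
14-Jul-2020 08:38:43.308 debug 3: client @0x7fbb20000a30 5.117.5.210#55509: UDP request
14-Jul-2020 08:38:43.308 info: client @0x7fbb20000a30 5.117.5.210#55509 (ppod.ir): view Iran: query: ppod.ir IN A +E(0)K (171.22.25.82)
"""

# Matches BIND 9 query-log "query:" lines; other debug lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) info: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): view (?P<view>\S+): query: \S+ (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \(\S+\)$"
)

# Hypothetical stand-in for the GeoIP "IR" ACL: a constructed prefix, not real geolocation data.
IRAN_PREFIXES = [ipaddress.ip_network("5.117.0.0/16")]


def expected_view(ip):
    """Which view the constructed ACL would select for a given source address."""
    addr = ipaddress.ip_address(ip)
    return "Iran" if any(addr in net for net in IRAN_PREFIXES) else "default"


def parse_query_log(text):
    """Yield one record per 'query:' line with the fields that view selection depends on."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rec = m.groupdict()
            # The first flag character is '+' when the client set RD (recursion desired).
            rec["rd"] = rec["flags"].startswith("+")
            yield rec


def audit_view_selection(text):
    """Annotate each query with the view the ACL predicts and whether it came via a resolver.

    named picks the view from the source address of the packet it receives; a query with
    RD clear is an iterative lookup, so its source is a resolver (162.158.82.125 above).
    """
    return [
        {
            "client": rec["ip"],
            "view": rec["view"],
            "expected": expected_view(rec["ip"]),
            "via_resolver": not rec["rd"],
        }
        for rec in parse_query_log(text)
    ]
```

Running `audit_view_selection(SAMPLE_LOG)` shows the first query arriving from the resolver's address and landing in the default view, which is exactly the mismatch the question's log records.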