Domain-Name-System

CentOS 7 DNS 伺服器:查詢 '/PTR/IN' 被拒絕 (denied)

  • December 13, 2017

我需要協助:我花了一些時間排查自己架設的 DNS 伺服器,但問題仍在。發生的情況如下:

當我嘗試從其他主機解析位址時,日誌中出現以下內容:

Nov 15 04:21:01 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#51843 (mydbhostname.example.local.example.local): query 'mydbhostname.example.local.example.local/A/IN' **denied**
Nov 15 04:21:01 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#51843 (mydbhostname.example.local.example.local): query 'mydbhostname.example.local.example.local/AAAA/IN' **denied**
Nov 15 04:24:11 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#44369 (22.zzz.yyy.xxx.in-addr.arpa): query '22.zzz.yyy.xxx.in-addr.arpa/PTR/IN' **denied**
.
.
.
Nov 15 04:36:31 mydnshostname00 named[1057]: client xxx.yyy.zzz.122#26059 (example.local): query 'example.local/SOA/IN' **denied**

但是,我可以從本地 dns 伺服器本身正確解析我的 dns。

有什麼建議可能出了什麼問題?或者如何解決這個問題?

這是我的配置:

/etc/named.conf

options {
       /* Master for example.local: answers on loopback and its own
        * address xxx.yyy.zzz.121 only. */
       listen-on port 53 { 127.0.0.1; xxx.yyy.zzz.121; };
       listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       /* NOTE(review): xxx.yyy.zzz.0/30 is only the four addresses
        * xxx.yyy.zzz.0 - .3.  Every client in the logged denials (.111
        * and .122) is outside that range, which is exactly the
        * "query ... denied" in the log.  The slave at .122 is also
        * refused its SOA query, so it can never notice a serial change
        * even though allow-transfer admits it.  Put the real subnet
        * mask here (the answer below shows the form). */
       allow-query     { localhost; xxx.yyy.zzz.0/30; };
       /* Zone transfers limited to localhost and the slave - keep narrow. */
       allow-transfer  { localhost; xxx.yyy.zzz.122; };

       /* NOTE(review): there is no allow-recursion statement, so BIND
        * derives the recursion ACL from allow-query.  Widening
        * allow-query therefore also widens who may use this host as a
        * recursive resolver; pair it with an explicit allow-recursion
        * restricted to the internal subnet. */
       recursion yes;

       dnssec-enable yes;
       dnssec-validation yes;
       /* NOTE(review): ISC retired the DLV registry in 2017; this
        * statement no longer validates anything and later BIND
        * releases warn about or refuse it.  Remove it together with
        * bindkeys-file below. */
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";

       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
};

logging {
       /* Debug-level channel; the path is relative to "directory", so
        * this writes /var/named/data/named.run.  The "denied" lines
        * quoted in the question have syslog formatting, so they appear
        * to come from BIND's built-in default_syslog channel rather
        * than this file - no logging change is needed to see them. */
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};

/* Root hints for recursion. */
zone "." IN {
       type hint;
       file "named.ca";
};
/* Authoritative forward zone; file is relative to /var/named. */
zone "example.local" IN{
       type master;
       /* allow-update { none; } keeps dynamic updates off - correct for
        * a hand-edited master file. */
       file "forward.example";
       allow-update { none; };
};
/* Authoritative reverse zone for xxx.yyy.zzz.0/24. */
zone "zzz.yyy.xxx.in-addr.arpa" IN {
       type master;
       file "reverse.example";
       allow-update { none; };
};
/* Stock CentOS localhost/loopback zones and the root trust anchor. */
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/var/named/forward.example

$TTL 86400
; Forward zone for example.local, served by the master (.121) and the
; slave (.122) named in the NS set below.
@   IN  SOA     MasterDNSDomain.example.local. root.example.local. (
       2011071001  ;Serial   - must be incremented on every edit or the slave never refreshes
       3600        ;Refresh
       1800        ;Retry
       604800      ;Expire
       86400       ;Minimum TTL
)

@                       IN  NS          MasterDNSDomain.example.local.
@                       IN  NS          SlaveDNSDomain.example.local.
; Earlier apex A records kept commented out; only .113 is live at the apex.
;@                      IN  A           xxx.yyy.zzz.121
;@                      IN  A           xxx.yyy.zzz.122
;@                      IN  A           xxx.yyy.zzz.120
;@                      IN  A           xxx.yyy.zzz.111
;@                      IN  A           xxx.yyy.zzz.112
@                       IN  A           xxx.yyy.zzz.113

; The two NS targets are in-zone, so their A records live here.
MasterDNSDomain         IN  A           xxx.yyy.zzz.121
SlaveDNSDomain          IN  A           xxx.yyy.zzz.122
ClientServerco01        IN  A           xxx.yyy.zzz.120
; NOTE(review): the logged query was for
; mydbhostname.example.local.example.local - the client resolver likely
; appended its search domain after the first, already-qualified lookup
; was refused.  This record is fine; the refusal comes from allow-query
; in named.conf, not from the zone data.
mydbhostname            IN  A           xxx.yyy.zzz.111
ClientServercr02        IN  A           xxx.yyy.zzz.112
ClientServerwb03        IN  A           xxx.yyy.zzz.113

www                     IN  CNAME       ClientServerwb03

/var/named/reverse.example

$TTL 86400
; Reverse zone for xxx.yyy.zzz.0/24 (zzz.yyy.xxx.in-addr.arpa).
@       IN  SOA     MasterDNSDomain.example.local. root.example.local. (
       2011071001  ;Serial   - keep in step with edits, as in the forward zone
       3600        ;Refresh
       1800        ;Retry
       604800      ;Expire
       86400       ;Minimum TTL
)

@                       IN  NS          MasterDNSDomain.example.local.
@                       IN  NS          SlaveDNSDomain.example.local.

; NOTE(review): .113 gets two PTR records (this one and the
; ClientServerwb03 entry below).  Both are returned for a reverse lookup
; of .113; keep only the canonical host name for a deterministic answer.
113                     IN  PTR         example.local.

; NOTE(review): inside this zone these owner names expand to e.g.
; MasterDNSDomain.zzz.yyy.xxx.in-addr.arpa., not example.local., so the
; A records below never answer a forward lookup.  They are harmless but
; should be removed; the forward zone already carries them.
MasterDNSDomain         IN  A           xxx.yyy.zzz.121
SlaveDNSDomain          IN  A           xxx.yyy.zzz.122
ClientServerco01        IN  A           xxx.yyy.zzz.120
mydbhostname            IN  A           xxx.yyy.zzz.111
ClientServercr02        IN  A           xxx.yyy.zzz.112
ClientServerwb03        IN  A           xxx.yyy.zzz.113

; One PTR per host; the .111 entry is what the denied
; 22.zzz.yyy.xxx.in-addr.arpa-style lookups in the log would hit once
; allow-query admits the client.
121                     IN  PTR         MasterDNSDomain.example.local.
122                     IN  PTR         SlaveDNSDomain.example.local.
120                     IN  PTR         ClientServerco01.example.local.
111                     IN  PTR         mydbhostname.example.local.
112                     IN  PTR         ClientServercr02.example.local.
113                     IN  PTR         ClientServerwb03.example.local.

防火牆配置

# Open DNS on TCP and UDP.  --permanent only writes the saved
# configuration; the rules are not active until `firewall-cmd --reload`
# (or the same commands without --permanent) is run.
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp

權限配置

# Zone data readable by the named group; named.conf stays root-owned so
# the daemon cannot rewrite its own configuration.
chgrp named -R /var/named
chown -v root:named /etc/named.conf
# Restore SELinux labels after the ownership change (named_zone_t /
# named_conf_t); skipping this is a common cause of AVC denials.
restorecon -rv /var/named
restorecon /etc/named.conf

在我的從屬 DNS 伺服器中

/etc/named.conf

options {
       /* Slave for example.local at xxx.yyy.zzz.122. */
       listen-on port 53 { 127.0.0.1; xxx.yyy.zzz.122; };
       listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       /* NOTE(review): same /30 as the master - covers only
        * xxx.yyy.zzz.0 - .3, so every real client is refused here too.
        * Use the actual subnet mask. */
       allow-query     { localhost; xxx.yyy.zzz.0/30; };
       /* NOTE(review): no allow-transfer statement.  BIND's default for
        * allow-transfer is "any", so this slave will hand the full zone
        * (AXFR) to any host that can reach port 53, which exposes every
        * internal host name.  Nothing needs transfers from the slave,
        * so add `allow-transfer { none; };`. */

       /* As on the master, recursion follows allow-query unless an
        * explicit allow-recursion restricts it to the internal subnet. */
       recursion yes;

       dnssec-enable yes;
       dnssec-validation yes;
       /* NOTE(review): DLV is retired; remove this and bindkeys-file. */
       dnssec-lookaside auto;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";

       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
};

logging {
       /* Debug channel writing /var/named/data/named.run (relative to
        * "directory"); identical to the master's configuration. */
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};

/* Root hints for recursion. */
zone "." IN {
       type hint;
       file "named.ca";
};
/* Secondary copy of the forward zone, pulled from the master at .121.
 * The slaves/ directory must be writable by the named user; the chgrp
 * below only changes the group, so confirm the directory mode.
 * Transfers here are unauthenticated - BIND supports TSIG keys on both
 * ends if the transfer path is not trusted. */
zone "example.local" IN {
       type slave;
       file "slaves/example.fwd";
       masters { xxx.yyy.zzz.121; };
};
/* Secondary copy of the reverse zone, same master.  Note the master's
 * allow-query must admit .122 or the refresh SOA query is refused, as
 * the last log line in the question shows. */
zone "zzz.yyy.xxx.in-addr.arpa" IN {
       type slave;
       file "slaves/example.rev";
       masters { xxx.yyy.zzz.121; };
};
/* Stock CentOS localhost/loopback zones and the root trust anchor. */
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

防火牆配置

# NOTE(review): only TCP is opened on the slave.  Ordinary client
# queries arrive over UDP 53, so they are dropped here even after
# allow-query is fixed; add `firewall-cmd --permanent --add-port=53/udp`
# as on the master, then `firewall-cmd --reload` to activate both.
firewall-cmd --permanent --add-port=53/tcp

權限配置

# Same ownership/label steps as on the master.  A slave additionally
# needs write access to /var/named/slaves for the transferred zone
# files; group ownership alone does not grant that unless the directory
# is group-writable.
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf

先感謝您

乾杯,

請允許你的整個子網進行查詢。

/* Example only: 192.168.196.0/24 stands in for the questioner's real
 * xxx.yyy.zzz.0/24.  Written as a network address with the mask that
 * actually contains the clients (.111, .122, ...). */
options { allow-query { 192.168.196.0/24; localhost; }; };

你目前的 /30 只涵蓋 2 個可用的 IP 位址:

/* The questioner's line: a /30 is xxx.yyy.zzz.0 - .3, which excludes
 * every host shown in the log. */
allow-query { localhost; xxx.yyy.zzz.0/30; }; 

http://www.tldp.org/HOWTO/DNS-HOWTO-6.html

你還應該檢查以下設定,把遞迴查詢限制在自己的子網內:

/* Restrict recursion to the internal subnet only; without this, any
 * address admitted by allow-query may also use the server as an open
 * recursive resolver.  "your subnet" is a placeholder.  Give the prefix
 * as the network address (192.168.1.0/24 rather than 192.168.1.1/24) -
 * recent BIND versions flag host bits set in an ACL prefix. */
allow-recursion { your subnet; 192.168.1.1/24; };

引用自:https://serverfault.com/questions/736425