Domain-Name-System

Debian Wheezy, bind with views and common configuration

  • February 4, 2015

For the last few days I have been struggling to get my bind working. I believe it has a rather common configuration, but somehow, when the domain name (myho.st) is used, it does not give the local clients the correct IP of my server. The system is Debian Wheezy. named-checkconf reports no errors.

The configuration is as follows:

/etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.log";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

acl localhost_acl {
       127.0.0.1;
};

acl internal_10_acl {
       192.168.10.0/24;
};

/etc/bind/named.conf.local:

include "/etc/bind/zones.rfc1918";

view "local_view" {

       match-clients { localhost_acl; internal_10_acl; };

       zone "myho.st" {
               type master;
               file "/etc/bind/db.myho.st";
       };

};

/etc/bind/zones.rfc1918:

view "global_view" {

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };

       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

/etc/bind/named.conf.default-zones:

view "default_view" {

       // prime the server with knowledge of the root servers
       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       // be authoritative for the localhost forward and reverse zones, and for
       // broadcast zones as per RFC 1912

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

};

/etc/bind/named.conf.log:

logging {
       channel update_debug {
               file "/var/log/bind/update_debug.log" versions 3 size 100k;
               severity debug;
               print-severity  yes;
               print-time      yes;
       };
       channel security_info {
               file "/var/log/bind/security_info.log" versions 1 size 100k;
               severity info;
               print-severity  yes;
               print-time      yes;
       };
       channel bind_log {
               file "/var/log/bind/bind.log" versions 3 size 1m;
               severity info;
               print-category  yes;
               print-severity  yes;
               print-time      yes;
       };

       category default { bind_log; };
       category lame-servers { null; };
       category update { update_debug; };
       category update-security { update_debug; };
       category security { security_info; };
};

/etc/bind/named.conf.options:

options {

       directory "/var/cache/bind";
       dnssec-validation auto;
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { none; };
       listen-on {
               127.0.0.1;
               192.168.10.1;
       };
       allow-transfer { none; };
       allow-query { localhost_acl; internal_10_acl; };

};

And finally /etc/bind/db.myho.st:

$TTL    3h
@       IN      SOA     ns.myho.st. hostmaster.myho.st. (
                         4        ; Serial
                         3h       ; Refresh after 3 hours
                         1h       ; Retry after 1 hour
                         1w       ; Expire after 1 week
                         1h )     ; Negative caching TTL of 1 hour
;
@               IN      NS      ns.myho.st.

@               IN      A       192.168.10.1
ns              IN      A       192.168.10.1

named-checkzone myho.st /etc/bind/db.myho.st reports no errors.

My clients are on the 192.168.10.0/24 subnet, and they can all ping 192.168.10.1, which is the server's IP. But the myho.st name is being resolved to the global IP via the ISP's DNS, although it appears to be served by my server:

user@client:~$ nslookup myho.st
Server:         192.168.10.1
Address:        192.168.10.1#53

Non-authoritative answer:
Name:   myho.st
Address: *some global IP*

Obviously I am missing some basic setting in named.conf*, but I can't see which one. Perhaps the views are not configured correctly. Please advise.

From what I see, the names of your configuration parts are misleading (also, I can say that the Debian tradition of splitting a decent configuration file into over 9000 pieces is usually misleading and counterproductive).

Taking this into account:

view clauses are processed in the order in which they appear in the named.conf file.
Thus, in the example above the 'badguys' view clause matching condition (any) also 
satisfies the 'trusted' view matching condition. However, since 'trusted' appears first
its matching condition is the first to be satisfied and view matching stops.

I can say that your global_view is processed first, so your local clients are matching it. Move include "/etc/bind/zones.rfc1918"; (yes, that is the misleadingly named include) after the local_view view.

Source: https://serverfault.com/questions/664933
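The answer turns on how named orders views: include files are read in place, the views are tried in the order they end up in, the first view whose match-clients accepts the client wins, and a view with no match-clients accepts every client. The script below is an added example, not code from the question, the answer or BIND itself: it expands include lines the same way, lists the resulting view order and evaluates a client address against each view's match-clients, on a constructed copy of the question's file layout (options, logging and zone files left out) in both the posted order and the answer's fix. The `root` prefix under which the /etc/bind paths are created, the temporary directory and the client address 192.168.10.20 are assumptions made so that it runs anywhere.

```python
"""Added example: list BIND views in the order named tries them and find the view a
client matches.  Mirrors the question's layout; `root` is a prefix (assumption) so the
/etc/bind paths can be created in a temporary directory instead of the real one."""
import ipaddress
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^[ \t]*include\s+"([^"]+)"\s*;', re.M)
VIEW_RE = re.compile(r'^[ \t]*view\s+"([^"]+)"', re.M)
ACL_RE = re.compile(r'^[ \t]*acl\s+(\S+)\s*\{([^}]*)\}', re.M)
MATCH_RE = re.compile(r'match-clients\s*\{([^}]*)\}')

def expand_includes(path, root="/", seen=frozenset()):
    """Replace each `include "file";` with that file's expanded text, as named reads it."""
    real = os.path.realpath(path)
    if real in seen:
        raise ValueError(f"include loop via {path}")
    with open(path) as fh:
        text = fh.read()
    return INCLUDE_RE.sub(lambda m: expand_includes(
        os.path.join(root, m.group(1).lstrip("/")), root, seen | {real}), text)

def strip_comments(text):
    # drop /* */, // and # comments so a commented-out view or acl is not counted
    return re.sub(r'(//|#)[^\n]*', '', re.sub(r'/\*.*?\*/', '', text, flags=re.S))

def _block(text, start):
    """Text inside the brace block that opens at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == '{') - (text[i] == '}')
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def _elems(body):
    return [e.strip() for e in body.split(';') if e.strip()]

def views_in_order(text):
    """[(view, match-clients elements)] in file order; no match-clients means { any; }."""
    text, views = strip_comments(text), []
    for m in VIEW_RE.finditer(text):
        mc = MATCH_RE.search(_block(text, text.index('{', m.end())))
        views.append((m.group(1), _elems(mc.group(1)) if mc else ['any']))
    return views

def parse_acls(text):
    """acl name -> elements, from anywhere in the expanded config."""
    return {name: _elems(body) for name, body in ACL_RE.findall(strip_comments(text))}

def matches(addr, elems, acls):
    """Address match list: the first element that matches decides, '!' means deny; a nested
    acl counts only when it matches positively, otherwise evaluation moves on."""
    ip = ipaddress.ip_address(addr)
    for elem in elems:
        negated, e = elem.startswith('!'), elem.lstrip('! ')
        if e in ('any', 'none'):
            hit = e == 'any'
        elif e == 'localhost':
            hit = ip.is_loopback  # approximation: named means any address of the host itself
        elif e in acls:
            hit = matches(addr, acls[e], acls) is True
        else:
            hit = ip in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negated
    return None  # nothing matched; for a view list named would refuse the query

def view_for(addr, config_text):
    acls = parse_acls(config_text)
    return next((n for n, elems in views_in_order(config_text) if matches(addr, elems, acls)), None)

def write_fixture(root, rfc1918_first):
    """Constructed copy of the question's layout (options, log and zone files omitted).
    rfc1918_first=True reproduces the posted order, False applies the answer's fix."""
    d = os.path.join(root, "etc/bind")
    os.makedirs(d, exist_ok=True)
    local_view = ('view "local_view" {\n    match-clients { localhost_acl; internal_10_acl; };\n'
                  '    zone "myho.st" { type master; file "/etc/bind/db.myho.st"; };\n};\n')
    include = 'include "/etc/bind/zones.rfc1918";\n'
    files = {
        "named.conf": ('include "/etc/bind/named.conf.local";\n'
                       'include "/etc/bind/named.conf.default-zones";\n'
                       'acl localhost_acl { 127.0.0.1; };\nacl internal_10_acl { 192.168.10.0/24; };\n'),
        "named.conf.local": include + local_view if rfc1918_first else local_view + include,
        # global_view has no match-clients, so it accepts every client that reaches it
        "zones.rfc1918": ('view "global_view" {\n'
                          '    zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };\n};\n'),
        "named.conf.default-zones": ('view "default_view" {\n'
                                     '    zone "." { type hint; file "/etc/bind/db.root"; };\n};\n'),
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return os.path.join(d, "named.conf")

def demo(rfc1918_first):
    """(view order, view chosen for a 192.168.10.0/24 client) for the given layout."""
    with tempfile.TemporaryDirectory() as root:
        text = expand_includes(write_fixture(root, rfc1918_first), root)
    return [n for n, _ in views_in_order(text)], view_for("192.168.10.20", text)

if __name__ == "__main__":
    print("posted order:", demo(True))   # global_view is tried first and accepts everyone
    print("fixed order: ", demo(False))  # local clients now land in local_view
```

On a real host the equivalent check is `named-checkconf -p /etc/bind/named.conf`, which prints the configuration with all includes expanded: the `view` clauses appear in that output in the order named will try them, and the view that has no match-clients (global_view here) has to come last, or nothing after it is ever reached.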