Unable to add forward map SERVFAIL/REFUSED DDNS
I'm using bind9 on the primary DNS server, with two secondary DNS servers in a master/slave relationship. I'm trying to implement DDNS, but I seem to be having a problem when adding the forward map; I get the error
Unable to add forward map from DESKTOP-9MFAP8Q.student.co.uk to 192.168.80.51: SERVFAIL
I originally got a REFUSED error until I added the DHCP server's address to the allow-query and allow-transfer options in named.conf.local on the primary DNS.
I'm not sure whether that is required; it was just something I tried to get it working. I tried changing the permissions on the zone files with
sudo chown bind:bind /etc/bind/*.db
sudo chmod 664 /etc/bind/*.db
but that didn't change the result at all.
I'll post the config files below; any help is much appreciated.
Router - 192.168.80.2
DHCP - 192.168.80.3
Primary DNS - 192.168.80.4
Secondary DNS - 192.168.80.5, 192.168.80.6
-------------------- Primary DNS --------------------
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

key "rndc-key" {
    algorithm hmac-sha256;
    secret "ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==";
};

zone "student.co.uk" {
    type master;
    file "/etc/bind/db.student.co.uk";
    notify no;
    allow-query { 127.0.0.1; 192.168.80.5; 192.168.80.6; 192.168.80.3; };
    allow-transfer { 192.168.80.5; 192.168.80.6; 192.168.80.3; };
    allow-update { { key rndc-key; }; };
};

zone "80.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.80.168.192.in-addr.arpa";
    notify no;
    allow-query { 127.0.0.1; 192.168.80.5; 192.168.80.6; };
    allow-transfer { 192.168.80.5; 192.168.80.6; };
    allow-update { { key rndc-key; }; };
};
named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    allow-query { 192.168.80.5; 192.168.80.6; 127.0.0.1; };
    allow-transfer { 192.168.80.5; 192.168.80.6; 127.0.0.1; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};
db.80.168.192.in-addr.arpa
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2021020902      ; Serial
                            604800      ; Refresh
                             86400      ; Retry
                           2419200      ; Expire
                            604800 )    ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
150     IN      PTR     www.student.co.uk.
151     IN      PTR     www.student.co.uk.
db.student.co.uk
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2021021902      ; Serial
                            604800      ; Refresh
                             86400      ; Retry
                           2419200      ; Expire
                            604800 )    ; Negative Cache TTL
;
@       IN      NS      ns1.student.co.uk.
@       IN      NS      ns2.student.co.uk.
ns1     IN      A       192.168.80.5
ns2     IN      A       192.168.80.6
www     IN      A       192.168.80.150
www     IN      A       192.168.80.151
-------------------- DHCP --------------------
dhcpd.conf
# option definitions common to all supported networks...
option domain-name "student.co.uk";
option domain-name-servers 192.168.80.5, 192.168.80.6;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-updates on;
ddns-update-style standard;
update-static-leases on;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

allow unknown-clients;
use-host-decl-names on;

key rndc-key {
    algorithm hmac-sha256;
    secret ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==;
};

zone student.co.uk. {
    primary 192.168.80.4;
    key rndc-key;
}

zone 80.168.192.in-addr.arpa. {
    primary 192.168.80.4;
    key rndc-key;
}

subnet 192.168.80.0 netmask 255.255.255.0 {
    range 192.168.80.50 192.168.80.100;
    option domain-name-servers 192.168.80.5, 192.168.80.6;
    option domain-name "student.co.uk";
    ddns-domainname "student.co.uk.";
    ddns-rev-domainname "in-addr.arpa.";
    option subnet-mask 255.255.255.0;
    option routers 192.168.80.2;
    option broadcast-address 192.168.80.255;
    default-lease-time 600;
    max-lease-time 7200;

    host DOMAIN1 {
        hardware ethernet 00:0c:29:20:87:b0;
        fixed-address 192.168.80.99;
        ddns-hostname "test";
    }
}
General advice
Check BIND's logs (from the look of it, that is where the error is occurring); you should find the relevant error messages from the update attempt there.
My hunch (educated guess, if you will)
BIND is probably unable to create/modify the files.
Either the directory and/or files are not writable according to filesystem permissions, or an additional layer such as SELinux/AppArmor does not allow writing outside the directories expected for that particular service.
Root cause theory (assuming my hunch is correct)
You have placed these writable files somewhere unusual, which very likely conflicts with what the package maintainer prepared (in terms of filesystem permissions and any SELinux/AppArmor profiles).
Normally you would use something like /var/lib/bind for writable files (or /var/cache/bind for "cache" files), rather than /etc/bind, which holds the usual read-only configuration. I would suggest confirming the appropriate directory and using it, rather than making additional system changes, unless there is a significant reason to use a different directory.
Side note: I would suggest using a dedicated key for these updates from dhcpd, rather than reusing a key whose name makes it look as if it was intended for rndc use (and is perhaps also valid for that?).
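Two checks that turn the answer's hunch into something you can run on the primary, written as an added example (not code from the question or the answer). It assumes the Debian/Ubuntu bind9 layout the answer refers to: named only reads /etc/bind (the shipped AppArmor profile grants r on /etc/bind/**), while /var/lib/bind and /var/cache/bind are writable. The function names and the sample named.conf.local are constructed for this example; the sample keeps the question's two zones but moves one of them to /var/lib/bind so both outcomes are visible.

```shell
#!/bin/sh
# Added example: verify the "named cannot write its zone files" hunch.
# Assumes Debian/Ubuntu bind9 paths: /etc/bind read-only for named,
# /var/lib/bind and /var/cache/bind writable (per the AppArmor profile).

# check_zone_file_paths NAMED_CONF
# Prints one line per zone file named by a  file "..."  statement and
# returns 1 if any of them lives outside the directories named may write to.
check_zone_file_paths() {
    conf="$1"
    rc=0
    for f in $(grep -o 'file[[:space:]]*"[^"]*"' "$conf" | sed 's/.*"\(.*\)"/\1/'); do
        case "$f" in
            /var/lib/bind/*|/var/cache/bind/*) echo "ok   $f" ;;
            *) echo "move $f -> /var/lib/bind/$(basename "$f")"; rc=1 ;;
        esac
    done
    return $rc
}

# mode_char MODESTRING N: the Nth character of an ls-style mode string
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

# dir_writable_by DIR USER
# Portable (ls/id only) check of whether USER can write into DIR through the
# owner/group/other bits. It is blind to ACLs, SELinux and AppArmor, so a
# "yes" is necessary but not sufficient; a "no" is already enough to explain
# a dynamic update that fails because named cannot write the zone or journal.
dir_writable_by() {
    dir="$1"
    user="$2"
    set -- $(ls -ld "$dir")          # $1=mode string, $3=owner, $4=group
    mode="$1"; owner="$3"; group="$4"
    if [ "$owner" = "$user" ]; then
        [ "$(mode_char "$mode" 3)" = "w" ]; return
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            [ "$(mode_char "$mode" 6)" = "w" ]; return
        fi
    done
    [ "$(mode_char "$mode" 9)" = "w" ]
}

# sample_named_conf_local
# Constructed stand-in for the question's named.conf.local: the same two
# zones, one still under /etc/bind and one already moved to /var/lib/bind.
sample_named_conf_local() {
    cat <<'EOF'
zone "student.co.uk" {
    type master;
    file "/etc/bind/db.student.co.uk";
    allow-update { key rndc-key; };
};
zone "80.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.80.168.192.in-addr.arpa";
    allow-update { key rndc-key; };
};
EOF
}

# Usage on a real primary (example, not the page's own commands):
#   check_zone_file_paths /etc/bind/named.conf.local
#   dir_writable_by /var/lib/bind bind && echo "bits allow it"
```

On the question's configuration the first function reports both zone files under /etc/bind as needing to move; after moving them (and updating the file statements) the second function checks the classic permission bits for the bind user, which is the part `chown bind:bind` and `chmod 664` on the files alone cannot fix when the directory itself is not writable. Neither check sees AppArmor, so if both pass and the update still returns SERVFAIL, the answer's first piece of advice applies: read named's log (and, on an AppArmor host, the kernel audit log) for the denied write. For the answer's side note, `tsig-keygen -a hmac-sha256 ddns-key` prints a ready-to-include key stanza for a dedicated update key.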