
BIND 無法解析查詢,並回應“警告:請求遞歸但不可用”

  • August 9, 2015
  1. 日誌中沒有錯誤,查詢日誌也未被初始化
  2. iptables 完全禁用

但伺服器回應“警告:請求遞歸但不可用”,因為我的客戶端 104.200.17.225 被分到了 external 視圖。但該客戶端“確實”在受信任的 ACL 中。Bind 完全忽略了我的 trusted 列表。

mlr01 ~ # dig facebook.com

; <<>> DiG 9.9.5 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.

;; Query time: 42 msec
;; SERVER: 66.228.35.79#53(66.228.35.79)
;; WHEN: Thu Oct 16 23:28:20 UTC 2014
;; MSG SIZE  rcvd: 252

Named 似乎忽略了我的 ACL:

cat /etc/bind/named.conf
// Catch-all address match list. Note: "outside" is not referenced by any
// view or option anywhere in this listing, so it currently has no effect.
acl "outside" {
       any;            // matches every source address
};

// Address match list used by view "internal" (match-clients / allow-recursion)
// and by the global allow-transfer / allow-update options.
// All entries are positive (no "!"), so entry order does not change the result.
// NOTE(review): the two public addresses are trusted on source IP alone; for
// allow-update / allow-transfer a TSIG key (key / update-policy) is the
// stronger control, since a UDP source address is not authenticated.
acl "trusted" {
       173.255.211.166;
       104.200.17.225;  //this is the client in question
       10.8.0.0/24;
       10.8.1.0/24;
       127.0.0.1/32;
       ::1/128;
};

options {
       // Paths and identity.
       directory "/var/bind";
       pid-file "/var/run/named/named.pid";
       version none;                                   // do not answer version.bind queries
       max-cache-ttl 1600;

       // Sockets: IPv4 loopback + public address, IPv6 loopback + global address.
       listen-on    { 127.0.0.1; 66.228.35.79; };
       listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d; };
       transfer-source 198.74.49.126;

       // Global access defaults; each "view" below may override them.
       allow-query       { any; };
       allow-query-cache { any; };      // NOTE(review): cache readable by any client; consider { trusted; }
       allow-transfer    { trusted; };  // zone transfers gated on source IP only
       allow-update      { trusted; };  // NOTE(review): dynamic updates gated on source IP only; prefer a TSIG key

       // Upstream resolvers; "forward first" is the implied default once forwarders are set.
       //forward first;
       forwarders {
               109.74.192.20;
               97.107.133.4;
               198.74.49.126;          //internal router1
       };
};


logging {
       // Main log: only warning and above, with time/severity/category prefixes.
       channel default_log {
               file "/var/log/named/named.log" versions 5 size 50M;
               severity warning;
               print-time yes;
               print-severity yes;
               print-category yes;
       };

       // Extra channels. Neither is attached to a category in this listing,
       // so nothing is written to them as configured here.
       channel resolver_file {
               file "/var/log/named/resolver.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };
       channel xfer-in_file {
               file "/var/log/named/xfer-in.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };

       // No "queries" category here; the query-log line quoted below was
       // presumably enabled at runtime (rndc querylog) — confirm.
       category default { default_log; };
       category general { default_log; };
};


include "/etc/bind/rndc.key";   // presumably defines key "rndc-key" used below (file not shown)
controls {
       // rndc channel: loopback only, and the key is required in addition to the address list
       inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// Views are tried in declaration order; this one is first, so any source in
// "trusted" should land here. The order of the "acl" statements above does
// not affect this. NOTE(review): if the query log still reports "view external"
// for 104.200.17.225, confirm the running named has loaded this file
// (named-checkconf, then rndc reload) and that the query really arrives from
// that source address.
view "internal" {
       match-clients { trusted; };
       allow-query-cache { any; };      // effectively limited to "trusted" by match-clients
       allow-recursion { trusted; };
       recursion yes;                   // recursive service only for this view

       zone "azevedomd.com" {
               type master;
               file "pri/azevedomd.com.internal";
       };
       zone "35.228.66.in-addr.arpa"{
               type master;
               file "pri/reverse.internal";
       };
       zone "127.in-addr.arpa" {
               type master;
               file "pri/127.0.0.1";
       };

};

// Catch-all view for every client not matched above: authoritative only.
view "external" {
       match-clients { any; };
       match-destinations { any; };
       recursion no;                    // non-recursive: this is what produces the dig warning
       allow-query { any; };
       // With recursion off, a hint zone only lets named answer with a root
       // referral — the root NS set in the AUTHORITY section of the dig above.
       zone "." IN {
               type hint;
               file "/var/bind/named.ca";
       };
       zone "azevedomd.com" {
               type master;
               file "pri/azevedomd.com.external";
       };
       zone "35.228.66.in-addr.arpa"{
               type master;
               file "pri/reverse.external";
       };
       zone "127.in-addr.arpa" {
               type master;
               file "pri/127.0.0.1";
       };

};

查詢日誌顯示它使用了 external 視圖。為什麼它忽略 internal 視圖和 trusted 列表?客戶端就在列表中。

17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79

試著調換您的 ACL 語句的順序

// Same "trusted" list as in the question, now declared before "outside".
acl "trusted" {
       173.255.211.166;
       104.200.17.225;  //this is the client in question
       10.8.0.0/24;
       10.8.1.0/24;
       127.0.0.1/32;
       ::1/128;
};

// NOTE(review): an acl is a named list looked up by name; declaring it after
// "trusted" only matters if something actually references "outside", which
// nothing in the question's listing does.
acl "outside" {
       any;
};

您的客戶端 104.200.17.225 先匹配到了“outside”acl。重新排列 acl 的順序可能有幫助,但更可靠的做法是在“outside”中明確排除您的“trusted”地址:

// Address match lists are first-match: a trusted source hits its "!" entry
// and is rejected before reaching "any", so the negations must stay above it.
// This makes "outside" disjoint from "trusted" regardless of acl order.
acl "outside" {
       !173.255.211.166;
       !104.200.17.225;  //this is the client in question
       !10.8.0.0/24;
       !10.8.1.0/24;
       !127.0.0.1/32;
       !::1/128;
       any;              // everyone else
};

引用自:https://serverfault.com/questions/637668