Linux
BIND can't get past "WARNING: recursion requested but not available"
- no errors in the log, and query logging does not initialize
- iptables completely disabled
But the server answers with "WARNING: recursion requested but not available" because my client 104.200.17.225 is going to external. But the client IS in the trusted ACL. Bind completely ignores my trusted list.
    mlr01 ~ # dig facebook.com

    ; <<>> DiG 9.9.5 <<>> facebook.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;facebook.com.            IN      A

    ;; AUTHORITY SECTION:
    .            3600000    IN    NS    G.ROOT-SERVERS.NET.
    .            3600000    IN    NS    I.ROOT-SERVERS.NET.
    .            3600000    IN    NS    E.ROOT-SERVERS.NET.
    .            3600000    IN    NS    L.ROOT-SERVERS.NET.
    .            3600000    IN    NS    K.ROOT-SERVERS.NET.
    .            3600000    IN    NS    M.ROOT-SERVERS.NET.
    .            3600000    IN    NS    H.ROOT-SERVERS.NET.
    .            3600000    IN    NS    A.ROOT-SERVERS.NET.
    .            3600000    IN    NS    F.ROOT-SERVERS.NET.
    .            3600000    IN    NS    C.ROOT-SERVERS.NET.
    .            3600000    IN    NS    D.ROOT-SERVERS.NET.
    .            3600000    IN    NS    J.ROOT-SERVERS.NET.
    .            3600000    IN    NS    B.ROOT-SERVERS.NET.

    ;; Query time: 42 msec
    ;; SERVER: 66.228.35.79#53(66.228.35.79)
    ;; WHEN: Thu Oct 16 23:28:20 UTC 2014
    ;; MSG SIZE  rcvd: 252
Named seems to ignore my ACL:
    cat /etc/bind/named.conf

    acl "outside" {
        any;
    };

    acl "trusted" {
        173.255.211.166;
        104.200.17.225;  //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
    };

    options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";
        transfer-source 198.74.49.126;
        listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d; };
        listen-on { 127.0.0.1; 66.228.35.79; };
        max-cache-ttl 1600;
        version none;
        allow-query { any; };
        allow-query-cache { any; };
        allow-transfer { trusted; };
        allow-update { trusted; };
        //forward first;
        forwarders {
            109.74.192.20;
            97.107.133.4;
            198.74.49.126;  //internal router1
        };
    };

    logging {
        channel default_log {
            file "/var/log/named/named.log" versions 5 size 50M;
            print-time yes;
            print-severity yes;
            print-category yes;
            severity warning;
        };
        channel resolver_file {
            file "/var/log/named/resolver.log" versions 3 size 5m;
            severity dynamic;
            print-time yes;
        };
        channel xfer-in_file {
            file "/var/log/named/xfer-in.log" versions 3 size 5m;
            severity dynamic;
            print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
    };

    include "/etc/bind/rndc.key";

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
    };

    view "internal" {
        match-clients { trusted; };
        allow-query-cache { any; };
        allow-recursion { trusted; };
        recursion yes;
        zone "azevedomd.com" {
            type master;
            file "pri/azevedomd.com.internal";
        };
        zone "35.228.66.in-addr.arpa" {
            type master;
            file "pri/reverse.internal";
        };
        zone "127.in-addr.arpa" {
            type master;
            file "pri/127.0.0.1";
        };
    };

    view "external" {
        match-clients { any; };
        match-destinations { any; };
        recursion no;
        allow-query { any; };
        zone "." IN {
            type hint;
            file "/var/bind/named.ca";
        };
        zone "azevedomd.com" {
            type master;
            file "pri/azevedomd.com.external";
        };
        zone "35.228.66.in-addr.arpa" {
            type master;
            file "pri/reverse.external";
        };
        zone "127.in-addr.arpa" {
            type master;
            file "pri/127.0.0.1";
        };
    };
The query log says it is external. Why does it ignore the internal and trusted lists? The client is in the list.

    17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79
Try switching your ACL statements around:

    acl "trusted" {
        173.255.211.166;
        104.200.17.225;  //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
    };

    acl "outside" {
        any;
    };

Your 104.200.17.225 client matches the "outside" acl first. Reordering the acls may help, but a more reliable approach is to exclude your "trusted" addresses from "outside":

    acl "outside" {
        !173.255.211.166;
        !104.200.17.225;  //this is the client in question
        !10.8.0.0/24;
        !10.8.1.0/24;
        !127.0.0.1/32;
        !::1/128;
        any;
    };
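As an added example (not part of the question or the answer above), the following Python evaluates BIND-style address match lists with the first-match-wins and "!" negation semantics that the answer's exclusion list relies on, then scans query-log lines in the format shown in the question for trusted clients that were served by a view other than "internal". The ACL entries are taken from the posted named.conf; the log lines are constructed samples modelled on the one in the question.

```python
import ipaddress
import re

# ACL entries copied from the named.conf in the question. BIND address match
# lists are evaluated first-match-wins; a "!" entry negates (a hit means "no").
TRUSTED = ["173.255.211.166", "104.200.17.225", "10.8.0.0/24",
           "10.8.1.0/24", "127.0.0.1/32", "::1/128"]
OUTSIDE_ORIGINAL = ["any"]                              # acl "outside" as posted
OUTSIDE_FIXED = ["!" + e for e in TRUSTED] + ["any"]    # acl "outside" per answer

def matches_acl(client, acl):
    """True if client matches the address match list under BIND semantics."""
    addr = ipaddress.ip_address(client)
    for entry in acl:
        negate = entry.startswith("!")
        item = entry.lstrip("!")
        if item == "any":
            hit = True
        else:
            # ip_network() handles v4 and v6; a v4 address is never in a v6 net
            hit = addr in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False  # no entry matched: the address is not in the list

# Query-log line shape seen in the question: "client A#port (qname): view V: query: ..."
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
                    r"view (?P<view>\S+): query: ")

def audit_query_log(lines, trusted=TRUSTED):
    """Return (client, view, qname) for trusted clients not served by view 'internal'."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and matches_acl(m["ip"], trusted) and m["view"] != "internal":
            findings.append((m["ip"], m["view"], m["qname"]))
    return findings

# Constructed sample log lines modelled on the excerpt in the question.
SAMPLE_LOG = [
    "17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): "
    "view external: query: facebook.com IN A +E (66.228.35.79)",
    "17-Oct-2014 00:17:04.001 client 10.8.0.7#50123 (azevedomd.com): "
    "view internal: query: azevedomd.com IN A + (66.228.35.79)",
    "17-Oct-2014 00:17:05.120 client 203.0.113.9#3344 (azevedomd.com): "
    "view external: query: azevedomd.com IN A + (66.228.35.79)",
]

if __name__ == "__main__":
    for ip, view, qname in audit_query_log(SAMPLE_LOG):
        print(f"trusted client {ip} was served by view {view} for {qname}")
```

Running the script reports only the facebook.com lookup from 104.200.17.225, the trusted client that the posted log shows landing in view external.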