升級到 Debian Jessie 後 BIND SERVFAIL
我對我的 BIND 配置完全沒有做任何事情,但看起來
Debian Jessie
升級已經破壞了它。也許引入了一些新選項,或者舊的東西現在工作方式不同,但我找不到問題所在。我一直
SERVFAIL
在我/var/log/bind/bind.log
的。我已經檢查了我的區域,
named-checkzone
它們都“正常”。我已經在系統範圍內禁用了 IPv6。我重新創建rndc
了 key 甚至創建了/etc/rndc.conf
. 沒有任何效果。以下是一些配置:
/etc/bind/named.conf
include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.log"; include "/etc/bind/named.conf.local"; //include "/etc/bind/named.conf.default-zones"; acl localhost_acl { 127.0.0.0/8; }; acl internal_10_acl { 192.168.10.0/24; }; acl internal_150_acl { 192.168.150.0/24; }; acl vpn_acl { 192.168.200.2; 192.168.200.5; }; key "rndc-key" { algorithm hmac-md5; secret "somesecretkey=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
/etc/bind/named.conf.options
options { directory "/var/cache/bind"; dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; listen-on { 127.0.0.1; 192.168.10.1; 192.168.150.1; 192.168.200.1; }; allow-transfer { none; }; max-recursion-queries 200; };
/etc/bind/named.conf.log
logging { channel update_debug { file "/var/log/bind/update_debug.log" versions 3 size 100k; severity debug; print-severity yes; print-time yes; }; channel security_info { file "/var/log/bind/security_info.log" versions 1 size 100k; severity debug; print-severity yes; print-time yes; }; channel bind_log { file "/var/log/bind/bind.log" versions 3 size 1m; severity debug; print-category yes; print-severity yes; print-time yes; }; category default { bind_log; }; category lame-servers { security_info; }; category update { update_debug; }; category update-security { update_debug; }; category security { security_info; }; };
/etc/bind/named.conf.local(這是一個很長的):
// 1 view "internal_10_view" { allow-query-on { 127.0.0.1; 192.168.10.1; }; allow-query { localhost_acl; internal_10_acl; }; match-clients { localhost_acl; internal_10_acl; }; zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_10"; }; zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.10"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 2 view "internal_150_view" { allow-query-on { 192.168.150.1; }; allow-query { internal_150_acl; }; match-clients { internal_150_acl; }; zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_150"; }; zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.150"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 3 view "vpn_view" { allow-query-on { 192.168.200.1; }; allow-query { vpn_acl; }; match-clients { vpn_acl; }; zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_vpn"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; // somedomain.tld zone "somedomain.tld" { type forward; forward first; forwarders { 192.168.34.110; 192.168.34.100; }; }; };
/etc/rndc.conf
key "rndc-key" { algorithm hmac-md5; secret "somesecretkey=="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
我@傑西:~ $ sudo netstat -lnptu | grep “named\W $ “*
tcp 0 0 192.168.10.1:53 0.0.0.0:* LISTEN 1871/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1871/named tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1871/named udp 0 0 192.168.200.1:53 0.0.0.0:* 1871/named udp 0 0 192.168.10.1:53 0.0.0.0:* 1871/named udp 0 0 127.0.0.1:53 0.0.0.0:* 1871/named
我@jessie:~$ ps aux | grep 命名
bind 5843 0.0 1.0 297780 84412 ? Ssl 00:52 0:16 /usr/sbin/named -f -u bind -4
me@jessie:/etc/bind$ 命名為 -V
BIND 9.9.5-9-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2' compiled by GCC 4.9.2 using OpenSSL version: OpenSSL 1.0.1k 8 Jan 2015 using libxml2 version: 2.9.2
me@jessie’s_client:~$ dig @192.168.10.1 launchpad.net
; <<>> DiG 9.9.5-9-Debian <<>> @192.168.10.1 launchpad.net ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19673 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;launchpad.net. IN A ;; Query time: 0 msec ;; SERVER: 192.168.10.1#53(192.168.10.1) ;; WHEN: Thu May 07 23:29:38 MSK 2015 ;; MSG SIZE rcvd: 42
最後是/var/log/bind/bind.log的一些日誌
07-May-2015 22:52:49.287 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV 07-May-2015 22:52:49.287 resolver: debug 1: createfetch: . NS 07-May-2015 22:52:49.954 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV 07-May-2015 22:52:50.353 resolver: debug 1: createfetch: launchpad.net A 07-May-2015 22:52:51.288 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV 07-May-2015 22:52:51.575 query-errors: debug 1: client 127.0.0.1#47208 (pandion.im): view internal_10_view: query failed (SERVFAIL) for pandion.im/IN/AAAA at query.c:7004 07-May-2015 22:52:53.138 query-errors: debug 1: client 127.0.0.1#55548 (_jabber._tcp.none.su): view internal_10_view: query failed (SERVFAIL) for _jabber._tcp.none.su/IN/SRV at query.c:7004 07-May-2015 22:52:53.955 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV 07-May-2015 22:52:54.622 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV 07-May-2015 22:52:55.353 query-errors: debug 1: client 192.168.10.2#37375 (launchpad.net): view internal_10_view: query failed (SERVFAIL) for launchpad.net/IN/A at query.c:7004 07-May-2015 22:52:55.354 resolver: debug 1: createfetch: launchpad.net A 07-May-2015 22:52:55.956 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
/var/log/bind/security_info.log
07-May-2015 00:45:26.055 warning: using built-in root key for view vpn_view 07-May-2015 12:31:37.603 warning: using built-in root key for view internal_10_view 07-May-2015 12:31:37.769 warning: using built-in root key for view internal_150_view 07-May-2015 12:31:37.773 warning: using built-in root key for view vpn_view 07-May-2015 12:31:44.859 warning: using built-in root key for view internal_10_view 07-May-2015 12:31:44.865 warning: using built-in root key for view internal_150_view 07-May-2015 12:31:44.871 warning: using built-in root key for view vpn_view 07-May-2015 12:31:46.005 warning: using built-in root key for view internal_10_view 07-May-2015 12:31:46.011 warning: using built-in root key for view internal_150_view 07-May-2015 12:31:46.016 warning: using built-in root key for view vpn_view 07-May-2015 12:31:47.108 warning: using built-in root key for view internal_10_view 07-May-2015 12:31:47.114 warning: using built-in root key for view internal_150_view 07-May-2015 12:31:47.121 warning: using built-in root key for view vpn_view 07-May-2015 12:31:48.946 warning: using built-in root key for view internal_10_view 07-May-2015 12:31:48.951 warning: using built-in root key for view internal_150_view 07-May-2015 12:31:48.957 warning: using built-in root key for view vpn_view 07-May-2015 14:07:39.729 warning: using built-in root key for view internal_10_view 07-May-2015 14:07:39.737 warning: using built-in root key for view internal_150_view 07-May-2015 14:07:39.743 warning: using built-in root key for view vpn_view 07-May-2015 14:12:05.871 warning: using built-in root key for view internal_10_view 07-May-2015 14:12:05.880 warning: using built-in root key for view internal_150_view 07-May-2015 14:12:05.890 warning: using built-in root key for view vpn_view 07-May-2015 14:27:07.630 warning: using built-in root key for view internal_10_view 07-May-2015 14:27:07.638 warning: using built-in root key for view internal_150_view 07-May-2015 14:27:07.644 warning: using built-in root key for view vpn_view
有什麼建議可能是錯的嗎?
如果您不熟悉新
max-recursion-queries
選項或添加它的原因,那麼要進行故障排除是一件非常痛苦的事情。CVE-2014-8500在 2014 年底被確定為影響多個名稱伺服器產品,包括 BIND。該漏洞允許惡意名稱伺服器製作一系列引用,這些引用將被無限跟踪,最終導致資源耗盡。ISC 對這個問題的修復是為伺服器願意代表單個查詢執行多少級遞歸添加上限。上限由
max-recursion-queries
預設為 75 的新選項控制。事實證明,75 級遞歸對空的名稱伺服器記憶體不是很友好——在整個程序重新啟動後,您將始終擁有該記憶體。
.
由於最終在請求的記錄和(根)之間遍歷了多少級別的引用,有許多域將無法使用此預設值解析。域恰好是其中pandion.im.
之一,它可能與來自 TLD 的無膠授權有關。以下是摘錄dig +trace +additional pandion.im
:im. 172800 IN NS ns4.ja.net. im. 172800 IN NS hoppy.iom.com. im. 172800 IN NS barney.advsys.co.uk. im. 172800 IN NS pebbles.iom.com. ns4.ja.net. 172800 IN A 193.62.157.66 hoppy.iom.com. 172800 IN A 217.23.163.140 barney.advsys.co.uk. 172800 IN A 217.23.160.50 pebbles.iom.com. 172800 IN A 80.168.83.242 ns4.ja.net. 172800 IN AAAA 2001:630:0:47::42 ;; Received 226 bytes from 199.7.83.42#53(199.7.83.42) in 29 ms pandion.im. 259200 IN NS ed.ns.cloudflare.com. pandion.im. 259200 IN NS jill.ns.cloudflare.com. ;; Received 81 bytes from 80.168.83.242#53(80.168.83.242) in 98 ms
的名稱伺服器
im.
委託pandion.im.
給 Cloudflare 的名稱伺服器,而不提供 IP 地址粘合。在空記憶體上,這意味著伺服器必須啟動單獨的引用遍歷以獲取這些名稱伺服器的 IP 地址,並且所有這些引用都計入原始查詢的最大遞歸數。此時,只有當伺服器已經從其他查詢中知道這些名稱伺服器的 IP 地址時,查詢才會成功:# service named restart && sleep 1 && dig @localhost pandion.im | grep status Checking named config: Stopping named: [ OK ] Starting named: [ OK ] ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63173
再試一次,這次嘗試在之前查找那些名稱伺服器
pandion.im.
:# service named restart && sleep 1 && dig @localhost ed.ns.cloudflare.com jill.ns.cloudflare.com pandion.im | grep status Checking named config: Stopping named: [ OK ] Starting named: [ OK ] ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26428 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30491 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22162
長話短說,這個問題很難辨識,特別是因為如果程序繼續執行,它似乎最終會隨著時間“消失”。我們的一位合作夥伴根據實際使用場景推薦了 200 的值。從 200 開始,如果它對你的喜好來說太高了,就調味。