
升級到 Debian Jessie 後 BIND SERVFAIL

  • June 6, 2015

我對我的 BIND 配置完全沒有做任何事情,但看起來Debian Jessie升級已經破壞了它。也許引入了一些新選項,或者舊的東西現在工作方式不同,但我找不到問題所在。

我在 /var/log/bind/bind.log 裡持續看到 SERVFAIL。

我已經用 named-checkzone 檢查過我的區域檔案,它們都「正常」。我已經在系統範圍內停用了 IPv6。我重新產生了 rndc key,甚至建立了 /etc/rndc.conf,但都沒有效果。

以下是一些配置:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.log";
include "/etc/bind/named.conf.local";
// Debian's default-zones include is disabled; the root hint, localhost and
// RFC1918 zones are instead declared inside every view in named.conf.local.
//include "/etc/bind/named.conf.default-zones";

// Client ACLs referenced by the views' match-clients / allow-query lists.
acl localhost_acl {
       127.0.0.0/8;
};

acl internal_10_acl {
       192.168.10.0/24;
};

acl internal_150_acl {
       192.168.150.0/24;
};

// Two individual VPN peers rather than the whole 192.168.200.0/24.
acl vpn_acl {
       192.168.200.2;
       192.168.200.5;
};

// Shared secret for the rndc control channel; must match /etc/rndc.conf.
// NOTE(review): hmac-md5 is the weakest TSIG algorithm BIND accepts. Because
// the controls channel below is bound to 127.0.0.1 this is a local-trust
// concern rather than a network exposure, but hmac-sha256 is the usual
// choice when the key is regenerated anyway.
key "rndc-key" {
algorithm hmac-md5;
secret "somesecretkey==";
};

// Control channel: loopback only, and only with the key above.
controls {
inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndc-key"; };
};

/etc/bind/named.conf.options

options {
       directory "/var/cache/bind";
       // Validate DNSSEC using BIND's compiled-in root trust anchor. This is
       // what produces the "using built-in root key for view ..." lines in
       // security_info.log further down; they are informational, not errors.
       dnssec-validation auto;
       auth-nxdomain no;    # conform to RFC1035
       // No IPv6 listener (named is also started with -4, see ps output below).
       listen-on-v6 { none; };
       // Loopback plus the three internal interfaces only; nothing public.
       listen-on {
               127.0.0.1;
               192.168.10.1;
               192.168.150.1;
               192.168.200.1;
       };
       // Zone transfers are refused for everyone; none of the views override this.
       allow-transfer { none; };
       // Cap on the number of iterative queries the resolver may send while
       // servicing one client query. This option was introduced by the
       // CVE-2014-8500 fix (default 75, see the answer at the end of the
       // page); presumably raised here because of the SERVFAILs. NOTE(review):
       // this cap is the resource-exhaustion mitigation itself, so keep it a
       // bounded value rather than setting it arbitrarily high.
       max-recursion-queries 200;
};

/etc/bind/named.conf.log

logging {

   // Dynamic-update activity and update-policy failures, debug level,
   // three 100k rotations.
   channel update_debug {

           file "/var/log/bind/update_debug.log" versions 3 size 100k;
           severity debug;
           print-severity  yes;
           print-time      yes;

   };

   // Security-related messages and lame-server reports; a single 100k rotation.
   channel security_info {

           file "/var/log/bind/security_info.log" versions 1 size 100k;
           severity debug;
           print-severity  yes;
           print-time      yes;

   };

   // Everything else. The category is printed so lines such as
   // "query-errors: ... query failed (SERVFAIL)" can be attributed.
   channel bind_log {

           file "/var/log/bind/bind.log" versions 3 size 1m;
           severity debug;
           print-category  yes;
           print-severity  yes;
           print-time      yes;

   };

   // Categories not listed here (resolver, query-errors, ...) fall through
   // to default and therefore land in bind.log.
   category default { bind_log; };
   category lame-servers { security_info; };
   category update { update_debug; };
   category update-security { update_debug; };
   category security { security_info; };

};

/etc/bind/named.conf.local(這個檔案很長):

// 1
// View for the 192.168.10.0/24 LAN plus loopback. Clients are matched by
// source address; each view carries its own copy of the root hint, localhost
// and RFC1918 zones because named.conf.default-zones is not included at
// top level.
view "internal_10_view" {

       // Answer only on the loopback and the .10 interface, and only to
       // clients from the ACLs above. No allow-recursion is set, so matching
       // clients get recursion (the default).
       allow-query-on { 127.0.0.1; 192.168.10.1; };
       allow-query { localhost_acl; internal_10_acl; };
       match-clients { localhost_acl; internal_10_acl; };

       // Per-view copy of the forward zone for this network.
       zone "myhost.tld" {
               type master;
               file "/etc/bind/db.myhost.tld_10";
       };

       // NOTE(review): this zone name covers all of 192.168.0.0/16, while the
       // file name suggests only 192.168.10.0/24 (that /24 on its own would
       // be 10.168.192.in-addr.arpa). The 150 view declares the same /16
       // name with a different file; confirm that is the intent.
       zone "168.192.in-addr.arpa" {
               type master;
               notify no;
               file "/etc/bind/db.192.168.10";
       };

       // formerly named.conf.default-zones

       // Root hints: this view does its own iterative resolution (no forwarders).
       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

       // formerly zones.rfc1918
       // Served locally from db.empty so private-range PTR lookups are never
       // sent upstream.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

// 2
// View for the 192.168.150.0/24 LAN. Same layout as the 10 view but with its
// own zone files; note that loopback is NOT matched here, so queries from
// 127.0.0.1 always land in internal_10_view.
view "internal_150_view" {

       // Answer only on the .150 interface, only to .150 clients.
       allow-query-on { 192.168.150.1; };
       allow-query { internal_150_acl; };
       match-clients { internal_150_acl; };

       zone "myhost.tld" {
               type master;
               file "/etc/bind/db.myhost.tld_150";
       };

       // NOTE(review): same remark as in the 10 view — the name covers all of
       // 192.168.0.0/16 although the file is named for one /24
       // (150.168.192.in-addr.arpa would be the /24 zone).
       zone "168.192.in-addr.arpa" {
               type master;
               notify no;
               file "/etc/bind/db.192.168.150";
       };

       // formerly named.conf.default-zones

       // Root hints: this view does its own iterative resolution (no forwarders).
       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

       // formerly zones.rfc1918
       // Served locally from db.empty so private-range PTR lookups are never
       // sent upstream.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

};

// 3
// View for the two VPN peers listed in vpn_acl. Differs from the LAN views in
// two ways: no reverse zone for 192.168.x, and a conditional forward zone at
// the end.
view "vpn_view" {

       // Answer only on the VPN interface, only to the two listed peers.
       allow-query-on { 192.168.200.1; };
       allow-query { vpn_acl; };
       match-clients { vpn_acl; };

       zone "myhost.tld" {
               type master;
               file "/etc/bind/db.myhost.tld_vpn";
       };

       // formerly named.conf.default-zones

       // Root hints: everything not forwarded below is resolved iteratively.
       zone "." {
               type hint;
               file "/etc/bind/db.root";
       };

       zone "localhost" {
               type master;
               file "/etc/bind/db.local";
       };

       zone "127.in-addr.arpa" {
               type master;
               file "/etc/bind/db.127";
       };

       zone "0.in-addr.arpa" {
               type master;
               file "/etc/bind/db.0";
       };

       zone "255.in-addr.arpa" {
               type master;
               file "/etc/bind/db.255";
       };

       // formerly zones.rfc1918
       // Served locally from db.empty so private-range PTR lookups are never
       // sent upstream.

       zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
       zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
       // NOTE(review): 172.32.0.0/16 is outside RFC1918 (the private block ends
       // at 172.31), and the other two views have 31.172.in-addr.arpa in this
       // position — almost certainly a typo. As written, this view serves
       // db.empty for a public range and will recurse out to the Internet for
       // 172.31.x PTR lookups instead of answering them locally.
       zone "32.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };

       // somedomain.tld
       // Conditional forwarding to two internal resolvers.
       // NOTE(review): "forward first" falls back to ordinary recursion when
       // the forwarders do not answer, so queries for this name can then be
       // sent to the public root/TLD servers; use "forward only" if that
       // fallback is not wanted.
       zone "somedomain.tld" {
               type forward;
               forward first;
               forwarders { 192.168.34.110; 192.168.34.100; };
       };

};

/etc/rndc.conf

key "rndc-key" {
       algorithm hmac-md5;
       secret "somesecretkey==";
};

options {
       default-key "rndc-key";
       default-server 127.0.0.1;
       default-port 953;
};

me@jessie:~$ sudo netstat -lnptu | grep "named\W*$"

tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN      1871/named      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1871/named      
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1871/named      
udp        0      0 192.168.200.1:53        0.0.0.0:*                           1871/named      
udp        0      0 192.168.10.1:53         0.0.0.0:*                           1871/named      
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1871/named 

me@jessie:~$ ps aux | grep named

bind      5843  0.0  1.0 297780 84412 ?        Ssl  00:52   0:16 /usr/sbin/named -f -u bind -4

me@jessie:/etc/bind$ named -V

BIND 9.9.5-9-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'                                                                                
compiled by GCC 4.9.2                                                                                                   
using OpenSSL version: OpenSSL 1.0.1k 8 Jan 2015                                                                        
using libxml2 version: 2.9.2    

me@jessie’s_client:~$ dig @192.168.10.1 launchpad.net

; <<>> DiG 9.9.5-9-Debian <<>> @192.168.10.1 launchpad.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;launchpad.net.                 IN      A

;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Thu May 07 23:29:38 MSK 2015
;; MSG SIZE  rcvd: 42

最後是 /var/log/bind/bind.log 中的一些日誌:

07-May-2015 22:52:49.287 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:49.287 resolver: debug 1: createfetch: . NS
07-May-2015 22:52:49.954 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:50.353 resolver: debug 1: createfetch: launchpad.net A
07-May-2015 22:52:51.288 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
07-May-2015 22:52:51.575 query-errors: debug 1: client 127.0.0.1#47208 (pandion.im): view internal_10_view: query failed (SERVFAIL) for pandion.im/IN/AAAA at query.c:7004
07-May-2015 22:52:53.138 query-errors: debug 1: client 127.0.0.1#55548 (_jabber._tcp.none.su): view internal_10_view: query failed (SERVFAIL) for _jabber._tcp.none.su/IN/SRV at query.c:7004
07-May-2015 22:52:53.955 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
07-May-2015 22:52:54.622 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
07-May-2015 22:52:55.353 query-errors: debug 1: client 192.168.10.2#37375 (launchpad.net): view internal_10_view: query failed (SERVFAIL) for launchpad.net/IN/A at query.c:7004
07-May-2015 22:52:55.354 resolver: debug 1: createfetch: launchpad.net A
07-May-2015 22:52:55.956 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV

/var/log/bind/security_info.log

07-May-2015 00:45:26.055 warning: using built-in root key for view vpn_view
07-May-2015 12:31:37.603 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:37.769 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:37.773 warning: using built-in root key for view vpn_view
07-May-2015 12:31:44.859 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:44.865 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:44.871 warning: using built-in root key for view vpn_view
07-May-2015 12:31:46.005 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:46.011 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:46.016 warning: using built-in root key for view vpn_view
07-May-2015 12:31:47.108 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:47.114 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:47.121 warning: using built-in root key for view vpn_view
07-May-2015 12:31:48.946 warning: using built-in root key for view internal_10_view
07-May-2015 12:31:48.951 warning: using built-in root key for view internal_150_view
07-May-2015 12:31:48.957 warning: using built-in root key for view vpn_view
07-May-2015 14:07:39.729 warning: using built-in root key for view internal_10_view
07-May-2015 14:07:39.737 warning: using built-in root key for view internal_150_view
07-May-2015 14:07:39.743 warning: using built-in root key for view vpn_view
07-May-2015 14:12:05.871 warning: using built-in root key for view internal_10_view
07-May-2015 14:12:05.880 warning: using built-in root key for view internal_150_view
07-May-2015 14:12:05.890 warning: using built-in root key for view vpn_view
07-May-2015 14:27:07.630 warning: using built-in root key for view internal_10_view
07-May-2015 14:27:07.638 warning: using built-in root key for view internal_150_view
07-May-2015 14:27:07.644 warning: using built-in root key for view vpn_view

有人能建議可能是哪裡出了問題嗎?

如果你不熟悉新的 max-recursion-queries 選項,或是它被加入的原因,那麼排查這個問題會非常痛苦。

CVE-2014-8500 在 2014 年底被確認影響多個名稱伺服器產品,包括 BIND。該漏洞允許惡意名稱伺服器構造一連串委派 (referral),遞迴解析器會無止境地跟隨它們,最終導致資源耗盡。ISC 的修復方式是為伺服器在處理單一用戶端查詢時願意執行的工作量加上上限;這個上限由新的 max-recursion-queries 選項控制(預設為 75)。它限制的是解析器為了回答一個遞迴查詢而發出的迭代查詢 (iterative query) 總數,而不是委派的「層數」——這也正是發問者 named.conf.options 中出現的那個選項。

事實證明,75 這個上限對快取 (cache) 為空的名稱伺服器不太友善——而每次整個程序重新啟動後,快取都是空的。由於從根 (.) 一路到所請求的記錄之間要跟隨多少層委派,許多網域在此預設值下會無法解析。pandion.im. 正好是其中之一,這很可能與 TLD 端的無膠 (glueless) 委派有關。以下是 dig +trace +additional pandion.im 的摘錄:

im.                     172800  IN      NS      ns4.ja.net.
im.                     172800  IN      NS      hoppy.iom.com.
im.                     172800  IN      NS      barney.advsys.co.uk.
im.                     172800  IN      NS      pebbles.iom.com.
ns4.ja.net.             172800  IN      A       193.62.157.66
hoppy.iom.com.          172800  IN      A       217.23.163.140
barney.advsys.co.uk.    172800  IN      A       217.23.160.50
pebbles.iom.com.        172800  IN      A       80.168.83.242
ns4.ja.net.             172800  IN      AAAA    2001:630:0:47::42
;; Received 226 bytes from 199.7.83.42#53(199.7.83.42) in 29 ms

pandion.im.             259200  IN      NS      ed.ns.cloudflare.com.
pandion.im.             259200  IN      NS      jill.ns.cloudflare.com.
;; Received 81 bytes from 80.168.83.242#53(80.168.83.242) in 98 ms

im. 的名稱伺服器把 pandion.im. 委派給 Cloudflare 的名稱伺服器,卻沒有提供膠水記錄 (glue,即這些名稱伺服器的 IP 位址)。在快取為空的情況下,這表示伺服器必須另外發起一輪委派追蹤來取得這些名稱伺服器的 IP 位址,而所有這些額外查詢都計入原始查詢的 max-recursion-queries 上限。此時,只有當伺服器已經從其他查詢得知這些名稱伺服器的 IP 位址時,查詢才會成功:

# service named restart && sleep 1 && dig @localhost pandion.im | grep status
Checking named config:
Stopping named:                                        [  OK  ]
Starting named:                                        [  OK  ]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63173

再試一次,這次在查 pandion.im. 之前先查詢那些名稱伺服器:

# service named restart && sleep 1 && dig @localhost ed.ns.cloudflare.com jill.ns.cloudflare.com pandion.im | grep status
Checking named config:
Stopping named:                                        [  OK  ]
Starting named:                                        [  OK  ]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26428
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30491
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22162

長話短說,這個問題很難辨識,特別是因為只要程序持續執行(快取逐漸填滿),它看起來會隨著時間「自行消失」。我們的一位合作夥伴根據實際使用情境建議 200 這個值。從 200 開始,再依你的需要調整。要注意的是,這個上限正是 CVE-2014-8500 的緩解措施:它限制了單一用戶端查詢能讓你的解析器發出多少次對外查詢,把它調高就是在解析成功率與抵抗惡意委派鏈造成資源耗盡之間做取捨,所以應該保留一個有限的值,而不是隨意設得很大。

引用自:https://serverfault.com/questions/690447