Zone file transfer denied

I am implementing this in my home network, so if I swap the roles from master to slave [this machine should act as the master server for ns.insec, while the slave in machine 1 / machine 2 acts as master for not.insec [master server for not.insec and slave server for ns.insec]], the same problem appears here: zone transfer permission denied. It works one way from machine 1, but machine 2 cannot transfer the zone file. So far I have not found any solution for the case where the DNS server roles are swapped. I can dig and do reverse lookups of machine 2, but I cannot do any **dig not.insec -t axfr**. Can someone suggest how I can fix this problem?

So right now I can do a dig from machine 1:

```
dig ns.insec -t axfr
dig not.insec axfr
```

Using these I verified that machine 1 transfers the file to machine 2, but if I run this dig from machine 2 I get the error message below.

This is the log file from machine 2:

```
Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone not.insec/IN: sending notifies (serial 7)
Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone ns.insec/IN: sending notifies (serial 10)
Mar 16 14:26:50 ip-172-31-31-48 named[6131]: zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)
Mar 16 14:50:50 ip-172-31-31-48 dhclient: DHCPREQUEST of 172.31.31.48 on eth0 to 172.31.16.1 port 67 (xid=0x1a6b53e6)
Mar 16 14:50:50 ip-172-31-31-48 dhclient: DHCPACK of 172.31.31.48 from 172.31.16.1
Mar 16 14:50:50 ip-172-31-31-48 dhclient: bound to 172.31.31.48 -- renewal in 1698 seconds.
Mar 16 14:40:54 ip-172-31-31-48 named[6131]: message repeated 4 times: [ zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)]
Mar 16 14:54:47 ip-172-31-31-48 named[6131]: client 172.31.31.48#52792 (ns.insec): zone transfer 'ns.insec/AXFR/IN' denied
Mar 16 14:55:05 ip-172-31-31-48 named[6131]: zone 31.31.172.in-addr.arpa/IN: refresh: non-authoritative answer from master 172.31.22.11#53 (source 0.0.0.0#0)
Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client 172.31.31.48#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied
```

This is named.conf.local from machine 2:

```
zone "not.insec" {
    type master;
    file "/etc/bind/zones/db.not.insec";
    allow-transfer { 172.31.22.11; 127.0.0.1; };
    also-notify { 172.31.22.11; };
};

zone "48-20.31.31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.172.31.31.20-48";
    allow-transfer { 172.31.22.11; };
    also-notify { 172.31.22.11; };
};

zone "ns.insec" {
    type slave;
    file "db.ns.insec";
    masters { 172.31.22.11; };
};

zone "31.31.172.in-addr.arpa" {
    type slave;
    file "db.172.31.31";
    masters { 172.31.22.11; };
};
```

This is named.conf.options from machine 2:

```
acl "allowed" {
    localhost;
    172.31.0.0/20;
    localnets;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    forward only;
    allow-query { allowed; };
    allow-query-cache { allowed; };
    allow-recursion { allowed; };
    recursion yes;
    allow-transfer { 172.31.22.11; 127.0.0.1; };
};
```

These are the file permissions of /etc/bind/ on machine 2.

/etc/bind/ on machine 1 has the same permissions.

```
-rw-r--r-- 1 root root 2389 Mar 8 14:54 bind.keys
-rw-r--r-- 1 root root 237 Mar 8 14:54 db.0
-rw-r--r-- 1 root root 271 Mar 8 14:54 db.127
-rw-r--r-- 1 root root 237 Mar 8 14:54 db.255
-rw-r--r-- 1 root root 353 Mar 8 14:54 db.empty
-rw-r--r-- 1 root root 270 Mar 8 14:54 db.local
-rw-r--r-- 1 root root 3048 Mar 8 14:54 db.root
-rw-rw-r-- 1 bind bind 463 Mar 8 14:54 named.conf
-rw-rw-r-- 1 bind bind 490 Mar 8 14:54 named.conf.default-zones
-rw-rw-r-- 1 bind bind 724 Mar 16 14:20 named.conf.local
-rw-rw-r-- 1 bind bind 1113 Mar 16 14:26 named.conf.options
-rw-rw-r-- 1 bind bind 1112 Mar 16 06:03 named.conf.options.save
-rw-r----- 1 bind bind 77 Mar 15 21:21 rndc.key
drwxr-sr-x 2 bind bind 4096 Mar 16 05:07 zones
-rw-r--r-- 1 root root 1317 Mar 8 14:54 zones.rfc1918
```

named.conf.options on machine 1:

```
acl "trusted" {
    localhost;
    172.31.0.0/20;
    localnets;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    forward only;
    allow-query-cache { trusted; };
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;
    allow-transfer { 172.31.31.48; 127.0.0.1; };
    //also-notify { trusted; };
};
```

Here is named.conf.local on machine 1:

```
zone "ns.insec" {
    type master;
    file "/etc/bind/zones/db.ns.insec";
    allow-transfer { 172.31.31.48; 127.0.0.1; };
    also-notify { 172.31.31.48; };
};

zone "22.31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.172.31.22";
    allow-transfer { 172.31.31.48; };
    also-notify { 172.31.31.48; };
};

zone "not.insec" {
    type slave;
    file "db.not.insec";
    masters { 172.31.31.48; };
};

zone "11-20.22.31.172" {
    type slave;
    file "db.172.31.22.20-11";
    masters { 172.31.31.48; };
};
```

I would appreciate your effort. Thanks.

Here is the log error on server #2:

Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client **172.31.31.48**#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied

Here is how your zone is configured on server #2:

```
zone "not.insec" {
    type master;
    file "/etc/bind/zones/db.not.insec";
    allow-transfer { 172.31.22.11; 127.0.0.1; };
    also-notify { 172.31.22.11; };
};
```

Read both of those very carefully again. The hint is in bold.
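As an added example (not part of the question or the answer above), here is a small Python checker that reads the zone stanzas and the options-level allow-transfer from machine 2's configuration and explains each "zone transfer denied" line in its log by naming the list the client address failed to match. The function names and the brace-matching parser are mine; it resolves only IP addresses and prefixes, not named ACLs such as `localnets`, and a zone stanza without its own allow-transfer is assumed to inherit the one from options {}.

```python
import re
import ipaddress
# Constructed from machine 2's named.conf.local and its options-level allow-transfer as shown in the question.
NAMED_CONF_LOCAL = '''
zone "not.insec" { type master; file "/etc/bind/zones/db.not.insec";
  allow-transfer { 172.31.22.11; 127.0.0.1; }; also-notify { 172.31.22.11; }; };
zone "ns.insec" { type slave; file "db.ns.insec"; masters { 172.31.22.11; }; };
'''
OPTIONS_ALLOW_TRANSFER = "172.31.22.11; 127.0.0.1;"
# The two denial lines from machine 2's log in the question.
NAMED_LOG = '''
Mar 16 14:54:47 ip-172-31-31-48 named[6131]: client 172.31.31.48#52792 (ns.insec): zone transfer 'ns.insec/AXFR/IN' denied
Mar 16 14:55:22 ip-172-31-31-48 named[6131]: client 172.31.31.48#49102 (not.insec): zone transfer 'not.insec/AXFR/IN' denied
'''
DENY_RE = re.compile(r"client (\S+)#\d+ \(([^)]*)\): zone transfer '([^/]+)/AXFR/IN' denied")

def parse_acl(text):
    """'172.31.22.11; 127.0.0.1;' -> list of ip_network (named ACLs such as localnets are not resolved)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in text.split(";") if e.strip()]

def show(net):  # render a host entry the way named.conf writes it, a real prefix with its length
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def zone_allow_transfer(conf):
    """Map zone name -> its own allow-transfer list (None when the stanza has none), matching braces by hand."""
    result = {}
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk forward to the brace that closes this zone stanza
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        acl = re.search(r"allow-transfer\s*\{([^}]*)\}", conf[m.end():i - 1])
        result[m.group(1)] = parse_acl(acl.group(1)) if acl else None
    return result

def explain_denials(conf, log, options_allow):
    """For each 'zone transfer ... denied' log line, report which allow-transfer list the client failed to match."""
    zones, default, findings = zone_allow_transfer(conf), parse_acl(options_allow), []
    for client, _, zone in DENY_RE.findall(log):
        if zone not in zones:
            findings.append((zone, client, "zone is not configured on this server"))
            continue
        # A zone stanza without its own allow-transfer inherits the one from options {}.
        allowed, scope = (zones[zone], "zone") if zones[zone] is not None else (default, "options")
        if any(ipaddress.ip_address(client) in net for net in allowed):
            reason = "address matches the list; the denial must come from elsewhere (TSIG key, view)"
        else:
            reason = f"{client} is not in the {scope}-level allow-transfer {{ {'; '.join(map(show, allowed))}; }}"
        findings.append((zone, client, reason))
    return findings
```

Running `explain_denials(NAMED_CONF_LOCAL, NAMED_LOG, OPTIONS_ALLOW_TRANSFER)` shows that both denials come from the dig being sourced from 172.31.31.48, the host's own eth0 address, which is in neither list, while 127.0.0.1 is.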