我有一个有趣的问题。 我开始注意到,当我对其中一个权威域进行挖掘+追踪时,我们从名称服务器的“错误引荐”中得到错误,您可以看到它将请求转发回命名空间树,而不是回答。 不幸的是我目前无法再现这个问题。 不过,我可以重现不良(水平)转介。 基本上一旦查询被引用到我们的名字服务器,我看到这个:
;; BAD (HORIZONTAL) REFERRAL ;; Received 187 bytes from xxxx#53(ns.example.com in 2 ms 有时候,这个循环直到我遇到“太多的查找”错误,它只是放弃,或者它会停止,并尝试我们的其他服务器,然后得到一个答案。 这是有趣的部分。 如果我要执行一个简单的挖查对服务器连续失败的痕迹,我得到一个答案。 如果我再转过来,再次对同一查询执行dig +跟踪,它再也不会失败。 它的几乎相似的logging被caching在某个地方,并在到期后,你会开始看到消息。 任何人都可以帮我弄清楚这里发生了什么? 这里是关于我们的环境的信息。
1)RHEL 6运行BIND 9.8.2
2)面向公众的权威主从服务器。“
3)服务器设置为“查看”configuration。 (双视图 – 一个用于“内部”一个用于外部)
4)在实现视图之后,我们似乎开始看到这些古怪的东西。
5)打到内部视图的查询被转发到内部视图中不包含的区域的外部视图。 我们使用环回IP来实现这一点。
6)这些权威服务器也设置为通过使用recursion语句和根“提示”区域来recursion回答非授权查询。
这里是我们简化的设置。
主服务器:
acl ext_trusted { xxxx; // trusted net external }; // end of "ext_trusted" ACL definition. acl int_trusted { xxxx; // trusted internal }; // end of ACL for "int_trusted" options { directory "/var/named"; recursive-clients 30000; tcp-clients 2000; check-names master ignore; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named.stats.txt"; memstatistics-file "/var/named/data/named_mem/stats.txt"; zone-statistics yes; cleaning-interval 30; // Listen on ipv4: // Adding localhost for view forwarding listen-on port 53 { xxxx; 127.0.0.1; }; // And, also listen on ipv6: // loopback is required for view forwarding do not remove listen-on-v6 { ::1; xxxx; }; // Enforce the Customer DNS Query ACL Defined Above: allow-query { ext_trusted; int_trusted; }; }; key "internal" { algorithm HMAC-SHA512; secret "xxxxxxxxx"; }; key "external" { algorithm HMAC-SHA512; secret "xxxxxxxx"; }; view "internal" { match-clients { !key external; int_trusted; key internal; }; //IP of slave server IPv4 server xxxx { keys { internal; }; }; //IP of slave server IPv6 server xxxx { keys { internal; }; }; also-notify { //slave servers go here xxxx; xxxx; }; allow-transfer { key internal; local_ns; int_ns; }; empty-zones-enable no; server fe80::/16 { bogus yes; }; server 0.0.0.0/8 {bogus yes; }; zone "example.org" { type master; file "db.eamplein.org"; allow-query { int_trusted; }; }; forwarders { // forward to external view // 127.0.0.1; ::1; }; forward only; }; view "external" { match-clients { any; }; //IP of slave server IPv4 server xxxx { keys { external; }; }; //IP of slave IPv6 server xxxx { keys { external; }; }; also-notify { //IP address of slave server xxxx; xxxx; }; allow-transfer { key external; ext_ns; local_ns; }; server fe80::/16 { bogus yes; }; server 0.0.0.0/8 {bogus yes; }; empty-zones-enable yes; recursion yes; allow-recursion { any; }; zone "." { type hint; file "/var/named/named.ca"; }; zone "example.org" { type master; file "db.eampleout.org"; allow-query { any; }; }; zone "example.com" { type master; file "db.eample.com"; allow-query { any; }; }; };
从服务器configuration:
acl ext_trusted { xxxx; // trusted net external }; // end of "ext_trusted" ACL definition. acl int_trusted { xxxx; // trusted internal }; // end of ACL for "int_trusted" options { directory "/var/named/slaves"; recursive-clients 30000; tcp-clients 2000; check-names master ignore; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; cleaning-interval 30; // Listen on ipv4: // Change this to the proper IP address if you ever switch back! // loopback is required for view forwarding do not remove listen-on port 53 { 127.0.0.1; x.,xxx;; }; // And, also listen on ipv6: // Configure ipv6 before uncommenting this: // loopback is required for view forwarding do not remove listen-on-v6 port 53 { ::1; x,xxx; ; // Enforce the "trusted" ACL defined at the begining of this config file: allow-query { ext_trusted; int_trusted; }; }; key "internal" { algorithm HMAC-SHA512; secret "xxxxxxxxx"; }; key "external" { algorithm HMAC-SHA512; secret "xxxxxxxx"; }; view "internal" { match-clients { !key external; int_trusted; key internal; }; //IPv4 of master server server xxxx { keys { internal; }; }; // IPv6 server xxxx { keys { internal; }; }; allow-transfer { key internal; local_ns; int_ns; }; transfer-source xxxx; empty-zones-enable no; server fe80::/16 { bogus yes; }; server 0.0.0.0/8 {bogus yes; }; zone "example.org" { type slave; file "db.example.org"; masters { xxxx; xxxx; }; allow-query { int_trusted; }; }; forwarders { // forward to external view // 127.0.0.1; ::1; }; forward only; }; view "external" { match-clients { any; }; //IP of master server server xxxx { keys { external; }; }; //IPv6 server xxxx { keys { external; }; }; allow-transfer { key external; ext_ns; local_ns; }; transfer-source xxxx; server fe80::/16 { bogus yes; }; server 0.0.0.0/8 {bogus yes; }; empty-zones-enable yes; recursion yes; allow-recursion { any; }; zone "." { type hint; file "/var/named/named.ca"; }; zone "example.org" { type slave; file "db.exampleout.org"; masters { xxxx; xxxx; }; allow-query { any; }; }; zone "example.com" { type master; file "db.example.com"; allow-query { any; }; }; };
更新:只是一个快速的说明,我已经注意到,从内部视图的ACL中的IP来的dig + trace将永远不会对内部视图内的zone执行dig + trace。 当您从指向内部视图的IP的外部视图中挖掘+跟踪区域时,这似乎只会失败。
Per @ andrew-b的评论,通常是由于委托不匹配。
我遇到了同样的错误,其中一个开发人员正在尝试对host.subdomain.example.org的行进行+ trace跟踪查找。 确切的原因可能会有所不同 – 但可能会有类似的主题。
在我们的案例中的原因是我们有一个防火墙规则,捕获和redirect*发送到“未经授权的”服务器的DNS查找。 该请求将会到达我们自己的DNS服务器,然后执行recursion查找。 客户端会认为这是每次连续发送到互联网,但这些请求实际上是由我们的内部服务器响应。
修复的方法是提醒开发人员,DNS请求将被拦截,并且他们可以从被列入白名单的服务器进行testing以绕过DNSredirect规则。
请参阅下面的开发人员收到的编辑错误:
tricky-desktop:~ tricky$ dig +trace host.subdomain.example.org ; <<>> DiG 9.8.3-P1 <<>> +trace host.subdomain.example.org ;; global options: +cmd . 3600 IN NS g.root-servers.net. . 3600 IN NS l.root-servers.net. . 3600 IN NS j.root-servers.net. . 3600 IN NS k.root-servers.net. . 3600 IN NS b.root-servers.net. . 3600 IN NS m.root-servers.net. . 3600 IN NS d.root-servers.net. . 3600 IN NS i.root-servers.net. . 3600 IN NS e.root-servers.net. . 3600 IN NS c.root-servers.net. . 3600 IN NS h.root-servers.net. . 3600 IN NS a.root-servers.net. . 3600 IN NS f.root-servers.net. ;; Received 477 bytes from 192.168.1.2#53(192.168.1.2) in 87 ms subdomain.example.org. 0 IN NS ns-outside-1.example.org. subdomain.example.org. 0 IN NS ns-outside-2.example.org. subdomain.example.org. 0 IN NS ns-outside-3.example.org. subdomain.example.org. 0 IN NS ns-outside-4.example.org. ;; Received 295 bytes from 199.43.133.53#53(199.43.133.53) in 14 ms subdomain.example.org. 0 IN NS ns-outside-2.example.org. subdomain.example.org. 0 IN NS ns-outside-3.example.org. subdomain.example.org. 0 IN NS ns-outside-4.example.org. subdomain.example.org. 0 IN NS ns-outside-1.example.org. ;; BAD (HORIZONTAL) REFERRAL ;; Received 295 bytes from 199.43.135.53#53(199.43.135.53) in 5 ms ... 29 REPEATS REDACTED ... subdomain.example.org. 0 IN NS ns-outside-4.example.org. subdomain.example.org. 0 IN NS ns-outside-1.example.org. subdomain.example.org. 0 IN NS ns-outside-2.example.org. subdomain.example.org. 0 IN NS ns-outside-3.example.org. ;; BAD (HORIZONTAL) REFERRAL dig: too many lookups tricky-desktop:~ tricky$
由于“智能DNS”服务改变其DNSconfiguration,BYOD员工原先不需要查看私有内部服务,因此防火墙规则最初是必需的。