I'm building two DNS servers. One is a firewall/router, the other is an internal server. I have a lot of experience setting up DNS servers, so this problem is particularly confusing.

Firewall external address: 207.62.233.2
Firewall internal address: 10.24.0.1
Secondary internal address: 10.24.0.21
    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
    };

    view "internal" {
        match-clients { 10.24.0.0/16; 127.0.0.1; };
        match-recursive-only yes;
        allow-recursion { clients; };
        allow-transfer { 10.24.0.21; };
        zone "ct.sierracollege.edu" {
            type master;
            file "data/db.ct.int";
        };
        include "/etc/named.rfc1912.zones";
        zone "." IN {
            type hint;
            file "named.ca";
        };
    };

    view "external" {
        recursion no;
        match-clients { any; };
        allow-transfer { any; };   // temporarily allowed for debugging purposes
        zone "ct.sierracollege.edu" {
            type master;
            file "data/db.ct.ext";
        };
    };
Split DNS on the firewall works fine. If I query it from an internal machine, I get the internal answer; likewise, querying from an external machine gives me the external answer. Here is an internal query:
    # dig @10.24.0.1 ct1.ct.sierracollege.edu

    ; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct1.ct.sierracollege.edu
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51024
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;ct1.ct.sierracollege.edu.      IN      A

    ;; ANSWER SECTION:
    ct1.ct.sierracollege.edu. 3600  IN      A       10.24.0.11

    ;; AUTHORITY SECTION:
    ct.sierracollege.edu.   3600    IN      NS      cs.sierracollege.edu.
    ct.sierracollege.edu.   3600    IN      NS      fw.ct.sierracollege.edu.

    ;; ADDITIONAL SECTION:
    cs.sierracollege.edu.   3600    IN      A       10.24.0.21
    fw.ct.sierracollege.edu. 3600   IN      A       10.24.0.1

    ;; Query time: 1 msec
    ;; SERVER: 10.24.0.1#53(10.24.0.1)
    ;; WHEN: Wed Jan  6 12:57:02 2010
    ;; MSG SIZE  rcvd: 124
Zone transfers, however, do not work correctly. Instead of transferring the internal zone, it transfers the external one. Here is an example, run from the same internal machine as above:
    # dig @10.24.0.1 ct.sierracollege.edu axfr

    ; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct.sierracollege.edu axfr
    ; (1 server found)
    ;; global options:  printcmd
    ct.sierracollege.edu.   3600    IN      SOA     ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
    ct.sierracollege.edu.   3600    IN      NS      fw.ct.sierracollege.edu.
    ct1.ct.sierracollege.edu. 3600  IN      A       207.62.233.11
    ct2.ct.sierracollege.edu. 3600  IN      A       207.62.233.12
    ct3.ct.sierracollege.edu. 3600  IN      A       207.62.233.13
    fw.ct.sierracollege.edu. 3600   IN      A       207.62.233.2
    ct.sierracollege.edu.   3600    IN      SOA     ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
    ;; Query time: 2 msec
    ;; SERVER: 10.24.0.1#53(10.24.0.1)
    ;; WHEN: Wed Jan  6 13:01:37 2010
    ;; XFR size: 7 records (messages 1, bytes 208)
The entries in /var/log/messages show that the external view is being hit:
    Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR started
    Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR ended
So my slaves directory is being populated with the external zone file rather than the internal one.

Any ideas?
Have you tried using ACLs? Sounds funny, I know. Also, why is match-recursive-only turned on? Wouldn't that mean your clients only get results if they're doing recursive queries?
    acl "internal-net" { 10.24.0.0/16; 127/8; };

    view "internal" {
        match-clients { "internal-net"; };

        # --- I'm removing this because I'm making the daft assumption
        # --- that you are trusting your clients on your internal network,
        # --- so why bother restricting them? Then there's this tidbit
        # --- from http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only
        # --- which seems to imply that the client match will fail because
        # --- the client might not be asking for recursion...
        #match-recursive-only yes;

        allow-recursion { "internal-net"; };
        allow-transfer { "internal-net"; };
        zone "ct.sierracollege.edu" {
            type master;
            file "data/db.ct.int";
        };
        include "/etc/named.rfc1912.zones";
        zone "." IN {
            type hint;
            file "named.ca";
        };
    };
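The following is an added example for this thread; it is not the asker's or the answerer's code, and not BIND's own source. It models the two view-matching rules that decide the behaviour seen in the question and the answer above: named walks the views in configuration order and picks the first one whose match-clients list contains the client address and, when match-recursive-only is yes, whose query carries the RD (recursion desired) bit. A zone-transfer request is non-recursive, so under the asker's configuration it skips the internal view and lands in the catch-all external view, which is exactly what the log line "view external: transfer of ..." records. The addresses and view names are taken from the thread; the query descriptions and the 203.0.113.5 outside client are constructed inputs.

```python
"""Model of BIND 9 view selection for the configurations in this thread.

Added example, not code from the thread or from BIND itself.  It reproduces
only the matching rules relevant here: view order, match-clients, and
match-recursive-only (which requires the RD bit in the query header).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class View:
    name: str
    match_clients: List[str]                        # prefixes, hosts, or "any"
    match_recursive_only: bool = False
    allow_transfer: List[str] = field(default_factory=list)


@dataclass
class Query:
    client: str      # source address of the query
    qtype: str       # e.g. "A" or "AXFR"; informational only
    rd: bool         # recursion-desired flag in the DNS header


def addr_matches(addr: str, acl: List[str]) -> bool:
    """Address-match-list check: the first matching element wins."""
    ip = ip_address(addr)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        # A bare host such as 127.0.0.1 is a /32 prefix.
        prefix = entry if "/" in entry else f"{entry}/32"
        if ip in ip_network(prefix, strict=False):
            return True
    return False


def select_view(views: List[View], q: Query) -> Optional[View]:
    """Return the first view in configuration order that accepts the query,
    or None when no view matches (named then refuses the query)."""
    for v in views:
        if not addr_matches(q.client, v.match_clients):
            continue
        if v.match_recursive_only and not q.rd:
            continue        # non-recursive query (e.g. AXFR) skips this view
        return v
    return None


def evaluate(views: List[View], q: Query) -> Tuple[str, bool]:
    """Return (selected view name, whether this client may transfer zones)."""
    v = select_view(views, q)
    if v is None:
        return ("<refused>", False)
    return (v.name, addr_matches(q.client, v.allow_transfer))


# The asker's configuration as posted: the internal view demands recursion.
ORIGINAL = [
    View("internal", ["10.24.0.0/16", "127.0.0.1"],
         match_recursive_only=True, allow_transfer=["10.24.0.21"]),
    View("external", ["any"], allow_transfer=["any"]),
]

# The answerer's internal view (match-recursive-only dropped, ACL used);
# the external view is unchanged from the question.  The answer's 127/8 is
# written here in the long form Python's ipaddress module accepts.
INTERNAL_NET = ["10.24.0.0/16", "127.0.0.0/8"]
FIXED = [
    View("internal", INTERNAL_NET, allow_transfer=INTERNAL_NET),
    View("external", ["any"], allow_transfer=["any"]),
]

# Constructed queries mirroring the thread's dig runs from 10.24.0.21,
# plus one from a constructed outside address.
RECURSIVE_LOOKUP = Query("10.24.0.21", "A", rd=True)
ZONE_TRANSFER = Query("10.24.0.21", "AXFR", rd=False)
OUTSIDE_LOOKUP = Query("203.0.113.5", "A", rd=True)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for q in (RECURSIVE_LOOKUP, ZONE_TRANSFER, OUTSIDE_LOOKUP):
            view, xfr = evaluate(cfg, q)
            print(f"{label:8} {q.client:12} {q.qtype:4} rd={q.rd!s:5} "
                  f"-> view {view}, transfer allowed: {xfr}")
```

Running it shows the recursive A lookup from 10.24.0.21 selecting the internal view under both configurations, while the AXFR from the same host selects external under the original configuration and internal once match-recursive-only is removed. It also makes visible that the external view's allow-transfer { any; } (which the asker marked as temporary) is what let the internal host pull the external zone at all; with it tightened, a mis-routed transfer request would have been refused rather than silently served the wrong data.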