BIND cannot resolve 'WARNING: recursion requested but not available'

  1. No errors in the log, and query logging does not initialize
  2. iptables completely disabled

But the server responds with "WARNING: recursion requested but not available" because my client 104.200.17.225 is going to external. But the client is in the "trusted" ACL. BIND completely ignores my trusted list.

    mlr01 ~ # dig facebook.com

    ; <<>> DiG 9.9.5 <<>> facebook.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;facebook.com.                  IN      A

    ;; AUTHORITY SECTION:
    .                       3600000 IN      NS      G.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      I.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      E.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      L.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      K.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      M.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      H.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      A.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      F.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      C.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      D.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      J.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      B.ROOT-SERVERS.NET.

    ;; Query time: 42 msec
    ;; SERVER: 66.228.35.79#53(66.228.35.79)
    ;; WHEN: Thu Oct 16 23:28:20 UTC 2014
    ;; MSG SIZE  rcvd: 252

named seems to be ignoring my ACL:

    cat /etc/bind/named.conf
    acl "outside" {
        any;
    };
    acl "trusted" {
        173.255.211.166;
        104.200.17.225; //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
    };
    options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";
        transfer-source 198.74.49.126;
        listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d; };
        listen-on { 127.0.0.1; 66.228.35.79; };
        max-cache-ttl 1600;
        version none;
        allow-query { any; };
        allow-query-cache { any; };
        allow-transfer { trusted; };
        allow-update { trusted; };
        //forward first;
        forwarders {
            109.74.192.20;
            97.107.133.4;
            198.74.49.126; //internal router1
        };
    };
    logging {
        channel default_log {
            file "/var/log/named/named.log" versions 5 size 50M;
            print-time yes;
            print-severity yes;
            print-category yes;
            severity warning;
        };
        channel resolver_file {
            file "/var/log/named/resolver.log" versions 3 size 5m;
            severity dynamic;
            print-time yes;
        };
        channel xfer-in_file {
            file "/var/log/named/xfer-in.log" versions 3 size 5m;
            severity dynamic;
            print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
    };
    include "/etc/bind/rndc.key";
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
    };
    view "internal" {
        match-clients { trusted; };
        allow-query-cache { any; };
        allow-recursion { trusted; };
        recursion yes;
        zone "azevedomd.com" {
            type master;
            file "pri/azevedomd.com.internal";
        };
        zone "35.228.66.in-addr.arpa" {
            type master;
            file "pri/reverse.internal";
        };
        zone "127.in-addr.arpa" {
            type master;
            file "pri/127.0.0.1";
        };
    };
    view "external" {
        match-clients { any; };
        match-destinations { any; };
        recursion no;
        allow-query { any; };
        zone "." IN {
            type hint;
            file "/var/bind/named.ca";
        };
        zone "azevedomd.com" {
            type master;
            file "pri/azevedomd.com.external";
        };
        zone "35.228.66.in-addr.arpa" {
            type master;
            file "pri/reverse.external";
        };
        zone "127.in-addr.arpa" {
            type master;
            file "pri/127.0.0.1";
        };
    };

Query logging shows that it is going to external. Why are the internal view and the trusted list being ignored? The client is in the list.

 17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79 

Try switching your ACL statements around:

    acl "trusted" {
        173.255.211.166;
        104.200.17.225; //this is the client in question
        10.8.0.0/24;
        10.8.1.0/24;
        127.0.0.1/32;
        ::1/128;
    };
    acl "outside" {
        any;
    };

Your 104.200.17.225 client matches the "outside" acl first. Rearranging the order of the acls may help, but a more reliable approach is to exclude the "trusted" addresses from "outside":

    acl "outside" {
        !173.255.211.166;
        !104.200.17.225; //this is the client in question
        !10.8.0.0/24;
        !10.8.1.0/24;
        !127.0.0.1/32;
        !::1/128;
        any;
    };
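The ACL and view matching that this question and answer turn on, as an added worked example (this is not code from the question, the answer or BIND itself): a small Python model of BIND's documented address_match_list semantics, in which elements are tried in order, the first element that matches the address decides, and a matching `!` element rejects. The "trusted" ACL and the two views are transcribed from the named.conf in the question; the negated "outside" ACL is the one the answer proposes; the addresses 8.8.8.8 and 2001:db8::1 are constructed test inputs. The model ignores keys, `match-destinations` and `match-recursive-only`, which this configuration does not rely on for the client in question.

```python
import ipaddress
from typing import Dict, List, Optional

# ACL table transcribed from the question's named.conf, plus the negated
# "outside" list from the answer. Each element is written as it would be
# in an address_match_list: a prefix, a bare address, "any"/"none", the
# name of another ACL, or any of those prefixed with "!" to negate it.
ACLS: Dict[str, List[str]] = {
    "trusted": ["173.255.211.166", "104.200.17.225", "10.8.0.0/24",
                "10.8.1.0/24", "127.0.0.1/32", "::1/128"],
    # "outside" exactly as posted in the question
    "outside_as_posted": ["any"],
    # "outside" as the answer proposes it: trusted addresses excluded
    "outside_negated": ["!173.255.211.166", "!104.200.17.225", "!10.8.0.0/24",
                        "!10.8.1.0/24", "!127.0.0.1/32", "!::1/128", "any"],
}

# Views in configuration order with their match-clients lists (from the question).
VIEWS = [("internal", ["trusted"]), ("external", ["any"])]


def match_acl(elements: List[str], client: str,
              acls: Dict[str, List[str]] = ACLS, _depth: int = 0) -> Optional[bool]:
    """Evaluate an address_match_list the way BIND documents it: walk the
    elements in order; the first element that matches the address decides.
    Returns True (accepted), False (a negated element matched, so rejected)
    or None (nothing matched, which BIND also treats as 'not allowed')."""
    if _depth > 16:
        raise RecursionError("ACL reference loop")
    addr = ipaddress.ip_address(client)
    for element in elements:
        negate = element.startswith("!")
        body = element[1:].strip() if negate else element.strip()
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body in acls:
            # Nested ACL: only a positive match inside it counts as a hit.
            # A negated match inside a nested ACL is treated as "no match"
            # and evaluation moves on to the next element (BIND behaviour).
            hit = match_acl(acls[body], client, acls, _depth + 1) is True
        else:
            try:
                net = ipaddress.ip_network(body, strict=False)
            except ValueError as exc:
                raise ValueError(f"unsupported ACL element {element!r}") from exc
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return None


def select_view(client: str, views=VIEWS, acls=ACLS) -> Optional[str]:
    """Return the first view (in configuration order) whose match-clients
    list accepts the client, or None if no view accepts it."""
    for name, match_clients in views:
        if match_acl(match_clients, client, acls) is True:
            return name
    return None


if __name__ == "__main__":
    for ip in ("104.200.17.225", "8.8.8.8", "2001:db8::1"):  # 8.8.8.8 / 2001:db8::1 are constructed inputs
        print(f"{ip:16} trusted={match_acl(acls['trusted'] if False else ACLS['trusted'], ip)!s:5} "
              f"outside_negated={match_acl(ACLS['outside_negated'], ip)!s:5} "
              f"view={select_view(ip)}")
```

Run it to see which view each address should land in under the configuration as written. If that disagrees with what the query log reports for a real query from the same address, the running named is not evaluating the file you are reading (compare `named-checkconf -p` on the path the process was started with, and confirm the process was reloaded after the last edit). The `acls['trusted'] if False else` fragment in the print loop is a placeholder kept minimal; the functions above are the part worth reusing.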