Debian Wheezy, bind and a generic configuration with views

I have been struggling for the last few days to get my bind working. I believe it has a very generic configuration, but somehow, when the domain name (myho.st) is used, it does not give local clients the proper IP of my server. The system is Debian Wheezy. named-checkconf reports no errors.

The configuration is as follows:

/etc/bind/named.conf

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.log";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

    acl localhost_acl { 127.0.0.1; };
    acl internal_10_acl { 192.168.10.0/24; };

/etc/bind/named.conf.local

    include "/etc/bind/zones.rfc1918";

    view "local_view" {
        match-clients { localhost_acl; internal_10_acl; };
        zone "myho.st" {
            type master;
            file "/etc/bind/db.myho.st";
        };
    };

/etc/bind/zones.rfc1918

    view "global_view" {
        zone "10.in-addr.arpa"     { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

/etc/bind/named.conf.default-zones

    view "default_view" {
        // prime the server with knowledge of the root servers
        zone "." {
            type hint;
            file "/etc/bind/db.root";
        };

        // be authoritative for the localhost forward and reverse zones, and for
        // broadcast zones as per RFC 1912
        zone "localhost" {
            type master;
            file "/etc/bind/db.local";
        };
        zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
        };
        zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
        };
        zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
        };
    };

/etc/bind/named.conf.log

    logging {
        channel update_debug {
            file "/var/log/bind/update_debug.log" versions 3 size 100k;
            severity debug;
            print-severity yes;
            print-time yes;
        };
        channel security_info {
            file "/var/log/bind/security_info.log" versions 1 size 100k;
            severity info;
            print-severity yes;
            print-time yes;
        };
        channel bind_log {
            file "/var/log/bind/bind.log" versions 3 size 1m;
            severity info;
            print-category yes;
            print-severity yes;
            print-time yes;
        };

        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
    };

/etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.10.1; };
        allow-transfer { none; };
        allow-query { localhost_acl; internal_10_acl; };
    };

And finally /etc/bind/db.myho.st

    $TTL 3h
    @   IN  SOA ns.myho.st. hostmaster.myho.st. (
                4   ; Serial
                3h  ; Refresh after 3 hours
                1h  ; Retry after 1 hour
                1w  ; Expire after 1 week
                1h ) ; Negative caching TTL of 1 day
    ;
    @   IN  NS  ns.myho.st.
    @   IN  A   192.168.10.1
    ns  IN  A   192.168.10.1

named-checkzone myho.st /etc/bind/db.myho.st does not report any errors either.

My clients are in the 192.168.10.0/24 subnet, and they can all ping 192.168.10.1, which is the server's IP. But the myho.st domain name is being resolved to the global IP via the ISP's DNS, although apparently by my server:

    user@client:~$ nslookup myho.st
    Server:     192.168.10.1
    Address:    192.168.10.1#53

    Non-authoritative answer:
    Name:   myho.st
    Address: *some global IP*

Obviously I am missing some basic setting in named.conf*, but I cannot see exactly which one. Possibly the views are not configured correctly. Please advise.

From what I see, the names of your configuration parts are misleading (besides, I can say that the Debian tradition of splitting a normal configuration file into 9000+ pieces is generally misleading and counterproductive).

Consider this:

 view clauses are processed in the order in which they appear in the named.conf file. Thus, in the example above the 'badguys' view clause matching condition (any) also satisfies the 'trusted' view matching condition. However, since 'trusted' appears first its matching condition is the first to be satisfied and view matching stops. 

I can say that your global_view is processed first, so your local clients match it. Move include "/etc/bind/zones.rfc1918"; (yes, that is a misleadingly named include) after the local_view view.

It is important to understand that every query will hit exactly one view, which is the first view that matches the incoming query (based on match-*).

You have three views, two of which have no requirements at all on which queries will match them.

This leads to a situation where, depending on how the views are ordered, one or two of the views can never be queried by anyone.

If your default_view or your global_view is first, then all queries go into that view and the remaining two views are unreachable.

If your local_view is first, then addresses that do not match match-clients { localhost_acl; internal_10_acl; }; can query whichever of default_view or global_view comes first, but the last view is still unreachable.

Another aspect is that, in the last example, queries matching local_view will not see any of the zones in the other views, even though those queries have no special requirements.

All in all, introducing views into the default configuration shipped by this distribution should really not be done on a "one view per file" basis, but with the above considerations in mind.
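As an added illustration (not part of either answer above) of the first-match rule both answers describe, this Python script simulates BIND's view selection over the three views from the question, in the original include order and with zones.rfc1918 moved after local_view as the first answer suggests. View and ACL names come from the question; the client addresses are constructed samples, and the options-level allow-query is not modelled.

```python
import ipaddress

# ACLs mirroring the question's named.conf; "any" is BIND's built-in ACL.
ACLS = {
    "localhost_acl": ["127.0.0.1"],
    "internal_10_acl": ["192.168.10.0/24"],
    "any": ["0.0.0.0/0"],
}

# (view name, match-clients, a few of its zones). A view with no match-clients
# statement defaults to { any; }, which is the case for global_view and default_view.
ORIGINAL_ORDER = [
    ("global_view", ["any"], ["10.in-addr.arpa", "16.172.in-addr.arpa"]),  # zones.rfc1918, included first
    ("local_view", ["localhost_acl", "internal_10_acl"], ["myho.st"]),
    ("default_view", ["any"], [".", "localhost", "127.in-addr.arpa"]),
]

# The fix from the first answer: local_view before the include of zones.rfc1918.
FIXED_ORDER = [ORIGINAL_ORDER[1], ORIGINAL_ORDER[0], ORIGINAL_ORDER[2]]


def acl_matches(acl_names, client):
    """True if the client address is covered by any entry of any named ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for name in acl_names for entry in ACLS[name])


def select_view(views, client):
    """First view whose match-clients accepts the client, exactly as BIND does."""
    for name, match_clients, _zones in views:
        if acl_matches(match_clients, client):
            return name
    return None  # no view matched: BIND would answer REFUSED


def can_answer(views, client, zone):
    """Is the zone served in the one view this client lands in?"""
    chosen = select_view(views, client)
    return any(name == chosen and zone in zones for name, _m, zones in views)


def reachable_views(views):
    """Views that at least one of a constructed sample of client addresses can reach."""
    samples = ["127.0.0.1", "192.168.10.5", "10.0.0.5", "203.0.113.9"]
    return {select_view(views, c) for c in samples} - {None}


if __name__ == "__main__":
    for label, views in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "192.168.10.5 ->", select_view(views, "192.168.10.5"),
              "| serves myho.st:", can_answer(views, "192.168.10.5", "myho.st"),
              "| reachable:", sorted(reachable_views(views)))
```

Note that default_view is unreachable in both orders because global_view already matches any client that local_view does not; that is the second answer's point about two unconstrained views.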