The short version of my problem is that we have started a DNS server upgrade at my plant.
We currently have 2 internal DNS servers and 2 external DNS servers. We are upgrading to new hardware and consolidating our servers, so we will have 1 master and 1 slave that handle both internal and external DNS. Both servers have two NICs, one with an address in the public external network and one in the internal network. On my master I set up an Internal view that is only reachable from our internal network ranges and an External view that anyone may query. I have everything set up and DNS resolution works fine. The problem I am running into is that when I configure the slave and set it up, the slave only picks up updates for the zones listed in the Internal view. All of the External view zones fail with
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> IN AXFR 43.96.32.in-addr.arpa @129.yy.yy.10
;; global options: +cmd
; Transfer failed.
I have been googling like crazy and cannot find a solution; hopefully someone here may know why this is happening.
Below I will give samples of my master/slave named.conf files. My systems are currently running RHEL 6.6 and BIND DNS 9.8.2.
Master – Named.conf
acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16; 10.2.0.0/16; 169.254.0.0/16; 172.23.0.0/16; 32.0.0.0/8; 12.109.164.0/24; 12.109.165.0/24; 63.79.18.0/24; 63.88.0.0/16; 129.42.0.0/16; 4.30.26.0/24; 4.28.188.0/24; 172.21.131.248/29; };
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };

options {
    directory "/etc";
    pid-file "/var/run/named/named.pid";
    dnssec-enable no;
    query-source port 53;
    forward only;
    notify yes;
    allow-query { any; };
    listen-on { 10.xx.xx.1; 127.0.0.1; 129.yy.yy.10; };
    forwarders { 129.34.20.80; 198.4.83.35; 4.2.2.2; 8.8.8.8; };
    allow-transfer { 127.0.0.1; };
};

server 10.xx.xx.2 { transfer-format many-answers; transfers 10000; };
server 129.yy.yy.11 { transfer-format many-answers; transfers 10000; };

view "Internal" {
    match-clients { internal_hosts; !external_slave; internal_slave; };
    also-notify { 10.xx.xx.2; };
    allow-transfer { internal_slave; };
    recursion yes;
    allow-recursion { internal_hosts; };
    transfer-source 10.xx.xx.1;

    zone "64.2.10.in-addr.arpa" {
        type master;
        also-notify { 10.xx.xx.2; };
        notify yes;
        allow-transfer { internal_slave; };
        file "/var/named/10.2.64.rev";
    };
};

view "External" {
    match-clients { !internal_slave; external_slave; any; };
    recursion no;
    allow-transfer { external_slave; };
    also-notify { 129.yy.yy.11; };
    transfer-source 129.yy.yy.10;

    zone "50.146.204.in-addr.arpa" {
        type master;
        notify yes;
        also-notify { 129.yy.yy.11; };
        allow-transfer { external_slave; };
        file "/var/named/204.146.50.rev";
    };
};
Slave – Named.conf
acl internal_hosts { 10.101.0.0/16; 172.21.0.0/16; 10.2.0.0/16; 169.254.0.0/16; 172.23.0.0/16; 32.0.0.0/8; 12.109.164.0/24; 12.109.165.0/24; 63.79.18.0/24; 63.88.0.0/16; 129.42.0.0/16; 4.30.26.0/24; 4.28.188.0/24; 172.21.131.248/29; };
acl internal_slave { 10.xx.xx.2; };
acl external_slave { 129.yy.yy.11; };
acl internal_master { 10.xx.xx.1; };
acl external_master { 129.yy.yy.10; };

options {
    directory "/etc";
    pid-file "/var/run/named/named.pid";
    dnssec-enable no;
    query-source port 53;
    forward only;
    allow-query { any; };
    listen-on port 53 { 127.0.0.1; 10.xx.xx.2; 129.yy.yy.11; };
    forwarders { 129.34.20.80; 198.4.83.35; 4.2.2.2; 8.8.8.8; };
    allow-transfer { 127.0.0.1; };
};

server 10.xx.xx.1 { transfer-format many-answers; transfers 10000; };
server 129.yy.yy.10 { transfer-format many-answers; transfers 10000; };

view "Internal" {
    match-clients { internal_hosts; !external_master; internal_master; };
    recursion yes;
    allow-recursion { internal_hosts; };
    allow-transfer { internal_master; };
    transfer-source 10.xx.xx.2;
    allow-notify { 10.xx.xx.1; };

    zone "64.2.10.in-addr.arpa" {
        type slave;
        masters { 10.xx.xx.1; };
        allow-transfer { internal_master; };
        allow-update { internal_master; };
        file "/var/named/slaves/10.2.64.Internal.rev";
    };
};

view "External" {
    allow-transfer { external_master; };
    allow-notify { 129.yy.yy.10; };
    transfer-source 129.yy.yy.11;
    match-clients { !internal_master; external_master; internal_hosts; any; };
    recursion no;

    zone "50.146.204.in-addr.arpa" {
        type slave;
        masters { 129.yy.yy.10; };
        allow-transfer { external_master; };
        allow-update { external_master; };
        file "/var/named/slaves/204.146.50.External.rev";
    };
};
Here is the output from /var/log/messages on my master for the digs. The dig for brsbld.ihost.com is the one in the External view that fails, while the dig for bldbcrs.net is in the Internal view and works fine.
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR started
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:31 bbridns01 named[1717]: client 10.101.8.2#55756: view Internal: transfer of 'bldbcrs.net/IN': AXFR ended
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)
Apr 17 09:32:56 bbridns01 named[1717]: client 129.42.206.11#41783: view Internal: bad zone transfer request: 'brsbld.ihost.com/IN': non-authoritative zone (NOTAUTH)
Solution
Just wanted to update this to let you know the solution I found. The match-clients parameter under my Internal view was what messed me up.
match-clients { internal_hosts; !external_slave; internal_slave; };
The internal_hosts acl includes the range 129.42.0.0/16. It is listed before !external_slave; since the slave is 129.42.206.11, BIND picked that entry first and put the slave into the Internal view. I rearranged it so that it excludes external_slave first, and then the slave was correctly picked up by the External view.
match-clients { !external_slave; internal_hosts; internal_slave; };
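The failure above comes from BIND's first-match rule for address match lists: the server walks match-clients top to bottom and the first element that matches the client decides, positive or negated, and nothing after it is consulted. The following script is an added example that is not part of the original post; it simulates that rule for the two view orderings and shows which element decided each case. The slave addresses 129.42.206.11 and 10.101.8.2 are taken from the posted log (the config masks them as 129.yy.yy.11 and 10.xx.xx.2); the built-in `any` is modelled as 0.0.0.0/0 (IPv4 only), and 203.0.113.5 is a made-up Internet client.

```python
"""Simulate BIND 9 address_match_list evaluation for view selection.

BIND stops at the FIRST element of a match-clients list that matches the
client address: a plain element gives a positive match, a "!"-prefixed one a
negative match (the view is skipped).  A negation therefore only takes effect
if it is listed before any broader positive element that also matches.
"""
import ipaddress

# ACLs from the post's named.conf.  The slave addresses are the ones visible
# in the posted log; the config itself masks them as 129.yy.yy.11 / 10.xx.xx.2.
# BIND's built-in "any" is modelled here as 0.0.0.0/0 (IPv4 only).
ACLS = {
    "internal_hosts": [
        "10.101.0.0/16", "172.21.0.0/16", "10.2.0.0/16", "169.254.0.0/16",
        "172.23.0.0/16", "32.0.0.0/8", "12.109.164.0/24", "12.109.165.0/24",
        "63.79.18.0/24", "63.88.0.0/16", "129.42.0.0/16", "4.30.26.0/24",
        "4.28.188.0/24", "172.21.131.248/29",
    ],
    "internal_slave": ["10.101.8.2"],
    "external_slave": ["129.42.206.11"],
    "any": ["0.0.0.0/0"],
}

# Master's match-clients lists before and after the fix described in the answer.
ORIGINAL_VIEWS = [
    ("Internal", ["internal_hosts", "!external_slave", "internal_slave"]),
    ("External", ["!internal_slave", "external_slave", "any"]),
]
FIXED_VIEWS = [
    ("Internal", ["!external_slave", "internal_hosts", "internal_slave"]),
    ("External", ["!internal_slave", "external_slave", "any"]),
]


def first_match(client, elements, acls=ACLS):
    """Evaluate one address_match_list with first-match semantics.

    Returns (verdict, element): verdict is True for a positive match, False for
    a negated match, None when nothing matched; element is the entry that
    decided.  A nested ACL counts as a hit only when it matches positively;
    a negated hit inside a nested ACL is "no match" for the enclosing element,
    which is how BIND treats indirect ACLs.
    """
    ip = ipaddress.ip_address(str(client))
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls:
            hit = first_match(ip, acls[name], acls)[0] is True
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return (not negated), element
    return None, None


def match_list(client, elements, acls=ACLS):
    """Verdict only: True / False / None."""
    return first_match(client, elements, acls)[0]


def select_view(client, views, acls=ACLS):
    """Name of the first view whose match-clients accepts the client, else None."""
    for view_name, match_clients in views:
        if match_list(client, match_clients, acls) is True:
            return view_name
    return None


if __name__ == "__main__":
    clients = ("129.42.206.11", "10.101.8.2", "129.42.1.1", "203.0.113.5")
    for label, views in (("original", ORIGINAL_VIEWS), ("fixed", FIXED_VIEWS)):
        for client in clients:
            chosen = select_view(client, views)
            decided_by = [first_match(client, mc)[1] for _, mc in views]
            print(f"{label:8} {client:15} -> {chosen!s:8} decided by {decided_by}")
```

With the original order the external slave lands in Internal because `internal_hosts` (via 129.42.0.0/16) fires before `!external_slave` ever gets a look, which is exactly the "view Internal ... NOTAUTH" line in the log; after the fix the negation fires first, Internal is skipped, and External accepts the slave through `external_slave`. Ordinary hosts in 129.42.0.0/16 still reach Internal in both orderings. The general rule this illustrates: put every `!` exclusion ahead of any ACL or network that could also match the same address.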