I'm using bind9 on the primary DNS server, with two secondary DNS servers in a master/slave relationship. I'm trying to implement DDNS, but I seem to be running into a problem when the forward mapping is added; I get the error
Unable to add forward map from DESKTOP-9MFAP8Q.student.co.uk to 192.168.80.51: SERVFAIL
I initially got a REFUSED error until I added the DHCP server's address to the allow-query and allow-transfer options on the primary DNS in named.conf.local.
I'm not sure whether this is required, it's just something I tried to get it working.
I tried changing the permissions on the zone files with
sudo chown bind:bind /etc/bind/*.db
sudo chmod 664 /etc/bind/*.db
but that made no difference to the result.
I'll post the config files below, any help appreciated.
Router - 192.168.80.2
DHCP - 192.168.80.3
Primary DNS - 192.168.80.4
Secondary DNS - 192.168.80.5, 192.168.80.6
------------------------- Primary DNS -------------------------
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

key "rndc-key" {
    algorithm hmac-sha256;
    secret "ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==";
};

zone "student.co.uk" {
    type master;
    file "/etc/bind/db.student.co.uk";
    notify no;
    allow-query {
        127.0.0.1;
        192.168.80.5;
        192.168.80.6;
        192.168.80.3;
    };
    allow-transfer {
        192.168.80.5;
        192.168.80.6;
        192.168.80.3;
    };
    allow-update {
        { key rndc-key; };
    };
};

zone "80.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.80.168.192.in-addr.arpa";
    notify no;
    allow-query {
        127.0.0.1;
        192.168.80.5;
        192.168.80.6;
    };
    allow-transfer {
        192.168.80.5;
        192.168.80.6;
    };
    allow-update {
        { key rndc-key; };
    };
};
named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    allow-query {
        192.168.80.5;
        192.168.80.6;
        127.0.0.1;
    };
    allow-transfer {
        192.168.80.5;
        192.168.80.6;
        127.0.0.1;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};
db.80.168.192.in-addr.arpa
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2021020902 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.student.co.uk.
@ IN NS ns2.student.co.uk.
150 IN PTR www.student.co.uk.
151 IN PTR www.student.co.uk.
db.student.co.uk
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2021021902 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.student.co.uk.
@ IN NS ns2.student.co.uk.
ns1 IN A 192.168.80.5
ns2 IN A 192.168.80.6
www IN A 192.168.80.150
www IN A 192.168.80.151
------------------------- DHCP -------------------------
dhcpd.conf
# option definitions common to all supported networks...
option domain-name "student.co.uk";
option domain-name-servers 192.168.80.5, 192.168.80.6;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-updates on;
ddns-update-style standard;
update-static-leases on;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
allow unknown-clients;
use-host-decl-names on;

key rndc-key {
    algorithm hmac-sha256;
    secret ppxPx1DgcHkDWDgngLNlgKAETBPEEL9+k8kn9zI/iKRHMdP/8G+U4FRasufyNGOKuUGgTfNqHnOyFxs3zuWlMA==;
};

zone student.co.uk. {
    primary 192.168.80.4;
    key rndc-key;
}

zone 80.168.192.in-addr.arpa. {
    primary 192.168.80.4;
    key rndc-key;
}

subnet 192.168.80.0 netmask 255.255.255.0 {
    range 192.168.80.50 192.168.80.100;
    option domain-name-servers 192.168.80.5, 192.168.80.6;
    option domain-name "student.co.uk";
    ddns-domainname "student.co.uk.";
    ddns-rev-domainname "in-addr.arpa.";
    option subnet-mask 255.255.255.0;
    option routers 192.168.80.2;
    option broadcast-address 192.168.80.255;
    default-lease-time 600;
    max-lease-time 7200;

    host DOMAIN1 {
        hardware ethernet 00:0c:29:20:87:b0;
        fixed-address 192.168.80.99;
        ddns-hostname "test";
    }
}
General advice
Check BIND's logs (from the look of it, that is where the error is happening); you should find the relevant error message from the update attempt there.
My hunch (an educated guess, if you will)
BIND is probably unable to create/modify files.
Either the directory and/or file is not writable according to filesystem permissions, or an additional layer such as SELinux/AppArmor does not allow writing outside the directories expected for that particular service.
Root-cause theory (assuming my hunch is correct)
You have placed these writable files in an unconventional location, which very likely goes against what the package maintainers prepared (in terms of filesystem permissions and any SELinux/AppArmor profiles).
Normally you would use something like /var/lib/bind for writable files (or /var/cache/bind for "cache" files) rather than /etc/bind, which is normally read-only configuration. I would suggest confirming the appropriate directory and using it, rather than making additional system changes, unless there is a significant reason to use a different directory.
Side note: I would suggest using a dedicated key for these updates from dhcpd, rather than reusing a key whose name makes it look as if it is intended for rndc use (and which may well be valid for that too?).
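As an added example (not part of the question or of the answer above), here is a small Python check for the hunch in that answer. It pulls each `file "..."` statement out of a named.conf.local fragment and, for the uid/gids that named runs as, answers the two questions a dynamic zone actually depends on: can named rewrite the zone file itself, and can it create the `<file>.jnl` journal next to it, which needs write and search permission on the directory, not just on the file. That distinction is why a `chown bind:bind` plus `chmod 664` on the `.db` files alone does not help when the directory stays read-only for the `bind` user. The `demo()` function constructs two temporary layouts modelled on what I recall of Debian's defaults (an assumption, not something the page states): `/etc/bind` mode 0755 and `/var/lib/bind` mode 0775, both group-owned by the named group, with the zone file already made group-writable as the poster did. The directory names, zone name and the "named" uid in the demo are constructed for the example; the check ignores POSIX ACLs and SELinux/AppArmor, which can only deny further.

```python
"""Check whether named can rewrite each dynamic zone file and create its .jnl.
Added example for the answer above; not code from the question or the answer.
"""
import os
import re
import stat
import tempfile


def zone_files(conf_text):
    """Map zone name -> zone file path from a named.conf(.local) fragment.
    Line-oriented: a `file "..."` statement belongs to the most recent `zone "..."`.
    """
    zones = {}
    current = None
    for line in conf_text.splitlines():
        m = re.search(r'\bzone\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r'\bfile\s+"([^"]+)"', line)
        if m and current is not None:
            zones[current] = m.group(1)
    return zones


def has_access(path, uid, gids, need_user_bits):
    """Classic POSIX owner/group/other test for a given uid and set of gids.
    `need_user_bits` is expressed in the owner triplet (e.g. S_IWUSR | S_IXUSR)
    and is shifted to the group or other triplet as appropriate. Root always
    passes; ACLs and SELinux/AppArmor are not consulted (they only restrict further).
    """
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        need = need_user_bits
    elif st.st_gid in gids:
        need = need_user_bits >> 3
    else:
        need = need_user_bits >> 6
    return (st.st_mode & need) == need


def ddns_write_check(conf_text, uid, gids, directory):
    """For each zone in `conf_text`, report whether the named identity (uid/gids)
    can rewrite the zone file and create `<file>.jnl` in the same directory.
    Relative `file` paths resolve against options { directory "..."; }.
    """
    report = {}
    for zone, f in zone_files(conf_text).items():
        path = f if os.path.isabs(f) else os.path.join(directory, f)
        d = os.path.dirname(path)
        report[zone] = {
            "file": path,
            # named rewrites the zone file itself (e.g. on rndc sync / freeze)
            "file_writable": os.path.isfile(path)
            and has_access(path, uid, gids, stat.S_IWUSR),
            # creating the journal needs write + search (x) on the directory
            "journal_creatable": os.path.isdir(d)
            and has_access(d, uid, gids, stat.S_IWUSR | stat.S_IXUSR),
        }
    return report


def demo():
    """Constructed comparison of the poster's /etc/bind layout (dir 0755,
    file chmod 664) against /var/lib/bind (dir 0775). Both live under a temp
    directory owned by the current user; 'named' is played by a different uid
    that is a member of the directory's group, mirroring root:bind ownership.
    Returns (report_for_etc_layout, report_for_var_lib_layout).
    """
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc", "bind")
    lib = os.path.join(root, "var", "lib", "bind")
    os.makedirs(etc)
    os.makedirs(lib)
    os.chmod(etc, 0o755)   # Debian-style /etc/bind: group bind gets r-x only
    os.chmod(lib, 0o775)   # Debian-style /var/lib/bind: group bind gets rwx
    for d in (etc, lib):
        p = os.path.join(d, "db.student.co.uk")
        with open(p, "w") as fh:
            fh.write("; constructed placeholder zone file\n")
        os.chmod(p, 0o664)  # what the poster's chmod 664 produced
    st = os.stat(etc)
    named_uid, named_gids = st.st_uid + 1, {st.st_gid}  # not owner, in group
    conf_etc = 'zone "student.co.uk" {\n    type master;\n    file "%s/db.student.co.uk";\n};\n' % etc
    conf_lib = 'zone "student.co.uk" {\n    type master;\n    file "%s/db.student.co.uk";\n};\n' % lib
    return (
        ddns_write_check(conf_etc, named_uid, named_gids, lib),
        ddns_write_check(conf_lib, named_uid, named_gids, lib),
    )


if __name__ == "__main__":
    for label, rep in zip(("etc/bind layout", "var/lib/bind layout"), demo()):
        print(label, rep)
```

On a real primary you would feed it the actual file: `ddns_write_check(open("/etc/bind/named.conf.local").read(), pwd.getpwnam("bind").pw_uid, {g.gr_gid for g in grp.getgrall() if "bind" in g.gr_mem} | {pwd.getpwnam("bind").pw_gid}, "/var/cache/bind")`. A zone that shows `file_writable` true but `journal_creatable` false is the signature of the layout the poster has; moving the zone file to `/var/lib/bind` (and pointing the `file` statement there) fixes both columns without loosening permissions on `/etc/bind`.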