我正在我们的实验室 DNS 服务器上测试 BIND 响应策略区域功能。我们使用 BIND 9.8.2 运行 RHEL 6 服务器。我已按照此处的说明进行操作,但无法正常工作。这是我所知道的:
1) DNS 服务器确实响应对在其他区域中找到的主机的查询
2) 我的 RPZ 区域加载成功,如下所示:
Jan 28 12:00:13 labdns named[26564]: zone rpz/IN: loaded serial 2015012816
但是当我查询在 RPZ 区域中找到的域时,这是我在 /var/log/messages 中看到的内容:
Jan 28 11:52:54 labdns named[26060]: client 192.168.254.202#38524: query (cache) 'x99moyu.net/A/IN' denied
我以前见过这种行为,但只有当您关闭递归并且查询在区域文件中找不到的主机时。这是我的 RPZ 区域数据库文件:
$TTL 86400
@ IN SOA localhost. root.localhost. (
2015012816 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ; minimum
)
@ IN NS lab.testdns.net.
; Response Policy for x99moyu.net
x99moyu.net IN A 127.0.0.1
IN AAAA ::1
; Response Policy for ix99moyu.net
ix99moyu.net IN A 127.0.0.1
IN AAAA ::1
; Response Policy for duobao369.com
duobao369.com IN A 127.0.0.1
IN AAAA ::1
我试过在域名的前后都加点,但这没有帮助,说明说无论如何不要使用点。
这是我的 /etc/named.conf 文件:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 192.168.155.128; }; #Master DNS Servers IP
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named.stats";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.155.0/24; 192.168.254.0/23; 192.168.160.0/24; }; # IP range of hosts
allow-transfer { localhost; 192.168.254.202; }; # Slave DNS server
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
zone-statistics yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
response-policy { zone "rpz"; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel rpz-queries {
file "/var/log/bind/rpz.log" versions 10 size 50m;
severity info;
};
category rpz {
rpz-queries;
};
};
zone"rpz" IN {
type master;
file "/var/named/db.rpz";
notify yes;
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
我不确定如何继续前进或如何进一步调试。任何帮助表示赞赏。
编辑 - 这是 dig 命令的输出。这是我看到“拒绝”消息的地方
dig @192.168.155.128 x99moyu.net
; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc22 <<>> @192.168.155.128 x99moyu.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51880
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x99moyu.net. IN A
;; Query time: 1 msec
;; SERVER: 192.168.155.128#53(192.168.155.128)
;; WHEN: Thu Jan 28 12:30:08 CST 2016
;; MSG SIZE rcvd: 40
据我所知,该问题似乎实际上并不涉及 RPZ,而只是归结为您有一个依赖于递归的设置(即,您似乎希望处理对不在任何名称中的名称的查询您自己的区域?)但是您在配置中关闭了递归。
现在,从技术上讲,查询中特定名称的查找将通过您的 RPZ 配置被覆盖,但在此之前查询被拒绝,因为递归关闭并且查询的名称是您的一个区域的一部分。