我一直在用头撞绑定手册和谷歌几个小时才能弄清楚这一点,但我不确定我在哪里搞砸了。我在几个本地虚拟机上构建了它,从服务器与主服务器交谈没有问题。这两个子网之间的防火墙没有阻止任何东西。两个虚拟机都有防火墙来接受 udp 端口 53 数据,但永久例外。任何建议将不胜感激。已设置配置,以便来自两个位置的 DHCP 更新主 DNS,然后 DNS 将填充 DNS 从属。为了空间,我删除了一些默认的 named.conf 文本(任何未包含的内容很可能是默认的)。这一切都在 Centos 7 上运行。
在 slave 上启动 Named 时出错
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: running
Jun 14 12:54:07 dns-vm-pa-01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: zone 1.0.10.in-addr.arpa/IN: Transfer started.
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: connected using 10.0.1.5#36381
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.146 secs (0 bytes/sec)
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: zone int.bubbhashramp.com/IN: Transfer started.
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: connected using 10.0.1.5#36067
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.155 secs (0 bytes/sec)
主服务器上的 NetStat 结果
udp 0 0 10.0.0.5:53 0.0.0.0:* 26141/named
/var/named/dynamic/ 中区域文件的权限
-rw-r--r--. 1 root named 374 Jun 14 10:43 0.0.10.in-addr.arpa
-rw-r--r--. 1 root named 372 Jun 14 10:04 1.0.10.in-addr.arpa
-rw-r--r--. 1 root named 567 Jun 14 12:31 int.bubbhashramp.com
挖掘大师的回复
dig @10.0.0.5 vmhost-01.int.bubbhashramp.com
; <<>> DiG 9.8.3-P1 <<>> @10.0.0.5 vmhost-01.int.bubbhashramp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;vmhost-01.int.bubbhashramp.com. IN A
;; ANSWER SECTION:
vmhost-01.int.bubbhashramp.com. 10800 IN A 10.0.1.10
;; AUTHORITY SECTION:
int.bubbhashramp.com. 10800 IN NS dns-vm-pa-01.int.bubbhashramp.com.
int.bubbhashramp.com. 10800 IN NS dns-vm-nh-01.int.bubbhashramp.com.
;; ADDITIONAL SECTION:
dns-vm-nh-01.int.bubbhashramp.com. 10800 IN A 10.0.0.5
dns-vm-pa-01.int.bubbhashramp.com. 10800 IN A 10.0.1.5
;; Query time: 55 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Tue Jun 14 13:05:34 2016
;; MSG SIZE rcvd: 146
主配置
key "rndc-key" {
algorithm hmac-md5;
secret "bubbgumpkeys";
};
options {
listen-on port 53 { 10.0.0.5; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 10.0.0.0/16; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forwarders {
8.8.8.8;
75.75.75.75;
8.8.4.4;
};
};
zone "int.bubbhashramp.com" {
type master;
file "dynamic/int.bubbhashramp.com";
allow-update { key rndc-key; };
};
zone "1.0.10.in-addr.arpa" {
type master;
file "dynamic/1.0.10.in-addr.arpa";
allow-update { key rndc-key; };
};
zone "0.0.10.in-addr.arpa" {
type master;
file "dynamic/0.0.10.in-addr.arpa";
allow-update { key rndc-key; };
};
从站配置
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forwarders {
8.8.8.8;
75.75.75.75;
8.8.4.4;
};
};
zone "int.bubbhashramp.com" {
type slave;
file "slaves/int.bubbhashramp.com";
masters { 10.0.0.5; };
};
zone "1.0.10.in-addr.arpa" {
type slave;
file "slaves/1.0.10.in-addr.arpa";
masters { 10.0.0.5; };
};
检查 BIND 目录的权限。BIND 目录和文件必须由 BIND 用户(最有可能命名)拥有或至少可写。
如果您的网络没有路由 IPv6,请从配置中删除 IPv6 行。
原来是从机上的 DNSMasq。它已经绑定到 ip 和端口 53,因此命名无法接受它正在侦听的返回流量。一旦我禁用了 dnsmasq 服务,它就开始工作了。