Questions [named-conf] (server)

gooleem
Asked: 2021-01-13 02:25:15 +0800 CST

Bind: query (cache) './ANY/IN' denied - is this a DDoS attack?

  • 0

My syslog is flooded with messages like these

Jan 12 11:09:25 xxx named[902]: client 74.74.75.74#47561 (.): query (cache) './ANY/IN' denied
Jan 12 11:09:25 xxx named[902]: client 74.74.75.74#47561 (.): query (cache) './ANY/IN' denied
Jan 12 11:09:25 xxx named[902]: client 74.74.75.74#47561 (.): query (cache) './ANY/IN' denied
Jan 12 11:09:25 xxx named[902]: client 74.74.75.74#47561 (.): query (cache) './ANY/IN' denied
Jan 12 11:09:25 xxx named[902]: client 74.74.75.74#47561 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:19 xxx named[902]: client 68.12.225.198#58807 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:19 xxx named[902]: client 68.12.225.198#58807 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:19 xxx named[902]: client 68.12.225.198#58807 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:19 xxx named[902]: client 68.12.225.198#58807 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:19 xxx named[902]: client 68.12.225.198#58807 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:26 xxx named[902]: client 68.12.225.198#9414 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:26 xxx named[902]: client 68.12.225.198#9414 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:26 xxx named[902]: client 68.12.225.198#9414 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:26 xxx named[902]: client 68.12.225.198#9414 (.): query (cache) './ANY/IN' denied
Jan 12 11:11:26 xxx named[902]: client 68.12.225.198#9414 (.): query (cache) './ANY/IN' denied

and I don't know whether this is a DDoS attack or just odd bind behaviour.

So I set up a simple fail2ban jail that blocks any IP producing more than 20 of these errors within 24 hours. After the weekend I checked and was surprised: more than 1000 IPs had been blocked, including well-known ones like 1.1.1.1. So that can't be right.

My server is Debian 9 managed through Plesk Obsidian. I have no special configuration for bind9/named (as far as I know). It is the primary NS server for all of my domains.

So the question is: what can I do to protect my server from such a large number of DNS queries, or should I just ignore them?

domain-name-system bind named-conf
  • 1 answer
  • 3875 Views
Dunner1991
Asked: 2020-10-17 04:52:40 +0800 CST

Creating multiple log streams for named

  • 0

I am rolling out an external DNS server to resolve all end-user queries.

Before we put the solution into production I would like to have as much useful logging as possible.

Here is the named.conf file (in our case the file is called gi-named.conf):

options {
        listen-on port 53 { Public IP; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-query-on  { PublicIP; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        allow-query-cache { Internal Range; };
        allow-query-cache-on  { PublicIP; };



        query-source address Public IP ;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};


logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        /*channel default_debug {
                print-time yes;
                print-category yes;
                print-severity yes;
                file "data/named.run";
                severity dynamic;
        };*/
        channel queries_log {
                file "/var/log/queries" versions 1 size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        };
        channel default_log {
                file "/var/named/log/default" versions 3 size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
        channel query-errors_log {
                file "/var/named/log/query-errors" versions 5 size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity dynamic;
        };

        category queries { queries_log; };
        category client { queries_log;  };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The problem I am running into is that while I can see log entries filling the /var/named/log/queries file, I don't see any entries in the /var/named/log/query-errors log file or in the /var/named/log/default log file. I'm not sure where exactly I went wrong, or whether I am missing some configuration.

Has anyone run into this before?

logging bind named-conf
  • 1 answer
  • 630 Views
scoulomb
Asked: 2020-06-13 01:15:33 +0800 CST

MX records in a reverse zone

  • 0

I am taking a DNS course on Linux Academy. In one of the labs they define a reverse zone, and in this zone they add MX records. Does it make sense to define MX records in a reverse zone?

Details:

To do this they run

vim /etc/named.conf

zone "1.0.10.in-addr.arpa" {
    type master;
    file "/var/named/1.0.10.db";
};

The content of /var/named/1.0.10.db is:

$TTL    86400
@       IN      SOA     nameserver.myserver.com. root.myserver.com. (
                          10030         ; Serial
                           3600         ; Refresh
                           1800         ; Retry
                         604800         ; Expiry
                          86400         ; Minimum TTL
 )
; Name Server
@        IN      NS       nameserver.myserver.com.
; PTR Record Definitions
240         IN      PTR       nameserver.myserver.com.
241         IN      PTR       mailprod.myserver.com.
242         IN      PTR       mailbackup.myserver.com.
; which is last octet of my IP
; Mail Exchange Records
@        IN    MX    10    mailprod.myserver.com.
@        IN    MX    20    mailbackup.myserver.com.

Similarly, I tried adding an A record in the reverse zone, but it is not relevant, because the lookup can be done with:

nslookup <dns-name>.1.0.10.in-addr.arpa localhost

whereas doing

nslookup <dns-name>.mylabserver.com localhost

does not work (or if it does, it is a non-authoritative answer obtained through DNS recursion). Am I right?

I understand from https://en.wikipedia.org/wiki/MX_record that defining an MX record requires an A record. So can we do a reverse lookup of the MX using a PTR?

So I am wondering whether adding MX records in a reverse zone makes any sense, and how we would then retrieve this MX.

What am I missing?

domain-name-system reverse-dns mx-record ptr-record named-conf
  • 2 answers
  • 1100 Views
Sebastien Damaye
Asked: 2020-02-26 11:19:42 +0800 CST

ACL-conditional zone in Bind9

  • 0

I am trying to apply "restrictmoderate.youtube.com" only for the kids, and let everyone else reach the standard "youtube.com", using Bind9.

# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
==========================================================================
# cat named.conf.options 
acl goodclients {
    192.168.0.0/16;
    localhost;
    localnets;
};
acl kids   { 192.168.2.0/24; };
acl adults { 192.168.1.0/24; };

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    // forward traffic to opendns
    forwarders { 208.67.222.222; 208.67.220.220; };

    forward only;

    dnssec-enable yes;
    dnssec-validation yes;

    // Conform to RFC1035
    auth-nxdomain no;

    // Force youtube.com to restrictmoderate.youtube.com
    response-policy { zone "rpz"; };

    listen-on-v6 { none; };
    querylog yes;
};
==========================================================================
# cat named.conf.local 
//include "/etc/bind/zones.rfc1918";
logging{
    channel simple_log {
        file "/var/log/bind/query.log" versions 3;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default{
        simple_log;
    };
};

zone "rpz" IN {
    type master;
    file "/etc/bind/rpdb.zone";
    allow-query { kids; !adults; };
};
==========================================================================
# cat rpdb.zone 
$ORIGIN rpz.
$TTL 1H
@       IN       SOA       localhost. root.localhost. (
                           7
                           1H
                           15m
                           30d
                           2h )
                           NS LOCALHOST.

www.youtube.com           IN CNAME restrictmoderate.youtube.com.
m.youtube.com             IN CNAME restrictmoderate.youtube.com.
youtubei.googleapis.com   IN CNAME restrictmoderate.youtube.com.
youtube.googleapis.com    IN CNAME restrictmoderate.youtube.com.
www.youtube-nocookie.com  IN CNAME restrictmoderate.youtube.com.
google.com                IN CNAME forcesafesearch.google.com.
www.google.com            IN CNAME forcesafesearch.google.com.

I don't understand why the "rpz" zone applies to everyone (192.168.1.0/24 and 192.168.2.0/24) when I want it to apply only to the "kids" ACL (192.168.2.0/24):

allow-query { kids; !adults; };

What am I doing wrong? Thanks for your help.

bind access-control-list dns-zone restrictions named-conf
  • 1 answer
  • 3189 Views
user319725
Asked: 2017-01-25 13:32:50 +0800 CST

View match-clients only works with subnets, not with single IP addresses

  • 0

I am running Bind as a DNS server on OpenWrt 15.05.1. I want to set up multiple views with different zones.

acl "trusted" {
        10.0.1.0/24;
        localhost;
        localnets;
};

acl "blacklisted" {
        10.0.1.10;
};

options {
        directory "/tmp";
        recursion yes;
        allow-recursion { trusted; };
        allow-transfer { none; };
        dnssec-validation auto;
        forwarders {
                8.8.8.8;
        };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

view "blacklist" {
        match-clients { blacklisted; };
        zone "example.com" { type master; file "/etc/bind/zones/db.example"; };
};

view "normal" {
        match-clients { any; };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
};

It works fine, but only if the IP address in the "blacklisted" acl has a subnet suffix (e.g. 10.0.1.10/28). I am trying to target just a single IP, and for some reason that doesn't work.

Thanks for your replies.

bind named-conf
  • 3 answers
  • 1779 Views
Harshith Mulky
Asked: 2016-07-19 08:37:30 +0800 CST

Order in which Bind answers resource records (RRs) when order and preference are the same

  • 0

I have a question about how the following records are ordered depending on how they are configured in the zone file.

I did 2 different tests.

I configured the following records in the zone file e164enum.net with a TTL value of 0

2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:[email protected];user=phone!" .
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:[email protected];user=phone!" .

Now, whenever I run the "dig" query "dig 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. NAPTR" against the bind server

I get responses in which the records in the "Answer" section are swapped

First dig query

;; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. NAPTR
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR

;; ANSWER SECTION:
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .

;; AUTHORITY SECTION:
e164enum.net.           0       IN      NS      HP3bl10VM5DNS.e164enum.net.

;; ADDITIONAL SECTION:
HP3bl10VM5DNS.e164enum.net. 0   IN      A       10.54.212.235

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 19 00:31:16 IST 2016
;; MSG SIZE  rcvd: 261

Second dig query

; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. NAPTR
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40073
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR

;; ANSWER SECTION:
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .

;; AUTHORITY SECTION:
e164enum.net.           0       IN      NS      HP3bl10VM5DNS.e164enum.net.

;; ADDITIONAL SECTION:
HP3bl10VM5DNS.e164enum.net. 0   IN      A       10.54.212.235

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 19 00:31:19 IST 2016
;; MSG SIZE  rcvd: 261

As I can see, the response (RR answers) from the bind server is swapped on every dig.

Since I don't want the answers to be swapped on each subsequent dig, and I want the answers in the same order as they are configured in the zone file (because order and preference are the same for both records), I enabled this line in the options section of named.conf

rrset-order {order fixed;};

and restarted named.

I ran the dig query again. This time the answers did not swap, but I found that the second configured RR is always answered first, even though it is second in my configured preference (assuming that configuring rrset-order would always return the RR answers in the same order as configured in the zone file).

Query #1

; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. NAPTR
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18221
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR

;; ANSWER SECTION:
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .

;; AUTHORITY SECTION:
e164enum.net.           0       IN      NS      HP3bl10VM5DNS.e164enum.net.

;; ADDITIONAL SECTION:
HP3bl10VM5DNS.e164enum.net. 0   IN      A       10.54.212.235

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 19 00:36:30 IST 2016
;; MSG SIZE  rcvd: 261

Query #2

; <<>> DiG 9.9.5-rpz2+rl.14038.05-P1 <<>> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. NAPTR
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR

;; ANSWER SECTION:
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .
2.7.5.2.7.9.2.5.3.1.8.e164enum.net. 0 IN NAPTR  100 10 "u" "E2U+sip" "!^.*$!sip:[email protected]\;user=phone!" .

;; AUTHORITY SECTION:
e164enum.net.           0       IN      NS      HP3bl10VM5DNS.e164enum.net.

;; ADDITIONAL SECTION:
HP3bl10VM5DNS.e164enum.net. 0   IN      A       10.54.212.235

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 19 00:36:33 IST 2016
;; MSG SIZE  rcvd: 261

Why does Bind return the second RR as the first answer instead of my original first RR as the first answer?

domain-name-system bind named-conf
  • 1 answer
  • 359 Views
user74078
Asked: 2016-06-18 02:22:14 +0800 CST

With BIND 9, how can I match clients in multiple views?

  • 0

BIND seems to go through the configuration file from top to bottom and assigns a query to the first view whose match-clients matches. According to http://www.zytrax.com/books/dns/ch7/view.html this is exactly how it is supposed to work.

In my configuration there may be other views that also apply to a user according to their match-clients configuration, and I would like to traverse them somehow. If there is no positive hit (top to bottom is fine), it should ideally continue checking the following views.

Is this possible with BIND in some way? Here is an example. In the configuration below, users from 192.168.1.100 or 192.168.1.200 both only end up in the first view. Instead, I would like the user 192.168.1.200 to also have access to the second view.

acl "kids" {
        192.168.1.100;
        192.168.1.200;
};

view "kids"{
        response-policy { zone "kids"; };
        match-clients { kids; };
        recursion yes;
        zone "kids" {
                type master;
                file "kids.db";
                allow-query { none; };
        };
};

acl "teens" {
        192.168.1.200;
};

view "teens"{
        response-policy { zone "teens"; };
        match-clients { teens; };
        recursion yes;
        zone "teens" {
                type master;
                file "teens.db";
                allow-query { none; };
        };
};
bind access-control-list dns-zone rpz named-conf
  • 2 answers
  • 8161 Views
jcoughlin
Asked: 2016-06-15 09:23:15 +0800 CST

BIND slave cannot receive zone file -- SERVFAIL

  • 1

I have been banging my head against the bind manual and Google for hours to figure this out, but I'm not sure where I messed up. I built this on a couple of local VMs and the slave had no problem talking to the master. The firewall between the two subnets is not blocking anything. Both VMs have firewalls accepting udp port 53 traffic, with permanent exceptions. Any suggestions would be greatly appreciated. The configuration is set up so that DHCP from both locations updates the master DNS, and the DNS then populates the DNS slave. To save space I removed some of the default named.conf text (anything not included is most likely the default). This is all running on Centos 7.

Error when starting named on the slave

Jun 14 12:54:07 dns-vm-pa-01 named[26045]: running
Jun 14 12:54:07 dns-vm-pa-01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: zone 1.0.10.in-addr.arpa/IN: Transfer started.
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: connected using 10.0.1.5#36381
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:07 dns-vm-pa-01 named[26045]: transfer of '1.0.10.in-addr.arpa/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.146 secs (0 bytes/sec)
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: zone int.bubbhashramp.com/IN: Transfer started.
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: connected using 10.0.1.5#36067
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: failed while receiving responses: SERVFAIL
Jun 14 12:54:08 dns-vm-pa-01 named[26045]: transfer of 'int.bubbhashramp.com/IN' from 10.0.0.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.155 secs (0 bytes/sec)

NetStat results on the master

udp        0      0 10.0.0.5:53             0.0.0.0:*                           26141/named  

Permissions of the zone files in /var/named/dynamic/

-rw-r--r--. 1 root named 374 Jun 14 10:43 0.0.10.in-addr.arpa
-rw-r--r--. 1 root named 372 Jun 14 10:04 1.0.10.in-addr.arpa
-rw-r--r--. 1 root named 567 Jun 14 12:31 int.bubbhashramp.com

dig response from the master

dig @10.0.0.5 vmhost-01.int.bubbhashramp.com

; <<>> DiG 9.8.3-P1 <<>> @10.0.0.5 vmhost-01.int.bubbhashramp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;vmhost-01.int.bubbhashramp.com.    IN  A

;; ANSWER SECTION:
vmhost-01.int.bubbhashramp.com. 10800 IN    A   10.0.1.10

;; AUTHORITY SECTION:
int.bubbhashramp.com.   10800   IN  NS  dns-vm-pa-01.int.bubbhashramp.com.
int.bubbhashramp.com.   10800   IN  NS  dns-vm-nh-01.int.bubbhashramp.com.

;; ADDITIONAL SECTION:
dns-vm-nh-01.int.bubbhashramp.com. 10800 IN A   10.0.0.5
dns-vm-pa-01.int.bubbhashramp.com. 10800 IN A   10.0.1.5

;; Query time: 55 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Tue Jun 14 13:05:34 2016
;; MSG SIZE  rcvd: 146

Master configuration

key "rndc-key" {
        algorithm hmac-md5;
        secret "bubbgumpkeys";
};

options {
    listen-on port 53 { 10.0.0.5; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    allow-transfer     { 10.0.0.0/16; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    forwarders {
        8.8.8.8;
        75.75.75.75;
        8.8.4.4;
    };
};


zone "int.bubbhashramp.com" {
    type master;
    file "dynamic/int.bubbhashramp.com";
    allow-update { key rndc-key; };
};

zone "1.0.10.in-addr.arpa" {
        type master;
        file "dynamic/1.0.10.in-addr.arpa";
        allow-update { key rndc-key; };
};

zone "0.0.10.in-addr.arpa" {
        type master;
        file "dynamic/0.0.10.in-addr.arpa";
        allow-update { key rndc-key; };
};

Slave configuration

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    forwarders {
        8.8.8.8;
        75.75.75.75;
        8.8.4.4;
    };
};

zone "int.bubbhashramp.com" {
    type slave;
    file "slaves/int.bubbhashramp.com";
    masters { 10.0.0.5; };
};

zone "1.0.10.in-addr.arpa" {
        type slave;
        file "slaves/1.0.10.in-addr.arpa";
        masters { 10.0.0.5; };
};
domain-name-system bind centos7 named-conf
  • 2 answers
  • 2802 Views
JunaBo
Asked: 2016-05-04 05:21:04 +0800 CST

Syncing secondary nameserver zones to the primary server

  • 1

I have two servers using Plesk; unfortunately I am not a professional, so sorry if my question is silly. The first server is used as the main server, with many domains. Until now this server was both the primary and the secondary nameserver.

I had to buy another server with a new license, so I decided to use it as the secondary nameserver.

On the main server I installed the "Slave Manager" extension and configured it on the main server following the tutorial at https://devblog.plesk.com/2013/10/slave-dns-and-plesk/.

When I add a domain on the main server, everything looks fine:

transfer of 'domain.es/IN' from 136.xxx.xxx.xxx#53: Transfer completed: 1 messages, 22 records, 519 bytes, 0.012 secs (43250 bytes/sec)

On the secondary server I added a new domain and used DIG to get information about the domain on the primary nameserver, but unfortunately:

NS not responding or not authoritative

It looks like the secondary server is not synced with the primary. Is this normal behaviour? How can I sync the records on the secondary server with the primary?

bind plesk named-conf
  • 1 answer
  • 417 Views
Son of the Wai-Pan
Asked: 2012-06-21 21:42:41 +0800 CST

How do I configure named on Ubuntu 12.04 using /etc/named.conf?

  • 1

I have been reading about how to configure my own DNS server. I have many questions, but this is the first one that came up:

  1. I edited /etc/named.conf and created the appropriate zone files.
  2. I tried restarting with service bind9 restart.
  3. A quick grep of syslog shows that it is not doing what I configured in /etc/named.conf.

How do I get /etc/named.conf to be loaded?

(After a while I gave up and, after looking at the output of named-checkconf -p, started editing the files in /var/cache/bind and /etc/bind/ instead.)

domain-name-system bind named-conf
  • 2 answers
  • 3893 Views
