BIND does not forward queries after upgrading from 9.11 to 9.16


Question:

I run BIND on a FreeBSD 12.1 server as the DNS backend for a Samba DC.

I updated BIND from 9.11 to 9.16 with the same build options, and after that global name resolution stopped working, with the following message:

```
root@Desk1:~ # nslookup google.com 192.168.0.19
Server:         192.168.0.19
Address:        192.168.0.19#53

** server can't find google.com: SERVFAIL
```

My named.conf:


```
options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    auth-nxdomain yes;
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
    minimal-responses yes;

    allow-query { 127.0.4.1; 192.168.0.0/24; };
    allow-recursion { 127.0.4.1; 192.168.0.0/24; };
    forwarders { 192.168.0.1; 192.168.0.2; };
    allow-transfer { 192.168.0.0/24; key dns.example.local; };
    listen-on { 127.0.4.1; 192.168.0.19; };
    query-source address * port 53;
    rate-limit { responses-per-second 15; window 5; };
    tcp-clients 1000000;

## bind916 options
    dnssec-validation no;
# auto-dnssec off;
    recursion yes;
# forward only;
};

zone "." {
    type hint;
    file "/usr/local/etc/namedb/named.root";
};

zone "localhost" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-forward.db";
};

zone "127.in-addr.arpa" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-reverse.db";
};

logging {
    channel update_debug {
        file "/var/log/named-update.log";
        severity debug 3;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/named-auth.log";
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel querylog {
        file "/var/log/named-debug.log";
        severity debug 10;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category update { update_debug; };
    category security { security_info; };
    category queries { querylog; };
};

include "/var/db/samba4/bind-dns/named.conf";
```




Answer 1:

Configuration/data validity:

```
named-checkconf -zj
```

Other configuration problems, unlikely to be related to the current issue.

Unless there is a genuine reason for them, I strongly recommend removing these:

```
auth-nxdomain yes;
```

Forces BIND to send incorrect NXDOMAIN responses for non-authoritative NXDOMAIN answers.

```
query-source address * port 53;
```

```
dnssec-validation no;
```


