bind9を使用するDNSサーバーは逆ゾーンを解決できません

Question

最近ネットワークを再構成し、すべてのサーバーを変更するプロセスを実行しようとしています。これを行う過程で、dns/dhcpサーバーに問題があることがわかりました。順方向ゾーンは期待どおりに機能していますが、私は一生、逆ゾーンを機能させることはできません。エラーを引き起こしているログはありません。 dhcpはどちらのゾーンの更新にも問題はありません。ただし、arp、Dig -x、およびHostは、IPをホスト名に解決しません。私のサーバーとネットワークはipv4でのみ動作しますが、localhost ipv6ステートメントは残っています。

問題が解決するまで、サーバーのファイアウォールは無効になっています。フェールオーバーサーバーも無効になっています。マスターdhcpサーバーをrecoverから通常の通信中断状態に移動する場合を除きます。サーバーの詳細と追跡するログ：

OS：Ubuntu 14.04.4（AMD64）、カーネル：4.2.0-34-generic、bind9：1：9.9.5.dfsg-3ubuntu0.8、isc-dhcp-server：4.2.4-7ubuntu12.4、Network（マスク）：10.94.78.0/23

named.conf

// This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones"; controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; }; inet 10.xxx.78.11 allow { 10.xxx.78.11; 10.xxx.78.13; } keys { "rndc-key"; }; }; logging { <Logging details omitted as it is working as expected> }; category default { default_file; }; category general { general_file; }; category database { database_file; }; category security { security_file; }; category config { config_file; }; category resolver { resolver_file; }; category xfer-in { xfer-in_file; }; category xfer-out { xfer-out_file; }; category notify { notify_file; }; category client { client_file; }; category unmatched { unmatched_file; }; category queries { queries_file; }; category network { network_file; }; category update { update_file; }; category dispatch { dispatch_file; }; category dnssec { dnssec_file; }; category lame-servers { lame-servers_file; }; };

named.conf.options

options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forwarders { // OpenDNS Servers // 208.67.222.222; // Use for Primary // 208.67.220.220; // Use for Secondary // Google Public DNS // 8.8.8.8; // Use for Primary // 8.8.4.4; // Use for Secondary }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== # dnssec-validation auto; dnssec-enable no; dnssec-validation no; auth-nxdomain no; # conform to RFC1035 # listen-on-v6 { any; }; # added thanks to bigdinosaur.org allow-query { 10.xxx.78/23; <VPN IPs omitted> 127.0.0.1; }; allow-transfer { 10.xxx.78/23; 127.0.0.1; }; };

named.conf.local

// // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization include "/etc/rndc/rndc.key"; include "/etc/bind/zones.rfc1918"; include "/var/lib/bind/spywaredomains.zones"; include "/var/lib/bind/ads.zones"; // Defining ACLs acl "Secondary DNS" { 10.xxx.78.xx; }; // Defining Forward Lookup Zone zone "hili-caffinated.local" { type master; file "/var/lib/bind/db.hili-caffinated.local"; allow-update { key "rndc-key"; }; allow-transfer { "Secondary DNS"; }; }; // Defining Reverse Lookup Zone zone "xxx.10.in-addr.arpa" { type master; // notify no; file "/var/lib/bind/db.xxx.10.in-addr.arpa"; allow-update { key "rndc-key"; }; allow-transfer { "Secondary DNS"; }; };

named.conf.default-zonesは、パッケージで提供されるものとまったく同じです。

db.hili-caffinated.local

; ; BIND data file for hili-caffinated.local ; $TTL 604800 @ IN SOA hcsvrxx.hili-caffinated.local. nseadm.hcsvr11.hili-caffinated.local. ( 032816102 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS hcsvrxx.hili-caffinated.local. @ IN NS hcsvrxx.hili-caffinated.local. @ IN PTR hili-caffinated.local. @ IN A 10.xxx.78.xx @ IN AAAA ::1 ; Printers hcptrxx IN A 10.xxx.78.xx <entries omitted after verified syntax is same as above> ; CNAME Entries ; hcptrxx hp8600 IN CNAME hcptrxx <entries omitted after verifying syntax is same as above>

db.xxx.10.in-addr.arpa

; ; BIND reverse data file for hili-caffinated .local ; $TTL 604800 @ IN SOA hcsvrxx.hili-caffinated.local. nseadm.hcsvrxx.hili-caffinated.local. ( 032816202 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; @ IN NS hcsvrxx.hili-caffinated.local. @ IN NS hcsvrxx.hili-caffinated.local. ; Printers 78.xx IN PTR hcptrxx.hili-caffinated.local. <entries omitted after verifying syntax is same as above> ; Broadcast 79.255 IN PTR hcbroadcast.hili-caffinated.local.

Pingの結果

PING hcwknxxx.hili-caffinated.local (10.xxx.78.xx) 56(84) bytes of data. 64 bytes from 10.xxx.78.xx: icmp_seq=1 ttl=64 time=0.168 ms --- hcwknxxx.hili-caffinated.local ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.168/0.168/0.168/0.000 ms

ARP結果

arp 10.xxx.78.xx Address HWtype HWaddress Flags Mask Iface 10.xxx.78.xx ether <correct mac address> C eth0

Dig -Xの結果

Dig -x 10.xxx.78.xx ; <<>> Dig 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 10.xxx.78.xx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39726 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;xx.78.xxx.10.in-addr.arpa. IN PTR ;; AUTHORITY SECTION: xxx.10.in-addr.arpa. 604800 IN SOA hcsvrxx.hili-caffinated.local. <username_omitted>.hcsvrxx.hili-caffinated.local. 32816206 604800 86400 2419200 604800 ;; Query time: 2 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Mar 28 20:06:05 CDT 2016 ;; MSG SIZE rcvd: 125

ホスト結果

Host 10.xxx.78.xx Host xx.78.xxx.10.in-addr.arpa. not found: 3(NXDOMAIN)

バインド再始動からのSYSLOG

Mar 28 21:03:47 hcsvrxx rbind.sh[5627]: root has restart the bind9 service... Mar 28 21:03:48 hcsvrxx named[5687]: starting BIND 9.9.5-3ubuntu0.8-Ubuntu -u bind Mar 28 21:03:48 hcsvrxx named[5687]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' Mar 28 21:03:48 hcsvrxx named[5687]: ---------------------------------------------------- Mar 28 21:03:48 hcsvrxx named[5687]: BIND 9 is maintained by Internet Systems Consortium, Mar 28 21:03:48 hcsvrxx named[5687]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Mar 28 21:03:48 hcsvrxx named[5687]: corporation. Support and training for BIND 9 are Mar 28 21:03:48 hcsvrxx named[5687]: available at https://www.isc.org/support Mar 28 21:03:48 hcsvrxx named[5687]: ---------------------------------------------------- Mar 28 21:03:48 hcsvrxx named[5687]: adjusted limit on open files from 4096 to 1048576 Mar 28 21:03:48 hcsvrxx named[5687]: found 2 CPUs, using 2 worker threads Mar 28 21:03:48 hcsvrxx named[5687]: using 2 UDP listeners per interface Mar 28 21:03:48 hcsvrxx named[5687]: using up to 4096 sockets Mar 28 21:03:48 hcsvrxx named[5687]: loading configuration from '/etc/bind/named.conf' Mar 28 21:03:49 hcsvrxx named[5687]: reading built-in trusted keys from file '/etc/bind/bind.keys' Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv4 port range: [1024, 65535] Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv6 port range: [1024, 65535] Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface lo, 127.0.0.1#53 Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface eth0, 10.xxx.78.xx#53 Mar 28 21:03:49 hcsvrxx named[5687]: generating session key for dynamic DNS Mar 28 21:03:49 hcsvrxx named[5687]: sizing zone task pool based on 17835 zones Mar 28 21:03:50 hcsvrxx named[5687]: set up managed keys zone for view _default, file 'managed-keys.bind' Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 64.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 65.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 66.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 67.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 68.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 69.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 70.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 71.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 72.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 73.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 74.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 75.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 76.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 77.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 78.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 79.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 80.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 81.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 82.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 83.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 84.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 85.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 86.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 87.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 88.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 89.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 90.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 91.100.IN-ADDR.ARPA Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 92.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 93.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 94.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 95.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 96.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 97.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 98.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 99.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 101.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 102.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 103.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 104.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 105.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 106.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 107.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 108.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 109.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 110.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 111.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 112.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 114.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 115.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 116.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 117.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 118.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 119.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 120.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 121.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 122.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 123.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 124.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 125.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 126.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 127.100.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 254.169.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 2.0.192.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.51.198.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.0.203.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: D.F.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.E.F.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 9.E.F.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: A.E.F.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: B.E.F.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 127.0.0.1#953 Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 10.xxx.78.xx#953 Mar 28 21:03:56 hcsvrxx rbind.sh[5694]: ...The bind9 service has restarted.

general.log

28-Mar-2016 13:37:16.169 running 28-Mar-2016 21:03:47.629 received control channel command 'stop -p' 28-Mar-2016 21:03:47.630 shutting down: flushing changes 28-Mar-2016 21:03:47.630 stopping command channel on 127.0.0.1#953 28-Mar-2016 21:03:47.630 stopping command channel on 10.xxx.78.xx#953 28-Mar-2016 21:03:48.010 exiting 28-Mar-2016 21:03:51.577 managed-keys-zone: loaded serial 4 28-Mar-2016 21:03:51.603 zone 200words.ae/IN: loaded serial 32816300 <Irrellevant zone entries omitted though very similar to above> 28-Mar-2016 21:03:54.975 zone hili-caffinated.local/IN: loaded serial 32816102 28-Mar-2016 21:03:54.975 zone glassbu.info/IN: loaded serial 32816300 <Irrellevant one entries omitted though very similar to above> 28-Mar-2016 21:03:51.635 zone xxx.10.in-addr.arpa/IN: loaded serial 32816202 28-Mar-2016 21:03:51.635 zone comunadepilar.gob.ar/IN: loaded serial 32816300 <Irrellevant one entries omitted though very similar to above> 28-Mar-2016 21:03:55.791 all zones loaded 28-Mar-2016 21:03:56.137 running

*注意：無関係なゾーンは同じスクリプトを介して作成され、すべて同じマシン上の以前の環境で機能します。ネットワーク情報のみが変更されました。

DHCP交換からのSYSLOGエントリ

Mar 28 22:14:47 hcsvrxx dhcpd: DHCPDISCOVER from xx:xx:xx:xx:96:d8 via eth0 Mar 28 22:14:48 hcsvrxx dhcpd: DHCPOFFER on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0 Mar 28 22:14:48 hcsvrxx dhcpd: Can't create new lease file: Permission denied Mar 28 22:14:48 hcsvrxx dhcpd: DHCPREQUEST for 10.xxx.78.xx (10.xxx.78.xx) from xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0 Mar 28 22:14:48 hcsvrxx dhcpd: DHCPACK on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0 Mar 28 22:14:48 hcsvrxx dhcpd: Added new forward map from hcvmwdxx.hili-caffinated.local to 10.xxx.78.xx Mar 28 22:14:48 hcsvrxx dhcpd: Added reverse map from xx.78.xxx.10.in-addr.arpa to hcvmwdxx.hili-caffinated.local

注：リースファイルは、現在適切な担当者が取り組んでいる問題であり、ここで対処する必要はありません。

他に何かが必要な場合は、お知らせください。

heemayl · Accepted Answer

問題は、逆zoneファイル/var/lib/bind/db.xxx.10.in-addr.arpaのIPアドレスオクテットの順序です。

逆のzone宣言では、xxx.10.in-addr.arpaを$Originとして使用しましたが、使用したゾーンファイルでは：

78.xx IN PTR hcptrxx.hili-caffinated.local.

その結果、10.xxx.xx.78はhcptrxx.hili-caffinated.localに解決されますが、これは明らかにあなたが望むものではありません。

PTRレコードの順序を修正します。

xx.78 IN PTR hcptrxx.hili-caffinated.local.

つまり、10.xxx.78.xxはhcptrxx.hili-caffinated.localに正しく解決されます。

同様に、次のことを行います。

255.79 IN PTR hcbroadcast.hili-caffinated.local.

理解を深めるために、IPオクテットは常にzoneおよびPTRレコード宣言の逆方向で逆に機能することに注意してください。