I recently restructured my network and am going through the process of changing all of the servers. In doing so I found a problem with the dns/dhcp server. The forward zone works as expected, but for the life of me I cannot get the reverse zone to work. There are no logs showing an error. dhcp has no problem updating either zone. However, arp, dig -x, and host do not resolve IPs to hostnames. My server and network run on IPv4 only, but the localhost ipv6 statements remain.
The server's firewall is disabled until the problem is resolved. The failover server is also disabled, except for moving the master dhcp server from recover to the normal communications-interrupted state. Server details and the logs I am following:
OS: Ubuntu 14.04.4 (AMD64), Kernel: 4.2.0-34-generic, bind9: 1:9.9.5.dfsg-3ubuntu0.8, isc-dhcp-server: 4.2.4-7ubuntu12.4, Network (mask): 10.94.78.0/23
named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
inet 10.xxx.78.11 allow { 10.xxx.78.11; 10.xxx.78.13; } keys { "rndc-key"; };
};
logging {
<Logging details omitted as it is working as expected>
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};
named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
// OpenDNS Servers
// 208.67.222.222; // Use for Primary
// 208.67.220.220; // Use for Secondary
// Google Public DNS
// 8.8.8.8; // Use for Primary
// 8.8.4.4; // Use for Secondary
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
# dnssec-validation auto;
dnssec-enable no;
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
# listen-on-v6 { any; };
# added thanks to bigdinosaur.org
allow-query {
10.xxx.78/23;
<VPN IPs omitted>
127.0.0.1;
};
allow-transfer {
10.xxx.78/23;
127.0.0.1;
};
};
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/rndc/rndc.key";
include "/etc/bind/zones.rfc1918";
include "/var/lib/bind/spywaredomains.zones";
include "/var/lib/bind/ads.zones";
// Defining ACLs
acl "Secondary DNS" {
10.xxx.78.xx;
};
// Defining Forward Lookup Zone
zone "hili-caffinated.local" {
type master;
file "/var/lib/bind/db.hili-caffinated.local";
allow-update { key "rndc-key"; };
allow-transfer { "Secondary DNS"; };
};
// Defining Reverse Lookup Zone
zone "xxx.10.in-addr.arpa" {
type master;
// notify no;
file "/var/lib/bind/db.xxx.10.in-addr.arpa";
allow-update { key "rndc-key"; };
allow-transfer { "Secondary DNS"; };
};
named.conf.default-zones is exactly what is supplied by the package.
db.hili-caffinated.local
;
; BIND data file for hili-caffinated.local
;
$TTL 604800
@ IN SOA hcsvrxx.hili-caffinated.local. nseadm.hcsvr11.hili-caffinated.local. (
032816102 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS hcsvrxx.hili-caffinated.local.
@ IN NS hcsvrxx.hili-caffinated.local.
@ IN PTR hili-caffinated.local.
@ IN A 10.xxx.78.xx
@ IN AAAA ::1
; Printers
hcptrxx IN A 10.xxx.78.xx
<entries omitted after verifying syntax is same as above>
; CNAME Entries
; hcptrxx
hp8600 IN CNAME hcptrxx
<entries omitted after verifying syntax is same as above>
db.xxx.10.in-addr.arpa
;
; BIND reverse data file for hili-caffinated.local
;
$TTL 604800
@ IN SOA hcsvrxx.hili-caffinated.local. nseadm.hcsvrxx.hili-caffinated.local. (
032816202 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS hcsvrxx.hili-caffinated.local.
@ IN NS hcsvrxx.hili-caffinated.local.
; Printers
78.xx IN PTR hcptrxx.hili-caffinated.local.
<entries omitted after verifying syntax is same as above>
; Broadcast
79.255 IN PTR hcbroadcast.hili-caffinated.local.
Ping results
PING hcwknxxx.hili-caffinated.local (10.xxx.78.xx) 56(84) bytes of data.
64 bytes from 10.xxx.78.xx: icmp_seq=1 ttl=64 time=0.168 ms
--- hcwknxxx.hili-caffinated.local ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.168/0.168/0.168/0.000 ms
ARP results
arp 10.xxx.78.xx
Address HWtype HWaddress Flags Mask Iface
10.xxx.78.xx ether <correct mac address> C eth0
dig -x results
dig -x 10.xxx.78.xx
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 10.xxx.78.xx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39726
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xx.78.xxx.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
xxx.10.in-addr.arpa. 604800 IN SOA hcsvrxx.hili-caffinated.local. <username_omitted>.hcsvrxx.hili-caffinated.local. 32816206 604800 86400 2419200 604800
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 28 20:06:05 CDT 2016
;; MSG SIZE rcvd: 125
host results
host 10.xxx.78.xx
Host xx.78.xxx.10.in-addr.arpa. not found: 3(NXDOMAIN)
SYSLOG from the bind restart
Mar 28 21:03:47 hcsvrxx rbind.sh[5627]: root has restart the bind9 service...
Mar 28 21:03:48 hcsvrxx named[5687]: starting BIND 9.9.5-3ubuntu0.8-Ubuntu -u bind
Mar 28 21:03:48 hcsvrxx named[5687]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
Mar 28 21:03:48 hcsvrxx named[5687]: ----------------------------------------------------
Mar 28 21:03:48 hcsvrxx named[5687]: BIND 9 is maintained by Internet Systems Consortium,
Mar 28 21:03:48 hcsvrxx named[5687]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 28 21:03:48 hcsvrxx named[5687]: corporation. Support and training for BIND 9 are
Mar 28 21:03:48 hcsvrxx named[5687]: available at https://www.isc.org/support
Mar 28 21:03:48 hcsvrxx named[5687]: ----------------------------------------------------
Mar 28 21:03:48 hcsvrxx named[5687]: adjusted limit on open files from 4096 to 1048576
Mar 28 21:03:48 hcsvrxx named[5687]: found 2 CPUs, using 2 worker threads
Mar 28 21:03:48 hcsvrxx named[5687]: using 2 UDP listeners per interface
Mar 28 21:03:48 hcsvrxx named[5687]: using up to 4096 sockets
Mar 28 21:03:48 hcsvrxx named[5687]: loading configuration from '/etc/bind/named.conf'
Mar 28 21:03:49 hcsvrxx named[5687]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv4 port range: [1024, 65535]
Mar 28 21:03:49 hcsvrxx named[5687]: using default UDP/IPv6 port range: [1024, 65535]
Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 28 21:03:49 hcsvrxx named[5687]: listening on IPv4 interface eth0, 10.xxx.78.xx#53
Mar 28 21:03:49 hcsvrxx named[5687]: generating session key for dynamic DNS
Mar 28 21:03:49 hcsvrxx named[5687]: sizing zone task pool based on 17835 zones
Mar 28 21:03:50 hcsvrxx named[5687]: set up managed keys zone for view _default, file 'managed-keys.bind'
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 64.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 65.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 66.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 67.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 68.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 69.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 70.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 71.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 72.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 73.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 74.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 75.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 76.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 77.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 78.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 79.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 80.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 81.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 82.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 83.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 84.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 85.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 86.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 87.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 88.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 89.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 90.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 91.100.IN-ADDR.ARPA
Mar 28 21:03:50 hcsvrxx named[5687]: automatic empty zone: 92.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 93.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 94.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 95.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 96.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 97.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 98.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 99.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 101.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 102.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 103.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 104.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 105.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 106.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 107.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 108.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 109.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 110.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 111.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 112.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 114.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 115.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 116.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 117.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 118.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 119.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 120.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 121.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 122.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 123.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 124.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 125.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 126.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 127.100.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: D.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: A.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: B.E.F.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 127.0.0.1#953
Mar 28 21:03:51 hcsvrxx named[5687]: command channel listening on 10.xxx.78.xx#953
Mar 28 21:03:56 hcsvrxx rbind.sh[5694]: ...The bind9 service has restarted.
general.log
28-Mar-2016 13:37:16.169 running
28-Mar-2016 21:03:47.629 received control channel command 'stop -p'
28-Mar-2016 21:03:47.630 shutting down: flushing changes
28-Mar-2016 21:03:47.630 stopping command channel on 127.0.0.1#953
28-Mar-2016 21:03:47.630 stopping command channel on 10.xxx.78.xx#953
28-Mar-2016 21:03:48.010 exiting
28-Mar-2016 21:03:51.577 managed-keys-zone: loaded serial 4
28-Mar-2016 21:03:51.603 zone 200words.ae/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:54.975 zone hili-caffinated.local/IN: loaded serial 32816102
28-Mar-2016 21:03:54.975 zone glassbu.info/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:51.635 zone xxx.10.in-addr.arpa/IN: loaded serial 32816202
28-Mar-2016 21:03:51.635 zone comunadepilar.gob.ar/IN: loaded serial 32816300
<Irrelevant zone entries omitted though very similar to above>
28-Mar-2016 21:03:55.791 all zones loaded
28-Mar-2016 21:03:56.137 running
*Note: the unrelated zones are created through the same script and all worked in the previous environment on the same machine. Only the network information has changed.
SYSLOG entries from a DHCP exchange
Mar 28 22:14:47 hcsvrxx dhcpd: DHCPDISCOVER from xx:xx:xx:xx:96:d8 via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPOFFER on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: Can't create new lease file: Permission denied
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPREQUEST for 10.xxx.78.xx (10.xxx.78.xx) from xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: DHCPACK on 10.xxx.78.xx to xx:xx:xx:xx:96:d8 (hcvmwdxx) via eth0
Mar 28 22:14:48 hcsvrxx dhcpd: Added new forward map from hcvmwdxx.hili-caffinated.local to 10.xxx.78.xx
Mar 28 22:14:48 hcsvrxx dhcpd: Added reverse map from xx.78.xxx.10.in-addr.arpa to hcvmwdxx.hili-caffinated.local
Note: the lease file is a problem that the appropriate people are currently working on and does not need to be addressed here.
If anything else is needed, please let me know.
The problem is the order of the IP address octets in the reverse zone file /var/lib/bind/db.xxx.10.in-addr.arpa.
In the reverse zone declaration you used xxx.10.in-addr.arpa as the $ORIGIN, but in the zone file you used:
78.xx IN PTR hcptrxx.hili-caffinated.local.
As a result, 10.xxx.xx.78 resolves to hcptrxx.hili-caffinated.local, which is clearly not what you want.
Fix the order in the PTR records:
xx.78 IN PTR hcptrxx.hili-caffinated.local.
so that 10.xxx.78.xx correctly resolves to hcptrxx.hili-caffinated.local.
Likewise, do:
255.79 IN PTR hcbroadcast.hili-caffinated.local.
To aid understanding, note that IP octets always work backwards, in reverse, in zone and PTR record declarations.