[Original] Fixing BIND view master/slave zone transfers that fail to sync
A former customer sent me a message on MSN saying their DNS could only sync the China Telecom (CT) view but not the China Netcom (CNC) view. I had not touched a DNS server in a long time and was rusty, but after reading the BIND documentation the problem was solved. I am writing it down here for future reference.
Environment
The customer provides two servers and wants visitors resolved to a different server depending on the visitor's IP. This is done with BIND's acl and view options: the source address of each visitor is matched against an ACL, and the same name is answered with a different IP in each view.
Example domain: www.abc.com
IPs:
A (master): 111.111.111.111 (public), 192.168.1.1 (internal)
B (slave): 222.222.222.222 (public), 192.168.1.2 (internal)
Why the sync failed
Initially every view was synced over the internal network. If, from the master's point of view, the slave is only ever seen with one particular source address, the master will serve only the single view that this source address matches. 192.168.1.2 falls under any, so only the CT view could be synced. BIND 9's transfer-source option sets the source IP a slave uses for zone transfers, so the problem can be solved by making the slave use its public IP for one of the transfers; alternatively, give the internal interface a second address (eth1 and eth1:1) so that the internal side has two IPs. Also check that the clocks of the two servers agree.
The correct configuration is as follows:
Configuration of A (master)
[code language="shell"]
options {
    directory "/var/named";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    notify yes;
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxx";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "CNC" {
    58.144.0.0/16;
    ..................
    222.163.64.0/18;
};
view "CNC Net" {
    match-clients { !222.222.222.222; CNC; };  // exclude the slave's public IP from the CNC view's client match
    recursion yes;
    allow-transfer { 192.168.1.2; };  // slave address allowed to transfer the CNC view's zones
    also-notify { 192.168.1.2; };
    zone "." IN {
        type hint;
        file "etc/named.root";
    };
    zone "abc.com" IN {
        type master;
        file "conf/cnc.abc.com.zone.db";
    };
};
view "CT Net" {
    match-clients { !192.168.1.2; any; };  // exclude the slave's internal IP from the CT view's client match
    recursion yes;
    allow-transfer { 222.222.222.222; };  // slave address allowed to transfer the CT view's zones
    also-notify { 222.222.222.222; };
    zone "." IN {
        type hint;
        file "etc/named.root";
    };
    zone "abc.com" IN {
        type master;
        file "conf/ct.abc.com.zone.db";
    };
};
[/code]
Configuration of B (slave)
[code language="shell"]
options {
    directory "/var/named";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxx";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "CNC" {
    58.144.0.0/16;
    ..................
    222.163.64.0/18;
};
view "CNC Net" {
    match-clients { CNC; };
    recursion yes;
    transfer-source 192.168.1.2;  // source address used to transfer the CNC view's zone
    zone "." IN {
        type hint;
        file "etc/named.root";
    };
    zone "abc.com" IN {
        type slave;
        masters { 192.168.1.1; };
        file "conf/cnc.abc.com.zone.db";
    };
};
view "CT Net" {
    match-clients { any; };
    recursion yes;
    transfer-source 222.222.222.222;  // source address used to transfer the CT view's zone
    zone "." IN {
        type hint;
        file "etc/named.root";
    };
    zone "abc.com" IN {
        type slave;
        masters { 111.111.111.111; };
        file "conf/ct.abc.com.zone.db";
    };
};
[/code]
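As an added check (my own example code, not from the original post), here is a small model of how master A chooses a view, so you can see which view a given transfer source lands in before restarting named. It assumes BIND's first-match semantics for views and match-clients, uses only the two CNC ACL entries shown above since the rest of the ACL is elided, and the AFTER_EXPLICIT variant is an assumption of mine, not a line from the page.

```python
import ipaddress

# Constructed model of how master A chooses a view, based on the page's config.
# BIND takes views in file order: a client lands in the first view whose
# match-clients accepts its source address. Within match-clients the first
# element covering the address decides, and a "!" element rejects it.
# When no view accepts the address, the query (AXFR included) is REFUSED.
# Only the two CNC entries visible on the page are used; the rest is elided.
ACLS = {
    "CNC": ["58.144.0.0/16", "222.163.64.0/18"],
    "any": ["0.0.0.0/0"],
}

def _covers(ip, element, acls):
    """True if one address-list element (ACL name or address/prefix) covers ip."""
    if element in acls:
        return any(_covers(ip, e, acls) for e in acls[element])
    return ip in ipaddress.ip_network(element, strict=False)

def _match_clients(ip, elements, acls):
    """First element covering ip decides; a '!' element that covers ip rejects."""
    for element in elements:
        negated = element.startswith("!")
        if _covers(ip, element.lstrip("!"), acls):
            return not negated
    return False

def select_view(source_ip, views, acls=ACLS):
    """Return the first view name accepting source_ip, or None (REFUSED)."""
    ip = ipaddress.ip_address(source_ip)
    for name, elements in views:
        if _match_clients(ip, elements, acls):
            return name
    return None

# Master A before the fix: every transfer arrived from the slave's internal IP.
BEFORE = [("CNC Net", ["CNC"]), ("CT Net", ["any"])]
# Master A as configured on the page after the fix.
AFTER = [("CNC Net", ["!222.222.222.222", "CNC"]),
         ("CT Net", ["!192.168.1.2", "any"])]
# Assumed variant (not on the page): the internal transfer source listed
# explicitly, so it reaches the CNC view even when the CNC ACL omits it.
AFTER_EXPLICIT = [("CNC Net", ["!222.222.222.222", "192.168.1.2", "CNC"]),
                  ("CT Net", ["!192.168.1.2", "any"])]

if __name__ == "__main__":
    for ip in ("192.168.1.2", "222.222.222.222", "58.144.1.1"):
        print(ip, select_view(ip, BEFORE), select_view(ip, AFTER),
              select_view(ip, AFTER_EXPLICIT))
```

Run it with your real ACL contents to confirm the slave's internal transfer source is accepted by the CNC view and rejected by the CT view; a None result is what the master answers as REFUSED.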
refresh: unexpected rcode (REFUSED) from master 10.0.0.4#53 (source 0.0.0.0#0): look at this. It is because the IP your update comes from is 0.0.0.0, which is not allowed on the master DNS. Add the option transfer-source 10.0.0.15; to the view on the slave DNS. Read the "Why the sync failed" section carefully!
Master: 10.0.0.4, slave: 10.0.0.15
If the view feature is removed (and removed on the slave as well), the update works.
System: FreeBSD 7.2
BIND 9.2p2
Error messages on the slave:
07-Jun-2009 01:01:19.660 running
07-Jun-2009 01:01:19.669 zone 0.0.10.in-addr.arpa/IN/host1: refresh: unexpected rcode (REFUSED) from master 10.0.0.4#53 (source 0.0.0.0#0)
07-Jun-2009 01:01:19.670 zone 0.0.10.in-addr.arpa/IN/host1: Transfer started.
07-Jun-2009 01:01:19.673 transfer of '0.0.10.in-addr.arpa/IN/host1' from 10.0.0.4#53: connected using 10.0.0.15#58259
07-Jun-2009 01:01:19.778 transfer of '0.0.10.in-addr.arpa/IN/host1' from 10.0.0.4#53: failed while receiving responses: REFUSED
07-Jun-2009 01:01:19.779 transfer of '0.0.10.in-addr.arpa/IN/host1' from 10.0.0.4#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.104 secs (0 bytes/sec)
07-Jun-2009 01:01:20.169 zone 0.168.192.in-addr.arpa/IN/host2: refresh: unexpected rcode (REFUSED) from master 10.0.0.4#53 (source 0.0.0.0#0)
07-Jun-2009 01:01:20.170 zone 0.168.192.in-addr.arpa/IN/host2: Transfer started.
07-Jun-2009 01:01:20.171 zone jazz.com/IN/host1: refresh: unexpected rcode (REFUSED) from master 10.0.0.4#53 (source 0.0.0.0#0)
07-Jun-2009 01:01:20.172 zone jazz.com/IN/host1: Transfer started.
07-Jun-2009 01:01:20.172 zone jazz.com/IN/host2: refresh: unexpected rcode (REFUSED) from master 10.0.0.4#53 (source 0.0.0.0#0)
07-Jun-2009 01:01:20.173 zone jazz.com/IN/host2: zone transfer deferred due to quota
07-Jun-2009 01:01:20.176 transfer of '0.168.192.in-addr.arpa/IN/host2' from 10.0.0.4#53: connected using 10.0.0.15#52706
07-Jun-2009 01:01:20.177 transfer of 'jazz.com/IN/host1' from 10.0.0.4#53: connected using 10.0.0.15#64332
07-Jun-2009 01:01:20.285 transfer of '0.168.192.in-addr.arpa/IN/host2' from 10.0.0.4#53: failed while receiving responses: REFUSED
07-Jun-2009 01:01:20.287 zone jazz.com/IN/host2: Transfer started.
07-Jun-2009 01:01:20.288 transfer of '0.168.192.in-addr.arpa/IN/host2' from 10.0.0.4#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.111 secs (0 bytes/sec)
07-Jun-2009 01:01:20.292 transfer of 'jazz.com/IN/host2' from 10.0.0.4#53: connected using 10.0.0.15#65072
07-Jun-2009 01:01:20.294 transfer of 'jazz.com/IN/host1' from 10.0.0.4#53: failed while receiving responses: REFUSED
07-Jun-2009 01:01:20.294 transfer of 'jazz.com/IN/host1' from 10.0.0.4#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.115 secs (0 bytes/sec)
07-Jun-2009 01:01:20.396 transfer of 'jazz.com/IN/host2' from 10.0.0.4#53: failed while receiving responses: REFUSED
07-Jun-2009 01:01:20.397 transfer of 'jazz.com/IN/host2' from 10.0.0.4#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.104 secs (0 bytes/sec)
Master name server configuration file:
[code language="shell"]
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "named_dump.db";
    statistics-file "named.stats";
    allow-query { any; };
    listen-on { 10.0.0.4; };
    listen-on-v6 { none; };
};
logging {
    channel query_log {
        file "/etc/namedb/query.log" versions 3 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries {
        query_log;
    };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "3AhxRPcWm96YOglJ2po0KA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
view "host1" {
    match-clients { 10.0.0.10; };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "jazz.com" IN {
        type master;
        file "host1/jazz.zone";
        allow-transfer { 10.0.0.15; };
    };
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "host1/jazz.arpa";
        allow-transfer { 10.0.0.15; };
    };
};
view "host2" {
    match-clients { 10.0.0.11; };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "jazz.com" IN {
        type master;
        file "host2/jazz.zone";
        allow-transfer { 10.0.0.15; };
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "host2/jazz.arpa";
        allow-transfer { 10.0.0.15; };
    };
};
[/code]
Slave name server configuration:
[code language="shell"]
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "named_dump.db";
    statistics-file "named.stats";
    allow-query { any; };
    listen-on { 10.0.0.15; };
    listen-on-v6 { none; };
};
logging {
    channel query_log {
        file "/etc/namedb/query.log" versions 3 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries {
        query_log;
    };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "3AhxRPcWm96YOglJ2po0KA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
view "host1" {
    match-clients { 10.0.0.10; };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "jazz.com" IN {
        type slave;
        file "jazz.zone";
        masters { 10.0.0.4; };
    };
    zone "0.0.10.in-addr.arpa" {
        type slave;
        file "jazz.arpa";
        masters { 10.0.0.4; };
    };
};
view "host2" {
    match-clients { 10.0.0.11; };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "jazz.com" IN {
        type slave;
        file "host2/jazz.zone";
        masters { 10.0.0.4; };
    };
    zone "0.168.192.in-addr.arpa" {
        type slave;
        file "host2/jazz.arpa";
        masters { 10.0.0.4; };
    };
};
[/code]