BIND9 - Problems with zone transfer to the secondary server



Imagine
09.05.19, 10:22
Hello,

I have installed two DNS servers as VMs with KVM on a Debian Stretch Linux machine (192.168.0.2): DNS master 192.168.200.2 and DNS slave 192.168.200.3. The BIND files are set up as follows:

Primary DNS, 192.168.200.2:
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.local

include "/etc/bind/named.conf.log";
zone "linux.local" {
type master;
file "de/db.linux.local.txt";
allow-transfer {
127.0.0.1; # localhost
192.168.200.2; # Primary DNS
192.168.200.3; # Secondary DNS
};
notify yes;
};

zone "200.168.192.in-addr.arpa" {
type master;
file "db.200.168.192";
allow-transfer {
192.168.200.3; # Secondary DNS
};
notify yes;
};

named.conf.options

options {
directory "/var/lib/bind";

version "My version is so secret that I even don't know what I'm running on";

auth-nxdomain no; # conform to RFC1035

allow-transfer {
192.168.200.3;
};

allow-recursion {
trusted;
};

allow-notify {
ns2.linux.local;
192.168.200.3;
};

listen-on {
any;
};

// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
blackhole {
bogon;
};
};

acl trusted {
192.168.200.2;
192.168.200.3;
localhost;
192.168.0.2;
};

acl bogon {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
92.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};


/var/lib/bind/de/db.linux.local.txt

$TTL 172800
linux.local. IN SOA ns1.linux.local. hostmaster.linux.local. (
2019050803 ; Serial
8H ; refresh after 8 hours
2H ; retry after 2 hours
1W ; expire after 1 week
3H ) ; NX (TTL Negative Cache) of 3 hours

; Name Servers
IN NS ns1.linux.local. ; 192.168.200.2
@ IN NS ns2.linux.local. ; 192.168.200.3

; Mail Exchanger
@ IN MX 10 mx.linux.local.
@ IN MX 20 mx2.linux.local.

; Resource Records
@ IN A 192.168.200.2
ns1 IN A 192.168.200.2
ns2 IN A 192.168.200.3
mx IN A 192.168.200.4
mx2 IN A 192.168.200.5
www IN A 192.168.200.7
project IN CNAME 188.40.80.7


/var/lib/bind/db.200.168.192

$TTL 172800
@ IN SOA ns1.linux.local. hostmaster.linux.local. (
2019050803 ; Serial
8H ; refresh after 8 hours
2H ; retry after 2 hours
1W ; expire after 1 week
3H ) ; NX (TTL Negative Cache) of 3 hours

@ IN NS ns1.linux.local. ; 192.168.200.2
@ IN NS ns2.linux.local. ; 192.168.200.3

2 IN PTR ns1.linux.local.
3 IN PTR ns2.linux.local.
4 IN PTR mx.linux.local.
5 IN PTR mx2.linux.local.
7 IN PTR www.linux.local.

Secondary DNS, 192.168.200.3:
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.local

zone "linux.local" {
type slave;
file "slaves/db.linux.local.txt";
masters {
192.168.200.2;
};
};

zone "200.168.192.in-addr.arpa" {
type slave;
file "slaves/db.200.168.192";
masters {
192.168.200.2;
};
};


named.conf.options

options {
directory "/var/lib/bind";

version "My version is so secret that I even don't know what I'm running on";

recursion yes;

auth-nxdomain no; # conform to RFC1035

allow-recursion {
trusted;
};

allow-transfer { none; };

listen-on {
any;
};
blackhole {
bogon;
};
};

acl trusted {
192.168.200.2;
192.168.200.3;
localhost;
192.168.0.2;
};

acl bogon {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
92.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};

When I now start both servers, I can see the primary DNS correctly serving the data:


ns1:/etc/bind # dig @127.0.0.1 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22787
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.linux.local. IN A

;; ANSWER SECTION:
ns2.linux.local. 172800 IN A 192.168.200.3

;; AUTHORITY SECTION:
linux.local. 172800 IN NS ns2.linux.local.
linux.local. 172800 IN NS ns1.linux.local.

;; ADDITIONAL SECTION:
ns1.linux.local. 172800 IN A 192.168.200.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:08:32 CEST 2019
;; MSG SIZE rcvd: 108


dig @127.0.0.1 MX linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 MX linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;linux.local. IN MX

;; ANSWER SECTION:
linux.local. 172800 IN MX 20 mx2.linux.local.
linux.local. 172800 IN MX 10 mx.linux.local.

;; AUTHORITY SECTION:
linux.local. 172800 IN NS ns1.linux.local.
linux.local. 172800 IN NS ns2.linux.local.

;; ADDITIONAL SECTION:
mx.linux.local. 172800 IN A 192.168.200.4
mx2.linux.local. 172800 IN A 192.168.200.5
ns1.linux.local. 172800 IN A 192.168.200.2
ns2.linux.local. 172800 IN A 192.168.200.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:09:38 CEST 2019
;; MSG SIZE rcvd: 179

The log file /var/log/bind/bind.log also shows that notify is being sent:

08-May-2019 17:51:17.929 general: info: received control channel command 'stop'
08-May-2019 17:51:17.930 general: info: shutting down: flushing changes
08-May-2019 17:51:17.930 general: notice: stopping command channel on 127.0.0.1#953
08-May-2019 17:51:17.930 general: notice: stopping command channel on ::1#953
08-May-2019 17:51:17.930 network: info: no longer listening on ::#53
08-May-2019 17:51:17.930 network: info: no longer listening on 127.0.0.1#53
08-May-2019 17:51:17.930 network: info: no longer listening on 192.168.200.2#53
08-May-2019 17:51:17.934 general: notice: exiting
08-May-2019 17:51:17.980 general: info: managed-keys-zone: loaded serial 0
08-May-2019 17:51:17.980 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.982 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.982 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.983 general: info: zone localhost/IN: loaded serial 2
08-May-2019 17:51:17.983 general: info: zone 200.168.192.in-addr.arpa/IN: loaded serial 2019050803
08-May-2019 17:51:17.983 general: info: zone linux.local/IN: loaded serial 2019050803
08-May-2019 17:51:17.983 general: notice: all zones loaded
08-May-2019 17:51:17.983 general: notice: running
08-May-2019 17:51:17.984 notify: info: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2019050803)
08-May-2019 17:51:17.984 notify: info: zone linux.local/IN: sending notifies (serial 2019050803)


But no transfers arrive on the secondary DNS 192.168.200.3:

# ll /var/lib/bind/slaves/
insgesamt 0

08-May-2019 15:49:37.968 general: info: managed-keys-zone: loaded serial 0
08-May-2019 15:49:37.968 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.970 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.972 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.973 general: info: zone localhost/IN: loaded serial 2
08-May-2019 15:49:37.973 general: notice: all zones loaded
08-May-2019 15:49:37.973 general: notice: running
08-May-2019 17:47:17.782 general: info: received control channel command 'stop'
08-May-2019 17:47:17.782 general: info: shutting down: flushing changes
08-May-2019 17:47:17.782 general: notice: stopping command channel on 127.0.0.1#953
08-May-2019 17:47:17.782 general: notice: stopping command channel on ::1#953
08-May-2019 17:47:17.782 network: info: no longer listening on ::#53
08-May-2019 17:47:17.782 network: info: no longer listening on 127.0.0.1#53
08-May-2019 17:47:17.782 network: info: no longer listening on 192.168.200.3#53
08-May-2019 17:47:17.785 general: notice: exiting
08-May-2019 17:47:17.820 general: info: managed-keys-zone: loaded serial 0
08-May-2019 17:47:17.820 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.825 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.827 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.827 general: info: zone localhost/IN: loaded serial 2
08-May-2019 17:47:17.827 general: notice: all zones loaded
08-May-2019 17:47:17.827 general: notice: running


In addition I have set the following iptables rules on both servers:

iptables -A INPUT -p udp --sport 53 -d 192.168.200.2 -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -d 192.168.200.2 -j ACCEPT
iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere ns1.linux.local udp spt:domain

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere ns1.linux.local udp dpt:domain

and


iptables -A INPUT -p udp --sport 53 -d 192.168.200.3 -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -d 192.168.200.3 -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere ns2.linux.local udp spt:domain

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere ns2.linux.local udp dpt:domain

On the secondary DNS:


dig @127.0.0.1 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44354
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.linux.local. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:17:17 CEST 2019
;; MSG SIZE rcvd: 44

From the KVM host 192.168.0.2:

dig @192.168.200.2 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @192.168.200.2 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

A telnet on the name servers themselves works:


telnet 127.0.0.1 53
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.


Telnet to the name servers does not work:

telnet 192.168.200.2 53
Trying 192.168.200.2...
Connected to 192.168.200.2.
Escape character is '^]'.
Connection closed by foreign host.

What I would like to know now is what I am still doing wrong, so that a) a zone transfer to the secondary DNS takes place and b) I can also query both servers from the host.

Best regards

Imagine
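As an added example (not part of the original post), a small Python checker that evaluates the primary's blackhole and allow-transfer address match lists the way named does and reports what a given peer address would get. The security-relevant point it makes visible: the posted bogon ACL contains 192.168.0.0/16, and blackhole { bogon; } makes named silently drop every packet from that range, which covers both the secondary (192.168.200.3) and the KVM host (192.168.0.2). The embedded config is a shortened copy of the posted options (bogon list cut down, option-level lists only; the zone-level allow-transfer in named.conf.local is not modelled); the "localhost" handling is an approximation.

```python
import ipaddress
import re

# Constructed, shortened excerpt of the posted named.conf.options; "bogon" resolves through the acl table.
CONFIG = """
acl trusted { 192.168.200.2; 192.168.200.3; localhost; 192.168.0.2; };
acl bogon { 0.0.0.0/8; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12;
            192.0.2.0/24; 192.168.0.0/16; 224.0.0.0/3; };
options { blackhole { bogon; }; allow-transfer { 192.168.200.3; }; };
"""
ACL_RE = re.compile(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}')
OPT_RE = re.compile(r'(blackhole|allow-transfer)\s*\{([^}]*)\}')

def parse_lists(text):
    """Return ({acl name: elements}, {option: elements}) for the address match lists."""
    split = lambda body: [e.strip() for e in body.split(';') if e.strip()]
    acls = {name: split(body) for name, body in ACL_RE.findall(text)}
    opts = {name: split(body) for name, body in OPT_RE.findall(text)}
    return acls, opts

def matches(addr, elements, acls):
    """BIND address_match_list semantics: the first matching element decides, '!' negates it."""
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negate, e = elem.startswith('!'), elem.lstrip('!').strip()
        if e == 'any':
            hit = True
        elif e == 'none':
            hit = False
        elif e == 'localhost':
            hit = ip.is_loopback  # approximation: named also matches its own interface addresses
        elif e in acls:
            hit = matches(addr, acls[e], acls)
        else:
            try:
                hit = ip in ipaddress.ip_network(e, strict=False)
            except ValueError:  # e.g. a hostname: named-checkconf reports an undefined ACL
                raise ValueError(f"{e!r} is not an address, prefix or defined acl") from None
        if hit:
            return not negate
    return False

def transfer_diagnosis(text, peer):
    """Why a given peer would or would not get an AXFR from this server."""
    acls, opts = parse_lists(text)
    if matches(peer, opts.get('blackhole', []), acls):
        return 'blackholed'  # named drops every packet from peer: no query, NOTIFY or AXFR
    if matches(peer, opts.get('allow-transfer', ['any']), acls):  # BIND 9.10 default: any
        return 'transfer-allowed'
    return 'transfer-refused'
```

Running transfer_diagnosis(CONFIG, '192.168.200.3') returns 'blackholed'; with 192.168.0.0/16 removed from the bogon ACL it returns 'transfer-allowed', while the host 192.168.0.2 then gets 'transfer-refused' because only the secondary is listed in allow-transfer.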