Hello,

On a Debian Stretch Linux host (192.168.0.2) with KVM I have installed two DNS servers as VMs: DNS master 192.168.200.2 and DNS slave 192.168.200.3. The BIND files are set up as follows:

Primary DNS, 192.168.200.2:
named.conf
Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.local
Code:
include "/etc/bind/named.conf.log";
zone "linux.local" {
        type master;
        file "de/db.linux.local.txt";
        allow-transfer {
                127.0.0.1;                      # localhost
                192.168.200.2;                  # Primary DNS
                192.168.200.3;                  # Secondary DNS
        };
        notify yes;
};

zone "200.168.192.in-addr.arpa" {
        type master;
        file "db.200.168.192";
        allow-transfer {
                192.168.200.3;                   # Secondary DNS
        };
        notify yes;
};
named.conf.options
Code:
options {
        directory "/var/lib/bind";

        version "My version is so secret that I even don't know what I'm running on";

        auth-nxdomain no;    # conform to RFC1035

        allow-transfer {
                192.168.200.3;
                };

        allow-recursion {
                trusted;
                };

        allow-notify { 
                ns2.linux.local; 
                192.168.200.3;
                };

        listen-on {
                any;
                };

        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        blackhole {
                bogon;
                };
};

acl trusted {
        192.168.200.2;
        192.168.200.3;
        localhost;
        192.168.0.2;
        };

acl bogon {
        0.0.0.0/8;
        1.0.0.0/8;
        2.0.0.0/8;
        5.0.0.0/8;
        7.0.0.0/8;
        10.0.0.0/8;
        23.0.0.0/8;
        27.0.0.0/8;
        31.0.0.0/8;
        36.0.0.0/8;
        37.0.0.0/8;
        39.0.0.0/8;
        42.0.0.0/8;
        49.0.0.0/8;
        50.0.0.0/8;
        92.0.0.0/8;
        94.0.0.0/8;
        95.0.0.0/8;
        100.0.0.0/8;
        101.0.0.0/8;
        102.0.0.0/8;
        103.0.0.0/8;
        104.0.0.0/8;
        105.0.0.0/8;
        106.0.0.0/8;
        107.0.0.0/8;
        108.0.0.0/8;
        109.0.0.0/8;
        110.0.0.0/8;
        111.0.0.0/8;
        112.0.0.0/8;
        113.0.0.0/8;
        114.0.0.0/8;
        115.0.0.0/8;
        116.0.0.0/8;
        117.0.0.0/8;
        118.0.0.0/8;
        119.0.0.0/8;
        120.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        173.0.0.0/8;
        174.0.0.0/8;
        175.0.0.0/8;
        176.0.0.0/8;
        177.0.0.0/8;
        178.0.0.0/8;
        179.0.0.0/8;
        180.0.0.0/8;
        181.0.0.0/8;
        182.0.0.0/8;
        183.0.0.0/8;
        184.0.0.0/8;
        185.0.0.0/8;
        186.0.0.0/8;
        187.0.0.0/8;
        192.0.2.0/24;
        192.168.0.0/16;
        197.0.0.0/8;
        223.0.0.0/8;
        224.0.0.0/3;
        };

/var/lib/bind/de/db.linux.local.txt
Code:
$TTL 172800
linux.local.            IN      SOA     ns1.linux.local. hostmaster.linux.local. (
                                        2019050803              ; Serial
                                        8H                      ; refresh after 8 hours
                                        2H                      ; retry after 2 hours
                                        1W                      ; expire after 1 week
                                        3H )                    ; NX (TTL Negative Cache) of 3 hours

; Name Servers
                        IN      NS      ns1.linux.local.        ; 192.168.200.2
@                       IN      NS      ns2.linux.local.        ; 192.168.200.3

; Mail Exchanger
@                       IN      MX 10   mx.linux.local.
@                       IN      MX 20   mx2.linux.local.

; Resource Records
@                       IN      A       192.168.200.2
ns1                     IN      A       192.168.200.2
ns2                     IN      A       192.168.200.3
mx                      IN      A       192.168.200.4
mx2                     IN      A       192.168.200.5
www                     IN      A       192.168.200.7
project                 IN      CNAME   188.40.80.7
/var/lib/bind/db.200.168.192
Code:
$TTL 172800
@                       IN      SOA     ns1.linux.local. hostmaster.linux.local. (
                                        2019050803              ; Serial
                                        8H                      ; refresh after 8 hours
                                        2H                      ; retry after 2 hours
                                        1W                      ; expire after 1 week
                                        3H )                    ; NX (TTL Negative Cache) of 3 hours

@                       IN      NS      ns1.linux.local.      ; 192.168.200.2
@                       IN      NS      ns2.linux.local.      ; 192.168.200.3

2                       IN      PTR     ns1.linux.local.
3                       IN      PTR     ns2.linux.local.
4                       IN      PTR     mx.linux.local.
5                       IN      PTR     mx2.linux.local.
7                       IN      PTR     www.linux.local.
Secondary DNS, 192.168.200.3:
named.conf
Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.local
Code:
zone "linux.local" {
        type slave;
        file "slaves/db.linux.local.txt";
        masters {
                192.168.200.2;
        };
};

zone "200.168.192.in-addr.arpa" {
        type slave;
        file "slaves/db.200.168.192";
        masters {
                192.168.200.2;
        };
};
named.conf.options
Code:
options {
        directory "/var/lib/bind";

        version "My version is so secret that I even don't know what I'm running on";

        recursion yes;

        auth-nxdomain no;    # conform to RFC1035

        allow-recursion {
                trusted;
                };
                
        allow-transfer { none; };

        listen-on {
                any;
                };
        blackhole {
                bogon;
                };
};

acl trusted {
        192.168.200.2;
        192.168.200.3;
        localhost;
        192.168.0.2;
        };

acl bogon {
        0.0.0.0/8;
        1.0.0.0/8;
        2.0.0.0/8;
        5.0.0.0/8;
        7.0.0.0/8;
        10.0.0.0/8;
        23.0.0.0/8;
        27.0.0.0/8;
        31.0.0.0/8;
        36.0.0.0/8;
        37.0.0.0/8;
        39.0.0.0/8;
        42.0.0.0/8;
        49.0.0.0/8;
        50.0.0.0/8;
        92.0.0.0/8;
        94.0.0.0/8;
        95.0.0.0/8;
        100.0.0.0/8;
        101.0.0.0/8;
        102.0.0.0/8;
        103.0.0.0/8;
        104.0.0.0/8;
        105.0.0.0/8;
        106.0.0.0/8;
        107.0.0.0/8;
        108.0.0.0/8;
        109.0.0.0/8;
        110.0.0.0/8;
        111.0.0.0/8;
        112.0.0.0/8;
        113.0.0.0/8;
        114.0.0.0/8;
        115.0.0.0/8;
        116.0.0.0/8;
        117.0.0.0/8;
        118.0.0.0/8;
        119.0.0.0/8;
        120.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        173.0.0.0/8;
        174.0.0.0/8;
        175.0.0.0/8;
        176.0.0.0/8;
        177.0.0.0/8;
        178.0.0.0/8;
        179.0.0.0/8;
        180.0.0.0/8;
        181.0.0.0/8;
        182.0.0.0/8;
        183.0.0.0/8;
        184.0.0.0/8;
        185.0.0.0/8;
        186.0.0.0/8;
        187.0.0.0/8;
        192.0.2.0/24;
        192.168.0.0/16;
        197.0.0.0/8;
        223.0.0.0/8;
        224.0.0.0/3;
        };
When I now start both servers, I can see the primary DNS delivering the data correctly:

Code:
ns1:/etc/bind # dig @127.0.0.1 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opCODE: QUERY, status: NOERROR, id: 22787
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.linux.local.               IN      A

;; ANSWER SECTION:
ns2.linux.local.        172800  IN      A       192.168.200.3

;; AUTHORITY SECTION:
linux.local.            172800  IN      NS      ns2.linux.local.
linux.local.            172800  IN      NS      ns1.linux.local.

;; ADDITIONAL SECTION:
ns1.linux.local.        172800  IN      A       192.168.200.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:08:32 CEST 2019
;; MSG SIZE  rcvd: 108
Code:
dig @127.0.0.1 MX linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 MX linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opCODE: QUERY, status: NOERROR, id: 29821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;linux.local.                   IN      MX

;; ANSWER SECTION:
linux.local.            172800  IN      MX      20 mx2.linux.local.
linux.local.            172800  IN      MX      10 mx.linux.local.

;; AUTHORITY SECTION:
linux.local.            172800  IN      NS      ns1.linux.local.
linux.local.            172800  IN      NS      ns2.linux.local.

;; ADDITIONAL SECTION:
mx.linux.local.         172800  IN      A       192.168.200.4
mx2.linux.local.        172800  IN      A       192.168.200.5
ns1.linux.local.        172800  IN      A       192.168.200.2
ns2.linux.local.        172800  IN      A       192.168.200.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:09:38 CEST 2019
;; MSG SIZE  rcvd: 179
The log file /var/log/bind/bind.log also shows that notify is being sent:
Code:
08-May-2019 17:51:17.929 general: info: received control channel command 'stop'
08-May-2019 17:51:17.930 general: info: shutting down: flushing changes
08-May-2019 17:51:17.930 general: notice: stopping command channel on 127.0.0.1#953
08-May-2019 17:51:17.930 general: notice: stopping command channel on ::1#953
08-May-2019 17:51:17.930 network: info: no longer listening on ::#53
08-May-2019 17:51:17.930 network: info: no longer listening on 127.0.0.1#53
08-May-2019 17:51:17.930 network: info: no longer listening on 192.168.200.2#53
08-May-2019 17:51:17.934 general: notice: exiting
08-May-2019 17:51:17.980 general: info: managed-keys-zone: loaded serial 0
08-May-2019 17:51:17.980 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.982 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.982 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:51:17.983 general: info: zone localhost/IN: loaded serial 2
08-May-2019 17:51:17.983 general: info: zone 200.168.192.in-addr.arpa/IN: loaded serial 2019050803
08-May-2019 17:51:17.983 general: info: zone linux.local/IN: loaded serial 2019050803
08-May-2019 17:51:17.983 general: notice: all zones loaded
08-May-2019 17:51:17.983 general: notice: running
08-May-2019 17:51:17.984 notify: info: zone 200.168.192.in-addr.arpa/IN: sending notifies (serial 2019050803)
08-May-2019 17:51:17.984 notify: info: zone linux.local/IN: sending notifies (serial 2019050803)
But no transfers arrive on the secondary DNS 192.168.200.3:
Code:
# ll /var/lib/bind/slaves/
insgesamt 0
Code:
08-May-2019 15:49:37.968 general: info: managed-keys-zone: loaded serial 0
08-May-2019 15:49:37.968 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.970 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.972 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 15:49:37.973 general: info: zone localhost/IN: loaded serial 2
08-May-2019 15:49:37.973 general: notice: all zones loaded
08-May-2019 15:49:37.973 general: notice: running
08-May-2019 17:47:17.782 general: info: received control channel command 'stop'
08-May-2019 17:47:17.782 general: info: shutting down: flushing changes
08-May-2019 17:47:17.782 general: notice: stopping command channel on 127.0.0.1#953
08-May-2019 17:47:17.782 general: notice: stopping command channel on ::1#953
08-May-2019 17:47:17.782 network: info: no longer listening on ::#53
08-May-2019 17:47:17.782 network: info: no longer listening on 127.0.0.1#53
08-May-2019 17:47:17.782 network: info: no longer listening on 192.168.200.3#53
08-May-2019 17:47:17.785 general: notice: exiting
08-May-2019 17:47:17.820 general: info: managed-keys-zone: loaded serial 0
08-May-2019 17:47:17.820 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.825 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.827 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
08-May-2019 17:47:17.827 general: info: zone localhost/IN: loaded serial 2
08-May-2019 17:47:17.827 general: notice: all zones loaded
08-May-2019 17:47:17.827 general: notice: running
In addition I have set the following iptables rules on both servers:
Code:
iptables -A INPUT -p udp --sport 53 -d 192.168.200.2 -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -d 192.168.200.2 -j ACCEPT
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             ns1.linux.local      udp spt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             ns1.linux.local      udp dpt:domain
and

Code:
iptables -A INPUT -p udp --sport 53 -d 192.168.200.3 -j ACCEPT
iptables -A OUTPUT -p udp --dport domain -d 192.168.200.3 -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             ns2.linux.local      udp spt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             ns2.linux.local      udp dpt:domain
On the secondary DNS:

Code:
dig @127.0.0.1 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opCODE: QUERY, status: SERVFAIL, id: 44354
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.linux.local.               IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 08 18:17:17 CEST 2019
;; MSG SIZE  rcvd: 44
From the KVM host 192.168.0.2:
Code:
dig @192.168.200.2 ns2.linux.local

; <<>> DiG 9.10.3-P4-Debian <<>> @192.168.200.2 ns2.linux.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
A telnet on the nameservers themselves works:

Code:
telnet 127.0.0.1 53
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Telnet to the nameservers from outside does not work:
Code:
telnet 192.168.200.2 53
Trying 192.168.200.2...
Connected to 192.168.200.2.
Escape character is '^]'.
Connection closed by foreign host.
What I would like to know is what I am still doing wrong, so that a) a zone transfer to the secondary DNS takes place and b) I can also query both servers from the host.

Best regards

Imagine
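As an added example (not part of the post above), a small Python checker that expands the `blackhole { bogon; }` statement of the posted named.conf.options into networks and reports which of the addresses from the post fall inside it. BIND neither answers queries from nor sends NOTIFY or SOA/AXFR requests to blackholed addresses, so this is the first thing to verify before looking at iptables. The configuration excerpt is constructed from the entries listed in the post; the peer list is the addresses the post names.

```python
import ipaddress
import re

# Constructed excerpt with the same layout as the posted named.conf.options
# (only the entries needed for the check; the posted bogon list is longer).
NAMED_CONF_OPTIONS = """
options {
        blackhole {
                bogon;
                };
};

acl bogon {
        10.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        192.0.2.0/24;
        192.168.0.0/16;
        224.0.0.0/3;
        };
"""

# Addresses from the post that must be able to talk to named.
PEERS = {
    "primary ns1": "192.168.200.2",
    "secondary ns2": "192.168.200.3",
    "KVM host": "192.168.0.2",
}


def parse_acls(conf):
    """Return {acl_name: [network, ...]} for every 'acl name { ... };' block.
    Non-network entries such as 'localhost' or nested acl names are skipped."""
    acls = {}
    for name, body in re.findall(r"acl\s+(\S+)\s*\{([^}]*)\}", conf):
        nets = []
        for entry in (e.strip() for e in body.split(";") if e.strip()):
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue
        acls[name] = nets
    return acls


def blackholed_networks(conf):
    """Expand the acl names listed in options { blackhole { ... }; } into networks."""
    acls = parse_acls(conf)
    m = re.search(r"blackhole\s*\{([^}]*)\}", conf)
    if not m:
        return []
    nets = []
    for item in (e.strip() for e in m.group(1).split(";") if e.strip()):
        nets.extend(acls.get(item, []))  # assumes each item is an acl name
    return nets


def blackholed_peers(conf, peers):
    """Map peer label -> first blackholed network that contains the peer."""
    nets = blackholed_networks(conf)
    hits = {}
    for label, addr in peers.items():
        ip = ipaddress.ip_address(addr)
        for net in nets:
            if ip in net:
                hits[label] = str(net)
                break
    return hits


if __name__ == "__main__":
    for label, net in blackholed_peers(NAMED_CONF_OPTIONS, PEERS).items():
        print(f"{label} ({PEERS[label]}) is blackholed by {net}")
```

Every peer in the post sits inside 192.168.0.0/16, which the bogon ACL hands to `blackhole`; removing that entry (or both RFC 1918 ranges actually in use) makes the check come back empty.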