Dns

我的 A 記錄消失了:會是什麼原因?

  • November 1, 2021

我有一台小伺服器,設定為使用動態 DHCP(dhcpd 會自動更新 DNS 上的主機名稱)。運作正常,但其中一個 A 記錄神奇地消失了,而 PTR 記錄仍然存在。以下是我的設定

dhcpd.conf

# Global DDNS settings: the DHCP server performs the DNS updates itself
# (client updates are ignored below) using the TSIG key named in the
# zone {} stanzas at the end of this file.
authoritative;
ddns-update-style interim;
ddns-updates on;
# TTL placed on the A/PTR records dhcpd registers. It is configured
# independently of the lease times further down (default-lease-time /
# max-lease-time), so the two values do not have to agree.
ddns-ttl 600;
# Also register hosts that have a fixed-address (e.g. "samba4" below).
update-static-leases on;
ddns-domainname "mydomain.example";
ddns-rev-domainname "in-addr.arpa";
ignore client-updates;
# NOTE(review): with conflict detection off dhcpd does not check the existing
# DHCID/TXT record before replacing a name, so a client presenting a
# host-name that another host already registered can overwrite that host's
# A record. Worth re-enabling once the lease file has been rebuilt.
update-conflict-detection off;
include "/etc/dhcp/dhcp.mydomain.example";
# Name used for the DNS update: an explicit ddns-hostname if configured,
# else the client-supplied host-name option, else the leased address with
# dots replaced by dashes. The client therefore chooses its own DNS name.
ddns-hostname = pick-first-value(ddns-hostname, option host-name, binary-to-ascii(10,8, "-", leased-address));
max-lease-time 86400;
default-lease-time 14400;
option domain-name-servers 192.168.0.4, 192.168.0.1;
# NOTE(review): option code 119 is the standard Domain Search option, which
# dhcpd already knows as "domain-search" (used inside the subnet below);
# redefining the same code as a plain string under a new name looks like a
# conflict — confirm which definition clients actually receive.
option domain-search-order code 119 = string;
option domain-search-order "mydomain.example fritz.box";
subnet 192.168.0.0 netmask 255.255.255.0 {
       option broadcast-address 192.168.0.255;
       option subnet-mask 255.255.255.0;
       option routers 192.168.0.1;
   option domain-search "mydomain.example";
# Clients whose hardware address matches the (redacted) value are kept out
# of the pool via "deny members" below.
class "ignored" {
       match if substring(hardware,1,6) = ###################;
}
pool {
       deny members of "ignored";
       range 192.168.0.20 192.168.0.252;
       }
   }
#
# 
# The subnet where the server is attached
    
# Static reservation (MAC redacted). Because update-static-leases is on,
# this host is also registered in DNS, with its own longer TTL.
host samba4 {
hardware ethernet #####################;
fixed-address 192.168.0.5;
ddns-hostname "samba4";
ddns-ttl 604800;
}
# Forward and reverse zones dhcpd updates. The key name must match a key {}
# in named.conf and be granted in that zone's update-policy. In the posted
# named.conf the same key is also accepted on the rndc control channel, so
# a dedicated DDNS key would limit what a leaked DHCP secret can do.
zone mydomain.example.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}
zone 0.168.192.in-addr.arpa.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}

這是 named.conf

options {
   listen-on port 53 { 127.0.0.1; 192.168.0.4; };
   listen-on-v6 port 53 { ::1; };
   // Log every query; handy when tracing when a record stopped resolving,
   // but verbose.
   querylog yes;
   directory   "/var/named";
   dump-file   "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   recursing-file  "/var/named/data/named.recursing";
   secroots-file   "/var/named/data/named.secroots";
   // Queries are accepted from localhost and two local /24s.
   allow-query     { localhost; 192.168.0.0/24; 10.2.0.0/24;};
   /* 
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable 
      recursion. 
    - If your recursive DNS server has a public IP address, you MUST enable access 
      control to limit queries to your legitimate users. Failing to do so will
      cause your server to become part of large scale DNS amplification 
      attacks. Implementing BCP38 within your network would greatly
      reduce such attack surface 
   */
   // This server is authoritative AND recursive; exposure is limited only by
   // the allow-recursion list further down, so keep that list in sync with
   // allow-query.
   recursion yes;
   dnssec-enable yes;
   dnssec-validation yes;
   /* Path to ISC DLV key */
   // NOTE(review): ISC's DLV registry has been retired, so this key no longer
   // contributes to validation; safe to drop once nothing else references it.
   bindkeys-file "/etc/named.iscdlv.key";
   managed-keys-directory "/var/named/dynamic";
   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";
       // Zones may be added at runtime through rndc (see controls {} below).
       allow-new-zones yes;
       // NOTE(review): these force validation for the two zones this server
       // signs itself (inline-signing below); confirm that is intended and
       // not a leftover from a resolver-only template.
       dnssec-must-be-secure "mydomain.example" yes;
       dnssec-must-be-secure "0.168.192.in-addr.arpa" yes;
       // Default: no zone transfers except to localhost; the master zones
       // below override this with a TSIG-keyed list.
       allow-transfer {127.0.0.1; };
       // NOTE(review): "10.2.0.24" is a single host, while allow-query above
       // admits 10.2.0.0/24 — probably meant 10.2.0.0/24; confirm.
       allow-recursion {127.0.0.1; 192.168.0.0/24; 10.2.0.24; };
       // Replaces the banner returned for version.bind queries.
       version "Proot";
       // GSS-TSIG: lets Kerberos principals (the SAMBA4$/DNS1$/Administrator
       // grants in the update-policy blocks) authenticate dynamic updates.
       tkey-gssapi-keytab "/etc/dns.keytab";
       tkey-domain "MYDOMAIN.EXAMPLE";
};
// Traffic with 10.3.0.2 (master of the two slave zones below) is signed
// with my-tsig.
server 10.3.0.2 {
   keys {  my-tsig; };
};
// TSIG key shared with dhcpd ("key dhcp.mydomain.example" in dhcpd.conf).
// NOTE(review): the same key is accepted on the rndc control channel
// (controls {} below), so whoever holds the DHCP update secret can also
// drive rndc on this server; use a separate key for controls.
key dhcp.mydomain.example {
   algorithm hmac-sha512;
   secret "################";
};
// Key for the 10.3.0.2 peer (server {} above).
key "my-tsig" {
algorithm HMAC-SHA512;
   secret "################";
};
// Key required by allow-transfer on the local master zones.
key "my-tsig2" {
algorithm HMAC-SHA512;
   secret "################";
};
controls {
       inet 192.168.0.4 port 953 allow { 192.168.0.4; 127.0.0.1; } keys { dhcp.mydomain.example; };
       inet 127.0.0.1 port 953 allow { 127.0.0.1;  } keys { dhcp.mydomain.example; };
       };
zone "." IN {
   type hint;
   file "named.ca";
};
zone "mydomain.example." IN {
   type master;
   file "/var/named/data/mydomain.example.zone";
       allow-transfer {key my-tsig2; };
   update-policy {
   // NOTE(review): the DHCP key only needs the record types dhcpd writes
   // (A and TXT/DHCID here); granting SRV, CNAME and MX as well lets a
   // holder of that key rewrite service and mail records for any name.
   grant dhcp.mydomain.example. wildcard * A TXT SRV CNAME MX DHCID;
       // Samba DC machine accounts and the domain admin, via GSS-TSIG.
       grant SAMBA4$@mydomain.example wildcard * A AAAA TXT SRV CNAME MX;
       grant DNS1$@mydomain.example wildcard * A AAAA TXT SRV CNAME MX;
       grant Administrator@mydomain.example wildcard * A TXT SRV CNAME MX;
};
       // The zone is signed in place: named answers from the ".signed" copy
       // plus its journal. Journal (.jnl) files also record deletions, so a
       // grep hit in them does not prove the record is still live.
       key-directory "/var/named/data";
       auto-dnssec maintain;
       inline-signing yes;
   /*
    * the list of principals and what they can change is created
    * dynamically by Samba, based on the membership of the domain controllers
    * group. The provision just creates this file as an empty file.
    */
   // NOTE(review): "#" starts a comment in named.conf, so the include below
   // appears to be inert and named.conf.update is not loaded; the grants are
   // listed inline in update-policy above instead (same in the slave zone).
   #include "/var/lib/samba/private/named.conf.update";
   /* we need to use check-names ignore so _msdcs A records can be created */
   check-names ignore;
};
zone "0.168.192.in-addr.arpa" {
   type master;
   file "/var/named/data/0.168.192.in-addr.arpa";
       allow-transfer {key my-tsig2; };
   update-policy {
   // Reverse zone: every updater is limited to PTR records.
   grant dhcp.mydomain.example. wildcard * PTR;
       grant SAMBA4$@mydomain.example wildcard * PTR;
       grant DNS1$@mydomain.example wildcard * PTR;
       grant Administrator@mydomain.example wildcard * PTR;
   };
       auto-dnssec maintain;
       key-directory "/var/named/data";
       inline-signing yes;
};
// Secondary copies pulled from 10.3.0.2 (authenticated with my-tsig).
zone "otherzone.priv." IN {
       type slave;
       masters {10.3.0.2; };
       file "/var/named/data/otherzone.priv.zone";
       key-directory "/var/named/data";
       auto-dnssec maintain;
       inline-signing yes;
       /*
        * the list of principals and what they can change is created
        * dynamically by Samba, based on the membership of the domain controllers
        * group. The provision just creates this file as an empty file.
        */
       #include "/var/lib/samba/private/named.conf.update";
       /* we need to use check-names ignore so _msdcs A records can be created */
       check-names ignore;
};
zone "0.3.10.in-addr.arpa" {
   type slave;
   file "/var/named/data/0.3.10.in-addr.arpa.zone";
       masters {10.3.0.2; };
       auto-dnssec maintain;
       key-directory "/var/named/data";
       inline-signing yes;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

日誌中沒有任何異常;在 named 的資料目錄中 grep,似乎遺失的記錄還在,但 dig 說沒有

grep -irl disappeared.mydomain.example *
0.168.192.in-addr.arpa
0.168.192.in-addr.arpa.signed
mydomain.example.zone.jnl
mydomain.example.zone.signed
mydomain.example.zone.signed.jnl

dig disappeared.mydomain.example

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> disappeared.mydomain.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 192
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 172e90668acc5f522b6add4b617edbeb3909928cefd32999 (good)
;; QUESTION SECTION:
;disappeared.mydomain.example.      IN  A

;; AUTHORITY SECTION:
mydomain.example.       86400   IN  SOA dns1.mydomain.example. root.mydomain.example. 2020140075 60 120 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Sun Oct 31 19:09:47 CET 2021
;; MSG SIZE  rcvd: 123

而 dig -x 192.168.0.32 會返回正確的名稱。會是什麼原因?我發現,從 dhcpd.leases 檔案中手動刪除租約,並在客戶端重新啟動 NetworkManager,就會重新插入正確的 A 記錄。

解決方案似乎是這個:

ddns-ttl 600;
default-lease-time 14400;

這兩個值有些不同

我試著對兩者使用相同的值

ddns-ttl 600;
default-lease-time 600;

這樣就能正常運作,但我必須重新建立租約檔案。

引用自:https://unix.stackexchange.com/questions/675568