Environment
Symptom
Resolving a name from node01 and from node02 returns different IP addresses.
- Querying from node01 returns 80.13.134.55. Why on earth?
[root@node01 ~]# nslookup rac-scan.ablog.com
Server:         192.168.18.121
Address:        192.168.18.121#53

Non-authoritative answer:
Name:   rac-scan.ablog.com
Address: 80.13.134.55
- Querying from node02 returns 192.168.18.131/132/133. As expected.
[root@node02 ~]# nslookup rac-scan.ablog.com
Server:         192.168.18.121
Address:        192.168.18.121#53

Name:   rac-scan.ablog.com
Address: 192.168.18.132
Name:   rac-scan.ablog.com
Address: 192.168.18.133
Name:   rac-scan.ablog.com
Address: 192.168.18.131
Cause
- When /etc/named.conf was set up, the A records (the "ablog.com" zone) were written only into view "internal" and not into view "localhost_resolver". node01 is the host running named, so its queries match the built-in localhost ACL (which covers every address of the server's own interfaces, not just 127.0.0.1) and, since named uses the first view whose match-clients matches, they land in "localhost_resolver". That view has recursion enabled but no authoritative zone for ablog.com, so named recursed out to the Internet via the root hints and handed back whatever the public ablog.com zone publishes; that is why node01's result is marked "Non-authoritative answer". node02 matches "internal", where the zone is defined, and gets the local records.
view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost; };
        match-destinations      { localhost; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view "internal" {
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
        match-clients           { localnets; };
        match-destinations      { localnets; };
        recursion yes;
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // include "named.rfc1912.zones";
        // you should not serve your rfc1912 names to non-localhost clients.

        // These are your "authoritative" internal zones, and would probably
        // also be included in the "localhost_resolver" view above :
        zone "ablog.com" {
                type master;
                file "ablog.com.local";
        };
        zone "18.168.192.in-addr.arpa" {
                type master;
                file "18.168.192.in-addr.arpa.local";
        };
};
Fix
Add the same zone definitions to view "localhost_resolver" in /etc/named.conf as well, then restart named. Running named-checkconf /etc/named.conf before the restart catches syntax slips; note that it will not catch this particular mistake, because a zone missing from one view is still a valid configuration.
- After changing /etc/named.conf to
view "localhost_resolver" {
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost; };
        match-destinations      { localhost; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";

        // the same authoritative zones as in view "internal" below,
        // so that the server's own lookups are answered locally too
        zone "ablog.com" {
                type master;
                file "ablog.com.local";
        };
        zone "18.168.192.in-addr.arpa" {
                type master;
                file "18.168.192.in-addr.arpa.local";
        };
};
view "internal" {
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
        match-clients           { localnets; };
        match-destinations      { localnets; };
        recursion yes;
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // include "named.rfc1912.zones";
        // you should not serve your rfc1912 names to non-localhost clients.

        // These are your "authoritative" internal zones, and would probably
        // also be included in the "localhost_resolver" view above :
        zone "ablog.com" {
                type master;
                file "ablog.com.local";
        };
        zone "18.168.192.in-addr.arpa" {
                type master;
                file "18.168.192.in-addr.arpa.local";
        };
};
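As an added example (my own code, not from the original post): a small checker that parses the view/zone structure of a named.conf and reports authoritative zones declared in one view but missing from another, which is exactly the gap between the "before" config under Cause and the "after" config above. The two embedded configs are constructed from those, trimmed to the statements that matter. The function names, BROKEN_CONF and FIXED_CONF are my own; include files are not followed, so paste them in before checking a real configuration.

```python
"""Find zones declared in some BIND 9 views but not others.

Added example for this post, not code from the original. It walks the
brace structure of named.conf text and compares the zones each view
defines. Assumptions: comments are stripped first, 'include' files are
not followed, and only view, match-clients and zone statements are read.
"""
import re

VIEW_RE = re.compile(r'^view\s+"?([\w.-]+)"?')
ZONE_RE = re.compile(r'^zone\s+"([^"]+)"')
AUTHORITATIVE = {"master", "slave", "primary", "secondary"}


def strip_comments(text):
    """named.conf allows /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", " ", text)


def split_blocks(text):
    """Yield (header, body) for each '<header> { body };' at this level.

    Brace-less statements (recursion yes; include "...";) are skipped, and
    a missing ';' after a closing brace is tolerated.
    """
    depth, start, header_start = 0, None, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                yield text[header_start:start].strip(), text[start + 1:i]
                start, header_start = None, i + 1
        elif ch == ";" and depth == 0:
            header_start = i + 1


def parse_views(text):
    """Return {view: {"clients": [...], "zones": {name: type}}}."""
    views = {}
    for header, body in split_blocks(strip_comments(text)):
        m = VIEW_RE.match(header)
        if not m:
            continue  # options, logging, acl ... are not views
        info = {"clients": [], "zones": {}}
        for sub_header, sub_body in split_blocks(body):
            if sub_header == "match-clients":
                info["clients"] = [c.strip() for c in sub_body.split(";") if c.strip()]
            z = ZONE_RE.match(sub_header)
            if z:
                t = re.search(r"\btype\s+(\w+)", sub_body)
                info["zones"][z.group(1)] = t.group(1) if t else "unknown"
        views[m.group(1)] = info
    return views


def missing_zones(text):
    """Map each view to the authoritative zones another view has but it lacks.

    Views with nothing missing are omitted, so {} means the views agree.
    Hint zones (type hint) are ignored on purpose.
    """
    views = parse_views(text)
    wanted = {z for v in views.values()
              for z, t in v["zones"].items() if t in AUTHORITATIVE}
    return {name: wanted - set(v["zones"])
            for name, v in views.items() if wanted - set(v["zones"])}


# Constructed from the post's before/after named.conf, trimmed; the
# include files are deliberately left out.
BROKEN_CONF = """
view "localhost_resolver" {
    /* caching-only resolver for the server itself */
    match-clients      { localhost; };
    match-destinations { localhost; };
    recursion yes;
    include "/etc/named.root.hints";   # every view needs the root hints
    include "/etc/named.rfc1912.zones";
};
view "internal" {
    match-clients      { localnets; };
    match-destinations { localnets; };
    recursion yes;
    include "/etc/named.root.hints";
    zone "ablog.com" { type master; file "ablog.com.local"; };
    zone "18.168.192.in-addr.arpa" {
        type master;
        file "18.168.192.in-addr.arpa.local";
    };
};
"""

INTERNAL_ZONES = """
    zone "ablog.com" { type master; file "ablog.com.local"; };
    zone "18.168.192.in-addr.arpa" {
        type master;
        file "18.168.192.in-addr.arpa.local";
    };
"""
# The fix from the post: the same zones added to the localhost view.
FIXED_CONF = BROKEN_CONF.replace(
    '    include "/etc/named.rfc1912.zones";\n',
    '    include "/etc/named.rfc1912.zones";\n' + INTERNAL_ZONES)

if __name__ == "__main__":
    for label, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        print(label, missing_zones(conf) or "all views consistent")
```

The "before" config reports that localhost_resolver lacks both zones; the "after" config reports nothing. Duplicating zone statements this way loads the zone twice; on BIND 9.10 and later the in-view option lets a view reference a zone already loaded in another view instead, which is the tidier fix for the same problem.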
- and restarting named,
[root@node01 ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
- a query from node01
[root@node01 ~]# nslookup rac-scan.ablog.com
Server:         192.168.18.121
Address:        192.168.18.121#53

Name:   rac-scan.ablog.com
Address: 192.168.18.131
Name:   rac-scan.ablog.com
Address: 192.168.18.132
Name:   rac-scan.ablog.com
Address: 192.168.18.133
- and a query from node02
[root@node02 ~]# nslookup rac-scan.ablog.com
Server:         192.168.18.121
Address:        192.168.18.121#53

Name:   rac-scan.ablog.com
Address: 192.168.18.132
Name:   rac-scan.ablog.com
Address: 192.168.18.133
Name:   rac-scan.ablog.com
Address: 192.168.18.131
now return the same answer!
Addendum
If you look closely at /etc/named.conf, the explanation is spelled out right there.
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
I built and ran DNS servers with bind9 on Linux a long time ago, but I have no memory of anything like this.
Did it change, or did I just never notice it...