mas o servidor responderá com "AVISO: recursão solicitada mas não disponível" porque meu cliente 104.200.17.225 está indo para externo. Mas o cliente está na ACL confiável. Bind está ignorando minha lista confiável inteiramente.
mlr01 ~ # dig facebook.com
; <<>> DiG 9.9.5 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A
;; AUTHORITY SECTION:
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
;; Query time: 42 msec
;; SERVER: 66.228.35.79#53(66.228.35.79)
;; WHEN: Thu Oct 16 23:28:20 UTC 2014
;; MSG SIZE rcvd: 252
O nome parece estar ignorando minha ACL:
cat /etc/bind/named.conf
acl "outside" {
any;
};
acl "trusted" {
173.255.211.166;
104.200.17.225; //this is the client in question
10.8.0.0/24;
10.8.1.0/24;
127.0.0.1/32;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
transfer-source 198.74.49.126;
listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d;};
listen-on { 127.0.0.1; 66.228.35.79;};
max-cache-ttl 1600;
version none;
allow-query {
any;
};
allow-query-cache {
any;
};
allow-transfer {
trusted;
};
allow-update {
trusted;
};
//forward first;
forwarders {
109.74.192.20;
97.107.133.4;
198.74.49.126; //internal router1
};
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
severity warning;
};
channel resolver_file {
file "/var/log/named/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/log/named/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
category default { default_log; };
category general { default_log; };
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
view "internal" {
match-clients { trusted; };
allow-query-cache { any; };
allow-recursion { trusted; };
recursion yes;
zone "azevedomd.com" {
type master;
file "pri/azevedomd.com.internal";
};
zone "35.228.66.in-addr.arpa"{
type master;
file "pri/reverse.internal";
};
zone "127.in-addr.arpa" {
type master;
file "pri/127.0.0.1";
};
};
view "external" {
match-clients { any; };
match-destinations { any; };
recursion no;
allow-query { any; };
zone "." IN {
type hint;
file "/var/bind/named.ca";
};
zone "azevedomd.com" {
type master;
file "pri/azevedomd.com.external";
};
zone "35.228.66.in-addr.arpa"{
type master;
file "pri/reverse.external";
};
zone "127.in-addr.arpa" {
type master;
file "pri/127.0.0.1";
};
};
O log de consulta diz que será externo. Por que ignorar a lista interna e confiável? O cliente está na lista.
17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79
O seu cliente 104.200.17.225 estava combinando o acl "externo" primeiro. Reorganizar a ordem dos acls provavelmente ajudou, mas a maneira mais confiável de fazer isso é excluir seu endereço "confiável" de "fora":
acl "outside" {
!173.255.211.166;
!104.200.17.225; //this is the client in question
!10.8.0.0/24;
!10.8.1.0/24;
!127.0.0.1/32;
!::1/128;
any;
};