Openvpn

Server Fault user
Asked on 2018-07-11 19:23:34
1 answer, 663 views, 0 followers, 0 votes

I have searched everywhere I can find to work out why a seemingly valid setup does not work. I am trying to use the OpenVPN server's --learn-address to register OpenVPN clients in DDNS. The DNS server is bind9. I am unsure about three things:

  • Is my named configuration correct?
  • Why am I getting SERVFAIL?
  • When I ping 587-gc2 (or 587-gc2.proxy.example.com) I get Name or service not known, even though my zone file currently has a manual entry.

db.vpn zone file in /var/lib/bind/:

```zone
$ORIGIN .
$TTL 60 ; 1 minute
proxy.example.com   IN SOA  ns4.example.com. (
    20180711 ; serial
    60         ; refresh (1 minute)
    120        ; retry (2 minutes)
    60         ; expire (1 minute)
    60         ; minimum (1 minute)
    )
NS      ns1.example.com.
NS      ns4.example.com.
$ORIGIN proxy.example.com.
$TTL 14400      ; 4 hours
587-gc2         A   172.XX.XX.26
```

Attempted nsupdate query:

```text
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  17693
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;proxy.example.com.              IN      SOA

;; UPDATE SECTION:
587-gc2.proxy.example.com. 60 IN A       172.XX.XX.26

;; TSIG PSEUDOSECTION:
keyname.         0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1531335476 300 16 TSIGSECRET 17693 NOERROR 0
```

Reply to the nsupdate query above:

```text
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  17693
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;proxy.example.com.              IN      SOA
;; TSIG PSEUDOSECTION:
SECRETKEY.          0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1531335476 300 16 TSIGSECRET 17693 NOERROR 0
```

Full syslog log (named log) when reconnecting the device:

```text
setup_system()
Creating key...
namefromtext
keycreate
reset_system()
user_interaction()
do_next_command()
message repeated 3 times: [ do_next_command()]
evaluate_update()
update_addordelete()
do_next_command()
start_update()
send_update()
Sending update to 127.0.0.1#53
show_message()
update_completed()
tsig verification successful
show_message()
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  36239
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;proxy.example.com.              IN      SOA
;; TSIG PSEUDOSECTION:
SECRETKEY.          0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1531416897 300 16 TSIGSECRET 36239 NOERROR 0
done_update()
reset_system()
user_interaction()
cleanup()
detach tsigkey x0x7fb6a35cf0b8
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Destroying hash context
Destroying name state
Removing log context
Destroying memory context
```

--learn-address script in /usr/local/sbin/:

```php
#!/usr/bin/php
<?php
// The start of this script (from "<?php" through the first exec() call) was lost in page
// extraction. The constants, failWithError() and the head of addRecordWithIP() below are
// reconstructed to mirror removeRecord(); every constant value is a placeholder.
define('DEBUG', false);
define('DOMAIN', 'proxy.example.com');       // zone that holds the client records
define('NS_ADDR', '127.0.0.1');              // nsupdate "server" line, as seen in the log
define('TMP_PATH', '/tmp');                  // placeholder
define('NSUPDATE', '/usr/bin/nsupdate');     // placeholder
define('PRIVATE_KEY', 'keyname:TSIGSECRET'); // placeholder for nsupdate -y [hmac:]name:secret
define('TTL', 60);                           // the 60 s TTL seen in the update query

function failWithError($msg) {
    syslog(LOG_ERR, $msg);
    exit(1);
}
function addRecordWithIP($record, $ip) {
    $domain = $record.".".DOMAIN;
    // tempnam() creates an unpredictable file exclusively; the original used rand(900, 999)
    $filepath = tempnam(TMP_PATH, __FUNCTION__);
    $fh = fopen($filepath, "w");
    fwrite($fh, "server ".NS_ADDR."\n");
    fwrite($fh, "debug ".(DEBUG?'yes':'no')."\n");
    fwrite($fh, "zone ".DOMAIN."\n");
    fwrite($fh, "update add {$domain} ".TTL." A {$ip}\n");
    fwrite($fh, "send\n");
    fclose($fh);
    $output = [];
    // with DEBUG off, stdout is discarded and stderr is captured in $output
    exec(NSUPDATE." -y ".PRIVATE_KEY." -v ".escapeshellarg($filepath).(DEBUG?"":" 2>&1 > /dev/null"), $output);
    if (DEBUG) {
        syslog(LOG_ERR, print_r($output, true));
    }
    // clean up
    unlink($filepath);
}
function removeRecord($record) {
    $domain = $record.".".DOMAIN;
    $filepath = tempnam(TMP_PATH, __FUNCTION__);
    $fh = fopen($filepath, "w");
    fwrite($fh, "server ".NS_ADDR."\n");
    fwrite($fh, "debug ".(DEBUG?'yes':'no')."\n");
    fwrite($fh, "zone ".DOMAIN."\n");
    fwrite($fh, "update delete {$domain}\n");
    fwrite($fh, "send\n");
    fclose($fh);
    $output = [];
    exec(NSUPDATE." -y ".PRIVATE_KEY." -v ".escapeshellarg($filepath).(DEBUG?"":" 2>&1 > /dev/null"), $output);
    if (DEBUG) {
        syslog(LOG_ERR, print_r($output, true));
    }
    // clean up
    unlink($filepath);
}
if ($argc < 3) {
    failWithError("Incorrect number of params");
}
$slashpos = strpos($argv[2], "/");
if ($slashpos !== false) {
    // Remove subnet from ip: keep the part before the slash
    // (the original substr($argv[2], $slashpos) kept "/24" and dropped the address)
    $argv[2] = substr($argv[2], 0, $slashpos);
}
if (inet_pton($argv[2]) === false) {
    failWithError("{$argv[2]} is not a valid ip address");
}
switch($argv[1]) {
    case "update":
    case "add":
        if (isset($argv[3])) {
            removeRecord($argv[3]);
            addRecordWithIP($argv[3], $argv[2]);
        }
        break;
    case "remove":
        // Since openvpn only provides the ip on this request we cannot remove the 
        break;
}
// Success
exit(0);
```

named.conf.local in /etc/bind/:

```text
include "/etc/bind/named.conf.log";
acl vpnnets { 172.XX.XX.XX/16; 192.168.3.0/24; };
acl ourservers { SERVERIP; };
key dhcpupdate {
  algorithm hmac-md5;
  secret "SECRETHASH";
};
view "vpn" {
        match-clients { vpnnets;ourservers; };
        recursion yes;
         zone "proxy.example.com" {
                type master;
                file "/var/cache/bind/db.vpn";
                allow-update { key SECRETKEY;};
        };
include "/etc/bind/named.conf.default-zones-vpn";
     allow-query { vpnnets;ourservers;any; };
     allow-query-cache { vpnnets;ourservers; };
     allow-recursion { vpnnets;ourservers; };
};
view "external" {
        match-clients {any;};
        recursion yes;
         zone "proxy.example.com" {
                type master;
                file "/var/cache/bind/db.vpn-external";
                allow-update { key SECRETKEY;};

        };
};
```

resolv.conf in /etc/:

```text
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 172.XX.XX.1
nameserver 169.254.169.254
search c.GOOGLEPROJECT.internal google.internal
```

dig 587-gc2.proxy.example.com:

```text
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> 587-gc2.proxy.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50282
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3e50511a4a2fe8a1f5ba4f2d5b47943d6559b3ba4abf601e (good)
;; QUESTION SECTION:
;587-gc2.proxy.example.com. IN      A
;; Query time: 46 msec
;; SERVER: 172.XX.XX.1#53(172.XX.XX.1)
;; WHEN: Thu Jul 12 12:47:41 CDT 2018
;; MSG SIZE  rcvd: 86
```

named/bind log when trying to dig the full 587-gc2.proxy.example.com:

```text
13-Jul-2018 12:49:49.445 queries: info: client @0x7f69407fa110 172.XX.XX.1#54377 (587-gc2.proxy.example.com): view vpn: query: 587-gc2.proxy.example.com IN A +E(0)K (172.XX.XX.1)
13-Jul-2018 12:49:49.445 query-errors: info: client @0x7f69407fa110 172.XX.XX.1#54377 (587-gc2.proxy.example.com): view vpn: query failed (SERVFAIL) for 587-gc2.proxy.example.com/IN/A at ../../../bin/named/query.c:6984
```

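SERVFAIL on both the signed update and the plain query is what a zone that failed to load looks like, so the posted files are worth checking before the TSIG setup. The following is an added example (not code from the question, the answer, or BIND) that scans constructed excerpts of the zone file and named.conf.local above for the inconsistencies visible in them: an SOA with only one name before the parenthesis (MNAME present, RNAME missing), an allow-update that names key SECRETKEY while the defined key is dhcpupdate, a zone-file path under /var/cache/bind while the question places db.vpn in /var/lib/bind, and the deprecated hmac-md5 TSIG algorithm; the zone_dir argument is an assumption.

```python
import re
# Constructed excerpts of the zone file and named.conf.local posted in the question.
ZONE_FILE = """$TTL 60 ; 1 minute
proxy.example.com   IN SOA  ns4.example.com. (
    20180711 ; serial
    60         ; refresh (1 minute)
    120        ; retry (2 minutes)
    60         ; expire (1 minute)
    60         ; minimum (1 minute)
    )
"""
NAMED_CONF = """key dhcpupdate {
  algorithm hmac-md5;
  secret "SECRETHASH";
};
view "vpn" {
  zone "proxy.example.com" {
    file "/var/cache/bind/db.vpn";
    allow-update { key SECRETKEY;};
  };
};
"""
SOA_FIELDS = ["MNAME", "RNAME", "serial", "refresh", "retry", "expire", "minimum"]

def soa_fields(zone_text):
    # Strip ';' comments first so the "(1 minute)" parentheses do not confuse the parse
    body = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+(.*?)\)", body)
    return m.group(1).replace("(", " ").split() if m else []

def check_zone(zone_text):
    # An SOA short of its seven fields does not load, so every lookup and update gets SERVFAIL
    fields = soa_fields(zone_text)
    if len(fields) == len(SOA_FIELDS):
        return []
    return [f"SOA has {len(fields)} fields, expected {' '.join(SOA_FIELDS)}; zone will not load"]

def check_named(conf_text, zone_dir):
    # Key-name mismatch, weak TSIG algorithm, and zone files outside the expected directory
    findings = []
    defined = set(re.findall(r"\bkey\s+([\w.-]+)\s*\{", conf_text))
    for name in set(re.findall(r"allow-update\s*\{\s*key\s+([\w.-]+)", conf_text)) - defined:
        findings.append(f"allow-update uses key '{name}' but defined keys are {sorted(defined)}")
    if re.search(r"algorithm\s+hmac-md5\b", conf_text):
        findings.append("TSIG key uses hmac-md5; prefer hmac-sha256")
    for path in re.findall(r'file\s+"([^"]+)"', conf_text):
        if not path.startswith(zone_dir.rstrip("/") + "/"):
            findings.append(f"zone file {path} is outside {zone_dir}")
    return findings
```

On the server itself, named-checkzone proxy.example.com /var/lib/bind/db.vpn reports the SOA problem directly and named-checkconf validates named.conf.local; the named log from the moment of the zone load shows the same error.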

1 Answer

Server Fault user

Answered on 2018-07-12 15:59:18

It would also be very useful to look at the named log from the time window when you try the nsupdate command. It looks to me like something goes wrong during the update. The SERVFAIL response indicates a problem. The NOERROR is most likely related to the encryption.

Votes: 0
Page content provided by Server Fault. Original question:

https://serverfault.com/questions/920535