Bind
Using views in BIND9 to resolve (forward) only specific domain queries
I am trying to set up a whitelisted domain forwarder in my bind9, but it may not have completed successfully because of the configuration I applied.
A few months ago I did set up the same concept of DNS with multiple views in Bind9, and it performed perfectly as expected.
What is happening now :- (the view is configured to forward only gmail.com) whenever a client from 172.22.172.32/27 queries a domain other than the gmail.com domain, the DNS is still able to resolve the IP where the client is expected/supposed to fail.
Is there any good solution or any adjustment that must be made in my current configuration?
Bind version: 9.9.5
named.conf

```
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

view "wifi-test" {
    match-clients { 172.22.172.32/27; };
    zone "gmail.com" {
        type forward;
        forward only;
        forwarders { 1.1.1.1; };
    };
    //include "/etc/bind/named.conf.default-zones";
    recursion yes;
};
```
named.conf.options

```
options {
    directory "/var/cache/bind";

    // Accept request
    allow-query-cache { 172.22.172.32/27; };
    allow-query { 172.22.172.32/27; };
    //allow-recursion { servers; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    //forward only;
    //forwarders {
    //  8.8.8.8;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================

    // DNSSEC
    dnssec-validation auto;
    //dnssec-enable yes;
    //dnssec-lookaside auto;
    //key-directory "/etc/bind/keys";

    #fetch-glue no;
    recursion no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };
    //listen-on port 53 { localhost; 172.22.172.41; };

    // Exchange port between DNS Servers
    //query-source address * port *;

    // From 9.9.5 ARM, disables interface scanning to prevent unwanted stop listening
    //interface-interval 0;

    // Version
    version "SecDNS";
    //bindkeys-file "/etc/bind/bind.keys";
};
```
named.conf.local

```
// Manage the file logs
include "/etc/bind/named.conf.log";
```
Query log

```
queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59843 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59845 (gmail.com): view wifi-test: query: gmail.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#53702 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53703 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53705 (www.forum.com): view wifi-test: query: www.forum.com IN AAAA + (172.22.172.41)
```
I found the solution! Well, it was all about dnssec-validation; I was forced to choose `yes` instead of auto or no.

```
view "Test" {
    match-clients { 172.22.172.32/27; };
    minimal-responses yes;
    include "/etc/bind/named.conf.local";   #Whitelist Domains
    include "/etc/bind/zones/hostedzones";  #Zones Files
    forward only;
    forwarders { 0.0.0.0; };
    recursion yes;
};

view "Others" {
    match-clients { any; };
    minimal-responses yes;
    include "/etc/bind/named.conf.local";   #Whitelist Domains
    include "/etc/bind/zones/hostedzones";  #Zones files
    forward only;
    forwarders {};
    recursion yes;
};
```
Basically, the configuration here allows **"Others"** to query any other domain, while **"Test"** only allows querying whatever is contained in the included files; for any other query, `forwarders { 0.0.0.0; };` will try to forward to 0.0.0.0 and end up with `connection refused resolving`.
Note: everything in "named.conf.local" is forward zones.
I also upgraded to Bind version 9.10.3.
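The query log in the question shows view wifi-test receiving queries for www.forum.com, outside the one forwarded zone, and the answer's fix hinges on the restricted view answering nothing else. As an added check (not code from the question or the answer), this Python script parses BIND 9.9-style query-log lines and lists, for a given view and client range, every query name that falls outside the whitelisted zones; the log sample is constructed from the lines above plus one extra line for a second view, and the view name, client range and zone list are passed in as assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the query-log lines quoted in the question, plus one
# line for another view so the view filter is exercised.
SAMPLE_LOG = """\
queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53705 (www.forum.com): view wifi-test: query: www.forum.com IN AAAA + (172.22.172.41)
queries: info: client 10.0.0.5#41000 (example.net): view Others: query: example.net IN A + (172.22.172.41)
"""

# Matches the BIND 9.9 query-log format shown in the question (no timestamp prefix).
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): view (?P<view>\S+): "
    r"query: \S+ IN (?P<qtype>\S+)"
)

def in_whitelist(qname, zones):
    """True if qname is one of the whitelisted zones or a name beneath one."""
    name = qname.rstrip(".").lower()
    for zone in zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False

def off_whitelist_queries(log_text, view, clients, zones):
    """Return (qname, qtype, client_ip) for every query logged in `view` from
    the restricted client range whose name is outside the whitelisted zones.
    Search-list expansions such as gmail.com.mytd.com are reported too, since
    they are not beneath gmail.com and the view would have to resolve them."""
    net = ip_network(clients)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["view"] != view:
            continue
        if ip_address(m["ip"]) not in net:
            continue
        if not in_whitelist(m["qname"], zones):
            hits.append((m["qname"], m["qtype"], m["ip"]))
    return hits

if __name__ == "__main__":
    for qname, qtype, ip in off_whitelist_queries(
            SAMPLE_LOG, "wifi-test", "172.22.172.32/27", ["gmail.com"]):
        print(f"off-whitelist: {ip} asked view wifi-test for {qname} {qtype}")
```

Point the script at the real query log (`grep 'view wifi-test' /var/log/...`) after reloading the fixed configuration; an empty result means the restricted view no longer sees queries it is supposed to refuse.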