Bind

Using views in BIND9 to resolve (forward) queries for specific domains only

  • February 8, 2019

I am trying to set up a whitelisted domain forwarder in my bind9, but it may not have succeeded because of the configuration I applied.

A few months ago I did set up the same concept in Bind9 with multiple views, and it worked perfectly as expected.

What is happening now: (the view is configured to forward only gmail.com) whenever a client from 172.22.172.32/27 queries a domain other than gmail.com, the DNS is still able to resolve the IP, which is expected/supposed to fail for that client.

Is there any good solution, or any adjustment that must be made, in my current configuration?

Bind version: 9.9.5

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
view "wifi-test" {
       match-clients {
               172.22.172.32/27;
       };
               zone "gmail.com" {
                       type forward;
                       forward only;
                       forwarders {
                               1.1.1.1;
                       };
               };
       //include "/etc/bind/named.conf.default-zones";
       recursion yes;
};

named.conf.options

options {
       directory "/var/cache/bind";

       // Accept request
       allow-query-cache { 172.22.172.32/27; };
       allow-query { 172.22.172.32/27; };
       //allow-recursion { servers; };

       // If there is a firewall between you and nameservers you want
       // to talk to, you may need to fix the firewall to allow multiple
       // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

       // If your ISP provided one or more IP addresses for stable
       // nameservers, you probably want to use them as forwarders.
       // Uncomment the following block, and insert the addresses replacing
       // the all-0's placeholder.

       //forward only;
       //forwarders {
       //      8.8.8.8;
       // };

       //========================================================================
       // If BIND logs error messages about the root key being expired,
       // you will need to update your keys.  See https://www.isc.org/bind-keys
       //========================================================================

       // DNSSEC
       dnssec-validation auto;
       //dnssec-enable yes;
       //dnssec-lookaside auto;

       //key-directory "/etc/bind/keys";

       #fetch-glue no;
       recursion no;

       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { none; };
       //listen-on port 53 { localhost; 172.22.172.41; };

       // Exchange port between DNS Servers
       //query-source address * port *;

       // From 9.9.5 ARM, disables interface scanning to prevent unwanted stop listening
       //interface-interval 0;

       // Version 
       version "SecDNS";

       //bindkeys-file "/etc/bind/bind.keys";

};

named.conf.local

// Manage the file logs
include "/etc/bind/named.conf.log";

Query log

queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59843 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59845 (gmail.com): view wifi-test: query: gmail.com IN AAAA + (172.22.172.41)

queries: info: client 172.22.172.48#53702 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53703 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53705 (www.forum.com): view wifi-test: query: www.forum.com IN AAAA + (172.22.172.41)

I found the solution! Well, it is all about dnssec-validation: I was forced to choose yes instead of auto or no.

view "Test" {
       match-clients { 172.22.172.32/27; };
       minimal-responses yes;     
       include "/etc/bind/named.conf.local"; #Whitelist Domains
       include "/etc/bind/zones/hostedzones"; #Zones Files

       forward only;
       forwarders { 0.0.0.0; };
       recursion yes;
}; 

view "Others" {
       match-clients { any; };

       minimal-responses yes;

       include "/etc/bind/named.conf.local"; #Whitelist Domains
       include "/etc/bind/zones/hostedzones"; #Zones files 

       forward only;
       forwarders {};
       recursion yes;
};

Basically, the configuration here allows **"Others"** to query any other domain, while **"Test"** is only allowed to query what is in the included files; with forwarders { 0.0.0.0; }; any other query will be forwarded to 0.0.0.0 and end up with "connection refused resolving".

Note: everything in "named.conf.local" is a forward zone.

I also upgraded to Bind version 9.10.3.
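As an added example (not from the question or the answer above), a small Python audit over the query-log format shown in the question: it flags every query logged in the restricted view whose name is not inside a whitelisted zone, which is the quickest way to confirm from the logs that the view really is limited. The whitelist mapping and the extra "Others" log line are constructed assumptions; note that the match is label-aware, so a search-suffix query like gmail.com.mytd.com is correctly treated as outside gmail.com.

```python
import re

# Sample lines: the first three are copied from the question's query log,
# the last one is a constructed line for an unrestricted view.
SAMPLE_LOG = """\
queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 10.0.0.5#4000 (www.forum.com): view Others: query: www.forum.com IN A + (172.22.172.41)
"""

# Matches the BIND 9.9 "queries" category format used in the log above.
LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \([^)]*\): view (?P<view>[^:]+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def in_zone(qname, zone):
    """Label-aware check: True if qname equals zone or is a subdomain of it.

    A plain endswith() would wrongly accept "notgmail.com"; splitting on
    labels avoids that, and "gmail.com.mytd.com" is (correctly) not under gmail.com.
    """
    q = qname.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(q) >= len(z) and q[-len(z):] == z


def parse_query_log(text):
    """Yield one dict (client, view, qname, qtype, flags) per parsable log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def audit(text, view_whitelist):
    """Return (client, view, qname, qtype) for queries outside their view's whitelist.

    view_whitelist maps a view name to the zones it may resolve; views not in
    the mapping are treated as unrestricted and skipped.
    """
    violations = []
    for q in parse_query_log(text):
        zones = view_whitelist.get(q["view"])
        if zones is None:
            continue
        if not any(in_zone(q["qname"], z) for z in zones):
            violations.append((q["client"], q["view"], q["qname"], q["qtype"]))
    return violations
```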

Quoted from: https://serverfault.com/questions/938494