Linux

bind9 correct recursion settings

  • January 1, 2018

If I remove recursion, external domains can no longer be resolved, but the domains hosted on the DNS server itself can still be resolved.

What is the correct way to set up recursion so that external domains can still be resolved without leaving the DNS server open?

named.conf.options

options {
   version "One does not simply get my version";

   directory "/var/cache/bind";

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable
   // nameservers, you probably want to use them as forwarders.
   // Uncomment the following block, and insert the addresses replacing
   // the all-0's placeholder.

   // forwarders {
   //      0.0.0.0;
   // };

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================
   dnssec-validation yes;

   auth-nxdomain no;
   listen-on-v6 { any; };
   allow-recursion { any; };
   allow-query { any; };
   allow-query-cache { any; };
   notify yes;
   dnssec-enable yes;
   dnssec-lookaside . trust-anchor dlv.isc.org.;
   also-notify { };
};

I also added the internal subnet to allow-recursion { subnet/xx; }; but external domains still cannot be resolved.

Use ACLs to filter who is allowed to make recursive queries against the DNS server and who is not.

acl my_net { 
   192.168.1.0/24;
};

acl my_other_net {
   10.0.0.0/8;
};

options {

   [ ... ]


   recursion yes;

   allow-recursion { my_net; };
   blackhole { my_other_net; };

};

In addition, set up ingress (BCP 84) / egress filtering on your gateway so that spoofed UDP packets cannot reach your network and generate unexpected traffic or cache poisoning. Blackhole the untrusted parts of your local infrastructure.
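As an added example that is not part of the question or the answer above: a small Python checker that applies the answer's point to a named.conf fragment. It strips comments, expands acl names into their members the way BIND does, and flags the question's open allow-recursion { any; } while passing the ACL-restricted version from the answer. The two sample configs are constructed and abbreviated, and the function names are my own.

```python
import re

# Constructed sample configs (not the page's full files): the open-resolver shape
# from the question and the ACL-restricted shape from the answer.
OPEN_CONF = """
options {
   // forwarders { 0.0.0.0; };
   allow-recursion { any; };
};
"""
RESTRICTED_CONF = """
acl my_net { 192.168.1.0/24; };
acl my_other_net { 10.0.0.0/8; };
options {
   recursion yes;
   allow-recursion { my_net; };
   blackhole { my_other_net; };
};
"""

def members(body):
    """Split a '{ a; b; }' body into its address-match-list entries."""
    return [m.strip() for m in body.split(";") if m.strip()]

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out blocks are ignored."""
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))

def expand(items, acls, seen=()):
    """Replace acl names with their members, recursively, guarding against loops."""
    out = []
    for item in items:
        nested = item in acls and item not in seen
        out += expand(acls[item], acls, seen + (item,)) if nested else [item]
    return out

def allowed_recursion(conf):
    """Fully expanded allow-recursion list; BIND's default is localnets/localhost."""
    conf = strip_comments(conf)
    acls = {n: members(b) for n, b in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", conf)
    return expand(members(m.group(1)), acls) if m else ["localnets", "localhost"]

def is_open_resolver(conf):
    """True when recursion is on (BIND's default) and 'any' client may recurse."""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", strip_comments(conf))
    return (rec is None or rec.group(1) == "yes") and "any" in allowed_recursion(conf)
```

Running is_open_resolver over the question's config returns True and over the answer's config returns False; nested acl references are expanded before the check, so an "any" hidden inside a named acl is still caught.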

Source: https://serverfault.com/questions/634546