Linux

DNS protection in named.conf

  • March 23, 2015

cat /etc/named.conf

[...]
acl "trusted" {
IPS HERE
};

options {
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
allow-query { trusted; };
directory "/var/named";
dump-file "/var/named/named_cache_dump.db";
statistics-file "/var/named/named_stats.log";
empty-zones-enable no;
};
[...]

I see the following and want to know which IPs I need to whitelist. Do I need to add the root name servers?

I want to know how to protect myself against DNS attacks such as illegitimate transfers, recursion, poisoning, etc.

You really need two ACLs to handle this properly: one for peer name servers and one for clients.

acl "nameservers" {
   # A list of all the name servers that this server transfers zones to or receives zones from;
   # this should basically be all the master/slave name servers for all defined zones
};

acl "internalclients" {
   # all your internal networks/client machines that can use this name server for resolution.
   127.0.0.0/8;
   10.0.0.0/8;
   172.16.0.0/12;
   192.168.0.0/16;
};

options {
   allow-notify { nameservers; };
   allow-transfer { nameservers; };
   allow-recursion { internalclients; };
   allow-query { internalclients; };
};

zone "example.org" {
   allow-query {any;};
   allow-transfer { nameservers; };
};

However, for the best level of poisoning protection, you really should not serve zones from the same DNS server that is used for client resolution. But if you trust your internal clients, then I believe a setup like this is sufficient.
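As an added example (not part of the original answer), a small Python audit that parses a named.conf fragment and reports the weaknesses the answer warns about: allow-recursion, allow-transfer or allow-notify opened to any, options left to the compiled-in default, and zones whose effective allow-transfer resolves to any. Both configs below are constructed samples; the 192.0.2.53 address and the ACL names are assumptions.

```python
import re

# Constructed sample: the question's shape with every ACL opened to the world.
WEAK_CONF = """
options {
    allow-recursion { any; };
    allow-transfer { any; };
    allow-query { any; };
};
zone "example.org" { allow-query { any; }; };
"""

# Constructed sample: the two-ACL layout the answer recommends (192.0.2.53 is a placeholder peer).
HARDENED_CONF = """
acl "nameservers" { 192.0.2.53; };
acl "internalclients" { 127.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
options {
    allow-notify { nameservers; };
    allow-transfer { nameservers; };
    allow-recursion { internalclients; };
    allow-query { internalclients; };
};
zone "example.org" { allow-query { any; }; allow-transfer { nameservers; }; };
"""

DIRECTIVE_RE = re.compile(r'(allow-(?:recursion|transfer|notify|query))\s*\{([^}]*)\}')

def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` block, tracking brace depth."""
    i = 0
    while (open_ := text.find('{', i)) >= 0:
        depth, j = 1, open_ + 1
        while depth and j < len(text):
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        yield text[i:open_].strip(' \t\n;'), text[open_ + 1:j - 1]
        i = j

def audit_named_conf(text):
    """Return a list of findings; an empty list means the fragment matches the answer's shape."""
    text = re.sub(r'(#|//).*', '', text)          # drop comments so braces inside them are ignored
    opts, zones = {}, {}
    for header, body in top_level_blocks(text):
        d = {n: {v.strip() for v in vals.split(';') if v.strip()} for n, vals in DIRECTIVE_RE.findall(body)}
        if header == 'options':
            opts = d
        elif header.startswith('zone'):
            zones[header] = d
    findings = []
    for name in ('allow-recursion', 'allow-transfer', 'allow-notify'):
        if 'any' in opts.get(name, ()):
            findings.append(f'options: {name} {{ any; }} exposes the server to every client on the internet')
        elif name not in opts:
            findings.append(f'options: {name} not set; effective value is the compiled-in default')
    for zone, d in zones.items():                  # a zone-level directive overrides the options default
        if 'any' in d.get('allow-transfer', opts.get('allow-transfer', set())):
            findings.append(f'{zone}: zone transfer effectively allowed from any')
    return findings
```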

Source: https://serverfault.com/questions/476590