Linux
DNS protection in named.conf

cat /etc/named.conf

[...]
acl "trusted" { IPS HERE };

options {
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    allow-query { trusted; };
    directory "/var/named";
    dump-file "/var/named/named_cache_dump.db";
    statistics-file "/var/named/named_stats.log";
    empty-zones-enable no;
};
[...]
I have the above and am wondering which IPs I need to whitelist. Do I add the root name servers?

I would like to know how to protect myself against DNS attacks such as illegitimate transfers, recursion, poisoning and so on.
You really need two ACLs to handle this properly: one for peer name servers and one for clients.

acl "nameservers" {
    # A list of all the name servers that this server transfers zones to or
    # receives zones from; should basically be all the master/slave name
    # servers for all defined zones
};

acl "internalclients" {
    # All your internal networks/client machines that may use this name
    # server for resolution.
    127.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    allow-notify { nameservers; };
    allow-transfer { nameservers; };
    allow-recursion { internalclients; };
    allow-query { internalclients; };
};

zone "example.org" {
    allow-query { any; };
    allow-transfer { nameservers; };
};

However, for the best level of poisoning protection, you really should not serve zones from the same DNS server that is used for client resolution. But if you trust your internal clients, then I believe a setup like this is sufficient.
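As an added example, not part of the question or the answer above and not BIND's own tooling, here is a small Python checker for the access-control directives the answer is about. It understands only a simplified named.conf grammar (acl, options and zone blocks with allow-* directives and brace-matched bodies), treats an unset allow-transfer as open because BIND 9 has historically defaulted it to any (an assumption about your BIND version; check yours), and ignores negated "!" entries. Both configs embedded in it are constructed: the first is shaped like the asker's with "any" filled in, the second is the answer's layout with 192.0.2.2 (a documentation address) standing in for a secondary.

```python
"""Lint a named.conf for open transfer/recursion ACLs (added example, simplified grammar)."""
import ipaddress
import re

OPTION_DIRS = ("allow-transfer", "allow-recursion", "allow-notify", "allow-update")
ZONE_DIRS = ("allow-transfer", "allow-notify", "allow-update")  # recursion is not a zone option
PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "::1/128", "fc00::/7", "fe80::/10")]
HEAD_RE = re.compile(r'\b(acl|options|zone)\s*(?:"([^"]+)")?[^{;]*\{')
ALLOW_RE = re.compile(r'\b(allow-[a-z-]+)\s*\{([^}]*)\}\s*;')


def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(?://|#).*', '', text)


def top_level_blocks(text):
    """Return [(kind, name, body)]; braces are matched so nested allow-* {} stay in the body."""
    blocks, pos = [], 0
    while (m := HEAD_RE.search(text, pos)):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {'{': 1, '}': -1}.get(text[j], 0)
            j += 1
        blocks.append((m.group(1), m.group(2), text[m.end():j - 1]))
        pos = j
    return blocks


def acl_elements(body):
    return [e.strip().strip('"') for e in body.split(';') if e.strip()]


def expand(elem, acls, seen=()):
    """Expand one ACL element into ip_network objects, plus the markers 'any' / 'unknown:...'."""
    if elem.startswith('!'):
        return []                                   # negations only narrow access; ignored here
    if elem == 'any':
        return ['any']
    if elem == 'none':
        return []
    if elem == 'localhost':
        return [ipaddress.ip_network('127.0.0.0/8'), ipaddress.ip_network('::1/128')]
    if elem in acls:
        if elem in seen:
            raise ValueError(f'ACL loop at {elem}')
        return [n for e in acls[elem] for n in expand(e, acls, seen + (elem,))]
    try:
        return [ipaddress.ip_network(elem, strict=False)]
    except ValueError:
        return ['unknown:' + elem]                  # localnets, key names, undefined ACLs


def is_private(net):
    if not isinstance(net, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return False
    return any(net.subnet_of(p) for p in PRIVATE if p.version == net.version)


def lint(conf):
    """Return a list of (where, directive, problem) tuples; an empty list means no findings."""
    blocks = top_level_blocks(strip_comments(conf))
    acls = {name: acl_elements(body) for kind, name, body in blocks if kind == 'acl'}
    option_dirs = {}
    for kind, _, body in blocks:
        if kind == 'options':
            option_dirs = {d: acl_elements(v) for d, v in ALLOW_RE.findall(body)}
    findings = []
    for kind, name, body in blocks:
        if kind == 'acl':
            continue
        where = 'options' if kind == 'options' else f'zone "{name}"'
        dirs = option_dirs if kind == 'options' else {d: acl_elements(v) for d, v in ALLOW_RE.findall(body)}
        for d in (OPTION_DIRS if kind == 'options' else ZONE_DIRS):
            elems = dirs.get(d)
            if elems is None and kind == 'zone':
                elems = option_dirs.get(d)          # a zone inherits the options value
            if elems is None:
                if d == 'allow-transfer':           # assumption: BIND 9 historically defaults to any
                    findings.append((where, d, 'not set; BIND 9 historically defaults to any'))
                continue
            nets = [n for e in elems for n in expand(e, acls)]
            if 'any' in nets:
                findings.append((where, d, 'open to any'))
            elif d == 'allow-recursion':
                findings += [(where, d, f'includes non-private range {n}') for n in nets if not is_private(n)]
    return findings


# Constructed sample: the asker's shape with the ACL left wide open.
WEAK_CONF = """
acl "trusted" { 192.168.0.0/16; 0.0.0.0/0; };
options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-transfer { any; };
};
zone "example.org" { type master; file "example.org.zone"; };
"""

# Constructed sample: the answer's layout, with 192.0.2.2 standing in for the secondary.
HARDENED_CONF = """
acl "nameservers" { 192.0.2.2; };
acl "internalclients" { 127.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
options {
    allow-notify { nameservers; };
    allow-transfer { nameservers; };
    allow-recursion { internalclients; };
    allow-query { internalclients; };
};
zone "example.org" {
    type master; file "example.org.zone";
    allow-query { any; };
    allow-transfer { nameservers; };
};
"""

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, lint(conf) or 'no findings')
```

The weak config produces three findings (transfer open in options and inherited by the zone, recursion open to 0.0.0.0/0); the answer's layout produces none. Run it against your own named.conf with `lint(open('/etc/named.conf').read())`, keeping in mind that it does not follow include statements or views.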