Turn off or disable inbound TCP requests on a DNS server

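Is it possible to turn off/disable TCP in a DNS server so that it rejects incoming TCP requests?

I want the request to reach the DNS server and then be rejected in the DNS server.

Is there a simple way to switch this off or on when needed?

This is for testing purposes only. The DNS server is not in the public domain.

My named.conf looks like this: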

options {

        # The directory statement defines the name server's working directory

        directory "/var/lib/named";

        # enable DNSSEC validation
        #
        # If BIND logs error messages about the root key being expired, you
        # will need to update your keys. See https://www.isc.org/bind-keys
        #
        # dnssec-enable yes (default), indicates that a secure DNS service
        # is being used which may be one, or more, of TSIG
        # (for securing zone transfers or DDNS updates), SIG(0)
        # (for securing DDNS updates) or DNSSEC.

        #dnssec-enable yes;

        # dnssec-validation yes (default), indicates that a resolver
        # (a caching or caching-only name server) will attempt to validate
        # replies from DNSSEC enabled (signed) zones. To perform this task
        # the server also needs either a valid trusted-keys clause
        # (containing one or more trusted-anchors) or a managed-keys clause.

        #dnssec-validation auto;
        managed-keys-directory "/var/lib/named/dyn/";

        # Write dump and statistics file to the log subdirectory.  The
        # pathnames are relative to the chroot jail.

        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";

        # The forwarders record contains a list of servers to which queries
        # should be forwarded.  Enable this line and modify the IP address to
        # your provider's name server.  Up to three servers may be listed.

        #forwarders { 192.0.2.1; 192.0.2.2; };

        # Enable the next entry to prefer usage of the name server declared in
        # the forwarders section.

        #forward first;

        # The listen-on record contains a list of local network interfaces to
        # listen on.  Optionally the port can be specified.  Default is to
        # listen on all interfaces found on your system.  The default port is
        # 53.

        #listen-on port 53 { 127.0.0.1; };

        # The listen-on-v6 record enables or disables listening on IPv6
        # interfaces.  Allowed values are 'any' and 'none' or a list of
        # addresses.

        listen-on-v6 { any; };

        # The next three statements may be needed if a firewall stands between
        # the local server and the internet.

        #query-source address * port 53;
        #transfer-source * port 53;
        #notify-source * port 53;

        # The allow-query record contains a list of networks or IP addresses
        # to accept and deny queries from. The default is to allow queries
        # from all hosts.

        #allow-query { 127.0.0.1; };

        # If notify is set to yes (default), notify messages are sent to other
        # name servers when the zone data is changed.  Instead of setting
        # a global 'notify' statement in the 'options' section, a separate
        # 'notify' can be added to each zone definition.

        notify no;

    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

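Answer 1

You can use a firewall to block TCP packets from reaching your DNS server.

According to this post, a DNS implementation must support both protocols to be RFC compliant. Nevertheless, as I said, you can configure a firewall to do this, but your DNS may miss some requests.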
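One way to apply the firewall approach from this answer on the DNS host itself, with the on/off switch the question asks for. This is an added example, not part of the original answer; it assumes Linux with iptables/ip6tables, named on port 53 and root privileges, and the names `dns_tcp`, `rule_args` and `dns-tcp.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: toggle rejection of inbound DNS-over-TCP on the DNS host itself.
# Assumptions: Linux with iptables/ip6tables, named on port 53, run as root.
# DRY_RUN=1 prints the commands instead of executing them.

DNS_PORT="${DNS_PORT:-53}"

# Rule shared by check (-C), insert (-I) and delete (-D). REJECT with
# tcp-reset answers the SYN with an RST, so clients fail fast rather than
# timing out as they would with DROP.
rule_args() {
    echo "INPUT -p tcp --dport $DNS_PORT -j REJECT --reject-with tcp-reset"
}

dns_tcp() {   # $1 = reject | allow
    for fw in iptables ip6tables; do   # the named.conf above also listens on IPv6
        case "$1" in
        reject)
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "$fw -I $(rule_args)"
            elif ! $fw -C $(rule_args) 2>/dev/null; then
                $fw -I $(rule_args)      # insert once; re-running is a no-op
            fi ;;
        allow)
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "$fw -D $(rule_args)"
            else
                # remove every copy of the rule, if any
                while $fw -C $(rule_args) 2>/dev/null; do
                    $fw -D $(rule_args)
                done
            fi ;;
        *)
            echo "usage: dns_tcp reject|allow" >&2
            return 2 ;;
        esac
    done
}

# Run as a script: ./dns-tcp.sh reject   or   ./dns-tcp.sh allow
case "${1:-}" in
    reject|allow) dns_tcp "$1" ;;
esac
```

With the rule in place, a `dig +tcp` query against the server is refused while the same query over UDP is still answered; responses too large for UDP are the requests the answer warns may be missed.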
