在 Bind9 中接受 RPZ 的最佳实践

在 Bind9 中接受 RPZ 的最佳实践

我目前正在使用 bind9 管理 DNS 服务器。我有一个主服务器，作为四个从服务器和两个权威服务器的控制节点。

我有兴趣从外部 DNS 服务器到这些服务器实施远程响应策略区 (RPZ)。

我非常感谢有关实现这一目标的最佳实践的指导。

更新:

也许你应该知道我已经做了什么:

主配置:

// Zone-transfer peers on the master: the two slaves listed below.
// The ACL is address-based, so a host that can spoof or share one of these
// addresses passes it; the TSIG keys below are only attached to *outbound*
// requests via the "server" statements and are not required by this ACL.
acl "sleivai" {
        192.168.130.33; 192.168.130.35;

};

// Hosts that receive NOTIFY from this master (referenced by also-notify).
masters "notify_slaves" {
        192.168.130.33; 192.168.130.35;

};
// used for authoritative 
// NOTE(review): all three transfer keys use hmac-md5, which BIND treats as
// deprecated; the rndc_key further down already uses hmac-sha256, so the
// same algorithm could be used here once both peers are changed together.
// The secret is blank in the listing, presumably redacted.
key "external" {
        algorithm hmac-md5;
        secret "";
};
// Used for recursive 
key "internal" {
        algorithm hmac-md5;
        secret "";

};
// used for RPZ
key "shared" {
        algorithm hmac-md5;
        secret "";
};

// Sign requests (NOTIFY, transfers) sent to each peer with its key.
// To require the key on *inbound* transfers, an ACL such as
// allow-transfer { key external; ... } is needed — "keys" here does not do that.
server 192.168.130.33 {
        keys external;
};

server 192.168.130.35 {
        keys internal;
};

server 192.168.130.37 {
        keys shared;
};


// RPZ hit logging. "versions unlimited" means rotated files are never pruned,
// so disk use grows without bound at 1000m per file; a bounded "versions N"
// is the usual choice. "severity debug 1" is verbose — presumably for the
// initial rollout; "severity info" (commented out) is the quieter steady state.
logging {
channel rpz_log {
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        print-time yes;
        print-category yes;
        print-severity yes;
        //severity info;
        severity debug 1;

};

// RPZ events go to the dedicated file and to the built-in debug channel.
category rpz { rpz_log; default_debug; };
};
// Master (authoritative, non-recursive) global options.
options {
        directory "/var/cache/bind/";
        // Pin all outbound traffic to the internal interface.
        query-source address 192.168.130.32;
        notify-source 192.168.130.32;
        transfer-source 192.168.130.32;
        port 53;
        // Lets "rndc addzone" create zones at runtime; rndc is key-protected below.
        allow-new-zones yes;
        pid-file "named.pid";
        listen-on { 192.168.130.32; };
        listen-on-v6 { none; };
        recursion no;
        // Transfers are gated by source address only (see acl "sleivai").
        allow-transfer { "sleivai"; };
        notify explicit;
        // Hide the BIND version string from version.bind queries.
        version none;
        also-notify { "notify_slaves"; };
        // NOTE(review): RPZ acts on recursive answers; with "recursion no" this
        // server is not expected to apply the policy itself. The slave zone below
        // loads regardless, so this line may be unnecessary here — confirm.
        response-policy { zone "filter.local"; };
};

// rndc control key (secret blank in the listing, presumably redacted).
key rndc_key { secret ""; algorithm hmac-sha256; };

//Allow local controls
// "allow { any; }" is bounded by the loopback-only listener and the key
// requirement, so only local processes holding rndc_key can control named.
controls { inet 127.0.0.1  allow { any; } keys { rndc_key; }; };

//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";


// RPZ zone, pulled from the external RPZ server (192.168.130.37) and
// redistributed to the slaves. Outbound transfer requests are signed with
// key "shared" via the server statement above; inbound access is address-based.
zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        allow-transfer { "sleivai"; };
        notify explicit;
        masters { 192.168.130.37; };
        // Only the slaves and localhost may query the policy zone directly.
        allow-query { "sleivai"; localhost; };

};

// Catalog zone: lists the member zones the slaves should provision
// (consumed by the catalog-zones option on the slaves).
zone "catalog.forward" {
        type master;
        file "/etc/bind/zonesforward/catalog.forward.db";
        also-notify { "notify_slaves"; };
        allow-transfer { "sleivai"; };
        notify explicit;
        allow-query { "sleivai"; localhost; };
};

Slave1(递归服务器)

// Clients allowed to recurse through this slave: the whole 192.168/16.
acl "trusted" {
        localhost;
        192.168.0.0/16;
};

//This key is to be used for caching/recursive servers
// Must match key "internal" on the master (hmac-md5 here as well; see the
// master's key section for the algorithm note). Secret blank, presumably redacted.
key "internal" {
                   algorithm hmac-md5;
                   secret "";
           };

//Apply the appropriate key config
// Sign requests sent to the master with "internal".
server 192.168.130.32 {
          keys internal;
};



//Global BIND options.
//Global BIND options.
// Recursive slave. No allow-query is set, so BIND's default applies to plain
// queries; recursion itself is limited to acl "trusted".
options {
        directory "/var/cache/bind/";
        memstatistics-file "/var/cache/bind/mem.stats";
        max-cache-size 2000m;
        query-source address 192.168.130.35;
        notify-source 192.168.130.35;
        transfer-source 192.168.130.35;
        port 53;
        pid-file "named.pid";
        listen-on { 192.168.130.35; };
        listen-on-v6 { none; };
        notify no;
        allow-recursion { "trusted"; };
        // This slave never hands out its zones.
        allow-transfer { none;};
        // Only the master may trigger a refresh via NOTIFY (address-based).
        allow-notify { 192.168.130.32; };
        version none;
        disable-empty-zone "10.IN-ADDR.ARPA";
        // RPZ is enforced here, on the recursive path.
        response-policy { zone "filter.local"; };
        // Member zones are provisioned from the master's catalog zone.
        catalog-zones {
                zone "catalog.forward."
                      zone-directory "/var/cache/bind"
                      in-memory no
                      default-masters { 192.168.130.32; };
        };
};

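//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";

// RPZ zone, transferred from the master (not directly from the RPZ server).
// The closing "};" was missing in the original listing, which would make
// named-checkconf reject the file and swallow the catalog zone below.
zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        masters { 192.168.130.32; };
        allow-query { 192.168.130.32; localhost; };
};


//This is the forward/advertising catalog. It contains all name to IP address mapping
zone "catalog.forward" {
        type slave;
        file "/var/cache/bind/catalog.forward.db";
        masters { 192.168.130.32; };
        allow-query { 192.168.130.32; localhost; };
};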


// Same RPZ log channel as on the master. "versions unlimited" keeps every
// rotated 1000m file forever; "severity debug 1" is verbose (the commented
// "severity info" is the quieter alternative).
logging {
channel rpz_log {
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        print-time yes;
        print-category yes;
        print-severity yes;
        //severity info;
        severity debug 1;

};

category rpz { rpz_log; default_debug; };
};

这里是“外部”RPZ DNS 服务器配置:

// Only the master may pull the RPZ zone (address-based check).
acl "master-ip" {
        192.168.130.32;
};


// NOTIFY target.
masters "notify_master" {
        192.168.130.32;
};

// Sign requests to the master with "shared".
server 192.168.130.32 {
        keys shared;
};



// Must match key "shared" on the master. hmac-md5 is deprecated in BIND;
// rndc_key below already uses hmac-sha256. Secret blank, presumably redacted.
key "shared" {
        algorithm hmac-md5;
        secret "";
};

//NS update key config
key rndc_key { secret ""; algorithm hmac-sha256; };


//Allow local controls
// Loopback-only listener plus key requirement bounds "allow { any; }".
controls { inet 127.0.0.1  allow { any; } keys { rndc_key; }; };


// External RPZ server options.
options {
        directory "/var/cache/bind/";
        query-source address 192.168.130.37;
        notify-source 192.168.130.37;
        transfer-source 192.168.130.37;
        port 53;
        allow-new-zones yes;
        pid-file "named.pid";
        listen-on { 192.168.130.37; };
        listen-on-v6 { none; };
        // NOTE(review): recursion is enabled with no allow-recursion ACL, so
        // BIND's built-in default governs who may recurse. This host only
        // serves the RPZ zone to the master, so "recursion no" (or an explicit
        // allow-recursion) would narrow its exposure — confirm nothing needs it.
        recursion yes;
        allow-transfer { "master-ip"; };
        notify explicit;
        version none;
        also-notify { "notify_master"; };
        // Serve IXFR by diffing zone versions rather than a full AXFR each time.
        ixfr-from-differences yes;

};


include "/etc/bind/named.conf.default-zones";

// Authoritative copy of the RPZ zone. Dynamic updates are refused, so changes
// go through the zone file and a reload; only the master may transfer or query.
zone "filter.local" {
        type master;
        file "/etc/bind/zonesblockedRPZ/filter.local";
        allow-transfer { "master-ip"; };
        allow-query { "master-ip"; localhost; };
        allow-update { none; };
        notify explicit;
};

这样实现这个功能好不好?或者还有另一种/更好的方法?
