猫/etc/named.conf
[...]
acl "trusted" {
IPS HERE
};
options {
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
allow-query { trusted; };
directory "/var/named";
dump-file "/var/named/named_cache_dump.db";
statistics-file "/var/named/named_stats.log";
empty-zones-enable no;
};
[...]
我看到以下内容,想知道我需要将哪些 IP 列入白名单?我是否要添加根名称服务器?
我想知道如何保护自己免受非法传输/递归/中毒等 DNS 攻击。
答案1
您确实需要两个 ACL 才能正确处理该问题。一个用于对等名称服务器,一个用于客户端。
acl "nameservers" {
# A list of all the name servers that this server has transfers or receices zones from
# should basically be all the masters/slave name servers, for all defines zones
};
acl "internalclients" {
# all your internal networks/client machines that can use this name server for resolution.
127.0.0.0/8;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
allow-notify { nameservers; };
allow-transfer { nameservers; };
allow-recursion { internalclients; };
allow-query { internalclients; };
};
zone "example.org" {
allow-query {any;};
allow-transfer { nameservers; };
};
不过,为了获得最佳级别的防毒保护,您确实不应该从用于客户端解析的同一 DNS 服务器提供区域。但如果您信任内部客户端,那么我相信这样的设置就足够了。