I have been asked to allow recursion only for clients belonging to a specific domain. I thought I could go to my named.conf and add the following line in the options section:
allow-recursion { myDomain ; };
But then I realised this is a huge mistake. Is there a way to allow DNS recursion for the clients in my domain without having to write every IP address into the allow-recursion{}; list?
Answer 1
If there are specific subnets, recursion can be allowed for them like this:
acl trustednets {
    # server itself
    localhost;
    # the subnet
    192.0.2.0/24;
    # any others... (BIND also has a "localnets" to trust
    # connected subnets, if that is appropriate)
};
options {
    ...
    allow-recursion { trustednets; };
};
Another option is to use views; this may suit a DNS server that is open to the public and is also used by the client systems, but it is more complex:
acl trustednets {
    ... # as above
};
view favoredclients {
    match-clients { trustednets; };
    match-destinations { trustednets; };
    recursion yes;
    zone ... # zones probably best done via include
};
view thewashedmasses {
    recursion no;
    # https://rhn.redhat.com/errata/RHSA-2013-0550.html
    rate-limit {
        responses-per-second 5;
        window 5;
    };
    zone ... # best done via include (because duplicated here)
};
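As an added illustration (it is not part of the answer above and is not BIND's own code), the following Python models how BIND evaluates an address match list such as the one given to allow-recursion: elements are tried in order, the first match decides, a leading "!" negates, a nested acl only counts when it matches positively, and no match at all means deny. The contents of trustednets are the ones from the answer; the values used for "localhost" and "localnets", the trustednets-minus-one variant and all client addresses are constructed for the example. It also shows why "myDomain" cannot be an acl element: only addresses and prefixes are accepted.

```python
"""Model of BIND address-match-list evaluation (added example, not BIND code).

Mirrors the documented semantics of lists such as allow-recursion so the
effect of an acl can be checked for sample client addresses offline.
"""
import ipaddress

# Built-in lists BIND provides. "localhost" and "localnets" are derived from
# the server's own interfaces at runtime; the values here are constructed.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1", "::1"],
    "localnets": ["192.0.2.0/24"],  # constructed: the subnet the server sits on
}

# The acl from the answer, plus a constructed variant that shows negation.
ACLS = {
    "trustednets": ["localhost", "192.0.2.0/24"],
    # Everything in trustednets except one host. Order matters: the "!" entry
    # must come first, because the first matching element wins.
    "trustednets-minus-one": ["!192.0.2.50", "trustednets"],
}

POSITIVE, NEGATIVE, NO_MATCH = 1, -1, 0


def match_list(elements, client, acls=ACLS):
    """Evaluate an address match list for one client address.

    Returns POSITIVE when a non-negated element matches first, NEGATIVE when
    a negated element matches first, and NO_MATCH when nothing matches.
    """
    client = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        body = element.lstrip("!").strip()
        if body in acls or body in BUILTIN_ACLS:
            nested = acls.get(body, BUILTIN_ACLS.get(body))
            # A nested acl matches only when its own result is positive; a
            # negative result inside it is treated as "no match" and the
            # outer list moves on to its next element.
            matched = match_list(nested, client, acls) == POSITIVE
        else:
            # Anything else must be an address or prefix. A hostname or
            # domain name (the "myDomain" from the question) is rejected.
            try:
                matched = client in ipaddress.ip_network(body, strict=False)
            except ValueError as exc:
                raise ValueError(f"{body!r} is not an address or prefix") from exc
        if matched:
            return NEGATIVE if negated else POSITIVE
    return NO_MATCH


def allow_recursion(client, acl_list=("trustednets",), acls=ACLS):
    """True when the client would be granted recursion: only a positive
    match allows access; a negative match or no match at all denies it."""
    return match_list(list(acl_list), client, acls) == POSITIVE


def acl_accepts_element(element):
    """True if the element is something an acl can contain (address, prefix
    or acl name); False for a bare domain name such as "myDomain"."""
    try:
        match_list([element], "192.0.2.1")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.7", "192.0.2.50", "203.0.113.9"):
        print(f"{ip:>14}  trustednets={allow_recursion(ip)}  "
              f"minus-one={allow_recursion(ip, ('trustednets-minus-one',))}")
    print("myDomain usable as acl element:", acl_accepts_element("myDomain"))
```

Running it shows 127.0.0.1 and 192.0.2.7 granted recursion under trustednets, 203.0.113.9 denied, and 192.0.2.50 denied only under the variant with the negated entry. The model omits one element type BIND does support, TSIG key names, which is the other way to scope recursion to known clients when their addresses are not predictable.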