Resolving queries for specific domains with views in BIND9 (forwarding)

I am trying to set up a whitelist-domain forwarder in my bind9, but it is not completing successfully, probably because of the configuration I applied.

A few months ago I did set up the same concept of DNS with multiple views in Bind9, and it worked perfectly as expected.

What is happening now: (the view is configured to forward only gmail.com) whenever a client from 172.22.172.32/27 queries the gmail.com domain, the DNS is still able to resolve the IP for the client, which is expected to / should fail.

Is there any good solution, or what adjustments does my current configuration need?

Bind version: 9.9.5

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
view "wifi-test" {
        match-clients {
                172.22.172.32/27;
        };
        zone "gmail.com" {
                type forward;
                forward only;
                forwarders {
                        1.1.1.1;
                };
        };
        //include "/etc/bind/named.conf.default-zones";
        recursion yes;
};

named.conf.options

options {
        directory "/var/cache/bind";

        // Accept request
        allow-query-cache { 172.22.172.32/27; };
        allow-query { 172.22.172.32/27; };
        //allow-recursion { servers; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forward only;
        //forwarders {
        //      8.8.8.8;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================

        // DNSSEC
        dnssec-validation auto;
        //dnssec-enable yes;
        //dnssec-lookaside auto;

        //key-directory "/etc/bind/keys";

        #fetch-glue no;
        recursion no;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        //listen-on port 53 { localhost; 172.22.172.41; };

        // Exchange port between DNS Servers
        //query-source address * port *;

        // From 9.9.5 ARM, disables interface scanning to prevent unwanted stop listening
        //interface-interval 0;

        // Version 
        version "SecDNS";

        //bindkeys-file "/etc/bind/bind.keys";

};

named.conf.local

// Manage the file logs
include "/etc/bind/named.conf.log";

Query log

queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59843 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59845 (gmail.com): view wifi-test: query: gmail.com IN AAAA + (172.22.172.41)

queries: info: client 172.22.172.48#53702 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53703 (www.forum.com.mytd.com): view wifi-test: query: www.forum.com.mytd.com IN AAAA + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53705 (www.forum.com): view wifi-test: query: www.forum.com IN AAAA + (172.22.172.41)

Answer 1

I found the solution! It was actually all about dnssec-validation: I forced it to yes instead of auto or no.

view "Test" {
        match-clients { 172.22.172.32/27; };
        minimal-responses yes;
        include "/etc/bind/named.conf.local";   # Whitelist domains (forward zones)
        include "/etc/bind/zones/hostedzones";  # Zone files

        // Any name not covered by a zone included above is forwarded to
        // 0.0.0.0, which is unreachable, so those queries fail instead of
        // being resolved.
        forward only;
        forwarders { 0.0.0.0; };
        recursion yes;
};

view "Others" {
        match-clients { any; };

        minimal-responses yes;

        include "/etc/bind/named.conf.local";   # Whitelist domains (forward zones)
        include "/etc/bind/zones/hostedzones";  # Zone files

        // An empty forwarders list disables view-level forwarding, so names
        // outside the included zones are resolved by normal recursion.
        forward only;
        forwarders {};
        recursion yes;
};

Basically, the configuration here lets "Others" query any other domain name, while "Test" only allows queries for whatever is in the included files; with forwarders { 0.0.0.0; }; the forwarder for the other queries will try to forward to 0.0.0.0 and end up with connection refused resolving.

Note: everything in "named.conf.local" is forward zones.

I also upgraded to Bind version 9.10.3.
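As an added illustration (not code from the question or the answer), the following Python script models two pieces of BIND behaviour that decide the outcome here: view selection by `match-clients`, and closest-enclosing-zone lookup by label-wise suffix match. It replays query-log lines in the format shown in the question through a model of the question's single-view config and a model of the answer's two-view config. The `Others`-view line and the `notgmail.com` line in the sample log are constructed for this example, and named.conf.local is assumed to contain gmail.com as its whitelisted forward zone, since the page does not show its contents. The output shows why www.forum.com still resolved in the question's setup (the view has no view-level forwarders, so anything outside the gmail.com forward zone is recursed normally), why the answer's 0.0.0.0 sinkhole forwarder catches those names, that the gmail.com.mytd.com name from the log (the client's search suffix appended) is not under gmail.com, and why the match must be label-wise so that notgmail.com is not treated as whitelisted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the first three lines reproduce the format of the
# question's query log; the notgmail.com line and the "Others" line (client
# outside the /27) are made up here to exercise the edge cases.
SAMPLE_LOG = """\
queries: info: client 172.22.172.48#59842 (gmail.com.mytd.com): view wifi-test: query: gmail.com.mytd.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#59844 (gmail.com): view wifi-test: query: gmail.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53704 (www.forum.com): view wifi-test: query: www.forum.com IN A + (172.22.172.41)
queries: info: client 172.22.172.48#53706 (notgmail.com): view wifi-test: query: notgmail.com IN A + (172.22.172.41)
queries: info: client 10.9.8.7#40001 (mail.gmail.com): view Others: query: mail.gmail.com IN A + (172.22.172.41)
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\): view (?P<view>[^:]+): "
    r"query: \S+ IN (?P<qtype>\S+)"
)


@dataclass
class View:
    name: str
    match_clients: List[str]       # CIDRs; an empty list means "any"
    forward_zones: List[str]       # zones with their own forwarders (the whitelist)
    default_forwarders: List[str]  # view-level forwarders; empty means plain recursion


def select_view(views: List[View], client_ip: str) -> Optional[View]:
    """BIND checks views in configuration order and uses the first one whose
    match-clients contains the client address; no match means REFUSED."""
    ip = ipaddress.ip_address(client_ip)
    for v in views:
        if not v.match_clients or any(ip in ipaddress.ip_network(c) for c in v.match_clients):
            return v
    return None


def zone_for(qname: str, zones: List[str]) -> Optional[str]:
    """Longest label-wise suffix match, the way BIND finds the closest enclosing
    zone. Comparing labels rather than using str.endswith keeps 'notgmail.com'
    from matching the 'gmail.com' zone."""
    labels = qname.rstrip(".").lower().split(".")
    best: Optional[str] = None
    for z in zones:
        zl = z.rstrip(".").lower().split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(best.split(".")):
                best = z
    return best


def resolve_path(view: View, qname: str) -> str:
    """Where a query goes once a view has been selected."""
    z = zone_for(qname, view.forward_zones)
    if z is not None:
        return f"forward:{z}"                   # whitelisted: sent to that zone's forwarders
    if view.default_forwarders:
        return "forward:" + ",".join(view.default_forwarders)  # e.g. the 0.0.0.0 sinkhole
    return "recurse"                            # no forwarders: normal iterative recursion


def classify(views: List[View], log_text: str):
    """Parse query-log lines and return (client, qname, view, path) per query."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        v = select_view(views, m["client"])
        path = resolve_path(v, m["qname"]) if v else "refused"
        results.append((m["client"], m["qname"], v.name if v else None, path))
    return results


# Model of the question's config: one view, gmail.com forwarded, nothing else constrained.
QUESTION_VIEWS = [
    View("wifi-test", ["172.22.172.32/27"], ["gmail.com"], []),
]

# Model of the answer's config. named.conf.local is assumed (not shown on the page)
# to hold gmail.com as its whitelisted forward zone; 0.0.0.0 is the answer's sinkhole.
ANSWER_VIEWS = [
    View("Test", ["172.22.172.32/27"], ["gmail.com"], ["0.0.0.0"]),
    View("Others", [], ["gmail.com"], []),
]

if __name__ == "__main__":
    for label, views in (("question", QUESTION_VIEWS), ("answer", ANSWER_VIEWS)):
        print(f"== {label} config ==")
        for row in classify(views, SAMPLE_LOG):
            print("  client=%s qname=%s view=%s -> %s" % row)
```

Under the question's model every non-whitelisted name from the /27 comes back as `recurse`, which is exactly the symptom in the question's log; under the answer's model the same names go to `forward:0.0.0.0` and only gmail.com (and names under it) reach a real forwarder, while clients outside the /27 land in `Others` and are recursed normally.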
