Why does BIND perform a double query before answering an RPZ (Response Policy Zone) NXDOMAIN?

The goal is to have a local DNS server with the following specifics:

  • A split DNS setup that resolves an FQDN (e.g. localdomain.com) to a local IP instead of the external IP
  • Use RPZ (Response Policy Zone) to answer certain DNS lookups with an NXDOMAIN response (preferably without doing a forward/lookup first)
  • Allow forward lookups for all other DNS requests

The system running this is a Synology NAS with BIND 9.9.9-P8 (which apparently does not yet support the option "qname-wait-recurse" that would eliminate the lookup before the RPZ NXDOMAIN answer is given, which would be ideal).

This is the current named.conf:

options {
    interface-interval 1;
    listen-on-v6 {
        "any";
    };
    recursive-clients 1000;
    tcp-clients 100;
    version "DNSServer";
    allow-recursion {
        192.168.1.0/24;
    };
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    max-cache-size 10485760;
    max-cache-ttl 86400;
    response-policy {
        zone "blocked-domains.rpz";
    };
    forward only;
    forwarders {
        84.200.69.80;
        84.200.70.40;
    };
    max-journal-size 1024;
    min-refresh-time 1;
    min-retry-time 1;
};
controls {
    inet 127.0.0.1 port 953 allow {
        127.0.0.1/32;
    } keys {
        "rndc-key";
    };
};
logging {
    channel "default-log" {
        syslog "user";
        severity Info;
    };
    category "default" {
        "default-log";
    };
    category "security" {
        "default-log";
    };
    category "resolver" {
        "default-log";
    };
    category "queries" {
        "default-log";
    };
    category "xfer-in" {
        "default-log";
    };
    category "xfer-out" {
        "default-log";
    };
    category "general" {
        "default-log";
    };
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "**redacted**";
};
zone "localdomain.com" {
    type master;
    file "/etc/zone/master/localdomain.com";
    allow-query {
        192.168.1.0/24;
    };
    allow-transfer {
        "none";
    };
    allow-update {
        "none";
    };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/zone/master/1.168.192.in-addr.arpa";
    allow-query {
        192.168.1.0/24;
    };
    allow-transfer {
        "none";
    };
    allow-update {
        "none";
    };
};
zone "blocked-domains.rpz" {
    type master;
    file "/etc/zone/master/blocked-domains.rpz";
    allow-query {
        "none";
    };
    allow-transfer {
        "none";
    };
    allow-update {
        "none";
    };
};

This is /etc/zone/master/localdomain.com:

$ORIGIN localdomain.com.
$TTL 86400
localdomain.com. IN SOA ns.localdomain.com. hostmaster.localdomain.com. (2020031000 43200 180 1209600 10800)
ds.localdomain.com. 86400   A   192.168.1.10
localdomain.com.            NS  ns.localdomain.com.
ns.localdomain.com. 86400   A   192.168.1.10

This is /etc/zone/master/1.168.192.in-addr.arpa:

$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
1.168.192.in-addr.arpa. IN SOA ns.1.168.192.in-addr.arpa. hostmaster.1.168.192.in-addr.arpa. (2020031000 43200 180 1209600 10800)
10.1.168.192.in-addr.arpa.  86400   PTR ds.localdomain.com.
1.168.192.in-addr.arpa.     86400   NS  ns.localdomain.com.

This is /etc/zone/master/blocked-domains.rpz:

$TTL 86400
@           86400   IN  SOA LOCALHOST.  hostmaster.blocked-domains.rpz. (2020031008 43200 180 2592000 10800)
@           86400   IN  NS  LOCALHOST.

reports.crashlytics.com     CNAME .
settings.crashlytics.com    CNAME .

However, when a client performs a DNS query, the logs show a double or quadruple query (for A and AAAA records) before the RPZ NXDOMAIN response is given.

Sample log of a double query:

2020/03/10 21:55:11.430 rpz     query   client 192.168.1.22#45129 (reports.crashlytics.com): rpz QNAME NXDOMAIN rewrite reports.crashlytics.com via reports.crashlytics.com.blocked-domains.rpz
2020/03/10 21:55:11.430 queries query   client 192.168.1.22#45129 (reports.crashlytics.com): query: reports.crashlytics.com IN A + (192.168.1.10)
2020/03/10 21:55:11.425 rpz     query   client 192.168.1.22#41862 (reports.crashlytics.com): rpz QNAME NXDOMAIN rewrite reports.crashlytics.com via reports.crashlytics.com.blocked-domains.rpz
2020/03/10 21:55:11.406 queries query   client 192.168.1.22#41862 (reports.crashlytics.com): query: reports.crashlytics.com IN A + (192.168.1.10)

Sample log of a quadruple query:

2020/03/10 21:49:19.242 rpz     query   client 192.168.1.41#54615 (settings.crashlytics.com): rpz QNAME NXDOMAIN rewrite settings.crashlytics.com via settings.crashlytics.com.blocked-domains.rpz
2020/03/10 21:49:19.242 queries query   client 192.168.1.41#54615 (settings.crashlytics.com): query: settings.crashlytics.com IN A + (192.168.1.10)
2020/03/10 21:49:19.239 rpz     query   client 192.168.1.41#49403 (settings.crashlytics.com): rpz QNAME NXDOMAIN rewrite settings.crashlytics.com via settings.crashlytics.com.blocked-domains.rpz
2020/03/10 21:49:19.239 queries query   client 192.168.1.41#49403 (settings.crashlytics.com): query: settings.crashlytics.com IN AAAA + (192.168.1.10)
2020/03/10 21:49:19.236 rpz     query   client 192.168.1.41#49374 (settings.crashlytics.com): rpz QNAME NXDOMAIN rewrite settings.crashlytics.com via settings.crashlytics.com.blocked-domains.rpz
2020/03/10 21:49:19.236 queries query   client 192.168.1.41#49374 (settings.crashlytics.com): query: settings.crashlytics.com IN A + (192.168.1.10)
2020/03/10 21:49:19.230 rpz     query   client 192.168.1.41#35402 (settings.crashlytics.com): rpz QNAME NXDOMAIN rewrite settings.crashlytics.com via settings.crashlytics.com.blocked-domains.rpz
2020/03/10 21:49:19.212 queries query   client 192.168.1.41#35402 (settings.crashlytics.com): query: settings.crashlytics.com IN AAAA + (192.168.1.10)

Can someone explain why the double query happens and whether there is a way to prevent it?
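One thing worth checking before blaming the RPZ logic is whether the "double" entries are one client query that BIND processed twice, or several distinct client queries that each got rewritten once. The following script is an added example, not code from the question or from BIND; it parses the "queries" and "rpz" category lines in the format pasted above, pairs them by client address and source port, and reports per-port counts and the delay between the query arriving and the rewrite being logged. The sample lines are the four lines of the double-query log from the question, embedded as constructed input; the regular expressions and function names are assumptions made for this example. On that sample the two pairs come from different source ports (#41862 and #45129), so the script reports two separate client queries, each with exactly one rpz rewrite. Whether BIND forwarded upstream before rewriting cannot be seen from these two categories alone; that would need the resolver category logs or a capture of traffic towards the forwarders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four lines of the "double query" log from the
# question, in the newest-first order the syslog output was pasted in.
SAMPLE_LOG = """\
2020/03/10 21:55:11.430 rpz     query   client 192.168.1.22#45129 (reports.crashlytics.com): rpz QNAME NXDOMAIN rewrite reports.crashlytics.com via reports.crashlytics.com.blocked-domains.rpz
2020/03/10 21:55:11.430 queries query   client 192.168.1.22#45129 (reports.crashlytics.com): query: reports.crashlytics.com IN A + (192.168.1.10)
2020/03/10 21:55:11.425 rpz     query   client 192.168.1.22#41862 (reports.crashlytics.com): rpz QNAME NXDOMAIN rewrite reports.crashlytics.com via reports.crashlytics.com.blocked-domains.rpz
2020/03/10 21:55:11.406 queries query   client 192.168.1.22#41862 (reports.crashlytics.com): query: reports.crashlytics.com IN A + (192.168.1.10)
"""

# Assumed line layout (matches the pasted log): timestamp, category, the word
# "query", "client <ip>#<port> (<qname>):", then category-specific text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>rpz|queries)\s+query\s+client (?P<client>[\d.]+#\d+) "
    r"\((?P<qname>[^)]+)\): (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")
RPZ_RE = re.compile(r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite")


def parse_log(text):
    """Parse 'queries' and 'rpz' category lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other categories (resolver, general, ...) are ignored
        ev = {
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
            "cat": m["cat"],
            "client": m["client"],
            "qname": m["qname"],
        }
        if ev["cat"] == "queries":
            q = QUERY_RE.search(m["rest"])
            ev["qtype"] = q["type"] if q else None
        else:
            r = RPZ_RE.search(m["rest"])
            ev["action"] = r["action"] if r else None
        events.append(ev)
    events.sort(key=lambda e: e["ts"])  # sort is stable, ties keep pasted order
    return events


def correlate(events):
    """Group events by client address#port. A stub resolver normally uses a
    fresh source port per UDP query, so one key here is one client query;
    report how many query and rewrite lines BIND logged for it and the delay
    between query arrival and the rpz rewrite."""
    by_client = defaultdict(lambda: {"queries": [], "rpz": []})
    for ev in events:
        by_client[ev["client"]][ev["cat"]].append(ev)
    summary = {}
    for client, evs in by_client.items():
        qs, rws = evs["queries"], evs["rpz"]
        first = qs[0] if qs else rws[0]
        latency = None
        if qs and rws:
            latency = round((rws[0]["ts"] - qs[0]["ts"]).total_seconds() * 1000)
        summary[client] = {
            "ip": client.split("#")[0],
            "qname": first["qname"],
            "qtype": qs[0]["qtype"] if qs else None,
            "queries": len(qs),
            "rewrites": len(rws),
            "actions": [r["action"] for r in rws],
            "latency_ms": latency,
        }
    return summary


def repeated_questions(summary):
    """Same (client IP, qname, qtype) asked from more than one source port:
    that is the client sending separate queries, not BIND handling one twice."""
    counts = defaultdict(int)
    for s in summary.values():
        counts[(s["ip"], s["qname"], s["qtype"])] += 1
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    summary = correlate(parse_log(SAMPLE_LOG))
    for client, s in sorted(summary.items()):
        print(f"{client}: {s['qname']} {s['qtype']}: {s['queries']} query line, "
              f"{s['rewrites']} rpz rewrite {s['actions']}, "
              f"rewrite logged {s['latency_ms']} ms after the query")
    for (ip, name, qtype), n in repeated_questions(summary).items():
        print(f"{ip} asked {name} {qtype} {n} times from different source ports")
```

To run it against a real log, replace SAMPLE_LOG with the file contents (for example `parse_log(open("/var/log/messages").read())`); lines from other categories are skipped. A port that shows one query line and one rpz line, with a rewrite latency in the tens of milliseconds under "forward only", is consistent with BIND still doing the forwarded lookup before applying the policy on this version; a port that shows two rpz lines would instead point at the rewrite itself being applied twice.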
