![Bind9 如何为特定子网使用 RPZ 区域](https://linux22.com/image/787631/Bind9%20%E5%A6%82%E4%BD%95%E4%B8%BA%E7%89%B9%E5%AE%9A%E5%AD%90%E7%BD%91%E4%BD%BF%E7%94%A8%20RPZ%20%E5%8C%BA%E5%9F%9F.png)
我已经有 1 台主服务器(192.168.130.32)、4 台从服务器(192.168.130.35)和 2 台权威服务器(192.168.130.33),都运行 bind9。
我的思路是从外部 DNS 服务器(192.168.130.37)获取 RPZ 区域,但我想按客户端拆分此配置,例如:
我有两个 ACL:第一个是 192.168.1.0/24,第二个是 192.168.2.0/24。我怎样才能让第一个 ACL 中的客户端受 RPZ 区域过滤,而第二个 ACL 中的客户端不受过滤、像直接访问互联网一样解析所有内容?
我的主配置:
// Slaves that are allowed to pull zone transfers from this master.
acl "sleivai" {
    192.168.130.33;
    192.168.130.35;
};

// The same two hosts as a named masters list, so also-notify can
// reference it by name instead of repeating the addresses.
masters "notify_slaves" {
    192.168.130.33;
    192.168.130.35;
};
options {
    // Working directory and process bookkeeping.
    directory "/var/cache/bind/";
    pid-file "named.pid";

    // Bind only to the master's own address; no IPv6 listener. All
    // outbound queries, NOTIFYs and transfers are sourced from that address.
    listen-on { 192.168.130.32; };
    listen-on-v6 { none; };
    port 53;
    query-source address 192.168.130.32;
    notify-source 192.168.130.32;
    transfer-source 192.168.130.32;

    // Authoritative-only: this host never resolves on behalf of clients,
    // and hides its version string.
    recursion no;
    version none;

    // Zone replication: only the listed slaves may AXFR/IXFR, and they are
    // notified explicitly (from also-notify) rather than via NS records.
    allow-transfer { "sleivai"; };
    notify explicit;
    also-notify { "notify_slaves"; };

    // Enables `rndc addzone`/`delzone`. The rndc channel and key are not
    // shown here; whoever holds that key can add zones, so keep it tight.
    allow-new-zones yes;

    // NOTE(review): RPZ rewriting is applied when named answers recursive
    // queries, and recursion is disabled on this host, so this statement
    // appears to have no effect on the master itself. filter.local is
    // slaved below so it can be redistributed to the slaves, which are
    // where the policy is actually applied.
    response-policy { zone "filter.local"; };
};
// Default zones for every BIND server; root hints are commented out in
// that file.
include "/etc/bind/named.conf.default-zones";

// The RPZ zone, pulled from the external policy source and re-served to
// the slaves. Only the slaves and localhost may query it directly, so the
// block list itself is not exposed to ordinary clients.
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    masters { 192.168.130.37; };
    allow-query { "sleivai"; localhost; };
    allow-transfer { "sleivai"; };
    notify explicit;
};
// Catalog zone: lists the member zones the slaves should provision
// automatically (consumed by the catalog-zones option on the slave side).
// Same access rules as the RPZ zone: only slaves and localhost may read or
// transfer it, and slaves are notified explicitly.
zone "catalog.forward" {
    type master;
    file "/etc/bind/zonesforward/catalog.forward.db";
    allow-query { "sleivai"; localhost; };
    allow-transfer { "sleivai"; };
    notify explicit;
    also-notify { "notify_slaves"; };
};
这是我的从服务器配置:
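// Clients allowed to use this server as a recursive resolver.
acl "trusted" {
    localhost;
    192.168.0.0/16;
};

// Clients that should receive RPZ-filtered answers.
// Every address in an acl needs a trailing ';' -- the original omitted it
// here and in "not_blocked", which named-checkconf rejects as a syntax error.
// Note that neither acl is referenced anywhere else in this configuration
// yet; they only take effect once used (e.g. in a view's match-clients).
acl "blocked" {
    192.168.1.0/24;
};

// Clients that should receive unfiltered answers.
acl "not_blocked" {
    192.168.2.0/24;
};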
// Global BIND options.
options {
    // Working directory, process bookkeeping and cache sizing.
    directory "/var/cache/bind/";
    pid-file "named.pid";
    memstatistics-file "/var/cache/bind/mem.stats";
    max-cache-size 2000m;

    // Bind only to this slave's own address; no IPv6 listener. Outbound
    // queries, NOTIFYs and transfers are sourced from that address.
    listen-on { 192.168.130.35; };
    listen-on-v6 { none; };
    port 53;
    query-source address 192.168.130.35;
    notify-source 192.168.130.35;
    transfer-source 192.168.130.35;

    // Recursion is limited to the internal range. allow-query is not
    // restricted here, so non-recursive answers for slaved zones go to any
    // client that can reach 192.168.130.35.
    allow-recursion { "trusted"; };
    allow-transfer { none; };
    // Only the master may send NOTIFY; this slave sends none itself.
    allow-notify { 192.168.130.32; };
    notify no;
    version none;
    disable-empty-zone "10.IN-ADDR.ARPA";

    // NOTE(review): response-policy at options level applies to every
    // client this server recurses for, so 192.168.1.0/24 and 192.168.2.0/24
    // are both filtered. To filter only the "blocked" acl, this statement
    // has to live in a view whose match-clients selects "blocked", with a
    // second view for "not_blocked" that omits it. Once any view is
    // declared, every zone in this file (the default zones, filter.local
    // and the catalog) must be declared inside a view as well.
    response-policy { zone "filter.local"; };

    // Member zones of catalog.forward are created automatically from the
    // catalog zone slaved below, with the master as their default source.
    catalog-zones {
        zone "catalog.forward."
            zone-directory "/var/cache/bind"
            in-memory no
            default-masters { 192.168.130.32; };
    };
};
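// Default zones for every BIND server; root hints are commented out in
// that file.
include "/etc/bind/named.conf.default-zones";

// RPZ zone, slaved from the master. Direct queries are limited to the
// master and localhost, so clients cannot read the block list; the
// response-policy lookup itself is internal and is not subject to
// allow-query.
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
}; // closing brace was missing in the original, so the next zone statement
   // ended up nested inside this one and the file failed to parse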
// Forward/advertising catalog, slaved from the master. It lists every
// name-to-IP-address mapping zone; the member zones themselves are
// instantiated via the catalog-zones option above. Direct queries are
// limited to the master and localhost.
zone "catalog.forward" {
    type slave;
    file "/var/cache/bind/catalog.forward.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
};