Bind9 如何为特定子网使用 RPZ 区域

tag-icon tag-icon linux domain-name-system bind rpz
Bind9 如何为特定子网使用 RPZ 区域

我已经有 1 个主服务器(192.168.130.32)、4 个从服务器(192.168.130.35)和 2 个权威服务器(192.168.130.33),并且带有 bind9。

我的观点是从外部 DNS 服务器获取 RPZ(192.168.130.37),但我想拆分此配置,例如:

我有两个 ACL,第一个是 192.168.1.0/24,第二个是 192.168.2.0/24,我怎样才能使第一个 ACL 仅使用 RPZ 区域,而第二个 ACL 应该像在互联网上一样访问所有内容。

我的主配置:


acl "sleivai" {
        192.168.130.33; 192.168.130.35;

};

masters "notify_slaves" {
        192.168.130.33; 192.168.130.35;

};
options {
        directory "/var/cache/bind/";
        query-source address 192.168.130.32;
        notify-source 192.168.130.32;
        transfer-source 192.168.130.32;
        port 53;
        allow-new-zones yes;
        pid-file "named.pid";
        listen-on { 192.168.130.32; };
        listen-on-v6 { none; };
        recursion no;
        allow-transfer { "sleivai"; };
        notify explicit;
        version none;
        also-notify { "notify_slaves"; };
        response-policy { zone "filter.local"; };
};


//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";


zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        allow-transfer { "sleivai"; };
        notify explicit;
        masters { 192.168.130.37; };
        allow-query { "sleivai"; localhost; };

};

zone "catalog.forward" {
        type master;
        file "/etc/bind/zonesforward/catalog.forward.db";
        also-notify { "notify_slaves"; };
        allow-transfer { "sleivai"; };
        notify explicit;
        allow-query { "sleivai"; localhost; };
};

这是我的从属配置:

acl "trusted" {
        localhost;
        192.168.0.0/16;
};

acl "blocked" {
        192.168.1.0/24
 };
acl "not_blocked" {
        192.168.2.0/24
};

//Global BIND options.
options {
        directory "/var/cache/bind/";
        memstatistics-file "/var/cache/bind/mem.stats";
        max-cache-size 2000m;
        query-source address 192.168.130.35;
        notify-source 192.168.130.35;
        transfer-source 192.168.130.35;
        port 53;
        pid-file "named.pid";
        listen-on { 192.168.130.35; };
        listen-on-v6 { none; };
        notify no;
        allow-recursion { "trusted"; };
        allow-transfer { none;};
        allow-notify { 192.168.130.32; };
        version none;
        disable-empty-zone "10.IN-ADDR.ARPA";
        response-policy { zone "filter.local"; };
        catalog-zones {
                zone "catalog.forward."
                      zone-directory "/var/cache/bind"
                      in-memory no
                      default-masters { 192.168.130.32; };
        };
};

//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";

zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        masters { 192.168.130.32; };
        allow-query { 192.168.130.32; localhost; };


//This is the forward/advertising catalog. It contains all name to IP address mapping
zone "catalog.forward" {
        type slave;
        file "/var/cache/bind/catalog.forward.db";
        masters { 192.168.130.32; };
        allow-query { 192.168.130.32; localhost; };
};

相关内容