I want to configure Unbound DNS for a domain, e.g. domain.com, so that it only answers queries for *.domain.com and refuses anything else (such as gmail.com or hotmail.com). I have the following configuration, but it does not work as expected.
server:
    interface: a.b.c.d          # public IP
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.1/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse_non_local
    local-zone: "domain.com" transparent

forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1   # local DNS server
So the idea is: a query for domain.com arrives on the live/public interface (IP a.b.c.d), the query is forwarded to the local DNS 192.168.0.1, and the answer is returned to a.b.c.d and then sent on to the client/Internet. If a query arrives for, say, gmail.com, then a.b.c.d should answer REFUSED, like this:
** server can't find gmail.com: REFUSED
I cannot get the refusal to work for domains other than domain.com (e.g. gmail/hotmail). In short, I cannot get access-control: 0.0.0.0/0 refuse_non_local to work.
Answer 1
librhnylmz's solution works. The following works.
server:
    interface: a.b.c.d          # public IP
    verbosity: 2
    logfile: "unbound.log"
    log-queries: yes
    extended-statistics: no
    access-control: 0.0.0.0/0 allow
    local-zone: "." refuse
    local-zone: "domain.com." transparent

forward-zone:
    name: "domain.com"
    forward-addr: 192.168.0.1   # local DNS
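As an added example (not from the question or the answer), here is a small model of how Unbound chooses a local-zone for a query name: the most specific (longest) matching zone wins, which is why local-zone "." refuse combined with local-zone "domain.com." transparent gives the wanted behaviour. The zone names and the 192.168.0.1 forwarder are the page's values; the function names are the example's own.

```python
# Added example, not Unbound's code: a minimal model of local-zone selection.
# Unbound applies the most specific (longest) matching local-zone, so
# "domain.com." transparent overrides "." refuse for names under domain.com.
from typing import Dict, Optional, Tuple

def fqdn(name: str) -> str:
    """Lower-case the name and add the trailing dot Unbound uses for zone names."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def matching_zone(qname: str, zones: Dict[str, str]) -> Optional[str]:
    """Return the most specific zone that qname equals or lies under, or None."""
    q = fqdn(qname)
    best: Optional[str] = None
    for zone in zones:
        z = fqdn(zone)
        if z == "." or q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best

def resolve(qname: str, zones: Dict[str, str],
            forward: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Outcome for one query: ('REFUSED', None), ('FORWARD', upstream) or
    ('RESOLVE', None). Only the refuse and transparent zone types used on the
    page are modelled; access-control (including refuse_non_local) is not.
    A transparent zone with no local-data falls through to normal resolution,
    which for domain.com means the forward-zone pointing at the local DNS."""
    norm_zones = {fqdn(z): t for z, t in zones.items()}
    norm_fwd = {fqdn(z): a for z, a in forward.items()}
    zone = matching_zone(qname, norm_zones)
    if zone is not None and norm_zones[zone] == "refuse":
        return ("REFUSED", None)
    fwd = matching_zone(qname, norm_fwd)   # same longest-suffix rule
    if fwd is not None:
        return ("FORWARD", norm_fwd[fwd])
    return ("RESOLVE", None)               # ordinary recursion to the Internet

# The working configuration from the answer, expressed as data (constructed):
ANSWER_ZONES = {".": "refuse", "domain.com.": "transparent"}
ANSWER_FORWARD = {"domain.com": "192.168.0.1"}

if __name__ == "__main__":
    for name in ("www.domain.com", "domain.com", "gmail.com", "notdomain.com"):
        print(name, resolve(name, ANSWER_ZONES, ANSWER_FORWARD))
```

Without the "." refuse zone (as in the first configuration) the model falls through to RESOLVE for gmail.com, which is the open-resolver behaviour the question is trying to avoid.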