linux – bind9正确的递归设置

如果我删除递归,那么我无法解析外部域,但仍然可以解析DNS服务器上的域.

正确设置递归的正确方法是什么,这样可以在不让DNS服务器打开的情况下解析外部域？

named.conf.options

options {
    version "One does not simply get my version";

    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to,you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers,you probably want to use them as forwarders.
    // Uncomment the following block,and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,// you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation yes;

    auth-nxdomain no;
    listen-on-v6 { any; };
    allow-recursion { any; };
    allow-query {
            any;
            };
    allow-query-cache { any; };
    notify yes;
    dnssec-enable yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    also-notify {
            };
};

我还在内部子网中添加了允许递归{subnet / xx; };但仍无法解析外部域名.

解决方法

筛选谁能够递归查询DNS以及谁不使用ACL.

acl my_net { 
    192.168.1.0/24;
};

acl my_other_net {
    10.0.0.0/8;
};

options {

    [ ... ]


    recursion yes;

    allow-recursion { my_net; };
    blackhole { my_other_net; };

};

此外,在您的网关中设置入口(BCP 84)/出口过滤,以避免欺骗性UDP数据包到达您的网络并产生意外流量或中毒. Blackhole不受信任的本地基础设施部分.

linux – bind9正确的递归设置

解决方法

相关文章