I was asked to allow recursion only for clients belonging to a specific domain. I thought I could go to my named.conf and add this line in the options section: allow-recursion { myDomain ; }; but then I realised that was a huge mistake. Is there any way to allow DNS recursion for the clients in my domain without having to write every IP address in the allow-recursion {}; list?
If there is a specific subnet, recursion can be allowed for it like so:
```
acl trustednets {
    # server itself
    localhost;
    # the subnet
    192.0.2.0/24;
    # any others...
    # (BIND also has a "localnets" to trust
    # connected subnets, if that is appropriate)
};
options {
    ...
    allow-recursion { trustednets; };
};
```
Another option is to use views; this may suit a DNS server that is also exposed to public client systems, although it is more complicated:
```
acl trustednets {
    ... # as above
};
view favoredclients {
    match-clients { trustednets; };
    match-destinations { trustednets; };
    recursion yes;
    zone ... # zones probably best done via include
};
view thewashedmasses {
    recursion no;
    # https://rhn.redhat.com/errata/RHSA-2013-0550.html
    rate-limit { responses-per-second 5; window 5; };
    zone ... # best done via include (because duplicated here)
};
```
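As an added illustration (not part of the answer above), the following checker applies BIND's address-match-list rule, first matching element wins and a `!` entry denies, to an `acl` plus `allow-recursion` fragment, so you can confirm which client addresses would be granted recursion before reloading named. The named.conf text is constructed for the example, the expansion of `localhost`/`any` is an assumption, and a missing `allow-recursion` is treated as deny here (BIND's real default differs).

```python
"""Audit helper: which clients does a BIND allow-recursion list admit?"""
import ipaddress
import re

# Constructed named.conf fragment (not from the page) using the answer's layout.
NAMED_CONF = """
acl trustednets {
    localhost;          # the server itself
    !192.0.2.13;        # one host on the LAN that must not recurse
    192.0.2.0/24;       # the trusted subnet
    2001:db8::/32;      # and its IPv6 range
};
options {
    allow-recursion { trustednets; };
};
"""

# Assumed expansion of BIND's built-in keywords for this checker.
KEYWORDS = {"any": ["0.0.0.0/0", "::/0"], "none": [],
            "localhost": ["127.0.0.0/8", "::1/128"]}

def _tokens(body):
    body = re.sub(r"#.*", "", body)           # drop comments
    return [t.strip() for t in body.split(";") if t.strip()]

def _entries(tokens, acls):
    """Expand tokens into (negated, network) pairs, keeping list order."""
    out = []
    for tok in tokens:
        negated, name = tok.startswith("!"), tok.lstrip("!").strip()
        if name in KEYWORDS:
            out += [(negated, ipaddress.ip_network(n)) for n in KEYWORDS[name]]
        elif name in acls:                    # reference to an earlier acl
            out += acls[name]
        else:
            out.append((negated, ipaddress.ip_network(name, strict=False)))
    return out

def parse(conf):
    """Return the expanded allow-recursion match list for a named.conf text."""
    acls = {}
    for name, body in re.findall(r"acl\s+(\S+)\s*\{(.*?)\};", conf, re.S):
        acls[name] = _entries(_tokens(body), acls)
    m = re.search(r"allow-recursion\s*\{(.*?)\};", conf, re.S)
    return _entries(_tokens(m.group(1)), acls) if m else []   # none: deny

def recursion_allowed(conf, client_ip):
    """BIND address match lists: first matching element wins, '!' denies."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse(conf):
        if ip.version == net.version and ip in net:
            return not negated
    return False                              # no match: recursion refused
```

Because ordering matters, placing `192.0.2.0/24` before `!192.0.2.13` would silently admit the excluded host; the checker makes that visible.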