如果我删除recursion,则无法parsing外部域,但仍可以parsingDNS服务器上的域。
什么是正确设置recursion正确的方式,所以外部域仍然可以解决而不离开DNS服务器打开?
named.conf.options
options { version "One does not simply get my version"; directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation yes; auth-nxdomain no; listen-on-v6 { any; }; allow-recursion { any; }; allow-query { any; }; allow-query-cache { any; }; notify yes; dnssec-enable yes; dnssec-lookaside . trust-anchor dlv.isc.org.; also-notify { }; }; 我也在内部子网中添加allow-recursion {subnet / xx; }; 但仍然无法parsing外部域名。
筛选谁可以recursion查询DNS,谁不ACL。
acl my_net { 192.168.1.0/24; }; acl my_other_net { 10.0.0.0/8; }; options { [ ... ] recursion yes; allow-recursion { my_net; }; blackhole { my_other_net; }; };
此外,在网关中设置入口( BCP 84 )/出口过滤,以避免欺骗UDP数据包到达您的networking,并产生意外的stream量或中毒。 本地基础设施的黑洞不受信任的部分。