linux – bind9正确的递归设置
发布时间:2020-12-14 03:05:22 所属栏目:Linux 来源:网络整理
导读:如果我删除递归,那么我无法解析外部域,但仍然可以解析DNS服务器上的域. 正确设置递归的正确方法是什么,这样可以在不让DNS服务器打开的情况下解析外部域? named.conf.options options { version "One does not simply get my version"; directory "/var/cach
如果我删除递归,那么我无法解析外部域,但仍然可以解析DNS服务器上的域.
正确设置递归的正确方法是什么,这样可以在不让DNS服务器打开的情况下解析外部域? named.conf.options options { version "One does not simply get my version"; directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to,you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers,you probably want to use them as forwarders. // Uncomment the following block,and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================== // If BIND logs error messages about the root key being expired,// you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation yes; auth-nxdomain no; listen-on-v6 { any; }; allow-recursion { any; }; allow-query { any; }; allow-query-cache { any; }; notify yes; dnssec-enable yes; dnssec-lookaside . trust-anchor dlv.isc.org.; also-notify { }; }; 我还在内部子网中添加了允许递归{subnet / xx; };但仍无法解析外部域名. 解决方法
筛选谁能够递归查询DNS以及谁不使用ACL.
acl my_net { 192.168.1.0/24; }; acl my_other_net { 10.0.0.0/8; }; options { [ ... ] recursion yes; allow-recursion { my_net; }; blackhole { my_other_net; }; }; 此外,在您的网关中设置入口(BCP 84)/出口过滤,以避免欺骗性UDP数据包到达您的网络并产生意外流量或中毒. Blackhole不受信任的本地基础设施部分. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |