想要达到的效果：内部 DNS 只处理一部分域名的解析，其余域名仍交给外部 DNS 处理。
如 www.sundayhk.com、api.sundayhk.com、static.sundayhk.com 均已在 dnspod 上解析。
现在只想处理
- harbor.sundayhk.com 纯内网解析
- api.sundayhk.com 内网服务器解析为内网IP (即内部DNS优先于外部)
- 其余依旧由dnspod处理。
方案1. 单机的话直接在/etc/hosts绑定就可以了。
方案2. 多机的话就不是很方便了。这时可以使用bind rpz做局部解析。注意bind 9.0版本才支持这一功能。
注意：如果直接为 sundayhk.com 定义一个普通 zone，那么该域名下的全部记录都由内部 DNS 权威应答；在外网有解析、但内网 zone 文件里没有的记录就解析不了。所以要使用 bind rpz 做局部覆盖。
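options {
  // Listen only on the internal interface; external names are answered via forwarders.
  listen-on port 53 { 192.168.77.8; };
  //listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  recursing-file "/var/named/data/named.recursing";
  secroots-file "/var/named/data/named.secroots";
  // Only the internal subnet may query. With recursion enabled this ACL is what
  // keeps the server from being an open resolver; set allow-recursion explicitly
  // if a narrower set of recursive clients is wanted.
  allow-query { 192.168.77.0/24; };
  // Names not rewritten by the policy zone are resolved through these upstreams.
  forwarders { 119.29.29.29; 223.5.5.5; };
  recursion yes;
  // Zone transfers and notifies go only to the two secondaries; the rpz zone is
  // replicated the same way.
  allow-transfer { 192.168.77.43; 192.168.77.44; };
  also-notify { 192.168.77.43; 192.168.77.44; };
  notify yes;
  // Use rpz. (In named.conf ";" is a statement terminator, not a comment
  // marker -- the original ";使用rpz" line makes named-checkconf fail.)
  response-policy { zone "rpz"; };
  // DNSSEC validation is off, so answers from the forwarders are not verified
  // locally; whether that is acceptable depends on the internal trust boundary -- TODO confirm.
  dnssec-enable no;
  dnssec-validation no;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.root.key";
  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};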
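logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
  // Configure rpz logging: dedicated file, rotated at 500k into 10 versions.
  // (In named.conf ";" is not a comment marker -- the original
  // ";配置rpz日志记录" line makes named-checkconf fail.) The directory must be
  // writable by the named user -- confirm on the host.
  channel rpz-queries {
    file "/var/log/named/rpz.log" versions 10 size 500k;
    severity info;
  };
  // The rpz category records policy hits, i.e. which client queries were
  // rewritten; useful for auditing that only the intended names are affected.
  category rpz {
    rpz-queries;
  };
};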
zone "." IN {
  // Root hints. Unless forwarding is set to "forward only", named falls back
  // to these when the forwarders in options do not answer.
  file "named.ca";
  type hint;
};
vim /etc/named.rfc1912.zones
zone "rpz" {
  // Policy zone referenced by response-policy in options. It is an ordinary
  // master zone, so the global allow-transfer/also-notify replicate it to the
  // secondaries.
  type master;
  allow-update { none; };
  file "rpz.zone";
  // NOTE(review): clients in allow-query can still query the policy data
  // directly (names under "rpz."). Consider allow-query { localhost; }; here so
  // the override list cannot be enumerated -- confirm it does not interfere
  // with the "CNAME @" entry in rpz.zone before enabling.
};
vim /var/named/rpz.zone
; RPZ policy zone for the internal resolver. Owner names below are the trigger
; domains (relative to "rpz."); the RDATA is what clients receive instead of the
; external answer. Bump the serial after every edit, otherwise the secondaries
; listed in allow-transfer will not pick up the change.
$TTL 1D
@ IN SOA ns.sundayhk.com. root.sundayhk.com. (
2019110108 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.sundayhk.com.
; Apex A record: "rpz." itself is never a client query, so this only matters
; as the target of the CNAME below.
@ IN A 192.168.77.8
; NOTE(review): rewrites the bare sundayhk.com to a CNAME pointing at the zone
; apex, whose A record is 192.168.77.8 -- presumably the intent is to answer
; sundayhk.com with that address. This is not part of the stated goal
; (harbor and api only); confirm it is wanted, otherwise drop the line.
sundayhk.com IN CNAME @
; Internal override: takes precedence over the dnspod record.
api.sundayhk.com IN A 192.168.77.41
; Internal-only name, no external record exists.
harbor.sundayhk.com IN A 192.168.77.15
刷新配置
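# Edit the SOA serial in /var/named/rpz.zone first (here 2019110108 -> 2019110109);
# secondaries only transfer the zone when the serial increases.
# Check named.conf and load-check every zone (-z) BEFORE reloading, so a typo in
# rpz.zone or named.conf is caught instead of being pushed to the running resolver.
named-checkconf -z && systemctl reload named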
验证：匹配到 rpz 规则的域名由内部 DNS 改写应答，匹配不到的仍按原样由外部 DNS（forwarders）解析。
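# Verification queries. The expected answers from the transcript are shown as
# comments (they are not shell commands). Run these from a host whose resolver
# is 192.168.77.8, or add @192.168.77.8 to each dig so the result does not
# depend on /etc/resolv.conf.
dig -t a api.sundayhk.com +short
# expected: 192.168.77.41   (rpz override, internal address)
dig -t a harbor.sundayhk.com +short
# expected: 192.168.77.15   (rpz-only name)
dig -t a www.sundayhk.com +short
# expected: 102.33.99.12    (no rpz match, answered by the external DNS)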
https://www.linuxhelp.com/how-to-block-a-domain-using-rpz-on-bind-dns-server-on-centos