Debian

RPZ not working with views

  • February 19, 2017

I have a DNS server with two views, one for internal users and one for external (i.e. Internet) users. I want to configure RPZ so that when an internal user requests the example site (external recursive queries are refused anyway), they are redirected to another site (a filter page) stating that access to that site is not allowed. But RPZ does not work: a query for bad.com returns its real address. I cannot find out what is wrong.

named.conf.options:

options {
   directory "/var/cache/bind";

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable 
   // nameservers, you probably want to use them as forwarders.  
   // Uncomment the following block, and insert the addresses replacing 
   // the all-0's placeholder.

   forwarders {
       8.8.8.8;
   };


   response-policy {zone "filter" recursive-only no;};

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================
#   dnssec-validation auto;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };
};

named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


acl internal {172.17.116/24; 192.168.20/24; 127/8;};

view "internal" {
   match-clients {internal;};
   recursion yes;
   zone "wsi.org" {
       type master;
       file "/etc/bind/internal.zone";
   };

   zone "filter" {
       type master;
       file "/etc/bind/filter.zone";
   };



   include "/etc/bind/named.conf.default-zones";
};

view "external" {
   match-clients {any;};
   recursion no;
   zone "wsi.org" {
       type master;
       file "/etc/bind/external.zone";
   };

   zone "filter" {
       type master;
       file "/etc/bind/filter2.zone";
   };


   include "/etc/bind/named.conf.default-zones";
};

filter.zone:

$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
                 3     ; Serial
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL

bad.com A   filter.wsi.org
bad.net A   filter.wsi.org

filter2.zone:

$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
                 3     ; Serial
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL

bad.com A   filter.wsi.org
bad.net CNAME   rpz-passthru

nslookup always shows the real addresses of bad.net and bad.com.

I am experimenting, which is why there are two zones.

First, correct the A record from:

bad.com A   filter.wsi.org 

to:

bad.com A   192.168.1.1

or change it as follows:

bad.com CNAME   filter.wsi.org

and use the following test configuration:

response-policy {zone "filter";};

I found another problem: you have not defined an NS record in the RPZ zone file.

@   NS    127.0.0.1.

And use the bind tools to troubleshoot your configuration. Check the configuration syntax:

named-checkconf

and check the zone file syntax:

named-checkzone filter /etc/bind/filter.zone

and check that bind is running without errors:

netstat -lntup | grep 53
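The answer's fixes, applied and checked by a small lint. This is an added example, not from the original post and not BIND code: a Python script that needs no BIND install, embeds the asker's filter.zone as posted and a corrected version (both constructed sample input), and flags what named-checkzone would reject: an A record whose rdata is a hostname instead of an address, and a zone with no NS record at the apex. It also warns about a caveat the answer's CNAME variant still carries: in a zone file a target without a trailing dot is relative to the zone origin, so `CNAME filter.wsi.org` inside zone "filter" expands to `filter.wsi.org.filter.`, and `CNAME rpz-passthru` to `rpz-passthru.filter.` rather than the absolute `rpz-passthru.` that BIND's RPZ documentation uses. The `localhost.` NS name, the serial bump and the wildcard entry in the corrected zone are assumptions of this example, not from the page; named-checkzone remains the authoritative check.

```python
# Pre-check for an RPZ zone file (added example, standard library only).
import ipaddress

RR_CLASSES = {"IN", "CH", "HS"}

# Constructed sample input: BROKEN_ZONE is filter.zone as posted in the
# question; FIXED_ZONE applies the answer's fixes with absolute targets.
# The 'localhost.' NS name, serial bump and wildcard are assumptions.
BROKEN_ZONE = """\
$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
                 3     ; Serial
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL

bad.com A   filter.wsi.org
bad.net A   filter.wsi.org
"""

FIXED_ZONE = """\
$TTL 604800
@   IN  SOA wsi.org. root.wsi.org. (
                 4     ; Serial (bumped so named reloads the zone)
            604800     ; Refresh
             86400     ; Retry
           2419200     ; Expire
            604800 )   ; Negative Cache TTL
@           NS      localhost.        ; never queried, but required at apex
bad.com     CNAME   filter.wsi.org.   ; trailing dot: absolute target
*.bad.com   CNAME   filter.wsi.org.   ; also catches www.bad.com etc.
bad.net     CNAME   rpz-passthru.     ; absolute special action name
"""


def qualify(name, origin):
    """Expand a name the way named does: '@' is the origin, and a name
    without a trailing dot gets the origin appended."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Minimal master-file parser: $TTL/$ORIGIN, ';' comments, multi-line
    '( ... )' rdata and blank-owner continuation.  No quoted strings,
    $INCLUDE, $GENERATE or unit-suffixed TTLs (1h, 2d)."""
    directives, records, pending, depth, owner = {}, [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        pending.append(line)
        if depth > 0:
            continue                                # still inside ( ... )
        joined, pending = " ".join(pending), []
        if joined.startswith("$"):
            key, _, value = joined.partition(" ")
            directives[key] = value.strip()
            if key == "$ORIGIN":
                origin = value.strip()
            continue
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if not joined[0].isspace():                 # owner present
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError(f"record without owner: {joined!r}")
        if tokens and tokens[0].isdigit():          # optional per-RR TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in RR_CLASSES:
            tokens.pop(0)
        records.append((qualify(owner, origin), tokens[0].upper(), tokens[1:]))
    return directives, records


def lint_rpz_zone(text, origin="filter"):
    """Return a list of problems; an empty list means the checks passed."""
    directives, records = parse_zone(text, origin)
    apex, problems = qualify("@", origin), []
    if "$TTL" not in directives:
        problems.append("no $TTL directive")
    for rtype in ("SOA", "NS"):
        if not any(o == apex and t == rtype for o, t, _ in records):
            problems.append(f"no {rtype} record at apex (named rejects the zone)")
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            want = 4 if rtype == "A" else 6
            try:
                ok = ipaddress.ip_address(rdata[0]).version == want
            except (ValueError, IndexError):
                ok = False
            if not ok:
                problems.append(f"{owner} {rtype} rdata {' '.join(rdata)!r} is not "
                                f"an IPv{want} address; use CNAME to point at a name")
        elif rtype == "CNAME" and not rdata[0].endswith("."):
            problems.append(f"{owner} CNAME target {rdata[0]!r} is relative and "
                            f"expands to {qualify(rdata[0], origin)!r}")
    return problems


if __name__ == "__main__":
    for label, zone in (("as posted", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        problems = lint_rpz_zone(zone)
        print(f"filter.zone ({label}): {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it as `python3 rpz_lint.py`: the zone as posted reports the missing apex NS and the two A records with hostname rdata; the corrected zone reports nothing. After editing the real file, still run `named-checkzone filter /etc/bind/filter.zone` and reload named, since this pre-check covers only the mistakes discussed here.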

Quoted from: https://unix.stackexchange.com/questions/317976