Bind9 Response Policy Zone (RPZ) not applied to clients - ignore, this is my first post, sorry if it is off topic
On my single DNS server, bind9 (version 9.11.5-P4-5.1), I have configured a Response Policy Zone (RPZ) to block certain domains. The IP of the DNS server is 192.168.1.5.
Now I am going to put the relevant parts of the configuration from the different files and commands:
On the server:
In /etc/bind/named.conf.options
acl trusted {
localhost; # this server
192.168.1.0/24; #my net
};
Also
// Only allows trusted client to use the service
allow-query { trusted; };
forwarders {
The IP of the NS1 of IPS#1;
The IP of the NS2 of IPS#1;
The IP of the NS1 of IPS#2;
The IP of the NS2 of IPS#2;
8.8.8.8;
8.8.4.4;
1.1.1.1;
};
And also
// For Ad-Blocking/Blacklisting/Whitelisting
response-policy {
zone "rpz.blacklist";
zone "office.local" policy passthru;
zone "1.168.192.in-addr.arpa" policy passthru;
};
In /etc/bind/named.conf.local
zone "rpz.blacklist" {
type master;
file "/etc/bind/zones/rpz.blacklist.db";
allow-query { trusted; };
allow-transfer { localhost; };
};
And finally in /etc/bind/zones/rpz.blacklist.db
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800; Refresh
86400; Retry
2419200; expire
86400); Negative Cache TTL
;
@ IN NS localhost.
;.:#====================#:.
; Blacklist Domains
;.:#====================#:.
ads2000.hw.net IN A 127.0.0.1
There are more domains, but I leave only one as an example.
The commands [named-checkconf] and [named-checkconf "rpz.blacklist" /etc/bind/zones/rpz.blacklist.db] return OK and the service starts successfully
Now, if I ping ads2000.hw.net from the same server, it works fine:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.201 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.034 ms
--- ads2000.hw.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 105ms
rtt min/avg/max/mdev = 0.034/0.069/0.201/0.066ms
Now, if I do it from a Linux client, it does not:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (65.8.181.28) 56(84) bytes of data.
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=1 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=2 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=3 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=4 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=5 ttl=246 time=131 ms
These are my DNS settings on that computer:
cat /etc/resolv.conf
## Generated by NetworkManager
domain office.local
search office.local
nameserver 192.168.1.5
nameserver 1.1.1.1
nameserver 8.8.8.8
Now, if I do it from a Windows client, it does not work either:
ping ads2000.hw.net
Ping ads2000.hw.net [65.8.181.28] with 32 bytes of data:
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Ping statistics for 65.8.181.28:
Packets: sent = 4, received = 4, lost = 0
(0% lost),
Approximate round trip times in milliseconds:
Minimum = 131ms, Maximum = 131ms, Average = 131ms
These are my DNS settings on that computer:
Ethernet Ethernet Adapter:
Specific DNS suffix for the connection. . : office.local
DNS servers. . . . . . . . . . . . . . : 192.168.1.5
1.1.1.1
8.8.8.8
If I remove the servers "1.1.1.1" and "8.8.8.8" from the clients, it works, but then I lose Internet access (I cannot resolve names of Internet domains from the clients).
What am I doing wrong?
I thank you in advance for your help.
PS: Sorry for my bad English
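Two checks for the configuration shown in this question, as an added example that is not part of the original post or of BIND itself. The first emulates what the rpz.blacklist zone answers for a query name (an exact trigger first, then the wildcard of each enclosing domain; an `A 127.0.0.1` record is RPZ "local data", while the conventional block action `CNAME .` yields NXDOMAIN). The second parses the Linux client's /etc/resolv.conf and lists every resolver that does not load the policy. The zone apex, the single blacklist entry, the server address and the resolv.conf lines are taken from the post; the `*.tracker.example` record is hypothetical and is there only to show wildcard matching.

```python
"""Added example (not the post's code): emulate the RPZ zone's answer for
a query name and audit a client's resolver list for resolvers that do not
enforce the policy. Zone apex, blacklist entry, server IP and resolv.conf
lines come from the post; the *.tracker.example record is hypothetical."""

ORIGIN = "rpz.blacklist"            # policy zone apex (named.conf.local)
RPZ_SERVERS = {"192.168.1.5"}       # resolvers that load the RPZ

# Constructed zone text: the post's entry plus one hypothetical wildcard
# record using the conventional NXDOMAIN action (CNAME .).
SAMPLE_ZONE = """\
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800; Refresh
86400; Retry
2419200; expire
86400); Negative Cache TTL
@ IN NS localhost.
; Blacklist Domains
ads2000.hw.net          IN A     127.0.0.1
*.tracker.example       IN CNAME .
"""

# The Linux client's /etc/resolv.conf exactly as shown in the post.
SAMPLE_RESOLV_CONF = """\
## Generated by NetworkManager
domain office.local
search office.local
nameserver 192.168.1.5
nameserver 1.1.1.1
nameserver 8.8.8.8
"""


def parse_rpz_zone(text):
    """Return {trigger: (rdtype, rdata)}; skips SOA/NS, $-lines, comments."""
    triggers, in_soa = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if in_soa:                                   # inside "SOA ( ... )"
            in_soa = ")" not in line
            continue
        if not line or line.startswith("$"):
            continue
        if "(" in line and ")" not in line:
            in_soa = True
            continue
        owner, *fields = line.split()
        if owner == "@":                             # apex records: no trigger
            continue
        fields = [f for f in fields if f.upper() != "IN" and not f.isdigit()]
        name = owner.lower().rstrip(".")
        if name.endswith("." + ORIGIN):              # absolute owner name
            name = name[: -len(ORIGIN) - 1]
        triggers[name] = (fields[0].upper(), fields[1])
    return triggers


def rpz_lookup(triggers, qname):
    """Policy decision for qname: exact trigger first, then the wildcard of
    each enclosing domain (*.tracker.example matches x.tracker.example but
    not tracker.example itself)."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:])
                                       for i in range(1, len(labels))]
    for cand in candidates:
        if cand in triggers:
            rdtype, rdata = triggers[cand]
            if rdtype == "CNAME" and rdata == ".":
                return ("NXDOMAIN", None)            # conventional block action
            return ("LOCAL-DATA", rdata)             # e.g. A 127.0.0.1
    return ("PASS", None)                            # no policy applies


def parse_resolv_conf(text):
    """Nameserver addresses in the order the stub resolver tries them."""
    return [line.split()[1] for line in text.splitlines()
            if line.split()[:1] == ["nameserver"]]


def bypass_resolvers(nameservers):
    """Configured resolvers that do not enforce the RPZ."""
    return [ns for ns in nameservers if ns not in RPZ_SERVERS]


def expected_answers(triggers, nameservers, qname):
    """Per configured resolver, the answer a client gets for qname."""
    return {ns: rpz_lookup(triggers, qname) if ns in RPZ_SERVERS
            else ("UNFILTERED", None)                # real address comes back
            for ns in nameservers}


if __name__ == "__main__":
    trig = parse_rpz_zone(SAMPLE_ZONE)
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolvers without RPZ:", bypass_resolvers(servers))
    for ns, ans in expected_answers(trig, servers, "ads2000.hw.net").items():
        print(f"{ns:12} -> {ans}")
```

Any resolver reported by bypass_resolvers can answer a client's query with the policy never applied, so the block list is only as strong as the least-filtered resolver a client is able to use; running this audit over each client's resolver list is the check worth doing before changing the server side.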
Comments (1)
Try:
In case it didn't help,
Please add the input return from -