On my single DNS server running bind9 (version 9.11.5-P4-5.1) I have configured a Response Policy Zone (RPZ) to block certain domains. The IP of the DNS server is 192.168.1.5.
Now I will put the relevant parts of the configuration from the different files and commands:
On the server:
In /etc/bind/named.conf.options:
acl trusted {
localhost; # this server
192.168.1.0/24; # my net
};

and also:

// Only allows trusted client to use the service
allow-query { trusted; };
forwarders {
The IP of the NS1 of ISP#1;
The IP of the NS2 of ISP#1;
The IP of the NS1 of ISP#2;
The IP of the NS2 of ISP#2;
8.8.8.8;
8.8.4.4;
1.1.1.1;
};

and also:

// For Ad-Blocking/Blacklisting/Whitelisting
response-policy {
zone "rpz.blacklist";
zone "office.local" policy passthru;
zone "1.168.192.in-addr.arpa" policy passthru;
};

In /etc/bind/named.conf.local:

zone "rpz.blacklist" {
type master;
file "/etc/bind/zones/rpz.blacklist.db";
allow-query { trusted; };
allow-transfer { localhost; };
};

And finally in /etc/bind/zones/rpz.blacklist.db:
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800; Refresh
86400; Retry
2419200; expire
86400); Negative Cache TTL
;
@ IN NS localhost.
;.:#====================#:.
; Blacklist Domains
;.:#====================#:.
ads2000.hw.net IN A 127.0.0.1

There are more domains, but I left only one as an example.
The command named-checkconf /etc/bind/zones/rpz.blacklist.db returns OK, and the service starts successfully.
Now, if I ping ads2000.hw.net from the same server, it works fine:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.201 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.034 ms
--- ads2000.hw.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 105ms
rtt min/avg/max/mdev = 0.034/0.069/0.201/0.066ms

Now, if I do this from a Linux client, it does not:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (65.8.181.28) 56(84) bytes of data.
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=1 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=2 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=3 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=4 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=5 ttl=246 time=131 ms

This is the DNS configuration on that machine:
cat /etc/resolv.conf
## Generated by NetworkManager
domain office.local
search office.local
nameserver 192.168.1.5
nameserver 1.1.1.1
nameserver 8.8.8.8

Now, if I do this from a Windows client, it does not work either:
ping ads2000.hw.net
Ping ads2000.hw.net [65.8.181.28] with 32 bytes of data:
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Ping statistics for 65.8.181.28:
Packets: sent = 4, received = 4, lost = 0
(0% lost),
Approximate round trip times in milliseconds:
Minimum = 131ms, Maximum = 131ms, Average = 131ms

This is the DNS configuration on that machine:
Ethernet Ethernet Adapter:
Specific DNS suffix for the connection. . : office.local
DNS servers. . . . . . . . . . . . . . : 192.168.1.5
1.1.1.1
8.8.8.8

If I remove the servers "1.1.1.1" and "8.8.8.8" from the client, it works, but without them I lose the Internet (Internet domain names cannot be resolved from the client).
What am I doing wrong?
Thanks in advance for your help.
PS: Sorry for my bad English,
Posted on 2022-04-14 13:55:26
Try:
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved

If that does not help, please add the output from:
dig hw.net

https://stackoverflow.com/questions/71620483
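The question's last observation (blocking only works once 1.1.1.1 and 8.8.8.8 are removed from the client) is the general RPZ caveat: any resolver in the client's list that does not load the policy zone can hand back an unfiltered answer. The audit below is an added example, not code from the question or the answer; it parses a client's resolver list (resolv.conf or Windows ipconfig /all text) and the RPZ zone file, and reports which resolvers would bypass the policy. The sample inputs are constructed, and RPZ_SERVERS is the assumption that 192.168.1.5 is the only resolver carrying the RPZ.

```python
RPZ_SERVERS = {"192.168.1.5"}  # assumption: the only resolver that loads the RPZ

# Constructed sample inputs in the shape shown in the question
RESOLV_CONF = """\
nameserver 192.168.1.5
nameserver 1.1.1.1
nameserver 8.8.8.8
"""
IPCONFIG = """\
   Connection-specific DNS Suffix  . : office.local
   DNS Servers . . . . . . . . . . . : 192.168.1.5
                                       1.1.1.1
                                       8.8.8.8
"""
RPZ_ZONE = """\
$TTL 86400
@ IN SOA localhost. root.localhost. ( 1 604800 86400 2419200 86400 )
@ IN NS localhost.
ads2000.hw.net IN A 127.0.0.1   ; "walled garden" answer, as in the question
tracker.example IN CNAME .      ; RPZ NXDOMAIN action
"""

def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf, in the order the stub resolver sees them."""
    return [l.split()[1] for l in text.splitlines() if l.split()[:1] == ["nameserver"]]

def parse_ipconfig_dns(text):
    """IPv4 DNS servers from 'ipconfig /all' text (continuation lines are bare addresses)."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            servers.append(line.split(":", 1)[1].strip())
            in_dns = True
        elif in_dns and line.strip() and ":" not in line:
            servers.append(line.strip())
        else:
            in_dns = False
    return servers

def parse_rpz_names(text):
    """Owner names of policy records; $directives, comments and apex records are skipped."""
    names = []
    for line in text.splitlines():
        f = line.split(";")[0].split()
        if len(f) >= 4 and f[0] != "@" and f[1] == "IN" and f[2] in ("A", "AAAA", "CNAME"):
            names.append(f[0].rstrip(".").lower())
    return names

def audit(nameservers, zone_text, rpz_servers=RPZ_SERVERS):
    """The policy only holds if every resolver the client may ask loads the RPZ."""
    bypass = [ns for ns in nameservers if ns not in rpz_servers]
    return {"blocked": parse_rpz_names(zone_text), "bypass": bypass, "enforced": not bypass}
```

Run against the constructed inputs, the audit lists 1.1.1.1 and 8.8.8.8 as bypass resolvers, matching what the question observed; with only 192.168.1.5 configured it reports the policy as enforced.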