How to completely disable recursion in BIND9 and answer only for the zones hosted on the server
A DNS server that a domain's NS records point to, unlike a resolver open to the public, does not need to resolve any names beyond the zones configured on it. When a queried name is not held locally, the server either recurses (recursion) or forwards (forward) the query to a remote DNS server.
Recursion: the server itself starts at the root servers to find the NS records for the domain, then queries the servers those NS records point to.
Forwarding: the server passes the query to a designated server and returns that server's response to the client as is.
BIND9 enables recursion and disables forwarding by default, so the main question is how to turn recursion off completely; along the way I ran into some interesting behaviour.
Test platform: Debian 5.0.4
BIND9 version: BIND 9.5.1.dfsg.P3-1+lenny1
Configuration file: /etc/bind/named.conf.options
1. Setting only "recursion no;"
C:\>nslookup
> server 192.168.99.104
> www.google.com
Server: [192.168.99.104]
Address: 192.168.99.104
Name: www.google.com
Served by:
- K.ROOT-SERVERS.NET
- I.ROOT-SERVERS.NET
- L.ROOT-SERVERS.NET
- B.ROOT-SERVERS.NET
- M.ROOT-SERVERS.NET
- G.ROOT-SERVERS.NET
- F.ROOT-SERVERS.NET
- A.ROOT-SERVERS.NET
- J.ROOT-SERVERS.NET
- C.ROOT-SERVERS.NET
The server did not recurse, but it still answered the client with the root servers (a referral). I spent a long time trying to shut this off completely, without success. The BIND9 documentation (http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html) describes the options like this:
recursion
If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above.
allow-recursion
Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache.
The question, then, is how to turn off this cache. The documentation does not go into detail; after a long search I found the allow-query-cache option, which does not seem to appear in the official documentation.
2. Setting both "recursion no;" and "allow-query-cache { none; };"
C:\>nslookup
> server 192.168.99.104
> www.google.com
Server: [192.168.99.104]
Address: 192.168.99.104
*** [192.168.99.104] can't find www.google.com: Query refused
Recursion is now completely disabled and the query is refused, which is what we wanted.
3. Setting only "allow-recursion { none; };"
Same result as test 2.
I noticed this by chance while changing the configuration later: allow-recursion apparently does not require turning off the cache. I had always assumed allow-recursion and recursion were exactly the same thing, but evidently they are not. Of course, this may just be due to my limited testing.
Appendix 1: forwarding is off by default in BIND9; if you want to state that explicitly, write the following in named.conf.options:
forwarders {};
forward only;
Appendix 2: how to stop BIND9 answering the nslookup ls command (a zone transfer); if you have slaves or other special needs, replace none with their IP addresses:
allow-transfer { none; };
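As an added example (not from the original post or from BIND), here is a small Python audit that parses a named.conf.options fragment and reports which of the settings found in tests 1 to 3 and appendix 2 are missing; the two sample fragments are constructed, and the parser handles only the simple `name value;` and `name { a; b; };` statement forms.

```python
import re

# Constructed sample fragments of /etc/bind/named.conf.options (not from the post).
WEAK = """
options {
    recursion no;    // test 1 above: still hands out a root-server referral
};
"""
HARDENED = """
options {
    directory "/var/cache/bind";
    recursion no;
    allow-recursion { none; };   // test 3: sufficient on its own
    allow-query-cache { none; }; // test 2: explicit, harmless to keep as well
    allow-transfer { none; };    // appendix 2: no zone transfer (nslookup ls) for anyone
    forwarders {};               // appendix 1: forwarding stays off
    forward only;
};
zone "example.com" { type master; file "/etc/bind/db.example.com"; };
"""
STMT = re.compile(r'([\w-]+)\s*(?:\{([^}]*)\}|([^;{]+))\s*;')

def parse_options(text):
    """Map each statement in the 'options { ... };' block to its value: a list
    for { a; b; } values, a string otherwise (simple statement forms only)."""
    text = re.sub(r'(//|#)[^\n]*', '', text)            # drop line comments
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)    # drop block comments
    start = text.index('{', text.index('options'))
    depth = 0
    for end in range(start, len(text)):                  # find the matching brace
        depth += {'{': 1, '}': -1}.get(text[end], 0)
        if depth == 0:
            break
    opts = {}
    for m in STMT.finditer(text[start + 1:end]):
        name, lst, scalar = m.groups()
        opts[name] = [v.strip() for v in lst.split(';') if v.strip()] if lst is not None else scalar.strip()
    return opts

def audit(text):
    """Return the findings that keep this server from being authoritative-only."""
    opts, findings = parse_options(text), []
    if opts.get('recursion', 'yes') != 'no':
        findings.append('recursion is on (BIND9 default)')
    # Tests 1-3 above: "recursion no;" alone still returns a root referral and cached data;
    # either ACL closes that (since BIND 9.4 an unset allow-query-cache inherits allow-recursion).
    if opts.get('allow-query-cache') != ['none'] and opts.get('allow-recursion') != ['none']:
        findings.append('off-zone queries still answered: add allow-query-cache { none; } or allow-recursion { none; }')
    if 'allow-transfer' not in opts:
        findings.append('allow-transfer unset: restrict it to { none; } or the slave addresses')
    return findings
```

Running audit(WEAK) lists the two gaps that tests 1 and appendix 2 describe, while audit(HARDENED) returns an empty list.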