 |
|
茫茫網海中的冷日
發生過的事,不可能遺忘,只是想不起來而已! |
|
|
恭喜您是本站第 1675694
位訪客!
登入 | 註冊
|
|
|
|
| 發表者 |
討論內容 |
冷日
(冷日) |
發表時間:2016/12/21 15:17 |
- Webmaster
- 註冊日: 2008/2/19
- 來自:
- 發表數: 15771
|
- [轉貼]How to Disable External DNS recursion?
- How to Disable External DNS recursion?
I know that to disable recursive queries in BIND, I need add the following lines to the options section of /etc/bind/named.conf.options
allow-transfer {"none";};
allow-recursion {"none";};
recursion no;
Will the above configuration disable all DNS recursive queries?
How can I disable DNS recursion only to external network queries and keep recursion only for Internal network?
If I disable the recursion, then what process will be performed by the BIND resolve the name request? Iterative or Inverse?
You can enable recursion for some clients and disable recursion for others using views, but it is not recommended because you will lose some of the advantages of turning off recursion in the first place. You should use different nameservers for recursive resolution and authoritative service. (The two servers could run on the same machine if necessary.) Still, here's how to do it:
// global options apply to external clients
options {
recursion no;
additional-from-auth no;
additional-from-cache no;
};
view "local" in {
// view options enable recursion only for local clients
match-clients { 172.16.45.80/23; 192.168.12.0/24; 127.0.0.1/8; ::1; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
type hint;
file "/etc/bind/db.root";
};
// put definitions for zones like "localhost" and "127.in-addr.arpa" here
}
// put definitions for real authoritative zones here.
As for the question in your last sentence, "what process will be performed by the BIND resolve the name request? Iterative or Inverse?", I do not understand the question. A nameserver configured not to offer recursive service will simply refuse to answer recursive queries.
原文出處:bind - How to Disable External DNS recursion? - Ask Ubuntu
|
|
|
討論串
|
[轉貼]如何避免DNS主機被當成攻擊跳板 (冷日