
dns - bind9 - rpz - response policy zone

Published: 2024-02-02 01:11:00

Reference: https://www.linuxbabe.com/ubuntu/set-up-response-policy-zone-rpz-in-bind-resolver-on-debian-ubuntu

RPZ (Response Policy Zone): a mechanism for overriding or rewriting the answers that a DNS server such as named/bind9 returns.

You can also pin IP-to-domain mappings in a file such as /etc/hosts, but that scales poorly and is far less flexible than configuring the policy on the DNS server itself.

1. Install named / BIND 9

2. Add the following to the options block of the configuration file:

options {
    response-policy { 
        zone "rpz.local"; 
    };
};

3. Add the zone:

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";    // replace with the absolute path of your zone file
    allow-query { localhost; };      // only allow queries from this host
    allow-transfer { 12.34.56.78; };  // change to your DNS server's IP; localhost also works
};

4. Add the matching /etc/bind/db.rpz.local zone file:

$TTL 86400
@    IN    SOA   localhost.   root.localhost. (
                  2024012901 ; Serial
                  3600       ; Refresh
                  1800       ; Retry
                  604800     ; Expire
                  86400      ; Minimum TTL
                  )

@ IN NS localhost.
; leave the lines above alone; add your policy records starting below
bad.com            A      3.3.3.3
*.pornhub.com      CNAME  .
*.doubleclick.net  CNAME  .

5. Add logging for the rpz category

logging {
    channel rpzlog {
        file "/var/log/named/rpz.log" versions unlimited size 100m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    category rpz { rpzlog; };
};

6. Run named-checkconf and named-checkzone

ubuntu@ip-xx-31-15-237:~/bind9$ ./bin/check/named-checkconf
ubuntu@ip-xxx-31-15-237:~/bind9$ ./bin/check/named-checkzone /tmp/named/
db.rpz.local  localhost     root.hints    test.com

$ ./bin/check/named-checkzone rpz /tmp/named/db.rpz.local
zone rpz/IN: loaded serial 2024012901
OK

7. Restart named

Then verify with dig:

$ ./bin/dig/dig bad.com @localhost

; <<>> DiG 9.19.22-dev <<>> bad.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d447ef468713a8620100000065bc4caceb7236676a7818d7 (good)
;; QUESTION SECTION:
;bad.com.                       IN      A

;; ANSWER SECTION:
bad.com.                5       IN      A       3.3.3.3    // the local RPZ configuration has been applied

;; ADDITIONAL SECTION:
rpz.local.              1       IN      SOA     localhost. root.localhost. 2024012901 3600 1800 604800 86400

;; Query time: 403 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Fri Feb 02 02:00:12 UTC 2024
;; MSG SIZE  rcvd: 139
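Steps 4 to 7 above are a manual procedure. The script below is an added example, not from the original post or from the BIND project: it generates the RPZ zone file from two plain-text lists (a blocklist that becomes "name CNAME ." NXDOMAIN rules and a redirect list that becomes "name A ip" local-data rules), bumps the SOA serial, lints the result for the mistakes named-checkzone rejects (absolute owner names, unknown actions), and reloads only the RPZ zone with rndc. The list formats, the zone name rpz.local and the output path are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumptions: the two input list
# formats below, the zone name "rpz.local", and the output /etc/bind/db.rpz.local.

# Drop blank lines and ';' or '#' comment lines from an input list.
strip_comments() {
    grep -v -e '^[[:space:]]*;' -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# rpz_zone_file SERIAL BLOCKLIST REDIRECTS  -> zone file on stdout
#   BLOCKLIST: one name per line ("bad.com" or "*.doubleclick.net"); each becomes
#              "name CNAME ." so the resolver answers NXDOMAIN.
#   REDIRECTS: "name ip" per line; each becomes "name A ip" (local data).
# Owner names inside an RPZ are relative to the zone, so a trailing dot is stripped.
rpz_zone_file() {
    serial=$1; blocklist=$2; redirects=$3
    printf '$TTL 86400\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 3600 1800 604800 86400 )\n' "$serial"
    printf '@ IN NS localhost.\n'
    strip_comments "$blocklist" | while IFS= read -r name; do
        printf '%s CNAME .\n' "${name%.}"
    done
    strip_comments "$redirects" | while read -r name ip; do
        printf '%s A %s\n' "${name%.}" "$ip"
    done
}

# rpz_zone_lint FILE: cheap checks for the two mistakes named-checkzone would
# reject in this setup: absolute owner names (out-of-zone data) and policy
# actions other than "CNAME ." or "A <ipv4>". Prints the number of policy
# records and returns 0 when clean, 1 otherwise. SOA/NS lines and the
# multi-line parenthesised SOA are skipped.
rpz_zone_lint() {
    errors=0; count=0; inparen=0
    while read -r owner rtype target extra; do
        line="$owner $rtype $target $extra"
        case $line in *'('*) inparen=1 ;; esac
        if [ "$inparen" = 1 ]; then
            case $line in *')'*) inparen=0 ;; esac
            continue
        fi
        case $owner in ''|';'*|'$TTL'|'@') continue ;; esac
        count=$((count + 1))
        # Accept an optional explicit class, e.g. "bad.com IN A 3.3.3.3".
        if [ "$rtype" = IN ]; then rtype=$target; target=$extra; fi
        case $owner in *.) echo "absolute owner name in RPZ: $owner" >&2; errors=1 ;; esac
        case "$rtype $target" in
            'CNAME .') ;;
            'A '[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "unsupported policy action for $owner: $rtype $target" >&2; errors=1 ;;
        esac
    done < "$1"
    echo "$count"
    return $errors
}

# rpz_deploy SERIAL BLOCKLIST REDIRECTS [OUT]: write the zone atomically, lint it,
# run named-checkzone when the tool is installed, then reload just the RPZ zone.
rpz_deploy() {
    out=${4:-/etc/bind/db.rpz.local}
    rpz_zone_file "$1" "$2" "$3" > "$out.tmp"
    rpz_zone_lint "$out.tmp" > /dev/null || { rm -f "$out.tmp"; return 1; }
    if command -v named-checkzone > /dev/null 2>&1; then
        named-checkzone rpz.local "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    fi
    mv "$out.tmp" "$out"
    if command -v rndc > /dev/null 2>&1; then rndc reload rpz.local; fi
    return 0
}
```

A typical run is rpz_deploy "$(date +%Y%m%d)01" /etc/bind/rpz-block.txt /etc/bind/rpz-redirect.txt; using a date-based serial keeps secondaries (the allow-transfer peer from step 3) picking up each change. The lint exists because the most common editing slip in an RPZ file is writing the owner as "bad.com." with a trailing dot, which makes it absolute and therefore outside rpz.local, so the rule silently never matches.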
