BIND DNS: using RPZ for partial (split) resolution

Posted by Sunday on 2019-11-04

Goal: the internal DNS answers a subset of names; everything else is still resolved by external DNS.

www.sundayle.com, api.sundayle.com and static.sundayle.com are all resolved on dnspod.
Now only static.sundayle.com should resolve to an internal IP; the other names must still be handled by dnspod.

Option 1. On a single host, just bind the name in /etc/hosts.

Option 2. With many hosts that is not practical. Instead, use BIND RPZ (response policy zones) for partial resolution. Note that this feature is only supported from BIND 9.0 onwards.

Note that if you define an ordinary zone for the domain, the internal DNS becomes authoritative for the whole domain: a name that exists in external DNS but has no record in the internal zone can no longer be resolved. That is why RPZ is used instead.

options {
    listen-on port 53 { 192.168.1.91; };
    //listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { 192.168.1.0/24; };
    forwarders { 114.114.114.114; 119.29.29.29; 223.5.5.5; };

    recursion yes;

    allow-transfer { 192.168.1.43; 192.168.1.44; };
    also-notify { 192.168.1.43; 192.168.1.44; };
    notify yes;

    // enable RPZ (named.conf comments are //, # or /* */; a leading ';' is a syntax error here)
    response-policy { zone "rpz"; };

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    // log RPZ rewrites to their own file
    channel rpz-queries {
        file "/var/log/named/rpz.log" versions 10 size 500k;
        severity info;
    };
    category rpz {
        rpz-queries;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};
vim /etc/named.rfc1912.zones

zone "rpz" {
    type master;
    file "rpz.zone";
    allow-update { none; };
};
vim /var/named/rpz.zone

$TTL 1D
@                   IN SOA  ns1.sundayle.com. root.sundayle.com. (
                            2019110108 ; serial
                            1D         ; refresh
                            1H         ; retry
                            1W         ; expire
                            3H )       ; minimum
@                   IN NS   ns1.sundayle.com.
@                   IN A    192.168.1.91

sundayle.com        IN CNAME @
api.sundayle.com    IN A    192.168.1.41

Reload the configuration

# bump the serial in rpz.zone to 2019110109 first, or the change is not picked up
named-checkconf -z
systemctl reload named

Names that match a record in the RPZ zone are answered by the internal DNS; names that do not match are resolved by the external DNS (via the forwarders).

dig -t a api.sundayle.com +short
192.168.1.41

dig -t a www.sundayle.com +short
102.33.99.12
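As an added example (not code from the post), the small Python checker below applies the RPZ QNAME-trigger rules to a copy of the zone above, so you can predict what a list of names will get before reloading named. It assumes the SOA is written on one line and adds one constructed wildcard record (*.static.sundayle.com) that is not in the post, to show that a wildcard trigger covers names below it but not the bare name itself.

```python
# Constructed copy of the post's rpz.zone (SOA collapsed to one line so the
# simple parser below can skip it) plus one wildcard record that is NOT in the post.
RPZ_ZONE = """\
$TTL 1D
@ IN SOA ns1.sundayle.com. root.sundayle.com. ( 2019110108 1D 1H 1W 3H )
@ IN NS ns1.sundayle.com.
@ IN A 192.168.1.91
sundayle.com IN CNAME @
api.sundayle.com IN A 192.168.1.41
*.static.sundayle.com IN A 192.168.1.42  ; constructed wildcard trigger
"""
ORIGIN = "rpz."
# CNAME targets that carry a special meaning in RPZ instead of a rewrite.
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def parse_rpz(text, origin=ORIGIN):
    """Return {owner: (rtype, rdata)} for the A/AAAA/CNAME policy records."""
    records = {}
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()      # ';' starts a zone-file comment
        if len(parts) < 4 or parts[0].startswith("$"):
            continue
        owner, rtype, rdata = parts[0], parts[2].upper(), parts[3]
        if rtype not in ("A", "AAAA", "CNAME"):
            continue
        owner = origin if owner == "@" else owner.rstrip(".") + "."
        if rtype == "CNAME" and rdata == "@":
            rdata = origin
        records[owner.lower()] = (rtype, rdata)
    return records

def rpz_lookup(qname, records, origin=ORIGIN):
    """QNAME trigger: exact owner wins, then the closest enclosing wildcard."""
    name = qname.lower().rstrip(".") + "."
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for cand in candidates:
        if cand not in records:
            continue
        rtype, rdata = records[cand]
        if rtype == "CNAME" and rdata in SPECIAL:
            return (SPECIAL[rdata], None)
        if rtype == "CNAME" and rdata == origin and origin in records:
            return ("LOCAL", records[origin][1])    # CNAME @ lands on the apex A
        return ("LOCAL", rdata)
    return ("UPSTREAM", None)  # no trigger: normal recursion via the forwarders

if __name__ == "__main__":
    recs = parse_rpz(RPZ_ZONE)
    for q in ("api.sundayle.com", "www.sundayle.com", "static.sundayle.com"):
        print(q, rpz_lookup(q, recs))
```

Running it reproduces the two dig results above (api.sundayle.com rewritten to 192.168.1.41, www.sundayle.com left to the forwarders) and shows that static.sundayle.com itself is not covered by the wildcard.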

https://www.linuxhelp.com/how-to-block-a-domain-using-rpz-on-bind-dns-server-on-centos