bind rpz和rrl作为bind 10里默认包含的2个模块,为bind的安全提供了有力的支撑。但实际使用不当会事得其反。
[ response-policy {
zone zone_name
[ policy (given | disabled | passthru | drop |
nxdomain | nodata | cname domain) ]
[ recursive-only yes_or_no ]
[ max-policy-ttl number ]
; [...]
} [ recursive-only yes_or_no ]
[ max-policy-ttl number ]
[ break-dnssec yes_or_no ]
[ min-ns-dots number ]
[ qname-wait-recurse yes_or_no ]
; ]
在服务器上配置如下的rpz策略
response-policy { zone "rpz.zone" policy given; }
zone "rpz.zone" { type master; file "master/rpz.zone"; };
zone "lala.com" { type forward; forwarders { 8.8.8.8; };};
rpz.zone内配置如下的内容,请求www.test.fr和*.lala.com都会阻塞很久,因为虽然我们做了策略,实际bind还是会等着取回结果再去操作。
$TTL 30
@ SOA nsa.vix.com. hostmaster.vix.com. 29 3600 1800 604800 30
NS localhost.
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.drop.domain.com CNAME rpz-drop.
google.com IN CNAME google.com.
www.test.fr IN A 193.252.1.2
*.lala.com IN A 200.237.2.1
文档上这样说明:
qname-wait-recurse: May only appear in the global section of the response-policy statement. Takes the single value of either yes (default) or no. In normal operation, policy processing is invoked only when the results of any query are available (when the query process completes - successfully or unsuccessfully). This allows the "normal" resolver cache to contain the real results but can delay query response to the end user to an unacceptable level. The value no allows policy processing to occur when the query is received without waiting for a response. This behaviour control effectively only applies to QNAME Policy Triggers since all other triggers require query results to determine their actions.
因此需要设置qname-wait-recurse no;才能使得rpz操作的时候直接生效。