1분 이상 TLD에 대해 BIND(DNS)를 신뢰할 수 있게 만드는 방법

.zip내 노트북(Fedora 38 실행)에서 TLD를 차단하기 위해 바인딩을 사용해 보았습니다 .

1. 바인딩 설치

2. 업데이트 중 named.conf:

   options {
       listen-on port 53 { 127.0.0.1; };
       listen-on-v6 port 53 { ::1; };
       directory   "/var/named";
       dump-file   "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       secroots-file   "/var/named/data/named.secroots";
       recursing-file  "/var/named/data/named.recursing";
       allow-query     { localhost; };
   
       /* 
       - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
       - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
       - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
       */
       recursion yes;
   
       forwarders { 8.8.8.8; };
   
       dnssec-validation yes;
   
       managed-keys-directory "/var/named/dynamic";
       geoip-directory "/usr/share/GeoIP";
   
       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
   
       /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
       include "/etc/crypto-policies/back-ends/bind.config";
   
       /* this makes it block everything */
       // response-policy { zone "zip"; };
   };
   
   logging {
           channel default_debug {
                   file "data/named.run";
                   severity dynamic;
           };
   };
   
   zone "zip" IN {
       type master;
       file "zip-rpz";
       allow-update { none; };
   };
   
   zone "." IN {
       type hint;
       file "named.ca";
   };
   
   include "/etc/named.rfc1912.zones";
   include "/etc/named.root.key";
   

3. 다음에 추가 /var/named/zip-rpz:

   $TTL 1D                ; default expiration time (in seconds) of all RRs without their own TTL value
   @       IN  SOA   ns.zip. postmaster.ns.zip. ( 2020091025 7200 3600 1209600 3600 )
   @       IN      NS      ns1                    ; nameserver
   *       IN      A       127.0.0.1              ; localhost
           IN      AAAA    ::                     ; localhost
   

4. 임시 신청

   sudo systemctl enable named
   sudo service named restart
   resolvectl dns wlp0s20f3 127.0.0.1
   

그러나 실행은 dig url.zip다음 1분 정도 동안만 127.0.0.1을 반환합니다. 그 후에는 "올바른" IP가 표시됩니다(브라우저에서 사이트에 다시 액세스할 수 있습니다). 왜 재설정되나요?

해당 줄을 제거해도 forwarders결과는 동일합니다.

설정하면 recursion no;아무것도 고칠 수 없어다른.zip URL보다(127.0.0.1을 가리킴)