현재 DNS 서버를 관리하기 위해 Bind9을 사용하고 있습니다. 네 개의 슬레이브 서버와 두 개의 권한 있는 서버에 대한 제어 노드 역할을 하는 마스터 서버가 있습니다.
외부 DNS 서버에서 이러한 서버로 RPZ(응답 정책 영역, Response Policy Zone)를 구현하는 데 관심이 있습니다.
이를 달성하기 위한 모범 사례에 대한 지침을 주시면 정말 감사하겠습니다.
업데이트:
제가 지금까지 무엇을 했는지 먼저 설명드리는 것이 좋을 것 같습니다.
마스터 서버 구성:
// The two secondary hosts: the only peers allowed to transfer zones
// from this master.
acl "sleivai" {
    192.168.130.33;
    192.168.130.35;
};

// Explicit NOTIFY targets; the same two hosts as the transfer ACL.
masters "notify_slaves" {
    192.168.130.33;
    192.168.130.35;
};
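// TSIG keys, one per peer role. hmac-md5 is deprecated; hmac-sha256 is the
// current recommendation and is already what rndc_key below uses. A key's
// name, algorithm and secret must be identical on both ends, so the matching
// key statement on each peer must be changed with it and the secret
// regenerated, e.g.: tsig-keygen -a hmac-sha256 <keyname>
// used for authoritative
key "external" {
    algorithm hmac-sha256;
    secret ""; // placeholder - paste the generated secret here
};
// Used for recursive
key "internal" {
    algorithm hmac-sha256;
    secret ""; // placeholder
};
// used for RPZ
key "shared" {
    algorithm hmac-sha256;
    secret ""; // placeholder
};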
// Requests sent to each peer are signed with the key assigned to it.
server 192.168.130.33 { keys external; };
server 192.168.130.35 { keys internal; };
server 192.168.130.37 { keys shared; };
logging {
    // Dedicated RPZ log at debug level 1. Rotated files are never pruned
    // (versions unlimited), so disk usage grows until someone cleans up.
    channel rpz_log {
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        severity debug 1;
        //severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // RPZ events go to the dedicated channel and to the default debug channel.
    category rpz { rpz_log; default_debug; };
};
options {
    directory "/var/cache/bind/";
    pid-file "named.pid";
    version none;

    // All sockets bound to the master's own address; no IPv6.
    listen-on { 192.168.130.32; };
    listen-on-v6 { none; };
    port 53;
    query-source address 192.168.130.32;
    notify-source 192.168.130.32;
    transfer-source 192.168.130.32;

    // Authoritative only: this host does not resolve for clients.
    recursion no;

    // Zone distribution: only the secondaries may transfer, and NOTIFY
    // is sent only to the hosts listed in "notify_slaves".
    allow-transfer { "sleivai"; };
    notify explicit;
    also-notify { "notify_slaves"; };

    // Permits zones to be added at runtime (rndc addzone).
    allow-new-zones yes;

    // NOTE(review): RPZ rewriting acts on the recursive answer path; with
    // recursion no it likely has no effect on what this server answers.
    // Confirm it is intended here rather than only on the recursive peers.
    response-policy { zone "filter.local"; };
};
// rndc control channel: loopback only, every caller must present rndc_key.
key rndc_key { secret ""; algorithm hmac-sha256; };
//Allow local controls
controls {
    inet 127.0.0.1 allow { any; } keys { rndc_key; };
};
//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";
// RPZ zone pulled from the external RPZ host (requests to it are signed
// with "shared" via the server statement above) and handed on to the
// secondaries; zone-level notify explicit falls back to the options
// also-notify list.
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    masters { 192.168.130.37; };
    allow-transfer { "sleivai"; };
    allow-query { "sleivai"; localhost; };
    notify explicit;
};
// Catalog zone enumerating the forward zones; the secondaries consume it
// through their catalog-zones option.
zone "catalog.forward" {
    type master;
    file "/etc/bind/zonesforward/catalog.forward.db";
    notify explicit;
    also-notify { "notify_slaves"; };
    allow-transfer { "sleivai"; };
    allow-query { "sleivai"; localhost; };
};
슬레이브1(재귀 서버)
// Clients permitted to recurse through this resolver.
acl "trusted" {
    localhost;
    192.168.0.0/16;
};
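//This key is to be used for caching/recursive servers
// hmac-md5 is deprecated; hmac-sha256 is the current recommendation. The
// "internal" key on the master must carry the same algorithm and secret,
// so change both together and regenerate the secret:
//   tsig-keygen -a hmac-sha256 internal
key "internal" {
    algorithm hmac-sha256;
    secret ""; // placeholder - paste the generated secret here
};
//Apply the appropriate key config
server 192.168.130.32 { keys internal; };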
//Global BIND options for the recursive secondary.
options {
    directory "/var/cache/bind/";
    pid-file "named.pid";
    memstatistics-file "/var/cache/bind/mem.stats";
    version none;

    listen-on { 192.168.130.35; };
    listen-on-v6 { none; };
    port 53;
    query-source address 192.168.130.35;
    notify-source 192.168.130.35;
    transfer-source 192.168.130.35;

    // Caching resolver for the "trusted" ACL only, cache capped at 2000m.
    allow-recursion { "trusted"; };
    max-cache-size 2000m;

    // Never hands out zones or sends NOTIFY; only the master may trigger
    // a refresh.
    allow-transfer { none; };
    notify no;
    allow-notify { 192.168.130.32; };

    // Do not synthesize the built-in empty zone for 10.IN-ADDR.ARPA.
    disable-empty-zone "10.IN-ADDR.ARPA";

    // Rewrite recursive answers according to the replicated filter.local zone.
    response-policy { zone "filter.local"; };

    // Member zones of catalog.forward are provisioned automatically as
    // slaves of the master.
    catalog-zones {
        zone "catalog.forward."
            zone-directory "/var/cache/bind"
            in-memory no
            default-masters { 192.168.130.32; };
    };
};
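//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";

// RPZ zone replicated from the master; referenced by response-policy in
// options. Only the master and localhost may query it directly.
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
}; // FIX: this closing brace was missing, so the following zone statement
   // was parsed inside this one - a syntax error named-checkconf reports.

//This is the forward/advertising catalog. It contains all name to IP address mapping
zone "catalog.forward" {
    type slave;
    file "/var/cache/bind/catalog.forward.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
};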
logging {
    // Same RPZ channel layout as on the master: debug level 1, 1000m files,
    // unlimited retained versions (nothing is ever deleted automatically).
    channel rpz_log {
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        print-category yes;
        print-severity yes;
        print-time yes;
        //severity info;
        severity debug 1;
    };
    category rpz { rpz_log; default_debug; };
};
다음은 "외부" RPZ DNS 서버 구성입니다.
// The internal master is the only peer of this host: it may transfer
// filter.local, receives NOTIFY, and all requests to it are signed with "shared".
acl "master-ip" { 192.168.130.32; };
masters "notify_master" { 192.168.130.32; };
server 192.168.130.32 { keys shared; };
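// TSIG key shared with the internal master for filter.local transfers and
// NOTIFY. hmac-md5 is deprecated; hmac-sha256 is the current recommendation.
// The master's "shared" key must use the same algorithm and secret:
//   tsig-keygen -a hmac-sha256 shared
key "shared" {
    algorithm hmac-sha256;
    secret ""; // placeholder - paste the generated secret here
};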
//NS update key config
key rndc_key { secret ""; algorithm hmac-sha256; };
//Allow local controls: rndc over loopback only, authenticated with rndc_key.
controls {
    inet 127.0.0.1 allow { any; } keys { rndc_key; };
};
options {
    directory "/var/cache/bind/";
    pid-file "named.pid";
    version none;

    listen-on { 192.168.130.37; };
    listen-on-v6 { none; };
    port 53;
    query-source address 192.168.130.37;
    notify-source 192.168.130.37;
    transfer-source 192.168.130.37;

    // NOTE(review): recursion is not needed to serve filter.local to the
    // master. If this host is reachable from outside, consider recursion no,
    // or at least an explicit allow-recursion ACL, so third parties cannot
    // use it as a resolver.
    recursion yes;

    // Only the internal master may transfer zones and only it is notified;
    // incremental transfers are derived from zone-file differences.
    allow-transfer { "master-ip"; };
    notify explicit;
    also-notify { "notify_master"; };
    ixfr-from-differences yes;

    // Permits zones to be added at runtime (rndc addzone).
    allow-new-zones yes;
};
include "/etc/bind/named.conf.default-zones";

// Primary copy of the RPZ zone. Dynamic update is refused; transfers and
// queries are limited to the master's address.
// NOTE(review): the master signs its requests with "shared", so
// allow-transfer { key shared; }; would tie transfers to the key rather
// than to the source IP alone.
zone "filter.local" {
    type master;
    file "/etc/bind/zonesblockedRPZ/filter.local";
    allow-update { none; };
    allow-transfer { "master-ip"; };
    allow-query { "master-ip"; localhost; };
    notify explicit;
};
이 기능을 구현하는 좋은 방법입니까? 아니면 다른/더 좋은 방법이 있나요?