BIND9で特定のサブネットに対してのみRPZゾーンを適用する方法
私はすでに1つのマスター(192.168.130.32)、4つのスレーブ(192.168.130.35)、および2つの特権サーバー(192.168.130.33)を持っています。 目的は、外部DNSサーバー(192.168.130.37)からRPZゾーンをインポートすることですが、この構成を次のように分けたいと考えています。 2つのACL(1つ目は192.168.1.0/24、2つ目は192.168.2.0/24)があります。1つ目のACLに対してのみRPZゾーンを有効にし、2つ目のACLはフィルタなしでインターネット上のすべてのコンテンツにアクセスできるようにしたいのです。 以下は私の基本設定(マスター)です:
acl "sleivai" { 192.168.130.33; 192.168.130.35; };
masters "notify_slaves" { 192.168.130.33; 192.168.130.35; };
options {
    directory "/var/cache/bind/";
    query-source address 192.168.130.32;
    notify-source 192.168.130.32;
    transfer-source 192.168.130.32;
    port 53;
    allow-new-zones yes;
    pid-file "named.pid";
    listen-on { 192.168.130.32; };
    listen-on-v6 { none; };
    recursion no;
    allow-transfer { "sleivai"; };
    notify explicit;
    version none;
    also-notify { "notify_slaves"; };
    response-policy { zone "filter.local"; };
};
//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    allow-transfer { "sleivai"; };
    notify explicit;
    masters { 192.168.130.37; };
    allow-query { "sleivai"; localhost; };
};
zone "catalog.forward" {
    type master;
    file "/etc/bind/zonesforward/catalog.forward.db";
    also-notify { "notify_slaves"; };
    allow-transfer { "sleivai"; };
    notify explicit;
    allow-query { "sleivai"; localhost; };
};
以下はスレーブの構成です:
acl "trusted" { localhost; 192.168.0.0/16; };
acl "blocked" { 192.168.1.0/24 };
acl "not_blocked" { 192.168.2.0/24 };
//Global BIND options.
options {
    directory "/var/cache/bind/";
    memstatistics-file "/var/cache/bind/mem.stats";
    max-cache-size 2000m;
    query-source address 192.168.130.35;
    notify-source 192.168.130.35;
    transfer-source 192.168.130.35;
    port 53;
    pid-file "named.pid";
    listen-on { 192.168.130.35; };
    listen-on-v6 { none; };
    notify no;
    allow-recursion { "trusted"; };
    allow-transfer { none;};
    allow-notify { 192.168.130.32; };
    version none;
    disable-empty-zone "10.IN-ADDR.ARPA";
    response-policy { zone "filter.local"; };
    catalog-zones {
        zone "catalog.forward." zone-directory "/var/cache/bind" in-memory no default-masters { 192.168.130.32; };
    };
};
//These are default zones for every BIND server. Root hints are commented out:
include "/etc/bind/named.conf.default-zones";
zone "filter.local" {
    type slave;
    file "/var/cache/bind/filter.local.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
//This is the forward/advertising catalog. It contains all name to IP address mapping
zone "catalog.forward" {
    type slave;
    file "/var/cache/bind/catalog.forward.db";
    masters { 192.168.130.32; };
    allow-query { 192.168.130.32; localhost; };
};
注記(レビュー): (1) `acl "blocked" { 192.168.1.0/24 };` と `acl "not_blocked" { 192.168.2.0/24 };` はアドレス要素の後ろのセミコロンが欠けています(正しくは `{ 192.168.1.0/24; };`)。このままでは named-checkconf が構文エラーを報告するはずです。 (2) スレーブ側の `zone "filter.local"` ブロックは、次の `zone "catalog.forward"` が始まる前に `};` で閉じられていません。 (3) `response-policy` は options または view 単位の設定であり、クライアントのサブネットごとに適用有無を変えるには view を使う必要があります。`match-clients { "blocked"; };` を持つ view にだけ `response-policy { zone "filter.local"; };` を置き、`match-clients { "not_blocked"; };` の view には置かない構成にします(各 view にゾーンを定義するか、`in-view` で共有します)。 (4) 192.168.130.37 からのRPZゾーン転送も、マスターからスレーブへの転送も、鍵なしのAXFRになっています。RPZの内容はクライアントの名前解決結果を書き換えるため、`masters` および `allow-transfer` にTSIG鍵を指定して転送元を認証することを推奨します。