Configuring an Authoritative DNS Server

An authoritative DNS server is the server that holds, and answers for, the registered DNS resource records of a zone. It should answer only for its own zones and not resolve arbitrary names on behalf of clients.

Disabling recursion in BIND

The following example shows the named.conf settings for the DNS server 140.114.XX.YY that turn off recursive queries, so the server cannot be abused by attackers as an open DNS resolver. `recursion no;` makes named refuse to resolve names outside the zones it serves, and `allow-query-cache { none; };` stops it from handing out whatever may still be in its cache. `allow-query { any; };` is the default and is fine for an authoritative server, since its own zone data is meant to be public.

options {
    // (other parameters omitted...)
    // Authoritative-only Name Server
    recursion no;
    allow-query-cache { none; };
    allow-query { any; };
};

After changing the configuration and restarting named, test it with dig. A query for a name in a zone this server is authoritative for returns the data (status: NOERROR, with the `aa` flag set); a query for any other name is rejected (status: REFUSED, with no answer). In both cases dig prints "recursion requested but not available", because the client set the `rd` flag but the server no longer sets `ra`. If an out-of-zone query instead comes back NOERROR with `ra` in the flags, recursion is still enabled and the server is an open resolver.

# dig @140.114.64.10 www.nthu.edu.tw a

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 www.nthu.edu.tw a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57004
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.nthu.edu.tw.               IN      A

;; ANSWER SECTION:
www.nthu.edu.tw.        86400   IN      A       140.114.69.135

;; AUTHORITY SECTION:
nthu.edu.tw.            86400   IN      NS      dns1.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.twaren.net.
nthu.edu.tw.            86400   IN      NS      dns2.nthu.edu.tw.
nthu.edu.tw.            86400   IN      NS      dns3.nthu.edu.tw.

;; ADDITIONAL SECTION:
dns1.nthu.edu.tw.       86400   IN      A       140.114.64.10
dns1.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:64::10
dns2.nthu.edu.tw.       86400   IN      A       140.114.63.10
dns2.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::10
dns3.nthu.edu.tw.       86400   IN      A       140.114.63.20
dns3.nthu.edu.tw.       86400   IN      AAAA    2001:288:e001:63::20

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:40:09 2013
;; MSG SIZE  rcvd: 267

# dig @140.114.64.10 gmail.com any

; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 gmail.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gmail.com.                     IN      ANY

;; Query time: 1 msec
;; SERVER: 140.114.64.10#53(140.114.64.10)
;; WHEN: Tue Sep 24 10:39:58 2013
;; MSG SIZE  rcvd: 27
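The two dig checks above can be scripted. The following is an added example, not part of the original page: it classifies a dig response as authoritative, refused, or open-resolver from the header and flags lines, and a `check_server` function (not invoked here, so the script runs offline) applies that to a live server. The sample headers are constructed, abridged from the dig output shown above plus an invented open-resolver case.

```shell
#!/bin/sh
# Added example, not part of the original page: classify a dig response so the
# recursion test above can be scripted. An authoritative-only server answers
# in-zone names with status NOERROR and the aa flag, refuses everything else
# (status REFUSED), and never sets the ra (recursion available) flag.

# dig_status OUTPUT: print the rcode (NOERROR, REFUSED, ...) from the header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_flag OUTPUT FLAG: succeed if FLAG (qr, aa, rd, ra, ...) is on the flags line.
dig_has_flag() {
    printf '%s\n' "$1" | grep -q "^;; flags:.*[ :]$2[ ;]"
}

# classify_response OUTPUT: open-resolver | authoritative | refused | other:<rcode>
classify_response() {
    status=$(dig_status "$1")
    if dig_has_flag "$1" ra; then
        # The server offers recursion to this client: it is an open resolver.
        echo open-resolver
    elif [ "$status" = NOERROR ] && dig_has_flag "$1" aa; then
        echo authoritative
    elif [ "$status" = REFUSED ]; then
        echo refused
    else
        echo "other:${status:-NONE}"
    fi
}

# check_server SERVER IN_ZONE_NAME OUT_OF_ZONE_NAME: live check, e.g.
#   check_server 140.114.64.10 www.nthu.edu.tw gmail.com
# Expect "authoritative" for the first name and "refused" for the second.
# Not invoked below so the script stays offline.
check_server() {
    for name in "$2" "$3"; do
        printf '%-24s %s\n' "$name" \
            "$(classify_response "$(dig @"$1" "$name" A +tries=1 +time=3)")"
    done
}

# Constructed sample headers, abridged from the dig output shown above plus an
# invented open-resolver case (flags carry ra, answer is not authoritative).
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57004
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6'

SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20592
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

for s in "$SAMPLE_AUTH" "$SAMPLE_REFUSED" "$SAMPLE_OPEN"; do
    classify_response "$s"
done
```

Run `check_server` from a host outside your own network as well as from inside it: a server that only refuses recursion to outsiders but still has `ra` set for internal clients is not yet authoritative-only.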

Authoritative-only DNS server

Master DNS server

options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Notify slaves when the zone changes
    notify yes;
    // Hide the BIND version string
    version none;
};

// Provide a reverse mapping for the loopback
// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    notify no;
};

// master server for nthu.edu.tw
zone "nthu.edu.tw" {
    type master;
    file "nthu.edu.tw.db";
    // IP addresses of the slave servers allowed to
    // transfer nthu.edu.tw; every slave that pulls
    // this zone must be listed here
    allow-transfer { 140.114.63.10; };
};

Slave DNS server

options {
    // Working directory
    directory "/etc/namedb";
    // Do not allow access to cache
    allow-query-cache { none; };
    // This is the default
    allow-query { any; };
    // Do not provide recursive service
    recursion no;
    // Hidden version
    version none;
};

// We are a slave server for nthu.edu.tw
zone "nthu.edu.tw" {
    type slave;
    file "nthu.edu.tw.bk";
    // IP address of the nthu.edu.tw master server
    masters { 140.114.64.10; };
};
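The `allow-transfer` list above is only as good as its enforcement, so it is worth checking that a zone transfer from an unlisted host is refused. The following is an added example, not part of the original page or of BIND: it classifies the output of `dig ... AXFR`, and a `check_axfr` function (not invoked here) runs the live attempt. The sample outputs are constructed; the server 192.0.2.53 and zone example.test in the leaked case are invented.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that the allow-transfer
# restriction holds by attempting a zone transfer (AXFR) from a host that is
# not listed. On success dig prints the whole zone (SOA first and last); when
# the server refuses, dig prints "; Transfer failed." instead.

# axfr_result OUTPUT: refused | leaked | other
axfr_result() {
    if printf '%s\n' "$1" | grep -q '^; Transfer failed\.'; then
        echo refused
    elif printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        # A SOA record came back: the zone contents were handed to us.
        echo leaked
    else
        echo other
    fi
}

# check_axfr SERVER ZONE: live check, e.g. check_axfr 140.114.64.10 nthu.edu.tw
# Run it from an address that is NOT in allow-transfer; expect "refused".
# Not invoked below so the script stays offline.
check_axfr() {
    axfr_result "$(dig @"$1" "$2" AXFR +tries=1 +time=5)"
}

# Constructed sample outputs modelled on dig's AXFR output; the server
# 192.0.2.53 and zone example.test are invented for the leaked case.
SAMPLE_AXFR_REFUSED='; <<>> DiG 9.6-ESV-R7-P2 <<>> @140.114.64.10 nthu.edu.tw AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'

SAMPLE_AXFR_LEAKED='; <<>> DiG 9.6-ESV-R7-P2 <<>> @192.0.2.53 example.test AXFR
; (1 server found)
;; global options: +cmd
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2013092401 7200 900 1209600 3600
example.test.      3600  IN  NS   ns1.example.test.
www.example.test.  3600  IN  A    192.0.2.10
example.test.      3600  IN  SOA  ns1.example.test. hostmaster.example.test. 2013092401 7200 900 1209600 3600
;; Query time: 2 msec'

for s in "$SAMPLE_AXFR_REFUSED" "$SAMPLE_AXFR_LEAKED"; do
    axfr_result "$s"
done
```

Run `check_axfr` against the master from the listed slave as well (expect `leaked`, which here means the transfer worked as intended) and from any other host (expect `refused`); a `leaked` result from an unlisted host means the zone contents are exposed to anyone who asks.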

References

BIND documentation