
Lots of things have ACLs, but every one of them is configured differently.

So what do DNS ACLs do? The BIND official documentation, in the Security Considerations chapter (Chapter 7), says:

Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, blackhole, allow-transfer, etc.
Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.
It is a good idea to use ACLs, and to control access to your server.
Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server.

In other words, an ACL gives an address list a name, and that name can then be used in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, blackhole, allow-transfer and similar options.
That lets you control who may access the DNS server at all, and limiting access from outside parties helps against spoofing and DoS attacks.

blackhole: Specifies a list of addresses that the server will not accept queries from or use to resolve a query.
allow-query: Specifies which hosts are allowed to ask ordinary DNS questions.

The configuration is not hard.

Either pull the ACL definitions in with an include statement, or edit named.conf directly:
# vi /etc/named.conf

acl bogusnets { // define an ACL named bogusnets: address ranges that should never be a legitimate query source
   0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
   10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

acl our-nets { // define an ACL named our-nets: our own legitimate address ranges; replace x.x.x.x with your real prefixes
   x.x.x.x/24; x.x.x.x/21;
};

options {
   ...
   ...
   allow-query { our-nets; }; // hosts allowed to send ordinary queries to this server
   allow-recursion { our-nets; }; // hosts allowed to make recursive queries through this server
   ...
   blackhole { bogusnets; }; // addresses the server will not accept queries from; set in options (or a view), never inside a zone
...
};

zone "example.com" {
   type master;
   file "m/example.com";
   allow-query { any; };
};

With the example above in place:
the example.com zone has its own allow-query (any), and a zone-level allow-query replaces the one in options, so the options-level allow-query does not apply to this zone;
anyone (any) may therefore query this zone.
The blackhole list in options still refuses the ranges in bogusnets, though, so those addresses cannot query this zone either: blackhole is applied before any allow-* check and cannot be overridden per zone. A blackholed client gets no answer at all (the packet is dropped), whereas a client denied by allow-query gets REFUSED.

Two caveats before copying bogusnets verbatim: 1.0.0.0/8 and 2.0.0.0/8 have since been allocated and are in use on the public Internet, so blackholing them today cuts off real clients; and the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) must not be blackholed on a server whose own clients sit on private addresses.
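To make the override and first-match rules concrete, here is an added Python model of how BIND evaluates address match lists. It is an illustration written for this page, not BIND's own code. It assumes the ACL names from the named.conf above, substitutes the RFC 5737 documentation prefixes 198.51.100.0/24 and 203.0.113.0/24 for the x.x.x.x placeholders, and goes one step beyond the configuration above by also showing the `!` negation and element-ordering rule.

```python
"""Added illustration of how BIND evaluates address match lists.

This is not BIND's own code. It models three rules from the BIND ARM:
  * elements are tested in order and the first match decides; an element
    written with a leading '!' is a negative match;
  * a zone's allow-query replaces the options-level allow-query entirely;
  * blackhole is applied before any allow-* list, so a blackholed client
    is refused even by a zone that says allow-query { any; }.
"""
import ipaddress

# Constructed ACL table mirroring the named.conf above. The x.x.x.x
# placeholders are replaced with RFC 5737 documentation prefixes (assumption).
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],
}

# Constructed equivalents of the options { } and zone "example.com" { } blocks.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}
ZONE_EXAMPLE_COM = {"allow-query": ["any"]}


def match(elements, addr, acls=ACLS):
    """Evaluate an address match list for one client address.

    Returns True for a positive match, False when the first matching
    element was negated with '!', and None when nothing matched.
    """
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls:                      # nested / named ACL
            result = match(acls[name], addr, acls)
        else:                                 # literal address or prefix
            net = ipaddress.ip_network(name, strict=False)
            result = True if (ip.version == net.version and ip in net) else None
        if result is None:
            continue                          # no match: try the next element
        return (not result) if negate else result   # first match wins
    return None


def query_allowed(client, options, zone=None, acls=ACLS):
    """Return True if `client` may send an ordinary query for `zone`.

    `options` and `zone` are dicts of option name -> address match list,
    standing in for the corresponding named.conf blocks.
    """
    # blackhole is consulted first and cannot be overridden per zone
    if match(options.get("blackhole", []), client, acls) is True:
        return False
    # the zone's allow-query replaces the options one; BIND's default is any
    zone = zone or {}
    acl = zone.get("allow-query", options.get("allow-query", ["any"]))
    return match(acl, client, acls) is True


def ordering_demo(addr="198.51.100.250"):
    """Show why an exception must precede the prefix it is carved out of."""
    right = ["!198.51.100.250", "198.51.100.0/24"]   # exception first
    wrong = ["198.51.100.0/24", "!198.51.100.250"]   # the '!' is never reached
    return match(right, addr), match(wrong, addr)


if __name__ == "__main__":
    for client, zone in [("198.51.100.7", ZONE_EXAMPLE_COM),
                         ("8.8.8.8", ZONE_EXAMPLE_COM),
                         ("8.8.8.8", None),
                         ("10.1.2.3", ZONE_EXAMPLE_COM)]:
        label = "example.com" if zone else "zone without its own allow-query"
        verdict = "allowed" if query_allowed(client, OPTIONS, zone) else "refused"
        print(f"{client:>14} -> {label}: {verdict}")
    print("ordering (right, wrong):", ordering_demo())
```

On a real server the equivalent check is `named-checkconf /etc/named.conf` for syntax, then `dig @your-server example.com A` from a host inside our-nets, one outside it, and one on a blackholed prefix: the first two get answers (any), the third times out because the packet is dropped rather than answered with REFUSED.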



That's it. Go make these changes on your DNS server; it will be safer. Run named-checkconf on the edited file before reloading named.
