I'm trying to block the .zip TLD with bind on my laptop (running Fedora 38).
Install bind.

Update named.conf:

```
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-query     { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    forwarders { 8.8.8.8; };

    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

    /* this makes it block everything */
    // response-policy { zone "zip"; };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "zip" IN {
    type master;
    file "zip-rpz";
    allow-update { none; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Add /var/named/zip-rpz:

```
$TTL 1D ; default expiration time (in seconds) of all RRs without their own TTL value
@   IN  SOA  ns.zip. postmaster.ns.zip. (
            2020091025  ; serial
            7200        ; refresh
            3600        ; retry
            1209600     ; expire
            3600 )      ; minimum
@   IN  NS   ns1        ; nameserver
*   IN  A    127.0.0.1  ; localhost
    IN  AAAA ::         ; localhost
```
Apply it for now:

```
sudo systemctl enable named
sudo service named restart
resolvectl dns wlp0s20f3 127.0.0.1
```
However, running `dig url.zip` only returns 127.0.0.1 for the next minute or so; after that it shows the "correct" IP (and I can reach the site in the browser again). Why does it reset?
If I remove the `forwarders` line, the result is the same.
If I set `recursion no;`, I can't resolve anything except .zip URLs (the ones pointing to 127.0.0.1).