
Bind9でRPZを受け入れるベストプラクティス

現在、DNSサーバーの管理にBind9を使用しています。4つのスレーブサーバーと2つの権威サーバーを制御するノードとして機能するマスターサーバーがあります。

外部DNSサーバーから配布されるリモートのレスポンスポリシーゾーン(RPZ)を、これらのサーバーに導入したいと考えています。

これを実現するためのベストプラクティスについて、ご助言いただければ幸いです。

追記:

私がこれまでに何をしたかをお見せしたほうがよいでしょう。

マスターサーバーの構成:

// Slave servers allowed to pull zones from this master; referenced by the
// allow-transfer and allow-query lists below.
acl "sleivai" {
        192.168.130.33;
        192.168.130.35;
};

// Named address list for also-notify, so the same slave set can be reused
// in several zone statements.
masters "notify_slaves" {
        192.168.130.33;
        192.168.130.35;
};
// used for authoritative 
// TSIG key for the authoritative slave (see server 192.168.130.33 below).
// NOTE(review): hmac-md5 is deprecated for TSIG; prefer hmac-sha256, which
// rndc_key in this file already uses. Both peers must be changed together.
// The empty secret is presumably redacted for posting; do not deploy it as-is.
key "external" {
        algorithm hmac-md5;
        secret "";
};
// Used for recursive 
// TSIG key for the recursive slave (see server 192.168.130.35 below); the
// slave-side config defines the same key name.
// NOTE(review): hmac-md5 is deprecated for TSIG; prefer hmac-sha256 on both
// peers at the same time. Empty secret presumably redacted for posting.
key "internal" {
        algorithm hmac-md5;
        secret "";

};
// used for RPZ
// TSIG key shared with the external RPZ server (192.168.130.37), which
// defines the same key name on its side.
// NOTE(review): hmac-md5 is deprecated for TSIG; prefer hmac-sha256 on both
// peers at the same time. Empty secret presumably redacted for posting.
key "shared" {
        algorithm hmac-md5;
        secret "";
};

// Requests this master sends to 192.168.130.33 (notify, transfer) are signed
// with "external". Inbound requests are authorised by the ACLs, not by this.
server 192.168.130.33 {
        keys external;
};

// Requests this master sends to 192.168.130.35 are signed with "internal".
server 192.168.130.35 {
        keys internal;
};

// Requests this master sends to the external RPZ server (zone transfer
// requests for filter.local) are signed with "shared".
server 192.168.130.37 {
        keys shared;
};


logging {
// Dedicated channel for the rpz category; the category is also copied to
// default_debug.
channel rpz_log {
        // NOTE(review): "versions unlimited" with a 1000m size means rotated
        // files are never pruned — bound the version count or use logrotate.
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        print-time yes;
        print-category yes;
        print-severity yes;
        //severity info;
        // debug 1 is more verbose than the commented-out info level; policy
        // rewrites are reported at info in the rpz category — confirm before
        // leaving debug enabled in production.
        severity debug 1;

};

category rpz { rpz_log; default_debug; };
};
// Global options for the master (192.168.130.32): authoritative-only,
// transfers and notifies restricted to the "sleivai" slaves.
options {
        directory "/var/cache/bind/";
        query-source address 192.168.130.32;
        notify-source 192.168.130.32;
        transfer-source 192.168.130.32;
        port 53;
        // Required for rndc addzone / catalog-zone driven additions.
        allow-new-zones yes;
        pid-file "named.pid";
        listen-on { 192.168.130.32; };
        listen-on-v6 { none; };
        recursion no;
        // NOTE(review): transfers are admitted by source address only. Since
        // the slaves sign their requests with the per-server TSIG keys, an
        // allow-transfer of the form { key external; key internal; } would
        // tie transfer authorisation to the keys rather than to addresses —
        // confirm 192.168.130.33 signs with "external" before switching.
        allow-transfer { "sleivai"; };
        // Notify only the hosts listed in also-notify, not the zone's NS set.
        notify explicit;
        version none;
        also-notify { "notify_slaves"; };
        // NOTE(review): RPZ rewrites are applied to recursive answers; with
        // recursion disabled on this host the policy is likely never applied
        // here — filter.local is only relayed to the slaves. Confirm whether
        // this line is needed on the master at all.
        response-policy { zone "filter.local"; };
};

// rndc control-channel key (hmac-sha256; secret presumably redacted for posting).
key rndc_key { secret ""; algorithm hmac-sha256; };

//Allow local controls
// Bound to loopback only; "allow { any; }" therefore admits any local process
// that also holds rndc_key. Replace "any" with "localhost" to make that explicit.
controls { inet 127.0.0.1  allow { any; } keys { rndc_key; }; };

//These are default zones for every BIND server. Root hints are commented out:
// (localhost, 127.in-addr.arpa etc.; file contents not shown on this page.)
include "/etc/bind/named.conf.default-zones";


// RPZ policy zone: pulled from the external policy server (192.168.130.37)
// and re-served to the slaves, so the slaves never talk to the RPZ source.
zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        // NOTE(review): address-only authorisation; see the note on
        // allow-transfer in options about using the TSIG keys instead.
        allow-transfer { "sleivai"; };
        notify explicit;
        // Transfer requests to this master are signed with "shared" via the
        // matching server statement.
        masters { 192.168.130.37; };
        // Keeps the policy data from being read by ordinary clients.
        allow-query { "sleivai"; localhost; };

};

// Catalog zone listing the forward zones; the slaves consume it through the
// catalog-zones statement in their options and add member zones automatically.
zone "catalog.forward" {
        type master;
        file "/etc/bind/zonesforward/catalog.forward.db";
        also-notify { "notify_slaves"; };
        allow-transfer { "sleivai"; };
        notify explicit;
        allow-query { "sleivai"; localhost; };
};

スレーブ1(再帰サーバー)

// Clients allowed to use this server as a resolver (allow-recursion below).
// NOTE(review): 192.168.0.0/16 is the whole private /16 — confirm it is not
// wider than the client network actually is.
acl "trusted" {
        localhost;
        192.168.0.0/16;
};

// TSIG key used by caching/recursive servers; must match the "internal" key
// defined on the master.
// NOTE(review): hmac-md5 is deprecated for TSIG; move both peers to
// hmac-sha256 together. Empty secret presumably redacted for posting.
key "internal" {
        algorithm hmac-md5;
        secret "";
};

// Sign every request sent to the master (transfer requests) with "internal".
server 192.168.130.32 {
        keys internal;
};



//Global BIND options.
// Recursive slave (192.168.130.35): resolver for the "trusted" ACL, slave for
// the RPZ and catalog zones, no outbound transfers.
options {
        directory "/var/cache/bind/";
        memstatistics-file "/var/cache/bind/mem.stats";
        max-cache-size 2000m;
        query-source address 192.168.130.35;
        notify-source 192.168.130.35;
        transfer-source 192.168.130.35;
        port 53;
        pid-file "named.pid";
        listen-on { 192.168.130.35; };
        listen-on-v6 { none; };
        notify no;
        // Only "trusted" clients may recurse; there is no global allow-query,
        // so authoritative answers for slave zones fall back to the per-zone
        // allow-query lists below.
        allow-recursion { "trusted"; };
        // No host may pull zones from this server.
        allow-transfer { none;};
        // Accept NOTIFY only from the master.
        allow-notify { 192.168.130.32; };
        version none;
        disable-empty-zone "10.IN-ADDR.ARPA";
        // RPZ is applied here because this server answers recursive queries.
        response-policy { zone "filter.local"; };
        // Member zones listed in catalog.forward are added as slaves of the
        // master automatically.
        catalog-zones {
                zone "catalog.forward."
                      zone-directory "/var/cache/bind"
                      in-memory no
                      default-masters { 192.168.130.32; };
        };
};

//These are default zones for every BIND server. Root hints are commented out:
// (file contents not shown on this page.)
include "/etc/bind/named.conf.default-zones";

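// RPZ policy zone pulled from the master and applied locally via the
// response-policy statement in options.
zone "filter.local" {
        type slave;
        file "/var/cache/bind/filter.local.db";
        masters { 192.168.130.32; };
        // Keeps the policy data from being read by ordinary clients; the
        // policy itself is applied regardless of allow-query.
        allow-query { 192.168.130.32; localhost; };
// Closing brace was missing in the posted config: without it the following
// zone statement is parsed inside this one and the configuration does not load.
};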

//This is the forward/advertising catalog. It contains all name to IP address mapping
// Slave copy of the catalog zone; the catalog-zones statement in options
// turns its member entries into slave zones of 192.168.130.32.
zone "catalog.forward" {
        type slave;
        file "/var/cache/bind/catalog.forward.db";
        masters { 192.168.130.32; };
        allow-query { 192.168.130.32; localhost; };
};


logging {
// Dedicated channel for the rpz category (policy hits on this resolver);
// the category is also copied to default_debug.
channel rpz_log {
        // NOTE(review): "versions unlimited" with a 1000m size means rotated
        // files are never pruned — bound the version count or use logrotate.
        file "/var/log/named/rpz_log" versions unlimited size 1000m;
        print-time yes;
        print-category yes;
        print-severity yes;
        //severity info;
        // debug 1 is more verbose than the commented-out info level; policy
        // rewrites are reported at info in the rpz category — confirm before
        // leaving debug enabled in production.
        severity debug 1;

};

category rpz { rpz_log; default_debug; };
};

以下は、「外部」RPZ DNSサーバー構成です。

// The one host allowed to pull filter.local from this policy server.
acl "master-ip" {
        192.168.130.32;
};


// Target of also-notify: the master is told when filter.local changes.
masters "notify_master" {
        192.168.130.32;
};

// Requests sent to the master (NOTIFY for filter.local) are signed with "shared".
server 192.168.130.32 {
        keys shared;
};



// TSIG key shared with the master; the master signs its transfer requests to
// this host with it.
// NOTE(review): hmac-md5 is deprecated for TSIG; move both peers to
// hmac-sha256 together. Empty secret presumably redacted for posting.
key "shared" {
        algorithm hmac-md5;
        secret "";
};

//NS update key config
// (rndc control-channel key, referenced by the controls statement below; it
// is not used for dynamic updates — allow-update is none on the zone.)
key rndc_key { secret ""; algorithm hmac-sha256; };


//Allow local controls
// Bound to loopback only; "allow { any; }" therefore admits any local process
// that also holds rndc_key. Replace "any" with "localhost" to make that explicit.
controls { inet 127.0.0.1  allow { any; } keys { rndc_key; }; };


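// Global options for the external RPZ policy server (192.168.130.37). Its only
// job on this page is to be master for filter.local and hand it to 192.168.130.32.
options {
        directory "/var/cache/bind/";
        query-source address 192.168.130.37;
        notify-source 192.168.130.37;
        transfer-source 192.168.130.37;
        port 53;
        allow-new-zones yes;
        pid-file "named.pid";
        listen-on { 192.168.130.37; };
        listen-on-v6 { none; };
        // Was "recursion yes" with no allow-recursion: every host that can reach
        // 192.168.130.37 could use it as an open recursive resolver. A policy
        // distribution server does not need to recurse; if it must, re-enable
        // recursion together with an allow-recursion list.
        recursion no;
        // Only the master may pull zones (the zone statement repeats this).
        allow-transfer { "master-ip"; };
        notify explicit;
        version none;
        also-notify { "notify_master"; };
        // Let the master pull incremental transfers even though the zone file
        // is maintained by hand.
        ixfr-from-differences yes;

};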


// Default zones (localhost etc.); file contents not shown on this page.
include "/etc/bind/named.conf.default-zones";

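// Source of the RPZ policy zone. The master (192.168.130.32) pulls it from
// here and relays it to the slaves.
zone "filter.local" {
        type master;
        file "/etc/bind/zonesblockedRPZ/filter.local";
        // Require the TSIG key rather than just the source address: the master
        // already signs its transfer requests with "shared" (see its server
        // statement), so an unsigned request from that address is now refused.
        allow-transfer { key shared; };
        allow-query { "master-ip"; localhost; };
        // Zone content is edited on disk, never via dynamic update.
        allow-update { none; };
        notify explicit;
};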

これはこの機能を実装する良い方法でしょうか? それとも、他のより良い方法があるでしょうか?
