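This article is based on Red Hat Enterprise Linux 9.4 and uses the bind and bind-utils packages. It briefly describes how to run your own recursive resolver on a home network to get around the request rate limits imposed by public DNS services such as Alibaba DNS: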

1. Install the packages:

sudo dnf -y install bind bind-utils 

2. Modify the recursive server's configuration so that it accepts recursive queries from the network.

Open the configuration file:

vim /etc/named.conf

Only a few simple changes to the default configuration are needed here. Press i to enter insert mode:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        allow-recursion { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

Press ESC and type :wq to save and exit.

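Here, listen-on port 53 { any; }; and listen-on-v6 port 53 { any; }; make the server listen on all IPv4 and IPv6 addresses; because NAT is ubiquitous in home networks, no restriction is needed here. allow-query { any; }; allows all addresses to send queries to this recursive server. allow-recursion { any; }; allows all addresses to send recursive queries to this server.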

Leave the rest of the configuration unchanged.

3. Check the configuration file for errors:

named-checkconf /etc/named.conf

4. Start the resolver service and enable it at boot:

systemctl enable --now named

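Afterword: Do not deploy a recursive resolver on any server in mainland China; doing so can get the server warned, make it part of DNS amplification attacks, or lead to even more serious consequences. This tutorial applies only to deploying a recursive resolver inside home and corporate internal networks.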
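
The closing note and the comment inside named.conf both tie the amplification risk to recursion being offered to every client. The script below is an added example, not part of the original tutorial: it reports whether a named.conf offers recursion to any address, including the case where allow-recursion is unset and BIND falls back to allow-query. The function names and the two sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes each statement is on one
# line, as in the configuration above; /* ... */ comment bodies are not parsed.

strip_comments() { sed -e 's://.*$::' -e 's:#.*$::' "$1"; }

# Print the address-match list of one statement, e.g. "localhost;localnets;".
acl_of() {  # $1 = statement name, $2 = config file
    strip_comments "$2" | awk -v key="$1" '$1 == key {
        sub(/^[^{]*[{]/, ""); sub(/[}].*$/, ""); gsub(/[ \t]/, ""); print; exit }'
}

# BIND 9 fallback order when allow-recursion is unset:
# allow-query-cache, then allow-query, then the built-in { localnets; localhost; }.
effective_recursion_acl() {  # $1 = config file
    local key acl
    for key in allow-recursion allow-query-cache allow-query; do
        acl=$(acl_of "$key" "$1")
        if [ -n "$acl" ]; then printf '%s\n' "$acl"; return 0; fi
    done
    printf '%s\n' 'localnets;localhost;'
}

# Exit status 0 when recursion is enabled and offered to every client.
is_open_resolver() {  # $1 = config file
    if strip_comments "$1" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        return 1
    fi
    case ";$(effective_recursion_acl "$1")" in
        *';any;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the open settings from step 2, and a restricted variant.
samples=$(mktemp -d)
printf '%s\n' 'options {' '    allow-query     { any; };' \
    '    allow-recursion { any; };' '    recursion yes;' '};' > "$samples/open.conf"
printf '%s\n' 'options {' '    allow-query     { localhost; localnets; };' \
    '    allow-recursion { localhost; localnets; };' '    recursion yes;' '};' > "$samples/lan.conf"

for conf in "$samples/open.conf" "$samples/lan.conf"; do
    if is_open_resolver "$conf"; then echo "${conf##*/}: recursion open to any client"
    else echo "${conf##*/}: recursion restricted"; fi
done
```

In the restricted sample, localhost and localnets are BIND's built-in ACLs for the server itself and the networks directly attached to it.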