Why does Bind9 respond to RPZ rules with a delay?


Can you help me with the following problem?

I have set up Bind9 and added an RPZ with blocking rules. This is the Bind9 version:

BIND 9.18.25 (Extended Support Version) <id:6dc676c>
running on Linux x86_64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)
built by make with '--with-jemalloc=yes' '--with-tuning=large' '--disable-doh' 'CFLAGS=-O2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no 

Here is the configuration:

https://github.com/ousatov-ua/dns-filtering/tree/main/etc/bind

Here are the loaded RPZs:

https://github.com/ousatov-ua/dns-filtering/blob/main/opt/bind9/update-blocklists.sh

When I run dig for some blocked domains, Bind9 responds with a latency != 0. For example:

dig @127.0.0.1 -p 5553 sql.ru

; <<>> DiG 9.18.25 <<>> @127.0.0.1 -p 5553 sql.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4a7ce26da4158386010000006606e1bba99a7ade2a9c0f1e (good)
;; QUESTION SECTION:
;sql.ru.                                IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 495 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Fri Mar 29 17:43:55 EET 2024
;; MSG SIZE  rcvd: 148

It looks like it first resolves the name and only then checks whether it is present in the RPZ:

dig @127.0.0.1 -p 5553 mail.ru

; <<>> DiG 9.18.25 <<>> @127.0.0.1 -p 5553 mail.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cd8c137dea6fb205010000006606e1eadcfc31e955e11317 (good)
;; QUESTION SECTION:
;mail.ru.                       IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 139 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Fri Mar 29 17:44:42 EET 2024
;; MSG SIZE  rcvd: 149

In the same case, Unbound and PDNS Recursor respond with 0 latency.

Why does this happen, and how can it be fixed?

Thanks in advance!!!

P.S. It seems I need to set qname-wait-recurse and nsip-wait-recurse to "no" - will check it.

1 Answer

By default, Bind9 recurses first and only then applies the policy. To fix it, I just needed to add, next to the policy:

qname-wait-recurse false
recursive-only false
nsip-wait-recurse false

So the full policy configuration should be defined as follows:

        response-policy {
            zone "rpz.oisd-nsfw";
            zone "rpz.hagezy-anti-privacy";
            ...
        } qname-wait-recurse false
          recursive-only false
          nsip-wait-recurse false;
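A practical way to verify the effect of the change above is to look at what BIND puts in the answer. When a response-policy zone rewrites a response, BIND places the SOA record of that policy zone in the ADDITIONAL section (exactly what the two dig outputs in the question show for rpz.blocklist.olus-dns.com), whereas a genuine NXDOMAIN carries the real parent zone's SOA in the AUTHORITY section. The script below is an added example, not code from the original post or from the linked dns-filtering repository: it parses dig's text output, reports which policy zone (if any) produced the answer and how long the query took, so the latency of rewritten and untouched answers can be compared before and after setting qname-wait-recurse. The two BIND answers are quoted from the question (abridged); the third answer, for does-not-exist.example, is constructed for this example.

```python
"""Tell an RPZ-rewritten dig answer from a genuine one, and record its latency.

Added example; not code from the original post or the linked repository.
An RPZ rewrite is recognised by the policy zone's SOA in the ADDITIONAL
section; the ";; Query time:" line gives the latency to compare.
"""
import re
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, List, Optional

_HEADER_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
_QTIME_RE = re.compile(r";; Query time:\s*(\d+)\s*msec")
_QUESTION_RE = re.compile(r";(\S+)\s+IN\s+(\S+)")
_SOA_RE = re.compile(r"(\S+)\s+\d+\s+IN\s+SOA\s")


@dataclass
class DigResult:
    qname: str
    qtype: str
    status: str
    query_time_ms: int
    rpz_zone: Optional[str]  # owner of the SOA found in ADDITIONAL, if any

    @property
    def rewritten(self) -> bool:
        return self.rpz_zone is not None


def _section(text: str, name: str) -> List[str]:
    """Lines of one dig section (QUESTION, AUTHORITY, ADDITIONAL, ...) up to the blank line that ends it."""
    m = re.search(rf"^;; {name} SECTION:\n(.*?)(?:\n\n|\Z)", text, re.M | re.S)
    return m.group(1).splitlines() if m else []


def parse_dig(text: str, policy_zones: Optional[Iterable[str]] = None) -> DigResult:
    """Parse one dig text answer.

    If policy_zones is given, only an ADDITIONAL-section SOA owned by one of
    those zones counts as an RPZ rewrite; otherwise any SOA there does.
    """
    header = _HEADER_RE.search(text)
    qtime = _QTIME_RE.search(text)
    question = _section(text, "QUESTION")
    if not (header and qtime and question):
        raise ValueError("not a complete dig answer")
    qm = _QUESTION_RE.match(question[0])
    if not qm:
        raise ValueError(f"unparsable question line: {question[0]!r}")
    known = {z.rstrip(".").lower() for z in policy_zones} if policy_zones else None
    rpz_zone = None
    for line in _section(text, "ADDITIONAL"):
        sm = _SOA_RE.match(line)
        if sm:
            owner = sm.group(1).rstrip(".").lower()
            if known is None or owner in known:
                rpz_zone = owner
                break
    return DigResult(qm.group(1).rstrip("."), qm.group(2), header.group(1),
                     int(qtime.group(1)), rpz_zone)


def latency_by_outcome(results: Iterable[DigResult]) -> dict:
    """Mean query time for rewritten vs. untouched answers (None when a bucket is empty)."""
    buckets = {"rewritten": [], "not_rewritten": []}
    for r in results:
        buckets["rewritten" if r.rewritten else "not_rewritten"].append(r.query_time_ms)
    return {k: (round(mean(v), 1) if v else None) for k, v in buckets.items()}


# Two answers quoted in the question above, abridged to the lines this parser needs.
SQL_RU = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;sql.ru.                                IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 495 msec
"""

MAIL_RU = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.ru.                       IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 139 msec
"""

# Constructed for this example: a genuine NXDOMAIN, parent zone SOA in AUTHORITY, no RPZ involved.
GENUINE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;does-not-exist.example.                IN      A

;; AUTHORITY SECTION:
example.                3600    IN      SOA     ns.example. hostmaster.example. 1 7200 3600 1209600 3600

;; Query time: 12 msec
"""

if __name__ == "__main__":
    results = [parse_dig(t) for t in (SQL_RU, MAIL_RU, GENUINE_NXDOMAIN)]
    for r in results:
        print(f"{r.qname:<24} {r.status:<9} {r.query_time_ms:>4} ms  rpz={r.rpz_zone}")
    print(latency_by_outcome(results))
```

In practice, feed it the output of `dig @127.0.0.1 -p 5553 <name>` for a list of blocked and unblocked names, once with the default settings and once after adding `qname-wait-recurse false`; a rewritten answer whose query time stays in the hundreds of milliseconds means recursion is still happening before the policy is applied. Pass `policy_zones` with the zone names from your response-policy block so that an SOA placed in ADDITIONAL for some other reason is not mistaken for an RPZ hit.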