Czy istnieje możliwość wyłączenia / wyłączenia TCP na serwerze DNS, aby odrzucał przychodzące żądania TCP?
Chciałbym, aby żądanie dotarło do serwera DNS, a następnie zostało odrzucone na serwerze DNS.
Czy istnieje prosty sposób, aby wyłączyć lub włączyć w razie potrzeby?
To jest tylko do celów testowych. Serwer DNS nie należy do domeny publicznej
mój named.conf wygląda tak
options {
# The directory statement defines the name server's working directory
directory "/var/lib/named";
# enable DNSSEC validation
#
# If BIND logs error messages about the root key being expired, you
# will need to update your keys. See https://www.isc.org/bind-keys
#
# dnssec-enable yes (default), indicates that a secure DNS service
# is being used which may be one, or more, of TSIG
# (for securing zone transfers or DDNS updates), SIG(0)
# (for securing DDNS updates) or DNSSEC.
#dnssec-enable yes;
# dnssec-validation yes (default), indicates that a resolver
# (a caching or caching-only name server) will attempt to validate
# replies from DNSSEC enabled (signed) zones. To perform this task
# the server also needs either a valid trusted-keys clause
# (containing one or more trusted-anchors or a managed-keys clause.
#dnssec-validation auto;
managed-keys-directory "/var/lib/named/dyn/";
# Write dump and statistics file to the log subdirectory. The
# pathenames are relative to the chroot jail.
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
# The forwarders record contains a list of servers to which queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.
#forwarders { 192.0.2.1; 192.0.2.2; };
# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.
#forward first;
# The listen-on record contains a list of local network interfaces to
# listen on. Optionally the port can be specified. Default is to
# listen on all interfaces found on your system. The default port is
# 53.
#listen-on port 53 { 127.0.0.1; };
# The listen-on-v6 record enables or disables listening on IPv6
# interfaces. Allowed values are 'any' and 'none' or a list of
# addresses.
listen-on-v6 { any; };
# The next three statements may be needed if a firewall stands between
# the local server and the internet.
#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;
# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.
#allow-query { 127.0.0.1; };
# If notify is set to yes (default), notify messages are sent to other
# name servers when the the zone data is changed. Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.
notify no;
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};
Odpowiedzi:
Możesz użyć zapory sieciowej, aby zapobiec dotarciu pakietu tcp do serwera dns.
Zgodnie z tym postem implementacja DNS musi obsługiwać oba protokoły, aby była zgodna z RFC. Niemniej jednak, jak powiedziałem, możesz tak skonfigurować swoją zaporę ogniową, ale twój DNS może przegapić jakieś żądanie.
źródło