我正在运行一个权威服务器,对BIND 9.11.3上不在我网络中的主机禁用递归.当从网络外部的主机查询不在服务器权限范围内的域时,我在权限部分中没有得到答案和根服务器列表.我理解为什么会发生这种情况,我想知道是否可以完全禁用权限部分.是否存在类似于最小响应的选项,在递归不可用时不会返回任何权限数据?
挖掘示例:
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @NS google.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,status: NOERROR,id: 6847 ;; flags: qr rd; QUERY: 1,ANSWER: 0,AUTHORITY: 13,ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0,flags:; udp: 4096 ; COOKIE: 5ed7760df1d65f05baba487c5b75a318b3065456b81ca133 (good) ;; QUESTION SECTION: ;google.com. IN A ;; AUTHORITY SECTION: . 518400 IN NS D.ROOT-SERVERS.NET. . 518400 IN NS F.ROOT-SERVERS.NET. . 518400 IN NS B.ROOT-SERVERS.NET. . 518400 IN NS L.ROOT-SERVERS.NET. . 518400 IN NS I.ROOT-SERVERS.NET. . 518400 IN NS A.ROOT-SERVERS.NET. . 518400 IN NS E.ROOT-SERVERS.NET. . 518400 IN NS C.ROOT-SERVERS.NET. . 518400 IN NS M.ROOT-SERVERS.NET. . 518400 IN NS H.ROOT-SERVERS.NET. . 518400 IN NS K.ROOT-SERVERS.NET. . 518400 IN NS G.ROOT-SERVERS.NET. . 518400 IN NS J.ROOT-SERVERS.NET. ;; Query time: 36 msec
我的选项看起来像这样:
options { listen-on { any; }; directory "/var/cache/bind"; allow-recursion { acls; }; rate-limit { responses-per-second 10; exempt-clients { acls; }; window 5; }; allow-query-cache { any; }; allow-query { any; }; allow-update { none; }; dnssec-enable no; dnssec-validation no; minimal-responses yes; forwarders { 208.67.222.222; 208.67.220.220; }; };