I. Lab preparation:
1. Intelligent (split-horizon) DNS is built on acl-based control underneath: a view links an already defined acl to a zone database.
2. Related concepts:
acl: merges one or more addresses into a set that can be referenced through a single name
view: a BIND server can define multiple views, and each view can define one or more zones; each view matches one group of clients
Note: once views are enabled, every zone must be defined inside a view; when a client request arrives, the views are checked top to bottom against the client list each view serves, and the first view that matches is used
3. Prepare two virtual machines. DNS server IPs: 192.168.242.248 and 172.17.250.107; DNS client IPs: 192.168.242.202 and 172.17.250.106.
[root@localhost /var/named]# cat /etc/resolv.conf    # the server's DNS points to itself; the client's DNS is not restricted
; generated by /usr/sbin/dhclient-script
search magedu.com
nameserver 172.17.250.107
[root@localhost /var/named]#
4. Lab goal: according to the network segment defined by an acl, serve the matching zone database file, simulating a real network in which clients are answered from the DNS data of their own region.
II. Lab steps:
1. Create the zone database files:
[root@Centos6 /var/named]# vim /var/named/sjj.com.zone.beijing    # zone file for beijing
$TTL 1D
@       IN SOA  dns1 mail.sjj.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      dns1                ; NS is followed by the DNS server's name; the matching A record resolves that name to the server's IP
dns1    A       172.17.250.107      ; server IP
www     CNAME   websrv1
websrv1 A       172.17.6.6          ; this IP is chosen arbitrarily

[root@Centos6 /var/named]# vim /var/named/sjj.com.zone.shanghai    # zone file for shanghai
$TTL 1D
@       IN SOA  dns1 mail.sjj.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      dns1
dns1    A       192.168.242.248
www     CNAME   websrv2
websrv2 A       192.168.12.1
2. Create the acls in /etc/named.conf
[root@Centos6 /var/named]# vim /etc/named.conf    # add the following before options
acl beijingnet { 172.17.0.0/16; };
acl shanghainet { 192.168.242.0/24; };
3. Create the views in /etc/named.conf
[root@Centos6 /var/named]# vim /etc/named.conf    # add the following in the zone section below logging{}
view beijingview {
    match-clients { beijingnet; };
    zone "sjj.com" {        # this view and the second one use two different methods; this one needs no change to /etc/named.rfc1912.zones
        type master;
        file "sjj.com.zone.beijing";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
view shanghaiview {
    match-clients { shanghainet; };
    include "/etc/named.rfc1912.zones";    # with this method the zone has to be defined in /etc/named.rfc1912.zones
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
4. Because shanghaiview in step 3 uses include "/etc/named.rfc1912.zones", the zone has to be defined in the file /etc/named.rfc1912.zones as follows:
[root@Centos6 /var/named]# vim /etc/named.rfc1912.zones
zone "sjj.com" IN {
    type master;
    file "sjj.com.zone.shanghai";
};
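To make the top-to-bottom view matching from section I concrete, here is an added Python simulation (not the page's or BIND's own code) of how named picks a view for a client under the acl and view layout of steps 2 to 4; the catch-all view, the 10.0.0.5 client and the negated entry are constructed for illustration.

```python
import ipaddress

# Constructed copy of the acl and view layout from steps 2-4 (not the page's own code).
# A match-clients entry is a CIDR, an acl name, the keyword "any"/"none",
# or any of these negated with a leading "!".
ACLS = {
    "beijingnet": ["172.17.0.0/16"],
    "shanghainet": ["192.168.242.0/24"],
}
VIEWS = [  # order matters: named checks views top to bottom and uses the first match
    ("beijingview", ["beijingnet"], {"sjj.com": "sjj.com.zone.beijing"}),
    ("shanghaiview", ["shanghainet"], {"sjj.com": "sjj.com.zone.shanghai"}),
]
# Ordering pitfall (constructed): a catch-all view placed first shadows every view below it.
SHADOWED = [("catchall", ["any"], {"sjj.com": "sjj.com.zone.beijing"})] + VIEWS


def acl_matches(entries, client, acls=ACLS):
    """First matching entry decides; a negated entry that matches means 'no match'.
    Returns True (accepted), False (explicitly rejected) or None (no entry hit)."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        negate = entry.startswith("!")
        name = entry[1:] if negate else entry
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:  # nested acl reference, evaluated recursively
            hit = acl_matches(acls[name], client, acls) is True
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def select_view(client, views=VIEWS):
    """Return (view name, zones) for the first view accepting the client, else None."""
    for name, match_clients, zones in views:
        if acl_matches(match_clients, client):
            return name, zones
    return None


def zone_file_for(client, zone, views=VIEWS):
    """Which (view, zone file) answers `zone` for `client`; None means the query is refused."""
    chosen = select_view(client, views)
    if chosen is None:
        return None
    view, zones = chosen
    return view, zones.get(zone)
```

A client outside every acl gets no view at all, which is why a host on a third network segment sees REFUSED rather than either zone file.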
5. After writing the config file and the zone database files, check them for syntax errors
[root@Centos6 /var/named]# named-checkconf    # check the config file /etc/named.conf
[root@Centos6 /var/named]# named-checkzone sjj.com /var/named/sjj.com.zone.shanghai    # check a zone file
zone sjj.com/IN: loaded serial 0
OK
[root@Centos6 /var/named]# named-checkzone sjj.com /var/named/sjj.com.zone.beijing
zone sjj.com/IN: loaded serial 0
OK
[root@Centos6 /var/named]#
[root@Centos6 /var/named]# rndc flush     # clear the cache
[root@Centos6 /var/named]# rndc reload    # reload
server reload successful
[root@Centos6 /var/named]#
6. Check whether the named service is running; if it shows stopped as below, start it.
[root@Centos6 /var/named]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped    # the service is stopped
[root@Centos6 /var/named]#
[root@Centos6 /var/named]# service named start     # start the service
Starting named:                                            [  OK  ]
[root@Centos6 /var/named]# service named status    # query the service status
version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 38
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  5359) is running...    # running
[root@Centos6 /var/named]#
Also check whether the firewall is on; you can simply run iptables -F to flush it (if it was already off, no harm done). Check whether SELinux is off with getenforce; if the result is not "Permissive", turn it off with setenforce 0 (optional, but doing so has no negative effect on this lab).
III. Lab testing:
1. From the client host, test against each of the two server IPs
[root@Centos6 /var/named]# dig www.sjj.com @192.168.242.248    # test via the server IP on the 192.168.242.0 segment

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sjj.com @192.168.242.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sjj.com.                   IN      A

;; ANSWER SECTION:
www.sjj.com.            86400   IN      CNAME   websrv2.sjj.com.
websrv2.sjj.com.        86400   IN      A       192.168.12.1

;; AUTHORITY SECTION:
sjj.com.                86400   IN      NS      dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.           86400   IN      A       192.168.242.248

;; Query time: 2 msec
;; SERVER: 192.168.242.248#53(192.168.242.248)
;; WHEN: Thu Oct 12 11:54:25 2017
;; MSG SIZE  rcvd: 102

[root@Centos6 /var/named]#
[root@Centos6 /var/named]# dig www.sjj.com @172.17.250.107    # test via the server IP on the 172.17.0.0 segment

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sjj.com @172.17.250.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sjj.com.                   IN      A

;; ANSWER SECTION:
www.sjj.com.            86400   IN      CNAME   websrv1.sjj.com.
websrv1.sjj.com.        86400   IN      A       172.17.6.6

;; AUTHORITY SECTION:
sjj.com.                86400   IN      NS      dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.           86400   IN      A       172.17.250.107

;; Query time: 3 msec
;; SERVER: 172.17.250.107#53(172.17.250.107)
;; WHEN: Thu Oct 12 11:56:24 2017
;; MSG SIZE  rcvd: 102

[root@Centos6 /var/named]#
2. You can also test from the server itself:
[root@localhost ~]# dig www.sjj.com    # first dig directly, without specifying a server

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sjj.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sjj.com.                   IN      A

;; ANSWER SECTION:
www.sjj.com.            86400   IN      CNAME   websrv1.sjj.com.
websrv1.sjj.com.        86400   IN      A       172.17.1.1    # by default the 172.17.0.0 network is used

;; AUTHORITY SECTION:
sjj.com.                86400   IN      NS      dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.           86400   IN      A       172.17.250.107

;; Query time: 2 msec
;; SERVER: 172.17.250.107#53(172.17.250.107)
;; WHEN: Fri Oct 13 12:27:50 CST 2017
;; MSG SIZE  rcvd: 113

[root@localhost ~]# dig www.sjj.com @192.168.242.248    # so test again using the IP on the 192.168.242.0 segment

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sjj.com @192.168.242.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sjj.com.                   IN      A

;; ANSWER SECTION:
www.sjj.com.            86400   IN      CNAME   websrv2.sjj.com.
websrv2.sjj.com.        86400   IN      A       192.168.1.1

;; AUTHORITY SECTION:
sjj.com.                86400   IN      NS      dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.           86400   IN      A       192.168.242.248

;; Query time: 1 msec
;; SERVER: 192.168.242.248#53(192.168.242.248)
;; WHEN: Fri Oct 13 12:28:02 CST 2017
;; MSG SIZE  rcvd: 113

[root@localhost ~]#
IV. Lab summary:
The lab is not really hard, but it still did not go very smoothly; from last night until this morning I was stuck in the testing stage.
1. I checked the files and thought there was nothing wrong, but dig simply returned no result, so I removed the bind package, reinstalled it and rewrote the config files, but it still did not work. I asked a classmate: I had originally put two dns records in each zone file, and he deleted one so only one was left; we checked the firewall and SELinux and pinged the server from the client.... After that, dig worked through the server IP on the 192.168.242.0 segment, but not on the 172.17.0.0 segment. Then I pinged the client from the server and found that ping 172.17.250.106 hung for a few seconds before going through; at that moment, running dig www.sjj.com @172.17.250.107 on the client returned a result. I repeated this several times and found that when the ping from the server to the client succeeded, the test returned a result, and when it did not, no result came back;
2. I forgot that what follows NS is the server's name, so the IP that this name resolves to in the record below it must be the server's IP (as shown below, 192.168.242.248 is the server's IP address in this lab); at first I had written a random IP, so dig could not find the server and therefore could not resolve the records on it.
        NS      dns1
dns1    A       192.168.242.248