Implementing BIND subdomain delegation:
Add the following entry to the parent domain's zone file:
    delegated subzone name    subzone's name server    IP address of the subzone's name server
1. In the parent domain's zone file /var/named/mageedu.com.zone, add the subzone name, the subzone's name server, and the IP address of that name server
    # vim /var/named/mageedu.com.zone
    $TTL 86400
    ; MNAME and RNAME are absolute names and must end with a trailing dot;
    ; an RNAME written as admin.mageedu.com gets the origin appended
    ; (admin.mageedu.com.mageedu.com.), which is what the SOA in the step 3 dig output shows
    @        IN SOA  dns.mageedu.com. admin.mageedu.com. (
                     2014031901
                     1D
                     12H
                     1D
                     12H )
             IN NS   dns
             IN NS   ns
             IN MX 20 mail
    dns      IN A    172.16.19.100
    ns       IN A    172.16.19.1
    mail     IN A    172.16.19.2
    www      IN A    172.16.19.3
    pop      IN CNAME mail
    ftp      IN CNAME www
    ; delegation: an NS record for the subzone plus a glue A record for its name server
    zhou     IN NS   dns.zhou
    dns.zhou IN A    172.16.251.100
2. Reload the service
    # rndc reload
    server reload successful
3. Test with dig (this query asks for zhou.dns.mageedu.com, a name that does not exist, hence the NXDOMAIN; the delegated name is zhou.mageedu.com, which is queried correctly in step 10)
    # dig -t NS zhou.dns.mageedu.com

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t NS zhou.dns.mageedu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12799
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;zhou.dns.mageedu.com.          IN      NS

    ;; AUTHORITY SECTION:
    mageedu.com.            43200   IN      SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200

    ;; Query time: 1 msec
    ;; SERVER: 172.16.19.100#53(172.16.19.100)
    ;; WHEN: Sun Mar 16 17:21:35 2014
    ;; MSG SIZE  rcvd: 96
4. On the subdomain's server, install bind the same way as the first installation, and add the forward and reverse zones to /etc/named.rfc1912.zones
    zone "zhou.mageedu.com" IN {
            type master;
            file "zhou.mageedu.com.zone";
    };
    zone "251.16.172.in-addr.arpa" IN {
            type master;
            file "172.16.251.zone";
    };
5. Provide the zone data file for the zone zhou.mageedu.com
    # vim /var/named/zhou.mageedu.com.zone
    $TTL 86400
    @        IN SOA  dns.zhou.mageedu.com. admin.zhou.mageedu.com. (
                     2014031901
                     1D
                     10M
                     3D
                     12H )
             IN NS   dns
             IN MX 20 mail
    dns      IN A    172.16.251.100
    www      IN A    172.16.251.101
    mail     IN A    172.16.251.102
    pop      IN CNAME mail
    ftp      IN CNAME www
6. Set the owner, group, and permissions of the forward zone data file
    # chown root:named /var/named/zhou.mageedu.com.zone
    # chmod 640 /var/named/zhou.mageedu.com.zone
    # ls -l /var/named/zhou.mageedu.com.zone
    -rw-r----- 1 root named 246 Mar 17 23:13 /var/named/zhou.mageedu.com.zone
7. Provide the zone data file for the zone 251.16.172.in-addr.arpa
    # vim /var/named/172.16.251.zone
    $TTL 86400
    @        IN SOA  dns.zhou.mageedu.com. admin.zhou.mageedu.com. (
                     2014031902
                     1D
                     12H
                     1D
                     12H )
             IN NS   dns.zhou.mageedu.com.
    ; PTR targets are the names that carry the matching A records in zhou.mageedu.com.zone
    ; (mail and www live in the subzone, not in mageedu.com)
    100      IN PTR  dns.zhou.mageedu.com.
    102      IN PTR  mail.zhou.mageedu.com.
    101      IN PTR  www.zhou.mageedu.com.
8. Set the owner, group, and permissions of the reverse zone data file
    # chown root:named /var/named/172.16.251.zone
    # chmod 640 /var/named/172.16.251.zone
    # ls -l /var/named/172.16.251.zone
    -rw-r----- 1 root named 230 Mar 17 23:44 /var/named/172.16.251.zone
9. Check the files for syntax errors
    # service named configtest
    zone localhost.localdomain/IN: loaded serial 0
    zone localhost/IN: loaded serial 0
    zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
    zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    zone 0.in-addr.arpa/IN: loaded serial 0
    zone zhou.mageedu.com/IN: loaded serial 2014031901
    zone 251.16.172.in-addr.arpa/IN: loaded serial 2014031902
10. Test with dig
    # dig -t NS zhou.mageedu.com @172.16.251.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t NS zhou.mageedu.com @172.16.251.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1352
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;zhou.mageedu.com.              IN      NS

    ;; ANSWER SECTION:
    zhou.mageedu.com.       86400   IN      NS      dns.zhou.mageedu.com.

    ;; ADDITIONAL SECTION:
    dns.zhou.mageedu.com.   86400   IN      A       172.16.251.100

    ;; Query time: 1 msec
    ;; SERVER: 172.16.251.100#53(172.16.251.100)
    ;; WHEN: Mon Mar 17 23:53:21 2014
    ;; MSG SIZE  rcvd: 68
11. The subdomain resolves on the local host
    # dig -t A www.zhou.mageedu.com @172.16.251.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.zhou.mageedu.com @172.16.251.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30650
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.zhou.mageedu.com.          IN      A

    ;; ANSWER SECTION:
    www.zhou.mageedu.com.   86400   IN      A       172.16.251.101

    ;; AUTHORITY SECTION:
    zhou.mageedu.com.       86400   IN      NS      dns.zhou.mageedu.com.

    ;; ADDITIONAL SECTION:
    dns.zhou.mageedu.com.   86400   IN      A       172.16.251.100

    ;; Query time: 5 msec
    ;; SERVER: 172.16.251.100#53(172.16.251.100)
    ;; WHEN: Mon Mar 17 23:54:50 2014
    ;; MSG SIZE  rcvd: 88
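As an added example (not code from the original page or from BIND), here is a small Python checker for the delegation configured in steps 1 to 11. It reads a parent and a child zone file in the master-file format used above and reports the mistakes that most often break a delegation: an NS set that differs between parent and child, a missing glue A record for a name server inside the subzone, an SOA MNAME that has no address, and an RNAME whose trailing dot was forgotten so that the origin gets appended (the admin.mageedu.com.mageedu.com. visible in the step 3 dig output). The zone texts are constructed for the example and modelled on the page's files; the parser is deliberately minimal (only the directives and record types this page uses) and the RNAME check is a heuristic.

```python
import re

# Constructed zone texts modelled on the page's parent and child zone files,
# trimmed to the records the delegation check needs.
PARENT_ORIGIN, CHILD_ORIGIN = "mageedu.com.", "zhou.mageedu.com."
PARENT_ZONE = """
$TTL 86400
@        IN SOA  dns.mageedu.com. admin.mageedu.com. (
                 2014031901 1D 12H 1D 12H )
         IN NS   dns
dns      IN A    172.16.19.100
zhou     IN NS   dns.zhou
dns.zhou IN A    172.16.251.100
"""
# The same zone with three common mistakes: MNAME typo (dsn), RNAME without
# its trailing dot, and no glue A record for the subzone's name server.
BROKEN_PARENT = """
$TTL 86400
@        IN SOA  dsn.mageedu.com. admin.mageedu.com (
                 2014031901 1D 12H 1D 12H )
         IN NS   dns
dns      IN A    172.16.19.100
zhou     IN NS   dns.zhou
"""
CHILD_ZONE = """
$TTL 86400
@        IN SOA  dns.zhou.mageedu.com. admin.zhou.mageedu.com. (
                 2014031901 1D 10M 3D 12H )
         IN NS   dns
dns      IN A    172.16.251.100
"""


def qualify(name, origin):
    """Master-file name rule: '@' is the origin, a trailing dot marks an absolute
    name, anything else gets the origin appended (admin.mageedu.com -> admin.mageedu.com.mageedu.com.)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: $TTL, parenthesised continuation, inherited
    owner, optional TTL and class, and the record types used on this page."""
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()          # strip comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                   # a line starting in column 1 names a new owner
            owner = qualify(fields.pop(0), origin)
        if fields[0].isdigit():
            fields.pop(0)                          # explicit TTL
        if fields[0].upper() == "IN":
            fields.pop(0)                          # class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return records


def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Return the list of problems found in the parent -> child delegation."""
    parent = parse_zone(parent_text, parent_origin)
    child = parse_zone(child_text, child_origin)
    parent_a = {o for o, t, _ in parent if t == "A"}
    all_a = parent_a | {o for o, t, _ in child if t == "A"}
    parent_ns = {r[0] for o, t, r in parent if o == child_origin and t == "NS"}
    child_ns = {r[0] for o, t, r in child if o == child_origin and t == "NS"}
    problems = []
    if not parent_ns:
        problems.append(f"parent has no NS records delegating {child_origin}")
    elif parent_ns != child_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        # a name server inside the subzone is reachable only through glue in the parent
        if ns.endswith("." + child_origin) and ns not in parent_a:
            problems.append(f"missing glue A record for {ns} in parent")
    for origin, zone in ((parent_origin, parent), (child_origin, child)):
        for mname, rname in (r[:2] for _, t, r in zone if t == "SOA"):
            if mname not in all_a:
                problems.append(f"SOA MNAME {mname} has no A record")
            # heuristic: the origin appearing twice at the end is the usual sign of a forgotten trailing dot
            if rname.endswith(f".{origin[:-1]}.{origin}"):
                problems.append(f"SOA RNAME {rname} has the origin appended (missing trailing dot?)")
    return problems


if __name__ == "__main__":
    print("clean :", check_delegation(PARENT_ZONE, PARENT_ORIGIN, CHILD_ZONE, CHILD_ORIGIN))
    for problem in check_delegation(BROKEN_PARENT, PARENT_ORIGIN, CHILD_ZONE, CHILD_ORIGIN):
        print("broken:", problem)
```

Run as-is it prints an empty list for the clean pair and three findings for the broken parent. named-checkzone (for example named-checkzone mageedu.com /var/named/mageedu.com.zone) validates one file's syntax; what this script adds is the cross-file consistency between the delegation in the parent and the child's own apex records.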
Implementing zone forwarding
Prerequisite for forwarding: this host must be in the target server's list of hosts allowed to recurse;
Zone forwarding: when resolving a name in a zone this server is not responsible for, the query is not sent to the root servers but to a designated host
On the subdomain's server add a forward zone (the line include "/etc/named.root.key"; in the configuration file has to be commented out: it loads the root DNSSEC trust anchor, and with it named would try to validate the forwarded answers for mageedu.com)
    zone "mageedu.com" IN {
            type forward;
            forwarders { 172.16.19.100; };
    };
Reload the service
    # service named reload
Zone forwarding configured successfully
    # dig -t A www.mageedu.com @172.16.251.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.mageedu.com @172.16.251.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55304
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.mageedu.com.               IN      A

    ;; ANSWER SECTION:
    www.mageedu.com.        86112   IN      A       172.16.19.3

    ;; AUTHORITY SECTION:
    mageedu.com.            86112   IN      NS      ns.mageedu.com.
    mageedu.com.            86112   IN      NS      dns.mageedu.com.

    ;; ADDITIONAL SECTION:
    ns.mageedu.com.         86112   IN      A       172.16.19.1
    dns.mageedu.com.        86112   IN      A       172.16.19.100

    ;; Query time: 1 msec
    ;; SERVER: 172.16.251.100#53(172.16.251.100)
    ;; WHEN: Tue Mar 18 00:20:31 2014
    ;; MSG SIZE  rcvd: 116
Adding global forwarding in options forwards queries for every zone this server is not authoritative for to 192.168.1.1, which can reach the Internet
    options {
            directory "/var/named";
            recursion yes;
            // forward first: ask the forwarders first and fall back to normal iterative
            // resolution if they do not answer; "forward only" never falls back
            forward first;
            forwarders { 192.168.1.1; };
    };
Use dig on the local host to resolve www.goole.com
    # dig -t A www.goole.com @172.16.251.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.goole.com @172.16.251.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13592
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.goole.com.                 IN      A

    ;; ANSWER SECTION:
    www.goole.com.          3600    IN      A       213.165.70.39

    ;; AUTHORITY SECTION:
    goole.com.              100722  IN      NS      ns67.1and1.co.uk.
    goole.com.              100722  IN      NS      ns68.1and1.co.uk.

    ;; ADDITIONAL SECTION:
    ns67.1and1.co.uk.       75290   IN      A       217.160.80.173
    ns68.1and1.co.uk.       75290   IN      A       217.160.81.173

    ;; Query time: 148 msec
    ;; SERVER: 172.16.251.100#53(172.16.251.100)
    ;; WHEN: Tue Mar 18 00:41:
ACL: BIND supports access control lists
Defining a custom ACL
    acl ACL_NAME {
            ACL entries;    (one entry per line, each terminated with ";")
    };
An access control list can only be used after it has been defined; acl statements are therefore normally placed at the very top of named.conf.
BIND has four built-in ACLs:
any: any host
none: no host
localhost: the local host (every address of the server itself)
localnets: the networks the local host is attached to;
Allow only the local host and the 172.16.0.0/16 network to recurse: define the ACL at the top of named.conf and reference it in options
    acl clientrecursion {
            172.16.0.0/16;
            127.0.0.1;
    };

    options {
    //      listen-on port 53 { 127.0.0.1; };
    //      listen-on-v6 port 53 { ::1; };
            directory "/var/named";
    //      recursion yes;
            allow-recursion { clientrecursion; };
    };
DNS views: view
Depending on which network a client's request comes from, the same domain name is resolved to different IP addresses, so that users reach the server closest to them and access is faster.
Scenario: all IPs from the internal and the external network are resolved by dns.mageedu.com, so that users are given a consistent result.
Configuring a view:
1. Edit the configuration file and put all zones inside views (once any view is defined, every zone must be inside a view)
    // views are tried in order: the catch-all "default" view must come last
    view Innernet {
            match-clients { 172.16.0.0/16; };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
            zone "localhost.localdomain" IN {
                    type master;
                    file "named.localhost";
                    allow-update { none; };
            };
            zone "localhost" IN {
                    type master;
                    file "named.localhost";
                    allow-update { none; };
            };
            zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                    type master;
                    file "named.loopback";
                    allow-update { none; };
            };
            zone "1.0.0.127.in-addr.arpa" IN {
                    type master;
                    file "named.loopback";
                    allow-update { none; };
            };
            zone "0.in-addr.arpa" IN {
                    type master;
                    file "named.empty";
                    allow-update { none; };
            };
            zone "19.16.172.in-addr.arpa" IN {
                    type master;
                    file "172.16.19.zone";
                    allow-transfer { 127.0.0.1; 172.16.19.1; };
            };
            zone "mageedu.com" IN {
                    type master;
                    file "mageedu.com.Innernet";
            };
    };
    view default {
            match-clients { any; };
            zone "mageedu.com" IN {
                    type master;
                    file "mageedu.com.default";
            };
    };
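As an added example serving both the ACL section above and the view configuration just shown (it is not code from the page or from BIND), the following Python script simulates how BIND evaluates an address match list. It parses the acl blocks, the allow-recursion clause in options and each view's match-clients from a constructed named.conf fragment, then answers two questions for a client address: may it recurse, and which view will serve it. The acl named blocked and the ! negation are additions for illustration, the fragment assumes match-clients is the first clause inside each view (as on the page), and the built-in localhost and localnets are modelled from a hypothetical list of the server's own addresses. The semantics follow BIND 9: elements are tried in order, the first hit decides, a ! prefix turns a hit into a deny, a negative match inside a nested ACL counts as no match, and an address that matches nothing is denied (for views, no view matches and named refuses the query).

```python
import ipaddress
import re

# Constructed named.conf fragment modelled on the page's ACL and view sections.
# The "blocked" ACL and the "!" negation are added for illustration; the parser
# assumes match-clients is the first clause inside each view (as on the page).
NAMED_CONF = """
acl clientrecursion { 172.16.0.0/16; 127.0.0.1; };
acl blocked { 172.16.99.0/24; };

options {
        directory "/var/named";
        allow-recursion { !blocked; clientrecursion; };
};

view Innernet {
        match-clients { 172.16.0.0/16; };
        zone "mageedu.com" IN { type master; file "mageedu.com.Innernet"; };
};

view default {
        match-clients { any; };
        zone "mageedu.com" IN { type master; file "mageedu.com.default"; };
};
"""

# Hypothetical addresses of the server itself; they define the built-in
# "localhost" (its own addresses) and "localnets" (its attached networks).
SERVER_ADDRS = {"127.0.0.1", "172.16.19.100"}
SERVER_NETS = ["127.0.0.0/8", "172.16.19.0/24"]


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf):
    """{acl name: [elements]} for every top-level acl block."""
    return {name: _elements(body)
            for name, body in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", conf)}


def parse_views(conf):
    """[(view name, match-clients elements)] in file order; the order matters."""
    return [(name, _elements(body)) for name, body in
            re.findall(r"\bview\s+(\S+)\s*\{\s*match-clients\s*\{([^}]*)\}", conf)]


def parse_allow_recursion(conf):
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    return _elements(m.group(1)) if m else []


def matches(client, elements, acls):
    """Evaluate an address match list as BIND 9 does: elements are tried in
    order and the first one that hits decides; a leading '!' turns a hit into
    a deny. Returns True (allow), False (deny) or None (nothing matched)."""
    ip = ipaddress.ip_address(client)
    for element in elements:
        negate = element.startswith("!")
        item = element.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item == "localhost":
            hit = str(ip) in SERVER_ADDRS
        elif item == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in SERVER_NETS)
        elif item in acls:
            # a nested ACL hits only when it allows; a deny inside it counts as no match
            hit = matches(client, acls[item], acls) is True
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return None


def allows_recursion(client, conf=NAMED_CONF):
    """An address that no element of allow-recursion matches is denied."""
    return matches(client, parse_allow_recursion(conf), parse_acls(conf)) is True


def select_view(client, conf=NAMED_CONF):
    """The first view (in file order) whose match-clients allows the client
    serves it; when no view matches, named refuses the query."""
    acls = parse_acls(conf)
    for name, elements in parse_views(conf):
        if matches(client, elements, acls) is True:
            return name
    return None


if __name__ == "__main__":
    for client in ("172.16.19.50", "172.16.99.5", "192.168.1.20", "127.0.0.1"):
        print(f"{client:14} recursion={allows_recursion(client)!s:5} view={select_view(client)}")
```

The run shows the two lists being independent: 172.16.99.5 is served by the Innernet view (match-clients only looks at 172.16.0.0/16) yet is refused recursion by the negated blocked entry, while 192.168.1.20 falls through to the default view and, matching no allow-recursion element, gets authoritative answers only. That last behaviour is the point of the page's allow-recursion setting: a server that recurses for anyone is an open resolver.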
2. Add the zone data file for internal-network resolution
    # vim /var/named/mageedu.com.Innernet
    $TTL 86400
    @        IN SOA  dns.mageedu.com. admin.mageedu.com. (
                     2014031901
                     1D
                     12H
                     1D
                     12H )
             IN NS   dns
             IN MX 20 mail
    dns      IN A    172.16.19.100
    mail     IN A    172.16.19.101
    www      IN A    172.16.19.102
    pop      IN CNAME mail
    ftp      IN CNAME www
3. Add the zone data file for the other networks
    # vim /var/named/mageedu.com.default
    $TTL 86400
    @        IN SOA  dns.mageedu.com. admin.mageedu.com. (
                     2014031901
                     1D
                     12H
                     1D
                     12H )
             IN NS   dns
             IN MX 20 mail
    dns      IN A    192.168.1.100
    mail     IN A    192.168.1.101
    www      IN A    192.168.1.102
    pop      IN CNAME mail
    ftp      IN CNAME www
4. Change the owner, group, and permissions of the zone data files
    # chown root:named /var/named/mageedu.com.default /var/named/mageedu.com.Innernet
    # chmod 640 /var/named/mageedu.com.default /var/named/mageedu.com.Innernet
    # ll /var/named/mageedu.com.*
    -rw-r----- 1 root named 233 Mar 16 19:40 /var/named/mageedu.com.default
    -rw-r----- 1 root named 232 Mar 16 19:31 /var/named/mageedu.com.Innernet
5. Verify that the configuration files contain no errors
    # service named configtest
    zone localhost.localdomain/IN: loaded serial 0
    zone localhost/IN: loaded serial 0
    zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
    zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    zone 0.in-addr.arpa/IN: loaded serial 0
    zone 19.16.172.in-addr.arpa/IN: loaded serial 2014031902
    zone mageedu.com/IN: loaded serial 2014031901
    zone mageedu.com/IN: loaded serial 2014031901
6. Start the named service
    # named -u named
7. Verify with dig; the view configuration works
    # dig -t A www.mageedu.com @192.168.1.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.mageedu.com @192.168.1.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33369
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.mageedu.com.               IN      A

    ;; ANSWER SECTION:
    www.mageedu.com.        86400   IN      A       192.168.1.102

    ;; AUTHORITY SECTION:
    mageedu.com.            86400   IN      NS      dns.mageedu.com.

    ;; ADDITIONAL SECTION:
    dns.mageedu.com.        86400   IN      A       192.168.1.100

    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.100#53(192.168.1.100)
    ;; WHEN: Sun Mar 16 14:38:51 2014
    ;; MSG SIZE  rcvd: 83

    # dig -t A www.mageedu.com @172.16.19.100

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.mageedu.com @172.16.19.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8257
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.mageedu.com.               IN      A

    ;; ANSWER SECTION:
    www.mageedu.com.        86400   IN      A       172.16.19.102

    ;; AUTHORITY SECTION:
    mageedu.com.            86400   IN      NS      dns.mageedu.com.

    ;; ADDITIONAL SECTION:
    dns.mageedu.com.        86400   IN      A       172.16.19.100

    ;; Query time: 2 msec
    ;; SERVER: 172.16.19.100#53(172.16.19.100)
    ;; WHEN: Sun Mar 16 14:39:03 2014
    ;; MSG SIZE  rcvd: 83