DNS setup, simulating the view feature
Building a master DNS server
Building a master DNS server that manages the 51cto.com zone
Basic idea:
1. A fixed IP address is required.
2. Install the software package that implements the DNS protocol and declare that this server manages the 51cto.com zone
(precondition: the DNS server of the parent domain, com, has delegated the 51cto.com zone to this host).
3. Some domain names under this zone's suffix need to be registered on this DNS server.
Concrete implementation:
1. A fixed IP address is required:
192.168.1.254
2. Install the software package that implements the DNS protocol and declare the 51cto.com zone in the main configuration file
(precondition: the DNS server of the parent domain, com, has delegated the 51cto.com zone to this host).
]# yum -y install bind bind-chroot caching-nameserver
bind is the main program package.
bind-chroot exists for safety:
it runs the bind program inside a specified root-directory environment.
The bind program runs under the identity of the named user;
once an unauthorized user compromises this DNS server,
the attacker obtains the privileges of the named user,
and at that point the named identity has r-x / r-- access to every directory and file on the system.
To be somewhat safer, the named user is confined to a specified root directory in which it only has the permissions it needs.
After this package is installed, the confined root directory defaults to /var/named/chroot.
The caching-nameserver package, once installed,
generates a set of template files, for example templates for zone files.
Now modify the main configuration file to declare the 51cto.com zone:
]# vim /var/named/chroot/etc/named.caching-nameserver.conf
[root@localhost chroot]# cat /var/named/chroot/etc/named.caching-nameserver.conf
options {
listen-on port 53 { any; }; # which local interface's port 53 to listen on; any means all local interfaces
listen-on-v6 port 53 { ::1; };
directory "/var/named"; # where zone files are stored; create them under /var/named/chroot/var/named and define them as needed
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # which clients may query this DNS server
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};
Declaration of the zone to be managed (the file name must match the zone file created below):
]# vim /var/named/chroot/etc/named.rfc1912.zones
zone "51cto.com" IN {
type master;
file "51cto.com.zone";
};
]# cp -p /var/named/chroot/var/named/localhost.zone /var/named/chroot/var/named/51cto.com.zone
3. Some domain names under this zone's suffix need to be registered on this DNS server.
]# vim /var/named/chroot/var/named/51cto.com.zone
This configuration file contains several kinds of records.
SOA, start of authority: authority is normally delegated downwards from this host, so the value filled in should be the domain name of this DNS server itself (but that name is not resolved by anything yet, so in a moment an A record must be written to resolve it).
In our exercise this domain name is dns.51cto.com:
51cto.com IN SOA dns.51cto.com.
Note: an A record resolving dns.51cto.com. must be added:
dns.51cto.com. IN A 192.168.1.254
NS defines which host is the name server of a given zone.
Usually it declares that the DNS server for this zone is this host itself;
it is also used to declare that the DNS server for a subzone is a specified host (subdomain delegation).
51cto.com IN NS dns.51cto.com.
A, the host record, maps a domain name to an IP address:
dns.51cto.com IN A 192.168.1.254
]# cat /var/named/chroot/var/named/51cto.com.zone
$TTL 86400
@ IN SOA dns.51cto.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;51cto.com. IN NS dns.51cto.com.
;dns.51cto.com. IN A 192.168.1.254
IN NS dns.51cto.com.
dns IN A 192.168.1.254
;www.51cto.com. IN A 192.168.1.5
;mail.51cto.com. IN A 192.168.1.8
;news.51cto.com. IN A 192.168.1.122
www IN A 192.168.1.5
mail IN A 192.168.1.8
news IN A 192.168.1.122
]# service named start
]# tail -n 20 /var/log/messages    # check the log for error messages
Client test:
cat /etc/resolv.conf
nameserver 192.168.1.254
[root@localhost named]# host -l 51cto.com
51cto.com name server dns.51cto.com.
dns.51cto.com has address 192.168.1.254
mail.51cto.com has address 192.168.1.8
news.51cto.com has address 192.168.1.122
www.51cto.com has address 192.168.1.5
[root@localhost named]#
DNS subdomain delegation
Basic idea:
1. Build the master DNS server for the com zone
2. Build the master DNS server for the 51cto.com zone
3. Delegate 51cto.com in the com zone
--------------
Concrete implementation:
1. Build the master DNS server for the com zone, 192.168.1.254
Install the packages (they ship on the installation CD):
[root@localhost pg]# rpm -q bind
bind-9.3.6-4.P1.el5_4.2
[root@localhost pg]# rpm -q bind-chroot
bind-chroot-9.3.6-4.P1.el5_4.2
[root@localhost pg]# rpm -q caching-nameserver
caching-nameserver-9.3.6-4.P1.el5_4.2
Modify the configuration file:
]# vim /var/named/chroot/etc/named.caching-nameserver.conf
options {
listen-on port 53 { any; }; # which local interface's port 53 to listen on; any means all local interfaces
listen-on-v6 port 53 { ::1; };
directory "/var/named"; # where zone files are stored; create them under /var/named/chroot/var/named and define them as needed
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # which clients may query this DNS server
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};
]# vim /var/named/chroot/etc/named.rfc1912.zones
zone "com" IN {
type master;
file "com.zone";
};
]# cat /var/named/chroot/var/named/com.zone
$TTL 86400
@ IN SOA dns.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;51cto.com. IN NS dns.51cto.com.
;dns.51cto.com. IN A 192.168.1.254
IN NS dns.com.
dns IN A 192.168.1.254
[root@localhost named]# service named restart
停止 named: [確定]
啓動 named: [確定]
2. Likewise, configure the master DNS for the 51cto.com zone on 192.168.1.8,
defining A records that resolve the following names:
www.51cto.com
news.51cto.com
3. On the master DNS for the com zone, write the delegation records
vim /var/named/chroot/var/named/com.zone
Add two records:
51cto.com. IN NS dns.51cto.com.
dns.51cto.com. IN A 192.168.1.8
service named restart
tail -n 30 /var/log/messages    # check the log for errors
4. Test
Pick a client and point its DNS at the DNS server of the com zone, i.e. 192.168.1.254,
then use nslookup to resolve A records in the delegated zone:
nslookup www.51cto.com
nslookup news.51cto.com
If they resolve successfully, the delegation works.
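Two of the steps above depend on the same detail: the SOA primary name (dns.51cto.com) and every NS target that lives inside the zone, including the delegation target dns.51cto.com in com.zone, need an A record in the same file, or the name server is unreachable. The following is an added example, not code from the notes: a small checker for the zone-file subset used here, run against a constructed com.zone with and without the glue record.

```python
def fqdn(name, origin):                       # '@' -> origin, relative -> name.origin
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Parse the master-file subset used in the notes (comments, $ directives, multi-line SOA)."""
    origin = origin.lower().rstrip(".") + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()         # drop the comment first,
        if not line.strip(): continue
        depth += line.count("(") - line.count(")")   # then track ( ... ) nesting
        buf.append(line)
        if depth == 0:                               # logical record complete
            logical.append(" ".join(buf)); buf = []
    records, owner = [], origin
    for line in logical:
        if line.startswith("$"): continue            # $TTL / $ORIGIN: no record
        fields = line.split()
        if not line[0].isspace():                    # blank owner = previous one
            owner, fields = fqdn(fields[0], origin), fields[1:]
        if fields[0].isdigit(): fields.pop(0)        # optional TTL
        if fields[0].upper() == "IN": fields.pop(0)  # optional class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records

def missing_glue(text, origin):
    """In-zone names that SOA/NS records point at but that have no A record."""
    origin = origin.lower().rstrip(".") + "."
    records = parse_zone(text, origin)
    have_a = {o for o, t, _ in records if t == "A"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("SOA", "NS"):
            target = fqdn(rdata[0], origin)
            if target not in have_a and (target == origin or target.endswith("." + origin)):
                problems.append(f"{rtype} {owner} -> {target}: no A record")
    return problems

# Constructed sample: com.zone with the delegation NS added but its glue forgotten,
# then with the glue A record present.
COM_ZONE_NO_GLUE = """\
$TTL 86400
@   IN SOA dns.com. root (
        42 ; serial (d. adams)
        3H 15M 1W 1D )  ; refresh retry expiry minimum
    IN NS dns.com.
dns IN A 192.168.1.254
51cto.com. IN NS dns.51cto.com.
"""
COM_ZONE_DELEGATED = COM_ZONE_NO_GLUE + "dns.51cto.com. IN A 192.168.1.8\n"
```

missing_glue(COM_ZONE_NO_GLUE, "com") reports the delegation without glue; the same call on COM_ZONE_DELEGATED returns an empty list.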
view
Idea
By defining three views, the same domain name is resolved to different IPs depending on where the client comes from.
This requirement mainly addresses the north/south connectivity problem between the China Telecom and China Unicom networks.
www.51cto.com is served on both a Telecom IP and a Unicom IP.
When a Unicom client asks the DNS to resolve www.51cto.com, it should receive the Unicom IP;
when a Telecom client asks the DNS to resolve www.51cto.com, it should receive the Telecom IP.
This feature is also called intelligent DNS.
The implementation is in the notes below.
named.caching-nameserver.conf
vim /var/named/chroot/etc/named.caching-nameserver.conf
The main job is to define three views:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
allow-query { any; };
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#view localhost_resolver {
# match-clients { any; };
# match-destinations { any; };
# recursion yes;
# include "/etc/named.rfc1912.zones";
#};
view cu {
match-clients { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};
view tel {
match-clients { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};
view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};
The three rfc1912.zones files
]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.cu
]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.tel
]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.other
Watch the permissions of the three files:
either copy with cp -p
(the -p option is the same as --preserve=mode,ownership,timestamps)
or fix the group afterwards:
]# chgrp named /var/named/chroot/etc/named.rfc1912.zones.*
Add the following zone declaration to each of the files. The key point is that the zone file differs in each, so the IP address that the A record for www.51cto.com resolves to also differs from zone to zone:
[root@www etc]# tail -n 4 /var/named/chroot/etc/named.rfc1912.zones.*
==> /var/named/chroot/etc/named.rfc1912.zones.cu <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.cu";
};
==> /var/named/chroot/etc/named.rfc1912.zones.other <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.other";
};
==> /var/named/chroot/etc/named.rfc1912.zones.tel <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.tel";
};
The three zone files
Create the following three zone files; again, watch the permissions!!
]# ls /var/named/chroot/var/named/51cto.com.zone.cu
]# ls /var/named/chroot/var/named/51cto.com.zone.tel
]# ls /var/named/chroot/var/named/51cto.com.zone.other
-------------
]# cat 51cto.com.zone.cu
$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;[email protected]
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.254
;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8
-------------
]# cat 51cto.com.zone.tel
$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;[email protected]
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.167
;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8
-------------
]# cat 51cto.com.zone.other
$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;[email protected]
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.167
;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8
-------------
]# chgrp named 51cto.com.zone.*
]# ls 51cto.com.zone.* -l
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.cu
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.other
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.tel
Start the DNS service
[root@www named]# service named restart
[root@www named]# iptables -L
Watch the iptables policy: all hosts must be allowed to reach UDP port 53.
Test from different clients
Every client points its DNS at 192.168.1.8.
Resolve www.51cto.com and check whether the answers are differentiated by client.
ACL
We can define a set of IP addresses under a dedicated name
and simply reference that name wherever the set is needed.
ACL feature
Syntax:
acl acl-name {
address_match_list
};
Example:
acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
--------------------
acl cu { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
view cu {
match-clients { cu; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};
view tel {
match-clients { tel; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};
view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};
--------------------
Alternatively, define the ACLs in dedicated files and include them in the configuration file:
[root@localhost etc]# pwd
/var/named/chroot/etc
[root@localhost etc]# cat aclfile_cu aclfile_tel
acl cu {
192.168.1.32;
192.168.1.250;
192.168.1.249;
192.168.2.0/24;
};
acl tel {
192.168.1.253;
192.168.1.38;
192.168.1.101;
192.168.3.0/24;
};
include "/etc/aclfile_cu";
include "/etc/aclfile_tel";
#acl cu { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
#acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
view cu {
match-clients { cu; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};
view tel {
match-clients { tel; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};
view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};
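The view and ACL sections above both rely on BIND checking the views in the order they are written and taking the first match-clients hit, which is why the catch-all other view is last. The following is an added example, not code from the notes or from BIND: a constructed model of the cu/tel/other configuration (including the 192.168.2.0/24 and 192.168.3.0/24 prefixes from the ACL files) that shows which view a client lands in and what it gets for www.51cto.com; support for ! negation follows the BIND manual's address_match_list rules and is an addition beyond the notes.

```python
import ipaddress

# Constructed model of the notes' ACL + view configuration. BIND tests the views
# in the order they are written and the first match-clients hit wins, which is
# why the catch-all "other" view has to come last.
ACLS = {
    "cu":  ["192.168.1.32", "192.168.1.250", "192.168.1.249", "192.168.2.0/24"],
    "tel": ["192.168.1.253", "192.168.1.38", "192.168.1.101", "192.168.3.0/24"],
}
VIEWS = [  # (view name, match-clients list, A record for www.51cto.com in that view)
    ("cu",    ["cu"],  "192.168.1.254"),
    ("tel",   ["tel"], "192.168.1.167"),
    ("other", ["any"], "192.168.1.167"),
]

def match_list(client, elements, acls, depth=0):
    """address_match_list semantics: the first element that matches decides;
    a '!'-negated element that matches rejects the client outright."""
    if depth > 10:
        raise ValueError("ACL reference loop")
    for element in elements:
        negate = element.startswith("!")
        e = element.lstrip("! ")
        if e == "any":
            hit = True
        elif e == "none":
            hit = False
        elif e in acls:                      # named ACL: expand recursively
            hit = match_list(client, acls[e], acls, depth + 1)
        else:                                # bare IP or CIDR prefix
            hit = client in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts client_ip, else None
    (named would refuse the query if no view matched)."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients, _ in views:
        if match_list(client, match_clients, acls):
            return name
    return None

def resolve_www(client_ip, views=VIEWS, acls=ACLS):
    """The A record for www.51cto.com that client_ip would be given."""
    chosen = select_view(client_ip, views, acls)
    return next((a for n, _, a in views if n == chosen), None)
```

Reordering VIEWS so that other comes first makes every client fall into other, which is the misconfiguration to watch for when the answers are not differentiated.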
BIND reference manual
file:///usr/share/doc/bind-9.3.6/arm/Bv9ARM.html