DNS高级应用:子域授权、转发和view的实现方法
在上面的功能实现之前我们先来复习一下DNS 一些配置的基本格式:
- ACL:
acl string { address_match_element; address_match_element; ... };
- ZONE :
#主服务器 zone string optional_class { type master ; file quoted_string; ... }; #从服务器 zone string optional_class { type slave ; masters { MASTER_ADDRESS; } file quoted_string; ... }; #转发服务器 zone string optional_class { type forward ; forward {first|only}; forwarders { forward_address; } ... };
- VIEW
-
# 一旦启动view,所有的zone只能定义在view中。 view string optional_class { match-clients { address_match_element; ... }; match-destinations { address_match_element; ... }; zone string optional_class { ... };
- 访问控制指令:
allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-recursion { address_match_element; ... }; allow-update { address_match_element; ... };
详情man named.conf
子域授权:
环境:两台centos6.5
IP1:192.168.1.16 , IP2:192.168.1.20
实现方式:将IP1配置成DNS服务器,在其下配置一个以IP2为域名的DNS服务器(子域)。只需在IP1的解析库文件里定义一个子域即可。
START:
- 关闭防火墙和selinux
- 首先配置IP1(192.168.1.16):
修改配置文件
# cat /etc/named.conf options { listen-on port 53 { 192.168.1.16; 127.0.0.1; };//or delete this line // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable no; dnssec-validation no; /* Path to ISC DLV key */ // bindkeys-file "/etc/named.iscdlv.key"; // managed-keys-directory "/var/named/dynamic"; };
添加zone:
# tail /etc/named.rfc1912.zones zone "jiajie.com" IN { type master; file "jiajie.zone"; };
配置解析库文件:
# vim /var/named/jiajie.zone $TTL 1D @ IN SOA ns1.jiajie.com. jjzgood.126.com. ( 20170509 1H 10M 5D 1D ) IN NS ns1 IN NS ns2 ns1 IN A 192.168.1.16 ns2 IN A 192.168.1.17 www IN A 192.168.1.17 * IN A 192.168.1.16 #在解析库里定义一个字域 ops IN NS ns1.ops ops IN NS ns2.ops ns1.ops IN A 192.168.1.20 ns2.ops IN A 192.168.1.21
修改权限和组:
#chmod 640 /var/named/jiajie.zone # chown :named /var/named/jiajie.zone # ll /var/named/jiajie.zone -rw-r----- 1 root named 292 5月 9 16:30 /var/named/jiajie.zone
重启服务:# service named restart
查看端口号:# ss -tlnp|grep :53
验证:
# host -t a www.jiajie.com 192.168.1.16 Using domain server: Name: 192.168.1.16 Address: 192.168.1.16#53 Aliases: www.jiajie.com has address 192.168.1.17
3.配置子域(IP2:192.168.1.20)
修改配置文件:
# cat /etc/named.conf options { listen-on port 53 { 192.168.1.16; 127.0.0.1; };//or delete this line // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable no; dnssec-validation no; /* Path to ISC DLV key */ // bindkeys-file "/etc/named.iscdlv.key"; // managed-keys-directory "/var/named/dynamic"; };
添加ZONE:
# tail /etc/named.rfc1912.zones zone "ops.jiajie.com" IN { type master; file "ops.jiajie.com.zone"; };
配置解析库文件:
# vim /var/named/ops.jiajie.com.zone $TTL 1D @ IN SOA ns1.ops.jiajie.com. jjzgood.126.com. ( 20170509 1H 10M 5D 1D ) IN NS ns1 IN NS ns2 ns1 IN A 192.168.1.20 ns2 IN A 192.168.1.21 www IN A 192.168.1.20 * IN A 192.168.1.21
修改权限和组:
# chmod 640 /var/named/ops.jiajie.com.zone # chown named /var/named/ops.jiajie.com.zone
重启服务:# service named restart
查看端口号:# ss -tlnp|grep :53
验证:
# host -t a www.ops.jiajie.com 192.168.1.20 Using domain server: Name: 192.168.1.20 Address: 192.168.1.20#53 Aliases: www.ops.jiajie.com has address 192.168.1.20 # host -t a ftp.ops.jiajie.com 192.168.1.20 Using domain server: Name: 192.168.1.20 Address: 192.168.1.20#53 Aliases: ftp.ops.jiajie.com has address 192.168.1.21 -------------------------------------------- #注意上下两个使用的dns服务器是不同的 --------------------------------------------- # host -t a www.ops.jiajie.com 192.168.1.16 Using domain server: Name: 192.168.1.16 Address: 192.168.1.16#53 Aliases: www.ops.jiajie.com has address 192.168.1.20 [[email protected] ~]# host -t a ftp.ops.jiajie.com 192.168.1.16 Using domain server: Name: 192.168.1.16 Address: 192.168.1.16#53 Aliases: ftp.ops.jiajie.com has address 192.168.1.21
由上可以看出如果用父域来解析子域的地址是可以的,但是如果使用子域去解析父域的是解析不出来的(如下图)。此时我们可以在子域上设置一个转发服务器来解决上面的尴尬状况。
如下图:
# host -t a ftp.jiajie.com 192.168.1.20 Using domain server: Name: 192.168.1.20 Address: 192.168.1.20#53 Aliases: Host ftp.jiajie.com not found: 3(NXDOMAIN)
转发服务器
注意:本实验是基于上面的实验进行的。
首先在IP2(192.168.1.20)服务器上增加一个转发区域:
# tail /etc/named.rfc1912.zones zone "jiajie.com" IN { type forward; forward only; forwarders { 192.168.1.16; }; };
重新加载配置服务:# rndc reload
此时我们就可以在子域上解析父域的地址了:
# host -t A ftp.jiajie.com 192.168.1.20 Using domain server: Name: 192.168.1.20 Address: 192.168.1.20#53 Aliases: ftp.jiajie.com has address 192.168.1.16
- 转发分为全局转发和区域转发
- 全局转发:凡是非本机所负责的解析区域的,统统转发给指定服务器。
option { forward {first|only}; forwarders { address; } };
- 区域转发:只转发对特定区域的请求到指定服务器
zone { type forward; forward {first|only}; forwarders { address; } };
智能view的实现:
本实验是在上面两个实验的基础上进行修改的。
注意
- 一旦启用view,所有的zone都能定义在view中
- 一个bind可以定义多个view,每个view中可以定义一个或者多个zone。
- 多个view内可能需要对同一个区域进行解析,但使用不同的区域解析文件。
- 客户端请求到达时是自上而下检查view的。
配置:
配置IP1(192.168.1.16)
1.首先先把/etc/named.conf
中的根区域移到/etc/named.rfc1912.zones
文件中。
# vim /etc/named.conf zone "." IN { type hint; file "named.ca"; };
2.在/etc/named.conf
文件首部添加一个acl
#vim /etc/named.conf acl in_net { 192.168.1.16; 192.168.1.10; 127.0.0.0/24; };
3.添加两个view,注意第一个view将文件中的zone都圈起来,第二个view添加在文件的底部。
#将匹配acl内的IP # vim /etc/named.rfc1912.zones view innet { match-clients { in_net; }; allow-recursion { in_net; }; zone ... ... }; }; #匹配acl以外的IP view outnet { match-clients { any; }; zone "jiajie.com" IN { type master; file "jiajie.com.out"; allow-update { none; }; }; };
4.cp /var/named/jiajie.zone /var/named/jiajie.com.out -a
5.编辑/var/named/jiajie.zone.out
# vim /var/named/jiajie.com.out $TTL 1D @ IN SOA ns1.jiajie.com. jjzgood.126.com. ( 20170509 1H 10M 5D 1D ) IN NS ns1 IN NS ns2 ns1 IN A 192.168.1.16 ns2 IN A 192.168.1.17 www IN A 2.2.2.2 * IN A 2.2.2.3
6.运行# rndc reload
7.验证:
#基于IP1(192.168.1.16)平台验证 # host www.jiajie.com 192.168.1.16 Using domain server: Name: 192.168.1.16 Address: 192.168.1.16#53 Aliases: www.jiajie.com has address 192.168.1.17 #基于IP2(192.168.1.20)平台验证 # host www.jiajie.com 192.168.1.16 Using domain server: Name: 192.168.1.16 Address: 192.168.1.16#53 Aliases: www.jiajie.com has address 2.2.2.2
windows平台验证:
由上面可以看出你虽然是访问同一个URL,但是如果你的IP地址不同,将会返回给你不同的地址,这样就实现了智能化。
2017/5/9 22:04:59