智能DNS

        智能DNS实现如下图:当用户通过浏览器访问www.sina.com,浏览器向DNS服务器查×××器地址,北京的用户,返回区域代理服务器1的ip地址,上海的用户返回区域服务器2的ip地址,以此类推。以北京用户为例:当DNS服务器返回区域代理服务器1的地址,用户访问区域代理服务器1,区域代理服务器一般存放静态的一些内容,当用户只访问静态的内容时,区域代理服务器1提供服务,当用户访问一些动态内容时,区域代理服务器1就向web服务器寻找,然后返回给用户。


实现智能DNS_第1张图片

实验:实现上海和北京和其他地区的智能DNS管理

     说明:  实现当上海地区访问www.sina.com 返回ip为6.6.6.6

                当北京地区访问www.sina.com 返回ip为1.1.1.1

                当其他地区访问www.sina.com 返回ip为2.2.2.2                                   

        以ip地址来划分区域,上海的ip地址段为:

      192.168.191.0/24;

                   192.168.192.0/24;

            北京的ip地址段为:                      

                172.17.251.0/24;

               172.18.251.0/24;

            以此来模拟智能DNS实现过程。

       实现步骤:三大步:

            第一、准备数据库文件

                        地址www.sina.com 返回的地址等信息 

            第二、定义acl

                       定义某个区域的ip地址

            第三、定义view

                        关联acl和数据库文件

    1、安装包

        yum  install bind

    2、启动服务

        systemctl start named

        注意:DNS服务的包名为bind ,服务名为named

                 主配置文件:/etc/named.conf, /etc/named.rfc1912.zones,/etc/rndc.key

         解析库文件 /var/named/ZONE_NAME.ZONE

    3、创建DNS数据库文件

        cd /var/named

        vim  sina.com.zone.beijing   

$TTL 1D
@       IN SOA  dns1 rname.invalid. (
                                        2017101101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A      172.17.251.107
dns1        A  192.168.191.107
www     A      1.1.1.1

      vim  sina.com.zone.shanghai

$TTL 1D
@       IN SOA  dns1 rname.invalid. (
                                        2017101101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A       172.17.251.107
dns2        A              192.168.191.107
www     A       6.6.6.6

    vim sina.com.zone.other   

$TTL 1D
@       IN SOA  dns1 rname.invalid. (
                                        2017101101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A      172.17.251.107
dns1        A            192.168.191.107
www     A      2.2.2.2

    4、创建acl和view

        vim /etc/named.conf 

        (1)注释这两行 

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { any; };

第一行代表53端口绑定的ip,allow-query {};表示允许查询的主机

将这两行注释;或者改成上面,localhost表示允许该主机上的所有ip都可以绑定53端口,any代表所有ip         

        (2)在该文件添加     

acl shanghainet {
        192.168.191.0/24;
        192.168.192.0/24;
};
acl beijingnet {
        172.17.251.0/24;
        172.18.251.0/24;
};

    (3)创建view

        将下面的文件修改成下面

        创建view的方法1:关联数据库文件时,直接写文件名

         方法2:将文件写在/etc/named.rfc1912.zone.shanghai,中,在该文件中指定文件。

view  beijingview {
        match-clients { beijingnet;};  //连接acl
        zone "sina.com" {
                type master;
                file "sina.com.zone.beijing";  // 指定数据库文件
        };
        zone "." IN {
                type hint;    //允许该地区的用户直接访问根地址
                file "named.ca";
        };
};
view  shanghaiview {
        match-clients { shanghainet;};
        include "/etc/named.rfc1912.zones.shanghai"; 
        zone "." IN {
                type hint;
                file "named.ca";
        };
};
view otherview {
        match-clients {any;};
        include "/etc/named.rfc1912.zones.other";
         zone "." IN {
                type hint;
                file "named.ca";
        };
};
include "/etc/named.root.key";

   整个文件如下

acl shanghainet {
        192.168.191.0/24;
        192.168.192.0/24;
};
acl beijingnet {
        172.17.251.0/16;
        172.18.251.0/16;
};

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { any; };
        allow-transfer   { none; };
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view  beijingview {
        match-clients { beijingnet;};
        zone "sina.com" {
                type master;
                file "sina.com.zone.beijing";
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
};
view  shanghaiview {
        match-clients { shanghainet;};
        include "/etc/named.rfc1912.zones.shanghai";
        zone "." IN {
                type hint;
                file "named.ca";
        };
};
view otherview {
        match-clients {any;};
        include "/etc/named.rfc1912.zones.other";
         zone "." IN {
                type hint;
                file "named.ca";
        };
};
include "/etc/named.root.key";

  5、 将/etc/named.rfc1912.zones 复制两份命名为/etc/named.rfc1912.zones.shanghai

/etc/named.rfc1912.zones.other

        vim /etc/named.rfc1912.zones.shanghai

            添加如下内容

zone "sina.com" IN {
        type master;
        file "sina.com.zone.shanghai";
};

    vim /etc/named.rfc1912.zones.other   

         添加如下内容

zone "sina.com" IN {
        type master;
        file "sina.com.zone.other";
};

6、启动服务

        重新加载服务:rndc reload    

注意:在centos6或centos7上最好不要用restart,容易把服务死掉,起不来服务。

这里rndc reload  这个命令时专门管理DNS服务的,如果必要重启服务了,先关闭服务,再开启服务。

7、测试:

        在某一客户端上,将该客户端的DNS执行服务器主机

        (1)如果网络是自动获取的,则修改vim /etc/resolv.conf

           nameserver 172.17.251.107 

        (2)如果网络时自己配置的,/etc/sysconfig/network-scripts ,修改该目录下的桥接网卡的DNS1=172.17.251.107 。

            重启服务 systemctl restart network

        在客户端测试: 

        dig www.sina.com  @192.168.191.107

        dig www.sina.com  @172.17.251.107

     

[root@centos7 named]# dig www.sina.com @192.168.191.107


; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sina.com @192.168.191.107

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57522

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.sina.com.                  IN      A


;; Query time: 0 msec

;; SERVER: 192.168.191.107#53(192.168.191.107)

;; WHEN: Thu Oct 12 11:10:48 CST 2017

;; MSG SIZE  rcvd: 41

 遇到错误

排错:1、查看防火墙iptables -vnL  ,清除防火墙策略iptables -F

          2、查看网络连接。dig www.baidu.com 
            rndc flush  清除缓存

            rndc reload 重新启动

 发现这两个都清除了,还是出现相同错误

    最后发现是数据库文件的权限问题,在运行DNS时,是用named这个用户,执行操作的,所以当文件的所有者,所属组为root是,将权限改成644


上海用户,解析出来6.6.6.6。成功

[root@centos6 network-scripts]# dig www.sina.com @192.168.191.107 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sina.com @192.168.191.107

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63539

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2


;; QUESTION SECTION:

;www.sina.com.                  IN      A


;; ANSWER SECTION:

www.sina.com.           86400   IN      A       6.6.6.6


;; AUTHORITY SECTION:

sina.com.               86400   IN      NS      dns1.sina.com.


;; ADDITIONAL SECTION:

dns1.sina.com.          86400   IN      A       172.17.251.107

dns1.sina.com.          86400   IN      A       192.168.191.107


;; Query time: 2 msec

;; SERVER: 192.168.191.107#53(192.168.191.107)

;; WHEN: Mon Oct  9 13:34:41 2017

;; MSG SIZE  rcvd: 97