因为各种不同的原因,企业内部往往会有多台DHCP服务器,负责分发IP地址,给内部网络管理带来不便。本文将介绍如何在企业内部用BIND9建立内部DDNS服务,解决网络管理不便的问题。
假设企业内部有三台DHCP服务器负责为三个子域分发IP地址,三个子域分别是 rd.lswin.cn (192.168.230.0/24)、ga.lswin.cn (192.168.231.0/24) 和 sm.lswin.cn (192.168.232.0/24)。
示例中,DDNS服务器的名称为 ddns.lswin.cn。
root@ddns:~# apt-get update && apt-get install bind9
修改/etc/bind/named.conf.local 文件
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//
// ___***___ Own DynDNS
//
// The TSIG keys referenced by the allow-update statements below are kept in a
// separate file so that the secrets stay out of this (less sensitive) config.
include "/etc/bind/ddns-keys.conf";
//
// rd.lswin.cn zone configuration
//
// allow-update: only update requests signed with the named TSIG key are
// accepted; whoever holds that key's secret can change any record in the zone.
// Zone files live under /var/lib/bind rather than /etc/bind because named must
// write a journal next to a dynamically updated zone -- confirm the directory
// is writable by the bind user on the target host.
zone "rd.lswin.cn" {
type master;
file "/var/lib/bind/rd.lswin.cn.zone";
allow-update { key rd-lswin-cn.;};
notify no;
};
// Reverse DNS definition. Replace 230.168.192 with your own sub-net.
// NOTE(review): the forward zones set "notify no;" but the reverse zones do
// not -- confirm the asymmetry is intended.
zone "230.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/rd.lswin.cn.rev.zone";
allow-update { key rd-lswin-cn.; };
};
//
// ga.lswin.cn zone configuration (same layout as rd.lswin.cn, different key)
//
zone "ga.lswin.cn" {
type master;
file "/var/lib/bind/ga.lswin.cn.zone";
allow-update { key ga-lswin-cn.;};
notify no;
};
// Reverse DNS definition. Replace 231.168.192 with your own sub-net.
zone "231.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/ga.lswin.cn.rev.zone";
allow-update { key ga-lswin-cn.; };
};
//
// sm.lswin.cn zone configuration (same layout as rd.lswin.cn, different key)
//
zone "sm.lswin.cn" {
type master;
file "/var/lib/bind/sm.lswin.cn.zone";
allow-update { key sm-lswin-cn.;};
notify no;
};
// Reverse DNS definition. Replace 232.168.192 with your own sub-net.
zone "232.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/sm.lswin.cn.rev.zone";
allow-update { key sm-lswin-cn.; };
};
为子域配置库文件
/var/lib/bind/rd.lswin.cn.zone
$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours (default TTL for records without an explicit one)
; NOTE(review): only the MNAME (primary server) appears before the opening
; parenthesis; a valid SOA also needs the RNAME (responsible mailbox) field --
; check whether it was lost when the listing was copied.
rd.lswin.cn IN SOA ns1.rd.lswin.cn. (
2014071478 ; serial (named increments it itself on each accepted dynamic update)
28800 ; refresh (8 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
38400 ; minimum (10 hours 40 minutes)
)
NS ns1.rd.lswin.cn. ; blank owner: inherits rd.lswin.cn from the SOA line
$ORIGIN rd.lswin.cn.
ns1 A 192.168.230.1 ; the name server itself; all other hosts arrive via DDNS
/var/lib/bind/rd.lswin.cn.rev.zone
$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours (default TTL for records without an explicit one)
; NOTE(review): as in the forward zone, only the MNAME appears before the
; parenthesis; a valid SOA also needs the RNAME (responsible mailbox) field.
230.168.192.in-addr.arpa IN SOA ns1.rd.lswin.cn. (
2014071452 ; serial (named increments it itself on each accepted dynamic update)
28800 ; refresh (8 hours)
604800 ; retry (1 week) -- NOTE(review): equal to expire; the forward zone uses 3600
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.rd.lswin.cn. ; blank owner: inherits the zone name from the SOA line
$ORIGIN 230.168.192.in-addr.arpa.
; Owner "1" is 1.230.168.192.in-addr.arpa, i.e. 192.168.230.1. The next two
; lines carry no owner name, so as written they inherit "1" and give that one
; address three PTR records -- confirm this is intended and not a copy artefact.
1 PTR rd.lswin.cn.
PTR ns1.rd.lswin.cn.
PTR admin.rd.lswin.cn.
其他二个zone的和这个配置基本一致,只需修改IP地址和子域名即可。
为子域配置生成密钥
首先为三个子域生成不同的密钥,然后将生成的密钥放入密钥文件 /etc/bind/ddns-keys.conf
root@ddns:~# tsig-keygen -a hmac-sha512 rd-lswin-cn.
root@ddns:~# tsig-keygen -a hmac-sha512 ga-lswin-cn.
root@ddns:~# tsig-keygen -a hmac-sha512 sm-lswin-cn.
// One TSIG key per sub-domain; included from named.conf.local and referenced
// there by name in each zone's allow-update statement.
// Whoever holds a secret has exactly the update rights named grants that key,
// so this file should be readable by the bind user only. The secrets below are
// the article's published example values -- generate your own with
// tsig-keygen as shown above.
// rd.lswin.cn
key "rd-lswin-cn." {
algorithm hmac-sha512;
secret "dWZM3Go6hz7AL/VX3ihaQpTgwyigx27hIoKgxVooYblnFkgKTPjBiUhScM+eOpO4PrD1EgYwCIc/zb3WzoUadg==";
};
// ga.lswin.cn
key "ga-lswin-cn." {
algorithm hmac-sha512;
secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};
// sm.lswin.cn
key "sm-lswin-cn." {
algorithm hmac-sha512;
secret "HxyVoX1/i5293TD3fXUxRLyuyjofdnKUy3fsvamB4myAAva4etoa+4rQliXb2+PoVpLxOyOkwN8ksY5ypioG1A==";
};
检查配置
root@ddns:~# named-checkconf
root@ddns:~# named-checkzone rd.lswin.cn /var/lib/bind/rd.lswin.cn.zone
zone rd.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~# named-checkzone ga.lswin.cn /var/lib/bind/ga.lswin.cn.zone
zone ga.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~# named-checkzone sm.lswin.cn /var/lib/bind/sm.lswin.cn.zone
zone sm.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~#
如没问题,就可以重启BIND9。
root@ddns:~# service bind9 restart
root@ddns:~#
三组配置完全相似,我们只测试一组配置。
建立key文件 ga-lswin-cn.key
从现有配置中,将ga.lswin.cn的key复制过来。
// Copied verbatim from /etc/bind/ddns-keys.conf; passed to "nsupdate -k" below.
// The same secret grants the same update rights as on the server, so protect
// this file like the server-side key file.
key "ga-lswin-cn." {
algorithm hmac-sha512;
secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};
测试正向DDNS添加
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server: ddns.lswin.cn
Address: 192.168.220.109#53
** server can't find test.ga.lswin.cn: NXDOMAIN
root@ddns:~# nsupdate -k ./ga-lswin-cn.key
> server ddns.lswin.cn
> zone ga.lswin.cn
> update add test.ga.lswin.cn 7200 IN A 192.168.231.123
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;ga.lswin.cn. IN SOA
;; UPDATE SECTION:
test.ga.lswin.cn. 7200 IN A 192.168.231.123
> send
> quit
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server: ddns.lswin.cn
Address: 192.168.220.109#53
Name: test.ga.lswin.cn
Address: 192.168.231.123
root@ddns:~#
记录 test.ga.lswin.cn 已成功加入DDNS。
测试正向DDNS删除
root@ddns:~#
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server: ddns.lswin.cn
Address: 192.168.220.109#53
Name: test.ga.lswin.cn
Address: 192.168.231.123
root@ddns:~# nsupdate -k ./ga-lswin-cn.key
> server ddns.lswin.cn
> zone ga.lswin.cn
> update delete test.ga.lswin.cn A
> send
> quit
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server: ddns.lswin.cn
Address: 192.168.220.109#53
** server can't find test.ga.lswin.cn: NXDOMAIN
root@ddns:~#
记录 test.ga.lswin.cn 已从DDNS中成功删除。
root@ddns:~#
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
** server can't find 123.231.168.192.in-addr.arpa: NXDOMAIN
root@ddns:~# nsupdate -k ./ga-lswin-cn.key
> server ddns.lswin.cn
> update add 123.231.168.192.in-addr.arpa. 7200 PTR test.ga.lswin.cn
> send
> quit
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
123.231.168.192.in-addr.arpa name = test.ga.lswin.cn.
root@ddns:~#
192.168.231.123 的 PTR 记录已成功添加。
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
123.231.168.192.in-addr.arpa name = test.ga.lswin.cn.
root@ddns:~# nsupdate -k ./ga-lswin-cn.key
> server ddns.lswin.cn
> update delete 123.231.168.192.in-addr.arpa. PTR
> send
> quit
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
** server can't find 123.231.168.192.in-addr.arpa: NXDOMAIN
root@ddns:~#
192.168.231.123 的 PTR 记录已成功删除。
在我们的系统中,只有下列二种DHCPD,所以只有以下二种示例。
如 ga.lswin.cn 子网上的DHCPD是ISC的DHCPD,在dhcpd.conf中加上下列内容即可:
# Turn on DDNS
ddns-updates on;
update-static-leases on;
# ddns-update-style selects the update scheme. The package default is 'none'
# (DHCP v2 had no DDNS support); here it is set to 'standard'.
ddns-update-style standard;
# NOTE(review): duplicate of the update-static-leases line above -- harmless,
# but one of the two should be removed.
update-static-leases on;
# Same TSIG key as in /etc/bind/ddns-keys.conf on the DDNS server. The secret
# is what authorises the update, so dhcpd.conf needs the same read
# restrictions as the server-side key file.
key "ga-lswin-cn." {
algorithm hmac-sha512;
secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};
#
# update ga.lswin.cn DNS zones and its reverse zone
# 'primary' is the DDNS server (ddns.lswin.cn, 192.168.220.109 according to the
# nslookup output earlier in this article); the zone names must match the
# zones declared in named.conf.local.
zone ga.lswin.cn. {
primary 192.168.220.109;
key ga-lswin-cn.;
}
zone 231.168.192.in-addr.arpa. {
primary 192.168.220.109;
key ga-lswin-cn.;
}
如 ga.lswin.cn 子网上的DHCPD来自OPNsense,在dhcpd.conf中加上下列内容即可:
示例中BIND9的options配置文件:
/etc/bind/named.conf.options
//
// for security, only hosts matching the acl below may query this server
//
// --------------------- ACLs -------------------------
// Addresses allowed to use this DNS server
acl internal {
// localhost
127.0.0.1;
// CIDR of 192.168.0.0 - 192.168.255.255
192.168.0.0/16;
// CIDR of 10.10.0.0 - 10.10.0.255
10.10.0.0/24;
};
// ------------------- Options -------------------------
options {
directory "/var/cache/bind";
// Use 114.114.114.114 and Ali public DNS as upstream resolvers.
// No "forward only;" is set, so named falls back to recursing on its own if
// the forwarders do not answer (BIND's default forward mode is "first").
forwarders {
// 114 DNS
114.114.114.114;
// Ali's DNS
223.5.5.5;
};
// Security setting: only addresses in the ACL may query
allow-query {
internal;
};
allow-query-cache {
internal;
};
// enables recursive queries but only from our local nets and local hosts.
// Do not allow externals to do recursive queries.
recursion yes;
allow-recursion {
internal;
};
// NOTE(review): this lets every host in "internal" (all of 192.168.0.0/16 and
// 10.10.0.0/24) pull a full copy (AXFR) of every zone, including the
// dynamically updated ones. No secondary servers appear anywhere in this
// article, so "allow-transfer { none; };" -- or an acl naming only the
// secondaries -- would be the tighter setting.
allow-transfer {
internal;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
// DNSSEC is switched off here. dnssec-enable governs DNSSEC signing and
// validation, not "zone encryption" -- DNSSEC does not encrypt anything.
// NOTE(review): dnssec-enable is deprecated in newer BIND 9 releases and
// later removed; run named-checkconf on the target version. The usual
// setting for a forwarding resolver is "dnssec-validation auto;".
dnssec-enable no;
//dnssec-enable yes;
//dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// IPv6 listener disabled; no listen-on is given, so the IPv4 default applies.
listen-on-v6 { none; };
};
内部DDNS服务器已经建立完成,DHCP服务器只要将内部主DNS服务器指向ddns.lswin.cn即可。采用内部DDNS服务,可以给内网的管理带来很大方便,如服务器的备份、迁移等等。