
BIND(二)-- dns管理,acl,forward,子域授权,view

1、rndc

rndc(remote name domain controller)是BIND安装包提供的一种控制域名服务运行的工具,它可以运行在其他计算机上,通过网络与DNS服务器进行连接,然后根据管理员的指令对named进程进行远程控制,此时,管理员不需要DNS服务器的根用户权限。使用rndc可以在不停止DNS服务器工作的情况进行数据的更新,使修改后的配置文件生效。在实际情况下,DNS服务器是非常繁忙的,任何短时间的停顿都会给用户的使用带来影响。因此,使用rndc工具可以使DNS服务器更好地为用户提供服务。

rndc与DNS服务器建立连接时,需要通过密钥进行认证,而不是传统的用户名/密码方式。在本文所用的版本(9.8.2)下,rndc和named都只支持HMAC-MD5认证算法,在通信两端使用共享密钥。rndc在连接通道中发送命令时,必须使用经过服务器认可的密钥签名。为了生成双方都认可的密钥,可以使用rndc-confgen命令产生密钥和相应的配置,再把这些配置分别放入named.conf和rndc的配置文件rndc.conf中。

//配置rndc.conf 
rndc-confgen > /etc/bind/rndc.conf
自动生成rndc.conf,内容如下:
key "rndc-key" {
algorithm hmac-md5;
secret "oYV+NSAXam5nY1xa++tElQ==";
};

[root@node128 ~]# cat /etc/rndc.key //rndc 连接服务器时使用的共享密钥
key "rndc-key" {
algorithm hmac-md5;
secret "aNAICkyq0s4EIxnhj92ntQ==";
};

//使用密钥
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};

[root@node128 ~]# cat /etc/named.root.key //根区的 DNSKEY(见下方注释),named 将其作为 DNSSEC 信任锚使用,并不是与根服务器通信的密钥
managed-keys {
# DNSKEY for the root zone.
# Updates are published on root-dnssec-announce@icann.org
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};
rndc 默认监听本机的 953/tcp 端口

2、管理bind

//查看状态 
[root@node128 ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
//调试级别为 0、1、2、3;如无特殊必要,不要打开查询日志
[root@node128 ~]# rndc trace
[root@node128 ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 2
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
//关闭trace 
[root@node128 ~]# rndc notrace
rndc //查看帮助信息 
rndc flush <domain-name> //清空缓存或者清空某个域的缓存
rndc reload //重新加载配置文件,也重新加载区域配置文件
rndc reconfig //只重新加载配置文件

3、bind访问控制列表

//常见bind控制指令

allow-transfer {}; //允许哪些主机进行区域传送
allow-query {};
allow-recursion {}; //允许哪些客户端进行递归查询
allow-update {}; //动态DNS,ddns,一般不开启
//先定义,后使用 
[root@node128 ~]# vim /etc/named.conf
acl fulltransfer {
172.16.213.129;
};

[root@node128 ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
notify yes;
file "test.com.zone";
allow-transfer { fulltransfer; };
also-notify { 172.16.213.129; };
};
//此时从 node128(172.16.213.128)发起的区域传送因源地址不在 ACL fulltransfer 中而失败
[root@node128 ~]# rndc reload
server reload successful

[root@node128 ~]# dig -t axfr test.com @172.16.213.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t axfr test.com @172.16.213.128
;; global options: +cmd
; Transfer failed.

4、转发DNS

//基本语法 
forward only | first
only:只做转发
first:先转发,如果转发之后没有结果,才进行迭代

转发的前提:接受转发的服务器必须能为请求者做递归查询
全局转发(options 中)和区域转发(zone 中)都定义时,zone 级别的设置优先于全局设置

- 转发所有非本机解析的请求

options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };

recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

// managed-keys-directory "/var/named/dynamic";
//将非自己解析的区域的请求转发到Google的DNS上解析,仅作转发
forward only;
forwarders { 8.8.8.8; };
};

- 只针对某个域做转发

zone "google.com" IN { 
type forward;
forward only;
forwarders { 8.8.8.8; };
};

5、DNS子域授权

域内:划分出小子域
授权:委派

test.com
dev.test.com
  dev.test.com. IN NS dns.dev.test.com.
  dns.dev.test.com. IN A 172.16.213.129

ops.test.com

  ops.test.com. IN NS dns.ops.test.com.

  dns.ops.test.com. IN A 172.16.213.129
 

结构:
node128:父域
node130:子域

1、首先父域上进行子域授权 
[root@node128 named]# vim /var/named/test.com.zone
增加
dev IN NS dns.dev
dns.dev IN A 172.16.213.130
2、子域上进行配置 
[root@node130 named]# vim /etc/named.rfc1912.zones
zone "dev.test.com" IN {
type master;
file "dev.test.com.zone";
};
[root@node130 named]# vim /var/named/dev.test.com.zone  
$TTL 1200
@ IN SOA dns.dev.test.com. admin.dev.test.com. (
20140601
1H
10M
3D
2H )
  IN NS dns
  IN MX 10 mail
dns IN A 172.16.213.130
mail IN A 192.168.1.100
www IN A 192.168.1.101
www IN A 192.168.1.102
www IN A 192.168.1.103
[root@node130 named]# dig -t A www.dev.test.com @172.16.213.130 
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.dev.test.com. IN A

;; ANSWER SECTION:
www.dev.test.com. 1200 IN A 192.168.1.103
www.dev.test.com. 1200 IN A 192.168.1.101
www.dev.test.com. 1200 IN A 192.168.1.102

;; AUTHORITY SECTION:
dev.test.com. 1200 IN NS dns.dev.test.com.

;; ADDITIONAL SECTION:
dns.dev.test.com. 1200 IN A 172.16.213.130

6、view

实现不同来源解析同一个域名返回不同的结果

view internal {
match-clients { 172.16.213.128; };


zone "." IN {
type hint;
file "named.ca";
};

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

zone "test.com" IN {
type master;
notify yes;
file "test.com.zone";
allow-transfer { fulltransfer; };
also-notify { 172.16.213.129; };
};

zone "test2.com" IN {
type master;
file "test2.com.zone";
};
};
view external {
match-clients { 172.16.213.130; };


zone "test.com" IN {
type master;
file "external.test.com.zone";
};

zone "test2.com" IN {
type master;
file "external.test2.com.zone";
};
};

//external view 中 www 解析为 192.168.1.0/24 的地址,来自 node130 的查询得到 192.168.1.0/24 的结果
//internal view 中 www 解析为 172.16.213.0/24 的地址,来自内网的查询得到 172.16.213.0/24 的结果
//测试 
[root@node128 named]# dig -t A www.test.com @172.16.213.128
;; ANSWER SECTION:
www.test.com. 600 IN A 172.16.213.131
www.test.com. 600 IN A 172.16.213.130

[root@node130 named]# dig -t A www.test.com @172.16.213.128
;; ANSWER SECTION:
www.test.com. 600 IN A 192.168.1.130
www.test.com. 600 IN A 192.168.1.131
