[Basic Services] DNS smart resolution and master/slave service with views - DNS (Part 2)

Test environment (the topology figure is not reproduced here; the hosts are listed in the table below):



Hostname   | IP address       | Notes
Nsmaster   | 192.168.198.190  | DNS server, authoritative for the zone onepc.com
lua1       | 10.1.1.10        | Virus definition update server for the 10.x segment
lua2       | 192.168.198.100  | Virus definition update server for the 192.x segment

What DNS has to do: the name lua.onepc.com has two IPs, those of lua1 and lua2, and DNS must resolve lua.onepc.com to a different IP depending on which network segment the client queries from.

Example: company A has two office sites, A and B, connected by a leased line (each with its own Internet egress). The client machines run Symantec antivirus with lua.onepc.com configured as the internal virus definition update server. The requirement is that clients on the 10.x segment resolve lua.onepc.com to 10.1.1.10, while clients on the 192.x segment resolve it to 192.168.198.100.


DNS views: clients in different IP ranges querying the same domain name receive different resolved IP addresses. This is called DNS smart resolution (also known as split-horizon DNS).

DNS ACL syntax (BIND requires a name for each acl; "acl_name" below is a placeholder):

acl "acl_name" {
    192.168.19.0/24;   // a whole network segment
    172.16.1.1;        // a single IP
    !10.1.1.1;         // exclude this IP (a "!" entry must come before any broader entry that would also match it)
};


Installing DNS

CentOS 6.5 64-bit, using the bind RPM that ships with the distribution.

[root@nsmaster /]# /etc/init.d/named status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
named is stopped
[root@nsmaster /]# rndc-confgen -r /dev/urandom -a
wrote key file "/etc/rndc.key"
[root@nsmaster /]# chown root:named /etc/rndc.key
[root@nsmaster /]# chmod 644 /etc/rndc.key

At this point the named service can be started normally.


Configure the named.conf file on the nsmaster server:


[root@nsmaster etc]# vi named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// define the ACL lists
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
// acl net_192 { !192.168.198.190;192.168.198.0/24; };
options {
        listen-on port 53 { any; };  // listen on port 53 on all IPs
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; }; // allow queries from any IP
        recursion yes;  // enable recursion; normally use allow-recursion to restrict which IPs may recurse (with allow-query { any; } and no allow-recursion this is an open resolver)
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// define the DNS views; the root zone (.) must be included in each view.
// the DNS server itself is on the 192.168.198.0 segment, so include "/etc/named.rfc1912.zones" in this view so that localhost still resolves correctly on the server.
view  "netlan_192"
{
match-clients { net_192; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
include "/etc/named.rfc1912.zones";
};
view "netlan_10"
{
match-clients { net_10; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


The zone files are as follows:


[root@nsmaster named]# cat onepc.com.zone.192 onepc.com.zone.10
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014050805; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
nsmaster        IN A 192.168.198.190
lua             IN A 192.168.198.100
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014051201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
nsmaster        IN A 192.168.198.190
lua             IN A 10.1.1.10


With this configuration, clients on different network segments querying the same domain name get different IP addresses.


Resolution from the 192 segment: (screenshot of the lookup result, not reproduced)

Resolution from the 10 segment: (screenshot of the lookup result, not reproduced)



Master/slave synchronization of DNS views:

Add an nsslave server on the 10 segment of the topology above, with IP 10.1.1.2, and install the bind package on it.


The master DNS server's named.conf:


[root@nsmaster named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view  "netlan_192"
{
// Note: the slave DNS is on the 10 segment, so its IP address must be added to this view's match-clients.
match-clients { 10.1.1.2;net_192; };
allow-transfer { 10.1.1.2; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
include "/etc/named.rfc1912.zones";
};
view "netlan_10"
{
match-clients { net_10; };
allow-transfer { 10.1.1.3; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


The zone files are as follows:


[root@nsmaster named]# cat onepc.com.zone.10 onepc.com.zone.192
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014051201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
                IN NS   nsslave.onepc.com.
nsmaster        IN A 192.168.198.190
nsslave         IN A 10.1.1.2
lua             IN A 10.1.1.10
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014050805; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
                IN NS   nsslave.onepc.com.
nsmaster        IN A 192.168.198.190
nsslave         IN A 10.1.1.2
lua             IN A 192.168.198.100


The slave DNS server's named.conf (no zone files need to be written on the slave):

An additional IP address is needed to replicate the zone of the 10 view:

ifconfig eth1:0 10.1.1.3 netmask 255.255.255.0 (in a real environment, add extra network interfaces instead of aliases).


[root@nsslave slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view  "netlan_192"
{
match-clients { net_192; };
transfer-source 10.1.1.2;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.192";
};
};
view "netlan_10"
{
match-clients { net_10; };
transfer-source 10.1.1.3;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.10";
};
include "/etc/named.rfc1912.zones";
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

After restarting named, the zone files replicated from the master look like this:


[root@nsslave slaves]# cat onepc.com.zone.10 onepc.com.zone.192
$ORIGIN .
$TTL 600        ; 10 minutes
onepc.com               IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                2014051201 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                172800     ; expire (2 days)
                                10800      ; minimum (3 hours)
                                )
                        NS      nsmaster.onepc.com.
                        NS      nsslave.onepc.com.
$ORIGIN onepc.com.
lua                     A       10.1.1.10
nsmaster                A       192.168.198.190
nsslave                 A       10.1.1.2
$ORIGIN .
$TTL 600        ; 10 minutes
onepc.com               IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                2014050805 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                172800     ; expire (2 days)
                                10800      ; minimum (3 hours)
                                )
                        NS      nsmaster.onepc.com.
                        NS      nsslave.onepc.com.
$ORIGIN onepc.com.
lua                     A       192.168.198.100
nsmaster                A       192.168.198.190
nsslave                 A       10.1.1.2



Points to note for master/slave DNS with views:

1. Under every view on the master server, configure the option allow-transfer { IP; };, which permits that IP to do a full transfer of that view's zone files.

2. Under every view on the slave server, configure the option transfer-source IP;. This IP must match the master's allow-transfer entry; it is the source address the slave uses when transferring zone files from that view on the master.

3. Each view can only be reached from one IP address; in other words, every additional view needs an additional IP address on the slave to transfer it.
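The two rules behind both the view section above and these three notes are that BIND walks an address match list first-match (a matching "!" entry rejects) and hands a client to the first view whose match-clients accepts it. As an added example, not code from the post or from BIND, here is a small Python model of those rules run against the master's named.conf above; ACLS and MASTER_VIEWS are transcribed from the post, the function names are mine, and the nested-acl rule (a negative match inside a nested acl counts as no match) follows BIND's behaviour. It shows why 10.1.1.2 had to be listed in netlan_192, why each view needs its own transfer-source, and why a "!" exclusion must precede the broader prefix.

```python
import ipaddress
# Added example (not the post's or BIND's own code): a model of how BIND walks an
# address match list and chooses a view. Elements are tried in order, the first
# match decides, a matching "!" element rejects, and a negative match inside a
# nested acl counts as no match at all.
ACLS = {"net_10": ["10.1.1.0/24"], "net_192": ["192.168.198.0/24"]}

def match_list(addr, elements, acls=ACLS):
    """True if addr is accepted by the list, False if rejected or unmatched."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name in acls:  # nested acl: only a positive match counts
            hit = match_list(addr, acls[name], acls)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

# Master named.conf from the post, reduced to what view selection needs: views in
# file order with their match-clients, allow-transfer and lua.onepc.com A record.
MASTER_VIEWS = [
    ("netlan_192", {"match-clients": ["10.1.1.2", "net_192"],
                    "allow-transfer": ["10.1.1.2"], "lua": "192.168.198.100"}),
    ("netlan_10", {"match-clients": ["net_10"],
                   "allow-transfer": ["10.1.1.3"], "lua": "10.1.1.10"}),
]

def select_view(client, views=MASTER_VIEWS, acls=ACLS):
    """Views are tried in file order; the first match-clients hit wins."""
    for name, view in views:
        if match_list(client, view["match-clients"], acls):
            return name
    return None  # no view matches: named refuses the query

def answer_for(client, views=MASTER_VIEWS, acls=ACLS):
    """(view, A record) that a query for lua.onepc.com from client gets."""
    name = select_view(client, views, acls)
    return (name, dict(views)[name]["lua"]) if name else (None, None)

def transfer_allowed(source_ip, views=MASTER_VIEWS, acls=ACLS):
    """An AXFR lands in the view its source address selects and is served
    only if that view's allow-transfer accepts the same address."""
    name = select_view(source_ip, views, acls)
    ok = bool(name) and match_list(source_ip, dict(views)[name]["allow-transfer"], acls)
    return (name, ok)
```

Querying from 10.1.1.2 lands in netlan_192 because that address is listed before net_192, which is exactly why the slave needs a second address (10.1.1.3) to reach netlan_10.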


Example:

10.1.1.3 replicates the netlan_10 view, 10.1.1.4 replicates the netlan_172 view, and 10.1.1.5 replicates the netlan_192 view:

The master DNS server's view configuration:

view "netlan_10"
{
match-clients { 10.1.1.3;net_10; };
allow-transfer { 10.1.1.3; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
view "netlan_172"
{
match-clients { 10.1.1.4;net_172; };
allow-transfer { 10.1.1.4; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.172";
};
};
view "netlan_192"
{
match-clients { 10.1.1.5;net_192; };
allow-transfer { 10.1.1.5; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
};


The slave DNS server needs at least three IP addresses, 10.1.1.3, 10.1.1.4 and 10.1.1.5, configured as follows:


view "netlan_10"
{
match-clients { net_10; };
transfer-source 10.1.1.3; // corresponds to the matching view on the master DNS server
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; }; // the master server
        file "slaves/onepc.com.zone.10";
};
};
view "netlan_172"
{
match-clients { net_172; };
transfer-source 10.1.1.4;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.172";
};
};
view "netlan_192"
{
match-clients { net_192; };
transfer-source 10.1.1.5;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.192";
};
};

