BIND9+VIEW+Master-Slave+TSIG
1.主DNS 192.168.1.19
2.从DNS 192.168.1.20
视图分为“电信”(tel)和“其它”(default)两个
主DNS配置文件(/etc/named.conf)
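options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named_stats";
// Hide the real BIND version from version.bind CHAOS queries.
version "DNS";
dump-file "/var/named/data/cache_dump.db";
// Authoritative answers for anyone, but recursion only for local clients:
// the "tel" view carries root hints (zone "." hint) and BIND recurses by
// default, so without allow-recursion this host is an open resolver.
allow-query { any; };
allow-recursion { localhost; localnets; };
// Outbound zone transfers go to the slave (192.168.1.20). The original
// listed this host's own address (192.168.1.19), which locked the slave out.
// Views may narrow this further with a TSIG-key based allow-transfer.
allow-transfer { 192.168.1.20; };
};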
logging {
// Errors and worse from every category, rotated at 3 MB x 3 files.
// /var/named/log must exist and be writable by the named user.
channel error
{
file "/var/named/log/dns_warnings" versions 3 size 3m;
severity error;
print-category yes;
print-severity yes;
print-time yes;
};
// Query log (info level) for the "queries" category below.
// NOTE(review): query logging is off by default in BIND; enable it with
// "querylog yes;" or "rndc querylog" for this channel to receive anything.
channel general_dns
{
file "/var/named/log/dns_logs" versions 3 size 3m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { error; };
category queries { general_dns; };
};
// Key used by the rndc control channel (see controls below); rndc.conf must
// carry the same algorithm and secret.
// NOTE(review): this secret is published in this document -- generate a fresh
// one (rndc-confgen) before use. hmac-md5 is deprecated; newer BIND supports
// hmac-sha256, change it on both sides together.
key "rndc-key" {
algorithm hmac-md5;
secret "G2TWhCl4fK6XFPrlk7JiKA==";
};
// rndc control channel: loopback only, and only with "rndc-key".
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// TSIG key for the "tel" view: signs traffic between master and slave so the
// peer routes it into the matching view. The secret must be identical on both
// hosts. NOTE(review): the value is published here -- regenerate before use;
// hmac-md5 is deprecated (hmac-sha256 is supported), change both sides together.
key "tel" {
algorithm hmac-md5;
secret "ls1Qn0p8o2ikoReMGSVnkQ==";
};
// TSIG key for the "default" view; same rules as key "tel": identical secret on
// both hosts, regenerate the published value, prefer hmac-sha256 over hmac-md5.
key "default" {
algorithm hmac-md5;
secret "hWJct6myvWH4AGNE09Dk9A==";
};
// Defines acl "tel"; the path is relative to the options "directory" (/var/named).
include "acl_tel";
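view "tel" {
// Requests signed with key "tel" (the slave) or coming from the "tel" ACL land here.
match-clients { key "tel";tel; };
// Sign NOTIFYs sent to the slave (192.168.1.20) with the view key so the slave
// routes them into its own "tel" view. The original pointed at this host itself.
server 192.168.1.20 { keys "tel"; };
// Zone transfers out of this view only for requests signed with the view key.
allow-transfer { key "tel"; };
zone "mail.com" {
type master;
// Notify the slave, not this host (192.168.1.19) as in the original.
also-notify { 192.168.1.20; };
file "mail.com.view";
};
// Root hints: only useful for clients allowed to recurse (see options).
zone "." {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
};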
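view "default" {
// Catch-all view: requests signed with key "default" (the slave) or any other
// client. It must stay after view "tel" because views are matched in order.
match-clients { key "default"; any;};
// Sign NOTIFYs sent to the slave (192.168.1.20) with the view key so the slave
// routes them into its own "default" view. The original pointed at this host.
server 192.168.1.20 { keys "default"; };
// Zone transfers out of this view only for requests signed with the view key.
allow-transfer { key "default"; };
zone "mail.com" {
type master;
// Notify the slave, not this host (192.168.1.19) as in the original.
also-notify { 192.168.1.20; };
file "mail.com.default";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
};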
从DNS的主配置文件
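options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named_stats";
// Hide the real BIND version from version.bind CHAOS queries.
version "DNS";
dump-file "/var/named/data/cache_dump.db";
// Authoritative answers for anyone, but recursion only for local clients: both
// views carry root hints (zone "." hint) and BIND recurses by default, so
// without allow-recursion this host is an open resolver.
allow-query { any; };
allow-recursion { localhost; localnets; };
// The slave has no secondaries of its own. Without this line BIND's default
// allows AXFR of every zone to anyone.
allow-transfer { none; };
// Lab setting: caps the effective refresh interval at 10 s (the SOA says 3 h),
// so the slave polls the master every 10 seconds. Raise it in production.
max-refresh-time 10;
};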
logging {
// Same layout as on the master: errors from every category, rotated at
// 3 MB x 3 files. /var/named/log must exist and be writable by the named user.
channel error
{
file "/var/named/log/dns_warnings" versions 3 size 3m;
severity error;
print-category yes;
print-severity yes;
print-time yes;
};
// Query log (info level) for the "queries" category below.
// NOTE(review): query logging is off by default in BIND; enable it with
// "querylog yes;" or "rndc querylog" for this channel to receive anything.
channel general_dns
{
file "/var/named/log/dns_logs" versions 3 size 3m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { error; };
category queries { general_dns; };
};
// Key for this host's rndc control channel; rndc.conf on the slave must match.
// NOTE(review): the secret is published in this document -- generate a fresh one
// (rndc-confgen) before use, and prefer hmac-sha256 over the deprecated hmac-md5.
key "rndc-key" {
algorithm hmac-md5;
secret "EiQ80ZRd9PvqXgMy0zBe9A==";
};
// rndc control channel: loopback only, and only with "rndc-key".
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// TSIG key for the "tel" view; the secret must equal the master's key "tel".
// NOTE(review): the value is published here -- regenerate before use, and
// change hmac-md5 to hmac-sha256 on both hosts together when you do.
key "tel" {
algorithm hmac-md5;
secret "ls1Qn0p8o2ikoReMGSVnkQ==";
};
// TSIG key for the "default" view; the secret must equal the master's key "default".
// Same caveats as key "tel": published value, deprecated hmac-md5.
key "default" {
algorithm hmac-md5;
secret "hWJct6myvWH4AGNE09Dk9A==";
};
// Defines acl "tel"; the path is relative to the options "directory" (/var/named).
include "acl_tel";
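view "tel" {
// NOTIFYs signed with key "tel" (from the master) or clients from the "tel" ACL.
match-clients { key "tel";tel; };
// The master is 192.168.1.19 (the original said 192.168.1.9, which is not a
// host in this setup). Sign SOA/AXFR requests to it with the view key so the
// master routes them into its own "tel" view.
server 192.168.1.19 { keys "tel"; };
zone "mail.com" {
type slave;
file "mail.com.view";
masters { 192.168.1.19; };
};
// Root hints: only useful for clients allowed to recurse (see options).
zone "." {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
};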
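view "default" {
// Catch-all view: NOTIFYs signed with key "default" or any other client.
// It must stay after view "tel" because views are matched in order.
match-clients { key "default"; any;};
// The master is 192.168.1.19 (the original said 192.168.1.9). Sign requests
// to it with the view key so the master routes them into its "default" view.
server 192.168.1.19 { keys "default"; };
zone "mail.com" {
type slave;
file "mail.com.default";
masters { 192.168.1.19; };
};
// Root hints: only useful for clients allowed to recurse (see options).
zone "." {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
};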
调试命令:
rndc reload 加载所有区
rndc reload mail.com IN tel 只加载tel视图的mail.com区
named -g 前台调试模式
dnssec-keygen -a hmac-md5 -b 128 -n HOST tel tel视图key生成(把生成的key文件中的密钥串贴到主、从两端的配置文件中,两端必须一致)
dnssec-keygen -a hmac-md5 -b 128 -n HOST default default视图key生成(同上)
注意:hmac-md5已不推荐使用,新部署建议改用hmac-sha256;较新版本的BIND已从dnssec-keygen中移除HMAC密钥生成,请改用tsig-keygen。
区域文件示例:
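$TTL 86400 ; 1 day
; Zone "mail.com" (loaded as mail.com.view / mail.com.default in named.conf).
; The apex owner must be "@" or the fully qualified "mail.com." -- the original
; bare "mail.com" is relative to the zone origin, expands to mail.com.mail.com,
; and the zone fails to load ("not at top of zone").
; SOA MNAME names the primary server, i.e. the host behind the NS record below.
@ IN SOA ns.mail.com. root.mail.com. (
110 ; serial -- bump on every change or the slave will not transfer the new copy
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
IN NS ns.mail.com.
IN MX 10 mail.mail.com.
; In-zone NS/MX targets need address records; BIND's integrity check rejects a
; zone whose NS has none, and the original declared neither name.
ns IN A 192.168.1.19 ; the master DNS from this document
mail IN A 10.0.0.2 ; constructed sample address -- replace with the real mail host
www IN A 10.0.0.1
cache IN CNAME www.mail.com.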
ACL文件示例:
// Clients that get the "tel" view when they are not TSIG-signed (file acl_tel).
acl "tel" {
192.168.1.51/32; // China Telecom client addresses (sample: a single host)
};
localhost.rev
; Reverse zone for 127.0.0.0/8, loaded by named.conf as "0.0.127.IN-ADDR.ARPA".
$TTL 86400 ;
@ IN SOA localhost. root.localhost. (
45 ; Serial
3h ; Refresh
15 ; Retry
1w ; Expire
3h ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
localhost.zone
; Forward zone for "localhost", loaded by named.conf as file "localhost.zone".
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
named.root // 根域名服务器提示文件(用于向根域发起查询);可用 wget ftp://ftp.internic.org/domain/named.root 下载最新版,下载后应与可信来源的副本核对
; NOTE(review): this snapshot is dated 2011 (see "last update" below). Root
; server addresses change over time, so refresh the file from the source named
; in this header and compare it against a trusted copy before deploying.
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jun 8, 2011
; related version of root zone: 2011060800
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File