DNS BIND: Building a Domain Name Smart Resolution DNS Server: Configuration

The principle of smart DNS is simple: when a user resolves a domain name, look at the user's IP, match it against the IP table held inside the DNS server to see whether the user is on China Telecom or China Netcom, and then return the corresponding IP address to that user. Domain name registrars currently do not offer smart DNS, so you must either run your own DNS server or use a free smart DNS service on the internet such as DNSPod.
Smart DNS is currently implemented in two main ways: with F5's BIG-IP GTM, or with the view feature built into BIND. BIG-IP GTM is a commercial product with extremely strong features and performance, but because it is expensive, small and medium-sized enterprises basically will not consider spending a fortune on it, so only a few portals use it for core business, for example Baidu, Alibaba and Kingsoft. BIND is an open-source program; its built-in view feature makes smart DNS easy to implement, and both its features and its performance are good: a server of ordinary specification can handle 2,000 to 4,000 queries per second.
Using the domestic IP address ranges we classified in the previous section, we generate ACL files and implement smart resolution with ACL + view.
1. Generating the ACL files
From the ISP IP address ranges provided by http://ispip.clangcn.com/ we generate ACL files in the following format, one per ISP:
acl "chinanet" {
	1.0.1.0/24;
	1.0.2.0/23;
	1.0.8.0/21;
        ......
	223.240.0.0/13;
	223.255.252.0/23;
};
#EOF
This gives the following ACL files:
China Telecom    /etc/acl/chinanet
China Unicom     /etc/acl/unicom
China Mobile     /etc/acl/cmcc
China Tietong    /etc/acl/crtc
CERNET           /etc/acl/cernet
These cover the IP ranges of the common ISPs, but what happens when a user's IP falls outside all of them? We therefore also need a default ACL that is used whenever none of the above match:
Default          /etc/acl/default
acl "default" {
        any;
};
#EOF
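An added example (not from the original post) that generates an ACL file in exactly the layout shown above from a raw prefix list, normalising entries, merging duplicates and overlaps, and reporting malformed lines that would stop named from loading. The sample prefixes and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample input: prefixes in the shape of the ispip.clangcn.com lists,
# plus a duplicate, an entry with host bits set, and a malformed line.
CHINANET_RAW = [
    "1.0.1.0/24", "1.0.2.0/23", "1.0.8.0/21",
    "1.0.2.0/23",          # duplicate, must appear once in the ACL
    "223.240.0.1/13",      # host bits set; normalised to 223.240.0.0/13
    "223.255.252.0/23",
    "not-an-ip",           # malformed; named would refuse to load this
]

def normalise_prefixes(raw):
    """Parse each entry, drop host bits, dedupe and merge overlapping or
    adjacent prefixes. Returns (sorted networks, rejected entries)."""
    nets, rejected = [], []
    for entry in raw:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return sorted(ipaddress.collapse_addresses(nets)), rejected

def render_acl(name, prefixes):
    """Emit the ACL in the layout the page uses for /etc/acl/<name>."""
    lines = ['acl "%s" {' % name]
    lines += ["\t%s;" % net for net in prefixes]
    lines += ["};", "#EOF"]
    return "\n".join(lines) + "\n"

def write_acl(path, name, raw):
    """Write the ACL file and report how many prefixes survived and what was rejected."""
    prefixes, rejected = normalise_prefixes(raw)
    with open(path, "w") as fh:
        fh.write(render_acl(name, prefixes))
    return len(prefixes), rejected

if __name__ == "__main__":
    count, rejected = write_acl("/tmp/chinanet", "chinanet", CHINANET_RAW)
    print("wrote %d prefixes, rejected %s" % (count, rejected))
```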
With the ACLs done, we next generate the TSIG shared keys.
2. TSIG shared keys
Transaction signatures (TSIG) are a mechanism for securing DNS messages and providing secure server-to-server communication (usually between master and slave servers). TSIG can protect the following types of DNS transactions: zone transfers, NOTIFY, dynamic updates, and recursive query messages. We use TSIG to identify the view so that its zone database can be updated.
Generate a key with the following command:
/home/slim/bind/sbin/dnssec-keygen -a HMAC-MD5 -b 256 -n HOST  testkey
dnssec-keygen: generates the update key.
-a HMAC-MD5: use the HMAC-MD5 algorithm.
-b 128: the generated key is 128 bits long (the command above passes -b 256, which produces a 256-bit key).
-n USER testkey: the key's name is testkey; we set testkey to the view name, e.g. chinanet or unicom (the command above uses -n HOST).
For example: /home/slim/bind/sbin/dnssec-keygen -a HMAC-MD5 -b 256 -n HOST  chinanet
This generates Kchinanet.+157+35249.key and Kchinanet.+157+35249.private
cat Kchinanet.+157+35249.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: CY6utSC4XLxG/agUSL5jJcmSH+s5jDNi/uTanl4AJXY=
Bits: AAA=
Created: 20150421131828
Publish: 20150421131828
Activate: 20150421131828
Take the Key value from it and produce the following TSIG file: /etc/key/chinanet
key "chinanet" {
        algorithm       hmac-md5;
        secret "gbfozgBJ38KJomvaTrYaXuCldA7pYM0Hw3XVZM1tR3s=";
};
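As an added example (not the original post's code), the following Python turns a dnssec-keygen .private file into the key file shown above and checks the secret's length against the -b value you passed. The sample file content is constructed around the secret shown in the listing above; the function names are assumptions.

```python
import base64
import re

# Constructed sample in the layout dnssec-keygen writes to K<name>.+157+<id>.private,
# using the Key value shown on the page for chinanet.
CHINANET_PRIVATE = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: CY6utSC4XLxG/agUSL5jJcmSH+s5jDNi/uTanl4AJXY=
Bits: AAA=
Created: 20150421131828
"""

# dnssec-keygen algorithm numbers -> BIND key-statement algorithm names.
# 157 (hmac-md5) is what this page uses; 163 (hmac-sha256) is the better
# choice for new keys on current BIND versions.
ALGORITHMS = {157: "hmac-md5", 163: "hmac-sha256"}

def parse_private(text):
    """Return (algorithm_name, secret) from a .private file; raise if malformed."""
    fields = dict(re.findall(r"^([\w-]+):\s*(.+?)\s*$", text, re.M))
    algo_num = int(fields["Algorithm"].split()[0])
    secret = fields["Key"]
    base64.b64decode(secret, validate=True)   # reject a mangled copy/paste
    return ALGORITHMS[algo_num], secret

def secret_bits(secret):
    """Key length in bits, to compare with the -b value given to dnssec-keygen."""
    return len(base64.b64decode(secret, validate=True)) * 8

def render_key_file(view, private_text):
    """Emit /etc/key/<view> in the page's layout; the key name must equal the view name
    because match-clients { key <view>; ... } refers to it by that name."""
    algo, secret = parse_private(private_text)
    return ('key "%s" {\n        algorithm       %s;\n        secret "%s";\n};\n'
            % (view, algo, secret))

if __name__ == "__main__":
    print(render_key_file("chinanet", CHINANET_PRIVATE))
    print("key length: %d bits" % secret_bits(parse_private(CHINANET_PRIVATE)[1]))
```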
Create the TSIG files for the other views in the same way.
3. Configuration files
1) View configuration
vi /etc/view.conf
include "/etc/acl/unicom";
include "/etc/acl/chinanet";
include "/etc/acl/cmcc";
include "/etc/acl/crtc";
include "/etc/acl/cernet";
include "/etc/acl/default";

view unicom {
        match-clients { key unicom; unicom; };
        include "/etc/key/unicom";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};

view chinanet {
        match-clients { key chinanet; chinanet; };
        include "/etc/key/chinanet";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};

view cmcc {
        match-clients { key cmcc; cmcc; };
        include "/etc/key/cmcc";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};

view crtc {
        match-clients { key crtc; crtc; };
        include "/etc/key/crtc";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};

view cernet {
        match-clients { key cernet; cernet; };
        include "/etc/key/cernet";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};

view default {
        match-clients { key default; default; };
        include "/etc/key/default";
        allow-transfer {
                permit_transfer;
        };
        include "/etc/base.conf";
};
Configuration notes:
* ACLs are evaluated from top to bottom, so default must be placed last
* match-clients specifies the TSIG key and the ACL to match; the entries inside it are ORed together
* allow-transfer restricts master/slave zone transfers; its value is the ACL permit_transfer defined in named.conf
* Finally, include the zone configuration for the root and localhost
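To see why the view order matters and how the key and the ACL in match-clients are ORed, here is a small Python simulation of named's first-match view selection. It is an added example, not part of the original post; the tiny ACL prefixes and the function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the ACL files: tiny prefix lists, not the real operator ranges.
ACLS = {
    "unicom":   ["1.2.4.0/22"],
    "chinanet": ["1.0.1.0/24", "223.240.0.0/13"],
    "default":  ["0.0.0.0/0"],   # equivalent to the page's acl "default" { any; }
}

# View order exactly as /etc/view.conf lists them (default last).
VIEW_ORDER = ["unicom", "chinanet", "default"]

def acl_matches(acl_name, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p) for p in ACLS[acl_name])

def select_view(client_ip, views, tsig_key=None):
    """First-match view selection: match-clients { key <v>; <v>; } matches if the
    request was signed with key <v> OR the source address is in ACL <v>."""
    for view in views:
        if tsig_key == view or acl_matches(view, client_ip):
            return view
    return None   # no view matched: named refuses and logs to category unmatched

def shadowed_views(views):
    """Views that can never be selected because an earlier view matches everyone."""
    shadowed, catch_all_seen = [], False
    for view in views:
        if catch_all_seen:
            shadowed.append(view)
        if any(ipaddress.ip_network(p).prefixlen == 0 for p in ACLS[view]):
            catch_all_seen = True
    return shadowed

if __name__ == "__main__":
    for ip in ("1.0.1.7", "1.2.5.9", "203.0.113.5"):
        print(ip, "->", select_view(ip, VIEW_ORDER))
    # a signed update from outside the chinanet ranges still lands in view chinanet
    print("203.0.113.5 + key chinanet ->", select_view("203.0.113.5", VIEW_ORDER, "chinanet"))
    print("default placed first shadows:", shadowed_views(["default", "unicom", "chinanet"]))
```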
The included /etc/base.conf:
zone "." IN {
        type hint;
        file "/var/named/root.zone";
};

zone "localhost" IN {
        type master;
        file "/var/named/localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "/var/named/localhost.rev";
};
2) Main configuration named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "etMaaS+O06WFFUHxKAaTXA==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
options{
        listen-on port 53{
                any;
        };
        version "slimsmart-dns v1.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
        allow-new-zones yes;
        allow-query{
                any;
        };
        allow-query-cache{
                any;
        };

};

logging {
        channel default_syslog {  
                syslog daemon;
                severity info;
        }; 
        channel default_log {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        category default { 
                default_syslog;
                default_log; 
        };

        channel query_log { 
                file "/var/named/log/query.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category queries { 
                query_log; 
        }; 

        channel general_log {
                file "/var/named/log/general_log" versions 1 size 100m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category general { 
                general_log;
        };
 
        channel notify_log { 
                file "/var/named/log/notify.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category notify { 
                notify_log; 
        };
        channel xfer_in_log {    
                file "/var/named/log/xfer_in.log" versions 1 size 100m;  
                severity info;  
                print-category yes;  
                print-severity yes;  
                print-time yes;  
        };  
        category xfer-in { 
                xfer_in_log;
        };
        channel xfer_out_log {  
                file "/var/named/log/xfer_out.log" versions 1 size 100m;  
                severity info;  
                print-category yes;  
                print-severity yes;  
                print-time yes;  
        };      
        category xfer-out { 
                xfer_out_log;
        };
        channel update_log {
                file "/var/named/log/update.log" versions 1 size 100m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category update { 
                update_log;
        };
        channel unmatched_log {
                file "/var/named/log/unmatched.log" versions 1 size 100m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category unmatched {  
                unmatched_log;
        };
}; 

acl permit_transfer {
       none;
};

acl permit_allow_update {
        any;
};

include "/etc/view.conf";
The configuration is now complete. Next we can add and delete zones with rndc, and add and delete resolution records with nsupdate.
