The principle behind smart DNS is simple: when a user resolves a domain name, look at the user's source IP, match it against the IP table inside the DNS server to tell whether the user is a China Telecom or a China Netcom user, and then return the corresponding IP address. Domain name service providers currently do not offer smart DNS, so you either have to run your own DNS server or use a free smart DNS service on the internet such as DNSPod.
There are currently two main ways to implement smart DNS: F5's BIG-IP GTM, or the view feature built into bind. BIG-IP GTM is a commercial product with very strong features and performance, but it is expensive, so small and medium-sized companies will rarely spend that much on it; only some large portals use it for core business, for example Baidu, Alibaba and Kingsoft. bind is open-source software whose built-in views make smart DNS easy to implement, with good features and performance: a server of ordinary specification can handle two to four thousand queries per second.
Below we use the domestic IP address ranges sorted by ISP in the previous section to generate ACL files, and implement smart resolution with ACL + view.
1. Generate the ACL files
From the per-ISP IP address ranges provided at http://ispip.clangcn.com/ we generate ACL files in the following format:
acl "chinanet" {
1.0.1.0/24;
1.0.2.0/23;
1.0.8.0/21;
......
223.240.0.0/13;
223.255.252.0/23;
};
#EOF
This gives the following ACL files:
China Telecom /etc/acl/chinanet
China Unicom /etc/acl/unicom
China Mobile /etc/acl/cmcc
China Tietong /etc/acl/crtc
CERNET (China Education and Research Network) /etc/acl/cernet
These cover the address ranges of the common ISPs, but what happens when a user's IP is in none of them? We also need a default ACL that is used when nothing above matches:
Default /etc/acl/default
acl "default" {
any;
};
#EOF
With the ACLs done, the next step is the TSIG shared keys.
2. TSIG shared keys
Transaction signatures (TSIG) are a mechanism for authenticating DNS messages and securing server-to-server communication (typically between primary and secondary servers). TSIG computes an HMAC over each message with a shared secret, so it provides authentication and integrity, not confidentiality. It can protect zone transfers, NOTIFY messages, dynamic updates and recursive queries. Here we use it for a further purpose: a request signed with a view's key is matched to that view, which lets rndc and nsupdate select which view's zone database they update.
Generate a key with the following command:
/home/slim/bind/sbin/dnssec-keygen -a HMAC-MD5 -b 256 -n HOST testkey
dnssec-keygen: generates the key. (In BIND 9.13 and later dnssec-keygen no longer produces HMAC keys; use tsig-keygen there.)
-a HMAC-MD5: use HMAC-MD5 as the MAC algorithm. This is a keyed hash, not encryption, and HMAC-MD5 is obsolete; for new deployments use -a HMAC-SHA256.
-b 256: the key length is 256 bits (this must match the command above and the secret in the generated file).
-n HOST testkey: the key name is testkey. We use the view name as the key name, e.g. chinanet, unicom.
For example: /home/slim/bind/sbin/dnssec-keygen -a HMAC-MD5 -b 256 -n HOST chinanet
This produces Kchinanet.+157+35249.key and Kchinanet.+157+35249.private:
cat Kchinanet.+157+35249.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: CY6utSC4XLxG/agUSL5jJcmSH+s5jDNi/uTanl4AJXY=
Bits: AAA=
Created: 20150421131828
Publish: 20150421131828
Activate: 20150421131828
Take the value of the Key: line from that file and write it into the following TSIG key file, /etc/key/chinanet:
key "chinanet" {
algorithm hmac-md5;
secret "CY6utSC4XLxG/agUSL5jJcmSH+s5jDNi/uTanl4AJXY=";
};
Create the TSIG key files for the other views in the same way. These files hold shared secrets, so keep them readable only by root and the user named runs as.
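The key-file step above, as an added Python example (not part of the original page and not BIND's own tooling): it parses the .private file that dnssec-keygen writes, maps the algorithm number to the name named expects, checks that the secret is valid base64 of the requested bit length, and renders the /etc/key/<name> statement. The sample .private content is constructed from the listing above; the ALGORITHMS table and new_secret() are this example's own additions, and generating the secret from os.urandom is an alternative to dnssec-keygen/tsig-keygen, not what the page uses.

```python
import base64
import os

# BIND's names for the algorithm numbers dnssec-keygen writes into the .private
# file. hmac-md5 (157) is obsolete and should be avoided for new keys; the
# SHA-2 variants are what tsig-keygen defaults to today.
ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}

# Constructed sample: the contents of the Kchinanet.+157+35249.private file
# shown on this page.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: CY6utSC4XLxG/agUSL5jJcmSH+s5jDNi/uTanl4AJXY=
Bits: AAA=
Created: 20150421131828
Publish: 20150421131828
Activate: 20150421131828
"""


def parse_private(text):
    """Return (bind_algorithm_name, base64_secret) from a .private file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    alg_num = int(fields["Algorithm"].split()[0])      # "157 (HMAC_MD5)" -> 157
    if alg_num not in ALGORITHMS:
        raise ValueError(f"algorithm {alg_num} is not a TSIG HMAC algorithm")
    return ALGORITHMS[alg_num], fields["Key"]


def check_secret(secret, expected_bits):
    """Reject a truncated or hand-edited secret before it reaches named.

    The secret must be valid base64 and decode to exactly the -b length;
    a mangled secret is otherwise only noticed later as BADSIG/BADKEY errors."""
    raw = base64.b64decode(secret, validate=True)
    if len(raw) * 8 != expected_bits:
        raise ValueError(f"secret is {len(raw) * 8} bits, expected {expected_bits}")
    return True


def render_key(name, algorithm, secret):
    """The key statement written to /etc/key/<name> and included into the view."""
    return f'key "{name}" {{\nalgorithm {algorithm};\nsecret "{secret}";\n}};\n'


def key_file_from_private(name, private_text, expected_bits=256):
    """Whole step 2 for one view: .private file in, /etc/key/<name> contents out."""
    algorithm, secret = parse_private(private_text)
    check_secret(secret, expected_bits)
    return render_key(name, algorithm, secret)


def new_secret(bits=256):
    """A TSIG secret is just random bytes, base64-encoded; generating it this way
    needs neither dnssec-keygen nor tsig-keygen (assumption: the operator is fine
    with a secret produced outside the BIND tools)."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return base64.b64encode(os.urandom(bits // 8)).decode()


if __name__ == "__main__":
    # The page's own key, rendered exactly as /etc/key/chinanet.
    print(key_file_from_private("chinanet", SAMPLE_PRIVATE), end="")
    # What a new deployment should use instead: a fresh 256-bit hmac-sha256 key.
    print(render_key("unicom", "hmac-sha256", new_secret(256)), end="")
```

Run it on each view's .private file to produce the matching /etc/key/<view> file; the length check is the one thing the manual copy-and-paste in the text cannot give you.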
3. Configuration files
1) view configuration
vi /etc/view.conf
include "/etc/acl/unicom";
include "/etc/acl/chinanet";
include "/etc/acl/cmcc";
include "/etc/acl/crtc";
include "/etc/acl/cernet";
include "/etc/acl/default";
view unicom {
match-clients { key unicom; unicom; };
include "/etc/key/unicom";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
view chinanet {
match-clients { key chinanet; chinanet; };
include "/etc/key/chinanet";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
view cmcc {
match-clients { key cmcc; cmcc; };
include "/etc/key/cmcc";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
view crtc {
match-clients { key crtc; crtc; };
include "/etc/key/crtc";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
view cernet {
match-clients { key cernet; cernet; };
include "/etc/key/cernet";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
view default {
match-clients { key default; default; };
include "/etc/key/default";
allow-transfer {
permit_transfer;
};
include "/etc/base.conf";
};
Notes on the configuration:
* Views are tried from top to bottom and the first match wins, so the default view (whose ACL is any) must be last; placed anywhere higher it would capture every request.
* match-clients lists the view's TSIG key and its ACL; the elements of the list are ORed, so a request matches the view if it is signed with that key or its source address is in the ACL. Because the key is defined inside the view (via the include), it is known only to that view.
* allow-transfer restricts zone transfers to secondaries; its value is the ACL permit_transfer defined in named.conf (set to none there, i.e. transfers are disabled until secondaries are added).
* Finally each view includes the root hint and localhost zone configuration from /etc/base.conf, shown here:
zone "." IN {
type hint;
file "/var/named/root.zone";
};
zone "localhost" IN {
type master;
file "/var/named/localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "/var/named/localhost.rev";
};
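Steps 1 and 3 together, as an added Python example (not the page's own tooling): render_acl() writes ACL files in the page's format with prefix validation, render_view_conf() builds /etc/view.conf in the page's layout and refuses a default view that is not last, and select_view() models how named picks a view for one request (key OR address, views in order, first match) so the key-based update path can be reasoned about offline. The ISP prefixes and client addresses are constructed samples; the model assumes, as on this page, that each key is defined inside its own view.

```python
import ipaddress

# Constructed sample ISP ranges: a few prefixes per ISP stand in for the
# thousands of entries in the ispip.clangcn.com lists.
ISP_RANGES = {
    "chinanet": ["1.0.1.0/24", "1.0.2.0/23", "223.240.0.0/13"],
    "unicom":   ["1.24.0.0/13", "27.8.0.0/13"],
    "cmcc":     ["36.128.0.0/10", "39.128.0.0/10"],
}
# View order as in /etc/view.conf on this page; "default" is the catch-all.
VIEW_ORDER = ["unicom", "chinanet", "cmcc", "default"]


def render_acl(name, entries):
    """One ACL file in the page's format. strict=True rejects prefixes with
    host bits set (e.g. 1.0.1.5/24), which named would also refuse at load
    time; catching them here keeps a bad upstream list from taking named down."""
    lines = []
    for entry in entries:
        if entry in ("any", "none"):
            lines.append(entry)
        else:
            lines.append(str(ipaddress.ip_network(entry, strict=True)))
    body = "".join(f"{line};\n" for line in lines)
    return f'acl "{name}" {{\n{body}}};\n'


def render_view(name):
    """One view block laid out as on this page: TSIG key OR ACL of the same name."""
    return (
        f"view {name} {{\n"
        f"match-clients {{ key {name}; {name}; }};\n"
        f'include "/etc/key/{name}";\n'
        "allow-transfer {\npermit_transfer;\n};\n"
        'include "/etc/base.conf";\n'
        "};\n"
    )


def render_view_conf(order):
    """Whole /etc/view.conf. Views are tried top to bottom, so the catch-all
    default (acl any) anywhere but last would swallow every view below it."""
    if order.count("default") != 1 or order[-1] != "default":
        raise ValueError("the catch-all 'default' view must be exactly the last view")
    includes = "".join(f'include "/etc/acl/{name}";\n' for name in order)
    return includes + "".join(render_view(name) for name in order)


def select_view(order, ranges, client_ip, signed_with=None):
    """Model of named's view selection for one request.

    For each view in order, the request matches if it carries a valid TSIG
    signature with a key that view knows (on this page each key is defined
    inside its own view, so only key <view> counts) OR its source address is
    in acl <view>. acl "default" is { any; }. First match wins."""
    addr = ipaddress.ip_address(client_ip)
    for view in order:
        if signed_with == view:
            return view
        if view == "default":
            return view
        if any(addr in ipaddress.ip_network(net) for net in ranges.get(view, ())):
            return view
    return None   # unreachable while "default" is last


if __name__ == "__main__":
    print(render_acl("chinanet", ISP_RANGES["chinanet"]), end="")
    print(render_acl("default", ["any"]), end="")
    print(render_view_conf(VIEW_ORDER), end="")
    # A Telecom user is answered from the chinanet view; an unknown address
    # falls through to default.
    print(select_view(VIEW_ORDER, ISP_RANGES, "1.0.1.7"))                            # chinanet
    print(select_view(VIEW_ORDER, ISP_RANGES, "8.8.8.8"))                            # default
    # nsupdate run on the server itself, signed with key chinanet, lands in the
    # chinanet view although 127.0.0.1 is in no ISP list.
    print(select_view(VIEW_ORDER, ISP_RANGES, "127.0.0.1", signed_with="chinanet"))  # chinanet
    # Gotcha: the same signed update sent from a Unicom address is claimed by the
    # unicom view first (by address); key chinanet is unknown there, so named
    # rejects the signature (BADKEY) and the chinanet zone is never touched.
    print(select_view(VIEW_ORDER, ISP_RANGES, "27.9.0.1", signed_with="chinanet"))   # unicom
```

The last call is the point to take away for the update workflow: a signed update whose source address falls into an earlier view's ACL is claimed by that view, where the key is unknown, and is refused with BADKEY instead of reaching the intended view. Running nsupdate on the server itself (127.0.0.1 is in no ISP list) or from an address outside every ISP ACL avoids this.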
2) main configuration named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "etMaaS+O06WFFUHxKAaTXA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options{
listen-on port 53{
any;
};
version "slimsmart-dns v1.0";
directory "/var/named";
pid-file "/var/run/named.pid";
session-keyfile "/var/run/session.key";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursion yes;
allow-new-zones yes;
allow-query{
any;
};
allow-query-cache{
any;
};
};
logging {
channel default_syslog {
syslog daemon;
severity info;
};
channel default_log {
file "/var/named/data/named.run";
severity dynamic;
};
category default {
default_syslog;
default_log;
};
channel query_log {
file "/var/named/log/query.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category queries {
query_log;
};
channel general_log {
file "/var/named/log/general_log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category general {
general_log;
};
channel notify_log {
file "/var/named/log/notify.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category notify {
notify_log;
};
channel xfer_in_log {
file "/var/named/log/xfer_in.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category xfer-in {
xfer_in_log;
};
channel xfer_out_log {
file "/var/named/log/xfer_out.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category xfer-out {
xfer_out_log;
};
channel update_log {
file "/var/named/log/update.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category update {
update_log;
};
channel unmatched_log {
file "/var/named/log/unmatched.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category unmatched {
unmatched_log;
};
};
acl permit_transfer {
none;
};
acl permit_allow_update {
any;
};
include "/etc/view.conf";
This completes the configuration. Next we can add and delete zones with rndc, and add and delete resource records with nsupdate.
Two points to check before exposing this server: as written, options has recursion yes together with allow-query { any; } and allow-query-cache { any; } on every interface, which makes it an open recursive resolver that can be abused for reflection and amplification; an authoritative smart DNS server should set recursion no (or at least limit allow-recursion to trusted networks). Also, the permit_allow_update ACL is defined as any but not yet referenced; if it is later used in a zone's allow-update, anyone on the internet could change that zone, so dynamic updates should instead be allowed only with the view's TSIG key (allow-update { key chinanet; }; and so on for each view).