【基础服务】dns智能解析、view主从服务 - DNS（二）

原创

hxw168 2014-05-13 08:45:34 博主文章分类：Linux ©著作权

文章标签 dns acl view 文章分类 服务器

©著作权归作者所有：来自51CTO博客作者hxw168的原创作品，请联系作者获取转载授权，否则将追究法律责任

测试环境如图：

主机名称	IP地址	备注
Nsmaster	192.168.198.190	DNS服务器，负责区域：onepc.com
lua1	10.1.1.10	10网段的病毒库升级服务器
lua2	192.168.198.100	192网段的病毒库升级服务器
DNS实现功能：域名lua.onepc.com有两个IP分别是lua1、lua2。DNS要实现不同网段访问lua.onepc.com解析出不同的IP。

例：甲公司有A、B两个办公地点，通过专线连接在一起（各自有自己的外网出口），客户机安装有symantec杀软设置lua.onepc.com为内网病毒库升级服务器，要求10网段访问lua.onepc.com它解析对应的IP为：10.1.1.10 ，192网段访问lua.onepc.com它解析对应的IP为：192.168.198.100。

DNS View：可以实现不同的IP段访问同一个域名解析出不同的IP地址，叫DNS智能解析。

DNS ACL语法：

Acl {

192.168.19.0/24; //一个网段

172.16.1.1; //单IP

!10.1.1.1; //排除这个IP

} ;

安装DNS：

Centos6.5 64bit 安装自带的bind rpm包

[root@nsmaster /]# /etc/init.d/named status

rndc: neither /etc/rndc.conf nor/etc/rndc.key was found

named is stopped

[root@nsmaster /]# rndc-confgen -r/dev/urandom -a

wrote key file "/etc/rndc.key"

[root@nsmaster /]# chown root:named/etc/rndc.key

[root@nsmaster /]# chmod 644 /etc/rndc.key

到这里已可以正常启动named服务。

配置nsmaster服务器的named.conf文件：

[root@nsmaster etc]# vi named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
"named.conf" 93L, 1550C
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
//安义acl列表
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
// acl net_192 { !192.168.198.190;192.168.198.0/24; };
options {
        listen-on port 53 { any; };  //在所有IP监听53端口
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; }; //允许所有IP查询
        recursion yes;  //启用递归，一般使用allow-recursion指定IP允许递归
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//定义dns view功能，需要把根（.）包含进去。
//dns服务器在192.168.198.0网段，所以包含include "/etc/named.rfc1912.zones"这个文件，在服务器解析localhost时可以正常解析。
view  "netlan_192"
{
match-clients { net_192; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
include "/etc/named.rfc1912.zones";
};
view "netlan_10"
{
match-clients { net_10; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

区域文件如下：

[root@nsmaster named]# cat onepc.com.zone.192 onepc.com.zone.10
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014050805; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
nsmaster        IN A 192.168.198.190
lua             IN A 192.168.198.100
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014051201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
nsmaster        IN A 192.168.198.190
lua             IN A 10.1.1.10

这样配置就可以实现在不同网段访问同一个域名解析出不同的IP地址。

在192网段解析：

在10网段解析：

Dns view的主从同步：

在上面的拓扑中的10网段添加一台nsslave服务器，IP:10.1.1.2，安装bind软件。

主dns的named.conf：

[root@nsmaster named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view  "netlan_192"
{
//注意这里，由于从dns在10网段，所以需要把从的ip地址添加在这里。
match-clients { 10.1.1.2;net_192; };
allow-transfer { 10.1.1.2; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
include "/etc/named.rfc1912.zones";
};
view "netlan_10"
{
match-clients { net_10; };
allow-transfer { 10.1.1.3; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

区域文件如下：

[root@nsmaster named]# cat onepc.com.zone.10 onepc.com.zone.192
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014051201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
                IN NS   nsslave.onepc.com.
nsmaster        IN A 192.168.198.190
nsslave         IN A 10.1.1.2
lua             IN A 10.1.1.10
$TTL 600
@       IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                        2014050805; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        2D      ; expire
                                        3H )    ; minimum
                IN NS   nsmaster.onepc.com.
                IN NS   nsslave.onepc.com.
nsmaster        IN A 192.168.198.190
nsslave         IN A 10.1.1.2
lua             IN A 192.168.198.100

从dns的named.conf配置(不需要配置匹配文件)：

需要添加一个IP 地址来复制10这个区域配置：

Ifconfig eth1:0 10.1.1.3 netmask 255.255.255.0，实际环境中，添加多块网卡。

[root@nsslave slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl net_10 { 10.1.1.0/24; };
acl net_192 { 192.168.198.0/24; };
//acl net_127 { 127.0.0.0/8;192.168.198.190; };
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view  "netlan_192"
{
match-clients { net_192; };
transfer-source 10.1.1.2;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.192";
};
};
view "netlan_10"
{
match-clients { net_10; };
transfer-source 10.1.1.3;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.10";
};
include "/etc/named.rfc1912.zones";
};
//view "netlan_127"
//{
//
//match-clients { net_127; };
//include "/etc/named.rfc1912.zones";
//
//};
//include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

重启生效后，复制过来的区域文件如下：

[root@nsslave slaves]# cat onepc.com.zone.10 onepc.com.zone.192
$ORIGIN .
$TTL 600        ; 10 minutes
onepc.com               IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                2014051201 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                172800     ; expire (2 days)
                                10800      ; minimum (3 hours)
                                )
                        NS      nsmaster.onepc.com.
                        NS      nsslave.onepc.com.
$ORIGIN onepc.com.
lua                     A       10.1.1.10
nsmaster                A       192.168.198.190
nsslave                 A       10.1.1.2
$ORIGIN .
$TTL 600        ; 10 minutes
onepc.com               IN SOA  nsmaster.onepc.com. admin.onepc.com. (
                                2014050805 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                172800     ; expire (2 days)
                                10800      ; minimum (3 hours)
                                )
                        NS      nsmaster.onepc.com.
                        NS      nsslave.onepc.com.
$ORIGIN onepc.com.
lua                     A       192.168.198.100
nsmaster                A       192.168.198.190
nsslave                 A       10.1.1.2

View功能的dns主从配置注意点：

1、主服务器的每个view下面，都需要配置allow-transfer{ IP; };选项，表示允许这个IP完全复制这个view的匹配文件。

2、从服务器的每个view下面，都需要配置transfer-sourceIP;选项，这个IP要与主服务器的allow-transfer对应，表示这个IP地址从主服务器的view下面复制区域文件。

3、每个view只能一个IP地址访问，就是说每增加一个view，那么从服务器就需要添加一个IP来复制这个view。

例：

从dns服务器的10.1.1.3复制netlan_10视图，10.1.1.4复制netlan_172视图，10.1.1.5复制netlan_192视图：

主dns服务器的view配置：

view "netlan_10"
{
match-clients { 10.1.1.3;net_10; };
allow-transfer { 10.1.1.3; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.10";
};
};
view "netlan_172"
{
match-clients { 10.1.1.4;net_172; };
allow-transfer { 10.1.1.4; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.172";
};
};
view "netlan_192"
{
match-clients { 10.1.1.5;net_192; };
allow-transfer { 10.1.1.5; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type master;
        file "onepc.com.zone.192";
};
};

从dns服务器至少需要三个IP地址，分别是10.1.1.3，10.1.1.4，10.1.1.5，配置如下：

view "netlan_10"
{
match-clients { net_10; };
transfer-source 10.1.1.3; //这里与主dns 服务器的view对应
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; }; //主服务器
        file "slaves/onepc.com.zone.10";
};
};
view "netlan_172"
{
match-clients { net_172; };
transfer-source 10.1.1.4;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.172";
};
};
view "netlan_192"
{
match-clients { net_192; };
transfer-source 10.1.1.5;
zone "." IN {
        type hint;
        file "named.ca";
};
zone "onepc.com" IN {
        type slave;
        masters { 192.168.198.190; };
        file "slaves/onepc.com.zone.192";
};
};