- DNS
- 为chinaskills.cn域提供域名解析
- 为www.chinaskills.cn、download.chinaskills.cn和mail.chinaskills.cn提供解析
- 启用内外网解析功能,当内网客户端请求解析的时候,解析到对应的内部服务器地址,当外部客户端请求解析的时候,请把解析结果解析到提供服务的公有地址
- 请将IspSrv作为上游DNS服务器,所有未知查询都由该服务器处理
一、安装dns服务
# Install the BIND name server package non-interactively (-y answers the confirmation prompt).
yum -y install bind
二、配置内外网解析
[root@appsrv /]# nano /etc/named.conf
# NOTE(review): only the option fragments the tutorial shows are listed here;
# the enclosing options { ... } block is outside this excerpt.
listen-on port 53 { any; }; # bind every interface, including the one reached through the router's DNAT
allow-query { any; };       # every client may query; the views in /etc/named.zones decide which data it sees
#recursion yes; # author's note: all three of these were left commented out, otherwise the service broke
#dnssec-enable no;
#dnssec-validation no;
# NOTE(review): recursion is on by default in BIND, so together with allow-query { any; }
# and forwarders this answers recursive queries for anyone who can reach port 53 (an open
# resolver, usable for amplification). Limit it with recursion no; or
# allow-recursion { "lan"; }; inside the wan view in /etc/named.zones, where the "lan" acl is defined.
forwarders {81.6.63.100;};
# forwarding: every name this server is not authoritative for is sent to the ISP server above
# (author's note: this only works once the NAT rules are in place and the far-side DNS
# server's options/forwarders setting is empty)
#zone "." IN { # author's note: the root hint zone is commented out, otherwise named reports an error
# type hint;
# file "named.ca";
#};
#include "/etc/named.rfc1912.zones";
include "/etc/named.zones"; # custom acl/view/zone definitions written for this task
[root@appsrv /]# nano /etc/named.zones
acl "lan" { # address match list for internal clients
192.168.0.0/16; # author's note: the acl captures the internal range
localhost; # author's note: the local host itself must be included
};
view lan { # internal-side answers
match-clients { "lan"; }; # views are tried in order and the first match wins, so this restricted view must precede the any-match view below
zone "chinaskills.cn" {
type master;
file "named.lan";
masterfile-format text; # author's note: avoids garbled output (text is also the default format)
allow-update {81.6.63.254;}; # author's note: lets the proxy (router) update the zone
# NOTE(review): allow-update by source address alone is spoofable; prefer a TSIG key
# (key + allow-update { key <keyname>; } or update-policy), or remove allow-update
# if nothing actually sends dynamic updates. Also, 81.6.63.254 is not inside the "lan"
# acl, so an update from that address would match the wan view rather than this one -- confirm.
};
};
view wan { # external-side answers
match-clients { any; }; # everything not matched by the lan view
# NOTE(review): recursion is enabled by default, so external clients can use this view as an
# open recursive resolver via the forwarders; add recursion no; (or allow-recursion { "lan"; };)
# here if external clients should only receive authoritative answers for chinaskills.cn.
zone "chinaskills.cn" {
type master;
file "named.wan";
masterfile-format text;
allow-update {81.6.63.254;}; # same source-address-only authorization as in the lan view
};
};
# Create the forward zone files for both views by copying the stock loopback
# zone as a template; chgrp lets the named group read them.
[root@appsrv named]# cp named.loopback named.lan
[root@appsrv named]# cp named.loopback named.wan
[root@appsrv named]# chgrp named named.lan named.wan
# NOTE(review): with allow-update enabled, named also needs to write a .jnl journal
# next to each zone file; on stock RHEL/CentOS packages the zone directory is typically
# not writable by named, so updates would fail unless the updatable zones live in a
# named-writable directory -- confirm against the actual permissions.
[root@appsrv named]# nano named.lan
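$TTL 1D
; internal view of chinaskills.cn: names resolve to the private server addresses
; (copied from named.loopback, hence the placeholder SOA contact rname.invalid.)
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS www.chinaskills.cn.
www IN A 192.168.100.100
ftp IN A 192.168.100.200
mail IN A 192.168.100.100
; MX target is the relative name "mail" (192.168.100.100 above), matching named.wan.
; The original "chinaskills.cn" without a trailing dot was relative too and expanded
; to chinaskills.cn.chinaskills.cn., which has no address record.
@ IN MX 10 mail
; NOTE(review): the task also asks for download.chinaskills.cn, which has no record
; in this zone -- confirm which host it should point to.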
[root@appsrv named]# nano named.wan
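$TTL 1D
; external view of chinaskills.cn: every published service maps to the router's public
; address, which DNATs the service ports to the internal servers.
; Master files use ';' for comments -- the original '#' annotations after the A records
; are read as extra record data and make named reject the zone file.
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS www.chinaskills.cn.
@ IN MX 10 mail
www IN A 81.6.63.254 ; public address (DNAT to 192.168.100.100)
ftp IN A 81.6.63.254 ; public address (DNAT to 192.168.100.200)
mail IN A 81.6.63.254
; wildcard: any other name under chinaskills.cn answers with the ISP address. It does not
; forward other domains (those go through forwarders in named.conf), and it also answers
; for mistyped or nonexistent hostnames in this zone -- confirm that is intended.
* IN A 81.6.63.100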
# DNAT on routersrv: publish the internal servers behind the router's public
# address 81.6.63.254 (the address the named.wan records point to).
# DNS (UDP 53, TCP 53), web and mail ports -> appsrv 192.168.100.100
# (--to is the abbreviated form of --to-destination)
[root@routersrv /]#iptables -t nat -A PREROUTING -d 81.6.63.254 -p udp --dport 53 -j DNAT --to 192.168.100.100
[root@routersrv /]#iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 53,80,443,465,993 -j DNAT --to 192.168.100.100
# FTP, NetBIOS/SMB and the 4500-5000 range -> 192.168.100.200
# NOTE(review): these are nat-table rules only; the FORWARD chain policy/rules that
# actually permit the translated traffic are not shown. Exposing 138/139/445 (NetBIOS/SMB)
# on the external side is high-risk -- confirm the task really requires it.
[root@routersrv /]#iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 20,21,127,138,139,444,445,4500:5000 -j DNAT --to 192.168.100.200
三、客户端测试
#外
root@outsidecli:/# nslookup
www.chinaskills.cn
81.6.63.254
Server :
Address :
81.6.63.254#53
Name :www.chinaskills.cn
Address: 81.6.63.254
mail.chinaskills.cn
Server:
Address :
81.6.63.254
81.6.63.254#53
Name :mail.chinaskills.cn
Address: 81.6.63.254
ftp.chinaskills.cn
81.6.63.254
Server :
Address :
81.6.63.254#53
Name :ftp.chinaskills.cn
Address :81.6.63.254
#内
[root@Insidesrv /]# nslookup
> host1.test.com
Server: 192.168.100.100
Address: 192.168.100.100#53
Non-authoritative answer:
Name: host1.test.com
Address: 81.6.63.100