[Linux] Bind9 split-horizon (internal/external) resolution on CentOS and UOS

Functional requirements

When an internal client queries, names resolve to the server's internal address.

When a public client queries, names resolve to the public address that provides the service.

Basic topology

(topology diagram not reproduced)

Note: the hosts are mutually routable, and NAT must be configured on the router so that the two servers can reach each other through their public addresses.

Install the service

Install bind9 on both servers:

[root@CentOS ~]# yum install bind -y
root@UOS:~# apt install bind9 -y

CentOS configuration requirements

Provide name resolution for the chinaskills.cn domain;

Provide resolution for www.chinaskills.cn, download.chinaskills.cn and mail.chinaskills.cn;

Enable split-horizon resolution: when an internal client queries, resolve to the corresponding internal server address; when an external client queries, resolve to the public address that provides the service;

Use UOS as the upstream DNS server; all unknown queries are handled by that server.

CentOS server configuration

Edit the bind configuration file named.conf on CentOS

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        # changed: listen on any address
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        # changed: allow queries from any host
        forwarders      { 192.168.100.254; };
        # forwarder (upstream server)

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

acl LAN {
        127.0.0.0/8;
        192.168.0.0/16;
};
# create an ACL matching the internal client networks

view LANDNS {
        # internal VIEW
        match-clients { LAN; };
        # clients matching the ACL above use the configuration below
        recursion yes;

        zone "." IN {
                type hint;
                file "named.ca";
        };

        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
        include "/etc/named.lan.zones";
        # the zones used by internal clients are created in a new file
};
# end of internal VIEW

view WANDNS {
        # public VIEW
        match-clients { any; };
        # matches every address other than the internal ones: bind evaluates the
        # configuration from the first line to the last, so a client reaches this
        # view only after it failed to match the internal ACL
        recursion no;
        include "/etc/named.wan.zones";
        # the zones used by external clients are created in a new file
};

Create the internal zone configuration file

vi /etc/named.lan.zones
zone "chinaskills.cn" IN {
        type master;
        file "chinaskills.zone";
        allow-update { 192.168.100.254; };
};

zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.100.zone";
        allow-update { none; };
};

Create the public zone configuration file

vi named.wan.zones
zone "chinaskills.cn" IN {
        type master;
        file "chinaskills.wan.zone";
        allow-update { 192.168.100.254; };
};

Create the zone files

vi chinaskills.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     A       192.168.100.100
download        A       192.168.100.100
mail    A       192.168.100.100
*       A       81.6.63.100
chinaskills.cn. MX      10      mail.chinaskills.cn.

vi 192.168.100.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
100     PTR     www.chinaskills.cn.
100     PTR     download.chinaskills.cn.
100     PTR     mail.chinaskills.cn.

vi chinaskills.wan.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     A       81.6.63.254
download        A       81.6.63.254
mail    A       81.6.63.254
*       A       81.6.63.100
chinaskills.cn. MX      10      mail.chinaskills.cn.
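
As an added example (not code from the original post and not part of BIND), the following Python script models what the named.conf above makes named do: the views are tried in the order they are written, the first view whose match-clients list matches the client address wins, and the answer comes from that view's zone data. The record data is copied from chinaskills.zone and chinaskills.wan.zone; the function names, the sample client addresses and the leak check are assumptions made for this example. It goes slightly beyond the post in two ways: it shows what happens to internal clients if the view order is reversed, and it flags any answer handed to an external client that falls in a private range.

```python
"""Simulate BIND view selection for the split-horizon setup above.

Added example, not BIND code: the ACL, view order and records mirror the
CentOS named.conf and the two zone files; everything else is constructed.
"""
import ipaddress

# acl LAN { 127.0.0.0/8; 192.168.0.0/16; };
LAN_ACL = [ipaddress.ip_network("127.0.0.0/8"),
           ipaddress.ip_network("192.168.0.0/16")]

# Views in the order they appear in named.conf. None stands for "any".
# named walks this list top to bottom and stops at the first match.
VIEWS = [("LANDNS", LAN_ACL), ("WANDNS", None)]

# A and MX records of chinaskills.cn as written in the two zone files.
ZONES = {
    "LANDNS": {  # chinaskills.zone
        "chinaskills.cn.": [("A", "127.0.0.1"), ("MX", "10 mail.chinaskills.cn.")],
        "www.chinaskills.cn.": [("A", "192.168.100.100")],
        "download.chinaskills.cn.": [("A", "192.168.100.100")],
        "mail.chinaskills.cn.": [("A", "192.168.100.100")],
        "*.chinaskills.cn.": [("A", "81.6.63.100")],
    },
    "WANDNS": {  # chinaskills.wan.zone
        "chinaskills.cn.": [("A", "127.0.0.1"), ("MX", "10 mail.chinaskills.cn.")],
        "www.chinaskills.cn.": [("A", "81.6.63.254")],
        "download.chinaskills.cn.": [("A", "81.6.63.254")],
        "mail.chinaskills.cn.": [("A", "81.6.63.254")],
        "*.chinaskills.cn.": [("A", "81.6.63.100")],
    },
}


def select_view(client_ip, views=VIEWS):
    """Return the name of the first view whose match-clients covers client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for name, acl in views:
        if acl is None or any(addr in net for net in acl):
            return name
    raise LookupError(f"no view matches {client_ip}")


def lookup(zone, qname, qtype):
    """Answer qname/qtype from one view's records, with wildcard synthesis."""
    rrset = zone.get(qname)
    if rrset is None:
        # A wildcard only applies when the exact name has no records at all.
        _, _, parent = qname.partition(".")
        rrset = zone.get("*." + parent, [])
    return [rdata for rtype, rdata in rrset if rtype == qtype]


def resolve(client_ip, qname, qtype="A", views=VIEWS):
    """Pick the view for the client, then answer from that view's zone."""
    if not qname.endswith("."):
        qname += "."
    view = select_view(client_ip, views)
    return view, lookup(ZONES[view], qname, qtype)


def leaked_private_answers(names, external_client="203.0.113.5", views=VIEWS):
    """List (name, address) pairs where a public client receives a private address.

    external_client is a constructed documentation address (TEST-NET-3).
    """
    leaks = []
    for name in names:
        _, answers = resolve(external_client, name, "A", views)
        leaks.extend((name, a) for a in answers
                     if ipaddress.ip_address(a).is_private)
    return leaks


if __name__ == "__main__":
    for client in ("192.168.100.10", "10.0.0.1", "203.0.113.5"):
        for name in ("www.chinaskills.cn", "ftp.chinaskills.cn"):
            view, answers = resolve(client, name)
            print(f"{client:>15} -> {name:<22} [{view}] {answers}")
    print("views reversed, internal client lands in:",
          select_view("192.168.100.10", list(reversed(VIEWS))))
    print("private answers leaked to WAN:",
          leaked_private_answers(["chinaskills.cn", "www.chinaskills.cn"]))
```

Two things the run makes visible: a client from 10.0.0.1 is private but not in the LAN ACL, so it falls through to WANDNS and receives the public addresses, and the apex `A 127.0.0.1` present in both zone files is reported by the leak check because it is returned to public clients as well; both are worth reviewing against the intended client networks before putting the zones into service.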

Check the configuration files for errors

(screenshot not reproduced)

Restart the named service

(screenshot not reproduced)

Test basic DNS functionality

(screenshot not reproduced)

UOS configuration requirements

Configure it as the DNS root server;

Resolve all other unknown domain names uniformly to this machine's own IP;

Create the forward zone "chinaskills.cn";

Type Slave;

The master server is "CentOS";

UOS server configuration

Edit the UOS bind configuration files

vi named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
        listen-on port 53 { any; };
        # changed: listen on any address
        allow-query     { any; };
        # changed: allow queries from any host
};
vi named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.lan.view";
# defines the internal VIEW
include "/etc/bind/named.conf.wan.view";
# defines the public VIEW

Create the internal VIEW configuration file

vi named.conf.lan.view 
acl LAN {
        127.0.0.0/8;
        192.168.0.0/16;
};
view LANDNS {
        match-clients { LAN; };
        recursion yes;
        include "/etc/bind/named.conf.default-zones";
        include "/etc/bind/named.conf.lan.zones";
};

Create the internal zone configuration file

vi named.conf.lan.zones
zone "chinaskills.cn" {
        type slave;
        file "/etc/bind/chinaskills.zone";
        masters { 81.6.63.254; };
};
zone "." {
        type master;
        file "/etc/bind/root.zone";
};

Create the public VIEW configuration file

vi named.conf.wan.view 
view WANDNS {
        match-clients { any; };
        recursion no;
        include "/etc/bind/named.conf.wan.zones";
};

Create the public zone configuration file

vi named.conf.wan.zones
zone "chinaskills.cn" {
        type slave;
        file "/etc/bind/chinaskills.wan.zone";
        masters { 81.6.63.254; };
};
zone "." {
        type master;
        file "/etc/bind/root.zone";
};

Create the zone files

vi chinaskills.zone 
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     A       192.168.100.100
download        A       192.168.100.100
mail    A       192.168.100.100
*       A       81.6.63.100
chinaskills.cn. MX      10      mail.chinaskills.cn.

vi chinaskills.wan.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     A       81.6.63.254
download        A       81.6.63.254
mail    A       81.6.63.254
*       A       81.6.63.100
chinaskills.cn. MX      10      mail.chinaskills.cn.

vi root.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        2       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
.       NS      ispsrv
ispsrv  A       81.6.63.100

Check the configuration files for errors

(screenshot not reproduced)

Restart the bind9 service

(screenshot not reproduced)

Test basic DNS functionality

(screenshot not reproduced)

Testing

Internal network

(screenshot not reproduced)

Public network

(screenshot not reproduced)

(screenshot not reproduced)
