智能DNS

一、实现原理

目标:DNS服务器对来自不同客户端IP地址的查询返回不同的解析结果
        通过172.17.16.169或172.17.17.0/16访问www.muzigan.com解析出111.112.113.114
        通过172.17.16.99或172.17.18.0/16访问www.muzigan.com解析出111.112.113.111
        其他IP访问www.muzigan.com则返回111.112.113.116;本地没有找到的记录则转发给DNS根服务器(root)查找
实现原理:基于DNS服务器的ACL功能

二、实现

1.定义ACL:访问控制列表

在/etc/named.conf中options语句前面定义
注意:any是BIND自带的acl(下文view中直接使用),不用定义即可使用
// Clients that should receive the A answer (111.112.113.114); referenced by A_view's match-clients.
acl A_net{
  172.17.16.169;
  // NOTE(review): 172.17.17.0/16 has host bits set; as a /16 it means 172.17.0.0-172.17.255.255,
  // which also covers 172.17.16.99 and B_net's 172.17.18.0 range. A_view is tried first, so
  // B_view would then never be reached for those clients. A /24 was probably intended; newer
  // BIND releases reject an address/prefix-length mismatch at load - check with named-checkconf.
  172.17.17.0/16;
};
// Clients that should receive the B answer (111.112.113.111); referenced by B_view's match-clients.
acl B_net{
  172.17.16.99;
  // NOTE(review): /16 on 172.17.18.0 has host bits set and expands to the whole 172.17.0.0/16,
  // the same range A_net's /16 entry expands to, so this entry is shadowed by A_net unless the
  // prefix lengths are corrected (probably /24). Validate with named-checkconf.
  172.17.18.0/16;
};

2.修改配置文件相关选项

vim /etc/named.conf,对以下属性进行修改或注释
// Lines inside options { } to change. Commenting out listen-on makes named accept queries on
// every IPv4 interface instead of only 127.0.0.1; commenting out allow-query lets any client
// query (needed so A_net/B_net hosts can reach the views). Scope recursion separately
// (allow-recursion) so the wider listener does not also become an open resolver.
//      listen-on port 53 { 127.0.0.1; };
//      allow-query     { localhost; };
// NOTE(review): with validation disabled, recursively resolved answers are accepted without a
// DNSSEC check; only do this if the server genuinely cannot validate (no reachable trust anchor).
        dnssec-enable no;
        dnssec-validation no;

3.创建acl相对应的数据库文件

vim   /var/named/muzigan.com.zone.A
# muzigan.com.zone.A文件内容
; Zone data for muzigan.com as seen by A_net clients (selected by A_view in named.conf).
$TTL 1D
; SOA: dns1 is the primary name server (relative to muzigan.com), mail.muzigan.com. is the
; contact mailbox field (first label = local part, i.e. mail@muzigan.com).
@       IN SOA  dns1 mail.muzigan.com. (
                                        0       ; serial - increase on every edit; secondaries (none declared here) use it to detect changes
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A       172.17.16.173
; www is an alias for websrv, so the per-view answer is controlled by the websrv A record only.
www     CNAME   websrv
websrv  A       111.112.113.114
vim   /var/named/muzigan.com.zone.B
# muzigan.com.zone.B文件内容
; Zone data for muzigan.com as seen by B_net clients (selected by B_view in named.conf).
; Identical to muzigan.com.zone.A except for the websrv address.
$TTL 1D
@       IN SOA  dns1 mail.muzigan.com. (
                                        0       ; serial - bump on every change so secondaries (none declared here) notice it
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A       172.17.16.173
; www resolves through websrv; only the websrv A record differs between the three zone files.
www     CNAME   websrv
websrv  A       111.112.113.111
vim   /var/named/muzigan.com.zone.any 
# muzigan.com.zone.any 文件内容
; Default zone data for muzigan.com, served by the catch-all "any" view to every client
; not matched by A_net or B_net.
$TTL 1D
@       IN SOA  dns1 mail.muzigan.com. (
                                        0       ; serial - must grow with each edit for secondaries (none declared here) to refresh
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1
dns1    A       172.17.16.173
; www -> websrv alias; the answer clients see for www is the websrv address below.
www     CNAME   websrv
websrv  A       111.112.113.116

4.创建view,关联ACL和数据库


// Views are evaluated in the order written: the first view whose match-clients admits the
// query's source address answers it, so the catch-all view must stay last.
view  A_view{
        match-clients { A_net;};
        zone "muzigan.com" {
                type master;
                file "muzigan.com.zone.A";
                // NOTE(review): no allow-transfer here, so any client this view admits can
                // AXFR the zone if BIND's default (any, in most 9.x releases - confirm for
                // yours) applies; add allow-transfer { none; }; since no secondaries are set up.
        };
};
view  B_view{
        match-clients { B_net;};
        zone "muzigan.com" {
                type master;
                file "muzigan.com.zone.B";
                // NOTE(review): same allow-transfer remark as in A_view.
        };
};
view  any{
        match-clients { any;};
# If include "/etc/named.rfc1912.zones" is placed here it must not also appear at the end of
# named.conf: once view statements are used every zone has to live inside a view, and a second,
# top-level include would define the same zones outside one, which fails at load.
        include "/etc/named.rfc1912.zones";
        // NOTE(review): this view inherits recursion yes from options, so anyone it admits may
        // recurse as far as allow-recursion permits (unset, so BIND's default - localhost plus
        // locally attached networks on current releases - applies). Make the policy explicit:
        // allow-recursion { localhost; A_net; B_net; }; or recursion no; if only muzigan.com is served.
        zone "." IN {
                type hint;
                file "named.ca";
        };
};

三、总结

总共3个步骤,第二步只是对基本DNS服务器的配置进行修改

创建ACL
创建数据库
关联ACL和数据库

四、配置文件附上

1./etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
// Source addresses routed to A_view (answer 111.112.113.114).
acl A_net{
  172.17.16.169;
  // NOTE(review): 172.17.17.0/16 has host bits set; a /16 covers 172.17.0.0-172.17.255.255,
  // which includes 172.17.16.99 and the B_net range, so A_view (matched first) would swallow
  // B_net's clients. A /24 was probably meant; newer BIND versions reject an address/prefix
  // mismatch at load - run named-checkconf.
  172.17.17.0/16;
};
// Source addresses routed to B_view (answer 111.112.113.111).
acl B_net{
  172.17.16.99;
  // NOTE(review): 172.17.18.0/16 expands to the whole 172.17.0.0/16, identical to what A_net's
  // /16 entry expands to, so this ACL is shadowed until the prefix lengths are fixed (likely /24).
  172.17.18.0/16;
};
// Global options; anything not overridden inside a view below applies to every view.
options {
// listen-on is deliberately commented out: without it named listens on port 53 of every IPv4
// interface rather than only 127.0.0.1. Restrict it to specific addresses if this host also
// has an interface facing an untrusted network.
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query is commented out so clients beyond localhost reach the views; named then answers
// any client, which the A_net/B_net split requires. Recursion is limited separately (see below).
//      allow-query     { localhost; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        // NOTE(review): recursion is global here, so the catch-all "any" view also recurses.
        // Who may recurse then rests on allow-recursion's default (localhost plus locally
        // attached networks on current BIND - confirm); state it explicitly, e.g.
        // allow-recursion { localhost; A_net; B_net; }; so the policy does not depend on a default.
        recursion yes;

        // NOTE(review): with validation off, answers obtained by recursion are accepted without
        // any DNSSEC check; re-enable (dnssec-validation yes;) unless the server truly cannot validate.
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        // The ISC DLV registry was retired in 2017; this stock line is presumably inert here.
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

// First view tried: clients in A_net get muzigan.com from muzigan.com.zone.A (websrv 111.112.113.114).
view  A_view{
        match-clients { A_net;};
        zone "muzigan.com" {
                type master;
                file "muzigan.com.zone.A";
                // NOTE(review): add allow-transfer { none; }; - no secondaries exist, and with
                // it unset the BIND default (any, in most 9.x releases - confirm) lets admitted
                // clients pull the whole zone.
        };
};
// Second view: clients in B_net (and not already caught by A_net) get muzigan.com.zone.B
// (websrv 111.112.113.111).
view  B_view{
        match-clients { B_net;};
        zone "muzigan.com" {
                type master;
                file "muzigan.com.zone.B";
                // NOTE(review): allow-transfer is unset here too; set allow-transfer { none; };
                // unless a secondary is actually configured.
        };
};
// Catch-all view, must remain last: every client not matched above lands here and gets the
// zones from /etc/named.rfc1912.zones (muzigan.com.zone.any plus the stock localhost zones).
// Because views are in use, that include must appear only inside a view - a second copy at
// top level would define zones outside any view and fail to load.
view  any{
        match-clients { any;};
        include "/etc/named.rfc1912.zones";
        // NOTE(review): this view inherits recursion yes from options; pin who may recurse with
        // allow-recursion { localhost; A_net; B_net; }; (or recursion no; if only muzigan.com is
        // served) instead of relying on BIND's default.
        zone "." IN {
                type hint;
                file "named.ca";
        };
};
// Stock logging: a single debug channel whose severity tracks the server's runtime debug
// level (raised/lowered with rndc trace), written to data/named.run under the directory option.
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


// Root DNSSEC trust anchor (managed keys); loaded, but with dnssec-validation no in options it
// is presumably not used for validation - confirm if validation is re-enabled.
include "/etc/named.root.key";

2./etc/named.rfc1912.zones

// Default muzigan.com data; this file is included only inside the "any" view in named.conf,
// so this zone answers clients outside A_net/B_net.
zone "muzigan.com" IN {
        type master;
        file "muzigan.com.zone.any";
        // NOTE(review): the sibling zones below set allow-update { none; }; adding it here keeps
        // the file consistent (BIND's default is none anyway). Also consider allow-transfer { none; };
        // since no secondary is configured.
};
// Stock RFC 1912 zones (localhost, loopback reverse for IPv6/IPv4, and 0.in-addr.arpa);
// each is a local primary with dynamic updates refused.
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

3.数据库文件

内容见第二部分第3步,此处不再重复
