I. How it works
Goal: the DNS server returns different IP addresses for the same name depending on the client's source IP address.
Queries from 172.17.16.169 or 172.17.17.0/16 for www.muzigan.com resolve to 111.112.113.114.
Queries from 172.17.16.99 or 172.17.18.0/16 for www.muzigan.com resolve to 111.112.113.111.
Queries from any other IP for www.muzigan.com return 111.112.113.116; names this server does not hold are looked up via the DNS root servers.
Mechanism: the DNS server's ACL feature (client ACLs selecting BIND views).
II. Implementation
1. Define the ACLs (access control lists)
Define them in /etc/named.conf, before the options block.
Note: other is a built-in ACL; it can be used directly without being defined (the catch-all view below uses the built-in any ACL the same way).
acl A_net {
    172.17.16.169;
    172.17.17.0/16;
};
acl B_net {
    172.17.16.99;
    172.17.18.0/16;
};
2. Change the relevant options
Edit /etc/named.conf (vim /etc/named.conf) and change or comment out the corresponding settings:
    // listen-on port 53 { 127.0.0.1; };
    // allow-query { localhost; };
    dnssec-enable no;
    dnssec-validation no;
Commenting out listen-on and allow-query makes named listen on every IPv4 interface and accept queries from any client; because this file also keeps recursion yes, a server reachable from outside your network should restrict allow-query (or recursion) to its own clients, as the comment block in the options section warns.
3. Create the zone files (databases) corresponding to each ACL
vim /var/named/muzigan.com.zone.A
Contents of muzigan.com.zone.A:
$TTL 1D
@ IN SOA dns1 mail.muzigan.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1
dns1 A 172.17.16.173
www CNAME websrv
websrv A 111.112.113.114
vim /var/named/muzigan.com.zone.B
Contents of muzigan.com.zone.B:
$TTL 1D
@ IN SOA dns1 mail.muzigan.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1
dns1 A 172.17.16.173
www CNAME websrv
websrv A 111.112.113.111
vim /var/named/muzigan.com.zone.any
Contents of muzigan.com.zone.any:
$TTL 1D
@ IN SOA dns1 mail.muzigan.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1
dns1 A 172.17.16.173
www CNAME websrv
websrv A 111.112.113.116
4. Create the views that link each ACL to its zone file
view A_view {
    match-clients { A_net; };
    zone "muzigan.com" {
        type master;
        file "muzigan.com.zone.A";
    };
};
view B_view {
    match-clients { B_net; };
    zone "muzigan.com" {
        type master;
        file "muzigan.com.zone.B";
    };
};
view any {
    match-clients { any; };
    # Because include "/etc/named.rfc1912.zones" appears here inside the view, it must not
    # also appear on the last line of this file, otherwise the zones conflict (once views
    # are used, every zone must live inside a view).
    include "/etc/named.rfc1912.zones";
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
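As an added Python example (not the page's or BIND's own code), the following simulates BIND's first-match view selection over the ACLs and zone data above and returns the A record a given client gets for www.muzigan.com. It assumes host bits in a prefix are ignored (strict=False), under which 172.17.17.0/16 and 172.17.18.0/16 both denote 172.17.0.0/16, so 172.17.16.99 is caught by A_view before B_view is consulted.

```python
import ipaddress

# Constructed model of the ACLs, views and zone data from this page: a
# simulation of BIND's match-clients selection, not BIND's own code.
ACLS = {
    "A_net": ["172.17.16.169", "172.17.17.0/16"],
    "B_net": ["172.17.16.99", "172.17.18.0/16"],
    "any": ["0.0.0.0/0", "::/0"],  # the built-in catch-all ACL
}
# Views in named.conf order: BIND answers from the first view whose
# match-clients ACL contains the client's source address.
VIEWS = [("A_view", "A_net"), ("B_view", "B_net"), ("any", "any")]
# Records from the three zone files: www is a CNAME to websrv in each,
# and only websrv's A record differs per view.
ZONES = {
    "A_view": {"www": ("CNAME", "websrv"), "websrv": ("A", "111.112.113.114")},
    "B_view": {"www": ("CNAME", "websrv"), "websrv": ("A", "111.112.113.111")},
    "any": {"www": ("CNAME", "websrv"), "websrv": ("A", "111.112.113.116")},
}

def acl_networks(acl_name):
    # strict=False accepts the page's 172.17.17.0/16 as written; with the
    # host bits ignored it denotes all of 172.17.0.0/16.
    return [ipaddress.ip_network(e, strict=False) for e in ACLS[acl_name]]

def select_view(client_ip):
    """Name of the first view (in VIEWS order) whose ACL matches client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for view, acl in VIEWS:
        if any(addr in net for net in acl_networks(acl)):
            return view
    raise LookupError("no view matches %s" % client_ip)

def resolve(client_ip, label="www"):
    """A record the client receives for <label>.muzigan.com, following
    CNAMEs inside the selected view's zone."""
    zone = ZONES[select_view(client_ip)]
    visited = set()
    while True:
        rtype, rdata = zone[label]
        if rtype == "A":
            return rdata
        if label in visited:  # a CNAME loop in the zone data, not an answer
            raise ValueError("CNAME loop at %s" % label)
        visited.add(label)
        label = rdata

if __name__ == "__main__":
    for ip in ("172.17.16.169", "172.17.16.99", "172.17.18.7", "10.0.0.5"):
        print("%-14s -> %-6s %s" % (ip, select_view(ip), resolve(ip)))
```

Run named-checkconf against the real /etc/named.conf to see how your BIND version treats prefixes whose host bits are set; if a /24 was intended, the two ACLs no longer overlap and each host gets the view the page describes.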
III. Summary
Three steps in all (step 2 above is only the basic DNS server configuration change):
1. Create the ACLs
2. Create the zone files (databases)
3. Link each ACL to its zone file with a view
IV. Full configuration files
1. /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl A_net {
    172.17.16.169;
    172.17.17.0/16;
};
acl B_net {
    172.17.16.99;
    172.17.18.0/16;
};
options {
    // listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // allow-query { localhost; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
view A_view {
    match-clients { A_net; };
    zone "muzigan.com" {
        type master;
        file "muzigan.com.zone.A";
    };
};
view B_view {
    match-clients { B_net; };
    zone "muzigan.com" {
        type master;
        file "muzigan.com.zone.B";
    };
};
view any {
    match-clients { any; };
    include "/etc/named.rfc1912.zones";
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.root.key";
2. /etc/named.rfc1912.zones
zone "muzigan.com" IN {
    type master;
    file "muzigan.com.zone.any";
};
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
3. Zone files
Already shown in step 3 above.