Lab steps:
I. Create a reverse zone (the forward zone must already exist)
1. vim /etc/named.rfc1912.zones
-----------------------------------
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "czx.local";    // the file name is your own choice
};
-----------------------------------
2. cd /var/named/chroot/var/named/
cp named.local czx.local
vim czx.local
--------------------------------------------------------------
$TTL 86400
; "@" stands for the zone origin (0.168.192.in-addr.arpa.). An SOA owned by
; czx.com. would be out-of-zone data here and the reverse zone would not load.
@       IN SOA  dns.czx.com. root.czx.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   dns.czx.com.
1       IN PTR  www.czx.com.
-------------------------------------------------------------
3. Restart the service and test with host.
II. Forwarders and wildcard resolution
1. Forwarders
vim /etc/named.caching-nameserver.conf
-------------------------------------
add:
    forward first;
    forwarders { 192.168.0.1; };
------------------------------------
2. Wildcard resolution
cd /var/named/chroot/var/named/
vim czx.zone
---------------------------------
Case 1: www.uplooking.com. 0 IN A 192.168.0.1
        www.uplooking.com. 0 IN A 192.168.0.2
        www.uplooking.com. 0 IN A 192.168.0.3
        www.uplooking.com. 0 IN A 192.168.0.4
can be replaced by:
$GENERATE 1-4 www.uplooking.com. 0 IN A 192.168.0.$
Case 2: whatever name the client queries under .uplooking.com resolves to 192.168.0.1
*.uplooking.com. IN A 192.168.0.1
---------------------------------
III. TSIG (the master and the slave must hold the same key before a zone transfer is allowed)
[1]. Generate a random key
dnssec-keygen -a hmac-md5 -b 128 -n HOST czx
(-a: algorithm, -b: key length in bits; "czx" is an arbitrary key name)
cat Kczx.+157+52687.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: WFpWIzKn0WqH60UDaUPfcA==
[2]. Configuration on the master
1. vim /etc/named.rfc1912.zones
----------------------------------
zone "czx.com" IN {
    type master;
    file "czx.zone";
    allow-transfer { key czx; };
};
key czx {
    algorithm hmac-md5;
    secret "WFpWIzKn0WqH60UDaUPfcA==";
};
-----------------------------------------
2. cd /var/named/chroot/var/named/
vim czx.zone   (add the SOA, NS and A records)
3. Fix the group ownership of czx.zone
chgrp named czx.zone
4. Restart the service and test.
[3]. Configuration on the slave
1. vim /etc/named.rfc1912.zones
----------------------------------
zone "czx.com" IN {
    type slave;
    file "slaves/czx.zone";
    masters { 192.168.0.1 key czx; };   // master IP and the name of the key to use; keep it identical to the master's
};
key czx {
    algorithm hmac-md5;
    secret "WFpWIzKn0WqH60UDaUPfcA==";
};
----------------------------------
2. Restart the service and check the czx.zone file.
IV. Views + master/slave + keys:
(Using CNC and TEL as the example: the goal is that northern users resolve to the China Netcom (CNC) records and southern users to the China Telecom (TEL) records; in this lab the 192.168.0.0 subnet stands for CNC and the 192.168.1.0 subnet for TEL.)
[1]. Configuration on the master
----------------------------------------------------
view "cnc" {
    // A client matches if it presents the cnc key, or if it is in the 0.0 subnet
    // other than 192.168.0.160. Without that exclusion, when host 0.160 signs with
    // the TEL key and fails to match "key cnc", it would still match the subnet
    // entry and keep being answered from the CNC records.
    match-clients { key cnc; !192.168.0.160; 192.168.0.0/24; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "uplooking.com" IN {
        type master;
        file "cnc.uplooking.com.db";
        allow-transfer { key cnc; };   // only requests signed with the key may transfer the zone
    };
};
view "tel" {
    match-clients { key tel; 192.168.1.0/24; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "uplooking.com" IN {
        type master;
        file "tel.uplooking.com.db";
    };
};
key cnc {
    algorithm hmac-md5;
    secret "e7meQD05v0KjPOgqaEUEwg==";
};
key tel {
    algorithm hmac-md5;
    secret "/VN+XGVmnNHnzQ8bv/icLg==";
};
----------------------------------------------------
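To make the match-clients reasoning above concrete, here is an added Python model of BIND's address-match-list rules (elements are tested in order, the first match decides, a leading "!" rejects); it is example code written for these notes, not from the original post or from BIND, and the client addresses it checks are constructed. It shows that with the lab's view order a tel-signed query from 192.168.0.160 lands in the tel view, while without the exclusion the same query would be answered from the cnc view.

```python
import ipaddress

# Added example, not from the original post: a model of how BIND evaluates an
# address match list such as match-clients. Elements are tested in order, the
# first one that matches decides, and a leading "!" means "reject". "key NAME"
# matches only requests signed with that TSIG key; an address or prefix matches
# the client's source IP no matter which key (if any) signed the query.
def acl_matches(elements, client_ip, key_name=None):
    """Return True if the client is accepted by the ordered match list."""
    ip = ipaddress.ip_address(client_ip)
    for element in elements:
        element = element.strip()
        negate = element.startswith("!")
        if negate:
            element = element[1:].strip()
        if element.startswith("key "):
            hit = key_name is not None and key_name == element.split()[1]
        elif element == "any":
            hit = True
        else:
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False  # nothing matched: the list does not match

def select_view(views, client_ip, key_name=None):
    """views: ordered (name, match_clients) pairs; the first view whose list
    accepts the client answers it. None means no view matched (BIND refuses)."""
    for name, elements in views:
        if acl_matches(elements, client_ip, key_name):
            return name
    return None

# The master's two views exactly as written in the lab above.
LAB_VIEWS = [
    ("cnc", ["key cnc", "!192.168.0.160", "192.168.0.0/24"]),
    ("tel", ["key tel", "192.168.1.0/24"]),
]
# The same views without the !192.168.0.160 entry, to show what it prevents.
VIEWS_WITHOUT_EXCLUSION = [
    ("cnc", ["key cnc", "192.168.0.0/24"]),
    ("tel", ["key tel", "192.168.1.0/24"]),
]

if __name__ == "__main__":
    # Constructed client: host 192.168.0.160 signing its query with the tel key.
    print(select_view(LAB_VIEWS, "192.168.0.160", "tel"))                # tel
    print(select_view(VIEWS_WITHOUT_EXCLUSION, "192.168.0.160", "tel"))  # cnc
    print(select_view(LAB_VIEWS, "192.168.0.160"))                       # None
```

The third call shows a side effect of the exclusion worth knowing: an unsigned query from 192.168.0.160 matches neither view and is refused.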
2. cd /var/named/chroot/var/named/
vim cnc.uplooking.com.db   (its SOA, NS and A records point into the 0.0 subnet)
vim tel.uplooking.com.db   (its SOA, NS and A records point into the 1.0 subnet)
3. Restart the service and test.
[2]. Configuration on the slave
----------------------------------------------------
view "cnc" {
    match-clients { 192.168.0.0/24; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "uplooking.com" IN {
        type slave;
        file "slaves/cnc.uplooking.com.db";
        masters { 192.168.0.1 key cnc; };
    };
};
view "tel" {
    match-clients { 192.168.1.0/24; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "uplooking.com" IN {
        type slave;
        file "slaves/tel.uplooking.com.db";
        masters { 192.168.0.1 key tel; };
    };
};
key cnc {
    algorithm hmac-md5;
    secret "e7meQD05v0KjPOgqaEUEwg==";
};
key tel {
    algorithm hmac-md5;
    secret "/VN+XGVmnNHnzQ8bv/icLg==";
};
----------------------------------------------------
Restart the service and test.
Reposted from: https://blog.51cto.com/yfang/187759