DNS setup, simulating the view feature

Building a master DNS server

Build a master DNS server that manages the 51cto.com zone

Basic idea:
1. The server must have a fixed IP.
2. Install a software package that implements the DNS protocol and declare that it manages the 51cto.com zone (the prerequisite is that the DNS server for the parent domain, com, delegates the 51cto.com zone to this host).
3. Host names under the zone suffix need to be registered (given records) on this DNS server.

Concrete implementation:
1. The server must have a fixed IP: 192.168.1.254
2. Install a software package that implements the DNS protocol and declare in the main configuration file that it manages the 51cto.com zone (the prerequisite is that the DNS server for the parent domain, com, delegates the 51cto.com zone to this host).
]# yum -y install bind bind-chroot caching-nameserver

bind is the main program package.
bind-chroot exists for safety: it runs the bind program inside a designated root directory environment (a chroot).
The bind daemon runs under the named user identity. If an attacker breaks into this DNS server, they obtain the privileges of the named user, and with them read (and, for directories, traverse) access to every world-readable file and directory on the system. To limit the damage, the named user is confined to a designated root directory in which it only has the permissions it needs. A chroot only limits what a compromised named process can reach; it does not stop the process from being exploited, so bind still has to be kept patched.

With this package installed, the chroot root directory defaults to /var/named/chroot.

caching-nameserver: the purpose of installing this package is to generate a set of template files, for example the zone file templates.

Now edit the main configuration file and declare the 51cto.com zone:
]# vim /var/named/chroot/etc/named.caching-nameserver.conf

[root@localhost chroot]# cat /var/named/chroot/etc/named.caching-nameserver.conf
options {
listen-on port 53 { any; }; # which local interfaces to listen on at port 53; any means all local interfaces
listen-on-v6 port 53 { ::1; };
directory "/var/named"; # where zone files are kept; inside the chroot that is /var/named/chroot/var/named, create zone files there as needed
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # which clients may send queries to this DNS server
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

Declare the zone to be managed (the file name given here must match the zone file created below):
]# vim /var/named/chroot/etc/named.rfc1912.zones

zone "51cto.com" IN {
type master;
file "51cto.com.zone";
};
]# cp -p /var/named/chroot/var/named/localhost.zone /var/named/chroot/var/named/51cto.com.zone

3. Register the host names under the zone suffix on this DNS server

]# vim /var/named/chroot/var/named/51cto.com.zone
This file contains several kinds of records:

SOA (start of authority): marks the start of authority for the zone, which is normally delegated downward from this host, so the field holds this DNS server's own domain name (that name is not resolvable by itself, so an A record for it must be written as well). In our experiment that name is dns.51cto.com.
51cto.com. IN SOA dns.51cto.com. root.51cto.com. ( serial refresh retry expire minimum )
Note that an A record resolving dns.51cto.com. is required:
dns.51cto.com. IN A 192.168.1.254

NS: defines which host is the name server for a zone. Usually it names this DNS server itself for its own zone; it is also used to point a child zone at a designated host (subdomain delegation).
51cto.com. IN NS dns.51cto.com.

A: host (address) record, resolves a domain name to an IP.
dns.51cto.com. IN A 192.168.1.254

Names in a zone file that do not end in a dot are relative to the zone origin, so dns.51cto.com without the trailing dot would become dns.51cto.com.51cto.com.; either write fully qualified names with the trailing dot or use the short relative form (dns), as the zone file below does.



]# cat /var/named/chroot/var/named/51cto.com.zone
$TTL 86400
@ IN SOA dns.51cto.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

;51cto.com. IN NS dns.51cto.com.
;dns.51cto.com. IN A 192.168.1.254
IN NS dns.51cto.com.
dns IN A 192.168.1.254
;www.51cto.com. IN A 192.168.1.5
;mail.51cto.com. IN A 192.168.1.8
;news.51cto.com. IN A 192.168.1.122
www IN A 192.168.1.5
mail IN A 192.168.1.8
news IN A 192.168.1.122

]# service named start
]# tail -n 20 /var/log/messages
Check the log for errors (named-checkconf and named-checkzone 51cto.com /var/named/chroot/var/named/51cto.com.zone can be run before starting to catch syntax mistakes).


Test from a client:
cat /etc/resolv.conf
nameserver 192.168.1.254

[root@localhost named]# host -l 51cto.com
51cto.com name server dns.51cto.com.
dns.51cto.com has address 192.168.1.254
mail.51cto.com has address 192.168.1.8
news.51cto.com has address 192.168.1.122
www.51cto.com has address 192.168.1.5
host -l lists the zone by requesting a zone transfer (AXFR) from the server. It succeeds here because allow-transfer is not restricted, which also lets anyone enumerate every host in the zone; on a production server add allow-transfer { <secondary IPs>; }; (or none;) to the zone or options block.
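The zone file above was copied from a template and edited by hand, which is where the relative-name mistake (an NS or SOA target without the trailing dot) usually creeps in. As an added example, not part of the original notes, the POSIX shell script below generates a zone file like the one above from a list of host/IP pairs, qualifying every name with the trailing dot, using the conventional date-based serial instead of the template's 42, and lints a zone for targets written without the dot. The origin, name server and host list are hypothetical arguments; the host list in the usage call is constructed sample data and the script only writes to stdout.

```shell
#!/bin/sh
# Added example, not from the original notes. Generates a BIND zone file from
# host/IP pairs and lints hand-written zones for the missing-trailing-dot trap.

# qualify NAME ORIGIN -> NAME as a fully qualified name with trailing dot.
# "www" -> www.51cto.com.  "www.51cto.com" -> www.51cto.com.  "@" -> 51cto.com.
qualify() {
    name=$1; origin=$2
    case $name in
        @)            printf '%s.\n' "$origin" ;;
        *.)           printf '%s\n' "$name" ;;
        *."$origin")  printf '%s.\n' "$name" ;;
        *)            printf '%s.%s.\n' "$name" "$origin" ;;
    esac
}

# zone_serial REV -> YYYYMMDDnn, the conventional date-based serial; bump REV
# (and therefore the serial) on every edit or secondaries will never pull it.
zone_serial() {
    printf '%s%02d\n' "$(date +%Y%m%d)" "${1:-1}"
}

# gen_zone ORIGIN NS_HOST NS_IP RECORDS -> zone file on stdout.
# RECORDS is a newline-separated list of "host ip" lines; hosts may be
# short (www) or fully qualified (www.51cto.com).
gen_zone() {
    origin=$1; ns=$2; nsip=$3; records=$4
    nsfqdn=$(qualify "$ns" "$origin")
    printf '$TTL 86400\n'
    printf '$ORIGIN %s.\n' "$origin"
    printf '@ IN SOA %s hostmaster.%s. (\n' "$nsfqdn" "$origin"
    printf '    %s ; serial\n    3H ; refresh\n    15M ; retry\n' "$(zone_serial 1)"
    printf '    1W ; expire\n    1D ) ; negative-cache TTL\n'
    printf '@ IN NS %s\n' "$nsfqdn"
    printf '%s IN A %s\n' "$nsfqdn" "$nsip"
    printf '%s\n' "$records" | while read -r host ip; do
        [ -z "$host" ] && continue
        printf '%s IN A %s\n' "$(qualify "$host" "$origin")" "$ip"
    done
}

# lint_zone ZONE_TEXT -> exit 0 if clean, otherwise 1 plus a message per
# offending line. A target such as "dns.51cto.com" (no dot) in an NS, CNAME
# or SOA record is relative, so BIND turns it into dns.51cto.com.51cto.com.
lint_zone() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*;/ || /^\$/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) if ($i == "IN") break
            type = $(i + 1); target = $(i + 2)
            if ((type == "NS" || type == "CNAME" || type == "SOA") && target !~ /\.$/) {
                print "line " NR ": relative target \"" target "\" in " type " record"
                bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Usage with constructed sample hosts (the same names as the notes' zone).
gen_zone 51cto.com dns 192.168.1.254 "www 192.168.1.5
mail 192.168.1.8
news 192.168.1.122"
```

Pipe the generated text into the zone file inside the chroot, then run named-checkzone on it before reloading; lint_zone is only a cheap pre-check for the one mistake the relative-name rule makes easy.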


DNS subdomain delegation

Basic idea:
1. Build the master DNS server for the com zone.
2. Build the master DNS server for the 51cto.com zone.
3. Delegate 51cto.com in the com zone.

--------------
Concrete implementation:

1. Build the master DNS server for the com zone on 192.168.1.254

Install the packages (they ship on the installation disc):
[root@localhost pg]# rpm -q bind
bind-9.3.6-4.P1.el5_4.2
[root@localhost pg]# rpm -q bind-chroot
bind-chroot-9.3.6-4.P1.el5_4.2
[root@localhost pg]# rpm -q caching-nameserver
caching-nameserver-9.3.6-4.P1.el5_4.2
Edit the configuration file
]# vim /var/named/chroot/etc/named.caching-nameserver.conf
options {
listen-on port 53 { any; }; # which local interfaces to listen on at port 53; any means all local interfaces
listen-on-v6 port 53 { ::1; };
directory "/var/named"; # where zone files are kept; inside the chroot that is /var/named/chroot/var/named, create zone files there as needed
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # which clients may send queries to this DNS server
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

]# vim /var/named/chroot/etc/named.rfc1912.zones
zone "com" IN {
type master;
file "com.zone";
};

]# cat /var/named/chroot/var/named/com.zone
$TTL 86400
@ IN SOA dns.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

;51cto.com. IN NS dns.51cto.com.
;dns.51cto.com. IN A 192.168.1.254
IN NS dns.com.
dns IN A 192.168.1.254

[root@localhost named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

2. Likewise, configure the master DNS for the 51cto.com zone on 192.168.1.8, defining A records for the following names:
www.51cto.com
news.51cto.com

3. On the com zone's master DNS, write the delegation records
vim /var/named/chroot/var/named/com.zone
Add two records:
51cto.com. IN NS dns.51cto.com.
dns.51cto.com. IN A 192.168.1.8
The second record is a glue record: the name server for 51cto.com lives inside 51cto.com itself, so the parent has to supply its address or the delegation cannot be followed (a lame delegation). Both names must end in a dot, otherwise the com origin is appended to them.
service named restart
tail -n 30 /var/log/messages
Check the log for errors.

4. Test
Point a client's DNS at the com zone's DNS server, 192.168.1.254, and resolve A records in the delegated zone with nslookup:
nslookup www.51cto.com
nslookup news.51cto.com
If they resolve, the delegation works: 192.168.1.254 is authoritative for com, follows its own NS record for 51cto.com to 192.168.1.8, and recurses on the client's behalf.
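The two failure modes of step 3 (a missing glue A record, and an NS target written without the trailing dot) both produce a delegation that loads without error but cannot be followed. As an added example, not part of the original notes, the shell script below checks a parent zone for exactly those two problems. The COM_ZONE text is a constructed copy of the com.zone above after the delegation records were added; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: checks that a parent zone
# delegates a child correctly (NS records present and fully qualified, plus
# glue A records for any name server that lives inside the child zone).

# Constructed copy of the com.zone from the notes, after step 3.
COM_ZONE='$TTL 86400
@ IN SOA dns.com. root (
        42 ; serial
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
        IN NS dns.com.
dns IN A 192.168.1.254
51cto.com. IN NS dns.51cto.com.
dns.51cto.com. IN A 192.168.1.8'

# nameservers_for ZONE_TEXT PARENT CHILD -> the NS targets the parent zone
# lists for CHILD, whether the owner is written absolute (51cto.com.) or
# relative to the parent origin (51cto).
nameservers_for() {
    rel=${3%.$2}
    printf '%s\n' "$1" | awk -v abs="$3." -v rel="$rel" '
        /^[[:space:]]*;/ { next }
        ($1 == abs || $1 == rel) && $2 == "IN" && $3 == "NS" { print $4 }'
}

# has_glue ZONE_TEXT PARENT NS_FQDN -> 0 if the parent zone carries an A
# record for NS_FQDN (absolute or relative owner form).
has_glue() {
    rel=${3%.$2.}
    printf '%s\n' "$1" | awk -v abs="$3" -v rel="$rel" '
        ($1 == abs || $1 == rel) && $2 == "IN" && $3 == "A" { found = 1 }
        END { exit !found }'
}

# check_delegation ZONE_TEXT PARENT CHILD -> 0 when the delegation is usable.
check_delegation() {
    zone=$1; parent=$2; child=$3; rc=0
    ns_list=$(nameservers_for "$zone" "$parent" "$child")
    if [ -z "$ns_list" ]; then
        echo "no NS records for $child in the $parent zone"
        return 1
    fi
    for ns in $ns_list; do
        case $ns in
            *."$child".)
                # in-bailiwick name server: the parent must supply its address
                if has_glue "$zone" "$parent" "$ns"; then
                    echo "ok: $ns delegated with glue"
                else
                    echo "lame delegation: no glue A record for $ns"; rc=1
                fi ;;
            *.)
                echo "ok: $ns is outside $child, no glue needed" ;;
            *)
                # no trailing dot: BIND appends the origin, giving $ns.$parent.
                echo "error: relative NS target $ns (becomes $ns.$parent.)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: the delegation as written, then the same zone with the glue removed.
check_delegation "$COM_ZONE" com 51cto.com
check_delegation "$(printf '%s\n' "$COM_ZONE" | grep -v 'dns.51cto.com. IN A')" com 51cto.com \
    || echo "(second check failed, as expected)"
```

Run it against the real file with check_delegation "$(cat /var/named/chroot/var/named/com.zone)" com 51cto.com; it reads the parent zone only, so it does not replace a query against 192.168.1.8 to confirm the child server actually answers for the zone.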

view

Idea

By defining three views, clients from different sources get the same domain name resolved to different IPs.

This need comes mainly from the north/south connectivity problem between China Telecom and China Unicom. www.51cto.com has both a Telecom IP and a Unicom IP: when a Unicom client asks the DNS for www.51cto.com it should get the Unicom IP, and when a Telecom client asks it should get the Telecom IP.

This feature is also called smart DNS (split-horizon DNS).

The implementation is in the notes below:


named.caching-nameserver.conf

vim /var/named/chroot/etc/named.caching-nameserver.conf
The main job here is to define three views:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";

// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

allow-query { any; };
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#view localhost_resolver {
# match-clients { any; };
# match-destinations { any; };
# recursion yes;
# include "/etc/named.rfc1912.zones";
#};
view cu {
match-clients { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};

view tel {
match-clients { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};

view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};

Views are tried in the order they appear and the first match wins, so the catch-all other view must stay last; placed first it would swallow every client. Once any view statement is used, every zone (including the localhost and hint zones from named.rfc1912.zones) must live inside a view, which is why the old localhost_resolver view is commented out and each view includes its own copy of the zone list. Note also that every view has recursion yes and the last one matches any, so this server is an open resolver for anyone who can reach port 53; on anything but a lab network restrict it with allow-recursion { <your client networks>; }; or set recursion no in the other view.

Three rfc1912.zones files

]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.cu
]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.tel
]# cp /var/named/chroot/etc/named.rfc1912.zones /var/named/chroot/etc/named.rfc1912.zones.other
Mind the permissions on the three files: either copy with cp -p (the -p option means: same as --preserve=mode,ownership,timestamps) or fix the group afterwards:


]# chgrp named /var/named/chroot/etc/named.rfc1912.zones.*

Add the following zone declaration to each file. The only difference is the zone file name, so the A record for www.51cto.com in each zone can resolve to a different IP address:
[root@www etc]# tail -n 4 /var/named/chroot/etc/named.rfc1912.zones.*
==> /var/named/chroot/etc/named.rfc1912.zones.cu <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.cu";
};

==> /var/named/chroot/etc/named.rfc1912.zones.other <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.other";
};

==> /var/named/chroot/etc/named.rfc1912.zones.tel <==
zone "51cto.com" IN {
type master;
file "51cto.com.zone.tel";
};

Three zone files

Create the following three zone files; again mind the permissions!!

/var/named/chroot/var/named/51cto.com.zone.cu
/var/named/chroot/var/named/51cto.com.zone.tel
/var/named/chroot/var/named/51cto.com.zone.other

-------------

]# cat 51cto.com.zone.cu
$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;admin@51cto.com
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.254

;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8

-------------

]# cat 51cto.com.zone.tel
$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;admin@51cto.com
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.167

;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8


-------------

]# cat 51cto.com.zone.other

$TTL 86400
@ IN SOA dns.51cto.com. admin.51cto.com. (
;admin@51cto.com
2012122102 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

; FQDN
; www.51cto.com. www.51cto.com.
; www.51cto.com www.51cto.com.51cto.com.
IN NS dns.51cto.com.
dns IN A 192.168.1.8
www IN A 192.168.1.167

;$GENERATE 1-100 web$ IN A 192.168.1.$
;* IN A 192.168.1.8

-------------

]# chgrp named 51cto.com.zone.*
]# ls 51cto.com.zone.* -l
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.cu
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.other
-rw-r--r-- 1 root named 400 Apr 2 11:40 51cto.com.zone.tel

Start the DNS service (run named-checkconf -t /var/named/chroot first to catch syntax errors)

[root@www named]# service named restart
[root@www named]# iptables -L
Mind the iptables policy: all hosts must be allowed to reach port 53 over UDP and also TCP (TCP carries zone transfers and any answer too large for UDP).

Test from different clients

All clients point their DNS at 192.168.1.8; resolve www.51cto.com from each and check that the answers differ by client.

ACL

A set of IP addresses can be given a dedicated name, and wherever that set is needed the name is used directly.

ACL syntax:
acl acl-name {
address_match_list
};
Example:
acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };

--------------------
acl cu { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };

view cu {
match-clients { cu; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};
view tel {
match-clients { tel; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};
view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};

--------------------



Or define the ACLs in dedicated files and include them in the configuration file:
[root@localhost etc]# pwd
/var/named/chroot/etc

[root@localhost etc]# cat aclfile_cu aclfile_tel
acl cu {
192.168.1.32;
192.168.1.250;
192.168.1.249;
192.168.2.0/24;
};

acl tel {
192.168.1.253;
192.168.1.38;
192.168.1.101;
192.168.3.0/24;
};

include "/etc/aclfile_cu";
include "/etc/aclfile_tel";

#acl cu { 192.168.1.32; 192.168.1.250; 192.168.1.249; };
#acl tel { 192.168.1.253; 192.168.1.38; 192.168.1.101; };
view cu {
match-clients { cu; };
recursion yes;
include "/etc/named.rfc1912.zones.cu";
};
view tel {
match-clients { tel; };
recursion yes;
include "/etc/named.rfc1912.zones.tel";
};
view other {
match-clients { any; };
recursion yes;
include "/etc/named.rfc1912.zones.other";
};
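Whether a client lands in cu, tel or other depends only on the order of the view statements and on address-list matching, including the /24 prefixes added in aclfile_cu and aclfile_tel. As an added example, not part of the original notes, the shell script below reproduces that selection offline: in_acl implements address and CIDR matching, and match_view walks a view table in configuration order and returns the first match. The ACL_CU, ACL_TEL and VIEWS values are transcribed from the configuration above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: reproduces BIND's view selection
# (match-clients evaluated in configuration order, first match wins) for the
# cu/tel/other views, including the CIDR entries from aclfile_cu/aclfile_tel.

# ip2int DOTTED -> the IPv4 address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_acl IP ACL -> 0 when IP matches an entry of ACL, a space-separated list
# of single addresses, CIDR prefixes, or the keyword any.
in_acl() {
    ipn=$(ip2int "$1")
    for entry in $2; do
        case $entry in
            any) return 0 ;;
            */*)
                net=${entry%/*}; bits=${entry#*/}
                mask=$(( ((1 << bits) - 1) << (32 - bits) ))
                [ $(( ipn & mask )) -eq $(( $(ip2int "$net") & mask )) ] && return 0 ;;
            *)
                [ "$ipn" -eq "$(ip2int "$entry")" ] && return 0 ;;
        esac
    done
    return 1
}

# The ACLs from aclfile_cu and aclfile_tel.
ACL_CU="192.168.1.32 192.168.1.250 192.168.1.249 192.168.2.0/24"
ACL_TEL="192.168.1.253 192.168.1.38 192.168.1.101 192.168.3.0/24"

# VIEWS holds one "name match-clients" line per view, in named.conf order.
VIEWS="cu $ACL_CU
tel $ACL_TEL
other any"

# match_view IP VIEWS -> name of the first view whose match-clients matches IP
# (empty when none does; BIND then refuses the query).
match_view() {
    printf '%s\n' "$2" | while read -r name acl; do
        [ -z "$name" ] && continue
        if in_acl "$1" "$acl"; then
            echo "$name"
            break
        fi
    done
}

# Usage: a client from each ACL, a stranger, and the same table with the
# catch-all view moved first, which silently swallows everyone.
for ip in 192.168.1.32 192.168.3.7 10.0.0.1; do
    echo "$ip -> $(match_view "$ip" "$VIEWS")"
done
echo "192.168.1.32 with 'other' first -> $(match_view 192.168.1.32 "other any
cu $ACL_CU")"
```

Matching is purely on source address, so a client that spoofs or happens to share a Unicom prefix gets the Unicom answer; the views select content, they are not an access control.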


BIND reference manual

file:///usr/share/doc/bind-9.3.6/arm/Bv9ARM.html