本节以前面配置好的主、从DNS为实验环境,讲解DNS acl、转发、view、日志系统的相关使用
一、配置DNS acl访问控制列表
acl定义格式: acl string { address_match_element; ... };
常用的几种类型及格式:
allow-transfer {}; 允许做区域传送的主机列表
allow-query {}; 允许做查询限定
allow-recursion {}; 允许做递归查询列表,通常只给本地客户端做递归
allow-update {}; 允许DNS动态更新,但只能由DHCP指定DNS更新
[root@master named]# vim /etc/named.conf #编辑named主配置文件
acl query { 192.168.8.7; }; #定义用于限定查询的acl,也可限定网段,格式为 IP/Netmask
acl transfer { 192.168.8.9; }; #定义用于限定区域传送的acl
options { #注: acl后面的名称可自行定义,options中引用时保持一致即可
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
recursion yes;
allow-query { query; }; #限定查询,只允许前面query内定义主机查询
allow-transfer { transfer; }; #限定区域传送,只允许前面transfer内定义主机传送
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
dig测试前面所定义列表
#在从DNS上测试查询请求
[root@Slave named]# dig -t A www.dove.com @192.168.8.7 #查询请求失败:Slave(192.168.8.9)不在acl query中,被拒绝(REFUSED)
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.dove.com @192.168.8.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 25085
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
#提示警告:不提供递归请求
;; QUESTION SECTION:
;www.dove.com. IN A
;; Query time: 1 msec
;; SERVER: 192.168.8.7#53(192.168.8.7)
;; WHEN: Wed Apr 22 10:30:15 2015
;; MSG SIZE rcvd: 30
#在主DNS上测试区域传送请求
[root@master named]# dig -t axfr dove.com @192.168.8.7 #区域传送请求失败:请求来源192.168.8.7不在acl transfer中
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr dove.com
;; global options: +cmd
; Transfer failed. #提示区域传送失败
二、配置DNS转发
如何实现将请求转发出去:
转发类型:
转发所有针对非本机负责解析的区域的请求;
options {};
仅转发对特定区域的请求;
zone {
type forward;
};
格式: forward ( first | only );
forwarders [ port integer ] {
( ipv4_address | ipv6_address ) [ port integer ]; ...};
forward only|first; only表示仅转发 first表示先转发后查询
forwarders { IP; }; 表示转发
注: 转发的前提:接收转发请求的服务器必须能够为请求者做递归查询;
如: 将不能上网解析DNS转发请求至可上网DNS解析
1、编辑主配置文件、注释相关选项
[root@Slave named]# vim /etc/named.conf #编辑主配置文件
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
recursion yes; #注:上面的allow-query已被注释,若此服务器可被外部访问,应按前文所述用allow-query/allow-recursion将递归限定给本地客户端
forward only; #定义仅转发
forwarders { 172.16.1.16; }; #定义转发目标DNS IP,前面必须写为forwarders
// dnssec-enable yes; #注释dnssec安全选项(关闭后将不再校验转发目标返回应答的DNSSEC签名)
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic"; #注释密钥文件
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key"; #注释key文件
2、编辑区域配置文件
[root@Slave named]# vim /etc/named.rfc1912.zones #编辑区域配置文件
zone "google.com" IN { #添加区域
type forward; #type指定类型为forward(转发)
forward only; #转发选项为仅转发
forwarders { 172.16.1.16; }; #指定转发目标DNS IP
};
3、修改本机DNS查询文件
[root@Slave ~]# vim /etc/resolv.conf #编辑DNS查询文件
; generated by /sbin/dhclient-script
nameserver 172.16.2.245 #修改为本机IP
[root@Slave ~]# rndc reload #重读named配置文件
server reload successful
4、dig工具测试解析
[root@Slave ~]# dig -t A www.google.com #测试解析,转发成功
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21943
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 216.58.221.68
;; AUTHORITY SECTION:
google.com. 164414 IN NS NS2.google.com.
google.com. 164414 IN NS ns4.google.com.
google.com. 164414 IN NS ns3.google.com.
google.com. 164414 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
NS2.google.com. 164414 IN A 216.239.34.10
ns3.google.com. 164414 IN A 216.239.36.10
ns1.google.com. 164414 IN A 216.239.32.10
ns4.google.com. 164414 IN A 216.239.38.10
;; Query time: 49 msec
;; SERVER: 172.16.2.245#53(172.16.2.245)
;; WHEN: Wed Apr 22 13:46:30 2015
;; MSG SIZE rcvd: 184
三、配置view智能解析
实验环境: 虚拟机CentOS6.4配置两块网卡192.168.8.7/25 192.168.1.4/25
虚拟机CentOS6.4配置两块网卡192.168.8.9/25 192.168.1.3/25
用法:
view string optional_class {
match-clients { address_match_element; ... };
zone string optional_class {... };
}
注:view需注意
通常只为内网客户端提供递归功能,提供根区域等;
通常只为外网客户端提供本机所负责的区域的解析;
1、编辑区域配置文件
[root@master named]# vim /etc/named.rfc1912.zones #编辑区域配置文件
view internal { #指定view名称为internal
match-clients { 192.168.8.0/24; }; #指定IP匹配范围
zone "." IN { #启用view后所有zone(包括/etc/named.conf中的根区域)都必须放在某个view内,否则报错
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "dove.com" IN {
type master;
file "dove.com.zone";
};
zone "8.168.192.in-addr.arpa" IN {
type master;
file "192.168.8.zone";
};
}; #view结尾段
2、配置192.168.1.0网段view
[root@master named]# vim /etc/named.rfc1912.zones #编辑区域配置文件
view external { #指定view名称为external
match-clients { 192.168.1.0/24; }; #指定IP匹配范围
zone "dove.com" IN { #指定使用view的区域
type master;
file "external.dove.com.zone";
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "external.192.168.1.zone";
};
};
[root@master named]# cp -p dove.com.zone external.dove.com.zone #复制原区域修改
[root@master named]# cp -p 192.168.8.zone external.192.168.1.zone #文件名需与上面external view中引用的一致
3、修改view中使用区域
[root@master named]# vim external.dove.com.zone #编辑区域文件
$TTL 600
@ IN SOA dove.com. admin.dove.com. (
2015041802
2H
5M
3D
1D )
IN NS dns
dns IN A 192.168.8.7 #区域NS对应A记录保持不变
mail IN A 192.168.1.8
www IN A 192.168.1.8
4、dig测试解析
[root@master named]# dig -t A www.dove.com @192.168.8.7 #解析结果为8.0网段
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.dove.com @192.168.8.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39566
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dove.com. IN A
;; ANSWER SECTION:
www.dove.com. 600 IN A 192.168.8.8
;; AUTHORITY SECTION:
dove.com. 600 IN NS Slave.dove.com.
dove.com. 600 IN NS dns.dove.com.
;; ADDITIONAL SECTION:
dns.dove.com. 600 IN A 192.168.8.7
Slave.dove.com. 600 IN A 192.168.8.9
;; Query time: 0 msec
;; SERVER: 192.168.8.7#53(192.168.8.7)
;; WHEN: Wed Apr 22 16:33:20 2015
;; MSG SIZE rcvd: 116
[root@Slave ~]# dig -t A www.dove.com @192.168.1.4 #解析结果为1.0网段
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.dove.com @192.168.1.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41704
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dove.com. IN A
;; ANSWER SECTION:
www.dove.com. 600 IN A 192.168.1.8
;; AUTHORITY SECTION:
dove.com. 600 IN NS dns.dove.com.
;; ADDITIONAL SECTION:
dns.dove.com. 600 IN A 192.168.8.7
;; Query time: 0 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Apr 22 16:33:45 2015
;; MSG SIZE rcvd: 80
四、DNS日志系统
DNS收集日志两种方式 :
一、file: /var/log/query.log 指定日志文件
二、rsyslog 日志服务器
格式:
logging {
channel string {
file log_file;
syslog optional_facility;
null;
stderr;
severity log_severity;
print-time boolean;
print-severity boolean;
print-category boolean;
};
category string { string; ... };
};
channel 与 category
category : 记录哪个功能产生的日志信息,一共内置有15种category;
channel : 日志信息记录到何处,一般有两种形式,一种为file,另一种为syslog;同时,还需要指定日志级别;
一个category产生的日志可以发往多个channel;而一个channel只能为一个category记录日志;
如:
[root@master named]# vim /etc/named.conf #编辑主配置文件
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel querylog { #定义channel名称为querylog
file "/var/log/dns.log"; #定义日志文件
severity dynamic; #severity定义日志级别,类型为dynamic
print-severity yes; #print定义显示日志级别
print-category yes; #print定义显示category类别
print-time yes; #print定义显示日志记录时间
};
category queries { querylog; }; #category定义日志种类,对应上面channel
};
[root@master named]# named-checkconf #检查配置文件
[root@master named]# touch /var/log/dns.log #创建日志文件
由于named服务进程是以named用户运行,所以请确保此文件事先存在,且属主、组为named
[root@master named]# chown named:named /var/log/dns.log #修改文件属主、组
[root@master ~]# service named restart #重启服务,为确保测试成功
[root@master named]# dig -t A www.dove.com #dig测试解析
[root@master ~]# cat /var/log/dns.log #查看日志文件
22-Apr-2015 20:58:05.785 queries: info: client 192.168.8.7#51360: query: www.dove.com IN A + (192.168.8.7) #日志信息:记录日期、日志级别、客户端、随机端口、请求记录类型
The End! 相关配置完成.
转载于:https://blog.51cto.com/mydove/1637346