bind9 dlz mysql: Building an Enterprise Smart DNS with BIND + DLZ + MySQL

Contents:

I. Introduction
II. Service planning
III. Installing BIND and the base environment
IV. Configuring Bind-View-DLZ-MySQL
V. Adding records and testing
VI. Configuring the slave DNS
VII. This article uses FreeBSD 10.2-STABLE as the example system

I. Introduction:

1. Smart DNS (Bind-view):

The principle of smart DNS is simple: when a user resolves a domain name, the server looks at the IP the user is coming from, matches it against the IP table held inside the DNS server to decide whether the user is a Telecom or a Netcom customer, and returns the corresponding IP address. Domain registrars currently do not offer smart DNS, so you must either run your own DNS server or use a free smart DNS service on the Internet such as DNSPod.

2. Bind-DLZ

Bind-DLZ home page: http://bind-dlz.sourceforge.net/

DLZ (Dynamically Loadable Zones) differs from traditional BIND9, which has these shortcomings:

* BIND reads its data from text files, so editing mistakes easily cause problems.
* BIND must load its data into memory; with many zones or records this consumes a lot of memory.
* BIND parses the zone files at startup, which costs considerable time for a DNS with many records.
* Changing even a single record requires a reload or restart of BIND before it takes effect; that takes time and may affect client queries.

Bind-DLZ solves these problems: zone data is handled directly in the database instead of in zone files, which makes it much easier to extend the service and to develop management tools for it.

II. Service planning:

1. Nameserver registration (done with your domain registrar)

Data between the master and slave DNS is synchronised through MySQL master/slave replication:

    Master DNS:                    ns1.gov.com    192.168.1.60
    Slave DNS:                     ns2.gov.com    192.168.1.61
    Web site (Netcom, CNC):        www.gov.com    192.168.1.51
    Web site (Telecom, CT):        www.gov.com    192.168.1.52
    Web site (Mobile, CMCC):       www.gov.com    192.168.1.53
    Web site (Education, EDU):     www.gov.com    192.168.1.54
    Web site (Tietong, TIETONG):   www.gov.com    192.168.1.55
    Web site (other, ANY):         www.gov.com    192.168.1.56

Note:

When a Netcom user asks their local DNS for www.gov.com, the local DNS resolves the name recursively and finally sends the query to ns1.gov.com. ns1.gov.com picks the best answer according to the address range the requesting IP belongs to and returns the Netcom IP of www.gov.com to the local DNS.

2. Bind-view planning:

    Netcom CNC         cnc.txt
    Telecom CT         ct.txt
    Mobile CMCC        cmcc.txt
    Education EDU      edu.txt
    Tietong TIETONG    tietong.txt

include "/usr/local/bind/etc/view.conf"; (IPs not found in any of the IP lists belong to the any view)

IP lists and ACLs: if you have a more detailed IP database organised by city or region, you can name and plan the views by city or region when designing the BIND view field.
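The view selection described above, as an added example that is not part of the original post: it parses ACL files in the page's `acl name { prefix; ... };` layout, picks the first view whose ACL contains the query source (with `any` as the catch-all, so it must be listed last), and flags prefixes that appear in two carriers' lists, where the view listed first silently wins. The prefixes, view order and answer table are constructed sample data.

```python
import ipaddress
import re

# Constructed sample ACL files in the page's ip/*.txt layout (prefixes are made up;
# 1.0.2.0/24 is deliberately listed under both carriers to show the overlap check).
ACL_FILES = {
    "ct": "acl ct{\n1.0.1.0/24;\n1.0.2.0/23;\n58.32.0.0/13; # telecom block\n};\n",
    "cnc": 'acl "cnc" {\n1.0.2.0/24;\n202.96.0.0/15;\n};\n',
}
# View order from the page's plan ("any" has no ACL and must stay last) and the
# per-view answer for www.gov.com from the page's service plan.
VIEW_ORDER = ["cnc", "ct", "cmcc", "edu", "tietong", "any"]
ANSWERS = {"cnc": "192.168.1.51", "ct": "192.168.1.52", "any": "192.168.1.56"}
ACL_RE = re.compile(r'acl\s+"?([\w-]+)"?\s*\{(.*?)\};', re.S)

def parse_acl(text):
    """Return (name, [ip_network, ...]) from one acl file, ignoring # and // comments."""
    match = ACL_RE.search(text)
    if not match:
        raise ValueError("no acl block found")
    nets = []
    for line in match.group(2).splitlines():
        line = line.split("#", 1)[0].split("//", 1)[0].strip().rstrip(";")
        if line:  # strict=True rejects prefixes with host bits set (almost always a typo)
            nets.append(ipaddress.ip_network(line, strict=True))
    return match.group(1), nets

def load_acls(files):
    return dict(parse_acl(text) for text in files.values())

def select_view(client_ip, acls, order=VIEW_ORDER):
    """First view whose ACL contains the query source wins, as with BIND match-clients.
    The source BIND sees is whoever sent the query: for a relayed query that is the
    user's recursive resolver, not the user's own machine."""
    ip = ipaddress.ip_address(client_ip)
    for view in order:
        if view == "any" or any(ip in net for net in acls.get(view, [])):
            return view
    return None  # nothing matched: named logs "no matching view" and refuses the query

def resolve(client_ip, acls, answers=ANSWERS):
    return answers.get(select_view(client_ip, acls))

def overlaps(acls):
    """Prefixes shared by two carriers' lists: only the view listed first ever answers."""
    names = list(acls)
    return [(a, str(na), b, str(nb)) for i, a in enumerate(names) for b in names[i + 1:]
            for na in acls[a] for nb in acls[b] if na.overlaps(nb)]
```

Run overlaps() over all ip/*.txt files before deploying a new IP list; an address in two lists is answered from whichever view comes first in named.conf, not from the carrier it was meant for.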

III. Installing BIND and the base environment:

1. Install MySQL:

    pkg install mysql5-server
    cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf
    echo 'mysql_enable="YES"' >> /etc/rc.conf
    cd /usr/local/etc/rc.d
    ./mysql-server start                     # start MySQL
    mysqladmin -u root -p password '123456'  # set the MySQL root password

Compile and install BIND:

    wget http://ftp.isc.org/isc/bind9/9.10.3-P2/bind-9.10.3-P2.tar.gz
    tar zxvf bind-9.10.3-P2.tar.gz
    cd bind-9.10.3-P2
    ./configure --with-dlz-mysql --enable-largefile --enable-threads=no --prefix=/usr/local/bind --disable-openssl-version-check
    make && make install

Create the configuration files:

    cd /usr/local/bind/etc/
    ../sbin/rndc-confgen > rndc.conf
    # the commented-out tail of rndc.conf is the key/controls block for named.conf;
    # copy it there with the comment markers stripped
    tail -n10 rndc.conf | head -n9 | sed -e 's/#//g' > named.conf

Create localhost.zone:

    vi localhost.zone

    $TTL 86400
    @       IN SOA localhost. root.localhost. (
                    1997022700 ; Serial
                    28800      ; Refresh
                    14400      ; Retry
                    3600000    ; Expire
                    86400 )    ; Minimum
            IN NS  localhost.
    1       IN PTR localhost.

Create named.root (the root hints file):

    cd /usr/local/bind/etc/
    wget ftp://ftp.rs.internic.net/domain/named.root
    cat named.root

The fetched file carries the InterNIC header comment (last update December 01, 2015, root zone version 2015120100) followed by the NS, A and AAAA records of the root servers A.ROOT-SERVERS.NET. through M.ROOT-SERVERS.NET.


Generate the TSIG keys with dnssec-keygen; each run produces a pair of files, one holding the public key and one the private key:

    cd /usr/local/bind/sbin
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST cnc
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST ct
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST edu
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST cmcc
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST tietong
    ./dnssec-keygen -a hmac-md5 -b 128 -n HOST any

named.conf contents:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "D3wcCb9Dti/vZ8v4OUzXVA==";
    };

    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    logging {
        channel query_log {
            file "/var/log/named.log" versions 3 size 20m;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category queries {
            query_log;
        };
        category lame-servers {
            null;
        };
    };

    options {
        directory "/usr/local/bind/etc";
        pid-file "named.pid";
        allow-query {
            any;
        };
        #allow-recursion { none; };
        recursion no;
        listen-on port 53 {
            192.168.137.2;
            127.0.0.1;
        };
        #listen-on-v6 port 53 { any;};
    };

    #TSIG-key
    key "cnc" {
        algorithm hmac-md5;
        secret "zI17BnACwUMcSJCT0POefQ==";};
    key "ct" {
        algorithm hmac-md5;
        secret "zb2zBOKBO9xqMRA6BGsUqA==";};
    key "edu" {
        algorithm hmac-md5;
        secret "H4AzW3qXq2F5wzjWOGjnLg==";};
    key "cmcc" {
        algorithm hmac-md5;
        secret "gzUux9/0x5v6aMu/1Ay6Kg==";};
    key "tietong" {
        algorithm hmac-md5;
        secret "kOM29Ms1BS2qMai2pwtoAQ==";};
    key "any" {
        algorithm hmac-md5;
        secret "lmEhKVBg6HHRSevRgi8Rcw==";};

    acl "dns-ip-list" {
        192.168.137.2;   #master DNS IP
        #192.168.137.3;  #slave DNS IP
    };

    include "/usr/local/bind/etc/ip/cnc.txt";
    include "/usr/local/bind/etc/ip/ct.txt";
    include "/usr/local/bind/etc/ip/cmcc.txt";
    include "/usr/local/bind/etc/ip/edu.txt";
    include "/usr/local/bind/etc/ip/tietong.txt";
    include "/usr/local/bind/etc/view.conf";

Configure the matching ACL for each carrier; each file holds that carrier's network prefixes in CIDR notation, one per line (ct.txt shown here):

    cat ct.txt

    acl ct {

