<p> <span style="font-size:18px"><strong>DNS and the distributed domain-name database</strong></span> </p>
<p> <span style="font-size:18px"><span style="font-size:12px">I. About DNS</span></span> </p>
<p> 1. DNS (Domain Name Service): the domain-name resolution service protocol </p>
<p> 2. Normally listens on UDP port 53 and TCP port 53 </p>
<p> 3. Implementations: BIND (Berkeley Internet Name Domain), PowerDNS, etc. </p>
<p> 4. The DNS service works on a distributed database of name-resolution data and is used to translate between domain names and IP addresses </p>
<p> <span style="font-size:18px"><span style="font-size:12px">II. The distributed domain-name database</span></span> </p>
<p> <img src="//cto.wang/usr/uploads/2016/07/20160703180104-67.jpg" alt="" /> </p>
<p> 1. Root domain: . </p>
<p> 2. Top-level domains: organizational domains (.com .org .mil); country domains (.cn .tw .jp .us); the reverse domain (.in-addr.arpa) </p>
<p> 3. Resolution directions: </p>
<ul> <li> FQDN (Fully Qualified Domain Name) –> IP: forward resolution </li> <li> IP –> FQDN: reverse resolution </li> </ul>
<p> 4. Recursion and iteration </p>
<ul> <li> Recursive: when a server receives a query for a name outside its own authority, it passes the request on to the upstream servers itself, hop by hop, and relays the final result back to the host that asked. The server a client points at must provide recursive service. </li> <li> Iterative: when a server receives a query for a name outside its own authority, it refers the client to a root server; the root refers the client to the next server down, and so on, until the client reaches the server that is authoritative for the requested name. </li> </ul>
<p> <span style="line-height:1.5"> 5. 
Resource records (Resource Record): resource records store the name-resolution data; the main record types are:</span> </p>
<ul> <li> SOA: Start Of Authority, declares the start of authority for the local zone </li> <li> NS: Name Server, records the zone's name servers </li> <li> MX: Mail eXchanger, records the mail servers </li> <li> A: Address, FQDN –> IP </li> <li> PTR: PoinTeR, IP –> FQDN </li> <li> AAAA: Address, FQDN –> IPv6 </li> <li> CNAME: Canonical Name, alias record </li> </ul>
<p> 6. Domain and zone </p>
<ul> <li> Domain: a logical concept </li> <li> Zone: a physical concept, namely the storage that holds the resource records, such as a text file or a database </li> <li> A forward zone and a reverse zone cannot be stored in the same file or database, because their lookup mechanisms differ </li> </ul>
<p> 7. DNS server types </p>
<ul> <li> Master DNS server </li> <li> Slave DNS server </li> <li> Caching name server </li> </ul>
<p> 8. Zone data file format (BIND as the example): a text file containing resource records and macro definitions </p>
<ul> <li> Resource record format </li> </ul>
<pre class="prettyprint lang-bsh">Record format:  name [ttl] IN RRtype value
Examples:
www                  600 IN A 1.2.3.4
www.playground.com.  600 IN A 1.2.3.4</pre>
<ul> <li> SOA record </li> </ul>
<pre class="prettyprint lang-bsh">SOA: exactly one per zone
name:  the zone name, usually abbreviated as @, e.g. magedu.com.
value: the FQDN of the master DNS server
Note:  the SOA must be the first record in the zone file
Example:
@ 600 IN SOA ns.playground.com. dnsadmin.playground.com. 
(
    serial number        ; serial: a decimal number of at most 10 digits, conventionally a date, e.g. 2014031001
    refresh time         ; refresh: how often slaves check the master for changes
    retry time           ; retry: should be less than the refresh time
    expire time          ; expire
    negative answer ttl  ; TTL for negative answers
)</pre>
<ul> <li> NS record </li> </ul>
<pre class="prettyprint lang-bsh">NS: may appear more than once
name:  the zone name, usually abbreviated as @
value: the FQDN of the DNS server (a relative name may be used)
Example:
@ 600 IN NS ns</pre>
<ul> <li> A record </li> </ul>
<pre class="prettyprint lang-bsh">A: may only be defined in a forward zone file
name:  FQDN (a relative name may be used)
value: IP address
Examples:
www 600 IN A 1.2.3.4
www 600 IN A 1.2.3.5
ftp 600 IN A 1.2.3.4</pre>
<ul> <li> MX record </li> </ul>
<pre class="prettyprint lang-bsh">MX: may appear more than once
name:  the zone name; identifies the SMTP servers for it
value: a priority followed by an FQDN
priority: 0-99; the lower the number, the higher the priority
Examples:
@ 600 IN MX 10 mail
@ 600 IN MX 20 mail2</pre>
<ul> <li> CNAME record </li> </ul>
<pre class="prettyprint lang-bsh">CNAME:
name:  FQDN
value: FQDN
Examples:
ftp  IN CNAME www
mail IN CNAME www</pre>
<ul> <li> PTR record </li> </ul>
<pre class="prettyprint lang-bsh">PTR: IP --> FQDN; may only be defined in a reverse zone file. The reverse zone name is the
     reversed network address followed by the .in-addr.arpa. suffix
name:  the reversed host part of the IP, e.g. for 172.16.100.7 the name is 7.100,
       in full 7.100.16.172.in-addr.arpa.
value: FQDN
Example:
4.3.2 600 IN PTR www.playground.com.</pre>
<p> <span style="line-height:1.5">9. 
Zone transfer:</span> </p>
<ul> <li> The process by which a slave DNS server requests zone data from the master DNS server or from another slave </li> </ul>
<ul> <li> Full zone transfer: transfers all data of the zone, AXFR </li> <li> Incremental zone transfer: transfers only the data that changed in the zone, IXFR </li> </ul>
<p> <span style="font-size:18px"><strong>The BIND DNS server: an introduction</strong></span> </p>
<p> I. About BIND </p>
<p> 1. BIND: www.isc.org </p>
<p> 2. Service program name: named, runs as user and group named:named </p>
<p> 3. The BIND package group </p>
<pre class="prettyprint lang-bsh">bind.x86_64            : the BIND server itself
bind-chroot.x86_64     : change-root (chroot) support
bind-devel.i686        : 32-bit BIND development package
bind-devel.x86_64      : 64-bit BIND development package
bind-dyndb-ldap.x86_64 : dynamic database support
bind-libs.i686         : BIND shared libraries
bind-libs.x86_64       : 64-bit shared libraries
bind-sdb.x86_64        : database back-end interface
bind-to-tinydns.x86_64 : tiny DNS server program
bind-utils.x86_64      : utilities</pre>
<p> II. The main configuration file and the zone files: /etc/named.conf, /var/named/ </p>
<p> 1. The three required zones: the root (.), localhost, and 127.0.0.1 </p>
<pre class="prettyprint lang-bsh">Main configuration file:
options {
    // global options
};
zone "ZONE name" {
    // zone definition
};
logging {
    // logging configuration
};</pre>
<p> 2. Zone types </p>
<ul> <li> hint: cache zone, used on caching servers </li> <li> master: primary zone, used on the master server </li> <li> slave: secondary zone, used on the slave server </li> <li> forward: forwarding zone </li> </ul>
<p> III. Forward and reverse resolution with named: an example </p>
<p> Example: add the forward zone playground.com and the reverse zone 233.168.192.in-addr.arpa </p>
<p> mail, 192.168.98.12<br /> www 192.168.98.13<br /> pop –> mail<br /> ftp –> www </p>
<p> dns: 192.168.233.128 </p>
<blockquote><p> <span style="line-height:1.5">1. 
Edit the main configuration file</span> </p></blockquote>
<pre class="prettyprint lang-bsh">options {
#   listen-on port 53 { 127.0.0.1; };      # commented out: listen on port 53 of every IPv4 address
#   listen-on-v6 port 53 { ::1; };         # commented out: listen on port 53 of every IPv6 address
    directory "/var/named";                # directory that holds the zone files
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
#   allow-query { 127.0.0.1; 192.168.233.128; 192.168.233.131; };   # query whitelist; commented out, so every IP may query
    recursion yes;                         # whether to provide recursion
#   dnssec-enable yes;
#   dnssec-validation yes;
#   dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";        # zone definitions are read from this file
#include "/etc/named.root.key";            # related to remote control</pre>
<p> 2. Add the new zone playground.com to /etc/named.rfc1912.zones </p>
<pre class="prettyprint lang-bsh">## add the forward zone
zone "playground.com" IN {
    type master;
    file "playground.zone";
};
## add the reverse zone
zone "98.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.98.zone";
};</pre>
<p> 3. Edit the zone files </p>
<pre class="prettyprint lang-bsh">; in /var/named/, create the forward zone file and save it as playground.zone, the file name given in the configuration
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com. (
                20150305
                1H
                5M
                3D
                12H )
@       IN NS   dns
@       IN MX   10 mail
dns     IN A    192.168.233.128
mail    IN A    192.168.98.12
www     IN A    192.168.98.13
ftp     IN CNAME www
pop     IN CNAME www</pre>
<pre class="prettyprint lang-bsh">; in /var/named/, create the reverse zone file and save it as 192.168.98.zone, the file name given in the configuration
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com. (
                20150305 1H 5M 3D 12H )
@       IN NS   dns.playground.com.
128     IN PTR  dns.playground.com.
12      IN PTR  mail.playground.com.
13      IN PTR  www.playground.com.
ns      IN A    192.158.98.128
mail    IN A    192.168.98.12
www     IN A    192.168.98.13</pre>
<p> 4. Change the owner and group of the configuration files to named:named and their mode to 640 </p>
<pre class="prettyprint lang-bsh">## without the owner/group change named cannot read the configuration, because the service runs as the named user
chown named:named /etc/named.rfc1912.zones
chown named:named /etc/named.conf
## tighten the mode for safety: even if named is compromised, no sensitive information is exposed
chmod 640 /etc/named.conf
chmod 640 /etc/named.rfc1912.zones
chown named:named /var/named/playground.zone
chmod 640 /var/named/playground.zone</pre>
<p> 5. Start the service, check that TCP/UDP port 53 is being listened on, and check /var/log/messages </p>
<pre class="prettyprint lang-bsh">ss -tunl | grep ":53"
udp    UNCONN     0      0      192.168.233.128:53      *:*
udp    UNCONN     0      0      172.25.137.40:53        *:*
udp    UNCONN     0      0      127.0.0.1:53            *:*
tcp    LISTEN     0      3      192.168.233.128:53      *:*
tcp    LISTEN     0      3      172.25.137.40:53        *:*
tcp    LISTEN     0      3      127.0.0.1:53            *:*

service named configtest        ## check the configuration syntax
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone playground.com/IN: loaded serial 20150305
zone 98.168.192.in-addr.arpa/IN: loaded serial 20150305

service named start             ## start the service
Starting named:                                            [  OK  ]

tail /var/log/messages          ## inspect the service log
Mar 13 22:40:26 www named[47455]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 13 22:40:26 www named[47455]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 13 22:40:26 www named[47455]: zone 98.168.192.in-addr.arpa/IN: loaded serial 20150305
Mar 13 22:40:26 www named[47455]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Mar 13 22:40:26 www named[47455]: zone playground.com/IN: loaded serial 20150305
Mar 13 22:40:26 www named[47455]: zone localhost.localdomain/IN: loaded 
serial 0
Mar 13 22:40:26 www named[47455]: zone localhost/IN: loaded serial 0
Mar 13 22:40:26 www named[47455]: managed-keys-zone ./IN: loaded serial 288
Mar 13 22:40:26 www named[47455]: zone 98.168.192.in-addr.arpa/IN: sending notifies (serial 20150305)
Mar 13 22:40:26 www named[47455]: running</pre>
<p> 6. Test with dig </p>
<pre class="prettyprint lang-bsh">dig www.playground.com @192.168.233.128      ## test forward resolution

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> www.playground.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34061
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.playground.com.            IN      A

;; ANSWER SECTION:
www.playground.com.     600     IN      A       192.168.98.13

;; AUTHORITY SECTION:
playground.com.         600     IN      NS      dns.playground.com.

;; ADDITIONAL SECTION:
dns.playground.com.     600     IN      A       172.25.137.40

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 13 22:47:49 2015
;; MSG SIZE  rcvd: 86

dig -x 192.168.98.13 @192.168.233.128         ## test reverse resolution

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> -x 192.168.98.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17843
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;13.98.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
13.98.168.192.in-addr.arpa. 600 IN      PTR     www.playground.com.

;; AUTHORITY SECTION:
98.168.192.in-addr.arpa. 600    IN      NS      ns.playground.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 13 22:48:07 2015
;; MSG SIZE  rcvd: 93</pre>
<p> IV. Zone transfer and slave server configuration </p>
<p> <img src="//cto.wang/usr/uploads/2016/07/20160703180104-1.jpg" alt="" /> </p>
<p> 1. Simulating a full zone transfer with dig </p>
<pre class="prettyprint lang-bsh"># dig -t axfr playground.com @192.168.233.128

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> -t axfr playground.com @192.168.233.128
;; global options: +cmd
playground.com. 
600 IN SOA dns.playground.com. dnsadmin.playground.com. 20150305 3600 300 259200 43200
playground.com.         600     IN      NS      dns.playground.com.
playground.com.         600     IN      MX      10 mail.playground.com.
dns.playground.com.     600     IN      A       172.25.137.40
ftp.playground.com.     600     IN      CNAME   www.playground.com.
mail.playground.com.    600     IN      A       192.168.98.12
pop.playground.com.     600     IN      CNAME   www.playground.com.
www.playground.com.     600     IN      A       192.168.98.13
playground.com.         600     IN      SOA     dns.playground.com. dnsadmin.playground.com. 20150305 3600 300 259200 43200
;; Query time: 16 msec
;; SERVER: 192.168.233.128#53(192.168.233.128)
;; WHEN: Fri Mar 13 23:30:15 2015
;; XFR size: 9 records (messages 1, bytes 240)</pre>
<p> 2. Master/slave compatibility: the master's BIND version may be lower than the slave's </p>
<p> 3. The two key steps when adding a slave server to a zone: </p>
<ul> <li> Obtain delegation from the level above (here, the DNS server of the parent domain) </li> <li> Add an NS record for the slave, and the matching A or PTR record, to the master's zone file </li> </ul>
<p> 4. Slave server example </p>
<p> Assume another host with IP address 192.168.233.129 acts as a slave of 192.168.233.128 (continuing the example above). </p>
<p> First, add NS records for the slave to the zone files on the master DNS server </p>
<pre class="prettyprint lang-bsh">; forward zone: add an NS record for the slave
@       IN NS   ns
ns      IN A    192.168.233.129
; reverse zone: add an NS record for the slave
@       IN NS   ns.playground.com.
129     IN PTR  ns.playground.com.
; after editing, if you did not work as the named user, be sure to change the owner and group of the files back to named:named, and bump the serial number</pre>
<pre class="prettyprint lang-bsh">service named reload        ## reload the service</pre>
<p> Then, in the BIND configuration on the slave host, add the same two zones (forward and reverse) as on the master </p>
<pre class="prettyprint lang-bsh">## forward zone on the slave
zone "playground.com" IN {
    type slave;
    masters { 192.168.233.128; };
    file "slaves/playground.com.zone";
};
## reverse zone on the slave
zone "233.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.233.128; };
    file "slaves/192.168.233.com.zone";
};
## restart the service
service named restart</pre>
<p> Check the log file and the transferred zone files, then try resolving through the slave </p>
<pre class="prettyprint lang-bsh">tail /var/log/messages
Mar 17 03:59:52 www named[2533]: running
Mar 17 03:59:52 www named[2533]: zone 233.168.192.in-addr.arpa/IN: sending notifies (serial 20150305)
Mar 17 03:59:52 www named[2533]: zone playground.com/IN: sending notifies (serial 3934520385)

ls /var/named/slaves        ## check that the zone files were transferred
-rw-r--r--. 1 named named 482 Mar 17 03:47 192.168.233.com.zone
-rw-r--r--. 1 named named 497 Mar 17 03:54 playground.com.zone

dig -t A www.playground.com @192.168.233.129   ## try a lookup

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> -t A www.playground.com @192.168.233.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17894
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.playground.com.            IN      A

;; ANSWER SECTION:
www.playground.com.     600     IN      A       192.168.98.13

;; AUTHORITY SECTION:
playground.com.         600     IN      NS      dns.playground.com.
playground.com.         600     IN      NS      ns.playground.com.

;; ADDITIONAL SECTION:
dns.playground.com.     600     IN      A       172.25.137.40
ns.playground.com.      600     IN      A       192.168.233.129

;; Query time: 0 msec
;; SERVER: 192.168.233.129#53(192.168.233.129)
;; WHEN: Tue Mar 17 04:02:31 2015
;; MSG SIZE  rcvd: 119</pre>
<p> V. Subdomain delegation </p>
<p> 1. 
Implementing subdomain delegation in BIND: first add glue records to the parent zone file that declare the delegated subdomain and the IP addresses of its servers. The parent zone file needs the following entries: </p>
<ul> <li> the name of the delegated subzone </li> <li> the name servers of the subzone </li> <li> the IP addresses of the subzone's name servers </li> </ul>
<p> Example: </p>
<pre class="prettyprint lang-bsh">bio.playground.com.      IN NS  dns.bio.playground.com.
bio.playground.com.      IN NS  ns2.bio.playground.com.
dns.bio.playground.com.  IN A   172.16.200.21
ns2.bio.playground.com.  IN A   172.16.200.22</pre>
<p> 2. Configuring zone forwarding: forward zones </p>
<p> When resolving a name in a zone this server is not responsible for, the query is not sent to the root but forwarded to the specified host </p>
<pre class="prettyprint lang-bsh">zone "ZONE NAME" IN {
    type forward;
    forwarders { DNS_SERVER; };
    forward only|first;
};</pre>
<p> Forwarding modes: </p>
<pre class="prettyprint lang-bsh">Forward every zone this server is not responsible for:
options {
    forward only|first;
    forwarders { IP; };
};

Forward one specific zone:
zone "SPECIFIC ZONE" IN {
    type forward;
    forwarders { IP; };
    forward only|first;
};</pre>
<p> 3. ACL: the access control lists supported by BIND </p>
<pre class="prettyprint lang-bsh">acl ACL_NAME {
    172.16.0.0/16;
    192.168.0.0/24;
    127.0.0.0/8;
};</pre>
<p> An access control list can only be used after it has been defined; acl definitions therefore usually go at the very top of named.conf. </p>
<p> BIND has four built-in ACLs:<br /> any: any host<br /> none: no host<br /> localhost: this host<br /> localnets: the networks this host is attached to </p>
<p> 4. Example, continuing the one above: </p>
<p> the parent domain is playground.com. at address 192.168.233.128, </p>
<p> the subdomain bio.playground.com. is to be delegated to another host, 192.168.233.129, </p>
<p> and the subdomain server must also be able to resolve the other names of the parent domain. </p>
<p> Add the glue records to the parent playground.com zone file </p>
<pre class="prettyprint lang-bsh">bio     IN NS   ns.bio
ns.bio  IN A    192.168.233.129</pre>
<p> Add this zone to the configuration file on the subdomain host </p>
<pre class="prettyprint lang-bsh">zone "bio.playground.com" IN {
    type master;
    file "bio.playground.com.zone";
};</pre>
<p> On the subdomain host, create the subdomain zone file /var/named/bio.playground.com.zone, and set its mode and owner/group (named:named) </p>
<pre class="prettyprint lang-bsh">@       IN SOA  ns.bio.playground.com. nsbioadmin.playground.com. (
                2015030901 1H 5M 3D 12H )
@       IN NS   ns.bio.playground.com.
@       IN MX   10 mail.bio.playground.com.
ns      IN A    192.168.233.129
mail    IN A    192.168.233.140
www     IN A    192.168.233.141
ftp     IN A    192.168.233.142
pop     IN CNAME ftp</pre>
<p> In the configuration file of the subdomain host, add a forward zone so that the subdomain host can resolve names in the parent domain </p>
<p> Note that this requires recursion yes in the parent's configuration, or a recursion whitelist; here I cut a corner and simply used recursion yes, which is very unsafe in a production setting </p>
<pre class="prettyprint lang-bsh">zone "playground.com" IN {
    type forward;
    forwarders { 192.168.233.128; };
    forward only;
};</pre>
<p> After restarting or reloading the parent and subdomain servers, try resolving </p>
<pre class="prettyprint lang-bsh">## on the subdomain server, resolve a subdomain name
dig www.bio.playground.com @192.168.233.129

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> www.bio.playground.com @192.168.233.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17622
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.bio.playground.com.        IN      A

;; ANSWER SECTION:
www.bio.playground.com. 43200   IN      A       192.168.233.141

;; AUTHORITY SECTION:
bio.playground.com.     43200   IN      NS      ns.bio.playground.com.

;; ADDITIONAL SECTION:
ns.bio.playground.com.  43200   IN      A       192.168.233.129

;; Query time: 0 msec
;; SERVER: 192.168.233.129#53(192.168.233.129)
;; WHEN: Tue Mar 17 17:16:39 2015
;; MSG SIZE  rcvd: 89

## on the subdomain server, resolve a parent-domain name
dig www.playground.com @192.168.233.129

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> www.playground.com @192.168.233.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9272
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.playground.com.            IN      A

;; ANSWER SECTION:
www.playground.com.     600     IN      A       192.168.98.13

;; AUTHORITY SECTION:
playground.com.         600     IN      NS      dns.playground.com.

;; ADDITIONAL SECTION:
dns.playground.com. 
600 IN A 192.168.233.129
;; Query time: 15 msec
;; SERVER: 192.168.233.129#53(192.168.233.129)
;; WHEN: Tue Mar 17 17:18:02 2015
;; MSG SIZE  rcvd: 86

The two answers differ in their flags: when a parent-domain name is resolved through the subdomain server, the aa flag is missing, which means the answer is not authoritative, only a non-authoritative answer for reference</pre>
<p> VI. Views: let one server give different answers for the same name depending on the IP address the client comes from; used to solve resolution-efficiency problems between different networks. Note that once views are used, every zone must be placed inside a view </p>
<p> <img src="//cto.wang/usr/uploads/2016/07/20160703180104-50.jpg" alt="" /> </p>
<p> 1. Syntax </p>
<pre class="prettyprint lang-bsh">// taking China Mobile and China Unicom as the example
acl telecom { 1.2.0.0/16; 4.5.8.0/24; };
acl unicom  { };
view telecom {
    match-clients { telecom; };
    zone "playground.com" IN {
        type master;
        file "playground.com.telecom";
    };
};
view unicom {
    match-clients { unicom; };
    recursion no;
    zone "playground.com" IN {
        type master;
        file "playground.com.unicom";
    };
};
view default {
    match-clients { any; };
    zone "playground.com" IN {
        type master;
        file "playground.com.unicom";
    };
};</pre>
<p> 2. Experiment </p>
<p> Assume a zone playground.com: queries that arrive via 172.25.137.41 get one set of answers, and queries that arrive via 192.168.233.129 get another. </p>
<p> The first host is the DNS server; it has two addresses, 192.168.233.128 and 172.25.137.40, which I set up with an interface alias. </p>
<p> The other two hosts are 192.168.233.129 and 172.25.137.41. </p>
<p> Set the IP addresses of the DNS server </p>
<pre class="prettyprint lang-bsh">ifconfig eth0 192.168.233.128/24
ifconfig eth0:1 172.25.137.40/24</pre>
<pre class="prettyprint lang-bsh">eth0      Link encap:Ethernet  HWaddr 00:0C:29:E0:A2:0E
          inet addr:192.168.233.128  Bcast:192.168.233.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee0:a20e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32619 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18628316 (17.7 MiB)  TX bytes:2974242 (2.8 MiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:E0:A2:0E
          inet addr:172.25.137.40  Bcast:172.25.137.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1</pre>
<p> Edit the BIND configuration file and add the views </p>
<pre class="prettyprint lang-bsh">acl localArea {
    127.0.0.1/4;
};
acl vm1 {
    192.168.233.131/24;
    192.168.233.128/24;
};
acl vm2 {
    172.25.137.41/24;
    172.25.137.40/24;
};
view localArea {
    match-clients { localArea; };
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };
};
view vm1 {
    match-clients { vm1; };
    zone "playground.com" IN {
        type master;
        file "playground.vm1";
    };
    zone "98.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.98.vm1";
    };
};
view vm2 {
    match-clients { vm2; };
    zone "playground.com" IN {
        type master;
        file "playground.vm2";
    };
    zone "137.25.172.in-addr.arpa" IN {
        type master;
        file "172.25.137.vm2";
    };
};
view default {
    match-clients { any; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};</pre>
<p> Edit the forward and reverse zone files for vm1 </p>
<pre class="prettyprint lang-bsh">; vm1 forward zone
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com. (
                20150305 1H 5M 3D 12H )
@       IN NS   dns
@       IN MX   10 mail
dns     IN A    192.168.233.128
mail    IN A    192.168.98.12
www     IN A    192.168.98.13
ftp     IN CNAME www
pop     IN CNAME www</pre>
<pre class="prettyprint lang-bsh">; vm1 reverse zone
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com. (
                20150305 1H 5M 3D 12H )
@       IN NS   ns.playground.com.
128     IN PTR  ns.playground.com.
12      IN PTR  mail.playground.com.
13      IN PTR  www.playground.com.</pre>
<p> Edit the forward and reverse zone files for vm2 </p>
<pre class="prettyprint lang-bsh">; vm2 forward zone
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com.
                ( 20150305 1H 5M 3D 12H )
@       IN NS   dns
@       IN MX   10 mail
dns     IN A    172.25.137.40
mail    IN A    172.25.137.12
www     IN A    172.25.137.13
ftp     IN CNAME www
pop     IN CNAME www</pre>
<pre class="prettyprint lang-bsh">; vm2 reverse zone
$TTL 600
@       IN SOA  dns.playground.com. dnsadmin.playground.com. (
                20150305 1H 5M 3D 12H )
@       IN NS   dns.playground.com.
40      IN PTR  dns.playground.com.
12      IN PTR  mail.playground.com.
13      IN PTR  www.playground.com.</pre>
<p> Once everything is configured, fix the permissions, restart the service and start testing </p>
<pre class="prettyprint lang-bsh">## test via 192.168.233.128
dig www.playground.com @192.168.233.128

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> www.playground.com @192.168.233.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.playground.com.            IN      A

;; ANSWER SECTION:
www.playground.com.     600     IN      A       192.168.98.13

;; AUTHORITY SECTION:
playground.com.         600     IN      NS      dns.playground.com.

;; ADDITIONAL SECTION:
dns.playground.com.     600     IN      A       192.168.233.128

;; Query time: 1 msec
;; SERVER: 192.168.233.128#53(192.168.233.128)
;; WHEN: Sat Mar 14 14:34:47 2015
;; MSG SIZE  rcvd: 86

## test via 172.25.137.40
dig www.playground.com @172.25.137.40

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> www.playground.com @172.25.137.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12736
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.playground.com.            IN      A

;; ANSWER SECTION:
www.playground.com.     600     IN      A       172.25.137.13

;; AUTHORITY SECTION:
playground.com.         600     IN      NS      dns.playground.com.

;; ADDITIONAL SECTION:
dns.playground.com. 
600 IN A 172.25.137.40
;; Query time: 0 msec
;; SERVER: 172.25.137.40#53(172.25.137.40)
;; WHEN: Sat Mar 14 14:35:39 2015
;; MSG SIZE  rcvd: 86

Test passed: as we can see, the same name resolves to different IPs depending on where the query comes from</pre>
<p> Last modified: 10 December 2021, 10:53 AM </p>
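<p> The zone-file rules given above (name [ttl] IN RRtype value, @ and relative names expanding against the origin, SOA first and only once, a serial of at most 10 decimal digits, A only in forward zones, PTR only in reverse zones) can be checked mechanically before a file is handed to named. The following Python is an added example, not code from the original post or from BIND; the function names are mine, and the two sample zone texts are constructed from the playground.com example above (the reverse sample keeps the page's A record, which the rules flag). </p>

```python
import re
UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}  # BIND TTL suffixes
# Constructed sample input: the playground.com zone files of the example above; the
# reverse file keeps the page's A record, which the rule "A only in forward zones" flags.
FORWARD_ZONE = """$TTL 600
@    IN SOA dns.playground.com. dnsadmin.playground.com. (
         20150305 1H 5M 3D 12H )
@    IN NS dns
@    IN MX 10 mail
dns  IN A 192.168.233.128
mail IN A 192.168.98.12
www  IN A 192.168.98.13
ftp  IN CNAME www
"""
REVERSE_ZONE = """$TTL 600
@    IN SOA dns.playground.com. dnsadmin.playground.com.( 20150305 1H 5M 3D 12H )
@    IN NS dns.playground.com.
128  IN PTR dns.playground.com.
13   IN PTR www.playground.com.
ns   IN A 192.168.98.128
"""

def ttl_seconds(text):
    """'600' -> 600, '1H' -> 3600, '3D' -> 259200."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", text.upper())
    return int(m.group(1)) * UNITS[m.group(2)]

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text):
    """Drop ';' comments and join '(' ... ')' continuation lines (SOA)."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf = f"{buf} {re.sub(r';.*', '', raw)}".strip()
        if buf and buf.count("(") <= buf.count(")"):  # skip blanks and open parens
            out.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    return out

def parse_zone(text, origin):
    """Return [(owner_fqdn, ttl, rrtype, rdata), ...] for a zone file."""
    origin, default_ttl, records = origin.rstrip(".") + ".", None, []
    for line in logical_lines(text):
        tok = line.split()
        if tok[0] == "$TTL":
            default_ttl = ttl_seconds(tok[1])
            continue
        owner, i, ttl = fqdn(tok[0], origin), 1, default_ttl
        if tok[i].upper() != "IN":  # optional per-record TTL before the class
            ttl, i = ttl_seconds(tok[i]), i + 1
        assert tok[i].upper() == "IN", f"expected IN in {line!r}"
        rrtype, rdata = tok[i + 1].upper(), tok[i + 2:]
        if rrtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]  # target names may be relative too
        elif rrtype == "MX":
            rdata = [int(rdata[0]), fqdn(rdata[1], origin)]  # priority, host
        records.append((owner, ttl, rrtype, rdata))
    return records

def check_zone(text, origin):
    """Apply the rules stated above; return a list of problem descriptions."""
    records, problems = parse_zone(text, origin), []
    reverse = origin.rstrip(".").endswith("in-addr.arpa")
    soa = [r for r in records if r[2] == "SOA"]
    if not records or records[0][2] != "SOA":
        problems.append("SOA must be the first record")
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA, found {len(soa)}")
    for r in soa:
        serial = r[3][2]  # rdata: mname rname serial refresh retry expire minimum
        if not serial.isdigit() or len(serial) > 10:
            problems.append(f"serial {serial} is not a decimal of at most 10 digits")
    for owner, _, rrtype, _ in records:
        if rrtype == "A" and reverse:
            problems.append(f"A record {owner} in a reverse zone")
        if rrtype == "PTR" and not reverse:
            problems.append(f"PTR record {owner} in a forward zone")
    return problems
```

<p> Running check_zone on the forward sample returns no problems, while the reverse sample reports its stray A record; an SOA serial such as a constructed 11-digit 20150309001 is reported as well. </p>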
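<p> Two weaknesses surface in the configuration above: recursion yes is offered to every client that can reach port 53 (the author notes this is unsafe in production and suggests a whitelist), and the master zones carry no allow-transfer, which is why dig -t axfr succeeds against the master from any host in section IV. The following Python is an added example, not code from the original post or from BIND: it parses the subset of named.conf syntax used on this page (options, acl, zone and view blocks, the three comment styles) and reports both conditions. allow-recursion and allow-transfer are BIND options that the page does not show; they are used here in a constructed hardened sample as the fix. </p>

```python
import re
# Constructed samples: the named.conf of the example above, reduced to the statements
# the checks look at, and a hardened variant that restricts recursion and transfers.
LAB_CONF = """
options {
    recursion yes;            # recursion for everyone who can reach port 53
};
zone "." IN { type hint; file "named.ca"; };
zone "playground.com" IN { type master; file "playground.zone"; };
zone "98.168.192.in-addr.arpa" IN { type master; file "192.168.98.zone"; };
"""
HARDENED_CONF = """
acl lan { 192.168.233.0/24; 127.0.0.1; };
options {
    recursion yes;
    allow-recursion { lan; };             /* recursive service only for the LAN */
    allow-transfer { 192.168.233.129; };  /* only the slave may pull AXFR/IXFR */
};
view "internal" {
    match-clients { lan; };
    zone "playground.com" IN { type master; file "playground.zone"; };
};
"""

def token_list(text):
    """Strip #, // and /* */ comments; return words, braces and semicolons."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(#|//).*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse_block(tokens, pos=0):
    """Parse statements up to the matching '}': (words, sub), sub=None for 'key value;'."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok == "{":                      # 'words { ... };' block statement
            sub, pos = parse_block(tokens, pos)
            stmts.append((words, sub))
            words = []
        elif tok == ";":
            if words:                       # the ';' after a '}' arrives with no words
                stmts.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos

def block(stmts, key):
    """Sub-statements of the first 'key { ... };' statement, or None."""
    return next((sub for words, sub in stmts if words[:1] == [key]), None)

def value(stmts, key):
    """Words after 'key' in the first 'key value...;' statement, or None."""
    return next((words[1:] for words, _ in stmts if words[:1] == [key]), None)

def zones(stmts):
    """Yield (name, sub_statements) for every zone, including zones inside views."""
    for words, sub in stmts:
        if words[:1] == ["zone"]:
            yield words[1], sub
        elif words[:1] == ["view"]:
            yield from zones(sub)

def audit(text):
    """Findings for the two weaknesses discussed above: open recursion and open AXFR."""
    conf, _ = parse_block(token_list(text))
    opts = block(conf, "options") or []
    findings = []
    if value(opts, "recursion") == ["yes"] and all(
            block(opts, k) is None for k in ("allow-recursion", "allow-query")):
        findings.append("options: recursion yes with no allow-recursion or allow-query (open resolver)")
    for name, sub in zones(conf):
        if value(sub, "type") == ["master"] and all(
                block(s, "allow-transfer") is None for s in (sub, opts)):
            findings.append(f"zone {name}: no allow-transfer, any host may request AXFR")
    return findings
```

<p> audit(LAB_CONF) reports the open resolver plus one finding per master zone; audit(HARDENED_CONF) reports nothing, because allow-transfer in options covers every zone, including the one inside the view. </p>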