bind实现智能DNS(ACL,view)

  • 2020 年 1 月 10 日
  • 筆記

一、功能描述

   在实现了DNS主从同步、子域授权之后,还可以让DNS根据解析请求来源网络的不同,返回不同的主机地址,以实现分流。

   假设下图中两台主机互为镜像,要让来源不同的主机对同一域名的解析指向本网段内的镜像主机,而不必穿过路由器跨段访问。例如172.16.0.0/24网内主机对www.sunlinux.com的解析指向172.16.200.6的服务器,而192.168.0.0/24网段内主机对www.sunlinux.com的解析指向192.168.0.6的服务器。这可以利用ACL及view规则来实现。

二、实现步骤

1、将来源不同的两个网段定义到不同的ACL规则当中。

acl C_class { 192.168.0.0/24; };
# NOTE(review): 172.16.0.0/8 has address bits set beyond the /8 mask, so it does
# not describe the 172.16.0.0/24 network mentioned above but all of 172.0.0.0/8;
# newer BIND releases reject such an entry as an address/prefix length mismatch.
# Confirm the intended prefix length before deploying.
acl B_class { 172.16.0.0/8; };
acl Other { !192.168.0.0/24; !172.16.0.0/8; any; }; # every address except the two networks above
#acl Other { any; }; # all addresses

2、用view划分DNS。

view classC {                         # each view behaves like an independent DNS server
    match-clients { C_class; };       # source addresses served by this view
    zone "." IN {                     # root hints: C-network hosts asking for other domains are sent to the root servers
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {          # the authoritative zone
        type master;
        file "sunlinux.com.Czone";    # zone data returned to C-network hosts for sunlinux.com
    };
};
view classB {                         # once any view is defined, every zone must live inside a view
    match-clients { B_class; };
    zone "." IN {                     # root hints for B-network hosts asking for other domains
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";    # zone data returned to B-network hosts for sunlinux.com
    };
};
view anyother {
    match-clients { Other; };         # hosts outside the two defined networks
    # NOTE(review): this view carries a root hint zone and sets no recursion policy, so
    # with BIND's default `recursion yes;` the server answers recursive queries from any
    # source address (an open resolver). Add `recursion no;` or an `allow-recursion`
    # list here if the server is reachable from untrusted networks — confirm against
    # the global options.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";    # same data as classB: outside hosts receive the 172.16 addresses
    };
};

3、编辑bind配置文件将规则写入。

# vim /etc/named.conf
options {
    directory       "/var/named";   # zone data directory
    ...                             # remaining global options (elided)
};
logging {
    channel default_debug {
        file "data/named.run";      # log destination
        severity dynamic;
    };
};
acl C_class { 192.168.0.0/24; };
# NOTE(review): 172.16.0.0/8 has address bits set beyond the /8 mask; it matches all of
# 172.0.0.0/8 rather than the 172.16 network, and newer BIND releases reject it as an
# address/prefix length mismatch. Confirm the intended prefix length.
acl B_class { 172.16.0.0/8; };
#acl Other { !192.168.0.0/24; !172.16.0.0/8; any; };
acl Other { any; };                 # used by the last view, so it only sees clients the views above did not claim
view classC {
    match-clients { C_class; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        # NOTE(review): no allow-transfer is set on the master zones in this file; if the
        # effective default permits transfers, restrict them to the secondaries, e.g.
        # `allow-transfer { <secondary-address>; };`.
        file "sunlinux.com.Czone";
    };
};
view classB {
    match-clients { B_class; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";
    };
};
view anyother {
    match-clients { Other; };
    # NOTE(review): this catch-all view includes a root hint zone; unless the elided
    # options block sets `recursion no;`, BIND's default `recursion yes;` makes the
    # server an open recursive resolver for every source address. Add `recursion no;`
    # or an `allow-recursion` list here if the host is reachable from untrusted networks.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";
    };
};

4、编辑C网段数据文件。

# vim /var/named/sunlinux.com.Czone
$TTL 600                                ; default TTL for records without an explicit one
@       IN      SOA     dns.sunlinux.com.       dnsadmin.sunlinux.com. (
                        20140312        ; serial
                        1H              ; refresh
                        5M              ; retry
                        3D              ; expire
                        6H              ; negative-caching TTL
                        )
; NOTE(review): the SOA MNAME is dns.sunlinux.com. but no A record for "dns" appears in
; this zone; confirm the intended primary server name.
        IN      NS      ns1.sunlinux.com.
        IN      NS      ns2.sunlinux.com.
        IN      MX      10 mail
; NOTE(review): this file is served to 192.168.0.0/24 clients, yet the NS glue below
; points into the 172.16 network while the C-network test queries 192.168.0.58;
; confirm whether the glue should carry the 192.168 addresses so clients stay on
; their own segment.
ns1     IN      A       172.16.251.58
ns2     IN      A       172.16.251.61
www     IN      A       192.168.0.6     ; C-network mirror of www
mail    IN      A       192.168.0.8     ; C-network mirror of mail

5、编辑B网段数据文件。

[root@localhost ~]# vim /var/named/sunlinux.com.Bzone
$TTL 600                                ; default TTL for records without an explicit one
@       IN      SOA     dns.sunlinux.com.       dnsadmin.sunlinux.com. (
                        20140312        ; serial
                        1H              ; refresh
                        5M              ; retry
                        3D              ; expire
                        6H              ; negative-caching TTL
                        )
; NOTE(review): the SOA MNAME is dns.sunlinux.com. but no A record for "dns" appears in
; this zone; confirm the intended primary server name.
        IN      NS      ns1.sunlinux.com.
        IN      NS      ns2.sunlinux.com.
        IN      MX      10 mail
blog    IN      NS      ns3.blog.sunlinux.com.  ; delegate blog.sunlinux.com to its own servers
blog    IN      NS      ns4.blog.sunlinux.com.
ns3.blog IN     A       172.16.251.64           ; glue for the delegated name servers
ns4.blog IN     A       172.16.251.67
ns1     IN      A       172.16.251.58
ns2     IN      A       172.16.251.61
www     IN      A       172.16.200.6            ; B-network mirror of www
mail    IN      A       172.16.200.8            ; B-network mirror of mail
pop     IN      CNAME   mail
ftp     IN      CNAME   www

6、检查配置文件语法错误,并启动。

# service named configtest  zone sunlinux.com.Czone/IN: loaded serial 20140312  zone sunlinux.com.Bzone/IN: loaded serial 20140312  # service named start  Starting named:                                            [  OK  ]

三、测试及验证

B 网段测试结果

# dig -t A www.sunlinux.com @172.16.251.58  ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @172.16.251.58  ;; global options: +cmd  ;; Got answer:  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6742  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2  ;; QUESTION SECTION:  ;www.sunlinux.com.      IN  A  ;; ANSWER SECTION:  www.sunlinux.com.   600 IN  A   172.16.200.6 # B网地址  ;; AUTHORITY SECTION:  sunlinux.com.       600 IN  NS  ns2.sunlinux.com.  sunlinux.com.       600 IN  NS  ns1.sunlinux.com.  ;; ADDITIONAL SECTION:  ns1.sunlinux.com.   600 IN  A   172.16.251.58  ns2.sunlinux.com.   600 IN  A   172.16.251.61  ;; Query time: 1 msec  ;; SERVER: 172.16.251.58#53(172.16.251.58)  ;; WHEN: Tue Mar 18 10:26:12 2014  ;; MSG SIZE  rcvd: 118  # dig -t A mail.sunlinux.com @172.16.251.58  ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @172.16.251.58  ;; global options: +cmd  ;; Got answer:  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51869  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2  ;; QUESTION SECTION:  ;mail.sunlinux.com.     IN  A  ;; ANSWER SECTION:  mail.sunlinux.com.  600 IN  A   172.16.200.8 # B网地址  ;; AUTHORITY SECTION:  sunlinux.com.       600 IN  NS  ns2.sunlinux.com.  sunlinux.com.       600 IN  NS  ns1.sunlinux.com.  ;; ADDITIONAL SECTION:  ns1.sunlinux.com.   600 IN  A   172.16.251.58  ns2.sunlinux.com.   600 IN  A   172.16.251.61  ;; Query time: 0 msec  ;; SERVER: 172.16.251.58#53(172.16.251.58)  ;; WHEN: Tue Mar 18 10:26:24 2014  ;; MSG SIZE  rcvd: 119

C网段测试结果。

# dig -t A www.sunlinux.com @192.168.0.58  ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @192.168.0.58  ;; global options: +cmd  ;; Got answer:  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22172  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2  ;; QUESTION SECTION:  ;www.sunlinux.com.      IN  A  ;; ANSWER SECTION:  www.sunlinux.com.   600 IN  A   192.168.0.6 # C网地址  ;; AUTHORITY SECTION:  sunlinux.com.       600 IN  NS  ns2.sunlinux.com.  sunlinux.com.       600 IN  NS  ns1.sunlinux.com.  ;; ADDITIONAL SECTION:  ns1.sunlinux.com.   600 IN  A   172.16.251.58  ns2.sunlinux.com.   600 IN  A   172.16.251.61  ;; Query time: 1 msec  ;; SERVER: 192.168.0.58#53(192.168.0.58)  ;; WHEN: Tue Mar 18 10:25:34 2014  ;; MSG SIZE  rcvd: 118  # dig -t A mail.sunlinux.com @192.168.0.58  ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @192.168.0.58  ;; global options: +cmd  ;; Got answer:  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2  ;; QUESTION SECTION:  ;mail.sunlinux.com.     IN  A  ;; ANSWER SECTION:  mail.sunlinux.com.  600 IN  A   192.168.0.8 # C网地址  ;; AUTHORITY SECTION:  sunlinux.com.       600 IN  NS  ns2.sunlinux.com.  sunlinux.com.       600 IN  NS  ns1.sunlinux.com.  ;; ADDITIONAL SECTION:  ns1.sunlinux.com.   600 IN  A   172.16.251.58  ns2.sunlinux.com.   600 IN  A   172.16.251.61  ;; Query time: 0 msec  ;; SERVER: 192.168.0.58#53(192.168.0.58)  ;; WHEN: Tue Mar 18 10:25:39 2014  ;; MSG SIZE  rcvd: 119

四、补充说明

   acl:需要先定义后使用。内置ACL {any; none; localhost; localnets;} 无需定义即可直接使用。

   view:按配置文件中从上至下的顺序匹配,先匹配到的生效;因此 match-clients 为 any 的 view 必须放在最后,否则排在它之后的 view 永远不会被匹配到。