bind實現智慧DNS(ACL,view)
- 2020 年 1 月 10 日
- 筆記
一、功能描述
在實現了DNS主從同步,子域授權之後,還可以針對不同網路內的域名解析請求DNS能夠指向不同的主機地址,以實現分流。
假設下圖中兩台主機互為鏡像,要讓來源不同的主機對此域名的解析指向各自網段內的鏡像主機,而不必穿過路由器跨網段訪問。例如172.16.0.0/24網段內主機對www.sunlinux.com的解析指向172.16.200.6的伺服器,而192.168.0.0/24網段內主機對www.sunlinux.com的解析指向192.168.0.6的伺服器。這可以利用ACL及view規則來實現。

二、實現步驟
1、將來源不同的兩個網段定義到不同的ACL規則當中。
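# Client ACLs. An acl must be defined before any view references it, and an
# address match list is evaluated in order: the first matching entry decides.
acl C_class { 192.168.0.0/24; };   # class-C side; www/mail mirrors are 192.168.0.x
# Was 172.16.0.0/8. With an /8 the host bits of 172.16.0.0 are non-zero, so
# BIND reports an address/prefix length mismatch, and the effective prefix
# 172.0.0.0/8 would also match public addresses far outside 172.16.x.x,
# handing those clients the "internal" B view. /16 is the class-B prefix that
# covers the 172.16.200.x and 172.16.251.x hosts used by this zone; tighten
# it further if the real B-side network is narrower.
acl B_class { 172.16.0.0/16; };
# Everything that is in neither network. The negated entries must come
# before "any" because of the first-match evaluation above.
acl Other { !192.168.0.0/24; !172.16.0.0/16; any; };
#acl Other { any; };   # alternative: all addresses; only equivalent because
                       # the anyother view is listed last (views are matched
                       # top to bottom, first match wins)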
2、用view劃分DNS(每個view相當於一個獨立的DNS;一旦使用view,所有zone都必須放在view中)。
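# Each view behaves like an independent DNS server. Views are tried top to
# bottom and the first one whose match-clients accepts the query's source
# address is used. Once any view exists, every zone (including the root
# hints) must be placed inside a view.
view classC {
    match-clients { C_class; };     # 192.168.0.0/24 clients
    zone "." IN {                   # root hints: C-net queries for names outside
        type hint;                  # sunlinux.com are resolved via the root servers
        file "named.ca";
    };
    zone "sunlinux.com" IN {        # authoritative data handed to C-net clients
        type master;
        file "sunlinux.com.Czone";  # www/mail -> 192.168.0.x mirrors
    };
};
view classB {
    match-clients { B_class; };     # 172.16.x.x clients
    zone "." IN {                   # root hints for B-net queries outside sunlinux.com
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {        # authoritative data handed to B-net clients
        type master;
        file "sunlinux.com.Bzone";  # www/mail -> 172.16.200.x servers
    };
};
view anyother {
    match-clients { Other; };       # every source address not matched above
    # This view is reachable from arbitrary, untrusted addresses. With BIND's
    # default "recursion yes" it would also answer recursive queries for any
    # name, i.e. act as an open resolver, which is a well-known amplification
    # risk. Outsiders only need the authoritative sunlinux.com data, so
    # recursion is disabled here; the two internal views keep the default.
    recursion no;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";  # NOTE(review): outsiders receive the private
                                    # 172.16.200.x addresses from this file; a
                                    # public-facing deployment would normally
                                    # serve a separate zone file here
    };
};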
3、編輯bind配置文件將規則寫入。
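# vim /etc/named.conf
options {
    directory "/var/named";         # directory holding the zone data files
    ...                             # remaining global options (elided)
};
logging {
    channel default_debug {
        file "data/named.run";      # debug log destination
        severity dynamic;
    };
};
# ACLs must be defined before the views that reference them; address match
# lists are evaluated first-match.
acl C_class { 192.168.0.0/24; };
# Was 172.16.0.0/8. The host bits of 172.16.0.0 are non-zero for an /8, so
# BIND reports an address/prefix length mismatch, and the effective prefix
# 172.0.0.0/8 would match public addresses far outside 172.16.x.x, handing
# them the "internal" B view. /16 is the class-B prefix covering the
# 172.16.200.x and 172.16.251.x hosts used by this zone.
acl B_class { 172.16.0.0/16; };
#acl Other { !192.168.0.0/24; !172.16.0.0/16; any; };   # strict form: neither network
acl Other { any; };                 # relies on view order: classC and classB are
                                    # tried first, so only other clients reach anyother
view classC {
    match-clients { C_class; };
    zone "." IN {                   # root hints for queries outside sunlinux.com
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Czone";  # www/mail -> 192.168.0.x mirrors
    };
};
view classB {
    match-clients { B_class; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";  # www/mail -> 172.16.200.x servers
    };
};
view anyother {
    match-clients { Other; };       # any address not matched by the views above
    # Reachable from arbitrary, untrusted addresses. With the default
    # "recursion yes" this view would act as an open resolver for the whole
    # Internet (a well-known amplification risk); outsiders only need the
    # authoritative sunlinux.com data, so recursion is disabled here.
    # The internal views above keep the default.
    recursion no;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";  # NOTE(review): serves private 172.16.200.x
                                    # addresses to outsiders; a public-facing
                                    # deployment would use a separate zone file here
    };
};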
4、編輯C網段數據文件。
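; # vim /var/named/sunlinux.com.Czone
; sunlinux.com data served by view "classC" (clients in 192.168.0.0/24):
; www and mail resolve to the mirrors inside that network.
$TTL 600
; MNAME was dns.sunlinux.com., a name with no record anywhere in this zone.
; MNAME must name the zone's primary server (it is where dynamic updates are
; sent and is skipped when NOTIFYs go out), so it now points at ns1, which
; does have an A record below.
@       IN  SOA ns1.sunlinux.com. dnsadmin.sunlinux.com. (
                20140312    ; serial (date-style; bump on every edit)
                1H          ; refresh
                5M          ; retry
                3D          ; expire
                6H )        ; negative-caching TTL
        IN  NS  ns1.sunlinux.com.
        IN  NS  ns2.sunlinux.com.
        IN  MX  10 mail
ns1     IN  A   172.16.251.58
ns2     IN  A   172.16.251.61
www     IN  A   192.168.0.6         ; C-side mirror
mail    IN  A   192.168.0.8         ; C-side mirror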
5、編輯B網段數據文件。
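; [root@localhost ~]# vim /var/named/sunlinux.com.Bzone
; sunlinux.com data served by views "classB" and "anyother":
; www and mail resolve to the 172.16.200.x servers.
$TTL 600
; MNAME was dns.sunlinux.com., a name with no record anywhere in this zone.
; MNAME must name the zone's primary server (it is where dynamic updates are
; sent and is skipped when NOTIFYs go out), so it now points at ns1, which
; does have an A record below.
@       IN  SOA ns1.sunlinux.com. dnsadmin.sunlinux.com. (
                20140312    ; serial (date-style; bump on every edit)
                1H          ; refresh
                5M          ; retry
                3D          ; expire
                6H )        ; negative-caching TTL
        IN  NS  ns1.sunlinux.com.
        IN  NS  ns2.sunlinux.com.
        IN  MX  10 mail
; Delegation of blog.sunlinux.com. The name servers sit below the delegated
; name, so glue A records are required for them.
blog    IN  NS  ns3.blog.sunlinux.com.
blog    IN  NS  ns4.blog.sunlinux.com.
ns3.blog IN A   172.16.251.64
ns4.blog IN A   172.16.251.67
ns1     IN  A   172.16.251.58
ns2     IN  A   172.16.251.61
www     IN  A   172.16.200.6        ; B-side server
mail    IN  A   172.16.200.8        ; B-side server
pop     IN  CNAME mail
ftp     IN  CNAME www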
6、檢查配置文件語法錯誤,並啟動。
# service named configtest
zone sunlinux.com.Czone/IN: loaded serial 20140312
zone sunlinux.com.Bzone/IN: loaded serial 20140312
# service named start
Starting named: [ OK ]
三、測試及驗證
B 網段測試結果
# dig -t A www.sunlinux.com @172.16.251.58 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @172.16.251.58 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6742 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.sunlinux.com. IN A ;; ANSWER SECTION: www.sunlinux.com. 600 IN A 172.16.200.6 # B網地址 ;; AUTHORITY SECTION: sunlinux.com. 600 IN NS ns2.sunlinux.com. sunlinux.com. 600 IN NS ns1.sunlinux.com. ;; ADDITIONAL SECTION: ns1.sunlinux.com. 600 IN A 172.16.251.58 ns2.sunlinux.com. 600 IN A 172.16.251.61 ;; Query time: 1 msec ;; SERVER: 172.16.251.58#53(172.16.251.58) ;; WHEN: Tue Mar 18 10:26:12 2014 ;; MSG SIZE rcvd: 118 # dig -t A mail.sunlinux.com @172.16.251.58 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @172.16.251.58 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51869 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;mail.sunlinux.com. IN A ;; ANSWER SECTION: mail.sunlinux.com. 600 IN A 172.16.200.8 # B網地址 ;; AUTHORITY SECTION: sunlinux.com. 600 IN NS ns2.sunlinux.com. sunlinux.com. 600 IN NS ns1.sunlinux.com. ;; ADDITIONAL SECTION: ns1.sunlinux.com. 600 IN A 172.16.251.58 ns2.sunlinux.com. 600 IN A 172.16.251.61 ;; Query time: 0 msec ;; SERVER: 172.16.251.58#53(172.16.251.58) ;; WHEN: Tue Mar 18 10:26:24 2014 ;; MSG SIZE rcvd: 119
C網段測試結果。
# dig -t A www.sunlinux.com @192.168.0.58 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @192.168.0.58 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22172 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;www.sunlinux.com. IN A ;; ANSWER SECTION: www.sunlinux.com. 600 IN A 192.168.0.6 # C網地址 ;; AUTHORITY SECTION: sunlinux.com. 600 IN NS ns2.sunlinux.com. sunlinux.com. 600 IN NS ns1.sunlinux.com. ;; ADDITIONAL SECTION: ns1.sunlinux.com. 600 IN A 172.16.251.58 ns2.sunlinux.com. 600 IN A 172.16.251.61 ;; Query time: 1 msec ;; SERVER: 192.168.0.58#53(192.168.0.58) ;; WHEN: Tue Mar 18 10:25:34 2014 ;; MSG SIZE rcvd: 118 # dig -t A mail.sunlinux.com @192.168.0.58 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @192.168.0.58 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;mail.sunlinux.com. IN A ;; ANSWER SECTION: mail.sunlinux.com. 600 IN A 192.168.0.8 # C網地址 ;; AUTHORITY SECTION: sunlinux.com. 600 IN NS ns2.sunlinux.com. sunlinux.com. 600 IN NS ns1.sunlinux.com. ;; ADDITIONAL SECTION: ns1.sunlinux.com. 600 IN A 172.16.251.58 ns2.sunlinux.com. 600 IN A 172.16.251.61 ;; Query time: 0 msec ;; SERVER: 192.168.0.58#53(192.168.0.58) ;; WHEN: Tue Mar 18 10:25:39 2014 ;; MSG SIZE rcvd: 119
四、補充說明
acl:需要先定義後使用。內置ACL { any; none; localhost; localnets; } 可以直接使用。
view:優先順序從上至下,先匹配到的生效。