DNS Forwarding, ACLs and Views

DNS is short for Domain Name System. It is a distributed database on the Internet that maps domain names to IP addresses, letting users reach hosts by name instead of having to remember the numeric IP addresses that machines read directly. Going from a host name to the IP address it corresponds to is called domain name resolution (or host name resolution). DNS runs on top of UDP and TCP and uses port 53.


DNS Forwarding

DNS forwarding comes in two forms: global forwarding and zone forwarding. Global forwarding: every request for a zone this server is not authoritative for is forwarded to the specified server. It is configured by adding these parameters to the options block in /etc/named.conf:

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        forward only|first;      ## forwarding type (first|only): "only" forwards everything and never falls back, whether or not the forwarder returns a result; "first" forwards first and, if the forwarder does not return a valid result, falls back to iterative resolution as appropriate
        forwarders {IP;};    ## the forwarder(s) queries are sent to

Zone-specific forwarding: only requests for a particular zone are forwarded; it takes precedence over global forwarding and is configured in /etc/named.rfc1912.zones:

zone "baidu.com" IN {     ## the specific zone to forward
        type forward;    ## zone type: forward
        forward only|first;   ## forwarding type (only|first)
        forwarders {IP;};   ## the forwarder(s)
};

The following experiment demonstrates forwarding. Prepare a Linux virtual machine with the bind package installed; because of network restrictions, this host cannot resolve domain names on its own:

[root:~]#    dig baidu.com @127.0.0.1   ## test whether baidu.com can be resolved

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4039
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.         IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:43:09 CST 2016
;; MSG SIZE  rcvd: 38

[root:~]#    dig qq.com @127.0.0.1  ## test whether qq.com can be resolved

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:43:27 CST 2016
;; MSG SIZE  rcvd: 35

The tests above show that the server currently cannot resolve names by itself. Now configure global forwarding as follows:

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        forward only;      ######################
        forwarders {172.16.0.1;};  ###### this IP is a host in the lab environment that can reach the outside network
## restart the service when done

Test result:

[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28257
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         0   IN  A   61.135.157.156
qq.com.         0   IN  A   125.39.240.113

;; AUTHORITY SECTION:
qq.com.         13686   IN  NS  ns2.qq.com.
qq.com.         13686   IN  NS  ns3.qq.com.
qq.com.         13686   IN  NS  ns4.qq.com.
qq.com.         13686   IN  NS  ns1.qq.com.

;; ADDITIONAL SECTION:
ns2.qq.com.     99870   IN  A   101.227.169.106
ns2.qq.com.     99870   IN  A   125.39.202.108
ns3.qq.com.     99870   IN  A   182.140.177.149
ns3.qq.com.     99870   IN  A   182.140.167.157
ns1.qq.com.     99870   IN  A   101.226.68.138
ns1.qq.com.     99870   IN  A   14.17.19.139
ns4.qq.com.     99870   IN  A   123.151.178.115
ns4.qq.com.     99870   IN  A   125.39.247.247
ns4.qq.com.     99870   IN  A   184.105.206.124
ns4.qq.com.     99870   IN  A   203.205.144.156

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:51:10 CST 2016
;; MSG SIZE  rcvd: 299

[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         600 IN  A   61.135.157.156
qq.com.         600 IN  A   125.39.240.113

;; AUTHORITY SECTION:
qq.com.         13682   IN  NS  ns2.qq.com.
qq.com.         13682   IN  NS  ns1.qq.com.
qq.com.         13682   IN  NS  ns3.qq.com.
qq.com.         13682   IN  NS  ns4.qq.com.

;; ADDITIONAL SECTION:
ns2.qq.com.     99866   IN  A   125.39.202.108
ns2.qq.com.     99866   IN  A   101.227.169.106
ns3.qq.com.     99866   IN  A   182.140.167.157
ns3.qq.com.     99866   IN  A   182.140.177.149
ns1.qq.com.     99866   IN  A   14.17.19.139
ns1.qq.com.     99866   IN  A   101.226.68.138
ns4.qq.com.     99866   IN  A   125.39.247.247
ns4.qq.com.     99866   IN  A   184.105.206.124
ns4.qq.com.     99866   IN  A   203.205.144.156
ns4.qq.com.     99866   IN  A   123.151.178.115

;; Query time: 51 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:51:14 CST 2016
;; MSG SIZE  rcvd: 299

In the example above the forwarding type is only: regardless of whether the requested domain is one this host could resolve itself, every request is forwarded to the specified server, and it does not matter whether that forwarder can answer it.
With first, the host forwards the request to the specified forwarder first; if the forwarder can resolve the requested name, the result is returned to the client, otherwise the host performs iterative queries itself as appropriate.
Zone-specific forwarding:
In /etc/named.conf, comment out the global forwarding statements:

...
        //forward only;   ###############
        //forwarders {172.16.0.1;};   ###############
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;   #########
...

Add the specific forward zone in /etc/named.rfc1912.zones:

...
zone "baidu.com" IN {
        type forward;
        forward only;
        forwarders {172.16.0.1;};
};
### restart the service and flush the cache
[root:~]#    systemctl restart named
[root:~]#    rndc flush
## the expected outcome is that nothing except baidu.com can be resolved
[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 23:26:27 CST 2016
;; MSG SIZE  rcvd: 35

[root:~]#    dig baidu.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53534
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.         IN  A

;; ANSWER SECTION:
baidu.com.      255 IN  A   111.13.101.208
baidu.com.      255 IN  A   220.181.57.217
baidu.com.      255 IN  A   123.125.114.144
baidu.com.      255 IN  A   180.149.132.47

;; AUTHORITY SECTION:
baidu.com.      11392   IN  NS  dns.baidu.com.
baidu.com.      11392   IN  NS  ns4.baidu.com.
baidu.com.      11392   IN  NS  ns7.baidu.com.
baidu.com.      11392   IN  NS  ns3.baidu.com.
baidu.com.      11392   IN  NS  ns2.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.      97772   IN  A   202.108.22.220
ns3.baidu.com.      97772   IN  A   220.181.37.10
ns4.baidu.com.      97773   IN  A   220.181.38.10
ns2.baidu.com.      97772   IN  A   61.135.165.235
ns7.baidu.com.      97773   IN  A   119.75.219.82

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 23:26:33 CST 2016
;; MSG SIZE  rcvd: 272

Thus the global forwarding model is as follows:

[Figure: global forwarding model]

Zone forwarding model:

[Figure: zone forwarding model]

ACL

Why have ACLs? For security and for name server performance. Without an ACL, anyone can send recursive queries to our DNS server, which is very dangerous. DNS zone transfer is also multi-master replication: without an ACL, any host can perform a full zone transfer from our server, which is equally dangerous and will keep the server busy to exhaustion.

The four ACL control directives commonly used in BIND:
allow-query {}:    hosts allowed to query; a whitelist
allow-transfer {}:   hosts allowed to perform zone transfers; a whitelist
allow-recursion {}:   hosts allowed to make recursive queries; recommended at the global level
allow-update {}:    hosts allowed to update the contents of the zone database

The definition format of an acl is:
acl acl_name {ip;ip/prelen;…};
The braces hold user-defined acls or BIND's built-in ones: none, any, localhost, localnets;
none: no host at all
any: any host
localhost: this machine
localnets: the network address obtained by ANDing this machine's IP with its netmask
Note: an acl must be defined before it can be used, so acl definitions must come before any acl reference, i.e. at the top of the configuration file.
There is a zone shanghai.roger.com on the host, and www.shanghai.roger.com can be resolved through every IP address of the machine:


[root:named]#    dig www.shanghai.roger.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 08 10:41:08 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.22.123

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.22.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 172.16.22.123#53(172.16.22.123)
;; WHEN: Thu Dec 08 10:41:31 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.252.81

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.252.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60273
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 172.16.252.81#53(172.16.252.81)
;; WHEN: Thu Dec 08 10:41:39 CST 2016
;; MSG SIZE  rcvd: 135

Configure the acl in /etc/named.conf as follows:

...
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
##########################################
acl queryacl {172.16.22.123;};     ## the acl being configured
##########################################
options {
//  listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
...

In /etc/named.rfc1912.zones, configure the acl for the zone shanghai.roger.com as follows:

...
zone "shanghai.roger.com"{
    type master;
    file "shanghai.roger.com";
    allow-query { queryacl; };   ## the query acl being set
};
...

After restarting the service, the queries give:

[root:named]#    dig www.shanghai.roger.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60033
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 08 10:58:15 CST 2016
;; MSG SIZE  rcvd: 51

[root:named]#    dig www.shanghai.roger.com @172.16.22.123

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.22.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62958
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 46 msec
;; SERVER: 172.16.22.123#53(172.16.22.123)
;; WHEN: Thu Dec 08 10:58:19 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.252.81

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.252.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; Query time: 0 msec
;; SERVER: 172.16.252.81#53(172.16.252.81)
;; WHEN: Thu Dec 08 10:58:41 CST 2016
;; MSG SIZE  rcvd: 51

Only 172.16.22.123, the IP listed in the acl, is allowed to query; every other IP, including 127.0.0.1, is outside the acl and is refused. That is what an acl does.
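To check transcripts like the ones above mechanically rather than by eye (SERVFAIL when no forwarder can be reached, REFUSED when allow-query excludes the client, NOERROR with the expected address), here is an added Python parser for dig's output format; it is not part of the original post, and the two sample transcripts are constructed here in the same layout as the page's.

```python
import re

# Two dig outputs, constructed for this example in the same layout as the page's
# transcripts: one refused by allow-query, one answered from the "beijing" view.
REFUSED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60033
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

ANSWERED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.1

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; SERVER: 172.16.251.187#53(172.16.251.187)
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return (status, flags, records); records maps a section name such as
    ANSWER or AUTHORITY to a list of (owner, ttl, class, type, rdata) tuples."""
    status, flags, records, section = None, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m_flags, m_sect = FLAGS_RE.match(line), SECTION_RE.match(line)
        if line.startswith(";; ->>HEADER<<-"):
            status = STATUS_RE.search(line).group(1)
        elif m_flags:
            flags = m_flags.group(1).split()
        elif m_sect:
            section = m_sect.group(1)
        elif line.startswith(";"):
            continue                       # comments, SERVER/WHEN lines, QUESTION entries
        elif section and section != "QUESTION":
            owner, ttl, rclass, rtype, *rdata = line.split()
            records.setdefault(section, []).append(
                (owner, int(ttl), rclass, rtype, " ".join(rdata)))
    return status, flags, records


def check(text, want_status, want_a=None):
    """True if dig reported want_status and, when want_a is given, the A records
    in the ANSWER section are exactly that set of addresses (order-independent)."""
    status, _flags, records = parse_dig(text)
    if status != want_status:
        return False
    if want_a is None:
        return True
    got = {r[4] for r in records.get("ANSWER", []) if r[3] == "A"}
    return got == set(want_a)
```

Feed it the saved output of `dig NAME @SERVER` from each client address and the ACL or view result is checked without reading the transcript by hand.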

VIEW

A view is based on the split-brain principle: an access control list flexibly decides which clients get to see which view. With views, identical requests from different network segments receive different DNS answers, which effectively splits network traffic and improves access control.
One bind server can define multiple views, and each view can define one or more zones.
Each view matches one group of clients.
Several views may need to resolve the same zone, but each uses a different zone file.
Format:
view VIEW_NAME {
match-clients { };
zone "magedu.com" {
type master;
file "magedu.com.zone"; };
include "/etc/named.rfc1912.zones.xxxx";
};
Again using a single machine, configure several zone files and matching acls so that the same domain name resolves to different IP addresses depending on the client's IP.
First edit /etc/named.conf and configure the acls:

...
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl beijing {172.16.200.0/24;};
acl shanghai {172.16.252.0/24;};
acl tianjing {172.16.100.0/24;};
acl other {any;};
options {
...
};

view "beijing"{
    match-clients {beijing;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.bj";
    };
include "/etc/named.rfc1912.zones";
};
view "tianjing"{
    match-clients {tianjing;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.tj";
    };
include "/etc/named.rfc1912.zones";
};
view "shanghai"{
    match-clients {shanghai;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.sh";
    };
include "/etc/named.rfc1912.zones";
};
view "other"{
    match-clients {other;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.ot";
    };
include "/etc/named.rfc1912.zones";
};
include "/etc/named.root.key";
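The acl rules above (first match wins, built-ins, nesting) and the view order in this named.conf decide who is refused and who lands in which view. Here is an added Python model of BIND-style address match lists that reproduces both decisions; it is not the post's code and not BIND itself, and the interface addresses behind localhost/localnets and the negated acl mgmt_excluded are constructed assumptions.

```python
import ipaddress

# Interface addresses of the name server, constructed for this example; BIND derives
# the built-in "localhost" and "localnets" acls from the real interfaces.
LOCAL_IFACES = [ipaddress.ip_interface("172.16.251.187/16"),
                ipaddress.ip_interface("127.0.0.1/8")]

# acls as defined in the page's named.conf, plus one constructed entry (mgmt_excluded)
# whose negated first element shows why element order matters.
ACLS = {
    "beijing":  ["172.16.200.0/24"],
    "shanghai": ["172.16.252.0/24"],
    "tianjing": ["172.16.100.0/24"],
    "other":    ["any"],
    "queryacl": ["172.16.22.123"],
    "mgmt_excluded": ["!172.16.22.0/24", "localnets"],   # constructed
}

# (view name, match-clients list), in the order the views appear in named.conf
VIEWS = [("beijing", ["beijing"]), ("tianjing", ["tianjing"]),
         ("shanghai", ["shanghai"]), ("other", ["other"])]


def element_hits(element, ip, depth):
    """Does one address-match-list element (without its '!') cover ip?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return any(ip == iface.ip for iface in LOCAL_IFACES)
    if element == "localnets":
        return any(ip in iface.network for iface in LOCAL_IFACES)
    if element in ACLS:                       # reference to a named acl
        if depth > 10:
            raise ValueError("acl nesting too deep: " + element)
        return match_list(ACLS[element], ip, depth + 1)
    return ip in ipaddress.ip_network(element, strict=False)   # host or prefix


def match_list(elements, ip, depth=0):
    """BIND address match list: the first element that covers ip decides.
    A plain element that covers ip means match; a '!' element that covers ip
    means no match; if nothing covers ip the result is no match."""
    for element in elements:
        negated = element.startswith("!")
        if element_hits(element.lstrip("!"), ip, depth):
            return not negated
    return False


def allow_query(acl_name, client):
    """Emulate allow-query { acl_name; } for one client address."""
    return match_list([acl_name], ipaddress.ip_address(client))


def select_view(client, views=VIEWS):
    """The first view whose match-clients covers the client serves it; None otherwise."""
    ip = ipaddress.ip_address(client)
    for name, match_clients in views:
        if match_list(match_clients, ip):
            return name
    return None
```

Because "other" matches any, moving that view above the others would capture every client; the last assertion in the test checks exactly that ordering pitfall.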

Edit the corresponding zone files:

[root:named]#    cat shanghai.roger.com.bj
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.1
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.tj
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.3
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.sh
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.2
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.ot
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 172.16.253.115
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115

After editing, check the permissions of the zone files:

[root:named]#    ll
total 40
...
-rw-r-----. 1 root  named  207 Dec  9 15:39 shanghai.roger.com.bj
-rw-r-----. 1 root  named  214 Dec  9 15:55 shanghai.roger.com.ot
-rw-r-----. 1 root  named  207 Dec  9 15:40 shanghai.roger.com.sh
-rw-r-----. 1 root  named  207 Dec  9 15:40 shanghai.roger.com.tj
...

Check the configuration for errors and, if there are none, restart the service:

[root:named]#    named-checkconf
[root:named]#    systemctl restart named

Start testing:
Resolve www.shanghai.roger.com from 172.16.200.0/16:

################### resolving from an IP in 172.16.200.0/24 ###########################
[root:~]#    ip a
...
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:f2:82:b8 brd ff:ff:ff:ff:ff:ff
   inet 172.16.200.200/16 brd 172.16.255.255 scope global eth0
   ...
[root:~]#    dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.1    ## matches the www record in the *.bj file

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec 08 16:40:46 CST 2016
;; MSG SIZE  rcvd: 135

Resolve in the same way from the other address ranges configured in the acls:

################### resolving from an IP in 172.16.252.0/24 ###########################
[root:~]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:c1:9a:6e brd ff:ff:ff:ff:ff:ff
   inet 172.16.252.5/16 brd 172.16.255.255 scope global dynamic eth0
      valid_lft 64047sec preferred_lft 64047sec
...
[root:~]#    dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11627
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.2  ####

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec 08 16:44:41 CST 2016
;; MSG SIZE  rcvd: 135
################### resolving from an IP in 172.16.100.0/24 ###########################
[root:named]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:bb:1c:26 brd ff:ff:ff:ff:ff:ff
   inet 172.16.100.101/16 brd 172.16.255.255 scope global eth0
   inet6 fe80::20c:29ff:febb:1c26/64 scope link
  ...
[root:named]#     dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54657
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.3 ##############

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec  8 16:46:05 2016
;; MSG SIZE  rcvd: 124
######################### resolving from an IP matched by "other" ###########################
[root:named]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:bb:10:26 brd ff:ff:ff:ff:ff:ff
   inet 172.16.253.115/16 brd 172.16.255.255 scope global eth0
  ...
[root:named]#     dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.253.115

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 2 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Sat Oct 15 18:54:33 2016
;; MSG SIZE  rcvd: 124

With this, views give us a "smart DNS".

Original article by 王更生; if you repost it, please cite the source: http://www.www58058.com/63019
