DNS Forwarding, ACL and VIEW

DNS is short for Domain Name System. It is a distributed database on the Internet that maps domain names to IP addresses, so that users can reach hosts by name instead of remembering the numeric IP strings that machines read directly. The process of obtaining the IP address that corresponds to a host name is called domain name resolution (or host name resolution). The DNS protocol runs on top of UDP/TCP and uses port 53.


DNS forwarding

DNS forwarding comes in two forms: global forwarding and zone forwarding. Global forwarding: every request for a zone this server is not responsible for is forwarded to a designated server. It is configured by adding the following parameters inside the options block of /etc/named.conf:

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        forward only|first;      ## forwarding type (first|only): only forwards unconditionally, whether or not the forwarder can return a result; first forwards first and, if the forwarder returns no valid result, performs an iterative query itself as appropriate
        forwarders {IP;};        ## the server to forward to
        ...

Zone-specific forwarding: only requests for a particular zone are forwarded; it takes priority over global forwarding and is configured in /etc/named.rfc1912.zones:

zone "baidu.com" IN {       ## the specific zone to forward
        type forward;       ## zone type: forward
        forward only|first; ## forwarding type (only|first)
        forwarders {IP;};   ## forwarding server
};

The following experiment illustrates forwarding. Prepare a Linux virtual machine with the bind package installed; because of the network setup, the host cannot resolve domain names on its own:

[root:~]#    dig baidu.com @127.0.0.1   ## test whether baidu.com can be resolved

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4039
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.         IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:43:09 CST 2016
;; MSG SIZE  rcvd: 38

[root:~]#    dig qq.com @127.0.0.1  ## test whether qq.com can be resolved

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:43:27 CST 2016
;; MSG SIZE  rcvd: 35

The tests above show that the server cannot resolve names by itself. Now configure global forwarding as follows:

options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        forward only;              ## forwarding type
        forwarders {172.16.0.1;};  ## this IP is the host in the lab that can reach the outside
        ...
## restart the service when done

Test result:

[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28257
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         0   IN  A   61.135.157.156
qq.com.         0   IN  A   125.39.240.113

;; AUTHORITY SECTION:
qq.com.         13686   IN  NS  ns2.qq.com.
qq.com.         13686   IN  NS  ns3.qq.com.
qq.com.         13686   IN  NS  ns4.qq.com.
qq.com.         13686   IN  NS  ns1.qq.com.

;; ADDITIONAL SECTION:
ns2.qq.com.     99870   IN  A   101.227.169.106
ns2.qq.com.     99870   IN  A   125.39.202.108
ns3.qq.com.     99870   IN  A   182.140.177.149
ns3.qq.com.     99870   IN  A   182.140.167.157
ns1.qq.com.     99870   IN  A   101.226.68.138
ns1.qq.com.     99870   IN  A   14.17.19.139
ns4.qq.com.     99870   IN  A   123.151.178.115
ns4.qq.com.     99870   IN  A   125.39.247.247
ns4.qq.com.     99870   IN  A   184.105.206.124
ns4.qq.com.     99870   IN  A   203.205.144.156

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:51:10 CST 2016
;; MSG SIZE  rcvd: 299

[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         600 IN  A   61.135.157.156
qq.com.         600 IN  A   125.39.240.113

;; AUTHORITY SECTION:
qq.com.         13682   IN  NS  ns2.qq.com.
qq.com.         13682   IN  NS  ns1.qq.com.
qq.com.         13682   IN  NS  ns3.qq.com.
qq.com.         13682   IN  NS  ns4.qq.com.

;; ADDITIONAL SECTION:
ns2.qq.com.     99866   IN  A   125.39.202.108
ns2.qq.com.     99866   IN  A   101.227.169.106
ns3.qq.com.     99866   IN  A   182.140.167.157
ns3.qq.com.     99866   IN  A   182.140.177.149
ns1.qq.com.     99866   IN  A   14.17.19.139
ns1.qq.com.     99866   IN  A   101.226.68.138
ns4.qq.com.     99866   IN  A   125.39.247.247
ns4.qq.com.     99866   IN  A   184.105.206.124
ns4.qq.com.     99866   IN  A   203.205.144.156
ns4.qq.com.     99866   IN  A   123.151.178.115

;; Query time: 51 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 22:51:14 CST 2016
;; MSG SIZE  rcvd: 299

In the example above the forwarding type is only. With this type, every request, whether or not it is for a zone this host could resolve itself, is forwarded to the designated server, regardless of whether that server is able to resolve it.
If the type is set to first, the host forwards the request to the designated forwarder first; if the forwarder can resolve the requested name, the result is returned to the client, and if not, the host performs the iterative query itself as appropriate.

Zone-specific forwarding:
In /etc/named.conf, comment out the global forwarding statements:

...
        //forward only;             ## global forwarding commented out
        //forwarders {172.16.0.1;}; ## global forwarding commented out
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;              ## recursion stays enabled
...

In /etc/named.rfc1912.zones add the specific forward zone:

...
zone "baidu.com" IN {
        type forward;
        forward only;
        forwarders {172.16.0.1;};
};
### restart the service and flush the cache
[root:~]#    systemctl restart named
[root:~]#    rndc flush
## expected result: no name other than baidu.com can be resolved
[root:~]#    dig qq.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> qq.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 23:26:27 CST 2016
;; MSG SIZE  rcvd: 35

[root:~]#    dig baidu.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53534
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.         IN  A

;; ANSWER SECTION:
baidu.com.      255 IN  A   111.13.101.208
baidu.com.      255 IN  A   220.181.57.217
baidu.com.      255 IN  A   123.125.114.144
baidu.com.      255 IN  A   180.149.132.47

;; AUTHORITY SECTION:
baidu.com.      11392   IN  NS  dns.baidu.com.
baidu.com.      11392   IN  NS  ns4.baidu.com.
baidu.com.      11392   IN  NS  ns7.baidu.com.
baidu.com.      11392   IN  NS  ns3.baidu.com.
baidu.com.      11392   IN  NS  ns2.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.      97772   IN  A   202.108.22.220
ns3.baidu.com.      97772   IN  A   220.181.37.10
ns4.baidu.com.      97773   IN  A   220.181.38.10
ns2.baidu.com.      97772   IN  A   61.135.165.235
ns7.baidu.com.      97773   IN  A   119.75.219.82

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 07 23:26:33 CST 2016
;; MSG SIZE  rcvd: 272

The global forwarding model is therefore as shown in the figure (image: global forwarding model, not reproduced here).

Zone forwarding model (image: zone forwarding model, not reproduced here).
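As an added illustration (not code from this post or from BIND), the following Python model reproduces the decisions described above: a zone-level forward statement takes priority over the global one, forward only never falls back, and forward first falls back to iteration. The forwarder and iterative answers are constructed stubs standing in for the network, and 10.0.0.53 is a placeholder for a forwarder that does not answer.

```python
# Added example, not BIND source: a model of how named picks a forwarder
# and what 'forward only' vs 'forward first' mean. All answers below are
# constructed stubs; in the post's lab only 172.16.0.1 could reach outside.

def zone_of(qname, zones):
    """Longest-suffix match of a query name against a set of zone names."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(qname, conf, forwarder_answers, iterative_answers):
    """Return (status, answer, path) for one query.
    conf = {'authoritative': set of local zones, 'zones': {zone: policy},
            'global': policy or None, 'recursion': bool}
    policy = {'mode': 'only'|'first', 'forwarders': [ip, ...]}
    forwarder_answers = {forwarder_ip: {qname: address}} (constructed)
    iterative_answers = {qname: address} the host could iterate to itself."""
    if zone_of(qname, conf["authoritative"]):
        return "NOERROR", "local zone data", "authoritative"
    # a zone-level forward statement beats the global one
    zone = zone_of(qname, conf["zones"])
    policy = conf["zones"][zone] if zone else conf["global"]
    if policy:
        for fwd in policy["forwarders"]:
            answer = forwarder_answers.get(fwd, {}).get(qname)
            if answer:
                return "NOERROR", answer, "forwarder " + fwd
        if policy["mode"] == "only":
            # 'only' never falls back, whatever the forwarder did
            return "SERVFAIL", None, "forward only, forwarder gave no answer"
    if conf["recursion"]:
        answer = iterative_answers.get(qname)
        if answer:
            return "NOERROR", answer, "iterative query"
    return "SERVFAIL", None, "no way to reach an answer"

# Constructed lab: 172.16.0.1 can answer; the host itself reaches nothing
# (the SERVFAILs seen before forwarding was configured).
FORWARDER = {"172.16.0.1": {"qq.com.": "61.135.157.156",
                            "baidu.com.": "111.13.101.208"}}
NO_NETWORK = {}

def lab_global_only():
    """options { forward only; forwarders { 172.16.0.1; }; }"""
    conf = {"authoritative": set(), "zones": {}, "recursion": True,
            "global": {"mode": "only", "forwarders": ["172.16.0.1"]}}
    return resolve("qq.com.", conf, FORWARDER, NO_NETWORK)

def lab_zone_only():
    """Global forwarding commented out; zone "baidu.com" { type forward; }"""
    conf = {"authoritative": set(), "recursion": True, "global": None,
            "zones": {"baidu.com": {"mode": "only",
                                    "forwarders": ["172.16.0.1"]}}}
    return (resolve("qq.com.", conf, FORWARDER, NO_NETWORK),
            resolve("baidu.com.", conf, FORWARDER, NO_NETWORK))

def lab_first_fallback():
    """forward first: a dead forwarder (placeholder 10.0.0.53) is tolerated
    when the host can iterate on its own."""
    conf = {"authoritative": set(), "zones": {}, "recursion": True,
            "global": {"mode": "first", "forwarders": ["10.0.0.53"]}}
    return resolve("qq.com.", conf, {}, {"qq.com.": "125.39.240.113"})
```

Changing the mode in lab_first_fallback to only turns the same query into a SERVFAIL, which is exactly the difference the two experiments above exercise.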

ACL

Why have ACLs? For security and for the performance of the DNS server. Without an ACL, anyone can send recursive queries to our DNS server, which is very dangerous. In addition, DNS zone transfer is multi-master replication; without an ACL, any host can perform a full zone transfer from our DNS server, which is also dangerous and would keep the server extremely busy.

The four ACL control directives commonly used in bind:
allow-query {}:      hosts allowed to query; a whitelist
allow-transfer {}:   hosts allowed to perform zone transfers; a whitelist
allow-recursion {}:  hosts allowed to make recursive queries; recommended at the global level
allow-update {}:     hosts allowed to update the contents of the zone database

An acl is defined as:
acl acl_name {ip;ip/prelen;…};
Inside the braces you can write a user-defined acl or one of bind's built-ins: none, any, localhost, localnet;
none: no host at all
any: any host
localhost: this machine
localnet: the network address obtained by ANDing this machine's IP with its netmask
Note: an acl can only be used after it has been defined, so the acl definition must appear above the place where the acl is referenced, i.e. at the top of the configuration file.
On the host there is a zone shanghai.roger.com, and www.shanghai.roger.com can be resolved through every IP of this host:


[root:named]#    dig www.shanghai.roger.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 08 10:41:08 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.22.123

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.22.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 172.16.22.123#53(172.16.22.123)
;; WHEN: Thu Dec 08 10:41:31 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.252.81

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.252.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60273
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 0 msec
;; SERVER: 172.16.252.81#53(172.16.252.81)
;; WHEN: Thu Dec 08 10:41:39 CST 2016
;; MSG SIZE  rcvd: 135

Configure the acl in /etc/named.conf as follows:

...
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl queryacl {172.16.22.123;};     ## the configured acl
options {
//  listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
...

In /etc/named.rfc1912.zones, configure the acl for the zone shanghai.roger.com as follows:

...
zone "shanghai.roger.com"{
    type master;
    file "shanghai.roger.com";
    allow-query { queryacl; };   ## the query acl
};
...

After restarting the service, the queries look like this:

[root:named]#    dig www.shanghai.roger.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60033
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 08 10:58:15 CST 2016
;; MSG SIZE  rcvd: 51

[root:named]#    dig www.shanghai.roger.com @172.16.22.123

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.22.123
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62958
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.252.81

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.252.81
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 46 msec
;; SERVER: 172.16.22.123#53(172.16.22.123)
;; WHEN: Thu Dec 08 10:58:19 CST 2016
;; MSG SIZE  rcvd: 135

[root:named]#    dig www.shanghai.roger.com @172.16.252.81

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.252.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; Query time: 0 msec
;; SERVER: 172.16.252.81#53(172.16.252.81)
;; WHEN: Thu Dec 08 10:58:41 CST 2016
;; MSG SIZE  rcvd: 51

Only 172.16.22.123, the IP in the allow-query acl, can query; every other IP, 127.0.0.1 included, is not in the acl and cannot query. That is what an acl does.
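The rules above (define an acl before referencing it; keep recursion and zone transfers restricted) can be checked mechanically. The following lint is an added example, not part of this post or of BIND; it runs over a constructed named.conf fragment that mirrors the post's snippets with two mistakes introduced, and only handles match lists written on one line, as the post writes them.

```python
# Added example, not BIND code: a small lint for the ACL rules above.
import re

ACL_DEF = re.compile(r"^\s*acl\s+(\S+)\s*\{")
ACL_USE = re.compile(r"\b(allow-query|allow-transfer|allow-recursion|"
                     r"allow-update|match-clients)\s*\{([^}]*)\}")
ADDRESS = re.compile(r"^[0-9A-Fa-f.:/]+$")
# built-in match lists (the post writes localnet; BIND spells it localnets)
BUILTIN = {"none", "any", "localhost", "localnet", "localnets"}

def strip_comments(text):
    """Drop /* */, // and # comments without shifting line numbers."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def lint(conf):
    """Return [(line_no, message)]; line 0 marks file-wide findings."""
    text = strip_comments(conf)
    findings, defined = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = ACL_DEF.match(line)
        if m:
            defined[m.group(1)] = no          # acl name -> defining line
        for directive, body in ACL_USE.findall(line):
            names = [t.strip() for t in body.split(";") if t.strip()]
            for name in (n.lstrip("!") for n in names):
                if name in BUILTIN or ADDRESS.match(name):
                    continue
                if name not in defined:       # used above its definition
                    findings.append((no, "%s uses acl '%s' before it is defined"
                                     % (directive, name)))
            if directive in ("allow-recursion", "allow-transfer") and "any" in names:
                findings.append((no, directive + " { any; } is open to everyone"))
    if re.search(r"\brecursion\s+yes\b", text) and "allow-recursion" not in text:
        findings.append((0, "recursion yes without allow-recursion: open resolver"))
    if re.search(r"\btype\s+master\b", text) and "allow-transfer" not in text:
        findings.append((0, "master zone without allow-transfer: AXFR unrestricted"))
    return findings

# Constructed fragment: the post's config with two mistakes added
# (acl referenced before its definition, allow-transfer opened to any).
SAMPLE = """\
options {
        directory "/var/named";
        recursion yes;
        allow-query { queryacl; };   // used before 'acl queryacl' is defined
};
acl queryacl { 172.16.22.123; };
zone "shanghai.roger.com" IN {
        type master;
        file "shanghai.roger.com";
        allow-query { queryacl; };
        allow-transfer { any; };
};
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(line_no, message)
```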

VIEW

The view mechanism is based on the split-brain (split-horizon) principle: an access control list that flexibly decides which clients see which view. With views, the same request coming from different network segments gets different DNS answers, which spreads network traffic effectively and improves access control.
One bind server can define several views, and each view can define one or more zones.
Each view is used to match one group of clients.
Several views may need to resolve the same zone, but using different zone database files.
Format:
view VIEW_NAME {
match-clients { };
zone "magedu.com" {
type master;
file "magedu.com.zone"; };
include "/etc/named.rfc1912.zones.xxxx";
};
Again on a single machine, by configuring several zone database files and matching them with acls, we make the same domain name resolve to different IPs depending on the client's IP.
First edit /etc/named.conf and configure the acls:

...
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl beijing {172.16.200.0/24;};
acl shanghai {172.16.252.0/24;};
acl tianjing {172.16.100.0/24;};
acl other {any;};
options {
...
};

view "beijing"{
    match-clients {beijing;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.bj";
    };
include "/etc/named.rfc1912.zones";
};
view "tianjing"{
    match-clients {tianjing;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.tj";
    };
include "/etc/named.rfc1912.zones";
};
view "shanghai"{
    match-clients {shanghai;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.sh";
    };
include "/etc/named.rfc1912.zones";
};
view "other"{
    match-clients {other;};
    zone "shanghai.roger.com"{
        type master;
        file "shanghai.roger.com.ot";
    };
include "/etc/named.rfc1912.zones";
};
include "/etc/named.root.key";
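Which view a client lands in is decided by file order: named tries the views in sequence and the first match-clients that matches wins, which is why the catch-all view other is placed last. As an added example (not code from this post or from BIND), the following Python model applies that rule to the post's acls and zone files, and shows what happens if other were listed first.

```python
# Added example, not BIND code: model of view selection for the post's
# config. ACLS and VIEWS are constructed from the post's named.conf and
# the www records of its four zone files.
import ipaddress

ACLS = {                                   # acl name -> address match list
    "beijing":  ["172.16.200.0/24"],
    "shanghai": ["172.16.252.0/24"],
    "tianjing": ["172.16.100.0/24"],
    "other":    ["any"],
}
VIEWS = [  # file order: (view, match-clients, zone file, its www A record)
    ("beijing",  ["beijing"],  "shanghai.roger.com.bj", "1.1.1.1"),
    ("tianjing", ["tianjing"], "shanghai.roger.com.tj", "1.1.1.3"),
    ("shanghai", ["shanghai"], "shanghai.roger.com.sh", "1.1.1.2"),
    ("other",    ["other"],    "shanghai.roger.com.ot", "172.16.253.115"),
]

def list_matches(entries, client, acls):
    """Evaluate an address match list the way BIND does: the first element
    that matches decides, and a matching negated ('!') element means the
    whole list does not match."""
    for entry in entries:
        negated = entry.startswith("!")
        entry = entry.lstrip("!")
        if entry == "any":
            hit = True
        elif entry == "none":
            hit = False
        elif entry in acls:                    # nested acl reference
            hit = list_matches(acls[entry], client, acls)
        else:                                  # address or prefix
            hit = client in ipaddress.ip_network(entry, strict=False)
        if hit:
            return not negated
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return (view, zone file, www answer) for a client, or None."""
    client = ipaddress.ip_address(client_ip)
    for view, clients, zone_file, www in views:
        if list_matches(clients, client, acls):
            return view, zone_file, www
    return None

def shadowed_views(views=VIEWS, acls=ACLS):
    """Views that can never be reached because an earlier view's
    match-clients matches every client (directly or through an acl)."""
    for idx, (_, clients, _, _) in enumerate(views):
        if any(c == "any" or (c in acls and "any" in acls[c]) for c in clients):
            return [v[0] for v in views[idx + 1:]]
    return []

if __name__ == "__main__":
    for ip in ("172.16.200.200", "172.16.252.5", "172.16.100.101", "172.16.253.115"):
        print(ip, "->", select_view(ip))
    print("shadowed if 'other' came first:", shadowed_views([VIEWS[3]] + VIEWS[:3]))
```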

Edit the corresponding zone database files:

[root:named]#    cat shanghai.roger.com.bj
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.1
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.tj
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.3
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.sh
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 1.1.1.2
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115
[root:named]#    cat shanghai.roger.com.ot
$TTL 38400
@  IN SOA ns1 admin ( 01 1D 1D 1D 1D )
@  NS ns1
@  NS ns2
ns1 A 172.16.253.115
ns2 A 172.16.11.11
www  IN A 172.16.253.115
web IN A 172.16.22.111
ftp A 172.121.12.12
* A 12.12.12.111
@ A 172.16.253.115

After editing, check the permissions of the zone files:

[root:named]#    ll
total 40
...
-rw-r-----. 1 root  named  207 Dec  9 15:39 shanghai.roger.com.bj
-rw-r-----. 1 root  named  214 Dec  9 15:55 shanghai.roger.com.ot
-rw-r-----. 1 root  named  207 Dec  9 15:40 shanghai.roger.com.sh
-rw-r-----. 1 root  named  207 Dec  9 15:40 shanghai.roger.com.tj
...

Check the configuration files for errors and, if there are none, restart the service:

[root:named]#    named-checkconf
[root:named]#    systemctl restart named

Start testing:
Resolve www.shanghai.roger.com from a client in 172.16.200.0/16:

################### resolve from an IP in 172.16.200.0/24 ###########################
[root:~]#    ip a
...
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:f2:82:b8 brd ff:ff:ff:ff:ff:ff
   inet 172.16.200.200/16 brd 172.16.255.255 scope global eth0
   ...
[root:~]#    dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.1    ## matches the www record in the *.bj file

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec 08 16:40:46 CST 2016
;; MSG SIZE  rcvd: 135

Likewise, resolve from the other address ranges configured in the acls:

################### resolve from an IP in 172.16.252.0/24 ###########################
[root:~]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:c1:9a:6e brd ff:ff:ff:ff:ff:ff
   inet 172.16.252.5/16 brd 172.16.255.255 scope global dynamic eth0
      valid_lft 64047sec preferred_lft 64047sec
...
[root:~]#    dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11627
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.2  ####

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec 08 16:44:41 CST 2016
;; MSG SIZE  rcvd: 135
################### resolve from an IP in 172.16.100.0/24 ###########################
[root:named]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:bb:1c:26 brd ff:ff:ff:ff:ff:ff
   inet 172.16.100.101/16 brd 172.16.255.255 scope global eth0
   inet6 fe80::20c:29ff:febb:1c26/64 scope link
  ...
[root:named]#     dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54657
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   1.1.1.3 ##############

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 1 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Thu Dec  8 16:46:05 2016
;; MSG SIZE  rcvd: 124
######################### resolve from an IP matched by other ###########################
[root:named]#    ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 00:0c:29:bb:10:26 brd ff:ff:ff:ff:ff:ff
   inet 172.16.253.115/16 brd 172.16.255.255 scope global eth0
  ...
[root:named]#     dig www.shanghai.roger.com @172.16.251.187

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> www.shanghai.roger.com @172.16.251.187
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.shanghai.roger.com.        IN  A

;; ANSWER SECTION:
www.shanghai.roger.com. 38400   IN  A   172.16.253.115

;; AUTHORITY SECTION:
shanghai.roger.com. 38400   IN  NS  ns1.shanghai.roger.com.
shanghai.roger.com. 38400   IN  NS  ns2.shanghai.roger.com.

;; ADDITIONAL SECTION:
ns1.shanghai.roger.com. 38400   IN  A   172.16.253.115
ns2.shanghai.roger.com. 38400   IN  A   172.16.11.11

;; Query time: 2 msec
;; SERVER: 172.16.251.187#53(172.16.251.187)
;; WHEN: Sat Oct 15 18:54:33 2016
;; MSG SIZE  rcvd: 124

Thus, with VIEW, we have implemented smart DNS.

Original article by 王更生; if you repost it, please cite the source: http://www.178linux.com/63019
