Intelligent DNS

Intelligent DNS works as shown in the figure below. When a user visits www.sina.com in a browser, the browser asks the DNS server for the server's address: a user in Beijing gets back the IP address of regional proxy server 1, a user in Shanghai gets the IP address of regional proxy server 2, and so on. Taking a Beijing user as an example: the DNS server returns the address of regional proxy server 1 and the user connects to it. A regional proxy server usually holds static content, so as long as the user only requests static content, regional proxy server 1 serves it directly; when the user requests dynamic content, regional proxy server 1 fetches it from the web server and then returns it to the user.

Lab: intelligent DNS for Shanghai, Beijing and all other regions
Goal: when a client in Shanghai resolves www.sina.com, return 6.6.6.6;
when a client in Beijing resolves www.sina.com, return 1.1.1.1;
when a client in any other region resolves www.sina.com, return 2.2.2.2.
Regions are told apart by client IP address. The Shanghai address ranges are:
192.168.191.0/24
192.168.192.0/24
The Beijing address ranges are:
172.17.251.0/24
172.18.251.0/24
These ranges simulate the intelligent DNS setup.
Implementation, in three major steps:
First, prepare the zone database files: the address that www.sina.com resolves to and the related records.
Second, define the ACLs: the IP address ranges of each region.
Third, define the views: associate each ACL with its zone database file.
1. Install the package
yum install bind
2. Start the service
systemctl start named
Note: the DNS package is called bind, while the service is called named.
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Zone database files: /var/named/ZONE_NAME.ZONE
3. Create the DNS zone database files
cd /var/named
vim sina.com.zone.beijing

    $TTL 1D
    @ IN SOA dns1 rname.invalid. (
            2017101101 ; serial
            1D ; refresh
            1H ; retry
            1W ; expire
            3H ) ; minimum
    @ NS dns1
    dns1 A 172.17.251.107
    dns1 A 192.168.191.107
    www A 1.1.1.1          ; answer handed to Beijing clients
vim sina.com.zone.shanghai

    $TTL 1D
    @ IN SOA dns1 rname.invalid. (
            2017101101 ; serial
            1D ; refresh
            1H ; retry
            1W ; expire
            3H ) ; minimum
    @ NS dns1
    dns1 A 172.17.251.107  ; both addresses belong to dns1, the only NS
    dns1 A 192.168.191.107
    www A 6.6.6.6          ; answer handed to Shanghai clients
vim sina.com.zone.other

    $TTL 1D
    @ IN SOA dns1 rname.invalid. (
            2017101101 ; serial
            1D ; refresh
            1H ; retry
            1W ; expire
            3H ) ; minimum
    @ NS dns1
    dns1 A 172.17.251.107
    dns1 A 192.168.191.107
    www A 2.2.2.2          ; answer handed to clients from any other region
4. Create the ACLs and views
vim /etc/named.conf
(1) Comment out these two lines

    options {
    //      listen-on port 53 { localhost; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { any; };

The first line sets which IP addresses port 53 is bound on; allow-query {}; sets which hosts are allowed to query. Either comment both lines out, or change their values to the ones shown above: localhost means every IP address on this host may be bound on port 53, and any means all IPs.
(2) Add the following to the same file

    acl shanghainet {
            192.168.191.0/24;
            192.168.192.0/24;
    };
    acl beijingnet {
            172.17.251.0/24;
            172.18.251.0/24;
    };
(3) Create the views
Change the rest of the file to the following.
Method 1 for defining a view: when associating the zone database file, write the file name directly in the zone statement.
Method 2: put the zone statement in /etc/named.rfc1912.zones.shanghai and specify the database file there.

    view beijingview {
            match-clients { beijingnet; };          // attach the ACL
            zone "sina.com" {
                    type master;
                    file "sina.com.zone.beijing";   // zone database file
            };
            zone "." IN {
                    type hint;                      // lets clients in this region reach the root servers directly
                    file "named.ca";
            };
    };
    view shanghaiview {
            match-clients { shanghainet; };
            include "/etc/named.rfc1912.zones.shanghai";
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    };
    view otherview {
            match-clients { any; };
            include "/etc/named.rfc1912.zones.other";
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    };
    include "/etc/named.root.key";
The whole file looks like this:

    acl shanghainet {
            192.168.191.0/24;
            192.168.192.0/24;
    };
    acl beijingnet {
            172.17.251.0/24;        // same /24 ranges as defined for Beijing above
            172.18.251.0/24;
    };
    options {
    //      listen-on port 53 { localhost; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { any; };
            allow-transfer  { none; };

            /*
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable
               recursion.
             - If your recursive DNS server has a public IP address, you MUST enable access
               control to limit queries to your legitimate users. Failing to do so will
               cause your server to become part of large scale DNS amplification
               attacks. Implementing BCP38 within your network would greatly
               reduce such attack surface
            */
            recursion yes;

            dnssec-enable no;
            dnssec-validation no;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

            managed-keys-directory "/var/named/dynamic";

            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";
    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    view beijingview {
            match-clients { beijingnet; };
            zone "sina.com" {
                    type master;
                    file "sina.com.zone.beijing";
            };
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    };
    view shanghaiview {
            match-clients { shanghainet; };
            include "/etc/named.rfc1912.zones.shanghai";
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    };
    view otherview {
            match-clients { any; };
            include "/etc/named.rfc1912.zones.other";
            zone "." IN {
                    type hint;
                    file "named.ca";
            };
    };
    include "/etc/named.root.key";
5. Make two copies of /etc/named.rfc1912.zones, named /etc/named.rfc1912.zones.shanghai and /etc/named.rfc1912.zones.other
vim /etc/named.rfc1912.zones.shanghai
Append the following:

    zone "sina.com" IN {
            type master;
            file "sina.com.zone.shanghai";
    };

vim /etc/named.rfc1912.zones.other
Append the following:

    zone "sina.com" IN {
            type master;
            file "sina.com.zone.other";
    };
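With the three zone files and the views in place, this is how named decides which answer a client receives. It is an added example written for this post, not the author's code: it reproduces the first-match logic of match-clients over the ACLs above, reads the www record out of each zone file, and uses strict prefix checking to catch an ACL entry such as 172.17.251.0/16, whose host bits do not fit the prefix length. The client addresses used to exercise it are constructed.

```python
# Added example, not from the original post: models how named picks a view for
# this lab. ACLs, views and zone files are the page's; test client IPs are constructed.
import ipaddress
ACLS = {"shanghainet": ["192.168.191.0/24", "192.168.192.0/24"],
        "beijingnet": ["172.17.251.0/24", "172.18.251.0/24"]}
# The page's zone file; only the www record differs per region.
ZONE_TEMPLATE = """$TTL 1D
@ IN SOA dns1 rname.invalid. (
        2017101101 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
@ NS dns1
dns1 A 172.17.251.107
dns1 A 192.168.191.107
www A {www}
"""
# Same order as named.conf: the FIRST view whose match-clients matches wins,
# so the catch-all "any" view must stay last.
VIEWS = [("beijingview", ["beijingnet"], ZONE_TEMPLATE.format(www="1.1.1.1")),
         ("shanghaiview", ["shanghainet"], ZONE_TEMPLATE.format(www="6.6.6.6")),
         ("otherview", ["any"], ZONE_TEMPLATE.format(www="2.2.2.2"))]

def parse_acl(entries):
    # strict=True rejects a prefix with host bits set, e.g. 172.17.251.0/16;
    # BIND flags the same mistake as an address/prefix length mismatch.
    return [ipaddress.ip_network(e, strict=True) for e in entries]

def select_view(client_ip, views=VIEWS, acls=ACLS):
    ip = ipaddress.ip_address(client_ip)
    for name, match_clients, zone in views:
        for acl in match_clients:
            if acl == "any" or any(ip in net for net in parse_acl(acls[acl])):
                return name, zone
    return None, None  # no view matched: named refuses the query

def a_records(zone_text, owner):
    # Minimal zone-file scan for one owner's A records. Text after ';' is a
    # comment; SOA continuation lines never form an owner/A/address triple.
    out = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 3 and fields[0] == owner and fields[-2] == "A":
            out.append(fields[-1])
    return out

def resolve_www(client_ip, views=VIEWS):
    view, zone = select_view(client_ip, views)
    return view, (a_records(zone, "www") if zone else [])
```

Passing the views with otherview first sends every client to otherview, which is why the any view has to be the last one in named.conf.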
6. Start the service
Reload the service: rndc reload
Note: on CentOS 6 or CentOS 7 it is best not to use restart; it can easily leave the service dead and unable to come back up.
The rndc reload command exists specifically to manage the DNS service. If you really must restart the service, stop it first and then start it again.
7. Test:
On a client, point the client's DNS at the server host.
(1) If the network configuration is obtained automatically, edit /etc/resolv.conf with vim:
nameserver 172.17.251.107
(2) If the network is configured manually, edit the bridged interface's file under /etc/sysconfig/network-scripts and set DNS1=172.17.251.107.
Restart networking: systemctl restart network
Test on the client:
dig www.sina.com @192.168.191.107
dig www.sina.com @172.17.251.107
[root@centos7 named]# dig www.sina.com @192.168.191.107
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sina.com @192.168.191.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sina.com. IN A
;; Query time: 0 msec
;; SERVER: 192.168.191.107#53(192.168.191.107)
;; WHEN: Thu Oct 12 11:10:48 CST 2017
;; MSG SIZE rcvd: 41
An error occurred (SERVFAIL above).
Troubleshooting: 1. Check the firewall with iptables -vnL and clear the firewall rules with iptables -F.
2. Check network connectivity: dig www.baidu.com
rndc flush clears the cache
rndc reload reloads the service
After clearing both, the same error still appeared.
It finally turned out to be a permissions problem on the zone database files: named runs as the user named, so when the files' owner and group are root, change their permissions to 644.
A Shanghai client now resolves to 6.6.6.6. Success.
[root@centos6 network-scripts]# dig www.sina.com @192.168.191.107
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sina.com @192.168.191.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sina.com. IN A
;; ANSWER SECTION:
www.sina.com. 86400 IN A 6.6.6.6
;; AUTHORITY SECTION:
sina.com. 86400 IN NS dns1.sina.com.
;; ADDITIONAL SECTION:
dns1.sina.com. 86400 IN A 172.17.251.107
dns1.sina.com. 86400 IN A 192.168.191.107
;; Query time: 2 msec
;; SERVER: 192.168.191.107#53(192.168.191.107)
;; WHEN: Mon Oct 9 13:34:41 2017
;; MSG SIZE rcvd: 97
This article is reposted from hawapple's 51CTO blog; original link: http://blog.51cto.com/guanm/1971653