一、功能描述
在实现了DNS主从同步、子域授权之后,还可以让DNS针对来自不同网络的域名解析请求返回不同的主机地址,以实现分流。
假设下图中两台主机互为镜像,要实现来源不同的主机对此域名的解析指向同网段内的镜像主机,而不用穿过路由器跨网段访问。例如172.16.0.0/24网内对www.sunlinux.com的解析指向172.16.200.6的服务器,而192.168.0.0/24网段内主机对www.sunlinux.com的解析指向192.168.0.6的服务器。可以利用ACL及VIEW规则来实现。
二、实现步骤
1、将来源不同的两个网段定义到不同的ACL规则当中。
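# Source networks used to select a view.
acl C_class { 192.168.0.0/24; };
# The prefix length must agree with the network address. 172.16.0.0 with an
# 8-bit mask has bits set beyond the mask and, taken as a /8, would cover all
# of 172.x.x.x, which is mostly public address space. /16 covers the
# 172.16.x.x hosts used on this page.
acl B_class { 172.16.0.0/16; };
# Every address except the two networks above: the negated entries are listed
# before "any" so that they are excluded first.
acl Other { !192.168.0.0/24; !172.16.0.0/16; any; };
# Alternative: match all addresses. This is enough when the view that uses it
# is listed last, because views are matched from top to bottom.
#acl Other { any; };
2、用view划分DNS。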
# View answering clients in the C_class ACL. Each view behaves like an
# independent DNS server with its own set of zones.
view classC {
    match-clients { C_class; };        # clients this view answers
    # Root hints: C-network queries for names outside sunlinux.com start at
    # the root servers.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    # Zone this server is master for.
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Czone";     # sunlinux.com data served to C-network clients
    };
};
# View answering clients in the B_class ACL.
# Once views are used, every zone has to be declared inside a view.
view classB {
    match-clients { B_class; };        # clients this view answers
    # Root hints: B-network queries for names outside sunlinux.com start at
    # the root servers.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";     # sunlinux.com data served to B-network clients
    };
};
# View for clients that matched neither of the two views above.
# NOTE(review): these clients are answered from the B-network zone file, so
# they receive its 172.16.x.x addresses; confirm that exposing those records
# outside the two networks is intended.
# NOTE(review): the view also carries a root hint zone; whether these clients
# may use the server recursively depends on the recursion / allow-recursion
# settings, which this page does not show.
view anyother {
    match-clients { Other; };          # hosts outside the two defined networks
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";
    };
};
3、编辑bind配置文件将规则写入。
# vim /etc/named.conf
# Global server options.
# NOTE(review): the page elides the remaining options; limits such as
# allow-query and allow-recursion would be set here or inside each view.
options {
    directory "/var/named";            # data file directory
    ...                                # remaining global settings (not shown on the page)
};
# Logging configuration: one channel, default_debug, written to a file.
logging {
    channel default_debug {
        # Log file; a relative path, presumably resolved under the directory
        # set in options — confirm.
        file "data/named.run";
        severity dynamic;              # follow the server's current debug level
    };
};
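# Source networks used to select a view.
acl C_class { 192.168.0.0/24; };
# The prefix length must agree with the network address. 172.16.0.0 with an
# 8-bit mask has bits set beyond the mask and, taken as a /8, would cover all
# of 172.x.x.x, which is mostly public address space. /16 covers the
# 172.16.x.x hosts used on this page.
acl B_class { 172.16.0.0/16; };
# Explicit form of "everything else", kept for reference.
#acl Other { !192.168.0.0/24; !172.16.0.0/16; any; };
# Matches every address. Safe only while the view that uses it is the last
# one, because views are matched from top to bottom.
acl Other { any; };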
# Answers clients in C_class (192.168.0.0/24) from the C-network zone file.
view classC {
    match-clients { C_class; };
    # Root hints for names outside sunlinux.com.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Czone";
    };
};
# Answers clients in B_class from the B-network zone file.
view classB {
    match-clients { B_class; };
    # Root hints for names outside sunlinux.com.
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";
    };
};
# Last view: matches whatever the two views above did not. It must stay last,
# since Other is defined as "any" in this file.
# NOTE(review): these clients are answered from the B-network zone file, so
# they receive its 172.16.x.x addresses; confirm that exposing those records
# outside the two networks is intended.
# NOTE(review): whether these clients may use the server recursively depends
# on the recursion / allow-recursion settings, which this page does not show.
view anyother {
    match-clients { Other; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "sunlinux.com" IN {
        type master;
        file "sunlinux.com.Bzone";
    };
};
4、编辑C网段数据文件。
# vim /var/named/sunlinux.com.Czone
; sunlinux.com zone data served to C-network (192.168.0.0/24) clients.
$TTL 600                ; default TTL in seconds
; SOA: primary server name, then the administrator mailbox written with a dot
; in place of "@".
; NOTE(review): dns.sunlinux.com. has no record in this file and is not one of
; the NS names below — confirm that is intended.
@       IN  SOA dns.sunlinux.com. dnsadmin.sunlinux.com. (
                20140312    ; serial
                1H          ; refresh
                5M          ; retry
                3D          ; expire
                6H          ; negative-caching TTL
                )
; Records with no owner name inherit "@" (the zone apex); the leading
; whitespace on these lines is required.
        IN  NS  ns1.sunlinux.com.
        IN  NS  ns2.sunlinux.com.
        IN  MX  10 mail
ns1     IN  A   172.16.251.58
ns2     IN  A   172.16.251.61
; Addresses handed to C-network clients.
www     IN  A   192.168.0.6
mail    IN  A   192.168.0.8
5、编辑B网段数据文件。
[root@localhost ~]# vim /var/named/sunlinux.com.Bzone
; sunlinux.com zone data served to B-network clients.
; NOTE(review): named.conf on this page loads this file for both view classB
; and view anyother, so clients outside the two networks see these 172.16.x.x
; addresses as well — confirm that is intended.
$TTL 600                ; default TTL in seconds
; SOA: primary server name, then the administrator mailbox written with a dot
; in place of "@".
@       IN  SOA dns.sunlinux.com. dnsadmin.sunlinux.com. (
                20140312    ; serial
                1H          ; refresh
                5M          ; retry
                3D          ; expire
                6H          ; negative-caching TTL
                )
; Records with no owner name inherit "@" (the zone apex); the leading
; whitespace on these lines is required.
        IN  NS  ns1.sunlinux.com.
        IN  NS  ns2.sunlinux.com.
        IN  MX  10 mail
; Delegation of the blog subdomain to its own name servers, followed by the
; glue addresses for those servers.
blog        IN  NS  ns3.blog.sunlinux.com.
blog        IN  NS  ns4.blog.sunlinux.com.
ns3.blog    IN  A   172.16.251.64
ns4.blog    IN  A   172.16.251.67
ns1     IN  A   172.16.251.58
ns2     IN  A   172.16.251.61
; Addresses handed to clients answered from this file.
www     IN  A   172.16.200.6
mail    IN  A   172.16.200.8
pop     IN  CNAME   mail
ftp     IN  CNAME   www
6、检查配置文件语法错误,并启动。
# service named configtest
zone sunlinux.com.Czone/IN: loaded serial 20140312
zone sunlinux.com.Bzone/IN: loaded serial 20140312
# service named start
Starting named: [ OK ]
三、测试及验证
B 网段测试结果
# dig -t A www.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6742
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com. IN A
;; ANSWER SECTION:
www.sunlinux.com. 600 IN A 172.16.200.6 # B网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 1 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:12 2014
;; MSG SIZE rcvd: 118

# dig -t A mail.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51869
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com. IN A
;; ANSWER SECTION:
mail.sunlinux.com. 600 IN A 172.16.200.8 # B网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 0 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:24 2014
;; MSG SIZE rcvd: 119
C网段测试结果。
# dig -t A www.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com. IN A
;; ANSWER SECTION:
www.sunlinux.com. 600 IN A 192.168.0.6 # C网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 1 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:34 2014
;; MSG SIZE rcvd: 118

# dig -t A mail.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com. IN A
;; ANSWER SECTION:
mail.sunlinux.com. 600 IN A 192.168.0.8 # C网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 0 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:39 2014
;; MSG SIZE rcvd: 119
四、补充说明
acl:需要先定义后使用。内置ACL{any; none; localhost; localnets;}可以直接使用。
view:优先级从上至下,先匹配到的生效。因此匹配范围最宽的view(例如match-clients为any的view)必须放在最后。