Implementing DNS Views
As everyone knows, traffic between China Netcom and China Telecom is slow, yet the big Internet companies are fast no matter where you are or how you connect. How is that done? The first idea that comes to mind is to place servers with identical content on both the Telecom and Netcom sides; but then how do you make Telecom users go to the Telecom servers and Netcom users to the Netcom servers? That is what the advanced DNS feature called views is for.
On a DNS server, views are implemented in the configuration file with the view statement. The zones that should be reachable only from certain IP addresses are grouped into a named view block, and the requesting IP addresses or address ranges are listed in that view's match-clients option. To tell the Telecom and Netcom lines apart as described above, write two acl access control lists holding the Telecom and Netcom address ranges, and then put each acl's name into the match-clients option of the corresponding view.
Note:
1. Once view is used, every zone must be defined inside a view; only the view serving clients that are allowed to recurse needs to define the root (hint) zone and the like.
2. When a client request arrives, views are matched top to bottom against the address ranges in match-clients; the first view that matches is the one that takes effect.
Define an ACL named intnet globally.
Move the root zone definition from the main configuration file into named.rfc1912.zones.
Comment out the root zone in the main configuration file.
Below is the main configuration file: /etc/named.conf
```
acl intnet {
    172.16.0.0/16;
    127.0.0.0/8;
};
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
We put the root zone into this file and then define all of its zones inside one view; every client coming from intnet is matched into this view:
```
[root@bind named]# vim /etc/named.rfc1912.zones
view int {
    match-clients { intnet; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };
    zone "oracle.com" IN {
        type master;
        file "oracle.com.zone";
    };
};
```
The view above only defines the zones that requests from the intnet network can reach; requests from any other network still need a view to match them. Since views are matched top to bottom, this second view goes after the first, and it must state explicitly that recursion is not allowed inside it; the zones defined in it are the ones this view answers for.
Clients that land in different views get different IP addresses for the same zones on this host: the view above serves requests from the internal network and returns internal addresses, while clients from external networks get their answers from the zones defined in the view below.
```
view extend {
    match-clients { any; };
    allow-recursion { none; };
    zone "oracle.com" IN {
        type master;
        file "oracle.com.ext";
    };
};
```
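To make the first-match rule concrete, here is a small Python model of the intnet ACL and the int/extend views as configured above. It is added here as an example and is not BIND's code or part of the original post; the client addresses and the per-view www records are constructed from the configuration and dig output on this page. It reproduces which view a client lands in and which www.oracle.com addresses it receives, and adds a check for the ordering mistake the note warns about: a view listed after a view that matches `any` can never be reached.

```python
import ipaddress

# Constructed model of the page's setup: the global ACL "intnet" and the two
# views in the order they appear in named.rfc1912.zones, with the www A records
# each view's oracle.com zone file returns (values taken from the dig output).
ACLS = {
    "intnet": ["172.16.0.0/16", "127.0.0.0/8"],
    "any": ["0.0.0.0/0", "::/0"],   # BIND's built-in "any"
}
VIEWS = [
    ("int",    ["intnet"], {"www.oracle.com.": ["172.16.31.101", "172.16.31.100"]}),
    ("extend", ["any"],    {"www.oracle.com.": ["192.168.1.101", "192.168.1.100"]}),
]

def expand(entry):
    """Resolve an ACL name (recursively) or a literal prefix into ip_network objects."""
    if entry in ACLS:
        return [net for item in ACLS[entry] for net in expand(item)]
    return [ipaddress.ip_network(entry)]

def select_view(client, views=VIEWS):
    """match-clients is evaluated view by view, top to bottom; the first hit wins."""
    addr = ipaddress.ip_address(client)
    for name, match_clients, _ in views:
        for entry in match_clients:
            if any(addr in net for net in expand(entry) if net.version == addr.version):
                return name
    return None   # no view matched: named refuses the query

def resolve(client, qname, views=VIEWS):
    """Return (view, A records) the client would get, mirroring the two dig runs."""
    chosen = select_view(client, views)
    for name, _, zones in views:
        if name == chosen:
            return name, zones.get(qname, [])
    return None, []

def shadowed_views(views=VIEWS):
    """Views that can never match because earlier views' ACLs already cover
    every prefix they list (e.g. a view with "any" placed before them)."""
    seen, dead = [], []
    for name, match_clients, _ in views:
        mine = [net for e in match_clients for net in expand(e)]
        if mine and all(any(n.subnet_of(o) for o in seen if o.version == n.version)
                        for n in mine):
            dead.append(name)
        seen.extend(mine)
    return dead
```

Swapping the two views (`shadowed_views(list(reversed(VIEWS)))`) reports `int` as unreachable, which is exactly the failure mode of listing the `any` view first: every client, internal ones included, would be served the external zone.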
We also need a zone data file for the requests that come from the external network:
```
[root@bind named]# cd /var/named
[root@bind named]# vim oracle.com.ext
$ORIGIN oracle.com.
@       IN      SOA     ns.oracle.com. root.oracle.com. (
                        2014121101      ; serial
                        1D              ; refresh
                        5M              ; retry
                        1W              ; expiry
                        1H )            ; minimum
@       IN      NS      ns.oracle.com.
        IN      MX 5    mail.oracle.com.
ns      IN      A       172.16.31.100
www     IN      A       192.168.1.100
www     IN      A       192.168.1.101
www1    IN      A       192.168.1.100
www2    IN      A       192.168.1.101
mail    IN      A       192.168.1.100
pop3    IN      CNAME   mail
iamp4   IN      CNAME   mail
```
Check the syntax, start the service, and look at the log:
```
[root@bind named]# named-checkconf
[root@bind named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@bind named]# tail /var/log/messages
Dec 13 09:27:43 bind named[2193]: zone 0.in-addr.arpa/IN/int: loaded serial 0
Dec 13 09:27:43 bind named[2193]: zone 1.0.0.127.in-addr.arpa/IN/int: loaded serial 0
Dec 13 09:27:43 bind named[2193]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/int: loaded serial 0
Dec 13 09:27:43 bind named[2193]: zone oracle.com/IN/int: loaded serial 2014121101
Dec 13 09:27:43 bind named[2193]: zone localhost.localdomain/IN/int: loaded serial 0
Dec 13 09:27:43 bind named[2193]: zone localhost/IN/int: loaded serial 0
Dec 13 09:27:43 bind named[2193]: managed-keys-zone ./IN/int: loaded serial 3
Dec 13 09:27:43 bind named[2193]: zone oracle.com/IN/extend: loaded serial 2014121101
Dec 13 09:27:43 bind named[2193]: managed-keys-zone ./IN/extend: loaded serial 3
Dec 13 09:27:43 bind named[2193]: running
```
Now find a host on the internal network and resolve the name from there; the answer comes back from the 172.16 range:
```
[root@www httpd]# dig -t A www.oracle.com @172.16.31.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.oracle.com @172.16.31.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30864
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.oracle.com.                IN      A

;; ANSWER SECTION:
www.oracle.com.         600     IN      A       172.16.31.101
www.oracle.com.         600     IN      A       172.16.31.100

;; AUTHORITY SECTION:
oracle.com.             600     IN      NS      ns.oracle.com.

;; ADDITIONAL SECTION:
ns.oracle.com.          600     IN      A       172.16.31.100

;; Query time: 2 msec
;; SERVER: 172.16.31.100#53(172.16.31.100)
;; WHEN: Sat Dec 13 09:30:03 2014
;; MSG SIZE  rcvd: 97
```
Then I query the same server from the external network (see the figure); the returned addresses are from the 192.168.1.0 network:
```
[root@test ~]# dig =t A www.oracle.com @172.16.31.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> =t A www.oracle.com @172.16.31.100
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60969
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.oracle.com.                IN      A

;; ANSWER SECTION:
www.oracle.com.         600     IN      A       192.168.1.101
www.oracle.com.         600     IN      A       192.168.1.100

;; AUTHORITY SECTION:
oracle.com.             600     IN      NS      ns.oracle.com.

;; ADDITIONAL SECTION:
ns.oracle.com.          600     IN      A       172.16.31.100

;; Query time: 5 msec
;; SERVER: 172.16.31.100#53(172.16.31.100)
;; WHEN: Sat Dec 13 09:43:22 2014
;; MSG SIZE  rcvd: 97
```
We can see the result: the external client gets the external addresses and, as the flags and the warning show, no recursion. Done! (*^__^*)