bind实现智能DNS(ACL,view
一、功能描述
在实现了DNS主从同步,子域授权之后,还可以针对不同网络内的域名解析请求DNS能够指向不同的主机地址,以实现分流。
假设下图中两台主机互为镜像,要实现来源不同的主机对此域名的解析指向同网段内的镜像主机,而不用穿过路由器,跨段断访问。例如171.16.0.0/24网内对www.sunlinux.com的解析指向172.16.200.6的服务器,而192.168.0.0/24网段内主机对www.sunlinux.com的解析指向192.168.0.6的服务器。可以利用ACL及VIEW规则来实现。
wKiom1MnD0jR4vgnAAMrrhwlv-I575.jpg
二、实现步骤
1、将来源不同的两个网段定义到不同的ACL规则当中。
acl C_class { 192.168.0.0/24; };
acl B_class { 172.16.0.0/8; };
acl Other { !192.168.0.0/24; !172.16.0.0/8; any; }; # 除了上面两个网段之外的所有地址
#acl Other { any; }; # 所有地址2、用view划分DNS。
view classC { # 每个view相当于一个独立的DNS
match-clients { C_class; }; # 匹配规则
zone "." IN { # 根DNS、C网主机对非sunlinux.com请求则找根
type hint;
file "named.ca";
};
zone "sunlinux.com" IN { # 解析区域
type master;
file "sunlinux.com.Czone"; # C网主机对非sunlinux.com请求规则
};
};
view classB { # 若使用view则所有的区域都应该包含在view中
match-clients { B_class; };
zone "." IN { # 根DNS、B网主机对非sunlinux.com请求则找根
type hint;
file "named.ca";
};
zone "sunlinux.com" IN {
type master;
file "sunlinux.com.Bzone"; # B网主机对非sunlinux.com请求规则
};
};
view anyother {
match-clients { Other; }; # 非限定网段主机
zone "." IN {
type hint;
file "named.ca";
};
zone "sunlinux.com" IN {
type master;
file "sunlinux.com.Bzone";
};
};3、编辑bind配置文件将规则写入。
# vim /etc/named.conf
options {
directory "/var/named"; # 数据文件目录
... # 定义全局信息
};
logging {
channel default_debug {
file "data/named.run"; # 定义日志信息
severity dynamic;
};
};
acl C_class { 192.168.0.0/24; };
acl B_class { 172.16.0.0/8; };
#acl Other { !192.168.0.0/24; !172.16.0.0/8; any; };
acl Other { any; };
view classC {
match-clients { C_class; };
zone "." IN {
type hint;
file "named.ca";
};
zone "sunlinux.com" IN {
type master;
file "sunlinux.com.Czone";
};
};
view classB {
match-clients { B_class; };
zone "." IN {
type hint;
file "named.ca";
};
zone "sunlinux.com" IN {
type master;
file "sunlinux.com.Bzone";
};
};
view anyother {
match-clients { Other; };
zone "." IN {
type hint;
file "named.ca";
};
zone "sunlinux.com" IN {
type master;
file "sunlinux.com.Bzone";
};
};4、编辑C网段数据文件。
# vim /var/named/sunlinux.com.Czone
$TTL 600
@ IN SOA dns.sunlinux.com. dnsadmin.sunlinux.com. (
20140312
1H
5M
3D
6H
)
IN NS ns1.sunlinux.com.
IN NS ns2.sunlinux.com.
IN MX 10 mail
ns1 IN A 172.16.251.58
ns2 IN A 172.16.251.61
www IN A 192.168.0.6
mail IN A 192.168.0.85、编辑B网段数据文件。
[root@localhost ~]# vim /var/named/sunlinux.com.Bzone
$TTL 600
@ IN SOA dns.sunlinux.com. dnsadmin.sunlinux.com. (
20140312
1H
5M
3D
6H
)
IN NS ns1.sunlinux.com.
IN NS ns2.sunlinux.com.
IN MX 10 mail
blog IN NS ns3.blog.sunlinux.com.
blog IN NS ns4.blog.sunlinux.com.
ns3.blog IN A 172.16.251.64
ns4.blog IN A 172.16.251.67
ns1 IN A 172.16.251.58
ns2 IN A 172.16.251.61
www IN A 172.16.200.6
mail IN A 172.16.200.8
pop IN CNAME mail
ftp IN CNAME www6、检查配置文件语法错误,并启动。
# service named configtest
zone sunlinux.com.Czone/IN: loaded serial 20140312
zone sunlinux.com.Bzone/IN: loaded serial 20140312
# service named start
Starting named: [ OK ]三、测试及验证
B 网段测试结果
# dig -t A www.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6742
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com. IN A
;; ANSWER SECTION:
www.sunlinux.com. 600 IN A 172.16.200.6 # B网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 1 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:12 2014
;; MSG SIZE rcvd: 118
# dig -t A mail.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51869
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com. IN A
;; ANSWER SECTION:
mail.sunlinux.com. 600 IN A 172.16.200.8 # B网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 0 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:24 2014
;; MSG SIZE rcvd: 119C网段测试结果。
# dig -t A www.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com. IN A
;; ANSWER SECTION:
www.sunlinux.com. 600 IN A 192.168.0.6 # C网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 1 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:34 2014
;; MSG SIZE rcvd: 118
# dig -t A mail.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com. IN A
;; ANSWER SECTION:
mail.sunlinux.com. 600 IN A 192.168.0.8 # C网地址
;; AUTHORITY SECTION:
sunlinux.com. 600 IN NS ns2.sunlinux.com.
sunlinux.com. 600 IN NS ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com. 600 IN A 172.16.251.58
ns2.sunlinux.com. 600 IN A 172.16.251.61
;; Query time: 0 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:39 2014
;; MSG SIZE rcvd: 119四、补充说明
acl:需要先定义后使用。内置ACL{any;none;local;localnet;}可以直接使用。
view:优先级从上至下,先匹配到的生效。
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2019-08-29 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读