A worked example of DNS intelligent resolution (view-based split-horizon) with a master/slave setup; interested readers may use it as a reference.
I have recently been studying intelligent DNS resolution and implemented zone transfers for multiple views, using TSIG keys.
The rough idea is that China Telecom users, China Netcom (CNC) users, and everyone else each resolve the same name to a different IP. The detailed configuration steps follow.
Environment: CentOS 5.2 i386
# yum install bind*
Now configure. Because the chroot package is installed, BIND's files live under /var/named/chroot, in its etc and var directories.
1. master
Create named.conf in the etc directory with the following content:
acl "trust-lan" { 127.0.0.1/8; 192.168.0.0/16; };
options {
    directory "/var/named";
    allow-query { any; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "";
    datasize 40M;
    #rrset-order { order random; };
    allow-transfer { "trust-lan"; };
    recursion no;
    allow-notify { "trust-lan"; };
    allow-recursion { "trust-lan"; };
    auth-nxdomain no;
};
logging {
    channel warning {
        file "/var/named/chroot/var/log/dns_warnings.log" versions 5 size 1024K;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_log {
        file "/var/named/chroot/var/log/dns_security.log" versions 5 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/named/chroot/var/log/dns_query.log" versions 10 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category security { security_log; };
    category queries { query_log; };
};
##############define isp source address#################
include "/var/named/chroot/var/named/cnc_acl.conf";
include "/var/named/chroot/var/named/telecom_acl.conf";
##########KEYS FOR TSIG#########################
key telekey {
    algorithm hmac-md5;
    secret "************************";
};
key cnckey {
    algorithm hmac-md5;
    secret "************************";
};
key anykey {
    algorithm hmac-md5;
    secret "************************";
};
#################view cnc###################################
view "cnc" {
    match-clients { key "cnckey"; CNC; };
    allow-query { any; };
    recursion yes;
    allow-transfer { key cnckey; };
    server 192.168.199.201 { keys cnckey; };
    zone "test.local" {
        type master;
        file "/var/named/chroot/var/named/cnc/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
############view telecom########################
view "tele" {
    match-clients { key "telekey"; TELE; };
    allow-query { any; };
    recursion yes;
    allow-transfer { key telekey; };
    server 192.168.199.201 { keys telekey; };
    zone "test.local" {
        type master;
        file "/var/named/chroot/var/named/tele/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
##############view any##########################
view "any" {
    match-clients { key "anykey"; any; };
    allow-query { any; };
    recursion yes;
    allow-transfer { key anykey; };
    server 192.168.199.201 { keys anykey; };
    zone "test.local" {
        type master;
        file "/var/named/chroot/var/named/any/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
###########################################
include "/var/named/chroot/etc/rndc.key";
The three secrets shown as * above are generated with:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST "name"
As long as the three names differ you get three different keys; copy each generated secret into the * part of the corresponding key stanza above.
Files under the var directory
Four directories are needed: log, named, run and tmp.
#mkdir log
#cd log/
#touch dns_warnings.log dns_security.log dns_query.log
#chown -R named:named log/
#chmod -R 775 log/
This creates the log files and gives the named user write permission to them.
Now enter the var/named/ directory, which should contain:
any chroot cnc cnc_acl.conf data named.root slaves tele telecom_acl.conf
All of these files and directories must exist; they are explained one by one below.
chroot is a symbolic link; ignore it for now. cnc_acl.conf and telecom_acl.conf list the source IP addresses of each ISP's users,
in the following format:
acl "TELE" {
    192.168.199.20;
    192.168.199.21;
};
One IP per entry, each terminated with a semicolon.
named.root holds the root hints records;
obtain it with wget ftp://rs.internic.net/domain/named.root
The any, cnc and tele directories hold the zone files that resolve the same name to a different IP depending on the source IP of the query.
Example: the zone files themselves are not explained here; I trust everyone can read one.
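The view selection that the ACL files and the three views above implement, as an added Python example that is not part of the original post. parse_acls, select_view, overlapping_acls, the constructed ACL text and the made-up CNC range 192.168.100.0/24 are my own; the two TELE addresses are the ones from the post. It models only the match-clients elements the post uses (a TSIG key name, an ACL name, and any), and goes one step beyond the text by also reporting addresses listed in both ISP ACLs, which the view order would send to cnc without any warning.

```python
# Added example (not from the original post): parse ACL files in the format
# shown above and replay BIND's view selection for a query. BIND tries the
# views in the order they appear in named.conf and uses the first one whose
# match-clients list matches, so cnc is tested before tele, and tele before any.
import ipaddress
import re

# Matches:  acl "NAME" { 1.2.3.4; 10.0.0.0/8; };
ACL_RE = re.compile(r'acl\s+"?(?P<name>[\w-]+)"?\s*\{(?P<body>[^}]*)\}\s*;')


def parse_acls(text):
    """Return {acl_name: [ip_network, ...]}; a bare address is treated as a /32."""
    acls = {}
    for m in ACL_RE.finditer(text):
        entries = [e.strip() for e in m["body"].split(";") if e.strip()]
        acls[m["name"]] = [ipaddress.ip_network(e, strict=False) for e in entries]
    return acls


# The views in the order the post declares them, with their match-clients.
# "any" matches every client, so it has to stay last or it shadows the others.
VIEWS = [
    ("cnc", ["key cnckey", "CNC"]),
    ("tele", ["key telekey", "TELE"]),
    ("any", ["key anykey", "any"]),
]


def select_view(client_ip, acls, tsig_key=None, views=VIEWS):
    """Name of the first view whose match-clients accepts the query, or None.

    A request signed with a TSIG key matches the view that lists that key no
    matter which address it comes from. That is why the slave's view "cnc",
    which signs its transfer requests with cnckey, receives the master's cnc
    copy of test.local rather than the any copy (simplified model: negated
    elements and other ACL forms are not handled).
    """
    ip = ipaddress.ip_address(client_ip)
    for name, matchers in views:
        for matcher in matchers:
            if matcher.startswith("key "):
                if tsig_key == matcher[4:]:
                    return name
            elif matcher == "any":
                return name
            elif any(ip in net for net in acls.get(matcher, ())):
                return name
    return None


def overlapping_acls(acls, first, second):
    """Pairs of networks that overlap between two ACLs. Because views are
    tried in order, an address in both CNC and TELE always lands in cnc."""
    return [(a, b) for a in acls.get(first, []) for b in acls.get(second, [])
            if a.overlaps(b)]


# Constructed sample ACL files: TELE uses the two addresses from the post,
# CNC is a made-up range plus one address deliberately shared with TELE.
TELECOM_ACL = 'acl "TELE"{\n192.168.199.20;\n192.168.199.21;\n};\n'
CNC_ACL = 'acl "CNC" {\n192.168.100.0/24;\n192.168.199.21;\n};\n'


def demo():
    """Work through the cases a practitioner would want to confirm."""
    acls = parse_acls(TELECOM_ACL + CNC_ACL)
    return {
        "telecom user": select_view("192.168.199.20", acls),
        "cnc user": select_view("192.168.100.7", acls),
        "other user": select_view("10.1.2.3", acls),
        "slave signing with cnckey": select_view("192.168.199.201", acls, tsig_key="cnckey"),
        "in both ACLs": select_view("192.168.199.21", acls),
        "overlaps": overlapping_acls(acls, "CNC", "TELE"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Run it and the "in both ACLs" line shows the address-order trap: 192.168.199.21 is served the cnc answer even though it is also a Telecom address, and "overlaps" names the offending entry so the ACL files can be cleaned up before deployment.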
Finally, the directory permissions:
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 755 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
Just follow these as shown. The chroot symlink is what makes the /var/named/chroot/... paths written in named.conf resolve correctly from inside the chroot, since the chroot root then appears at /var/named/chroot again. Two more notes: when configuring master/slave DNS the zone must contain two NS records, and /etc/resolv.conf should be written in this format:
search test.local
nameserver 192.168.199.200
nameserver 192.168.199.201
This completes the master configuration.
Start the DNS server!
2. The slave configuration is essentially the same, except that you must not create zone files in the any, cnc and tele directories, because the slave fetches its zone files from the master; creating them causes problems. Everything else is done the same way. The slave's
named.conf follows:
acl "trust-lan" { 127.0.0.1/8; 192.168.0.0/16; };
options {
    directory "/var/named";
    allow-query { any; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "";
    datasize 40M;
    #rrset-order { order random; };
    allow-transfer { "trust-lan"; };
    recursion no;
    allow-notify { "trust-lan"; };
    allow-recursion { "trust-lan"; };
    auth-nxdomain no;
};
logging {
    channel warning {
        file "/var/named/chroot/var/log/dns_warnings.log" versions 5 size 1024K;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_log {
        file "/var/named/chroot/var/log/dns_security.log" versions 5 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/named/chroot/var/log/dns_query.log" versions 10 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category security { security_log; };
    category queries { query_log; };
};
##############define isp source address#################
include "/var/named/chroot/var/named/cnc_acl.conf";
include "/var/named/chroot/var/named/telecom_acl.conf";
##########KEYS FOR TSIG#########################
key telekey {
    algorithm hmac-md5;
    secret "************************";
};
key cnckey {
    algorithm hmac-md5;
    secret "************************";
};
key anykey {
    algorithm hmac-md5;
    secret "************************";
};
#################view cnc###################################
view "cnc" {
    match-clients { key "cnckey"; CNC; };
    allow-query { any; };
    recursion yes;
    allow-transfer { none; };
    server 192.168.199.200 { keys cnckey; };
    zone "test.local" {
        type slave;
        masters { 192.168.199.200; };
        file "/var/named/chroot/var/named/cnc/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
############view telecom########################
view "tele" {
    match-clients { key "telekey"; TELE; };
    allow-query { any; };
    recursion yes;
    allow-transfer { none; };
    server 192.168.199.200 { keys telekey; };
    zone "test.local" {
        type slave;
        masters { 192.168.199.200; };
        file "/var/named/chroot/var/named/tele/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
##############view any##########################
view "any" {
    match-clients { key "anykey"; any; };
    allow-query { any; };
    recursion yes;
    allow-transfer { none; };
    server 192.168.199.200 { keys anykey; };
    zone "test.local" {
        type slave;
        masters { 192.168.199.200; };
        file "/var/named/chroot/var/named/any/test.local.zone";
    };
    zone "." {
        type hint;
        file "/var/named/chroot/var/named/named.root";
    };
};
###########################################
include "/var/named/chroot/etc/rndc.key";
Note: each key must match the corresponding key on the master; otherwise the change notifications cannot be passed on and master/slave updates will not work. This completes the slave setup; start the DNS server!
When a zone file on the master changes, run #rndc reload and the slave will pick up the update. If the update does not come through, check whether the network has a problem, and check that the system clocks of the two machines agree: a difference of more than 5 minutes makes the update fail.
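The key generation shown earlier (the * secrets) together with the two failure modes just described, a slave key that does not match the master's and clocks more than 5 minutes apart, in one added Python example that is not from the original post. generate_secret, key_stanza, parse_keys, compare_keys, verify_tsig, the constructed named.conf fragments and the two sample secrets are my own; the MAC computation is a simplified stand-in for RFC 8945 TSIG (marked as such in the code) rather than BIND's implementation, and the 300-second window is BIND's default TSIG fudge, which is the 5 minutes the post refers to.

```python
# Added example (not from the original post): generate secrets of the kind
# dnssec-keygen -a HMAC-MD5 -b 128 produces, parse the key stanzas back out of
# a named.conf, compare master against slave, and show the two ways a TSIG
# check fails: a secret that differs (BADSIG) and a signing time outside the
# 300-second fudge window (BADTIME).
import base64
import hashlib
import hmac
import re
import secrets

TSIG_FUDGE_SECONDS = 300  # BIND's default TSIG fudge, the 5 minutes the post mentions

# Matches the stanzas used in the post:  key cnckey { algorithm hmac-md5; secret "..."; };
KEY_STANZA_RE = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*'
    r'algorithm\s+(?P<algo>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)


def generate_secret(bits=128):
    """Random base64 secret of the requested size (128 bits -> 24 characters)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def key_stanza(name, secret, algorithm="hmac-md5"):
    """Render a key stanza in the layout the post's named.conf uses."""
    return f"key {name} {{\nalgorithm {algorithm};\nsecret \"{secret}\";\n}};\n"


def parse_keys(named_conf):
    """Return {key_name: (algorithm, secret)} for every key stanza found."""
    return {m["name"]: (m["algo"].lower(), m["secret"])
            for m in KEY_STANZA_RE.finditer(named_conf)}


def compare_keys(master_conf, slave_conf):
    """Key names missing on one side or differing between the two files."""
    master, slave = parse_keys(master_conf), parse_keys(slave_conf)
    problems = []
    for name in sorted(set(master) | set(slave)):
        if name not in master:
            problems.append(f"{name}: present on slave only")
        elif name not in slave:
            problems.append(f"{name}: present on master only")
        elif master[name] != slave[name]:
            problems.append(f"{name}: algorithm or secret differs")
    return problems


def tsig_mac(secret, message, time_signed):
    """HMAC-MD5 over the message and the 48-bit signing time.
    Simplified: real TSIG also digests the key name, algorithm and fudge; the
    dependence on the shared secret and on the timestamp is what matters here."""
    key = base64.b64decode(secret)
    return hmac.new(key, message + time_signed.to_bytes(6, "big"), hashlib.md5).digest()


def verify_tsig(secret, message, time_signed, mac, now, fudge=TSIG_FUDGE_SECONDS):
    """Return the TSIG outcome name BIND would log: NOERROR, BADTIME or BADSIG."""
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    if not hmac.compare_digest(tsig_mac(secret, message, time_signed), mac):
        return "BADSIG"
    return "NOERROR"


# Constructed configs: the slave's telekey was copied wrongly.
GOOD_SECRET = "MDEyMzQ1Njc4OWFiY2RlZg=="  # base64 of 16 constructed bytes
BAD_SECRET = "ZmVkY2JhOTg3NjU0MzIxMA=="   # base64 of 16 different bytes
MASTER_CONF = key_stanza("telekey", GOOD_SECRET) + key_stanza("cnckey", GOOD_SECRET)
SLAVE_CONF = key_stanza("telekey", BAD_SECRET) + key_stanza("cnckey", GOOD_SECRET)


def demo():
    """Run the checks and return their outcomes."""
    msg = b"AXFR test.local."  # stand-in for the signed zone-transfer request
    mac = tsig_mac(GOOD_SECRET, msg, time_signed=1_000_000)
    return {
        "mismatched keys": compare_keys(MASTER_CONF, SLAVE_CONF),
        "clocks 2 min apart": verify_tsig(GOOD_SECRET, msg, 1_000_000, mac, now=1_000_120),
        "clocks 6 min apart": verify_tsig(GOOD_SECRET, msg, 1_000_000, mac, now=1_000_360),
        "wrong secret": verify_tsig(BAD_SECRET, msg, 1_000_000, mac, now=1_000_000),
    }


if __name__ == "__main__":
    for name in ("telekey", "cnckey", "anykey"):
        print(key_stanza(name, generate_secret()))
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running compare_keys over the real master and slave named.conf before starting named catches the copy-paste mistake the post warns about, and the BADTIME case explains why a transfer that fails with otherwise identical keys is usually a clock problem rather than a network one.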