Part 1: Implementing smart DNS (per-carrier views)
Rough outline:
install the configuration template --> views (the equivalent of a conditional branch in a shell script) --> each view reads a different zone file according to an acl list (which groups and names the IP addresses of each region or carrier)
Preparation:
hostname
disable the firewall and SELinux
synchronize the clock
1. Classify the IP addresses of each carrier's network
Install ripe-dbase-client-v3
Download the China Netcom (CNC) address ranges:
whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP > /tmp/test/cnc
Download the China Telecom address ranges:
whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET > /tmp/test/china
These files need a second processing pass before they can be used (raw whois output is not acl syntax).
For this lab we simulate that step by hand-writing two acl files.
Addresses in use: <= 10.1.1.120
# vim /var/named/chroot/var/named/data/acl_cnc
acl cnc {
    10.1.1.1;
    10.1.1.20;
    10.1.1.73;
    10.1.1.100;
    10.1.1.104;
    192.168.20/24;
};  // <--- don't forget the trailing semicolon
China Telecom addresses:
# vim /var/named/chroot/var/named/data/acl_china
acl china {
    10.1.1.146;
    10.1.1.168;
    10.1.1.187;
};
2. Configure DNS
Install the template package caching-nameserver.
First rename the original files:
# mv named.conf named.conf.bk
# mv named.caching-nameserver.conf named.conf
options {
    listen-on port 53 { any; };        // <--- ### changed from the template
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };              // <--- ### changed from the template; recursion is left at its default (on), so this server also answers recursive queries from anyone who can reach port 53
    forwarders { 10.1.1.1; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
// views (the template's localhost_resolver view is left commented out)
//view localhost_resolver {
//    match-clients { localhost; };
//    match-destinations { localhost; };
//    recursion yes;
//    include "/etc/named.rfc1912.zones";
//};
include "data/acl_cnc";
include "data/acl_china";
view "cnc_resolver" {
    match-clients { cnc; 10.1.1.19; };
    zone "upl.com" in {
        type master;
        file "data/master.cnc.upl.com.zone";
    };
};
view "china_resolver" {
    match-clients { china; 10.1.1.21; };
    zone "upl.com" in {
        type master;
        file "data/master.china.upl.com.zone";
    };
};
view "other" {
    match-clients { any; };
    zone "upl.com" in {
        type master;
        file "data/master.other.upl.com.zone";
    };
};
//////////////////////////////////////////////
// Views are evaluated top to bottom and the first match wins, like an if/elif/else chain in shell:
if [ con_1 ]; then
    command1
elif [ con_2 ]; then
    command2
else
    command3
fi
/////////////////////////////////////
Write a different zone file for each view:
# vim /var/named/chroot/var/named/data/master.china.upl.com.zone
$TTL 86400
@       IN SOA  upl.com. root. (
                2010080401      ; serial
                60              ; refresh
                30              ; retry
                1D              ; expire
                1H              ; minimum (negative-answer TTL)
                )
@       IN NS   squid.upl.com.
squid   IN A    10.1.1.21
www     IN A    10.1.1.2
# vim /var/named/chroot/var/named/data/master.cnc.upl.com.zone
$TTL 86400
@       IN SOA  upl.com. root. (
                2010080401      ; serial
                60              ; refresh
                30              ; retry
                1D              ; expire
                1H              ; minimum (negative-answer TTL)
                )
@       IN NS   squid.upl.com.
squid   IN A    10.1.1.21
www     IN A    10.1.1.3        ; <---- ### the only record that differs between the views
# vim /var/named/chroot/var/named/data/master.other.upl.com.zone
$TTL 86400
@       IN SOA  upl.com. root. (
                2010080401      ; serial
                60              ; refresh
                30              ; retry
                1D              ; expire
                1H              ; minimum (negative-answer TTL)
                )
@       IN NS   squid.upl.com.
squid   IN A    10.1.1.21
www     IN A    10.1.1.1
Recommendation: give every newly created file the correct owner and permissions so that named can read it.
Test and verify:
point a client's DNS at 10.1.1.21 and query it.
Part 2: Implementing a subdomain
1. Modify the parent-domain name server (10.1.1.21) and add the subdomain delegation
Edit all three zone files in the same way:
$TTL 86400
@       IN SOA  upl.com. root. (
                2010080401      ; serial
                60              ; refresh
                30              ; retry
                1D              ; expire
                1H              ; minimum (negative-answer TTL)
                )
@       IN NS   squid.upl.com.
squid   IN A    10.1.1.21
www     IN A    10.1.1.2
sz.upl.com.     IN NS   dns.sz.upl.com.   ; <--- subdomain delegation
dns.sz.upl.com. IN A    10.1.1.20         ; glue record for the delegated name server
2. Configure the subdomain name server (10.1.1.20); the configuration steps are the same as in the first experiment.
Preparation...
include "data/acl_china";
include "data/acl_cnc";
view "china_resolver" {
    match-clients { china; };
    zone "sz.upl.com" IN {
        type master;
        file "data/china.master.sz.upl.com.zone";
    };
};
view "cnc" {
    match-clients { cnc; };
    zone "sz.upl.com" IN {
        type master;
        file "data/cnc.master.sz.upl.com.zone";
    };
};
view "other" {
    match-clients { any; };
    zone "sz.upl.com" IN {
        type master;
        file "data/other.master.sz.upl.com.zone";
    };
};
Configure the zone file:
$TTL 86400
@       IN SOA  sz.upl.com. root. (
                2010080401      ; serial
                60              ; refresh
                30              ; retry
                1D              ; expire
                1H              ; minimum (negative-answer TTL)
                )
@       IN NS   dns.sz.upl.com.
dns     IN A    10.1.1.20
www     IN A    10.1.1.10
Tests:
1. Query both the subdomain server and the parent server for a name in the subdomain: www.sz.upl.com
2. Query both the subdomain server and the parent server for a name in the parent domain: www.upl.com
Result: subdomain server fails, parent server succeeds.
How to fix it?
Method 1: configure the subdomain server to forward queries for the parent domain to the parent server (the best option)
Method 2: make the subdomain server a slave of the parent server at the same time
Part 3: Key-authenticated zone transfers between master and slave
1. Generate a key on the master name server
# rndc-confgen -a
wrote key file "/etc/rndc.key"
# cat /etc/rndc.key
key "rndckey" {
    algorithm hmac-md5;
    secret "kErZDr6Ei/hbJhRzLeKT6g==";
};
2. Modify the master's main configuration file named.conf
include "/etc/rndc.key";    // pulls in the key definition above (note the trailing semicolon)
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndckey; };
};  // the control channel uses this key; below, the same key also authenticates zone transfers
include "data/acl_cnc";
include "data/acl_china";
view "cnc_resolver" {
    match-clients { cnc; 10.1.1.20; };
    zone "upl.com" in {
        type master;
        file "data/master.cnc.upl.com.zone";
        allow-transfer { key "rndckey"; };   // only transfer requests signed with rndckey are served
    };
};
view "china_resolver" {
    match-clients { china; 10.1.1.19; };
    zone "upl.com" in {
        type master;
        file "data/master.china.upl.com.zone";
        allow-transfer { key "rndckey"; };
    };
};
view "other" {
    match-clients { any; 10.1.1.18; };
    zone "upl.com" in {
        type master;
        file "data/master.other.upl.com.zone";
        allow-transfer { key "rndckey"; };
    };
};
3. Configure the slave name server
Make sure the master and the slave use the same key:
rsync -alvR /var/named/chroot/etc/rndc.key 10.1.1.20:/
# vim named.conf
key "rndckey" {
    algorithm hmac-md5;
    secret "kErZDr6Ei/hbJhRzLeKT6g==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndckey; };
};
view "china_resolver" {
    match-clients { china; };
    zone "sz.upl.com" IN {
        type master;
        file "data/china.master.sz.upl.com.zone";
    };
    zone "upl.com" IN {
        type slave;
        file "slaves/slave.china.upl.com.zone";
        masters { 10.1.1.21 key "rndckey"; };   // sign transfer requests with rndckey
        transfer-source 10.1.1.19;              // ----### the source address the master sees, so the request lands in its china view
    };
};
view "cnc" {
    match-clients { cnc; };
    zone "sz.upl.com" IN {
        type master;
        file "data/cnc.master.sz.upl.com.zone";
    };
    zone "upl.com" IN {
        type slave;
        file "slaves/slave.cnc.upl.com.zone";
        masters { 10.1.1.21 key "rndckey"; };
        transfer-source 10.1.1.20;
    };
};
view "other" {
    match-clients { any; };
    zone "sz.upl.com" IN {
        type master;
        file "data/other.master.sz.upl.com.zone";
    };
    zone "upl.com" IN {
        type slave;
        file "slaves/slave.other.upl.com.zone";
        masters { 10.1.1.21 key "rndckey"; };
        transfer-source 10.1.1.18;              // newly added
    };
};
It turned out that everything the slave downloaded was the zone file belonging to the master's CNC (Netcom) view.
Reason:
1. Which source IP does the slave use when it asks the master for the data? 10.1.1.20
2. Which view does that IP match on the master? cnc
How to fix it? When the slave fetches zone data it must use three different source IPs, one belonging to each of the three views on the master.
Assign three IPs to the slave:
Netcom: 10.1.1.20
Telecom: 10.1.1.19
other: 10.1.1.18
[root@dns etc]# ifconfig eth1:0 10.1.1.18 netmask 255.255.255.0
[root@dns etc]# ifconfig eth1:1 10.1.1.19 netmask 255.255.255.0
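To see why every transfer landed in the CNC view, here is a small added simulation of BIND's view selection (example code written for this edit, not part of the original post and not BIND's own logic): views are tried in configuration order, the first one whose match-clients accepts the client's source address wins, and the `any` in the last view catches everything else. The acl members and view order are transcribed from the master's named.conf in part 3; BIND's shorthand `192.168.20/24` is written out as `192.168.20.0/24` because Python's ipaddress module does not accept it.

```python
import ipaddress

# acl files and view order transcribed from the master's named.conf (part 3).
# BIND's "192.168.20/24" is spelled out as 192.168.20.0/24 for ipaddress.
ACLS = {
    "cnc": ["10.1.1.1", "10.1.1.20", "10.1.1.73", "10.1.1.100",
            "10.1.1.104", "192.168.20.0/24"],
    "china": ["10.1.1.146", "10.1.1.168", "10.1.1.187"],
}
VIEWS = [  # (view name, match-clients list), in file order
    ("cnc_resolver", ["cnc", "10.1.1.20"]),
    ("china_resolver", ["china", "10.1.1.19"]),
    ("other", ["any", "10.1.1.18"]),
]

def _element_matches(ip, element, acls):
    """One match-clients element: the builtin 'any', a named acl, or an address/prefix."""
    if element == "any":
        return True
    if element in acls:  # named acl: recurse into its members
        return any(_element_matches(ip, e, acls) for e in acls[element])
    return ip in ipaddress.ip_network(element, strict=False)

def select_view(client, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts `client` (BIND evaluates
    views top to bottom and stops at the first match); None if nothing matches."""
    ip = ipaddress.ip_address(client)
    for name, elements in views:
        if any(_element_matches(ip, e, acls) for e in elements):
            return name
    return None

def transfer_views(transfer_sources, views=VIEWS, acls=ACLS):
    """For each slave view, the master view that its transfer-source address is served from."""
    return {slave_view: select_view(src, views, acls)
            for slave_view, src in transfer_sources.items()}

if __name__ == "__main__":
    # one source address for all three slave zones: every transfer hits cnc_resolver
    print(transfer_views({"china_resolver": "10.1.1.20", "cnc": "10.1.1.20", "other": "10.1.1.20"}))
    # one source address per view, as in the corrected slave configuration
    print(transfer_views({"china_resolver": "10.1.1.19", "cnc": "10.1.1.20", "other": "10.1.1.18"}))
```

Reversing the view order shows the other half of the rule: with `other` first, its `any` swallows every client, so the catch-all view must stay last.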
===========================================
Script for processing the raw IP data:
cat cnc | grep "inetnum:" | head -1 | awk -f dns.awk
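The post does not show dns.awk, and the pipeline above keeps only the first inetnum: line. As an added example (not the author's script), the following Python turns every inetnum: range in a whois3 dump into aligned CIDR blocks, merges overlapping or duplicate ranges, and prints a BIND acl block in the same form as data/acl_cnc. The whois text is constructed sample input in the APNIC format, not real MAINT-CNCGROUP data.

```python
import ipaddress
import re

# Constructed sample in the APNIC whois "-l -i mb" output format (not real
# MAINT-CNCGROUP data); only the inetnum: lines are used.
SAMPLE_WHOIS = """\
inetnum:        10.1.1.0 - 10.1.1.255
netname:        EXAMPLE-NET-1
mnt-by:         MAINT-EXAMPLE

inetnum:        192.168.16.0 - 192.168.31.255
netname:        EXAMPLE-NET-2

inetnum:        172.16.0.0 - 172.16.1.127
netname:        EXAMPLE-NET-3

inetnum:        10.1.1.0 - 10.1.1.127
netname:        EXAMPLE-NET-1-MORE-SPECIFIC
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)

def parse_inetnums(text):
    """Return (first, last) address pairs for every inetnum: line in the dump."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in INETNUM_RE.findall(text)]

def ranges_to_cidrs(ranges):
    """Split each range into aligned CIDR blocks (a range need not be a single
    prefix), then merge overlaps and more-specifics into one sorted list."""
    nets = []
    for first, last in ranges:
        if last < first:
            raise ValueError(f"inverted range {first} - {last}")
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def render_acl(name, cidrs):
    """Emit a BIND acl block in the same shape as data/acl_cnc on the page."""
    body = "".join(f"    {c};\n" for c in cidrs)
    return f"acl {name} {{\n{body}}};\n"

def whois_to_acl(name, text):
    return render_acl(name, ranges_to_cidrs(parse_inetnums(text)))

if __name__ == "__main__":
    print(whois_to_acl("cnc", SAMPLE_WHOIS), end="")
```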
Please credit the source when reposting: [Implementing smart DNS].
www.micoder.cc