实现智能DNS
智能DNS
智能DNS实现如下图:当用户通过浏览器访问www.sina.com,浏览器向DNS服务器查找服务器地址,北京的用户,返回区域代理服务器1的ip地址,上海的用户返回区域服务器2的ip地址,以此类推。以北京用户为例:当DNS服务器返回区域代理服务器1的地址,用户访问区域代理服务器1,区域代理服务器一般存放静态的一些内容,当用户只访问静态的内容时,区域代理服务器1提供服务,当用户访问一些动态内容时,区域代理服务器1就向web服务器寻找,然后返回给用户。
实验:实现上海和北京和其他地区的智能DNS管理
说明: 实现当上海地区访问www.sina.com 返回ip为6.6.6.6
当北京地区访问www.sina.com 返回ip为1.1.1.1
当其他地区访问www.sina.com 返回ip为2.2.2.2
以ip地址来划分区域,上海的ip地址段为:
192.168.191.0/24;
192.168.192.0/24;
北京的ip地址段为:
172.17.251.0/24;
172.18.251.0/24;
以此来模拟智能DNS实现过程。
实现步骤:三大步:
第一、准备数据库文件
地址www.sina.com 返回的地址等信息
第二、定义acl
定义某个区域的ip地址
第三、定义view
关联acl和数据库文件
1、安装包
yum install bind
2、启动服务
systemctl start named
注意:DNS服务的包名为bind ,服务名为named
主配置文件:/etc/named.conf, /etc/named.rfc1912.zones,/etc/rndc.key
解析库文件: /var/named/ZONE_NAME.ZONE
3、创建DNS数据库文件
cd /var/named
vim sina.com.zone.beijing
1
2
3
4
5
6
7
8
9
10
11
|
$TTL 1D @ IN SOA dns1 rname.invalid. ( 2017101101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1 dns1 A 172.17.251.107 dns1 A 192.168.191.107 www A 1.1.1.1 |
vim sina.com.zone.shanghai
1
2
3
4
5
6
7
8
9
10
11
|
$TTL 1D @ IN SOA dns1 rname.invalid. ( 2017101101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1 dns1 A 172.17.251.107 dns2 A 192.168.191.107 www A 6.6.6.6 |
vim sina.com.zone.other
1
2
3
4
5
6
7
8
9
10
11
|
$TTL 1D @ IN SOA dns1 rname.invalid. ( 2017101101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1 dns1 A 172.17.251.107 dns1 A 192.168.191.107 www A 2.2.2.2 |
4、创建acl和view
vim /etc/named.conf
(1)注释这两行
1
2
3
4
5
6
7
8
|
options { // listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named" ;
dump- file "/var/named/data/cache_dump.db" ;
statistics- file "/var/named/data/named_stats.txt" ;
memstatistics- file "/var/named/data/named_mem_stats.txt" ;
// allow-query { any; };
|
第一行代表53端口绑定的ip,allow-query {};表示允许查询的主机
将这两行注释;或者改成上面,localhost表示允许该主机上的所有ip都可以绑定53端口,any代表所有ip
(2)在该文件添加
1
2
3
4
5
6
7
8
|
acl shanghainet { 192.168.191.0 /24 ;
192.168.192.0 /24 ;
}; acl beijingnet { 172.17.251.0 /24 ;
172.18.251.0 /24 ;
}; |
(3)创建view
将下面的文件修改成下面
创建view的方法1:关联数据库文件时,直接写文件名
方法2:将文件写在/etc/named.rfc1912.zone.shanghai,中,在该文件中指定文件。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
view beijingview { match-clients { beijingnet;}; // 连接acl
zone "sina.com" {
type master;
file "sina.com.zone.beijing" ; // 指定数据库文件
};
zone "." IN {
type hint; // 允许该地区的用户直接访问根地址
file "named.ca" ;
};
}; view shanghaiview { match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.shanghai" ;
zone "." IN {
type hint;
file "named.ca" ;
};
}; view otherview { match-clients {any;};
include "/etc/named.rfc1912.zones.other" ;
zone "." IN {
type hint;
file "named.ca" ;
};
}; include "/etc/named.root.key" ;
|
整个文件如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
acl shanghainet { 192.168.191.0 /24 ;
192.168.192.0 /24 ;
}; acl beijingnet { 172.17.251.0 /16 ;
172.18.251.0 /16 ;
}; options { // listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named" ;
dump- file "/var/named/data/cache_dump.db" ;
statistics- file "/var/named/data/named_stats.txt" ;
memstatistics- file "/var/named/data/named_mem_stats.txt" ;
// allow-query { any; };
allow-transfer { none; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users . Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes ;
dnssec- enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys- file "/etc/named.iscdlv.key" ;
managed-keys-directory "/var/named/dynamic" ;
pid- file "/run/named/named.pid" ;
session-keyfile "/run/named/session.key" ;
}; logging { channel default_debug {
file "data/named.run" ;
severity dynamic;
};
}; logging { channel default_debug {
file "data/named.run" ;
severity dynamic;
};
}; view beijingview { match-clients { beijingnet;};
zone "sina.com" {
type master;
file "sina.com.zone.beijing" ;
};
zone "." IN {
type hint;
file "named.ca" ;
};
}; view shanghaiview { match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.shanghai" ;
zone "." IN {
type hint;
file "named.ca" ;
};
}; view otherview { match-clients {any;};
include "/etc/named.rfc1912.zones.other" ;
zone "." IN {
type hint;
file "named.ca" ;
};
}; include "/etc/named.root.key" ;
|
5、 将/etc/named.rfc1912.zones 复制两份命名为/etc/named.rfc1912.zones.shanghai
/etc/named.rfc1912.zones.other
vim /etc/named.rfc1912.zones.shanghai
添加如下内容
1
2
3
4
|
zone "sina.com" IN {
type master;
file "sina.com.zone.shanghai" ;
}; |
vim /etc/named.rfc1912.zones.other
添加如下内容
1
2
3
4
|
zone "sina.com" IN {
type master;
file "sina.com.zone.other" ;
}; |
6、启动服务
重新加载服务:rndc reload
注意:在centos6或centos7上最好不要用restart,容易把服务死掉,起不来服务。
这里rndc reload 这个命令时专门管理DNS服务的,如果必要重启服务了,先关闭服务,再开启服务。
7、测试:
在某一客户端上,将该客户端的DNS执行服务器主机
(1)如果网络是自动获取的,则修改vim /etc/resolv.conf
nameserver 172.17.251.107
(2)如果网络时自己配置的,/etc/sysconfig/network-scripts ,修改该目录下的桥接网卡的DNS1=172.17.251.107 。
重启服务 systemctl restart network
在客户端测试:
dig www.sina.com @192.168.191.107
dig www.sina.com @172.17.251.107
[[email protected] named]# dig www.sina.com @192.168.191.107
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sina.com @192.168.191.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sina.com. IN A
;; Query time: 0 msec
;; SERVER: 192.168.191.107#53(192.168.191.107)
;; WHEN: Thu Oct 12 11:10:48 CST 2017
;; MSG SIZE rcvd: 41
遇到错误
排错:1、查看防火墙iptables -vnL ,清除防火墙策略iptables -F
2、查看网络连接。dig www.baidu.com
rndc flush 清除缓存
rndc reload 重新启动
发现这两个都清除了,还是出现相同错误
最后发现是数据库文件的权限问题,在运行DNS时,是用named这个用户,执行操作的,所以当文件的所有者,所属组为root是,将权限改成644
上海用户,解析出来6.6.6.6。成功
[[email protected] network-scripts]# dig www.sina.com @192.168.191.107
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sina.com @192.168.191.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sina.com. IN A
;; ANSWER SECTION:
www.sina.com. 86400 IN A 6.6.6.6
;; AUTHORITY SECTION:
sina.com. 86400 IN NS dns1.sina.com.
;; ADDITIONAL SECTION:
dns1.sina.com. 86400 IN A 172.17.251.107
dns1.sina.com. 86400 IN A 192.168.191.107
;; Query time: 2 msec
;; SERVER: 192.168.191.107#53(192.168.191.107)
;; WHEN: Mon Oct 9 13:34:41 2017
;; MSG SIZE rcvd: 97
本文转自 hawapple 51CTO博客,原文链接:http://blog.51cto.com/guanm/1971653