七、DNS的acl规则和view视图
###jie.com服务器的主配置文件######
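options {
        // listen-on is left commented out on purpose: named then binds port 53 on
        // every interface, which is what lets the LAN (172.16.x) and WAN clients
        // in the verification below reach it.
        // listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // allow-query also stays commented out: the views in the zone
        // configuration file decide who gets which jie.com answer.
        // allow-query { localhost; };
        // Recursion stays enabled (view LAN relies on the root hint zone), but it
        // is restricted to this host and the LAN prefix. Without allow-recursion,
        // "recursion yes" plus a view that matches { any; } makes this an open
        // resolver for anyone who can reach port 53 - the setup abused for DNS
        // amplification. Adjust the prefix if the LAN is not 172.16.0.0/16.
        recursion yes;
        allow-recursion { localhost; 172.16.0.0/16; };
        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): ISC retired the DLV registry in 2017 and newer BIND
        // releases treat dnssec-lookaside as obsolete; it is kept here only
        // because the rest of this page targets the 9.x release of the time.
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};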
logging {
        // Stock debug channel from the distribution named.conf; "data/named.run"
        // is resolved relative to the "directory" option above (/var/named).
        // "severity dynamic" follows the server's current debug level.
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Presumably the "zone configuration file" shown next: it now carries the view
// statements, including the root hint zone that used to sit here. BIND requires
// every zone to be inside a view once any view is declared, which is why "."
// had to move out of this file.
include "/etc/named.rfc1912.zones";
// Managed trust anchor used by dnssec-validation.
include "/etc/named.root.key";
######区域配置文件######################
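view LAN {
        // Clients from the LAN prefix get the internal copy of jie.com
        // (172.16.22.128). The original wrote 172.16.22.0/16, a prefix with host
        // bits set; BIND reports "address/prefix length mismatch" for that
        // (a warning or a fatal config error depending on the release).
        // 172.16.0.0/16 is the network the LAN test host actually sits on
        // (Mask 255.255.0.0 in the verification below).
        match-clients { 172.16.0.0/16; };
        // Root hint zone, moved here from the main config file: once views are
        // used, every zone has to be declared inside a view.
        zone "." IN {
                type hint;
                file "named.ca";
        };
        // Stock RFC 1912 localhost / loopback / empty zones.
        zone "localhost.localdomain" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };
        zone "localhost" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };
        zone "1.0.0.127.in-addr.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };
        zone "0.in-addr.arpa" IN {
                type master;
                file "named.empty";
                allow-update { none; };
        };
        // Internal view of jie.com, data in /var/named/lan.jie.com.
        zone "jie.com" IN {
                type master;
                file "lan.jie.com";
                // No secondary servers are configured anywhere on this page; on
                // BIND releases of this era allow-transfer defaults to any, which
                // would let every LAN host AXFR the whole internal zone.
                allow-transfer { none; };
        };
};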
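view WAN {
        // Every client not matched by view LAN (i.e. the Internet side) lands
        // here and gets the public copy of jie.com (1.1.1.128).
        match-clients { any; };
        // Authoritative-only for the outside world: the options block sets
        // "recursion yes", so without this line any Internet client could use
        // the server as an open resolver (the setup abused for amplification).
        recursion no;
        zone "jie.com" IN {
                type master;
                file "wan.jie.com";
                // No secondaries are configured, so refuse zone transfers
                // instead of handing the whole zone to any client that asks.
                allow-transfer { none; };
        };
};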
#######区域解析库文件的内容#################
#############/var/named/lan.jie.com#####################
; /var/named/lan.jie.com - internal copy of jie.com, handed out by view LAN.
; Leading whitespace is significant in a master file: a line starting in
; column 0 begins with an owner name, an indented line reuses the previous
; owner. The NS line below must therefore be indented, or "IN" becomes an
; owner name and the zone has no NS record at its apex.
$TTL 1D
@       IN SOA dns.jie.com. admin.jie.com. (
                0 ; serial - raise it on every edit so caches/secondaries notice
                1D ; refresh
                1H ; retry
                1W ; expire
                3H ) ; minimum (negative-answer TTL)
        IN NS dns.jie.com.
dns     IN A 172.16.22.128
www     IN A 172.16.22.128
ftp     IN A 172.16.22.128
mail    IN A 172.16.22.128
; Second A record for www: both addresses are returned for one query (the
; two-address answer in the verification output below).
www     IN A 172.16.22.1
#############/var/named/wan.jie.com#####################
; /var/named/wan.jie.com - public copy of jie.com, handed out by view WAN.
; Same layout as lan.jie.com; only the addresses differ. The NS line below
; must stay indented so it inherits the "@" owner from the SOA record.
; NOTE(review): 1.1.1.x is the author's example WAN address, but it is real
; public address space - use an RFC 5737 documentation prefix in examples.
$TTL 1D
@       IN SOA dns.jie.com. admin.jie.com. (
                0 ; serial - raise it on every edit so caches/secondaries notice
                1D ; refresh
                1H ; retry
                1W ; expire
                3H ) ; minimum (negative-answer TTL)
        IN NS dns.jie.com.
dns     IN A 1.1.1.128
www     IN A 1.1.1.128
ftp     IN A 1.1.1.128
mail    IN A 1.1.1.128
; Second A record for www: both addresses are returned for one query (the
; two-address answer in the WanPC verification output below).
www     IN A 1.1.1.1
验证:
[root@LanPC ~]# ifconfig | grep -A 1 eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9C:14:36
inet addr:172.16.22.3 Bcast:172.16.255.255 Mask:255.255.0.0
[root@LanPC ~]# host -t A 172.16.22.2
Using domain server:
Name: 172.16.22.2
Address: 172.16.22.2#53
Aliases:
has address 172.16.22.128
has address 172.16.22.1
[root@WanPC ~]# ifconfig | grep -A 1 eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:D1:6F:09
inet addr:192.168.0.4 Bcast:192.168.255.255 Mask:255.255.0.0
[root@WanPC ~]# host -t A 172.16.22.2
Using domain server:
Name: 172.16.22.2
Address: 172.16.22.2#53
Aliases:
has address 1.1.1.1
has address 1.1.1.128
八、DNS的日志系统的使用
####此实验是接着上面的实验内容####################
#######修改主配置文件####################
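options {
        // listen-on is left commented out on purpose: named then binds port 53 on
        // every interface, which is what lets the LAN (172.16.x) and WAN clients
        // reach it.
        // listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // allow-query also stays commented out: the views in the zone
        // configuration file decide who gets which jie.com answer.
        // allow-query { localhost; };
        // Recursion stays enabled (view LAN relies on the root hint zone), but it
        // is restricted to this host and the LAN prefix. Without allow-recursion,
        // "recursion yes" plus a view that matches { any; } makes this an open
        // resolver for anyone who can reach port 53 - the setup abused for DNS
        // amplification. Adjust the prefix if the LAN is not 172.16.0.0/16.
        recursion yes;
        allow-recursion { localhost; 172.16.0.0/16; };
        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): ISC retired the DLV registry in 2017 and newer BIND
        // releases treat dnssec-lookaside as obsolete; it is kept here only
        // because the rest of this page targets the 9.x release of the time.
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};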
logging {
        // Stock debug channel; the path is relative to "directory" (/var/named).
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        // Query log. The path is absolute and outside /var/named, so the file
        // must already exist and be writable by the named user (hence the
        // touch/chown below). "versions 3 size 10M" rotates the file and caps
        // disk use at about 40M across the current file and three old ones.
        // Every line records a client address and the name it asked for, so
        // restrict who can read the file.
        // NOTE(review): with the bind-chroot package the absolute path is
        // resolved inside the chroot - confirm on the target host.
        channel querylog {
                file "/var/log/bindquery.log" versions 3 size 10M;
                severity dynamic;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        // Send the "queries" category to the channel above. With no explicit
        // querylog option in options, configuring this category is what turns
        // query logging on (the log excerpt below confirms it).
        category queries { querylog; };
};
// Unchanged from the previous section: presumably the zone configuration file
// that now holds the LAN/WAN views (every zone must be inside a view once any
// view is declared).
include "/etc/named.rfc1912.zones";
// Managed trust anchor used by dnssec-validation.
include "/etc/named.root.key";
##########其它文件不需要修改
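# Create the query log up front so named, which runs as user "named", can open
# it for writing. Tighten the mode as well: "touch" alone leaves the file
# world-readable under the usual root umask, and the log records every client
# address and name looked up.
touch /var/log/bindquery.log
chown named:named /var/log/bindquery.log
chmod 640 /var/log/bindquery.log
# NOTE(review): on an SELinux-enforcing host (the CentOS default) named may
# still be denied write access if the file's label is not one the named
# domain may write; check the audit log if the file stays empty after a query.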
验证:
[root@LanPC ~]# host -t A ftp.jie.com 172.16.22.2
Using domain server:
Name: 172.16.22.2
Address: 172.16.22.2#53
Aliases:
ftp.jie.com has address 172.16.22.128
[root@LanPC ~]# host -t A 172.16.22.2
Using domain server:
Name: 172.16.22.2
Address: 172.16.22.2#53
Aliases:
has address 172.16.22.1
has address 172.16.22.128
[root@jie2 log]# cat /var/log/bindquery.log
08-Aug-2013 06:27:51.720 queries: info: client 172.16.22.3#36432: view LAN: query: ftp.jie.com IN A + (172.16.22.2)
08-Aug-2013 06:27:52.406 queries: info: client 172.16.22.3#34500: view LAN: query: ftp.jie.com IN A + (172.16.22.2)
08-Aug-2013 06:27:52.880 queries: info: client 172.16.22.3#34935: view LAN: query: ftp.jie.com IN A + (172.16.22.2)
08-Aug-2013 06:31:27.921 queries: info: client 172.16.22.3#38660: view LAN: query: ftp.jie.com IN A + (172.16.22.2)
08-Aug-2013 06:31:34.402 queries: info: client 172.16.22.3#52686: view LAN: query: IN A + (172.16.22.2)
可以生成日志
小结:DNS实现CDN会用到view,理清楚配置文件之间的关系。当服务开启不了时多查看日志(/var/log/messages),注意配置文件的语法格式。博客内容有点多,望各位博友能多多指点。