使用BIND安装智能DNS服务器(三)---添加view和acl配置

智能DNS的配置主要修改named.conf文件,利用view和acl来实现。

acl文件内容这里只列出一部分,完整的内容可以参考下面的网址:

纯真IP库,给出了十分详细的IP地址,下载安装后,打开软件,点击解压就可以获取到txt文本格式的IP地址

http://www.crsky.com/soft/2611.html

IP转换为acl工具下载地址
http://blog.lishixin.net/linux/468.html/attachment/dnstool

按照下面博客中的步骤将IP转换为acl格式

http://blog.lishixin.net/archives/468#more-468

注意事项:

一旦配置了view,所有的zone都必须放在某个view中。

包括下面的这两行

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

下面是本配置需要的acl文件,只列出了部分IP,这不影响正常使用。

# Directory for the ACL files that named.conf pulls in with `include`.
mkdir -p /var/named/acl/srcip/
# First ACL file (contents follow).
vim /var/named/acl/srcip/AnHui.acl

// AnHui.acl -- source-address ACLs referenced by the match-clients lists in named.conf.
// Only three prefixes per carrier are listed here as an example; the full lists are
// generated from the IP database described above.
acl "AnHui.cnc"{
        36.32.0.0/24;
        36.32.1.0/24;
        36.32.2.0/24;
};

acl "AnHui.telcom"{
        36.4.0.0/24;
        36.4.1.0/24;
        36.4.2.0/24;
};

acl "AnHui.tietong"{
        61.235.36.0/24;
        61.235.37.0/24;
        61.235.38.0/24;
};

acl "AnHui.mobile"{
        101.36.128.0/24;
        101.36.129.0/24;
        101.36.130.0/24;
};

acl "AnHui.cernet"{
        1.51.64.0/24;
        1.51.65.0/24;
        1.51.100.0/24;
};

# Second ACL file (contents follow).
vim /var/named/acl/srcip/BeiJing.acl

// BeiJing.acl -- source-address ACLs referenced by the match-clients lists in named.conf.
// Entries without a prefix length match a single host address.
acl "BeiJing.cnc"{
        1.25.36.67;
        1.25.36.68;
        1.25.36.69;
};

acl "BeiJing.telcom"{
        1.92.0.0/16;
        // NOTE(review): these two entries are bare addresses, so they match only the hosts
        // 1.93.0.0 and 1.93.0.1; if the whole 1.93.0.0/16 was intended, add the prefix
        // length -- confirm against the IP database.
        1.93.0.0;
        1.93.0.1;

};

acl "BeiJing.tietong"{
        36.192.0.0/24;
        36.192.1.0/24;
        36.192.2.0/24;
};

acl "BeiJing.mobile"{
        36.128.0.0/16;
        36.129.0.0/16;
        36.130.0.0/16;
};

acl "BeiJing.cernet"{
        42.247.0.128;
        42.247.0.129;
        42.247.0.130;
};

 

主DNS服务器配置(named.conf),修改后需要重启:service named restart

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Load the source-address ACLs; these are kept ahead of the view statements that
// reference them by name.
include "/var/named/acl/srcip/AnHui.acl";
include "/var/named/acl/srcip/BeiJing.acl";

// Disabled: a single aggregate include could replace the two lines above.
//include "/var/named/include_acl";

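options {
        // Addresses named binds to; 192.168.1.100 is this (master) server's LAN address.
        listen-on port 53 { 127.0.0.1; 192.168.1.100; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Who may query at all. The per-ISP views below match public address
        // ranges, but those clients are still refused unless allow-query admits
        // them as well.
        allow-query { localhost; 192.168.1.0/24; };
        // Only the slave (192.168.1.101) may pull the zones by AXFR/IXFR.
        allow-transfer { localhost; 192.168.1.101; };

        // Recursion is a service for the local network only. The original
        // `allow-query-cache { any; };` (the author notes web browsing failed
        // without it) also makes allow-recursion default to `any`, so every
        // client that passes allow-query becomes a recursive client -- an open
        // resolver as soon as allow-query is widened for the ISP views.
        recursion yes;
        allow-recursion { localhost; 192.168.1.0/24; };
        allow-query-cache { localhost; 192.168.1.0/24; };

        dnssec-enable yes;
        dnssec-validation yes;
        // `dnssec-lookaside auto;` (ISC DLV) dropped: ISC decommissioned the DLV
        // registry and the option is no longer accepted by current BIND releases.

        /* Path to ISC DLV key (shipped by the Red Hat package; harmless to keep) */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};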

logging {
        // Default debug channel; the path is relative to `directory` in options.
        channel default_debug {
                file "data/named.run";
                severity dynamic;   // level follows the server's current debug level
        };
};

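// China Telecom (电信) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "telcom-view" {
        match-clients {
                AnHui.telcom;
                BeiJing.telcom;
        };
        // This view exists to give ISP clients ISP-specific answers for
        // unixmen.local; it must not offer recursion to an entire carrier's
        // address space (that is an open resolver the moment allow-query admits
        // those ranges). Recursion for the local network lives in the catch-all
        // view at the end of the file.
        recursion no;

        // Root hints are only consulted for recursion; kept for parity with the
        // other views and harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): every view in this file serves the same two zone files,
        // so Telecom clients currently get the same answers as everyone else.
        // Point this view at its own copies of the zone files for the per-ISP
        // split to have any effect.
        zone "unixmen.local" IN {
                type master;
                file "forward.unixmen";      // forward zone file
                allow-update { none; };      // no dynamic updates
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "reverse.unixmen";      // reverse zone file
                allow-update { none; };
        };

        // Once views are used, every zone -- including the stock localhost zones
        // and the root trust anchor -- has to live inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};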

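// China Unicom / CNC (联通) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "cnc-view" {
        match-clients {
                AnHui.cnc;
                BeiJing.cnc;
        };
        // Authoritative-only for ISP clients: no recursion for a whole carrier's
        // address range. Recursion for the local network is provided by the
        // catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): this view serves the same zone files as every other
        // view, so Unicom clients do not yet receive different answers; give it
        // its own zone files to make the split meaningful.
        zone "unixmen.local" IN {
                type master;
                file "forward.unixmen";      // forward zone file
                allow-update { none; };      // no dynamic updates
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "reverse.unixmen";      // reverse zone file
                allow-update { none; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};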

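// China Mobile (移动) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "mobile-view" {
        match-clients {
                AnHui.mobile;
                BeiJing.mobile;
        };
        // Authoritative-only for ISP clients: no recursion for a whole carrier's
        // address range. Recursion for the local network is provided by the
        // catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): this view serves the same zone files as every other
        // view, so Mobile clients do not yet receive different answers; give it
        // its own zone files to make the split meaningful.
        zone "unixmen.local" IN {
                type master;
                file "forward.unixmen";      // forward zone file
                allow-update { none; };      // no dynamic updates
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "reverse.unixmen";      // reverse zone file
                allow-update { none; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};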

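// CERNET (中国教育与科研网) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "cernet-view" {
        match-clients {
                AnHui.cernet;
                BeiJing.cernet;
        };
        // Authoritative-only for ISP clients: no recursion for a whole network's
        // address range. Recursion for the local network is provided by the
        // catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): this view serves the same zone files as every other
        // view, so CERNET clients do not yet receive different answers; give it
        // its own zone files to make the split meaningful.
        zone "unixmen.local" IN {
                type master;
                file "forward.unixmen";      // forward zone file
                allow-update { none; };      // no dynamic updates
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "reverse.unixmen";      // reverse zone file
                allow-update { none; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};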


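// Catch-all view for every client not matched above; this is the resolver the
// local network uses. Keep it last: views are tried in order, and `any` would
// shadow any view placed after it.
view "external-view" {
        match-clients { any; };
        recursion yes; // recursion is needed here, otherwise LAN clients cannot resolve Internet names
        // A view that matches `any` with recursion on is an open resolver unless
        // recursion itself is restricted, so limit it to the local network.
        allow-recursion { localhost; 192.168.1.0/24; };
        allow-query-cache { localhost; 192.168.1.0/24; };

        // Root hints, used to start recursion.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "unixmen.local" IN {
                type master;
                file "forward.unixmen";      // forward zone file
                allow-update { none; };      // no dynamic updates
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "reverse.unixmen";      // reverse zone file
                allow-update { none; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};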

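// Control-channel (rndc) key. The identical key statement must be present in the
// slave's named.conf for remote rndc to work.
key "rndc-key" {
        // hmac-md5 is obsolete; use a SHA-2 HMAC. Generate a fresh secret on the
        // server (`rndc-confgen -a -A hmac-sha256` on newer BIND releases; older
        // rndc-confgen builds only emit hmac-md5 keys, in which case produce the
        // base64 secret another way). Never copy the secret that appeared in this
        // article: a published secret is a credential everyone has.
        algorithm hmac-sha256;
        secret "<PLACEHOLDER: paste the generated base64 secret here>";
};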

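controls {
        // Local rndc over the loopback only ...
        inet 127.0.0.1 port 953
                allow { localhost; } keys { "rndc-key"; };
        // ... and remote rndc from the slave on the master's LAN address.
        // The original `inet 0.0.0.0` exposed port 953 on every interface and
        // relied on the allow list alone; binding the specific addresses keeps
        // the control channel off any other interface.
        inet 192.168.1.100 port 953
                allow { 192.168.1.101; } keys { "rndc-key"; };
};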

从DNS服务器配置(named.conf),修改后需要重启:service named restart

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Load the same source-address ACLs as on the master; kept ahead of the view
// statements that reference them by name.
include "/var/named/acl/srcip/AnHui.acl";
include "/var/named/acl/srcip/BeiJing.acl";

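options {
        // Addresses named binds to; 192.168.1.101 is this (slave) server's LAN address.
        listen-on port 53 { 127.0.0.1;192.168.1.101; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // NOTE(review): only localhost may query this server, so neither the LAN
        // nor the ISP ranges in the views below are actually served by the slave;
        // widen this deliberately (e.g. to the same set as the master) if the
        // slave is meant to answer other clients.
        allow-query { localhost; };
        // Nobody pulls zones from the slave; without this line older BIND
        // releases default allow-transfer to `any`.
        allow-transfer { none; };

        // Recursion is restricted to the local network. The original
        // `allow-query-cache { any; };` (the author notes web browsing failed
        // without it) also makes allow-recursion default to `any`, which turns
        // the server into an open resolver as soon as allow-query is widened.
        recursion yes;
        allow-recursion { localhost; 192.168.1.0/24; };
        allow-query-cache { localhost; 192.168.1.0/24; };

        dnssec-enable yes;
        dnssec-validation yes;
        // `dnssec-lookaside auto;` (ISC DLV) dropped: ISC decommissioned the DLV
        // registry and the option is no longer accepted by current BIND releases.

        /* Path to ISC DLV key (shipped by the Red Hat package; harmless to keep) */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};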

logging {
        // Default debug channel; the path is relative to `directory` in options.
        channel default_debug {
                file "data/named.run";
                severity dynamic;   // level follows the server's current debug level
        };
};


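// China Telecom (电信) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "telcom-view" {
        match-clients {
                AnHui.telcom;
                BeiJing.telcom;
        };
        // Authoritative-only for ISP clients; recursion for the local network is
        // provided by the catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): every view in this file writes the same two slave files;
        // newer BIND releases refuse to start when two zones share a writable
        // file ("writable file ... already in use"), so give each view its own
        // files under slaves/ if named logs that error.
        zone "unixmen.local" IN {
                type slave;
                file "slaves/unixmen.fwd";
                masters { 192.168.1.100; };  // master DNS (主DNS)
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/unixmen.rev";
                masters { 192.168.1.100; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};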

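// China Unicom / CNC (联通) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "cnc-view" {
        match-clients {
                AnHui.cnc;
                BeiJing.cnc;
        };
        // Authoritative-only for ISP clients; recursion for the local network is
        // provided by the catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): the slave files below are shared with every other view;
        // newer BIND releases reject two zones writing the same file, so use
        // per-view files under slaves/ if named refuses to load.
        zone "unixmen.local" IN {
                type slave;
                file "slaves/unixmen.fwd";
                masters { 192.168.1.100; };  // master DNS (主DNS)
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/unixmen.rev";
                masters { 192.168.1.100; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};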

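// China Mobile (移动) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "mobile-view" {
        match-clients {
                AnHui.mobile;
                BeiJing.mobile;
        };
        // Authoritative-only for ISP clients; recursion for the local network is
        // provided by the catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): the slave files below are shared with every other view;
        // newer BIND releases reject two zones writing the same file, so use
        // per-view files under slaves/ if named refuses to load.
        zone "unixmen.local" IN {
                type slave;
                file "slaves/unixmen.fwd";
                masters { 192.168.1.100; };  // master DNS (主DNS)
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/unixmen.rev";
                masters { 192.168.1.100; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};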

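// CERNET (中国教育与科研网) clients, selected by the ACLs from AnHui.acl / BeiJing.acl.
view "cernet-view" {
        match-clients {
                AnHui.cernet;
                BeiJing.cernet;
        };
        // Authoritative-only for ISP clients; recursion for the local network is
        // provided by the catch-all view at the end of the file.
        recursion no;

        // Root hints are only used for recursion; harmless with recursion off.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): the slave files below are shared with every other view;
        // newer BIND releases reject two zones writing the same file, so use
        // per-view files under slaves/ if named refuses to load.
        zone "unixmen.local" IN {
                type slave;
                file "slaves/unixmen.fwd";
                masters { 192.168.1.100; };  // master DNS (主DNS)
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/unixmen.rev";
                masters { 192.168.1.100; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};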


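// Catch-all view for every client not matched above. Keep it last: views are
// tried in order, and `any` would shadow any view placed after it.
view "external-view" {
        match-clients { any; };
        recursion yes; // recursion is needed here, otherwise LAN clients cannot resolve Internet names
        // A view that matches `any` with recursion on is an open resolver unless
        // recursion itself is restricted, so limit it to the local network
        // (allow-query in options still gates who can reach this view at all).
        allow-recursion { localhost; 192.168.1.0/24; };
        allow-query-cache { localhost; 192.168.1.0/24; };

        // Root hints, used to start recursion.
        zone "." IN {
                type hint;
                file "named.ca";
        };

        // NOTE(review): the slave files below are shared with every other view;
        // newer BIND releases reject two zones writing the same file, so use
        // per-view files under slaves/ if named refuses to load.
        zone "unixmen.local" IN {
                type slave;
                file "slaves/unixmen.fwd";
                masters { 192.168.1.100; };  // master DNS (主DNS)
        };

        zone "1.168.192.in-addr.arpa" IN {
                type slave;
                file "slaves/unixmen.rev";
                masters { 192.168.1.100; };
        };

        // With views in use every zone, including these stock ones, must be
        // inside a view.
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};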

 

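// Control-channel (rndc) key; must be byte-for-byte the same key statement as on
// the master, since each side uses it to accept the other's rndc commands.
key "rndc-key" {
        // hmac-md5 is obsolete; use a SHA-2 HMAC. Generate the secret once on
        // the master (`rndc-confgen -a -A hmac-sha256` on newer BIND releases;
        // older rndc-confgen builds only emit hmac-md5 keys, in which case
        // produce the base64 secret another way) and copy it here. Never reuse
        // the secret that appeared in this article: a published secret is a
        // credential everyone has.
        algorithm hmac-sha256;
        secret "<PLACEHOLDER: same generated base64 secret as on the master>";
};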

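controls {
        // Local rndc over the loopback only ...
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
        // ... and remote rndc from the master on the slave's LAN address.
        // The original `inet *` exposed port 953 on every interface and relied
        // on the allow list alone; binding the specific addresses keeps the
        // control channel off any other interface.
        inet 192.168.1.101 port 953
                allow { 192.168.1.100; } keys { "rndc-key"; };
};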