  • 策略DNS(双重DNS)的配置

    Bind8下的实现方法

    在DNS服务器上运行两个BIND,分别为来自内部网络和外部网络的域名请求提供解析,每个BIND具有不同的配置文件和域名数据库文件,并分别在不同的端口监听。DNS服务器在接到客户端请求时,根据客户的IP地址将请求重定向到不同的BIND服务端口,这样就可以根据客户端的IP地址将不同的解析结果返回给客户端,而整个过程对于客户端来说都是透明的。实现的关键在于运行两个BIND及运用iptables命令进行IP地址及端口改写操作。 具体配置的话: 在/etc/下生成两个named配置文件named.in与named.out named.in

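    ## named.conf - configuration for bind(named.in)
    #
    # Internal-facing instance. It listens on the default port (53) and
    # serves the internal copy of xxu.edu.cn plus the 10.in-addr.arpa
    # reverse zone. Queries from outside 10/8 are diverted to the external
    # instance (port 8053) by the iptables REDIRECT rule, so this instance
    # should only ever see internal sources; the access lists below act as
    # a backstop in case something slips past the redirect.
    #
    # Generated automatically by redhat-config-bind, alchemist et al.
    # Any changes not supported by redhat-config-bind should be put
    # in /etc/named.custom
    #
    include "/etc/named.custom";
    
    include "/etc/rndc.key";
    
    options {
       directory "/var/named_in/";
       # A bare number is interpreted in bytes; 2098 looks like a missing
       # unit suffix (e.g. 2098M) -- confirm the intended limit.
       datasize 2098;
       # Two named processes would otherwise share the default pid file
       # (and the default control channel); give each instance its own so
       # they do not clobber each other.
       pid-file "/var/run/named_in.pid";
       # Backstop for traffic the REDIRECT rule does not catch (for example
       # TCP/53 if only UDP is redirected): refuse queries and recursion
       # from non-internal sources rather than hand them internal data.
       # Note this cannot stop a spoofed 10/8 source; rely on perimeter
       # anti-spoofing for that.
       allow-query     { 10.0.0.0/8; 127.0.0.1; };
       allow-recursion { 10.0.0.0/8; 127.0.0.1; };
       # ... remaining options omitted ...
    };
    
    #Log Files
    # Query logging to syslog: useful for incident response, but expect
    # volume on a busy internal resolver.
    logging {
       category queries {
          default_syslog;
       };
    };
    
    #DataBase Files
    zone  "0.0.127.in-addr.arpa" {
       type master;
       file  "0.0.127.in-addr.arpa.zone";
    };
    # Reverse zone for the private address space; internal view only.
    zone  "10.in-addr.arpa" {
       type master;
       file  "10.in-addr.arpa.zone";
    };
    
    
    zone  "localhost" {
       type master;
       file  "localhost.zone";
    };
    # Internal copy of the domain (different data from the external copy).
    zone  "xxu.edu.cn" {
       type master;
       file  "xxu.edu.cn.zone";
    };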
    

    named.out

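    ## named.conf - configuration for bind(named.out)
    #
    # External-facing instance. It is authoritative only, serving the public
    # copy of xxu.edu.cn and the public reverse zone, and listens on 8053;
    # the iptables REDIRECT rule sends port-53 queries from outside 10/8 here.
    #
    # Generated automatically by redhat-config-bind, alchemist et al.
    # Any changes not supported by redhat-config-bind should be put
    # in /etc/named.custom
    #
    include "/etc/named.custom";
    
    include "/etc/rndc.key";
    
    options {
       directory "/var/named_out/";
       # A bare number is interpreted in bytes; 2098 looks like a missing
       # unit suffix (e.g. 2098M) -- confirm the intended limit.
       datasize 2098;
       # Distinct pid file so this instance does not clobber named.in's.
       pid-file "/var/run/named_out.pid";
       # Note the different port: named.in owns 53, this instance owns 8053.
       # listen-on must sit inside options {} -- a stray "};" closed the
       # block early before this statement.
       listen-on port 8053 {
          # this host's own IP address
          10.xx.xx.xx;
       };
       # Anyone on the Internet can reach this instance, so it must not
       # recurse: an open recursive resolver is abusable for reflection/
       # amplification attacks and cache poisoning. It only answers for the
       # zones it is master for.
       recursion no;
       # A zone transfer hands out the whole zone; limit it to your
       # secondaries (replace "none" with their addresses).
       allow-transfer { none; };
       # ... remaining options omitted ...
    };
    
    #Log Files
    logging {
       category queries {
          default_syslog;
       };
    };
    
    #DataBase Files
    zone  "0.0.127.in-addr.arpa" {
       type master;
       file  "0.0.127.in-addr.arpa.zone";
    };
    # Public reverse zone (210.xx.xx/24); external view only.
    zone  "xx.xx.210.in-addr.arpa" {
       type master;
       file  "xx.xx.210.in-addr.arpa.zone";
    };
    
    
    zone  "localhost" {
       type master;
       file  "localhost.zone";
    };
    # Public copy of the domain. Same zone name as named.in but a different
    # directory, so the data served differs by which instance answers.
    zone  "xxu.edu.cn" {
       type master;
       file  "xxu.edu.cn.zone";
    };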
    

    为什么选对外发布的做重定向呢,当时的考虑是对内解析的流量大,可以减少一个环节。

    然后做iptables的重定向。注意两点:(1) DNS 同时使用 UDP 和 TCP 的 53 端口,两者都必须重定向,否则外部客户端的 TCP 查询(截断重试、区域传送等)会直接落到监听 53 端口的内部实例上,拿到内部解析结果;(2) 下面的 REDIRECT/SNAT 规则属于 nat 表,要写在 iptables 配置文件的 `*nat` 段里。在 iptables 配置文件中添加:

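    # nat-table rules (place inside the *nat ... COMMIT section).
    # Queries on port 53 from anything outside 10/8 arriving on eth0 are
    # diverted to the external named on 8053. DNS runs over both UDP and
    # TCP, so both protocols must be redirected; redirecting UDP alone lets
    # external TCP queries reach the internal instance on 53.
    # Modern iptables spells negation "! -s"; the older "-s !" form is deprecated.
    # A spoofed 10/8 source bypasses this match -- rely on perimeter
    # anti-spoofing filtering for that case.
    -A PREROUTING ! -s 10.0.0.0/255.0.0.0 -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8053
    -A PREROUTING ! -s 10.0.0.0/255.0.0.0 -i eth0 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 8053
    
    # conntrack already reverses the REDIRECT on reply packets, so this SNAT
    # only affects new connections the external named itself originates from
    # source port 8053 -- confirm it is still needed before keeping it.
    -A POSTROUTING -o eth0 -p udp -m udp --sport 8053 -j SNAT --to-source 10.xx.xx.xx:53
    
    COMMIT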
    

    最后在做一个启动脚本:

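    #!/bin/sh
    # Start the two named instances: the external one (named.out, port 8053)
    # first, then the internal one (named.in, port 53). Both drop privileges
    # to the "named" user. Stop at the first failure so a half-started pair
    # is not left behind.
    set -e
    
    NAMED=/usr/sbin/named
    
    # IP forwarding is deliberately NOT enabled here. The iptables REDIRECT
    # target delivers the packet to a local socket, so nothing is routed;
    # turning the DNS host into a router only adds attack surface. Enable it
    # only if this machine genuinely has to forward traffic for other hosts.
    
    for cfg in /etc/named.out /etc/named.in; do
       [ -r "$cfg" ] || { echo "missing config: $cfg" >&2; exit 1; }
    done
    
    echo "Enabling DNS(outside) Service ..."
    "$NAMED" -u named -c /etc/named.out
    
    echo "Enabling DNS(inside) Service ..."
    "$NAMED" -u named -c /etc/named.in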
    

    重启机器就OK了!

    Bind9 下的实现方法

    只需要一个named.conf文件就搞定。注意对外的 view 不应开放递归(`recursion no`),否则它就是一个面向整个互联网的开放递归解析器,可被用于反射/放大攻击和缓存投毒;同时要限制区域传送(`allow-transfer`)。具体配置:

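    # Single BIND 9 instance using views. The first view whose match-clients
    # matches the query source answers, so order matters: the restricted
    # "internal" view must come before the catch-all "external" one.
    include "/etc/rndc.key";
    
    options {
       directory "/var/named/";
       # ... remaining options omitted ...
    };
    
    #Log Files
    logging {
       category queries {
          default_syslog;
       };
    };
    
    #DataBase Files
    # view and match-clients are what make the split work.
    view  "internal" {
       # Include loopback so the host's own lookups land in this recursive
       # view instead of falling through to the non-recursive "external" one.
       match-clients { 10.0.0.0/8; 127.0.0.1; };
       recursion yes;
       zone  "." {
          type hint;
          file  "named.ca";
       };
       zone  "0.0.127.in-addr.arpa" {
          type master;
          file  "0.0.127.in-addr.arpa.zone";
       };
       zone  "localhost" {
          type master;
          file  "localhost.zone";
       };
       # Internal copy of the domain.
       zone  "xxu.edu.cn" {
          type master;
          file  "xxu.edu.cn.in.zone";
       };
       # Reverse zone for the private address space; internal only.
       zone  "10.in-addr.arpa" {
          type master;
          file  "10.in-addr.arpa.zone";
       };
    };
    
    view  "external" {
       match-clients { any; };
       # Reachable from the whole Internet, so authoritative only. With
       # "recursion yes" plus root hints this view was an open resolver,
       # usable for reflection/amplification attacks and cache poisoning.
       recursion no;
       # A zone transfer hands out the whole zone; limit it to your
       # secondaries (replace "none" with their addresses).
       allow-transfer { none; };
       # No root-hint zone here: an authoritative-only view has no use for it.
       zone  "0.0.127.in-addr.arpa" {
          type master;
          file  "0.0.127.in-addr.arpa.zone";
       };
       zone  "localhost" {
          type master;
          file  "localhost.zone";
       };
       # Public copy of the domain (different file from the internal view).
       zone  "xxu.edu.cn" {
          type master;
          file  "xxu.edu.cn.out.zone";
       };
       # Public reverse zone (210.xx.xx/24).
       zone  "xx.xx.210.in-addr.arpa" {
          type master;
          file  "xx.xx.210.in-addr.arpa.zone";
       };
    };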
    
  • 原文地址:https://www.cnblogs.com/qlight/p/1242850.html