Region-based split resolution by client IP address with BIND 9 DNS views
I. Introduction
In real-world deployments we sometimes want the same domain name to resolve to different IP addresses depending on the IP address or region of the client making the query. For example, an enterprise may want the internal and external networks to resolve the same name to different addresses, for security or application reasons. Likewise, to work around the slow interconnection between China Telecom and China Netcom (north/south), you may want Telecom users to receive the address of a server inside the Telecom network, and Netcom users the address of a server inside the Netcom network, so that every user reaches the nearest and fastest server. All of this can be achieved with a simple DNS configuration, and doing it in DNS has the following advantages:
Original source: http://zqli.cublog.cn
1. Low cost: no dedicated equipment is needed, only a simple configuration change;
2. Flexibility: resolution rules can be added or removed at any time;
3. Some scalability: combined with round-robin DNS, simple load balancing can be configured quickly and seamlessly.
II. DNS views configuration
1. How it works
The view statement provided by BIND lets the same domain name be resolved differently depending on the IP range the client's query comes from.
Note: the view statement exists only in BIND 9; the older BIND 8 has no view statement!
2. Configuration example
(1) Assumed environment
Operating system: Red Hat Enterprise Linux Server release 5 (Tikanga)
BIND version: BIND 9.3.3rc2
Primary (master) DNS server: 192.168.0.2
Secondary (slave) DNS server: 192.168.0.3
Domain name: leotest.com
We want clients whose IP address is in the CN list to resolve www.leotest.com to 192.168.0.100, and clients whose IP address is not in the CN list to resolve it to 192.168.0.200.
Install BIND:
# rpm -ivh bind-9.3.3-7.el5.i386.rpm
# cat named.conf
include "/var/named/acl.conf";   // defines acl "CN", used by match-clients below
options
{
    query-source port 53;
    query-source-v6 port 53;
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};
logging
{
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
// Clients whose source address matches acl "CN" are answered from this view.
// Views are tried in the order they appear, so this view must precede "external".
view "internal"
{
    match-clients { CN; };
    recursion yes;
    include "/etc/named.root.hints";
    zone "my.internal.zone" {
        type master;
        file "my.internal.zone.db";
    };
    zone "my.slave.internal.zone" {
        type slave;
        file "slaves/my.slave.internal.zone.db";
        masters { /* put master nameserver IPs here */ 127.0.0.1; };
    };
    zone "my.ddns.internal.zone" {
        type master;
        allow-update { key ddns_key; };
        file "slaves/my.ddns.internal.zone.db";
    };
    zone "leotest.com" {
        type master;
        file "leotest.com.zone";        // www -> 192.168.0.100
        allow-transfer {
            192.168.0.3;
        };
    };
};
key ddns_key
{
    algorithm hmac-md5;
    secret "ZQFSVQ9sMquZsdb3Twg9q231SwF1f1KBhG74JMlaiPaumD6NeOA626FQ1DOa";
};
// Every other client (match-clients { any; }) is answered from this view.
view "external"
{
    match-clients { any; };
    recursion yes;
    include "/etc/named.root.hints";
    zone "my.external.zone" {
        type master;
        file "my.external.zone.db";
    };
    zone "leotest.com" {
        type master;
        file "leotest.com.zone.ext";    // www -> 192.168.0.200
        allow-transfer {
            192.168.0.3;
        };
    };
};
# cat acl.conf
acl "CN" {
    58.248.0.0/13;
    210.52.0.0/16;
};
More IP ranges can be added to this file; the two above are only an example.
# cat leotest.com.zone
$TTL 38400
@   IN SOA ns.leotest.com. root.ns.leotest.com. (
        2007072600 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        86400      ; minimum (negative-caching TTL)
)
@       NS  ns.leotest.com.
@       MX  5 mail.leotest.com.
@       IN  A   192.168.0.100
ns      IN  A   192.168.0.100   ; address for the NS target (absent from the original listing)
www     IN  A   192.168.0.100
mail    IN  A   192.168.0.100
# cat leotest.com.zone.ext
$TTL 38400
@   IN SOA ns.leotest.com. root.ns.leotest.com. (
        2007072600 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        86400      ; minimum (negative-caching TTL)
)
@       NS  ns.leotest.com.
@       MX  5 mail.leotest.com.
@       IN  A   192.168.0.200
ns      IN  A   192.168.0.200   ; address for the NS target (absent from the original listing)
www     IN  A   192.168.0.200
mail    IN  A   192.168.0.200
Below is the configuration of the secondary (slave) DNS server (192.168.0.3).
# cat /etc/named.conf
include "/var/named/acl.conf";
options
{
    query-source port 53;
    query-source-v6 port 53;
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};
logging
{
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view "internal"
{
    match-clients { CN; };
    recursion yes;
    include "/etc/named.root.hints";
    include "/var/named/internal.conf";
};
key ddns_key
{
    algorithm hmac-md5;
    secret "COD951PjWgXORWEdLNbN1xAzuZ5eRrdzXmhCZp09ykYoczacYxPe27sImK49";
};
view "external"
{
    match-clients { any; };
    recursion yes;
    include "/etc/named.root.hints";
    include "/var/named/external.conf";
};
# cat internal.conf
zone "leotest.com" {
    type slave;
    file "slaves/leotest.com.zone";
    masters { 192.168.0.2; };
};
# cat external.conf
zone "leotest.com" {
    type slave;
    file "slaves/leotest.com.zone.b";
    masters { 192.168.0.2; };
};
acl.conf is identical to the one on the primary DNS server.
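To check the behaviour of the configuration above without a running named, here is an offline model of it. This is an added example, not code from the original article and not BIND's own implementation: it re-implements the first-match semantics of an address match list (match-clients and acl) with Python's standard ipaddress module, parses the two leotest.com zone files with a minimal master-file parser, and reports which view and which answer a given client IP receives. The zone text and the CN ACL are copied from the article; the built-in "any" ACL is modelled as 0.0.0.0/0 and ::/0, the sample client IPs are constructed, and the function names (match_clients, select_view, parse_zone, resolve) are this example's own.

```python
"""Offline model of the BIND 9 split-horizon setup for leotest.com (added example)."""
import ipaddress

# acl.conf from the article; "any" is BIND's built-in ACL (modelled here as all addresses).
ACLS = {
    "CN": ["58.248.0.0/13", "210.52.0.0/16"],
    "any": ["0.0.0.0/0", "::/0"],
}

# Views in named.conf order: a client is assigned to the FIRST view whose
# match-clients list matches it, so "internal" must be listed before "external".
VIEWS = [("internal", ["CN"]), ("external", ["any"])]

# leotest.com.zone as served from the "internal" view (copied from the article).
ZONE_INTERNAL = """\
$TTL 38400
@   IN SOA ns.leotest.com. root.ns.leotest.com. (
        2007072600 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        86400      ; minimum
)
@       NS  ns.leotest.com.
@       MX  5 mail.leotest.com.
@       IN  A   192.168.0.100
ns      IN  A   192.168.0.100
www     IN  A   192.168.0.100
mail    IN  A   192.168.0.100
"""
# leotest.com.zone.ext differs only in the addresses.
ZONE_EXTERNAL = ZONE_INTERNAL.replace("192.168.0.100", "192.168.0.200")


def match_clients(elements, client_ip, acls=ACLS):
    """Address-match-list rule: the first element containing the address decides;
    a leading '!' turns that first match into a rejection."""
    ip = ipaddress.ip_address(client_ip)
    for element in elements:
        negate = element.startswith("!")
        for cidr in acls[element.lstrip("!")]:
            if ip in ipaddress.ip_network(cidr):
                return not negate
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the view that answers client_ip, or None if no view matches."""
    for name, elements in views:
        if match_clients(elements, client_ip):
            return name
    return None


def parse_zone(text, origin):
    """Minimal master-file parser returning {(owner FQDN, rtype): [rdata, ...]}.
    Handles $ directives, ';' comments, '(' ')' continuation lines and
    blank-owner lines that inherit the previous owner."""
    records, owner, buf, depth = {}, origin, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf = line if not buf else buf + " " + line
        if depth:
            continue                            # still inside ( ... )
        leading_blank = buf[0].isspace()
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0].startswith("$"):
            continue                            # $TTL / $ORIGIN: not a record
        if not leading_blank:
            owner = fields.pop(0)               # explicit owner, else inherited
        if fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                       # class is optional
        rtype = fields.pop(0).upper()
        if owner == "@":
            fqdn = origin
        else:
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        records.setdefault((fqdn, rtype), []).append(" ".join(fields))
    return records


ZONES = {
    "internal": parse_zone(ZONE_INTERNAL, "leotest.com."),
    "external": parse_zone(ZONE_EXTERNAL, "leotest.com."),
}


def resolve(client_ip, qname, qtype="A"):
    """(view, rdata list) that client_ip would receive for qname/qtype."""
    view = select_view(client_ip)
    if view is None:
        return None, []
    return view, ZONES[view].get((qname, qtype), [])


if __name__ == "__main__":
    for ip in ("58.250.1.1", "210.52.7.7", "8.8.8.8"):   # constructed sample clients
        print(ip, resolve(ip, "www.leotest.com."))
    # The secondary 192.168.0.3 is not in acl CN, so its zone transfers are
    # answered from the master's "external" view.
    print("secondary transfers from view:", select_view("192.168.0.3"))
```

Running the model shows one practical consequence of the configuration above: the secondary's own address 192.168.0.3 is not in acl CN, so the primary answers both of the secondary's transfer requests from the external view, and both views on the secondary end up serving the 192.168.0.200 data. The usual remedy is to give each view its own TSIG key and match on it (match-clients { key internal-key; CN; } and a matching keyed masters entry on the secondary) so that each view transfers its own copy of the zone. Two other settings are worth reviewing from a defender's standpoint: recursion yes in the external view with match-clients { any; } makes the server an open recursive resolver, so recursion there should be disabled or restricted to known clients; and query-source port 53 pins the outgoing source port, which disables the source-port randomization later BIND releases rely on to resist cache poisoning.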
[火星人]
http://coctec.com/docs/service/show-post-37004.html