Bind的一些常用特性
1. 地址匹配列表
acl name {address_match_list;};
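acl "internal" {192.168.1.192/26;};  # ASCII double quotes only; the typographic quotes in the original do not parse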
bind也预定义了四个地址匹配列表:
none 没有任何地址
any 所有地址
localhost 本机地址
localnets 本地主机任一网络接口所在的网络
2.更新访问控制
使用allow-update 语句,只有匹配该地址列表的地址才允许更新
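zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    # only this one host may send dynamic updates; the match is on source
    # address alone, which is weak for UDP updates, so a key-based
    # update-policy (shown further below) is preferable where possible
    allow-update {192.253.253.100;};
};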
更新转发,使用allow-update-forwarding 语句
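zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    # updates arriving from this /24 are forwarded on to the primary;
    # this statement is meaningful on a secondary, not on the primary itself
    allow-update-forwarding {192.253.253.100/24;};
};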
update-policy可以让你具体设定哪些密钥允许更新区中的哪些记录
语法:(grant|deny) identity nametype name [types]
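zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    # identity (the key name, typo "movi" fixed) may only update records whose
    # owner is its own name; with nametype "self" the name field must equal the identity
    update-policy {grant mummy.fx.movie.edu. self mummy.fx.movie.edu.;};
};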
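zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    update-policy {grant mummy.fx.movie.edu. self mummy.fx.movie.edu. A;};
    # same as the previous example (key name typo fixed), but the trailing type
    # list further restricts mummy.fx.movie.edu to updating its own A records only
};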
3. DNS notify 区变动通知
Bind默认的区变动通知是打开的,使用 notify no; 关闭
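options {
    # keyword is "options" (plural); turns NOTIFY off for every zone,
    # a per-zone "notify" statement still overrides this default
    notify no;
};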
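zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    notify no;   # disable NOTIFY for this zone only
};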
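zone "fx.movie.edu" {
    type master;
    file "fx.movie.edu.hosts";
    notify yes;
    # also-notify adds a server that receives NOTIFY in addition to the zone's NS hosts
    also-notify {192.168.1.1;};
};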
4.增量区传送(IXFR)
增量区传送在BIND各个版本之间差别很大。在BIND 9中IXFR是默认打开的,无需特殊设置;要关闭,可以使用 request-ixfr no; 关闭该功能
5. 转发 (forwarding)
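options {
    # queries this server cannot answer itself are sent to these hosts first
    # (the default mode is "forward first": fall back to normal resolution if they fail)
    forwarders {192.168.1.4;192.168.1.22;};
};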
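options {
    forwarders {192.168.1.4;192.168.1.22;};
    # forward only: never fall back to iterative resolution when the forwarders fail;
    # this statement may also be placed inside a zone statement
    forward only;
};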
6. 视图 (view)
这是智能解析用到的,关于这方面网上有很多实例,下面就是一个:
vi /etc/bind/named.conf; #
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# global options live in the included file; once views are used, every zone must sit inside some view
include "/etc/bind/named.conf.options";
view "internal" {
    # views are matched in file order, so this one is tried first:
    # loopback plus the single listed host
    match-clients {
        localhost;
        192.168.0.8;
    };
    match-destinations { any; };
    allow-query {
        localhost;
        192.168.0.0/24;
    };
    # internal clients may use this server as a recursive resolver
    recursion yes;
    # zone transfers only to 192.168.0.7 (presumably the secondary; confirm)
    allow-transfer { 192.168.0.7; };
    include "/etc/bind/named.internal.zones";
    include "/etc/bind/named.conf.local";
};
view "external" {
    # only these two hosts reach this view; everyone else falls through to "others"
    match-clients {
        192.168.0.7;
        192.168.0.17;
    };
    match-destinations { any; };
    allow-query { any; };   # effectively limited to the two match-clients hosts
    recursion yes;
    allow-transfer { 192.168.0.7; };
    include "/etc/bind/named.external.zones";
    include "/etc/bind/named.conf.local";
};
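view "others" {
    # catch-all view: every client not matched by the views above lands here
    match-clients { any; };
    match-destinations { any; };
    # answer only for the authoritative zones included below; the original
    # "recursion yes" combined with "match-clients { any; }" makes this an open
    # recursive resolver, which is abusable for reflection and cache-poisoning
    recursion no;
    allow-query { any; };
    allow-transfer { 192.168.0.7; };
    include "/etc/bind/named.others.zones";
    include "/etc/bind/named.conf.local";
};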
vi /etc/bind/named.internal.zones;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# root hints, consulted only when this view resolves recursively
zone "." {
type hint;
file "/etc/bind/db.root";
};
# standard local-only zones: loopback forward/reverse plus the 0 and 255 reverse zones
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
# the split-horizon zone: the "internal" view serves its own copy of mytest.com
zone "mytest.com" IN {
type master;
file "/etc/bind/mytest.com.internal";
};
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vi /etc/bind/named.external.zones;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# root hints, consulted only when this view resolves recursively
zone "." {
type hint;
file "/etc/bind/db.root";
};
# standard local-only zones, identical to the other views' zone lists
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
# the split-horizon zone: the "external" view serves a different copy of mytest.com
zone "mytest.com" IN {
type master;
file "/etc/bind/mytest.com.external";
};
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vi /etc/bind/named.others.zones;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# root hints; only used if the "others" view is allowed to recurse
zone "." {
type hint;
file "/etc/bind/db.root";
};
# standard local-only zones, identical to the other views' zone lists
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
# the split-horizon zone: the copy of mytest.com handed to all remaining clients
zone "mytest.com" IN {
type master;
file "/etc/bind/mytest.com.others";
};
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vi /etc/bind/mytest.com.internal;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
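$TTL 4320 ; 1 hour 12 minutes (default TTL for records without one)
@ IN SOA ns.mytest.com. root.ns.mytest.com. (
    2007101701 ; serial (looks date-based); bump on every change or secondaries never refresh
    3600 ;       refresh
    1800 ;       retry
    36000 ;      expire
    3600 ) ;     negative-caching TTL
; owner written explicitly: a line beginning "IN NS" in column 0 is parsed as an owner named "IN"
@ IN NS ns.mytest.com.
ns IN A 192.168.0.8
www IN A 1.1.1.1 ; answer handed to clients that match the "internal" view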
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vi /etc/bind/mytest.com.external;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
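$TTL 4320 ; 1 hour 12 minutes (default TTL for records without one)
@ IN SOA ns.mytest.com. root.ns.mytest.com. (
    2007101701 ; serial (looks date-based); keep it in step with the other copies when changed
    3600 ;       refresh
    1800 ;       retry
    36000 ;      expire
    3600 ) ;     negative-caching TTL
; owner written explicitly: a line beginning "IN NS" in column 0 is parsed as an owner named "IN"
@ IN NS ns.mytest.com.
ns IN A 192.168.0.8
www IN A 2.2.2.2 ; answer handed to clients that match the "external" view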
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vi /etc/bind/mytest.com.others;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
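$TTL 4320 ; 1 hour 12 minutes (default TTL for records without one)
@ IN SOA ns.mytest.com. root.ns.mytest.com. (
    2007101701 ; serial (looks date-based); bump on every change
    3600 ;       refresh
    1800 ;       retry
    36000 ;      expire
    3600 ) ;     negative-caching TTL
; owner written explicitly: a line beginning "IN NS" in column 0 is parsed as an owner named "IN"
@ IN NS ns.mytest.com.
ns IN A 192.168.0.8
www IN A 3.3.3.3 ; answer handed to every client that falls through to the "others" view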
7. bind的优化
限制每个服务器请求的传送数量
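options {
    # at most 2 inbound zone transfers running at once from any single remote server
    transfers-per-ns 2;
};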
限制区请求传送的总数
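options {
    # cap on inbound zone transfers running concurrently, across all servers
    transfers-in 12;
};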
限制区传送的总数
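options {
    # cap on outbound zone transfers running concurrently; bounds the load a
    # burst of transfer requests can impose
    transfers-out 21;
};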
限制区传送的持续时间
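options {
    # option name is max-transfer-time-in (singular "transfer"); value is in
    # minutes, inbound transfers running longer than this are terminated
    max-transfer-time-in 120;
};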
限制区传送的频度
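options {
    # clamp the SOA refresh interval used for secondary zones to this range (seconds)
    max-refresh-time 86400;
    min-refresh-time 1800;
};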
使用many-answers格式
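options {
    # pack many records into each transfer message (the BIND 9 default);
    # one-answer exists only for very old peers
    transfer-format many-answers;
};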