分类: LINUX

2011-08-01 17:17:58

BIND9+VIEW+Master-Slave+TSIG

1.主DNS 192.168.1.19
2.从DNS 192.168.1.20

视图分为电信视图(tel)和其它客户端使用的默认视图(default)

主DNS配置文件(/etc/named.conf)

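options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
        statistics-file "/var/named/named_stats";
        version "DNS";          // string returned for version.bind CHAOS queries
        dump-file "/var/named/data/cache_dump.db";
        allow-query { any; };
        // Zone transfers go to the slave only (192.168.1.20 per the note at
        // the top of the post). The original listed the master's own address
        // (192.168.1.19), so the slave could never AXFR either view's copy.
        allow-transfer { 192.168.1.20; };
        // NOTE(review): recursion is left at named's default (enabled) and
        // allow-query is "any", so this host is also an open recursive
        // resolver. Restrict allow-recursion to the internal ranges, or set
        // "recursion no;", unless that is intended.
};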

logging {
        // Query log: info and above, rotated at 3 MB, three old copies kept.
        channel general_dns {
                file "/var/named/log/dns_logs" versions 3 size 3m;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        // Every other category: errors only, same rotation policy.
        channel error {
                file "/var/named/log/dns_warnings" versions 3 size 3m;
                severity error;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category queries { general_dns; };
        category default { error; };
};

key "rndc-key" {
       // Used only by the controls statement below for rndc; do not reuse
       // it as a TSIG key between servers. A secret that has been published
       // (as this one is, in the post) must be regenerated before use.
       secret "G2TWhCl4fK6XFPrlk7JiKA==";
       algorithm hmac-md5;
};
 
controls {
       // rndc is accepted on the loopback address only and every command
       // must be signed with rndc-key.
       inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

key "tel" {
        // TSIG key that selects the "tel" view; the secret must be identical
        // on master and slave. hmac-md5 is no longer recommended -- moving to
        // hmac-sha256 means regenerating the key on both ends at once.
        secret "ls1Qn0p8o2ikoReMGSVnkQ==";
        algorithm hmac-md5;
};

key "default" {
        // TSIG key that selects the "default" view; must match the slave's
        // copy. Same caveat as "tel": hmac-md5 is legacy, change it on both
        // servers together.
        secret "hWJct6myvWH4AGNE09Dk9A==";
        algorithm hmac-md5;
};


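include "acl_tel";      // defines acl "tel" (the Telecom client addresses)

// Telecom view: chosen for requests signed with key "tel" or sourced from
// the "tel" ACL. Views are matched in order, so this one must precede
// "default".
view "tel" {
        match-clients { key "tel"; tel; };
        // Sign NOTIFY and other traffic to the slave (192.168.1.20) with
        // "tel" so the slave routes it into its own "tel" view. The original
        // pointed at the master's own address (192.168.1.19).
        server 192.168.1.20 { keys "tel"; };

        zone "mail.com" {
                type master;
                file "mail.com.view";
                also-notify { 192.168.1.20; };
                // Only a transfer request signed with "tel" may pull this
                // view's copy of the zone.
                allow-transfer { key "tel"; };
        };

        zone "." {
                type hint;
                file "named.root";
        };

        zone "localhost" IN {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };

};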

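// Catch-all view: everything not claimed by "tel" above, plus any request
// signed with key "default" (which is how the slave's "default" view pulls
// its copy of the zone regardless of source address).
view "default" {
        match-clients { key "default"; any; };
        // Sign traffic to the slave (192.168.1.20) with "default" so it
        // lands in the slave's "default" view; the original used the
        // master's own address (192.168.1.19).
        server 192.168.1.20 { keys "default"; };

        zone "mail.com" {
                type master;
                file "mail.com.default";
                also-notify { 192.168.1.20; };
                // Transfers of this copy only for requests signed with "default".
                allow-transfer { key "default"; };
        };

        // NOTE(review): unlike "tel" there is no hint zone "." here; named
        // should fall back to its compiled-in root hints, so this is not an
        // error, but the two views do behave differently.
        zone "localhost" IN {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };
};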


从DNS主配置文件

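options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
        statistics-file "/var/named/named_stats";
        version "DNS";          // string returned for version.bind CHAOS queries
        dump-file "/var/named/data/cache_dump.db";
        allow-query { any; };
        // This slave has no secondaries of its own, so refuse zone transfers.
        // The original omitted allow-transfer, and on this vintage of BIND
        // the default is "any", which exposed both views' zone contents to
        // anyone who asked.
        allow-transfer { none; };
        // Caps the SOA refresh interval at 10 seconds: the slave polls the
        // master every 10 s instead of honouring the zone's 3-hour refresh.
        // Acceptable in a lab; in production drop it and rely on NOTIFY.
        max-refresh-time 10;
        // NOTE(review): as on the master, allow-query "any" with recursion at
        // its default makes this an open resolver; restrict allow-recursion
        // or set "recursion no;".
};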

logging {
        // Query log: info and above, rotated at 3 MB, three old copies kept.
        channel general_dns {
                file "/var/named/log/dns_logs" versions 3 size 3m;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        // Every other category: errors only, same rotation policy.
        channel error {
                file "/var/named/log/dns_warnings" versions 3 size 3m;
                severity error;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category queries { general_dns; };
        category default { error; };
};
      
key "rndc-key" {
       // Local rndc key for this slave (distinct from the master's, as it
       // should be). Published in the post, so regenerate before use.
       secret "EiQ80ZRd9PvqXgMy0zBe9A==";
       algorithm hmac-md5;
};
      
controls {
       // rndc is accepted on the loopback address only and every command
       // must be signed with rndc-key.
       inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

key "tel" {
        // Must be byte-identical to the master's "tel" key, otherwise
        // signed NOTIFYs and transfers fail. hmac-md5 is legacy; switch to
        // hmac-sha256 on both servers together.
        secret "ls1Qn0p8o2ikoReMGSVnkQ==";
        algorithm hmac-md5;
};

key "default" {
        // Must be byte-identical to the master's "default" key. Same
        // hmac-md5 caveat as "tel".
        secret "hWJct6myvWH4AGNE09Dk9A==";
        algorithm hmac-md5;
};

               
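include "acl_tel";      // defines acl "tel" (same file as on the master)

// Telecom view, selected by the "tel" TSIG key or the "tel" ACL. Must come
// before "default" because views are tried in order.
view "tel" {
        match-clients { key "tel"; tel; };
        // Sign SOA/AXFR queries to the master with "tel" so they land in the
        // master's "tel" view. The original used 192.168.1.9, which does not
        // match the master address given at the top of the post (192.168.1.19).
        server 192.168.1.19 { keys "tel"; };

        zone "mail.com" {
                type slave;
                file "mail.com.view";
                masters { 192.168.1.19; };
        };

        zone "." {
                type hint;
                file "named.root";
        };

        zone "localhost" IN {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };

};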

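// Catch-all view; requests signed with "default" are routed here even when
// they come from a "tel" address.
view "default" {
        match-clients { key "default"; any; };
        // Sign traffic to the master with "default" so it is answered from
        // the master's "default" view. Original had 192.168.1.9, inconsistent
        // with the stated master address 192.168.1.19.
        server 192.168.1.19 { keys "default"; };

        zone "mail.com" {
                type slave;
                file "mail.com.default";
                masters { 192.168.1.19; };
        };

        zone "." {
                type hint;
                file "named.root";
        };

        zone "localhost" IN {
                type master;
                file "localhost.zone";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };

};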

 


调试命令:
rndc reload 加载所有区
rndc reload mail.com IN tel 只加载tel视图的mail.com区
named -g 前台调试模式

dnssec-keygen -a hmac-md5 -b 128 -n HOST tel      tel视图key生成(把生成的key文件中的密串贴到主配置文件中)
dnssec-keygen -a hmac-md5 -b 128 -n HOST default default视图key生成(把生成的key文件中的密串贴到主配置文件中)
注意: 同一个视图的密串在主从两端必须完全一致; 密串只应保存在 named 可读、其它用户不可读的文件中(建议用 include 单独引入), 本文中出现的密串仅为示例, 不要直接使用。较新版本的 BIND 已不推荐 hmac-md5, 建议改用 hmac-sha256, 并用 tsig-keygen 生成。


区域文件示例:

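$TTL 86400      ; 1 day
; Apex records use "@" (the zone origin, mail.com.). The original wrote
; "mail.com" with no trailing dot, which is relative to the origin and names
; mail.com.mail.com. -- the SOA would not sit at the apex and the zone
; would not load.
@                       IN SOA  mail.com. root.mail.com. (
                                110        ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
@                       IN NS   ns.mail.com.
@                       IN MX   10 mail.mail.com.
; The NS and MX targets live inside this zone, so they need address records;
; with the default check-integrity named rejects a zone whose in-zone NS has
; no A/AAAA. 10.0.0.1 is a constructed sample value (copied from www) --
; replace with the real addresses.
ns                      IN A    10.0.0.1
mail                    IN A    10.0.0.1
www                     IN A    10.0.0.1
; Kept from the original: a CNAME pointing at the root (".") is unusual --
; confirm that is intended.
cache                   IN CNAME .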

 


ACL文件示例:
acl "tel" {
        // Telecom clients. This is a /32, i.e. one host, not a range --
        // list the real Telecom prefixes here in production.
        192.168.1.51/32;
};

 

localhost.rev
$TTL    1D ;
; Reverse zone for 127.0.0.0/8 (0.0.127.IN-ADDR.ARPA): maps 127.0.0.1 back
; to localhost. "@" is the zone origin.
@       IN      SOA     localhost. root.localhost.  (
                        45      ; Serial
                        3h      ; Refresh
                        15      ; Retry
                        1w      ; Expire
                        3h )    ; Minimum
@       IN      NS      localhost.
1       IN      PTR     localhost.

 

localhost.zone
$TTL    1D
$ORIGIN localhost.
; Forward zone for "localhost": the apex is its own name server and
; resolves to the loopback address.
@           1D IN SOA   @ root (
                    42      ; serial (d. adams)
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum

@           1D IN NS    @
@           1D IN A     127.0.0.1


named.root    //根提示文件, 用于查询根域。本文贴出的是 2011 年的快照, 此后部分根服务器地址已变更, 应从 InterNIC 重新 wget 最新版, 或不配置 hint 区而直接依赖 BIND 内置的根提示
; NOTE(review): this snapshot is dated Jun 8, 2011 (see "last update" below).
; Several root-server addresses have changed since, so refresh this file from
; InterNIC before deploying, or drop the hint zone and use named's built-in
; root hints.
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server          
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jun 8, 2011
;       related version of root zone:   2011060800
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File

 

 

 