DNS Advanced Application: implementation of Sub-Domain Authorization, forwarding and view

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


Before implementing these functions, let's review the basic syntax of the named.conf directives involved:

ACL:

    acl string { address_match_element; address_match_element; ... };

ZONE:

    # master zone
    zone string optional_class { type master; file quoted_string; ... };
    # slave server
    zone string optional_class { type slave; masters { MASTER_ADDRESS; }; file quoted_string; ... };
    # forwarding server
    zone string optional_class { type forward; forward { first | only }; forwarders { forward_address; }; ... };

VIEW:

    // once any view is defined, every zone must be defined inside a view
    view string optional_class {
        match-clients { address_match_element; ... };
        match-destinations { address_match_element; ... };
        zone string optional_class { ... };
    };

Access control directives:

    allow-query { address_match_element; ... };
    allow-transfer { address_match_element; ... };
    allow-recursion { address_match_element; ... };
    allow-update { address_match_element; ... };

See man named.conf for details.

Subdomain delegation:

Environment: two CentOS 6.5 hosts

IP1: 192.168.1.16, IP2: 192.168.1.20

Goal: IP1 is the authoritative server for jiajie.com, and IP2 is the authoritative server for the subdomain ops.jiajie.com. On the parent side, delegation only requires adding NS records for the subdomain (plus glue A records for the subdomain's name servers) to IP1's zone file.

START:

Turn off the firewall and SELinux (a lab shortcut only: on a real server open UDP and TCP port 53 in the firewall instead and keep SELinux enforcing).

First configure IP1 (192.168.1.16):

Modify the configuration file (/etc/named.conf):

    options {
        listen-on port 53 { 192.168.1.16; 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };      // comment out or delete this line
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
    };

Note that allow-query { any; } together with recursion yes makes this an open resolver for every network that can reach it; outside a lab, restrict recursion with allow-recursion (the view section below does exactly that for the internal network). Disabling DNSSEC validation is likewise a lab shortcut.

Add the zone (at the end of /etc/named.rfc1912.zones):

    zone "jiajie.com" IN {
        type master;
        file "jiajie.zone";
    };

Configure the zone file (/var/named/jiajie.zone):

    $TTL 1D
    @       IN SOA  ns1.jiajie.com. jjzgood.126.com. (
                    20170509 1H 10M 5D 1D )
            IN NS   ns1
            IN NS   ns2
    ns1     IN A    192.168.1.16
    ns2     IN A    192.168.1.17
    www     IN A    192.168.1.17
    *       IN A    192.168.1.16
    ; delegate the ops subdomain: NS records plus glue A records for its servers
    ops     IN NS   ns1.ops
    ops     IN NS   ns2.ops
    ns1.ops IN A    192.168.1.20
    ns2.ops IN A    192.168.1.21

Set permissions and group ownership, so that the named group can read the file but not write it:

    # chmod 640 /var/named/jiajie.zone
    # chown :named /var/named/jiajie.zone
    # ll /var/named/jiajie.zone
    -rw-r----- 1 root named 292 May  9 16:30 /var/named/jiajie.zone

Restart the service:

    # service named restart

Check that port 53 is listening (ss -t shows only TCP; add -u to see the UDP socket that DNS mainly uses):

    # ss -tlnp | grep :53

Verify:

    # host -t a www.jiajie.com 192.168.1.16
    Using domain server:
    Name: 192.168.1.16
    Address: 192.168.1.16#53
    Aliases:

    www.jiajie.com has address 192.168.1.17

Next, configure the subdomain server (IP2: 192.168.1.20)

Modify the configuration file (/etc/named.conf); it is the same as on IP1 except that listen-on names this host's own address:

    options {
        listen-on port 53 { 192.168.1.20; 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };      // comment out or delete this line
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
    };

Add the zone (at the end of /etc/named.rfc1912.zones):

    zone "ops.jiajie.com" IN {
        type master;
        file "ops.jiajie.com.zone";
    };

Configure the zone file (/var/named/ops.jiajie.com.zone):

    $TTL 1D
    @       IN SOA  ns1.ops.jiajie.com. jjzgood.126.com. (
                    20170509 1H 10M 5D 1D )
            IN NS   ns1
            IN NS   ns2
    ns1     IN A    192.168.1.20
    ns2     IN A    192.168.1.21
    www     IN A    192.168.1.20
    *       IN A    192.168.1.21

Set permissions and group ownership:

    # chmod 640 /var/named/ops.jiajie.com.zone
    # chown :named /var/named/ops.jiajie.com.zone

Restart the service:

    # service named restart

Check that port 53 is listening:

    # ss -tlnp | grep :53

Verify:

    # host -t a www.ops.jiajie.com 192.168.1.20
    Using domain server:
    Name: 192.168.1.20
    Address: 192.168.1.20#53
    Aliases:

    www.ops.jiajie.com has address 192.168.1.20

    # host -t a ftp.ops.jiajie.com 192.168.1.20
    Using domain server:
    Name: 192.168.1.20
    Address: 192.168.1.20#53
    Aliases:

    ftp.ops.jiajie.com has address 192.168.1.21

    ---- Note that the queries above and below go to different DNS servers ----

    # host -t a www.ops.jiajie.com 192.168.1.16
    Using domain server:
    Name: 192.168.1.16
    Address: 192.168.1.16#53
    Aliases:

    www.ops.jiajie.com has address 192.168.1.20

    # host -t a ftp.ops.jiajie.com 192.168.1.16
    Using domain server:
    Name: 192.168.1.16
    Address: 192.168.1.16#53
    Aliases:

    ftp.ops.jiajie.com has address 192.168.1.21
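The delegation above works because the parent zone carries both the NS records for ops and glue A records for ns1.ops and ns2.ops, and because the child zone's apex NS set names the same servers. The script below is an added example, not part of the original article: it parses the two zone files shown above (embedded as constructed input), checks those conditions, and then shows what the check reports for a constructed broken variant in which the parent also delegates to an ns3.ops that has no glue and that the child does not list. The parser only handles the record forms used on this page.

```python
"""Delegation consistency check between a parent zone and its delegated child.

Added example, not code from the article. The two zone texts are the article's
jiajie.com and ops.jiajie.com zone files, embedded as constructed sample input
so the check runs offline (no BIND, no network).
"""
from collections import defaultdict

PARENT_ORIGIN = "jiajie.com."
CHILD_ORIGIN = "ops.jiajie.com."

PARENT_ZONE = """\
$TTL 1D
@       IN SOA  ns1.jiajie.com. jjzgood.126.com. ( 20170509 1H 10M 5D 1D )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    192.168.1.16
ns2     IN A    192.168.1.17
www     IN A    192.168.1.17
*       IN A    192.168.1.16
ops     IN NS   ns1.ops
ops     IN NS   ns2.ops
ns1.ops IN A    192.168.1.20
ns2.ops IN A    192.168.1.21
"""

CHILD_ZONE = """\
$TTL 1D
@       IN SOA  ns1.ops.jiajie.com. jjzgood.126.com. ( 20170509 1H 10M 5D 1D )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    192.168.1.20
ns2     IN A    192.168.1.21
www     IN A    192.168.1.20
*       IN A    192.168.1.21
"""

# Constructed broken variant: a third delegated server with no glue, unknown to the child.
BROKEN_PARENT_ZONE = PARENT_ZONE + "ops     IN NS   ns3.ops\n"


def fqdn(name, origin):
    """Expand a zone-file owner or target into an absolute name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Collect the NS and A RRsets of a one-record-per-line zone file as
    {(owner, rtype): set(rdata)}. SOA, $TTL and blank lines are skipped; a line
    starting with whitespace reuses the previous owner, as in BIND."""
    rrsets = defaultdict(set)
    last_owner = origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                      # optional TTL and class tokens
        if fields[0].upper() == "NS":
            rrsets[(owner, "NS")].add(fqdn(fields[1], origin))
        elif fields[0].upper() == "A":
            rrsets[(owner, "A")].add(fields[1])
    return dict(rrsets)


def check_delegation(parent, child, child_origin):
    """Return the problems found (empty list = consistent zone cut): the parent
    must delegate with NS records, every in-bailiwick server needs glue that
    agrees with the child's own A records, and the child's apex NS set must
    equal the parent's delegation (a mismatch is the classic lame delegation)."""
    problems = []
    delegated = parent.get((child_origin, "NS"), set())
    if not delegated:
        return [f"parent has no NS records for {child_origin}"]
    for ns in sorted(delegated):
        if not ns.endswith("." + child_origin):
            continue                           # out-of-bailiwick server: no glue expected
        glue = parent.get((ns, "A"), set())
        if not glue:
            problems.append(f"no glue A record in parent for in-bailiwick server {ns}")
        elif glue != child.get((ns, "A"), set()):
            problems.append(f"glue for {ns} {sorted(glue)} differs from the child's A records")
    apex = child.get((child_origin, "NS"), set())
    if apex != delegated:
        problems.append(f"child apex NS {sorted(apex)} != parent delegation {sorted(delegated)}")
    return problems


def run(parent_text=PARENT_ZONE):
    """Check the article's child zone against the given parent zone text."""
    parent = parse_zone(parent_text, PARENT_ORIGIN)
    return check_delegation(parent, parse_zone(CHILD_ZONE, CHILD_ORIGIN), CHILD_ORIGIN)
```

run() returns an empty list for the article's zones; run(BROKEN_PARENT_ZONE) reports both the missing glue for ns3.ops.jiajie.com. and the mismatch between the child's apex NS set and the parent's delegation. The same check is worth repeating whenever either side's NS records change, since the parent and child files live on different hosts and drift apart silently.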

The host output above shows that the parent's server (IP1) can resolve names in the child domain: IP1 is not authoritative for ops.jiajie.com, but recursion is enabled, so it follows its own delegation (the NS and glue records) to IP2 and returns the answer. The reverse does not work: IP2 knows nothing about jiajie.com, and in this isolated lab its recursion has no path to the root servers, so a query for a parent-domain name fails. Setting up a forward zone on the subdomain server fixes this.

The failing query, before forwarding is configured:

    # host -t a ftp.jiajie.com 192.168.1.20
    Using domain server:
    Name: 192.168.1.20
    Address: 192.168.1.20#53
    Aliases:

    Host ftp.jiajie.com not found: 3(NXDOMAIN)

Forwarding server:

Note: this experiment builds on the one above.

First, add a forward zone for the parent domain on the IP2 (192.168.1.20) server (at the end of /etc/named.rfc1912.zones):

    zone "jiajie.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.1.16; };
    };

Reload the configuration (run named-checkconf first so that a syntax error does not take the server down):

    # rndc reload

The subdomain server can now resolve parent-domain names:

    # host -t A ftp.jiajie.com 192.168.1.20
    Using domain server:
    Name: 192.168.1.20
    Address: 192.168.1.20#53
    Aliases:

    ftp.jiajie.com has address 192.168.1.16

(ftp has no record of its own; the wildcard * IN A 192.168.1.16 in jiajie.zone answers for it.)
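To make the dispatch rules concrete, here is an added example, not code from the article, that models in Python how named chooses between an authoritative zone, a forward zone and its own recursion: the longest matching zone wins, so IP2 keeps answering ops.jiajie.com itself while everything else under jiajie.com is forwarded to IP1. It also contrasts forward only with forward first (explained in the next section) when the forwarder is down. The network is replaced by plain callables, and the 203.0.113.9 answer returned by the stand-in recursion is a constructed value.

```python
"""How a BIND-style server dispatches a query: authoritative zone, forward zone,
global forwarders or its own recursion, and what `forward first` versus
`forward only` does when the forwarder is unreachable.

Added example, not the article's code. The network is replaced by callables: a
forwarder is any function name -> answer, and `recursion` stands in for the
server's own iterative resolution. In the article's offline lab that path has
no route to the root servers, which is modelled here as SERVFAIL.
"""

NXDOMAIN, SERVFAIL = "NXDOMAIN", "SERVFAIL"


class Server:
    def __init__(self, recursion):
        self.zones = {}              # zone name -> configuration
        self.recursion = recursion   # callable(name) -> answer
        self.global_forward = None   # (mode, forwarder) from options { forward ...; forwarders {...}; }

    def add_master(self, zone, records):
        self.zones[zone] = {"type": "master", "records": records}

    def add_forward(self, zone, mode, forwarder):
        assert mode in ("first", "only")
        self.zones[zone] = {"type": "forward", "mode": mode, "forwarder": forwarder}

    def set_global_forward(self, mode, forwarder):
        self.global_forward = (mode, forwarder)

    def best_zone(self, name):
        """Longest-suffix match: a query under ops.jiajie.com is served by that
        zone even when a forward zone for jiajie.com also exists."""
        best = None
        for zone in self.zones:
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def _forward(self, name, mode, forwarder):
        try:
            return forwarder(name)
        except ConnectionError:
            # forward only: give up, the client sees SERVFAIL
            # forward first: silently fall back to our own recursion
            return self.recursion(name) if mode == "first" else SERVFAIL

    def resolve(self, name):
        zone = self.best_zone(name)
        if zone is not None:
            cfg = self.zones[zone]
            if cfg["type"] == "master":
                return cfg["records"].get(name, NXDOMAIN)   # authoritative answer
            return self._forward(name, cfg["mode"], cfg["forwarder"])
        if self.global_forward is not None:                  # global forwarding from options {}
            return self._forward(name, *self.global_forward)
        return self.recursion(name)


def no_route_to_root(name):
    """The lab has no Internet access, so iterative resolution cannot start."""
    return SERVFAIL


def dead_forwarder(name):
    raise ConnectionError("forwarder unreachable")


def build_lab():
    """The article's two servers; ftp.jiajie.com comes from the parent's wildcard record."""
    ip1 = Server(recursion=no_route_to_root)
    ip1.add_master("jiajie.com", {"www.jiajie.com": "192.168.1.17", "ftp.jiajie.com": "192.168.1.16"})
    ip2 = Server(recursion=no_route_to_root)
    ip2.add_master("ops.jiajie.com", {"www.ops.jiajie.com": "192.168.1.20",
                                      "ftp.ops.jiajie.com": "192.168.1.21"})
    return ip1, ip2


def scenarios():
    """Replay the article's lab, then the forwarder-down cases; returns the answers."""
    ip1, ip2 = build_lab()
    out = {}
    out["parent_from_child_before"] = ip2.resolve("ftp.jiajie.com")   # no zone, no recursion path
    ip2.add_forward("jiajie.com", "only", ip1.resolve)                # the article's forward zone on IP2
    out["parent_from_child_after"] = ip2.resolve("ftp.jiajie.com")    # answered via IP1
    out["child_stays_local"] = ip2.resolve("www.ops.jiajie.com")      # longest match: still authoritative
    ip2.add_forward("jiajie.com", "only", dead_forwarder)
    out["forward_only_dead"] = ip2.resolve("ftp.jiajie.com")          # SERVFAIL, no fallback
    ip2.recursion = lambda name: "203.0.113.9"                        # pretend the Internet is reachable now
    ip2.add_forward("jiajie.com", "first", dead_forwarder)
    out["forward_first_dead"] = ip2.resolve("ftp.jiajie.com")         # recursion quietly bypassed the forwarder
    return out


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key:26s} {value}")
```

The last scenario is the security-relevant one: with forward first, a forwarder that goes down (or is made to go down) is silently replaced by the server's own recursion to the Internet, so any filtering or logging the forwarder provided disappears without an error. forward only fails closed instead.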

Forwarding comes in two forms: global forwarding and zone forwarding.

Global forwarding: every query for a zone this server is not authoritative for is forwarded to the designated server.

    options { forward { first | only }; forwarders { address; }; };

Zone forwarding: only queries for the specified zone are forwarded to the designated server.

    zone string { type forward; forward { first | only }; forwarders { address; }; };

With forward first the server tries the forwarders and, if they do not respond, falls back to resolving the name itself; with forward only it never falls back and answers SERVFAIL instead. Forward zones are matched like any other zone, by the longest matching suffix, so a forward zone for jiajie.com does not capture queries for ops.jiajie.com, for which this server is authoritative.

Implementation of intelligent (split-horizon) views:

This experiment builds on the two experiments above.

Notes:

Once any view is defined, every zone must be defined inside a view.

One BIND instance can define multiple views, and each view can hold one or more zones.

The same zone may appear in several views, each served from a different zone file.

When a client query arrives, the views are checked from top to bottom and the first one whose match-clients (and match-destinations) list matches is used; a query that matches no view is refused.

Configuration:

Configure IP1 (192.168.1.16):

1. First move the root hint zone from /etc/named.conf into /etc/named.rfc1912.zones. That file is included from named.conf, and once views exist every zone, including the root hints, has to sit inside a view, which step 3 arranges.

    zone "." IN {
        type hint;
        file "named.ca";
    };

2. Add an acl at the top of /etc/named.conf (an acl must be defined before it is referenced):

    acl in_net { 192.168.1.16; 192.168.1.10; 127.0.0.0/24; };

3. Add two views to /etc/named.rfc1912.zones. The first view wraps every zone already in the file (including the root hint zone moved there in step 1); the second is appended at the bottom.

    // clients whose source address is in the acl
    view innet {
        match-clients { in_net; };
        allow-recursion { in_net; };
        zone ...            // all the existing zone statements, unchanged
    };
    // every other client
    view outnet {
        match-clients { any; };
        zone "jiajie.com" IN {
            type master;
            file "jiajie.com.out";
            allow-update { none; };
        };
    };

Only the innet view grants recursion; the outnet view deliberately carries no allow-recursion, so external clients get authoritative answers only. If you want that made explicit rather than relying on the default, add allow-recursion { none; }; to outnet.

4. Copy the zone file for the external view:

    # cp -a /var/named/jiajie.zone /var/named/jiajie.com.out

5. Edit /var/named/jiajie.com.out so that external clients get different addresses:

    $TTL 1D
    @       IN SOA  ns1.jiajie.com. jjzgood.126.com. (
                    20170509 1H 10M 5D 1D )
            IN NS   ns1
            IN NS   ns2
    ns1     IN A    192.168.1.16
    ns2     IN A    192.168.1.17
    www     IN A    2.2.2.2
    *       IN A    2.2.2.3

6. Reload:

    # rndc reload

7. Verify:

    # queried from IP1 (192.168.1.16) itself, a source address in in_net
    # host www.jiajie.com 192.168.1.16
    Using domain server:
    Name: 192.168.1.16
    Address: 192.168.1.16#53
    Aliases:

    www.jiajie.com has address 192.168.1.17

    # queried from IP2 (192.168.1.20), not in in_net
    # host www.jiajie.com 192.168.1.16
    Using domain server:
    Name: 192.168.1.16
    Address: 192.168.1.16#53
    Aliases:

    www.jiajie.com has address 2.2.2.2

Windows platform validation: (screenshot not reproduced in this copy)

Although the same name is queried, clients with different source addresses receive different answers; this is split-horizon ("intelligent") DNS. Keep in mind that view selection keys only on the query's source address, which is not authentication: any host that can send queries from an in_net address, or through a recursive resolver that sits in in_net, sees the internal data.
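Added example, not the article's code: a Python model of view selection using the in_net acl and the innet/outnet views configured above, with the ipaddress module doing the address matching. It shows the top-down, first-match rule, what happens when the catch-all view is listed first (the internal view becomes unreachable), and how a negated element such as !192.168.1.10 behaves inside a match-clients list (a constructed extra that is not in the article's configuration).

```python
"""View selection the way BIND does it: views are tried top-down and the first
one whose match-clients list matches the query's source address wins.

Added example, not the article's code. The acl, the two views and the www
records come from the article's configuration; the negated-element view in
demo() is a constructed extra to show address_match_list semantics.
"""
import ipaddress

ACLS = {
    "in_net": ["192.168.1.16", "192.168.1.10", "127.0.0.0/24"],
}

# www records of the two zone files the article's views point at
ZONE_FILES = {
    "jiajie.zone":    {"www.jiajie.com": "192.168.1.17"},
    "jiajie.com.out": {"www.jiajie.com": "2.2.2.2"},
}

VIEWS = [
    {"name": "innet",  "match_clients": ["in_net"], "zones": {"jiajie.com": "jiajie.zone"}},
    {"name": "outnet", "match_clients": ["any"],    "zones": {"jiajie.com": "jiajie.com.out"}},
]


def match_list(elements, client):
    """address_match_list semantics: the first element that matches decides.
    A matching negated element ("!x") means the whole list does NOT match; an
    element that does not match is skipped; nothing matching means no match."""
    for element in elements:
        negate = element.startswith("!")
        if negate:
            element = element[1:]
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element in ACLS:                       # named acl, evaluated recursively
            hit = match_list(ACLS[element], client)
        else:                                       # single address or prefix
            hit = client in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False


def select_view(views, client_ip):
    client = ipaddress.ip_address(client_ip)
    for view in views:                             # order in named.conf is the precedence
        if match_list(view["match_clients"], client):
            return view["name"]
    return None                                    # no view matched: BIND refuses the query


def answer(views, client_ip, qname):
    """Answer qname for a client using only the zone files of the selected view."""
    name = select_view(views, client_ip)
    if name is None:
        return "REFUSED"
    view = next(v for v in views if v["name"] == name)
    for zone, zone_file in view["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            return ZONE_FILES[zone_file].get(qname, "NXDOMAIN")
    return "REFUSED"   # not authoritative in this view; recursion is not modelled here


def demo():
    q = "www.jiajie.com"
    # Constructed mis-ordering: the catch-all view listed first shadows the internal one.
    shadowed = list(reversed(VIEWS))
    # Constructed extra: exclude one in_net host from the internal view.
    strict = [{"name": "innet", "match_clients": ["!192.168.1.10", "in_net"],
               "zones": {"jiajie.com": "jiajie.zone"}}, VIEWS[1]]
    return {
        "ip1_self":     answer(VIEWS, "192.168.1.16", q),          # internal data
        "loopback":     answer(VIEWS, "127.0.0.1", q),             # internal data via 127.0.0.0/24
        "ip2":          answer(VIEWS, "192.168.1.20", q),          # external data
        "no_view":      select_view([VIEWS[0]], "192.168.1.20"),   # only innet defined: refused
        "shadowed_ip1": answer(shadowed, "192.168.1.16", q),       # 'any' first: innet never reached
        "negated_host": answer(strict, "192.168.1.10", q),         # negated element wins: falls to outnet
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13s} {value}")
```

The shadowed case is the mistake to watch for in a real named.conf: a view with match-clients { any; } placed above the internal view makes the internal view dead configuration, and named will not warn about it.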

2017-5-9 22:04:59
