双重DNS的配置
相信現在有不少地方都是起雙重DNS的,即對外解析成公網地址,對內解析成內網地址。一般的做法是用兩臺DNS服務器分開來做的,但如果機器緊張,只有一臺的話,或出于安全考慮的話,其實也是可以做的。在這里又分兩種情況:使用Bind8和Bind9的做法是不一樣的。
Bind8的話,原理很簡單
在DNS服務器上運行兩個BIND,分別為來自內部網絡和外部網絡的域名請求提供解析,每個BIND具有不同的配置文件和域名數據庫文件,并分別在不同的端口監聽。DNS服務器在接到客戶端請求時,根據客戶的IP地址將請求重定向到不同的BIND服務端口,這樣就可以根據客戶端的IP地址將不同的解析結果返回給客戶端,而整個過程對于客戶端來說都是透明的。實現的關鍵在于運行兩個BIND及運用iptables命令進行IP地址及端口改寫操作。
具體配置的話:
在/etc/下生成兩個named配置文件named.in與named.out
named.in
## named.conf - configuration for bind(named.in)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";
options {
directory "/var/named_in/";
datasize 2098;
......
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "10.in-addr.arpa" {
type master;
file "10.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.zone";
};
named.out
## named.conf - configuration for bind(named.out)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";
options {
directory "/var/named_out/";
datasize 2098;
... ...
# Note: this instance listens on a different port (listen-on belongs inside options)
listen-on port 8053 {
# the host's own IP address
10.xx.xx.xx;
};
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "xx.xx.210.in-addr.arpa" {
type master;
file "xx.xx.210.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.zone";
};
Why redirect the externally published instance rather than the internal one? The thinking at the time was that internal resolution carries the heavier traffic, so keeping it on port 53 saves those queries one extra step.
Then set up the iptables redirect by adding the following to the iptables configuration file (these are nat-table rules)
# UDP/53 queries arriving on eth0 from outside 10.0.0.0/8 go to the external instance on 8053
-A PREROUTING -s ! 10.0.0.0/255.0.0.0 -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8053
# Replies from the external instance are rewritten to appear to come from port 53
-A POSTROUTING -o eth0 -p udp -m udp --sport 8053 -j SNAT --to-source 10.xx.xx.xx:53
# Only UDP is redirected here; TCP/53 queries from outside would still reach the
# internal instance on port 53, so matching TCP rules (or a listen-on restriction
# in named.in) are needed to keep internal data from leaking over TCP.
COMMIT
Finally, write a startup script:
#!/bin/sh
echo "Enabling IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enabling DNS(outside) Service ..."
# External instance: listens on 10.xx.xx.xx:8053 as set in named.out
/usr/sbin/named -u named -c /etc/named.out
echo "Enabling DNS(inside) Service ..."
# Internal instance: listens on port 53. Both instances default to the same pid
# file, so give each its own pid-file in its options block to avoid one clobbering the other.
/usr/sbin/named -u named -c /etc/named.in
Reboot the machine and you're done!
If you are using Bind9 it is much simpler!
A single named.conf file is all it takes
The configuration:
include "/etc/rndc.key";
options {
directory "/var/named/";
... ...
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
#Note the use of view and match-clients: they are what does the work. Views are
#tried in file order and the first match-clients list that accepts the client
#wins, so the narrower internal view must come before the catch-all external one.
view "internal" {
#Queries from the server itself (127.0.0.1) are not in 10/8 and will fall into
#the external view; add localhost; here if they should see the internal data.
match-clients { 10.0.0.0/8; };
recursion yes;
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.in.zone";
};
zone "10.in-addr.arpa" {
type master;
file "10.in-addr.arpa.zone";
};
};
view "external" {
match-clients { any; };
#Security note: recursion yes in a view that matches any client makes this an
#open resolver; set recursion no here unless outside clients are meant to recurse through it.
recursion yes;
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.out.zone";
};
zone "xx.xx.210.in-addr.arpa" {
type master;
file "xx.xx.210.in-addr.arpa.zone";
};
};
That completes the configuration!
As for the zone data files themselves, I expect everyone knows how to set those up, so I won't go into them here!
Summary
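Because BIND tries views in file order and the first match-clients list that accepts the client decides the answer, it is worth checking which view a given source address lands in before going live. The following Python script is an added example, not code from the original post: it reproduces that selection rule (ordered views, first matching element, negated elements rejecting) over a constructed named.conf fragment that mirrors the view layout above, and shows that with these lists the server's own 127.0.0.1 queries fall through to the external view.

```python
import ipaddress
import re

# Constructed named.conf fragment (hypothetical; mirrors the view layout above).
# Only the view names and their match-clients lists are parsed.
SAMPLE_NAMED_CONF = """
view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
};
view "external" {
    match-clients { any; };
    recursion no;
};
"""

VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{.*?match-clients\s*\{([^}]*)\};', re.S)

def parse_views(conf):
    """[(view_name, [acl_element, ...])] in file order; the order is significant."""
    return [(name, [e.strip() for e in acl.split(";") if e.strip()])
            for name, acl in VIEW_RE.findall(conf)]

def element_matches(element, addr):
    """One address-match-list element: any, none, localhost, or a CIDR prefix in
    full dotted form (BIND's short 10/8 spelling is not handled). -> (hit, negated)"""
    negated = element.startswith("!")
    elem = element.lstrip("! ")
    if elem == "any":
        hit = True
    elif elem == "none":
        hit = False
    elif elem == "localhost":
        hit = addr.is_loopback
    else:
        hit = addr in ipaddress.ip_network(elem, strict=False)
    return hit, negated

def select_view(conf, client_ip):
    """First view whose match-clients accepts the client wins, as in BIND. Within a
    list the first matching element decides: a negated hit rejects the client for
    that view only, and evaluation moves on to the next view."""
    addr = ipaddress.ip_address(client_ip)
    for name, acl in parse_views(conf):
        for element in acl:
            hit, negated = element_matches(element, addr)
            if hit and not negated:
                return name
            if hit:
                break  # negated match: this view refuses the client
    return None  # matched no view: BIND answers REFUSED
```

Run select_view against your own named.conf with each kind of client address (internal, external, the server's loopback) and confirm every one lands in the view you expect.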