如何实现DNS内外解析分离?

DNS

1 前言

一个问题,一篇文章,一出故事。
笔者生产环境同一个域名“www.cmdschool.org”想实现外网用户查询得到一个公共地址(47.90.98.232),内网用户查询得到一个私网地址(10.168.0.80),于是整理本文。

2 最佳实践

2.1 配置基础的DNS环境

如何部署基础的DNS服务端?

2.2 配置DNS多视图

In dnsSer0[1,2]

2.2.1 创建DNS访问控制列表

vim /etc/named.conf

增加如下内网和外网访问控制列表配置,

acl acl_internal {
       10.0.0.0/8;
       172.16.0.0/12;
       192.168.0.0/16;
};

acl acl_internet {
       !acl_internal;
       any;
};

2.2.2 创建DNS内网和外网视图

vim /etc/named.conf

如下内网和外网视图修改如下,

view internal {
        match-clients      { localhost; acl_internal; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/etc/named/named.internal.zones";
};

view internet {
        match-clients      { acl_internet; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/etc/named/named.internet.zones";
};

2.2.3 定义外网区域的配置

cat /etc/named/named.internet.zones

可见如下配置,

zone "cmdschool.org" IN {
        type master;
        file "cmdschool.org.internet.zone";
        allow-update { none; };
};

zone "98.90.47.in-addr.arpa" IN {
        type master;
        file "cmdschool.org.internet.rzone";
        allow-update { none; };
};

然后,使用如下命令查看之前的正向解析配置,

cat /var/named/cmdschool.org.internet.zone

可见如下配置,

$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            47.90.98.232

然后,使用如下命令查看之前的反向解析配置,

cat /var/named/cmdschool.org.internet.rzone

可见如下配置,

$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
232     IN      PTR     www.cmdschool.org.

2.2.4 定义内网区域的配置

vim /etc/named/named.internal.zones

创建如下配置,

zone "cmdschool.org" IN {
        type master;
        file "cmdschool.org.internal.zone";
        allow-update { none; };
};

zone "0.168.10.in-addr.arpa" IN {
        type master;
        file "cmdschool.org.internal.rzone";
        allow-update { none; };
};

然后,使用如下命令创建正向解析配置,

vim /var/named/cmdschool.org.internal.zone

可见如下配置,

$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            10.168.0.80

然后,使用如下命令创建反向解析配置,

vim /var/named/cmdschool.org.internal.rzone

可见如下配置,

$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
80      IN      PTR     www.cmdschool.org.

2.2.5 修改配置文件权限

chown root:named /etc/named/named.*.zones
chmod 640 /etc/named/named.*.zones
chown root:named /var/named/cmdschool.org.*zone
chmod 640 /var/named/cmdschool.org.*zone

2.2.6 检查配置文件

named-checkconf /etc/named.conf
named-checkconf -t /var/named/chroot/ /etc/named.conf

2.2.7 重新启动服务使配置生效

In dnsSer0[1,2]

systemctl restart named-chroot.service

2.2.8 检查配置文件

In client01

nslookup
> server 10.168.0.60
Default server: 10.168.0.60
Address: 10.168.0.60#53
> www.cmdschool.org
Server:         10.168.0.60
Address:        10.168.0.60#53

Name:   www.cmdschool.org
Address: 10.168.0.80
> 10.168.0.80
80.0.168.10.in-addr.arpa       name = www.cmdschool.org.
>

如果路由器DNAT到10.168.0.80,路由器wlan口地址为119.128.173.43,则测试显示如下,

nslookup
> server 119.128.173.43
Default server: 119.128.173.43
Address: 119.128.173.43#53
> www.cmdschool.org
Server:         119.128.173.43
Address:        119.128.173.43#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
>
没有评论

发表评论

DNS
如何创建DNS邮件MX记录?

1 前言 一个问题,一篇文章,一出故事。 笔者一个邮件投递服务需要邮件MX记录的配合,于是整理此文。 …

DNS
如何部署基础的DNS服务端?

1 基础知识 1.1 基本概念 – DNS即英文Domain Name System的缩 …

DNS
如何理解使用权威的DNS服务器

1 理论基础 1.1 关于权威应答的结论 关于DNS显示非权威应答(non-authoritativ …