DNS
1 Introduction
One problem, one article, one story.
In my production environment I wanted a single domain name, www.cmdschool.org, to resolve to a public address (47.90.98.232) for users on the internet and to a private address (10.168.0.80) for users on the internal network, which is what this article sets up.
2 Best practice
2.1 Configure a basic DNS environment
2.2 Configure DNS views (split horizon)
In dnsSer0[1,2]
2.2.1 Create the DNS access control lists
vim /etc/named.conf
Add the following access control lists for the internal network and the internet:
acl acl_internal { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl acl_internet { !acl_internal; any; };
The elements of an address match list are tried in order and the first one that applies decides, so acl_internet rejects any RFC 1918 source through the negated entry before "any" admits everything else.
2.2.2 Create the internal and internet views
vim /etc/named.conf
Change the internal and internet views as follows:
view internal {
    match-clients { localhost; acl_internal; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
    include "/etc/named/named.internal.zones";
};
view internet {
    match-clients { acl_internet; };
    recursion no;
    include "/etc/named.rfc1912.zones";
    include "/etc/named/named.internet.zones";
};
Three things to check here. Views are matched in the order they appear in named.conf and the first view whose match-clients list matches wins, so the internal view must come first. The match is made on the source address of the query as named sees it, not on the address the query was sent to. The internet view is authoritative only: it answers for cmdschool.org and nothing else, so recursion is switched off there; a server that recurses for arbitrary internet clients is an open resolver that can be abused for DNS amplification. Once views are used, every zone statement in named.conf, including the root hint zone and the rfc1912 include, has to live inside a view, otherwise named-checkconf refuses the file.
2.2.3 Define the internet zone configuration
cat /etc/named/named.internet.zones
You should see the following configuration:
zone "cmdschool.org" IN {
    type master;
    file "cmdschool.org.internet.zone";
    allow-update { none; };
};
zone "98.90.47.in-addr.arpa" IN {
    type master;
    file "cmdschool.org.internet.rzone";
    allow-update { none; };
};
Then view the existing forward zone file:
cat /var/named/cmdschool.org.internet.zone
You should see the following configuration:
$TTL 86400
@       IN SOA  cmdschool.org. root (
                                42      ; serial (d. adams)
                                3H      ; refresh
                                15M     ; retry
                                1W      ; expiry
                                1D )    ; minimum
        IN NS   localhost
localhost IN A  127.0.0.1
www     IN A    47.90.98.232
Then view the existing reverse zone file:
cat /var/named/cmdschool.org.internet.rzone
You should see the following configuration:
$TTL 86400
@       IN SOA  cmdschool.org. root.cmdschool.org. (
                                1997022700      ; Serial
                                28800           ; Refresh
                                14400           ; Retry
                                3600000         ; Expire
                                86400 )         ; Minimum
        IN NS   localhost.
232     IN PTR  www.cmdschool.org.
2.2.4 Define the internal zone configuration
vim /etc/named/named.internal.zones
Create the following configuration:
zone "cmdschool.org" IN {
    type master;
    file "cmdschool.org.internal.zone";
    allow-update { none; };
};
zone "0.168.10.in-addr.arpa" IN {
    type master;
    file "cmdschool.org.internal.rzone";
    allow-update { none; };
};
Then create the forward zone file:
vim /var/named/cmdschool.org.internal.zone
Enter the following configuration:
$TTL 86400
@       IN SOA  cmdschool.org. root (
                                42      ; serial (d. adams)
                                3H      ; refresh
                                15M     ; retry
                                1W      ; expiry
                                1D )    ; minimum
        IN NS   localhost
localhost IN A  127.0.0.1
www     IN A    10.168.0.80
Then create the reverse zone file:
vim /var/named/cmdschool.org.internal.rzone
Enter the following configuration:
$TTL 86400
@       IN SOA  cmdschool.org. root.cmdschool.org. (
                                1997022700      ; Serial
                                28800           ; Refresh
                                14400           ; Retry
                                3600000         ; Expire
                                86400 )         ; Minimum
        IN NS   localhost.
80      IN PTR  www.cmdschool.org.
2.2.5 Set the configuration file permissions
chown root:named /etc/named/named.*.zones
chmod 640 /etc/named/named.*.zones
chown root:named /var/named/cmdschool.org.*zone
chmod 640 /var/named/cmdschool.org.*zone
Owned by root and group-readable by named, the files can be loaded by the daemon but not modified by it, which is all a master zone with allow-update { none; } needs.
2.2.6 Check the configuration files
named-checkconf /etc/named.conf
named-checkconf -t /var/named/chroot/ /etc/named.conf
named-checkconf only parses named.conf; run it with the -z option as well so that every zone file is loaded and checked, which catches mistakes in the SOA or record lines that the first two commands do not.
2.2.7 Restart the service to apply the configuration
In dnsSer0[1,2]
systemctl restart named-chroot.service
2.2.8 Test name resolution
In client01
nslookup
> server 10.168.0.60
Default server: 10.168.0.60
Address: 10.168.0.60#53
> www.cmdschool.org
Server:         10.168.0.60
Address:        10.168.0.60#53

Name:   www.cmdschool.org
Address: 10.168.0.80
> 10.168.0.80
80.0.168.10.in-addr.arpa        name = www.cmdschool.org.
>
If the router DNATs port 53 to 10.168.0.80 and the address of the router's WAN interface is 119.128.173.43, the test looks like this:
nslookup
> server 119.128.173.43
Default server: 119.128.173.43
Address: 119.128.173.43#53
> www.cmdschool.org
Server:         119.128.173.43
Address:        119.128.173.43#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
>
Bear in mind that named chooses the view from the source address of the query, not from the destination the client used. A query hairpinned through the router's WAN address only lands in the internet view if the router also rewrites the source address to one outside acl_internal; if the query arrives with its original 10.x source, the internal view answers with 10.168.0.80 even though it was sent to 119.128.173.43. A test from a host that is genuinely on the internet avoids that ambiguity.
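To make the view selection above predictable before restarting named, the following added example (not code from the original article and not BIND's own code) models BIND's match-clients decision with the ACLs, view order and zone files from this page: views are tried in order and the first positive match wins; within an address match list the first element that applies decides, a leading "!" turns a hit into a rejection, and a nested ACL only counts when it matches positively. It then reads the A record for www out of each view's zone file to show what a client at a given source address is told. The built-in localhost ACL is approximated as the loopback ranges (an assumption; BIND expands it to every interface address of the host), and the sample client addresses are constructed.

```python
"""Predict which view of the cmdschool.org split horizon answers a client.

Added model of BIND's match-clients evaluation; it is not BIND code.
Assumption: the built-in 'localhost' ACL is approximated by the loopback
ranges only.
"""
import ipaddress

# ACLs as written in /etc/named.conf in the article, plus the approximated built-in.
ACLS = {
    "acl_internal": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "acl_internet": ["!acl_internal", "any"],
    "localhost": ["127.0.0.0/8", "::1/128"],  # assumption, see module docstring
}

# Views in named.conf order; the first view whose match-clients list hits wins.
VIEWS = [
    ("internal", ["localhost", "acl_internal"]),
    ("internet", ["acl_internet"]),
]

# Constructed copies of the two forward zone files shown in the article.
ZONE_INTERNAL = """$TTL 86400
@       IN SOA  cmdschool.org. root (
                        42      ; serial (d. adams)
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN NS   localhost
localhost IN A  127.0.0.1
www     IN A    10.168.0.80
"""
ZONE_INTERNET = ZONE_INTERNAL.replace("10.168.0.80", "47.90.98.232")
ZONES = {"internal": ZONE_INTERNAL, "internet": ZONE_INTERNET}


def match_element(element, addr):
    """One address-match-list element: True (match), False (negated match,
    i.e. rejection) or None (element does not apply, try the next one)."""
    negate = element.startswith("!")
    name = element.lstrip("!")
    if name == "any":
        hit = True
    elif name == "none":
        hit = False
    elif name in ACLS:
        hit = match_list(ACLS[name], addr) is True  # nested ACL counts only when positive
    else:
        hit = addr in ipaddress.ip_network(name, strict=False)
    return None if not hit else not negate


def match_list(elements, addr):
    """First element that decides wins; an exhausted list decides nothing (None)."""
    for element in elements:
        decision = match_element(element, addr)
        if decision is not None:
            return decision
    return None


def in_acl(acl_name, source_ip):
    """True only if the named ACL matches source_ip positively."""
    return match_list(ACLS[acl_name], ipaddress.ip_address(source_ip)) is True


def select_view(source_ip):
    """Name of the view that answers a query from source_ip, or None (REFUSED).

    Only the source address matters: a LAN query hairpinned through the router
    without source rewriting still lands in the internal view.
    """
    addr = ipaddress.ip_address(source_ip)
    for view, clients in VIEWS:
        if match_list(clients, addr) is True:
            return view
    return None


def a_record(zone_text, owner):
    """A record for owner in a zone file laid out like the article's.

    ';' starts a comment, a line beginning with whitespace inherits the previous
    owner, and lines without an IN token (the SOA continuation) are skipped.
    """
    current = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            current = tokens.pop(0)
        if "IN" not in tokens:
            continue
        fields = tokens[tokens.index("IN") + 1:]
        if len(fields) >= 2 and fields[0] == "A" and current == owner:
            return fields[1]
    return None


def resolve_www(source_ip):
    """Answer a client at source_ip receives for www.cmdschool.org."""
    view = select_view(source_ip)
    return a_record(ZONES[view], "www") if view else None


if __name__ == "__main__":
    # Constructed sources: LAN client, loopback, router WAN address after
    # hairpin SNAT, and an arbitrary internet host.
    for src in ("10.168.0.70", "127.0.0.1", "119.128.173.43", "203.0.113.9"):
        print(f"{src:>15} -> view {select_view(src)!s:<8} www = {resolve_www(src)}")
```

Feeding in the address a query will carry when it reaches named (after any NAT on the path) tells you which view it gets; the same functions can be pointed at any other ACL and view list by editing the two dictionaries at the top.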