How to implement split internal/external DNS resolution?


1 Preface

One question, one article, one story.
In the author's production environment the same domain name "www.cmdschool.org" must resolve to a public address (47.90.98.232) for external users and to a private address (10.168.0.80) for internal users, so this article was put together.

2 Best practice

2.1 Configure the basic DNS environment

How to deploy a basic DNS server?

2.2 Configure DNS views

In dnsSer0[1,2]

2.2.1 Create the DNS access control lists

vim /etc/named.conf

Add the following internal and external access control lists:

acl acl_internal {
       10.0.0.0/8;
       172.16.0.0/12;
       192.168.0.0/16;
};

acl acl_internet {
       !acl_internal;
       any;
};

2.2.2 Create the internal and external DNS views

vim /etc/named.conf

Add the internal and external views as follows:

view internal {
        match-clients      { localhost; acl_internal; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/etc/named/named.internal.zones";
};

view internet {
        match-clients      { acl_internet; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/etc/named/named.internet.zones";
};
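To make the first-match semantics of these lists concrete, here is an added Python model (example code, not from the article and not BIND's own code) of how named evaluates address-match lists and picks a view. The acl names, view names and match-clients lists are the ones from the configuration above; treating the built-in localhost list as the loopback ranges is a simplifying assumption. The model also shows why the !acl_internal entry in acl_internet is worth keeping: with it, internal clients land in the internal view even if the views were declared in the other order, whereas an external view that simply matches any would capture them.

```python
import ipaddress

# ACLs as declared in /etc/named.conf above. 'localhost' is BIND's built-in
# list; it is modelled here as the loopback ranges (assumption, good enough
# for illustrating the matching rules).
ACLS = {
    "acl_internal": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "acl_internet": ["!acl_internal", "any"],
    "localhost": ["127.0.0.0/8", "::1/128"],
}


def match_list(elements, addr, acls=ACLS):
    """Evaluate a BIND address-match list the way named does: elements are
    tried in order and the first one that matches decides.  Returns True for
    a positive match, False when a negated element (!...) matched, and None
    when nothing matched.  A nested ACL counts as a match only when it matched
    positively; a negation inside it merely ends that nested list."""
    for element in elements:
        negated = element.startswith("!")
        name = element[1:] if negated else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = match_list(acls[name], addr, acls) is True
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


# Views in declaration order, each with its match-clients list, as on the page.
VIEWS = [
    ("internal", ["localhost", "acl_internal"]),
    ("internet", ["acl_internet"]),
]
# The same two views declared the other way round.
REVERSED_VIEWS = list(reversed(VIEWS))
# A naive external view declared first with match-clients { any; }.
NAIVE_REVERSED_VIEWS = [("internet", ["any"]), VIEWS[0]]


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return the name of the first view whose match-clients accepts
    client_ip, or None if no view matches (named then refuses the query)."""
    addr = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if match_list(match_clients, addr, acls) is True:
            return name
    return None


if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.168.0.50", "172.20.1.1", "203.0.113.7"):
        print(f"{ip:>14} -> {select_view(ip)}"
              f" / reversed: {select_view(ip, REVERSED_VIEWS)}"
              f" / naive reversed: {select_view(ip, NAIVE_REVERSED_VIEWS)}")
```

The model only decides which view answers a client; what that view then permits is a separate setting to review. In particular, the internet view above carries recursion yes, which lets any address that reaches the server use it as a recursive resolver, so a practitioner would normally restrict that with allow-recursion or set recursion no in the external view.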

2.2.3 Define the external zone configuration

cat /etc/named/named.internet.zones

The following configuration is shown:

zone "cmdschool.org" IN {
        type master;
        file "cmdschool.org.internet.zone";
        allow-update { none; };
};

zone "98.90.47.in-addr.arpa" IN {
        type master;
        file "cmdschool.org.internet.rzone";
        allow-update { none; };
};

Then, use the following command to view the existing forward-resolution configuration:

cat /var/named/cmdschool.org.internet.zone

The following configuration is shown:

$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            47.90.98.232

Then, use the following command to view the existing reverse-resolution configuration:

cat /var/named/cmdschool.org.internet.rzone

The following configuration is shown:

$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
232     IN      PTR     www.cmdschool.org.

2.2.4 Define the internal zone configuration

vim /etc/named/named.internal.zones

Create the following configuration:

zone "cmdschool.org" IN {
        type master;
        file "cmdschool.org.internal.zone";
        allow-update { none; };
};

zone "0.168.10.in-addr.arpa" IN {
        type master;
        file "cmdschool.org.internal.rzone";
        allow-update { none; };
};

Then, use the following command to create the forward-resolution configuration:

vim /var/named/cmdschool.org.internal.zone

Enter the following configuration:

$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            10.168.0.80

Then, use the following command to create the reverse-resolution configuration:

vim /var/named/cmdschool.org.internal.rzone

Enter the following configuration:

$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
80      IN      PTR     www.cmdschool.org.
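Before restarting named it is worth confirming that each view's forward and reverse files agree with each other. The following Python check is an added example, not part of the original article: it embeds copies of the four zone files above, parses their A and PTR records, verifies that the address www resolves to in each view has a PTR under the matching in-addr.arpa zone, and confirms that the two views really hand out different addresses. The parser is deliberately minimal (it assumes the IN class and no per-record TTL, as in these files), and the file contents are embedded inline rather than read from /var/named/.

```python
import ipaddress

# Copies of the zone files from the page, embedded so the check runs offline.
# The internal files differ from the external ones only in the www address
# and the PTR owner, so they are derived from the external copies here.
INTERNET_FWD = """\
$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            47.90.98.232
"""
INTERNET_REV = """\
$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
232     IN      PTR     www.cmdschool.org.
"""
INTERNAL_FWD = INTERNET_FWD.replace("47.90.98.232", "10.168.0.80")
INTERNAL_REV = INTERNET_REV.replace("232     IN      PTR", "80      IN      PTR")

# view -> (forward text, forward origin, reverse text, reverse origin),
# origins taken from the zone statements in named.*.zones
ZONES = {
    "internet": (INTERNET_FWD, "cmdschool.org.", INTERNET_REV, "98.90.47.in-addr.arpa."),
    "internal": (INTERNAL_FWD, "cmdschool.org.", INTERNAL_REV, "0.168.10.in-addr.arpa."),
}


def _logical_lines(text):
    """Yield comment-free logical lines, joining records wrapped in ( )."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip ; comments
        if pending:
            pending += " " + line.strip()
        elif line.strip():
            pending = line                        # keep leading whitespace: it marks "same owner"
        else:
            continue
        if pending.count("(") > pending.count(")"):
            continue                              # still inside a parenthesised record
        yield pending
        pending = ""


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal zone parser: returns [(owner_fqdn, rtype, [rdata tokens])].
    Assumes class IN and no per-record TTL field (true for the files above)."""
    records, owner = [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):                  # $TTL / $ORIGIN directives
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():                 # a new owner name, otherwise reuse the last
            owner = _fqdn(tokens.pop(0), origin)
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records


def check_view(fwd_text, fwd_origin, rev_text, rev_origin, host):
    """Return (A address of host, True if the reverse zone has the matching PTR)."""
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    addrs = [rd[0] for owner, rtype, rd in fwd if owner == host and rtype == "A"]
    if len(addrs) != 1:
        raise ValueError(f"expected exactly one A record for {host}, found {addrs}")
    ip = addrs[0]
    ptr_owner = ipaddress.ip_address(ip).reverse_pointer + "."   # name asked for on reverse lookup
    targets = [rd[0] for owner, rtype, rd in rev if owner == ptr_owner and rtype == "PTR"]
    return ip, targets == [host]


def audit(host="www.cmdschool.org.", zones=ZONES):
    """Per view: (address, forward/reverse agree); 'split' is False when the
    views hand out the same address, which would defeat the purpose."""
    result = {view: check_view(*files, host=host) for view, files in zones.items()}
    result["split"] = len({ip for ip, _ in result.values()}) == len(zones)
    return result


if __name__ == "__main__":
    print(audit())
```

Run it after editing the four files; a False in the second position of a view's tuple means the reverse zone does not carry the PTR that the forward zone's address implies, which is exactly what the nslookup checks later in this article would show as a missing reverse answer.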

2.2.5 Set the configuration file permissions

chown root:named /etc/named/named.*.zones
chmod 640 /etc/named/named.*.zones
chown root:named /var/named/cmdschool.org.*zone
chmod 640 /var/named/cmdschool.org.*zone

2.2.6 Check the configuration files

named-checkconf /etc/named.conf
named-checkconf -t /var/named/chroot/ /etc/named.conf

2.2.7 Restart the service to apply the configuration

In dnsSer0[1,2]

systemctl restart named-chroot.service

2.2.8 Verify the resolution results

In client01

nslookup
> server 10.168.0.60
Default server: 10.168.0.60
Address: 10.168.0.60#53
> www.cmdschool.org
Server:         10.168.0.60
Address:        10.168.0.60#53

Name:   www.cmdschool.org
Address: 10.168.0.80
> 10.168.0.80
80.0.168.10.in-addr.arpa       name = www.cmdschool.org.
>

If the router DNATs to 10.168.0.80 and the router's wlan-port address is 119.128.173.43, the test shows the following:

nslookup
> server 119.128.173.43
Default server: 119.128.173.43
Address: 119.128.173.43#53
> www.cmdschool.org
Server:         119.128.173.43
Address:        119.128.173.43#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
>