Configuring policy DNS (split-horizon / dual DNS)
Implementation with BIND 8
Run two instances of BIND on the DNS server, one answering queries from the internal network and one answering queries from the external network. Each instance has its own configuration file and its own zone database files, and each listens on a different port. When a request arrives, the server redirects it to one instance's port or the other according to the client's source IP address, so different answers are returned depending on where the client sits, and the whole process is transparent to the client. The two essential parts are running two BIND instances and using iptables to rewrite the destination address and port.

Concretely: create two named configuration files under /etc/, named.in and named.out.

named.in:
## named.conf - configuration for bind (named.in)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";

options {
    directory "/var/named_in/";
    datasize 2098;
    ......
};

# Log Files
logging {
    category queries { default_syslog; };
};

# DataBase Files
zone "0.0.127.in-addr.arpa" {
    type master;
    file "0.0.127.in-addr.arpa.zone";
};
zone "10.in-addr.arpa" {
    type master;
    file "10.in-addr.arpa.zone";
};
zone "localhost" {
    type master;
    file "localhost.zone";
};
zone "xxu.edu.cn" {
    type master;
    file "xxu.edu.cn.zone";
};
named.out:
## named.conf - configuration for bind (named.out)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";

options {
    directory "/var/named_out/";
    datasize 2098;
    ... ...
    # Note: this instance listens on a different port
    listen-on port 8053 {
        # this host's own IP address
        10.xx.xx.xx;
    };
};

# Log Files
logging {
    category queries { default_syslog; };
};

# DataBase Files
zone "0.0.127.in-addr.arpa" {
    type master;
    file "0.0.127.in-addr.arpa.zone";
};
zone "xx.xx.210.in-addr.arpa" {
    type master;
    file "xx.xx.210.in-addr.arpa.zone";
};
zone "localhost" {
    type master;
    file "localhost.zone";
};
zone "xxu.edu.cn" {
    type master;
    file "xxu.edu.cn.zone";
};
Why redirect the externally published instance rather than the internal one? The thinking at the time was that internal resolution traffic is much heavier, so keeping the internal instance on port 53 spares the bulk of the traffic one extra step.

Next, set up the iptables redirect by adding the following rules to the nat table section of the iptables configuration file:
*nat
-A PREROUTING -s ! 10.0.0.0/255.0.0.0 -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8053
-A POSTROUTING -o eth0 -p udp -m udp --sport 8053 -j SNAT --to-source 10.xx.xx.xx:53
COMMIT
Finally, write a startup script:
#!/bin/sh
echo "Enabling IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enabling DNS(outside) Service ..."
/usr/sbin/named -u named -c /etc/named.out
echo "Enabling DNS(inside) Service ..."
/usr/sbin/named -u named -c /etc/named.in
Reboot the machine and you are done!

Implementation with BIND 9

A single named.conf file is all that is needed. The configuration:
include "/etc/rndc.key";

options {
    directory "/var/named/";
    ... ...
};

# Log Files
logging {
    category queries { default_syslog; };
};

# DataBase Files
# Note the use of view and match-clients: they are what make this work
view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.zone";
    };
    zone "localhost" {
        type master;
        file "localhost.zone";
    };
    zone "xxu.edu.cn" {
        type master;
        file "xxu.edu.cn.in.zone";
    };
    zone "10.in-addr.arpa" {
        type master;
        file "10.in-addr.arpa.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion yes;
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.zone";
    };
    zone "localhost" {
        type master;
        file "localhost.zone";
    };
    zone "xxu.edu.cn" {
        type master;
        file "xxu.edu.cn.out.zone";
    };
    zone "xx.xx.210.in-addr.arpa" {
        type master;
        file "xx.xx.210.in-addr.arpa.zone";
    };
};
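Both variants above rest on the same idea: pick an answer set by the querying client's source address, first match wins (iptables source matching in the BIND 8 setup, match-clients in the BIND 9 setup). The following Python model is an added example, not part of the original post and not BIND's own code. It models BIND 9's view selection (views are tried in file order, the first whose match-clients ACL covers the client is used) and answers from that view's zone data, and it includes a small lint for two pitfalls of exactly this kind of configuration: a view that matches any client and also allows recursion (an open resolver), and any view listed after such a catch-all view (unreachable). The zone contents, the 10.x addresses and the 203.0.113.x addresses are constructed for the demonstration.

```python
"""Model of BIND 9 view selection for split-horizon DNS.

Added example: models first-match `match-clients` semantics and answers
from per-view zone data. The zone contents below are constructed for the
demonstration and are not taken from the post's configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class View:
    name: str
    match_clients: list   # ACL entries: CIDR strings or the keyword "any"
    recursion: bool
    zones: dict           # zone apex -> {owner name -> IPv4 address}


def acl_matches(acl, client_ip):
    """True if client_ip is covered by any ACL entry ("any" matches all)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        if entry == "any":
            return True
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def select_view(views, client_ip):
    """BIND evaluates views in file order; the first matching view wins."""
    for view in views:
        if acl_matches(view.match_clients, client_ip):
            return view
    return None   # no view matches: BIND rejects the query


def resolve(views, client_ip, qname):
    """Answer qname from the zone data of the view selected for client_ip."""
    view = select_view(views, client_ip)
    if view is None:
        return None
    qname = qname.rstrip(".").lower()
    # pick the most specific (longest) zone apex that contains qname
    apexes = [z for z in view.zones if qname == z or qname.endswith("." + z)]
    if not apexes:
        return None
    zone = view.zones[max(apexes, key=len)]
    return zone.get(qname)


def lint_views(views):
    """Flag configuration pitfalls visible in the view ordering and ACLs."""
    findings = []
    catch_all_seen = False
    for view in views:
        if catch_all_seen:
            findings.append(f"view '{view.name}' is unreachable: an earlier view matches any client")
        if "any" in view.match_clients:
            if view.recursion:
                findings.append(f"view '{view.name}' recurses for any client (open resolver)")
            catch_all_seen = True
    return findings


# Constructed zone data mirroring the post's layout: the same names exist in
# both views, with private addresses internally and public ones externally.
INTERNAL = View(
    name="internal",
    match_clients=["10.0.0.0/8"],
    recursion=True,
    zones={"xxu.edu.cn": {"www.xxu.edu.cn": "10.1.1.10",
                          "mail.xxu.edu.cn": "10.1.1.25"}},
)
EXTERNAL = View(
    name="external",
    match_clients=["any"],
    recursion=True,
    zones={"xxu.edu.cn": {"www.xxu.edu.cn": "203.0.113.10",
                          "mail.xxu.edu.cn": "203.0.113.25"}},
)
VIEWS = [INTERNAL, EXTERNAL]


if __name__ == "__main__":
    for client in ("10.2.3.4", "198.51.100.7", "127.0.0.1"):
        print(client, "->", resolve(VIEWS, client, "www.xxu.edu.cn"))
    for finding in lint_views(VIEWS):
        print("lint:", finding)
    # The same two views in the opposite order would shadow "internal" entirely.
    for finding in lint_views([EXTERNAL, INTERNAL]):
        print("lint (reversed):", finding)
```

Two things the model makes visible that the configuration alone does not: a query from 127.0.0.1 (for example, a local mail daemon resolving names through the server itself) is not in 10.0.0.0/8 and therefore falls through to the external view and gets the public address; and the external view's `recursion yes` combined with `match-clients { any; }` turns the host into an open recursive resolver for the whole Internet, so in practice recursion should be limited to the internal view or to an explicit ACL. For the BIND 8 variant, note also that the PREROUTING rule above redirects UDP port 53 only, so TCP queries (truncated responses, zone transfers) from outside would still reach the internal instance on port 53.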