I: Lab preparation:
1. Underneath, smart DNS is built on acl-based control; a view links a defined acl to the zone database files.
2. Related concepts:
acl: groups one or more addresses into a set that is referenced by a single name
view: a BIND server can define multiple views, and each view can define one or more zones; each view serves one group of clients
Note: once views are enabled, every zone must be defined inside a view; when a client request arrives, the views are checked from top to bottom against the client list each view serves
3. Prepare two virtual machines. DNS server IPs: 192.168.242.248 and 172.17.250.107; DNS client IPs: 192.168.242.202 and 172.17.250.106.
[root@localhost /var/named]# cat /etc/resolv.conf   # the server's DNS points to itself; the client's DNS is not restricted
; generated by /usr/sbin/dhclient-script
search magedu.com
nameserver 172.17.250.107
[root@localhost /var/named]#
4. Lab goal: serve the zone database file that matches the network segment defined in the acl, simulating a real network in which clients are sent to the nearest regional DNS server according to their region.
II: Lab steps:
1. Create the zone database files:
[root@Centos6 /var/named]# vim /var/named/sjj.com.zone.beijing   # zone file for beijing
$TTL 1D
@       IN SOA  dns1 mail.sjj.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      dns1                ; NS is followed by the DNS server's name; the matching A record resolves that name to the server's IP
dns1    A       172.17.250.107      ; server IP
www     CNAME   websrv1
websrv1 A       172.17.6.6          ; this IP is chosen arbitrarily for the lab
[root@Centos6 /var/named]# vim /var/named/sjj.com.zone.shanghai   # zone file for shanghai
$TTL 1D
@       IN SOA  dns1 mail.sjj.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      dns1
dns1    A       192.168.242.248
www     CNAME   websrv2
websrv2 A       192.168.12.1
2. Create the acls in /etc/named.conf
[root@Centos6 /var/named]# vim /etc/named.conf   # add the following before options
acl beijingnet  { 172.17.0.0/16; };
acl shanghainet { 192.168.242.0/24; };
3. Create the views in /etc/named.conf
[root@Centos6 /var/named]# vim /etc/named.conf   # add the following to the zone section below logging{}
view beijingview {
    match-clients { beijingnet; };
    zone "sjj.com" {                  # this view and the second one use two different methods; this one needs no change to /etc/named.rfc1912.zones
        type master;
        file "sjj.com.zone.beijing";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
view shanghaiview {
    match-clients { shanghainet; };
    include "/etc/named.rfc1912.zones";   # with this form the zone must be defined in /etc/named.rfc1912.zones
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
4. Because shanghaiview in step 3 contains include "/etc/named.rfc1912.zones";, the following must be defined in the /etc/named.rfc1912.zones file:
[root@Centos6 /var/named]# vim /etc/named.rfc1912.zones
zone "sjj.com" IN {
    type master;
    file "sjj.com.zone.shanghai";
};
5. After writing the config file and the zone database files, check them for syntax errors
[root@Centos6 /var/named]# named-checkconf   # check the config file /etc/named.conf
[root@Centos6 /var/named]# named-checkzone sjj.com /var/named/sjj.com.zone.shanghai   # check the zone file
zone sjj.com/IN: loaded serial 0
OK
[root@Centos6 /var/named]# named-checkzone sjj.com /var/named/sjj.com.zone.beijing
zone sjj.com/IN: loaded serial 0
OK
[root@Centos6 /var/named]#
[root@Centos6 /var/named]# rndc flush    # clear the cache
[root@Centos6 /var/named]# rndc reload   # reload
server reload successful
[root@Centos6 /var/named]#
6. Check whether the named service is running; if it shows as stopped, as below, start it.
[root@Centos6 /var/named]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped   # the service is stopped
[root@Centos6 /var/named]#
[root@Centos6 /var/named]# service named start    # start the service
Starting named:                                            [  OK  ]
[root@Centos6 /var/named]# service named status   # query the service status
version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 38
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid  5359) is running...   # running
[root@Centos6 /var/named]#
Check whether the firewall is on; you can run iptables -F directly to flush its rules (no harm if it was already off). You can also check whether SELinux is off with getenforce; if the result is not "Permissive", turn it off with setenforce 0 (optional, but doing so has no negative effect).
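To make the top-down first-match rule from the note in part I and the view definitions in step 3 concrete, here is an added Python model (not part of the lab and not BIND's own code) that takes the lab's acl and view definitions, reports which view a client source address lands in and what www.sjj.com resolves to there, and flags views that can never be selected because an earlier view already covers their networks. It assumes IPv4 only and does not model `!` negation, match-destinations or match-recursive-only.

```python
import ipaddress

# acl and view definitions copied from the lab's /etc/named.conf; view order matters, first match wins.
ACLS = {
    "beijingnet": ["172.17.0.0/16"],
    "shanghainet": ["192.168.242.0/24"],
}
# (view name, match-clients list, what www.sjj.com resolves to in that view's zone file)
VIEWS = [
    ("beijingview", ["beijingnet"], ("websrv1.sjj.com.", "172.17.6.6")),
    ("shanghaiview", ["shanghainet"], ("websrv2.sjj.com.", "192.168.12.1")),
]


def expand_acl(element, acls):
    """Expand one match-clients element (acl name, CIDR, any, none) into a list of networks."""
    if element == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if element == "none":
        return []
    if element in acls:  # named acl: expand recursively, acls may nest other acls
        return [n for e in acls[element] for n in expand_acl(e, acls)]
    return [ipaddress.ip_network(element, strict=False)]


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return (view name, www.sjj.com answer) for the first matching view, or None.

    None is the case the lab's config leaves open: a client outside both acls matches
    no view, and named answers REFUSED instead of serving either zone file.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, match_clients, answer in views:
        nets = [n for e in match_clients for n in expand_acl(e, acls)]
        if any(ip in n for n in nets):
            return name, answer
    return None


def unreachable_views(views=VIEWS, acls=ACLS):
    """Names of views whose networks are all inside earlier views, so they are never selected."""
    shadowed, earlier = [], []
    for name, match_clients, _ in views:
        nets = [n for e in match_clients for n in expand_acl(e, acls)]
        if nets and all(any(n.subnet_of(e) for e in earlier) for n in nets):
            shadowed.append(name)
        earlier.extend(nets)
    return shadowed
```

Putting a `match-clients { any; }` catch-all view first is the classic mistake this catches: both regional views become unreachable and every client gets the catch-all's zone.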
III: Lab testing:
1. On the client host, test against each of the two server IPs
[root@Centos6 /var/named]# dig www.sjj.com @192.168.242.248   # test with the server IP on the 192.168.242.0 segment

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sjj.com @192.168.242.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sjj.com.			IN	A

;; ANSWER SECTION:
www.sjj.com.		86400	IN	CNAME	websrv2.sjj.com.
websrv2.sjj.com.	86400	IN	A	192.168.12.1

;; AUTHORITY SECTION:
sjj.com.		86400	IN	NS	dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.		86400	IN	A	192.168.242.248

;; Query time: 2 msec
;; SERVER: 192.168.242.248#53(192.168.242.248)
;; WHEN: Thu Oct 12 11:54:25 2017
;; MSG SIZE  rcvd: 102

[root@Centos6 /var/named]#
[root@Centos6 /var/named]# dig www.sjj.com @172.17.250.107   # test with the server IP on the 172.17.0.0 segment

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.sjj.com @172.17.250.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sjj.com.			IN	A

;; ANSWER SECTION:
www.sjj.com.		86400	IN	CNAME	websrv1.sjj.com.
websrv1.sjj.com.	86400	IN	A	172.17.6.6

;; AUTHORITY SECTION:
sjj.com.		86400	IN	NS	dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.		86400	IN	A	172.17.250.107

;; Query time: 3 msec
;; SERVER: 172.17.250.107#53(172.17.250.107)
;; WHEN: Thu Oct 12 11:56:24 2017
;; MSG SIZE  rcvd: 102

[root@Centos6 /var/named]#
2. You can also test on the server itself:
[root@localhost ~]# dig www.sjj.com   # first run dig directly, without naming a server

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sjj.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sjj.com.			IN	A

;; ANSWER SECTION:
www.sjj.com.		86400	IN	CNAME	websrv1.sjj.com.
websrv1.sjj.com.	86400	IN	A	172.17.1.1   # by default the query goes over the 172.17.0.0 network

;; AUTHORITY SECTION:
sjj.com.		86400	IN	NS	dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.		86400	IN	A	172.17.250.107

;; Query time: 2 msec
;; SERVER: 172.17.250.107#53(172.17.250.107)
;; WHEN: Fri Oct 13 12:27:50 CST 2017
;; MSG SIZE  rcvd: 113

[root@localhost ~]# dig www.sjj.com @192.168.242.248   # so test again with the IP on the 192.168.242.0 segment

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> www.sjj.com @192.168.242.248
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sjj.com.			IN	A

;; ANSWER SECTION:
www.sjj.com.		86400	IN	CNAME	websrv2.sjj.com.
websrv2.sjj.com.	86400	IN	A	192.168.1.1

;; AUTHORITY SECTION:
sjj.com.		86400	IN	NS	dns1.sjj.com.

;; ADDITIONAL SECTION:
dns1.sjj.com.		86400	IN	A	192.168.242.248

;; Query time: 1 msec
;; SERVER: 192.168.242.248#53(192.168.242.248)
;; WHEN: Fri Oct 13 12:28:02 CST 2017
;; MSG SIZE  rcvd: 113

[root@localhost ~]#
IV: Lab summary:
The lab is actually not hard, but it still did not go very smoothly; from last night until this morning I was stuck in the testing stage.
1. I checked the files and thought they were fine, but dig simply returned no result, so I removed the bind package, reinstalled it and rewrote the config files, but it still did not work. I asked a classmate: I had originally put two dns entries in each zone file, and he deleted them down to one; we checked the firewall and SELinux and pinged the server from the client... Then dig worked through the IP on the 192.168.242.0 segment but not through the 172.17.0.0 one. I then pinged the client from the server and found that ping 172.17.250.106 hung for roughly a few seconds before getting through; at that moment dig @172.17.250.107 from the client returned a result. After trying this several times I found that when the server could ping the client the test returned a result, and when it could not, it did not.
2. I had forgotten that what follows NS is the server's name, so the IP that this name resolves to in the record below it must be the server's IP (as shown below; 192.168.242.248 is the server's IP address in this lab). I had initially written a random IP, so dig could not find the server and therefore could not resolve the records on it.
        NS      dns1
dns1    A       192.168.242.248