单位的互联网出口是一条电信链路,新近又拉了一条移动出口链路。DNS服务器以前都是将各种服务器解析到电信IP,既然有了新的移动出口,就可以按照客户端IP来判断,将来自移动的DNS请求解析到移动IP,其他来源的DNS请求解析到电信IP。这项需求可以通过bind的view配置来完成,配置view相对较为容易,但配置基于view的Master/Slave复制却遇到不少问题,做个记录,留作备忘。
先说说环境:操作系统CentOS6.9、bind版本9.8.2
假设:电信的公网IP:1.1.1.1 移动的公网IP:2.2.2.2 域名:test.com
Master DNS公网映射地址:3.3.3.3
Slave DNS公网映射地址:4.4.4.4
一、View的配置:
配置view就是根据不同来源IP的DNS请求,响应不同的zone文件内容。首先就要分类不同来源的IP:移动IP和其他IP,建立两个acl,在/var/name/chroot/etc/目录下新建named.acl文件,并写入以下内容:
//移动IP列表
acl "chinamobile" {
36.128.0.0/10;
39.128.0.0/10;
43.251.244.0/22;
103.20.112.0/22;
...
};
//其他IP列表
acl "default" {
! "chinamobile";
any;
};
然后修改主配置文件/etc/named.conf:
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
allow-transfer { none; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//将刚才建好的named.acl文件包含进来
include "/etc/named.acl";
//移动IP的DNS请求
view "chinamobileIP" {
match-clients { "chinamobile"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.chinamobile.zones";
include "/etc/named.root.key";
};
//其他IP的DNS请求
view "defaultIP" {
match-clients { "default"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
在/var/named/chroot/etc/目录下新建named.rfc1912.chinamobile.zones文件,写入如下内容:
zone "test.com" in {
type master;
file "test.com-chinamobile";
allow-query {any;};
};
修改/etc/named.rfc1912.zones文件,写入如下内容:
zone "test.com" in {
type master;
file "test.com";
allow-query {any;};
};
在/var/named/目录新建test.com文件,写入如下内容:
$TTL 86400
@ IN SOA ns.test.com. master.test.com. (
0 ; serial
1800 ; Refresh
900 ; Retry
2592000 ; Expire
345600 ) ; Minimum
@ IN NS ns.test.com.
www IN A 1.1.1.1 //其他IP的DNS请求,解析到电信公网IP
$include /var/named/test.com-common
在/var/named/目录新建test.com-chinamobile文件,写入如下内容:
$TTL 86400
@ IN SOA ns.test.com. master.test.com. (
0 ; serial
1800 ; Refresh
900 ; Retry
2592000 ; Expire
345600 ) ; Minimum
@ IN NS ns.test.com.
www IN A 2.2.2.2 //移动IP的DNS请求,解析到移动公网IP
$include /var/named/test.com-common注意:以上的两个文件中都有一个$include语句,目的是将哪些无论来自哪里IP的DNS请求都解析到相同的公网地址,这样做的好处是避免写两次,只将差异化的解析分别写进test.com和test.com-chinamobile文件。比如,在/var/named/test.com-common文件中写入如下内容:
ns IN A 3.3.3.3
到此,view的配置就完成了。
二、Master/Slave配置:
Master/Slave配置就折腾了很长时间,主要是因为有view的情况下配置Master/Slave,要在主从DNS服务器上分别配置两个IP才行。否则,从服务器只能同步defaultIP view下的test.com文件。除了这个问题外,调试过程中也是各种报错,折腾一天终于配置成功,排错过程就不写了,直接上成功的配置:
Master DNS IP - eth0:192.168.100.8、eth0:0:192.168.100.9
Slave DNS IP - eth0:192.168.100.21、eth0:0:192.168.100.22Master配置:
1、修改/etc/named.conf文件:
view "chinamobileIP" {
match-clients { 192.168.100.22;"chinamobile"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.chinamobile.zones";
include "/etc/named.root.key";
};
view "defaultIP" {
match-clients { !192.168.100.22;"default"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};黑体字是加入的内容,允许你Slave服务器通过IP192.168.100.22来同步chinamobileIP View的zone文件。
2、修改/etc/named.rfc1912.zones文件:
zone "test.com" in {
type master;
file "test.com";
allow-query {any;};
notify yes; //启用DNS修改通知
also-notify { 192.168.100.21; }; //通知发送给Slave的哪个IP
notify-source 192.168.100.8; //通知由哪个接口发出
allow-transfer { 192.168.100.21; }; //允许Slave的哪个IP来同步
};3、修改/var/named/chroot/etc/named.rfc1912.chinamobile.zones文件:
zone "test.com" in {
type master;
file "test.com-chinamobile";
allow-query {any;};
notify yes; //启用DNS修改通知
also-notify { 192.168.100.22; }; //通知发送给Slave的哪个IP
notify-source 192.168.100.9; //通知由哪个接口发出
allow-transfer { 192.168.100.22; }; //允许Slave的哪个IP来同步
};4、在zone文件中加入Slave服务器的NS标志,修改/var/named/test.com文件:
$TTL 86400
@ IN SOA ns.test.com. master.test.com. (
0 ; serial 版本序列号,每次更新zone文件后,确保该值大于slave的值,才能触发slave同步
1800 ; Refresh Slave服务器在没有收到notify的情况下,多少秒后主动连接Master
900 ; Retry 连接Master失败后,多少秒重试
2592000 ; Expire 重试的最大时间
345600 ) ; Minimum
@ IN NS ns.test.com.
@ IN NS ns1.test.com.
www IN A 1.1.1.1 //其他IP的DNS请求,解析到电信公网IP
$include /var/named/test.com-common5、修改/var/named/test.com-chinamobile文件:
$TTL 86400
@ IN SOA ns.test.com. master.test.com. (
0 ; serial
1800 ; Refresh
900 ; Retry
2592000 ; Expire
345600 ) ; Minimum
@ IN NS ns.test.com.
@ IN NS ns1.test.com.
www IN A 2.2.2.2 //移动IP的DNS请求,解析到移动公网IP
$include /var/named/test.com-common6、修改/var/named/test.com-common文件:
ns IN A 3.3.3.3
ns1 IN A 4.4.4.4
Slave配置:
1、修改/etc/named.conf文件:
...前面省略
include "/etc/named.acl";
view "chinamobileIP" {
match-clients { 192.168.100.9;"chinamobile"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.chinamobile.zones";
include "/etc/named.root.key";
};
view "defaultIP" {
match-clients { !192.168.100.9;"default"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};2、修改/etc/named.rfc1912.zones文件:
zone "test.com" in {
type slave; //类型为Slave
file "slaves/test.com";
allow-query {any;};
transfer-source 192.168.100.21; //指定由本机的哪个接口传输
masters { 192.168.100.8; }; //指定master的接口
};3、修改/var/named/chroot/etc/named.rfc1912.chinamobile.zones文件:
zone "test.com" in {
type slave;
file "slaves/test.com-chinamobile";
allow-query {any;};
transfer-source 192.168.100.22; //指定由本机的哪个接口传输
masters { 192.168.100.9; }; //指定master的接口
};Master/Slave配置完成,重启两台服务器的named服务。分别查看/var/log/messages,确认同步正常。记住每次修改了Master的zone文件后,都要修改SOA版本序列号,建议用年月日加序号。
