【IT168 服务器学院】相信现在有不少地方都是起双重DNS的,即对外解析成公网地址,对内解析成内网地址。一般的做法是用两台DNS服务器分开来做的,但如果机器紧张,只有一台的话或出于安全考虑只用一台的话,其实也是可以做的,具体作法可以分以下两种情况: 使用Bind8和Bind9的做法是不一样的,
Bind8下的实现方法
在DNS服务器上运行两个BIND,分别为来自内部网络和外部网络的域名请求提供解析,每个BIND具有不同的配置文件和域名数据库文件,并分别在不同的端口监听。DNS服务器在接到客户端请求时,根据客户的IP地址将请求重定向到不同的BIND服务端口,这样就可以根据客户端的IP地址将不同的解析结果返回给客户端,而整个过程对于客户端来说都是透明的。实现的关键在于运行两个BIND及运用iptables命令进行IP地址及端口改写操作。 具体配置的话: 在/etc/下生成两个named配置文件named.in与named.out named.in
## named.conf - configuration for bind(named.in)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";
options {
directory "/var/named_in/";
datasize 2098;
......
};
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "10.in-addr.arpa" {
type master;
file "10.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.zone";
};
named.out
## named.conf - configuration for bind(named.out)
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#
include "/etc/named.custom";
include "/etc/rndc.key";
options {
directory "/var/named_out/";
datasize 2098;
... ...
};
# 注意这里监听的端口不一样了
listen-on port 8053 {
# 本机IP地址
10.xx.xx.xx;
};
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "xx.xx.210.in-addr.arpa" {
type master;
file "xx.xx.210.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.zone";
};
为什么选对外发布的做重定向呢,当时的考虑是对内解析的流量大,可以减少一个环节。
然后做iptables的重定向,在iptable配置文件中添加
-A PREROUTING -s ! 10.0.0.0/255.0.0.0 -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8053
-A POSTROUTING -o eth0 -p udp -m udp --sport 8053 -j SNAT --to-source 10.xx.xx.xx:53
COMMIT
最后在做一个启动脚本:
#!/bin/sh
echo "Enabling IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enabling DNS(outside) Service ..."
/usr/sbin/named -u named -c /etc/named.out
echo "Enabling DNS(inside) Service ..."
/usr/sbin/named -u named -c /etc/named.in
重启机器就OK了!
Bind9 下的实现方法
只需要一个named.conf文件就搞定 具体配置:
include "/etc/rndc.key";
options {
directory "/var/named/";
... ...
};
};
#Log Files
logging {
category queries {
default_syslog;
};
};
#DataBase Files
#注意view和match-clients的用法,就是它们在起作用
view "internal" {
match-clients { 10.0.0.0/8; };
recursion yes;
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.in.zone";
};
zone "10.in-addr.arpa" {
type master;
file "10.in-addr.arpa.zone";
};
};
view "external" {
match-clients { any; };
recursion yes;
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "0.0.127.in-addr.arpa.zone";
};
zone "localhost" {
type master;
file "localhost.zone";
};
zone "xxu.edu.cn" {
type master;
file "xxu.edu.cn.out.zone";
};
zone "xx.xx.210.in-addr.arpa" {
type master;
file "xx.xx.210.in-addr.arpa.zone";
};
};
这样就配置好了! 至于具体的数据文件,我想大家都应该会配置了,我这里就不多说了!
