bind架设策略DNS,使南北方用户自动访问较快的服务器。
##2006/07/17 初稿
##20080409, 更新为bind9.4.2版配置,并增加master/slave配置
##20080425,更正view环境下从服务器同步不成功原因
主要实现:电信的用户访问电信的服务器,网通用户访问网通的服务器.(当然服务器都有托管相应机房)
1. 安装
下载 http://www.isc.org/products/BIND/
./configure –enable-threads –prefix=/app/bind-9.4.2 && make && make install
cd /app && ln -s bind-9.4.2/ bind
mkdir /app/bind/etc/named && cd /app/bind/etc/named && wget ftp://ftp.internic.org/domain/named.root
# groupadd bind
# useradd -g bind -d /app/bind-9.4.2 -s /sbin/nologin bind
# chown bind:bind /app/bind-9.4.2 -R
2. 配置
sbin/rndc-confgen > etc/rndc.conf
tail -10 etc/rndc.conf|head -9|sed s/#\//g > etc/named.conf
vi named.conf #主DNS服务器
key “rndc-key” {
algorithm hmac-md5;
secret “xxxxxxxxxxxxxxx”;
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { “rndc-key”; };
};
acl “trust-lan” {
127.0.0.1/8; xx.xx.xx.xx/32; xx.xx.xx.xx/32; xx.xx.xx.xx/32;
};
options {
directory “/app/bind/etc/named”;
pid-file “/app/bind/var/run/named.pid”;
version “0.0.0″;
#datasize 40M;
allow-transfer { “trust-lan”; };
recursion yes;
allow-notify {
“trust-lan”;
};
allow-recursion {
“trust-lan”;
};
auth-nxdomain no;
forwarders {
202.106.0.20;
202.106.196.115;};
};
logging {
channel warning
{ file “/app/bind/var/logs/dns_warnings” versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{ file “/app/bind/var/logs/dns_logs” versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category queries { general_dns; };
};
### KEYS FOR TSIG ####
key telkey {
algorithm hmac-md5;
secret “xxxxxxxxxx”;
};
key cnckey {
algorithm hmac-md5;
secret “xxxxxxxxxxx”;
};
key anykey {
algorithm hmac-md5;
secret “xxxxxxxxxxxx”;
};
### CNC TEL EDU IP DEFINE ##
include “acl-tel.conf”;
include “acl-cnc.conf”;
#include “acl-edu.conf”;
### view list###
view “view_tel” IN {
match-clients { key “telkey”; tel; };
allow-transfer { key “telkey”; };
server 11.11.11.11 { keys telkey; };
server 22.22.22.22 { keys “telkey”; };
include “def/tel.def”;
};
view “view_cnc” IN {
match-clients { key “cnckey”; cnc; };
allow-transfer { key “cnckey”; };
server 11.11.11.11 { keys “cnckey”; };
server 22.22.22.22 { keys “cnckey”; };
include “def/cnc.def”;
};
view “view_any” IN {
match-clients { key anykey; any; };
allow-transfer { key anykey; };
server 11.11.11.11 { keys anykey; };
server 22.22.22.22 { keys anykey; };
include “def/other.def”;
};
named.conf ##从DNS服务器
server 主DNSIP { keys “telkey”; }; #就改server 11.11.11.11 { keys …; }; 就行就可以了
3.编辑网通电信IP地址段列表
#需要将从DNS服务器的IP地址去掉,不然无法同步
vi acl-cnc.conf
acl “CNC” {
#此处添加网通IP地址段;见下面附件;
};
vi acl-telecom.conf
acl “telecom” {
#此处添加电信IP地址段;见下面附件;
};
附一些配置文件
1) cat named.127.0.0
$TTL 600
@ IN SOA localhost. root.localhost. (
20080228 ;serial
28800 ;refresh
14400 ;retry
720000 ;expire
86400 ;minium
)
@ IN NS localhost.
1 IN PTR localhost.
2) cat named.localhost
$TTL 600
@ IN SOA localhost. root.localhost. (
20080228 ;serial
28800 ;refresh
14400 ;retry
720000 ;expire
86400 ;minimum
)
@ IN NS localhost.
localhost. IN A 127.0.0.1
3) 主DNS cnc.def
zone “zhangjianfeng.com” {
type master;
file “def/cnc/zhangjianfeng.com.zone”;
};
4) 从DNS cnc.def
zone “zhangjianfeng.com” {
type slave;
masters { xx.xx.xx.xx; };
file “def/cnc/zhangjianfeng.com.zone”;
};5) cnc/zhangjianfeng.com.zone
$TTL 3600
$ORIGIN zhangjianfeng.com.
@ IN SOA ns.zhangjianfeng.com. root.zhangjianfeng.com. (
20060720;
3600;
900;
68400;
15);
;
@ IN NS ns.zhangjianfeng.com
@ IN A 202.111.1.1
;; 上面指ping zhangjianfeng.com 为202.111.1.1
www IN A 202.111.11.11
* IN A 22.22.22.22
; “上面一行是泛域名指定 其它:
++如需要开机自动启动,把/usr/local/named/sbin/named -u bind加到/etc/rc.local
++常用命令
rndc status 显示named工作状态
rndc querylog 打开/关闭querylog,默认为关闭,打开后,客户机的所有DNS查询都记录在/var/log/message.(上面的配置已经打开并配置了querylog)
++key产生办法
sbin/dnssec-keygen -a HMAC-MD5 -b 128 -n HOST cnc
然后取出xxx.key文件中的最后一列即可BIND 下载 http://www.isc.org/products/BIND/
最新的named.root下载 ftp://ftp.internic.org/domain/named.root
网通IP地址段(参考):cnc.txt
电信IP地址段(参考):telecom.txt
电信IP地址段(参考):edu-ip.txt
DNS网通电信互通解决方案 DNS-cnc-telecom.txt
自动生成最新的网通/电信IP地址段的脚本: cn_isp.sh
Trackback URL: http://blog.zhangjianfeng.com/article/355/trackback
(No Ratings Yet)
Loading ...
.text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://my.poco.cn/fav/storeIt.php?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t)+'&img=http://www.h-strong.com/blog/logo.gif','keyit','scrollbars=no,width=475,height=575,status=no,resizable=yes'));keyit.focus(); "添加到POCO网摘"){kind=logo}
写的不错,兄弟.