

DNS Server (Part 2)

mochixuan / 2104 reads


References
http://zhang789.blog.51cto.com/11045979/1858610
https://segmentfault.com/a/1190000010332312

Main configuration file format

Global options section:

        options { … }

Logging subsystem section:

        logging { … }

Zone definition section:

        zone "ZONE_NAME" IN { … }

Zone definitions: whichever zones this host is supposed to resolve must be defined here.

Notes:

Every configuration statement must end with a semicolon.

Any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with external hosts.
Configuring a caching name server

Listen on an address that can communicate with external hosts:

listen-on port 53

listen-on port 53 { 172.16.252.245; }

dnssec: it is recommended to turn DNSSEC off by setting it to no (at least while you are running your own lab experiments):

   dnssec-enable no

   dnssec-validation no

   dnssec-lookaside no

Disable the local-only query restriction (comment the line out):

   //allow-query  { localhost; }

Check the main configuration file for syntax errors:

    named-checkconf /etc/named.conf

Check the zone file for errors:

    named-checkzone "rookie.com" /var/named/rookie.com.zone

Example: [root@localhost ~]#vim /etc/named.conf

Testing with dig:
dig [-t type] name [@SERVER] [query options]

dig only tests the DNS system; it never consults the hosts file for resolution.

Query options:

+[no]trace: trace the resolution process: dig +trace rookie.com

+[no]recurse: perform recursive resolution

[root@localhost ~]#dig -t A www.baidu.com @172.16.252.254 +trace
Testing reverse resolution:

dig -x IP is equivalent to dig -t ptr reverseip.in-addr.arpa

Simulating a zone transfer:
dig -t axfr ZONE_NAME @SERVER

dig -t axfr rookie.com @10.10.10.11

dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1

dig -t NS . @114.114.114.114

dig -t NS . @a.root-servers.net
[root@localhost ~]#dig -t NS baidu.com @172.16.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35043
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN  NS
 
;; ANSWER SECTION:
baidu.com.  54644   IN  NS  ns7.baidu.com.
baidu.com.  54644   IN  NS  ns3.baidu.com.
baidu.com.  54644   IN  NS  ns4.baidu.com.
baidu.com.  54644   IN  NS  dns.baidu.com.
baidu.com.  54644   IN  NS  ns2.baidu.com.
 
;; ADDITIONAL SECTION:
ns2.baidu.com.  140982  IN  A   61.135.165.235
ns4.baidu.com.  140982  IN  A   220.181.38.10
dns.baidu.com.  140982  IN  A   202.108.22.220
ns3.baidu.com.  140982  IN  A   220.181.37.10
ns7.baidu.com.  140982  IN  A   119.75.219.82
 
;; Query time: 2 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:38 EDT 2017
;; MSG SIZE  rcvd: 208

[root@localhost ~]#dig -t NS baidu.com @172.16.0.1 +nocomments
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1 +nocomments
;; global options: +cmd
;baidu.com. IN  NS
baidu.com.  54627   IN  NS  dns.baidu.com.
baidu.com.  54627   IN  NS  ns3.baidu.com.
baidu.com.  54627   IN  NS  ns2.baidu.com.
baidu.com.  54627   IN  NS  ns4.baidu.com.
baidu.com.  54627   IN  NS  ns7.baidu.com.
ns2.baidu.com.  140965  IN  A   61.135.165.235
ns4.baidu.com.  140965  IN  A   220.181.38.10
dns.baidu.com.  140965  IN  A   202.108.22.220
ns3.baidu.com.  140965  IN  A   220.181.37.10
ns7.baidu.com.  140965  IN  A   119.75.219.82
;; Query time: 1 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:56 EDT 2017
;; MSG SIZE  rcvd: 208
Testing with host:
host [-t type] name [SERVER]

host -t NS rookie.com 172.16.0.1

host -t soa rookie.com

host -t mx rookie.com

host -t axfr rookie.com

host 1.2.3.4

The nslookup command: nslookup [-option] [name | -] [server]

Interactive mode:

nslookup>

server IP: specify which DNS server to query

set q=RR_TYPE: specify the resource record type to query

name: the name to look up
[root@localhost ~]#nslookup
> server 172.16.0.1
Default server: 172.16.0.1
Address: 172.16.0.1#53
> set q=a
> www.tencent.com
Server: 172.16.0.1
Address:    172.16.0.1#53
 
Non-authoritative answer:
www.tencent.com canonical name = upfile.wj.qq.com.cloud.tc.qq.com.
upfile.wj.qq.com.cloud.tc.qq.com    canonical name = ssd.tcdn.qq.com.
Name:   ssd.tcdn.qq.com
Address: 111.202.99.24
Name:   ssd.tcdn.qq.com
Address: 111.202.99.25
Name:   ssd.tcdn.qq.com
Address: 111.202.99.23
Name:   ssd.tcdn.qq.com
Address: 123.125.110.21
Name:   ssd.tcdn.qq.com
Address: 123.125.110.12
Name:   ssd.tcdn.qq.com
Address: 123.125.110.11
Name:   ssd.tcdn.qq.com
Address: 123.125.110.22
The rndc command:

rndc: remote name domain controller

    Uses 953/tcp, but by default it listens only on 127.0.0.1, so it can only be used locally

    rndc -> rndc (953/tcp)

rndc COMMAND

Commands:

reload: reload the main configuration file and the zone files

reload zonename: reload the given zone's file

retransfer zonename: start a zone transfer manually, regardless of whether the serial number has increased

notify zonename: resend NOTIFY messages for the zone

reconfig: reload the main configuration file only

querylog: turn query logging on or off (logged to /var/log/message)

trace: increase the debug level by one

trace LEVEL: set the debug level to LEVEL

notrace: set the debug level to 0

flush: clear the DNS cache
[root@localhost ~]#rndc status
version: 9.9.4-RedHat-9.9.4-37.el7
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Configuring a master DNS server: define the zone in the main configuration file

zone "ZONE_NAME" IN {
        type {master|slave|hint|forward};
        file "ZONE_NAME.zone";
};

Define the zone file. Its contents are:

Macro definitions (such as $TTL)

Resource records

Main configuration file syntax check:

named-checkconf

Zone file syntax check:

named-checkzone "rookie.com" /var/named/rookie.com.zone
rndc status|reload ; service named reload

Note: three things need special attention before configuring the lab

Turn off the firewall

Turn off SELinux

Time must be synchronized

Configuring a forward zone

Using the rookie.com domain as the example

Define the zone

This is done in the main configuration file (/etc/named.conf) or in its auxiliary configuration file (/etc/named.rfc1912.zones)
[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "rookie.com" IN {
        type master;
        file "rookie.com.zone";
};
Note: the zone name is the domain name

Create the zone data file (the main records are A or AAAA records)

Create the zone data file under the /var/named directory;
the file is /var/named/rookie.com.zone
[root@localhost /var/named]#vim rookie.com.zone
$TTL 600                ; default TTL: records are cached for 600 seconds
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (  ; owner is the domain name; admin.rookie.com. is the admin mailbox
                        2017060101     ; serial number
                        1H             ; refresh interval: one hour
                        5M             ; retry interval: five minutes
                        1W             ; expire time: one week
                        6H )           ; negative-answer TTL: six hours
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.0.1
web                     IN      CNAME   www
Permission and group changes:
[root@localhost /var/named]#chgrp named /var/named/rookie.com.zone
[root@localhost /var/named]#chmod o= /var/named/rookie.com.zone
[root@localhost /var/named]#ll
總用量 20
drwxrwx--- 2 named named    6 11月 12 2016 data
drwxrwx--- 2 named named    6 11月 12 2016 dynamic
-rw-r----- 1 root  named 2076 1月  28 2013 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
-rw-r----- 1 root  named  301 6月   1 00:22 rookie.com.zone
Check for syntax errors:
[root@localhost /var/named]#named-checkconf 
[root@localhost /var/named]#named-checkzone "rookie.com" /var/named/rookie.com.zone
zone rookie.com/IN: loaded serial 2017060101
OK

Have the server reload the configuration file and the zone data file

[root@localhost /var/named]#rndc reload
[root@localhost ~]#systemctl restart named.service

Verify

[root@localhost /var/named]#dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: 四 6月 01 01:02:13 CST 2017
;; MSG SIZE  rcvd: 129

The @SERVER IP can also be omitted by pointing the local resolver configuration (/etc/resolv.conf) at this server:
[root@localhost /var/named]#vim /etc/resolv.conf
 
; generated by /usr/sbin/dhclient-script
search magedu.com
#nameserver 172.16.0.1
 
[root@localhost /var/named]#dig -t A www.rookie.com 
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns2.rookie.com.
rookie.com. 600 IN  NS  dns1.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:08:08 CST 2017
;; MSG SIZE  rcvd: 129
Configuring a reverse zone

Define the zone

This is done in the main configuration file or in its auxiliary configuration file;
[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
        type master;
        file "172.16.zone";
};
Note: the name of a reverse zone is the network address with its octets written in reverse order, followed by .in-addr.arpa:
   16.172.in-addr.arpa

Define the zone file (the main records are PTR records)

[root@localhost ~]#vim /var/named/172.16.zone
$TTL 600
@       IN      SOA     rookie.com.     admin.rookie.com. (
                2017060101
                1H
                5M
                2W
                1D )
@               IN      NS      dns1.rookie.com.
@               IN      NS      dns2.rookie.com.
149.250         IN      PTR     dns1.rookie.com.
245.252         IN      PTR     dns2.rookie.com.
125.252         IN      PTR     www.rookie.com.
Permission and group changes:
[root@localhost /var/named]#chgrp named /var/named/rookie.com.zone
[root@localhost /var/named]#chmod o= /var/named/rookie.com.zone
Check for syntax errors:
[root@localhost ~]#named-checkconf
[root@localhost ~]#named-checkzone "172.16" /var/named/172.16.zone
zone 172.16/IN: loaded serial 2017060101

Have the server reload the configuration file and the zone data file

[root@localhost ~]#rndc reload
[root@localhost ~]#systemctl restart named.service

Verify

[root@localhost /var/named]#dig -x 172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 172.16.259.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;149.259.16.172.in-addr.arpa.   IN  PTR
 
;; ANSWER SECTION:
149.259.16.172.in-addr.arpa. 600 IN PTR dns1.rookie.com.
 
;; AUTHORITY SECTION:
16.172.in-addr.arpa.    600 IN  NS  dns1.rookie.com.
16.172.in-addr.arpa.    600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:44:45 CST 2017
;; MSG SIZE  rcvd: 150
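The naming rules used above (dig -x queries the reversed octets under in-addr.arpa, a /16 such as 172.16.0.0 becomes the 16.172.in-addr.arpa zone, and PTR owners inside it are written relative, like 149.250) are easy to get wrong by hand. The following Python is an added example, not code from the original post; the function names ptr_name, reverse_zone and ptr_records are assumptions, and the host list is constructed from the post's lab addresses.

```python
import ipaddress


def ptr_name(ip):
    """The owner name dig -x actually queries: octets reversed under in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone(network):
    """Zone name for an octet-aligned network (/8, /16 or /24),
    e.g. 16.172.in-addr.arpa. for 172.16.0.0/16 and 100.1.10.in-addr.arpa. for 10.1.100.0/24."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 networks map onto a single in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def ptr_records(network, hosts):
    """Relative PTR lines for the reverse zone file, one per (ip, fqdn) pair.
    Inside 16.172.in-addr.arpa the host part of 172.16.250.149 is written as 149.250."""
    net = ipaddress.IPv4Network(network, strict=True)
    lines = []
    for ip, fqdn in hosts:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {network}")
        if not fqdn.endswith("."):
            # A PTR target without the trailing dot would get the reverse zone's
            # origin appended by named, which is almost never what was intended.
            raise ValueError(f"{fqdn} must be fully qualified (trailing dot)")
        host = str(addr).split(".")[net.prefixlen // 8 :]
        lines.append(f"{'.'.join(reversed(host))}\tIN\tPTR\t{fqdn}")
    return lines


if __name__ == "__main__":
    # Constructed host list reusing the post's lab addresses.
    lab = [("172.16.250.149", "dns1.rookie.com."),
           ("172.16.252.245", "dns2.rookie.com."),
           ("172.16.252.125", "www.rookie.com.")]
    print(reverse_zone("172.16.0.0/16"))
    print("\n".join(ptr_records("172.16.0.0/16", lab)))
```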
Master and slave servers:

Note: "slave" is a concept at the zone level;

Master zone configuration: refer to the forward and reverse zone configuration above

Slave zone configuration:

On Slave

Define the slave zone (using another virtual machine as the example)

[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "rookie.com." IN {
        type slave;
        file "slaves/rookie.com.zone";
        masters { 172.16.250.149; };            # specify the master server
};

[root@localhost ~]#vim /etc/named.conf
options {
        //listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
 
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
 
        dnssec-enable no;
        dnssec-validation no;
Configuration file syntax check:

[root@localhost ~]#named-checkconf

Both master and slave must reload their configuration

[root@localhost ~]#rndc reload
[root@localhost ~]#systemctl restart named.service
[root@localhost ~]#ll /var/named/slaves/    (the zone file has already been transferred)
total 4
-rw-r--r-- 1 named named 414 Jun  1 03:01 rookie.com.zone

Verify on the slave

[root@localhost ~]#dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:41:02 EDT 2017
;; MSG SIZE  rcvd: 129

Modify the zone file on the master and test again

[root@localhost /var/named]#vim rookie.com.zone
$TTL 600
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (
                        2017060102
                        1H
                        5M  
                        1W
                        6D )
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.252.125
web                     IN      CNAME   www
ftp                     IN      CNAME   www

[root@localhost ~]#dig -t A ftp.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A ftp.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.rookie.com.    IN  A
 
;; ANSWER SECTION:
ftp.rookie.com. 600 IN  CNAME   WWW.rookie.com.
WWW.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:46:11 EDT 2017
;; MSG SIZE  rcvd: 147
On Master

Make sure the zone data file contains an NS record for every slave server, and that the forward zone file has an A record for the hostname used in each slave's NS record, with the address in that A record being the slave's real IP address

Note: time must be synchronized

the ntpdate command

Subdomain delegation:

Method for delegating a subdomain in a forward zone:

ops.rookie.com. IN NS ns1.ops.rookie.com.
ops.rookie.com. IN NS ns2.ops.rookie.com.
ns1.ops.rookie.com. IN A IP.AD.DR.ESS
ns2.ops.rookie.com. IN A IP.AD.DR.ESS
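The two consistency rules from the master/slave notes and the delegation above (every in-zone NS name, including a delegated subdomain's name servers, needs an A record, and the SOA serial must be a plain number that you bump on every edit) can be checked before running named-checkzone. This is an added example, not tooling from the post; ZONE_TEXT is a constructed sample modeled on the post's rookie.com.zone, and absolute, parse_zone and check_zone are assumed helper names.

```python
import re

# Constructed sample modeled on the post's rookie.com.zone (not the author's file verbatim).
ZONE_TEXT = """\
$TTL 600
rookie.com.      IN  SOA  rookie.com. admin.rookie.com. (
                     2017060102 ; serial
                     1H 5M 1W 6D )
                 IN  NS   dns1.rookie.com.
                 IN  NS   dns2.rookie.com.
dns1.rookie.com. IN  A    172.16.250.149
dns2.rookie.com. IN  A    172.16.252.245
www.rookie.com.  IN  A    172.16.252.125
web              IN  CNAME www
"""

def absolute(name, origin, last=None):
    """'@' is the origin, a blank owner repeats the previous owner, and a name
    without a trailing dot gets the origin appended (the same rules named applies)."""
    if name == "@":
        return origin
    return last if name == "" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (default_ttl, records); each record is (owner, TYPE, rdata_fields)."""
    body = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    # Collapse parenthesised multi-line records (the SOA) onto a single line.
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    ttl, last, records = None, origin, []
    for ln in body.splitlines():
        if not ln.strip():
            continue
        if ln.startswith("$TTL"):
            ttl = int(ln.split()[1])
            continue
        fields = ln.split()
        owner = "" if ln[0].isspace() else fields.pop(0)
        if fields[0].isdigit():           # optional per-record TTL
            fields.pop(0)
        if fields[0].upper() == "IN":     # optional class
            fields.pop(0)
        last = absolute(owner, origin, last)
        records.append((last, fields[0].upper(), fields[1:]))
    return ttl, records

def check_zone(text, origin):
    """The master/slave sanity checks: exactly one SOA with a numeric serial, and an
    A/AAAA record for every in-zone NS or CNAME target (each slave needs real glue)."""
    _, records = parse_zone(text, origin)
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    soa = [r for _, t, r in records if t == "SOA"]
    problems = [] if len(soa) == 1 else ["zone must contain exactly one SOA record"]
    if soa and not soa[0][2].isdigit():
        problems.append(f"SOA serial {soa[0][2]!r} is not numeric")
    for _, rtype, rdata in records:
        if rtype in ("NS", "CNAME"):
            target = absolute(rdata[0], origin)
            if target.endswith(origin) and target not in has_addr:
                problems.append(f"{rtype} target {target} has no A record")
    return problems
```

Running check_zone on a copy of the sample with the dns2 A record deleted reports exactly the missing-glue case the notes warn about; an empty list means the file passes both rules.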

Defining forwarding:

Note: the server being forwarded to must be willing to perform recursion on behalf of the current server; otherwise the forwarded request is not processed

first: forward first; if the forwarder does not respond, perform the iterative query itself

only: forward only

Global forwarding: every query for a zone that is not defined locally through a zone statement (that is, any request outside the zones this host is responsible for) is forwarded to the given forwarder:
options {
... ...
forward  {only|first};
forwarders  { SERVER_IP; };
... ...
};

Zone forwarding: forwards only the queries for one specific zone; takes precedence over global forwarding:
zone  "ZONE_NAME"  IN {
type  forward;
forward  {first|only};
forwarders  { SERVER_IP; };
};

Note: turn off the dnssec features:
dnssec-enable no;
dnssec-validation no;
Security-related configuration in bind:
acl: access control list; groups one or more addresses into a named set, so that all hosts in the set can afterwards be referenced together by that name

Format:

acl acl_name {
ip;
net/prefixlen;
……
};

Example:
acl mynet {
172.16.0.0/16;
10.10.10.10;
};
bind has four built-in acls:
none: no host

any: any host

localhost: this machine

localnets: the network addresses obtained by combining this machine's IPs with their netmasks

Note: an acl can only be used after it has been defined, so it is normally placed in the configuration file before the options block

Access control directives:

allow-query {}; hosts allowed to query; a whitelist

allow-transfer {}; which hosts may receive a zone transfer; defaults to all hosts; should be configured to allow only the slave servers

allow-recursion {}; which hosts may send recursive queries to this DNS server

allow-update {}; DDNS, allows dynamic updates to the contents of the zone database file
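As an added example (not taken from the post), here is the permissive shape of the named.conf shown in the slave section next to one that applies the directives above; a real named.conf may contain only one options block, so use one half or the other. The acl name slaves and the reuse of the post's lab addresses are assumptions.

```conf
// PERMISSIVE: answers and recurses for any client and never sets
// allow-transfer, so (as noted above) any host can pull the whole zone with AXFR.
options {
        allow-query     { any; };
        recursion yes;
};

// RESTRICTED: acls come first (they must be defined before use), then are
// referenced by name. "slaves" is an assumed acl holding the post's secondary.
acl mynet  { 172.16.0.0/16; 10.10.10.10; };
acl slaves { 172.16.252.245; };

options {
        allow-query     { any; };       // authoritative answers for everyone
        recursion yes;
        allow-recursion { mynet; };     // only our own clients may use the cache
        allow-transfer  { slaves; };    // AXFR/IXFR only to the secondary
};

zone "rookie.com" IN {
        type master;
        file "rookie.com.zone";
        allow-transfer { slaves; };     // the same restriction can be set per zone
};
```

After editing, run named-checkconf, then repeat the post's dig -t axfr rookie.com @172.16.250.149 from a host outside the slaves acl: the transfer should now be refused, while the slave at 172.16.252.245 still receives it.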

bind views:

view: a single bind server can define multiple views, and each view can define one or more zones

Each view is used to match one group of clients

Several views may need to resolve the same zone, but each using a different zone file

view  VIEW_NAME {
zone ... { ... };
zone ... { ... };
zone ... { ... };
};

view internal  {
match-clients { 172.16.0.0/8; };
zone "rookie.com"  IN {
type master;
file  "rookie.com/internal";
};
};

view external {
match-clients { any; };
zone "rookie.com" IN {
type  master;
file  "rookie.com/external";
};
};

Note: once any view is defined, every zone statement (including the root hints zone) must be placed inside a view, and views are matched in order, so the internal view must come before the external one with its match-clients { any; }.


Reprints must cite the original address: http://systransis.cn/yun/19048.html
