上次写过一篇关于“centos 6.2安装bind 9.8.2 master、slave与自动修改后更新”的文章,地址为http://dl528888.blog.51cto.com/2382721/1249311,这次就介绍一下bind view的功能、如何部署与测试结果。本文参考了http://dreamfire.blog.51cto.com/418026/1133159的一些内容,事先说明一下。
一、view介绍
View功能很容易理解,就是将不同IP地址段发来的查询响应到不同的DNS解析。例如需要对三个不同IP地址段进行配置,就需要明确这些IP地址段,这样View功能才会有效。对于初学者,简单了解它的语法非常必要。如果要有一个更清楚的认识,则可以到BIND官方网站查阅文档。
也可以理解为这样:现在为了解决南北互联问题,主要使用cdn技术,cdn技术也可以说是一个bind view。但ip的acl是cdn的一个核心,这个我们自己没办法找到。
二、配置
安装的话,可以参考之前的文章,本文就不描述了;
Master端的named.conf文件
[root@master named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Master for test.com serving three views (Telecom / Unicom / Others).
// A view is selected by the querying source address and hands out its own
// copy of the zone file; the slave at 192.168.56.105 pulls each copy through
// a dedicated transfer-source address (see the per-view allow-transfer).
options {
	listen-on port 53 { any; };
	# listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// NOTE(review): allow-query { any; } plus recursion yes is inherited by
	// every view, and the "Others" view below matches any client, so this
	// host answers recursive queries for every source address (an open
	// resolver).  Limit recursion to the trusted client ranges with
	// allow-recursion { ...; } or set recursion no in the views.
	allow-query { any; };
	recursion yes;
	// Global transfer ACL: only the slave may AXFR.  Each view's zone below
	// overrides this with the slave's view-specific transfer-source address.
	allow-transfer { 192.168.56.105;};
	#also-notify { 192.168.56.105;};
	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): dnssec-lookaside auto depends on the ISC DLV registry,
	// which has since been shut down; on current deployments this is dead
	// configuration.
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
// Once views are in use every zone must live inside a view, hence the
// commented-out global hint zone and the per-view copies of it below.
#zone "." IN {
#	type hint;
#	file "named.ca";
#};
// Source-address classes used by match-clients.  Telecomacl / Unicomacl each
// name a single lab host; Othersacl is the catch-all.
acl Telecomacl {
	192.168.56.104;
};
acl Unicomacl {
	192.168.56.105;
};
acl Othersacl {
	any;
};
// Views are tried in order; a client is served by the first view whose
// match-clients accepts it.
view "Telecom" {
	match-clients { "Telecomacl"; 192.168.56.109; !192.168.56.107; !192.168.56.108;};
	zone "test.com" IN {
		type master;
		notify yes;
		// NOTE(review): the NOTIFY is sent from this host's own address, so
		// on the slave it lands in whichever view matches 192.168.56.104 —
		// presumably only one of the three; the other slave views pick up
		// changes at the SOA refresh interval.  Confirm against the slave.
		also-notify { 192.168.56.105;};
		// 192.168.56.109 is the slave's transfer-source for its Telecom view.
		allow-transfer { 192.168.56.109; };
		file "Telecom.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
view "Unicom" {
	match-clients { "Unicomacl"; 192.168.56.107; !192.168.56.109; !192.168.56.108; };
	zone "test.com" IN {
		type master;
		notify yes;
		also-notify { 192.168.56.105;};
		// 192.168.56.107 is the slave's transfer-source for its Unicom view.
		allow-transfer { 192.168.56.107; };
		file "Unicom.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
// Catch-all view.  In an address match list the first matching element
// decides, so with Othersacl = any the trailing negations are never
// consulted; this view only sees clients the two earlier views did not claim.
view "Others" {
	match-clients { "Othersacl"; 192.168.56.108; !192.168.56.109; !192.168.56.107; };
	zone "test.com" IN {
		type master;
		notify yes;
		also-notify { 192.168.56.105;};
		// 192.168.56.108 is the slave's transfer-source for its Others view.
		allow-transfer { 192.168.56.108; };
		file "Others.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
Slave的named.conf配置
[root@slave named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Slave for test.com mirroring the master's three views.  Each view pulls
// its own copy of the zone from 192.168.56.104 using a distinct
// transfer-source address, so the master's match-clients routes the AXFR to
// the matching view and one slave ends up with three different zone contents.
options {
	listen-on port 53 { any; };
	# listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// NOTE(review): as on the master, allow-query { any; } with recursion
	// yes and a catch-all "Others" view makes this an open recursive
	// resolver; restrict with allow-recursion { ...; }.
	allow-query { any; };
	recursion yes;
	// NOTE(review): no allow-transfer is set here or in any slave zone, and
	// BIND 9.8 defaults to allow-transfer { any; }, so every view's copy of
	// test.com can be AXFR'd by anyone who can reach this host.  Add
	// allow-transfer { none; } (or the trusted hosts) to options.
	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): dnssec-lookaside auto is still active although the DLV
	// key file below is commented out; the ISC DLV registry has since been
	// shut down, so this is dead configuration.
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	# bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
// Once views are in use every zone must live inside a view, hence the
// commented-out global hint zone and the per-view copies of it below.
#zone "." IN {
#	type hint;
#	file "named.ca";
#};
// Same ACLs as the master.  Telecomacl is the master's own address, so the
// master's NOTIFY (sent from 192.168.56.104) is presumably matched by the
// Telecom view only — confirm.
acl Telecomacl {
	192.168.56.104;
};
acl Unicomacl {
	192.168.56.105;
};
acl Othersacl {
	any;
};
view "Telecom" {
	match-clients { "Telecomacl"; 192.168.56.109; !192.168.56.107; !192.168.56.108; };
	// Source address for the AXFR; the master's Telecom view accepts
	// transfers from exactly this address.
	transfer-source 192.168.56.109;
	zone "test.com" IN {
		type slave;
		masters { 192.168.56.104; };
		file "Telecom.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
view "Unicom" {
	match-clients { "Unicomacl"; 192.168.56.107; !192.168.56.109; !192.168.56.108; };
	// Matches the master's Unicom view allow-transfer.
	transfer-source 192.168.56.107;
	zone "test.com" IN {
		type slave;
		masters { 192.168.56.104; };
		file "Unicom.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
// Catch-all view; the trailing negations are never reached because "any" in
// Othersacl is the first matching element.
view "Others" {
	match-clients { "Othersacl"; 192.168.56.108; !192.168.56.109; !192.168.56.107; };
	// Matches the master's Others view allow-transfer.
	transfer-source 192.168.56.108;
	zone "test.com" IN {
		type slave;
		masters { 192.168.56.104; };
		file "Others.test.com";
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
};
Zone的配置(master与slave里都是一样的)
Telecom.test.com的
[root@master named]# cat Telecom.test.com
; test.com as served to the "Telecom" view.  The three per-view copies of this
; zone differ only in the www record (1.1.1.1 here).
$TTL 1D
@   IN SOA ns1.test.com. root.localhost. (
        2013071098  ; serial
                    ; NOTE(review): all three view copies carry the same
                    ; serial; bump each file's serial independently whenever
                    ; its content changes, or the slave's view keeps its old copy.
        60          ; refresh — presumably set this low for fast slave updates
        1H          ; retry
        1W          ; expire
        3H )        ; minimum
    NS  ns1.test.com.
    NS  ns2.test.com.
    A   192.168.56.104
server  A   192.168.56.101
client1 A   192.168.56.103
ubuntu  A   192.168.56.102
ns1     A   192.168.56.104
ns2     A   192.168.56.105
test2   A   192.168.8.1
test1   A   192.168.8.12
test3   A   192.168.8.3
; the only view-specific record
www     A   1.1.1.1
Unicom.test.com的
[root@master named]# cat Unicom.test.com
; test.com as served to the "Unicom" view.  Identical to the Telecom copy
; except for the www record (2.2.2.2 here).
$TTL 1D
@   IN SOA ns1.test.com. root.localhost. (
        2013071098  ; serial — must be bumped independently of the other views
        60          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum
    NS  ns1.test.com.
    NS  ns2.test.com.
    A   192.168.56.104
server  A   192.168.56.101
client1 A   192.168.56.103
ubuntu  A   192.168.56.102
ns1     A   192.168.56.104
ns2     A   192.168.56.105
test2   A   192.168.8.1
test1   A   192.168.8.12
test3   A   192.168.8.3
; the only view-specific record
www     A   2.2.2.2
Others.test.com的
[root@master named]# cat Others.test.com
; test.com as served to the catch-all "Others" view.  Identical to the other
; two copies except for the www record (3.3.3.3 here).
$TTL 1D
@   IN SOA ns1.test.com. root.localhost. (
        2013071098  ; serial — must be bumped independently of the other views
        60          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum
    NS  ns1.test.com.
    NS  ns2.test.com.
    A   192.168.56.104
server  A   192.168.56.101
client1 A   192.168.56.103
ubuntu  A   192.168.56.102
ns1     A   192.168.56.104
ns2     A   192.168.56.105
test2   A   192.168.8.1
test1   A   192.168.8.12
test3   A   192.168.8.3
; the only view-specific record
www     A   3.3.3.3
还需要记住,上面的named.conf与zone都配置好后,需要把master与slave的ip都加入到/etc/resolv.conf里,格式类似为
[root@master named]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
; NOTE(review): dhclient rewrites this file on lease renewal, so these entries
; are presumably lost unless the DHCP client is configured to leave
; resolv.conf alone — confirm on each host.
; Master first, slave second: the resolver falls through to 192.168.56.105
; when 192.168.56.104 does not answer (see the "named stop" test below).
nameserver 192.168.56.104
nameserver 192.168.56.105
如果不添加,主机就无法通过master与slave主机来查看dns信息。
目前我这个是把acl与view都集中在一个named.conf配置文件里,一般如果你不是频繁地修改acl内容或者view内容,可以直接使用我这样的配置,这样同步的话,可以直接通过slave来复制master的zone到slave里,不需要你自己进行管理(我是使用slave端多网卡,通过transfer-source来指定复制源的方式来让slave复制master的zone;一般如果不使用这样的方法,你有多个view的话,slave复制master的zone就会出现复制后的zone是多个,但多个zone的内容是完全一样的,所以要不就采用slave多网卡,要不就使用下面的rsync)。如果你频繁修改的话,可以把acl放到另外的一个文件里,然后在named.conf里include,但这样的话,这个acl文件还有zone的文件,在master与slave之间复制的时候,就需要你自己来弄了,你可以使用rsync+inotify或者rsync+Crontab来进行复制。
三、下面是测试
我上面的named.conf配置里,来自192.168.56.104的主机访问www.test.com得到的ip为1.1.1.1,而192.168.56.105的主机访问www.test.com得到的ip为2.2.2.2,其他主机访问此域名的话,ip为3.3.3.3。
1、在192.168.56.104里查看www.test.com
[root@master named]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
59
:BB:1F
inet addr:
192.168
.
56.104
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
inet6 addr: fe80::a00:27ff:fe59:bb1f/
64
Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
1593
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1177
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
137736
(
134.5
KiB) TX bytes:
157084
(
153.4
KiB)
[root@master named]# dig www.test.com
; <<>> DiG
9.8
.2rc1-RedHat-
9.8
.
2
-
0.17
.rc1.el6_4.
4
<<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
46214
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
1.1
.
1.1
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns1.test.com.
test.com.
86400
IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
1
msec
;; SERVER:
192.168
.
56.104
#
53
(
192.168
.
56.104
)
;; WHEN: Mon Jul
15
10
:
07
:
52
2013
;; MSG SIZE rcvd:
114
2、在192.168.56.105里查看www.test.com
[root@slave ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
92
:7F:
34
inet addr:
192.168
.
56.105
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
1330
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1518
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
125612
(
122.6
KiB) TX bytes:
163198
(
159.3
KiB)
[root@slave ~]# dig www.test.com
; <<>> DiG
9.8
.2rc1-RedHat-
9.8
.
2
-
0.17
.rc1.el6_4.
4
<<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
40968
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
2.2
.
2.2
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns1.test.com.
test.com.
86400
IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
1
msec
;; SERVER:
192.168
.
56.104
#
53
(
192.168
.
56.104
)
;; WHEN: Mon Jul
15
02
:
09
:
43
2013
;; MSG SIZE rcvd:
114
3、在192.168.56.101里查看www.test.com
root@server:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
66
:7a:7a
inet addr:
192.168
.
56.101
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
inet6 addr: fe80::a00:27ff:fe66:7a7a/
64
Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
752
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1064
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
66541
(
66.5
KB) TX bytes:
100256
(
100.2
KB)
root@server:~# dig www.test.com
; <<>> DiG
9.8
.
1
-P1 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
43605
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
3.3
.
3.3
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns1.test.com.
test.com.
86400
IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
3
msec
;; SERVER:
192.168
.
56.104
#
53
(
192.168
.
56.104
)
;; WHEN: Mon Jul
15
10
:
11
:
20
2013
;; MSG SIZE rcvd:
114
可以从上面的结果里看到,从不同的ip里访问www.test.com域名得到的结果完全是我named.conf里要求的。
下面测试当master的named当掉的时候的结果
[root@master named]# /etc/init.d/named stop
Stopping named: . [ OK ]
1、在192.168.56.104里查看www.test.com
[root@master named]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
59
:BB:1F
inet addr:
192.168
.
56.104
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
inet6 addr: fe80::a00:27ff:fe59:bb1f/
64
Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
1833
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1342
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
155319
(
151.6
KiB) TX bytes:
171750
(
167.7
KiB)
[root@master named]# dig www.test.com
; <<>> DiG
9.8
.2rc1-RedHat-
9.8
.
2
-
0.17
.rc1.el6_4.
4
<<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
26442
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
1.1
.
1.1
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns1.test.com.
test.com.
86400
IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
1
msec
;; SERVER:
192.168
.
56.105
#
53
(
192.168
.
56.105
)
;; WHEN: Mon Jul
15
10
:
18
:
15
2013
;; MSG SIZE rcvd:
114
2、在192.168.56.105里查看www.test.com
[root@slave ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
92
:7F:
34
inet addr:
192.168
.
56.105
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
1507
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1633
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
139266
(
136.0
KiB) TX bytes:
175684
(
171.5
KiB)
[root@slave ~]# dig www.test.com
; <<>> DiG
9.8
.2rc1-RedHat-
9.8
.
2
-
0.17
.rc1.el6_4.
4
<<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
9825
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
2.2
.
2.2
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns1.test.com.
test.com.
86400
IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
4
msec
;; SERVER:
192.168
.
56.105
#
53
(
192.168
.
56.105
)
;; WHEN: Mon Jul
15
02
:
18
:
49
2013
;; MSG SIZE rcvd:
114
3、在192.168.56.101里查看www.test.com
root@server:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr
08
:
00
:
27
:
66
:7a:7a
inet addr:
192.168
.
56.101
Bcast:
192.168
.
56.255
Mask:
255.255
.
255.0
inet6 addr: fe80::a00:27ff:fe66:7a7a/
64
Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:
1500
Metric:
1
RX packets:
860
errors:
0
dropped:
0
overruns:
0
frame:
0
TX packets:
1228
errors:
0
dropped:
0
overruns:
0
carrier:
0
collisions:
0
txqueuelen:
1000
RX bytes:
75440
(
75.4
KB) TX bytes:
114113
(
114.1
KB)
root@server:~# dig www.test.com
; <<>> DiG
9.8
.
1
-P1 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
56763
;; flags: qr aa rd ra; QUERY:
1
, ANSWER:
1
, AUTHORITY:
2
, ADDITIONAL:
2
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com.
86400
IN A
3.3
.
3.3
;; AUTHORITY SECTION:
test.com.
86400
IN NS ns2.test.com.
test.com.
86400
IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com.
86400
IN A
192.168
.
56.104
ns2.test.com.
86400
IN A
192.168
.
56.105
;; Query time:
1
msec
;; SERVER:
192.168
.
56.105
#
53
(
192.168
.
56.105
)
;; WHEN: Mon Jul
15
10
:
19
:
16
2013
;; MSG SIZE rcvd:
114
可以看到即使master上的named服务停掉了,其他主机也可以从slave里获取www.test.com信息。
下面是我对named.conf里是否指定使用notify yes所做的一个测试
1、没有指定使用notify yes
2、指定使用notify yes
具体的测试情况,可以参考我附件里的word文档
根据上面的测试结果,我认为如果你的acl放在单独的文件里(不在named.conf里),并且对修改后更新的速度有要求(比如要求1分钟内slave就能更新),最好还是在slave里使用rsync+sersync或者rsync+inotify来同步acl文件和zone的配置。
如果对修改更新速度没有太多的要求,可以指定使用notify yes。
具体的选择看自己的需求了。
具体的测试过程我就不写了,在附件里的word文档里有。
附件:http://down.51cto.com/data/2363369
本文转自 reinxu 51CTO博客,原文链接:http://blog.51cto.com/dl528888/1279643,如需转载请自行联系原作者