亲手架设Master/Slave智能DNS的流程-阿里云开发者社区

[背景]这是老早我做的一个案例,今天拿出来供大家参考!

所需资料

一:M/S DNS 架设流程

二:TSIG技术用与不同view区域传输

三:获取电信与网通IP shell脚本

四:服务器端修改路由表bat

五:服务器安全

一:

主DNS架设流程

配置步骤：

1、软件列表

BIND 9.3.2
[url]ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz[/url]

2、安装BIND 9

安装BIND9：

# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure
--prefix=/usr/local/named
--disable-ipv6
# make && make install

建立BIND用户：

# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind

创建配置文件目录：

# mkdir –p /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc

创建主要的配置文件：

# vi /usr/local/named/etc/named.conf
===========================named.conf=======================

key "rndc-key" {

algorithm hmac-md5;

secret "7cMD1EIkZIVVcdO52D24Aw==";

};

key "hahazhu"{

algorithm hmac-md5;

secret "cnXsAYNrypKcTdhfy3FABA==";

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { "rndc-key"; };

};

acl "trust-lan" { 127.0.0.1/8;};

options {

directory "/usr/local/named/etc/";

pid-file "/var/run/named/named.pid";

version "0.0.0";

datasize 40M;

allow-transfer {

"trust-lan";};

recursion yes;

allow-notify {

"trust-lan";

};

allow-recursion {

"trust-lan";

};

auth-nxdomain yes;

forwarders {

202.102.192.68;

202.102.200.101;};

};

logging {

channel warning

{ file "/var/log/named/dns_warnings" versions 3 size 1240k;

severity warning;

print-category yes;

print-severity yes;

print-time yes;

};

channel general_dns

{ file "/var/log/named/dns_logs" versions 3 size 1240k;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};

category default { warning; };

category queries { general_dns; };

};

zone "." {

type hint;

file "named.root";

};

acl "CNC" {

58.16.0.0/16;

58.17.0.0/17;

58.17.128.0/17;

58.18.0.0/16;

58.19.0.0/16;

58.20.0.0/16;

58.21.0.0/16;

58.22.0.0/15;

58.240.0.0/15;

58.242.0.0/15;

58.242.161.0/29;

58.244.0.0/15;

58.246.0.0/15;

58.248.0.0/13;

60.0.0.0/13;

60.8.0.0/15;

60.10.0.0/16;

60.11.0.0/16;

60.12.0.0/16;

60.13.0.0/18;

60.13.128.0/17;

60.14.0.0/15;

60.16.0.0/13;

60.24.0.0/14;

60.30.0.0/16;

60.31.0.0/16;

60.208.0.0/13;

60.216.0.0/15;

60.218.0.0/15;

60.220.0.0/14;

61.48.0.0/13;

61.133.0.0/17;

61.134.96.0/19;

61.134.128.0/17;

61.135.0.0/16;

61.137.128.0/17;

61.138.0.0/17;

61.138.128.0/18;

61.139.128.0/18;

61.148.0.0/15;

61.156.0.0/16;

61.158.0.0/16;

61.159.0.0/18;

61.161.0.0/18;

61.161.128.0/17;

61.162.0.0/16;

61.163.0.0/16;

61.167.0.0/16;

61.168.0.0/16;

61.176.0.0/16;

61.179.0.0/16;

61.180.128.0/17;

61.181.0.0/16;

61.182.0.0/16;

61.189.0.0/17;

125.32.0.0/16;

125.40.0.0/13;

202.96.0.0/18;

202.96.64.0/21;

202.96.72.0/21;

202.97.128.0/18;

202.97.224.0/21;

202.97.240.0/20;

202.98.0.0/21;

202.98.8.0/21;

202.99.64.0/19;

202.99.96.0/21;

202.99.128.0/19;

202.99.160.0/21;

202.99.168.0/21;

202.99.176.0/20;

202.99.208.0/20;

202.99.224.0/21;

202.99.232.0/21;

202.99.240.0/20;

202.102.128.0/21;

202.102.224.0/21;

202.102.232.0/21;

202.106.0.0/16;

202.107.0.0/17;

202.108.0.0/16;

202.110.0.0/17;

202.111.128.0/18;

203.93.8.0/24;

203.93.192.0/18;

210.13.128.0/17;

210.14.160.0/19;

210.14.192.0/19;

210.15.32.0/19;

210.15.96.0/19;

210.15.128.0/18;

210.16.128.0/18;

210.21.0.0/16;

210.51.0.0/16;

210.52.128.0/17;

210.53.0.0/17;

210.53.128.0/17;

210.74.96.0/19;

210.74.128.0/19;

210.82.0.0/15;

211.152.0.0/13;

218.7.0.0/16;

218.8.0.0/14;

218.12.0.0/16;

218.21.128.0/17;

218.24.0.0/14;

218.28.0.0/15;

218.56.0.0/14;

218.60.0.0/15;

218.62.0.0/17;

218.67.128.0/17;

218.68.0.0/15;

218.104.0.0/14;

218.106.81.0/29;

219.154.0.0/15;

219.156.0.0/15;

219.158.0.0/17;

219.158.128.0/17;

219.159.0.0/18;

220.252.0.0/16;

221.0.0.0/15;

221.2.0.0/16;

221.3.0.0/17;

221.3.128.0/17;

221.4.0.0/16;

221.5.0.0/17;

221.5.128.0/17;

221.6.0.0/16;

221.7.0.0/19;

221.7.32.0/19;

221.7.64.0/19;

221.7.96.0/19;

221.7.128.0/17;

221.8.0.0/15;

221.10.0.0/16;

221.11.0.0/17;

221.11.128.0/18;

221.11.192.0/19;

221.12.0.0/17;

221.12.128.0/18;

221.13.0.0/18;

221.13.64.0/19;

221.13.96.0/19;

221.13.128.0/17;

221.14.0.0/15;

221.192.0.0/15;

221.194.0.0/16;

221.195.0.0/16;

221.196.0.0/15;

221.198.0.0/16;

221.199.0.0/19;

221.199.32.0/20;

221.199.128.0/18;

221.199.192.0/20;

221.200.0.0/14;

221.204.0.0/15;

221.206.0.0/16;

221.207.0.0/18;

221.207.64.0/18;

221.207.128.0/17;

221.208.0.0/14;

221.212.0.0/16;

221.213.0.0/16;

221.214.0.0/16;

221.215.0.0/16;

221.216.0.0/13;

222.128.0.0/14;

222.132.0.0/14;

222.136.0.0/13;

222.160.0.0/15;

222.162.0.0/16;

222.163.0.0/19;

222.163.32.0/19;

222.163.64.0/18;

222.163.128.0/17;

219.235.56.194;

};

view "view_cnc"{

match-clients { key hahazhu;CNC;};

recursion no;

allow-transfer {key hahazhu;};

server 218.22.93.237 {keys hahazhu;};

zone "." {

type hint;

file "named.root";

};

zone "0.0.127.IN-ADDR.ARPA" {

type master;

file "localhost.rev";};

include "master/cnc.def";};

view "view_any" {

match-clients { key rndc-key;any; };

recursion no;

allow-transfer {key rndc-key;};

server 218.22.93.237 {keys rndc-key;};

zone "." {

type hint;

file "named.root";};

zone "0.0.127.IN-ADDR.ARPA" {

type master;

file "localhost.rev";

};

include "master/telecom.def";};

添加完成后，保存。

更新根区文件：

# cd /usr/local/named/etc/
# wget [url]ftp://ftp.internic.org/domain/named.root[/url]

创建PID和日志文件：

# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/

# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*

# mkdir master
# touch master/cnc.def
# touch master/telecom.def

生成rndc-key：

# cd /usr/local/named/etc/
# ../sbin/rndc-confgen > rndc.conf

把rndc.conf中：
# Use with the following in named.conf, adjusting the allow list as needed:
后面以的部分加到/usr/local/named/etc/named.conf中并去掉注释

运行测试：

# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &

状态检查：

# /usr/local/named/sbin/rndc status

建立启动脚本：

# vi /etc/init.d/named
============================== named.sh============================
#!/bin/bash
#
# named a network name service.
#
#
# chkconfig: 545 35 75
# description: a name server
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in

start)
if [ -x /usr/local/named/sbin/named ]; then
/usr/local/named/sbin/named -u bind -c /usr/local/named/etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;

stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;

esac
===============================named.sh============================

# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on

到这里bind已经安装完毕 .下面是解析部分.

3、添加一个NS

注册两个dns

Ns2.yyyy.com

4、添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
添加

zone "18l.net" {

type master;

file "master/cnc/18l.net";

};

zone "bbtsd.com"{

type master;

file "master/cnc/bbtsd.com";

};

# vi telecom.def
添加

zone "18l.net" {

type master;

file "master/telecom/18l.net";

};

zone "bbtsd.com"{

type master;

file "master/telecom/bbtsd.com";

};

添加网通的解析
#vi cnc/18l.net

$TTL 3600

$ORIGIN 18l.net.

18l.net. IN SOA ns2.yyyy. root.yyyy.com.(

2007070901

3600

900

68400

15)

@ IN NS ns2.yyyy.com.

;ns2.yyyy.com. IN A 218.22.93.242

@ IN A 218.106.81.34

www IN A 58.242.161.2

mail IN A 218.106.81.34

IN MX 10 mail

#Vi cnc/bbtsd.com

$TTL 3600

$ORIGIN bbtsd.com.

bbtsd.com. IN SOA ns2.yyyy.com. root.yyyy.com.(

2007070901

3600

900

68400

15)

@ IN NS ns2.yyyy.com.

;ns2.yyyy.com. IN A 218.22.93.242

www IN A 58.242.161.4

mail IN A 218.106.81.34

IN MX 10 mail

@ IN A 58.242.161.4

添加电信的解析
#vi telecom/18l.net

$TTL 3600

$ORIGIN 18l.net.

@ IN SOA ns2.yyyy.com. root.yyyy.com.(

2007070901

3600

900

68400

15 )

@ IN NS ns2.yyyy.com.

ns2.yyyy.com IN A 218.22.93.242

@ IN A 218.22.93.244

www IN A 218.22.93.244

mail IN A 218.106.81.34

IN MX 10 mail

#vi telecom/bbtsd.com

$TTL 3600

$ORIGIN bbtsd.com.

bbtsd.com. IN SOA ns2.yyyy.com. root.yyyy.com.(

2007070901

3600

900

68400

15 )

@ IN NS ns2.yyyy.com.

ns2.yyyy.com IN A 218.22.93.242

www IN A 218.22.93.253

mail IN A 218.106.81.34

IN MX 10 mail

@ IN A 218.22.93.253

#/usr/local/named/sbin/rndc reload

OK，到此你的主DNS服务器配置就算是搞起来了。

从DNS架设流程

key "rndc-key" {

algorithm hmac-md5;

secret "7cMD1EIkZIVVcdO52D24Aw==";

};

key"hahazhu"{

algorithm hmac-md5;

secret "cnXsAYNrypKcTdhfy3FABA==";

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { "rndc-key"; };

};

acl "trust-lan" { 127.0.0.1/8;};

options {

directory "/usr/local/named/etc/";

pid-file "/var/run/named/named.pid";

version "0.0.0";

datasize 40M;

allow-transfer {

"trust-lan";};

recursion yes;

allow-notify {

"trust-lan";

};

allow-recursion {

"trust-lan";

};

auth-nxdomain no;

recursion yes;

forwarders {

202.102.192.68;

202.102.200.101;};

};

logging {

channel warning

{ file "/var/log/named/dns_warnings" versions 3 size 1240k;

severity warning;

print-category yes;

print-severity yes;

print-time yes;

};

channel general_dns

{ file "/var/log/named/dns_logs" versions 3 size 1240k;

severity info;

print-category yes;

print-severity yes;

print-time yes;

};

category default { warning; };

category queries { general_dns; };

};

zone "." {

type hint;

file "named.root";

};

acl "CNC" {

58.16.0.0/16;

58.17.0.0/17;

58.17.128.0/17;

58.18.0.0/16;

58.19.0.0/16;

58.20.0.0/16;

58.21.0.0/16;

58.22.0.0/15;

58.240.0.0/15;

58.242.0.0/15;

58.242.161.0/29;

58.244.0.0/15;

58.246.0.0/15;

58.248.0.0/13;

60.0.0.0/13;

60.8.0.0/15;

60.10.0.0/16;

60.11.0.0/16;

60.12.0.0/16;

60.13.0.0/18;

60.13.128.0/17;

60.14.0.0/15;

60.16.0.0/13;

60.24.0.0/14;

60.30.0.0/16;

60.31.0.0/16;

60.208.0.0/13;

60.216.0.0/15;

60.218.0.0/15;

60.220.0.0/14;

61.48.0.0/13;

61.133.0.0/17;

61.134.96.0/19;

61.134.128.0/17;

61.135.0.0/16;

61.137.128.0/17;

61.138.0.0/17;

61.138.128.0/18;

61.139.128.0/18;

61.148.0.0/15;

61.156.0.0/16;

61.158.0.0/16;

61.159.0.0/18;

61.161.0.0/18;

61.161.128.0/17;

61.162.0.0/16;

61.163.0.0/16;

61.167.0.0/16;

61.168.0.0/16;

61.176.0.0/16;

61.179.0.0/16;

61.180.128.0/17;

61.181.0.0/16;

61.182.0.0/16;

61.189.0.0/17;

125.32.0.0/16;

125.40.0.0/13;

202.96.0.0/18;

202.96.64.0/21;

202.96.72.0/21;

202.97.128.0/18;

202.97.224.0/21;

202.97.240.0/20;

202.98.0.0/21;

202.98.8.0/21;

202.99.64.0/19;

202.99.96.0/21;

202.99.128.0/19;

202.99.160.0/21;

202.99.168.0/21;

202.99.176.0/20;

202.99.208.0/20;

202.99.224.0/21;

202.99.232.0/21;

202.99.240.0/20;

202.102.128.0/21;

202.102.224.0/21;

202.102.232.0/21;

202.106.0.0/16;

202.107.0.0/17;

202.108.0.0/16;

202.110.0.0/17;

202.111.128.0/18;

203.93.8.0/24;

203.93.192.0/18;

210.13.128.0/17;

210.14.160.0/19;

210.14.192.0/19;

210.15.32.0/19;

210.15.96.0/19;

210.15.128.0/18;

210.16.128.0/18;

210.21.0.0/16;

210.51.0.0/16;

210.52.128.0/17;

210.53.0.0/17;

210.53.128.0/17;

210.74.96.0/19;

210.74.128.0/19;

210.82.0.0/15;

211.152.0.0/13;

218.7.0.0/16;

218.8.0.0/14;

218.12.0.0/16;

218.21.128.0/17;

218.24.0.0/14;

218.28.0.0/15;

218.56.0.0/14;

218.60.0.0/15;

218.62.0.0/17;

218.67.128.0/17;

218.68.0.0/15;

218.104.0.0/14;

218.106.81.0/29;

219.154.0.0/15;

219.156.0.0/15;

219.158.0.0/17;

219.158.128.0/17;

219.159.0.0/18;

220.252.0.0/16;

221.0.0.0/15;

221.2.0.0/16;

221.3.0.0/17;

221.3.128.0/17;

221.4.0.0/16;

221.5.0.0/17;

221.5.128.0/17;

221.6.0.0/16;

221.7.0.0/19;

221.7.32.0/19;

221.7.64.0/19;

221.7.96.0/19;

221.7.128.0/17;

221.8.0.0/15;

221.10.0.0/16;

221.11.0.0/17;

221.11.128.0/18;

221.11.192.0/19;

221.12.0.0/17;

221.12.128.0/18;

221.13.0.0/18;

221.13.64.0/19;

221.13.96.0/19;

221.13.128.0/17;

221.14.0.0/15;

221.192.0.0/15;

221.194.0.0/16;

221.195.0.0/16;

221.196.0.0/15;

221.198.0.0/16;

221.199.0.0/19;

221.199.32.0/20;

221.199.128.0/18;

221.199.192.0/20;

221.200.0.0/14;

221.204.0.0/15;

221.206.0.0/16;

221.207.0.0/18;

221.207.64.0/18;

221.207.128.0/17;

221.208.0.0/14;

221.212.0.0/16;

221.213.0.0/16;

221.214.0.0/16;

221.215.0.0/16;

221.216.0.0/13;

222.128.0.0/14;

222.132.0.0/14;

222.136.0.0/13;

222.160.0.0/15;

222.162.0.0/16;

222.163.0.0/19;

222.163.32.0/19;

222.163.64.0/18;

222.163.128.0/17;

219.235.56.194;

};

view "view_cnc"{

match-clients { key hahazhu;CNC;};

recursion no;

allow-transfer {none;};

server 218.22.93.242 {keys hahazhu;};

zone "." {

type hint;

file "named.root";

};

zone "0.0.127.IN-ADDR.ARPA" {

type master;

file "localhost.rev";};

include "master/cnc.def";};

view "view_any" {

match-clients { key rndc-key;any; };

recursion yes;

allow-transfer {none;};

server 218.22.93.242 {keys rndc-key;};

zone "." {

type hint;

file "named.root";};

zone "0.0.127.IN-ADDR.ARPA" {

type master;

file "localhost.rev";

};

include "master/telecom.def";};

将从主DNS中把其复制过来.从主的key内容一样.

把rndc.conf中：
# Use with the following in named.conf, adjusting the allow list as needed:
后面以的部分加到/usr/local/named/etc/named.conf中并去掉注释

运行测试：

# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &

状态检查：

# /usr/local/named/sbin/rndc status

建立启动脚本：

# vi /etc/init.d/named
============================== named.sh============================
#!/bin/bash
#
# named a network name service.
#
#
# chkconfig: 545 35 75
# description: a name server
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in

start)
if [ -x /usr/local/named/sbin/named ]; then
/usr/local/named/sbin/named -u bind -c /usr/local/named/etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;

stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;

esac
===============================named.sh============================

# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on

到这里bind已经安装完毕 .下面是解析部分.

3、添加一个NS

Ns.xxxx.net

4、添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def

zone "18l.net" {

type slave;

masters {218.22.93.242;};

file "master/cnc/18l.net";

};

zone "bbtsd.com"{

type slave;

masters {218.22.93.242;};

file "master/cnc/bbtsd.com";

};

# vi telecom.def
添加

zone "18l.net" {

type slave;

masters {218.22.93.242;};

file "master/telecom/18l.net";

};

zone "bbtsd.com"{

type slave;

masters {218.22.93.242;};

file "master/telecom/bbtsd.com";

};

OK,到这里,从DNS就算架设成功了.至于出现错误,请检查日志/var/log/messages 还有定义的日志.

记住,架设容易,维护难.以后,还需要好好看管,才行噢!!!

二

至于这一部分,已经在配置文件中体现了.我只需要将在bind9管理手册中的资料复制来来,看下如何操作就成了.

5.4 TSIG（信号安全处理）

这是一个基于BIND 中的安全处理的Transaction SIGnature (TSIG)。它描述了配置文件

的更新和在不同情况下的更新要求，包括产生处理密匙和使用BIND TSIG 的过程。

BIND 主要支持服务器对服务器之间通讯的TSIG。包括域传送（zone transfer），通报

（notify）和递归查询信息。基于BIND8 的新版本对TSIG 的支持较为有限。

TSIG 可能对动态更新最有用了，一个动态域的主DNS 服务器使用访问控制来控制更

新，而基于IP 的访问控制是不够的。基于密匙的访问控制要高级的多了，参看推荐标准。

nsupdate 程序通过-k 和-y 命令选项支持TSIG。

5.4.1 为每对主机产生共享密匙

产生一个共享的加密方式就是在host1 和host2 之间共享使用。可选择任意的密

匙： “host1-host2”。但密匙必须在两个主机上是一样的。

5.4.1.1 自动产生

下列命令将会产生一个如上所述128 位（16 字节）HAMC-MD5 的密匙。越长的键越

好，但是较短的键比较容易读取。注意键的最大长度是512 比特；更长的键将会被MD5 消

化以产生128 位的密匙。

dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.

密匙存在于Khost1-host2.+157+00000.private 文件中。文件不直接被调用，但是在”Key:”

之后的base-64 编码字符串可以直接拷贝出作为共享密匙：

DNS （BIND9） RunStone Tech. Inc.

[url]http://www.runstone.com[/url] , 2003 22

Key: La/E5CjG9O+os1jq0a2jdA==

字符串"La/E5CjG9O+os1jq0a2jdA=="可以作为共享密匙使用

5.4.1.2 手工生成

共享密匙仅仅是使用base-64 编码的随机序列结果。大多数ASCII 字符串是有效的

base-64 字符串（假设长度是4 的倍数，只有有效的字符被使用），所以共享密匙可以被手工

生成。

而且，一个熟知的字符串可以通过mmencode 或者一个相似的程序以产生base-64 编码

数据。

5.4.2 把共享密匙拷到两台机器中

这超过了DNS 的范围。使用一种安全传输机制，例如可以是安全FTP、ssh、电话等。

5.4.3 通知服务器密匙的存在

设想host1 和host2 是这2 台服务器。下列语句将会加到每个服务器中的named.conf file

中：

key host1-host2. {

algorithm hmac-md5;

secret "La/E5CjG9O+os1jq0a2jdA==";

};

BIND 只支持hmac-md5 算法。密匙就是在上面产生的这个。既然这是一个密匙，建议

将named.conf 设为不可读，或者在named.conf 中调用一个包含了密匙的不可读的文件。

这样，key 就被认可了。这意味着如果服务器受到一则被这个key 标记的消息，它可以

对这个签字进行校验。如果校验成功，应答就会被同一个key 所标记。

5.4.4 通知服务器使用密匙

既然密匙只在两个主机之间共享，服务器就必须被告知什么时候使用key。下列是加入

到host1 的named.conf 文件中的配置，如果host2 的IP 地址是10.1.2.3:

server 10.1.2.3 {

DNS （BIND9） RunStone Tech. Inc.

[url]http://www.runstone.com[/url] , 2003 23

keys { host1-host2. ;};

};

多个key 可能同时被使用，但是只有第一个有效。这个指示不包括任何加密，所以它

可能是一个普遍可读文件。

如果host1 向那个地址发送一个消息，此消息将会被特殊的key 标记。host1 则会等待

任何使用了相同key 标记的回复信息。

一个相似的语句也会存在于host2 的配置文件中（使用host1 的地址），这样host2 就会

在回复host1 的消息中标记相同的key。

5.4.5 基于TSIG 密匙的访问控制

BIND 承认在ACL 定义中使用IP 地址和地址段和allow-{ query | transfer | update }。这

也拓展到允许使用TSIG 密匙。上述key 可以表示为key host1-host2。

一个allow-update 的例子是：

allow-update { key host1-host2. ;};

它只允许那些带有”host1-host2”标记的动态更新请求被接受。后面的update-policy 还有

更加强大的功能。

5.4.6 错_________误

在处理用TSIG 标记信息时会发生一些错误。如果一个标记信息被发送到一个不兼容

TSIG 的服务器中，服务器不能识别记录，就会返回一个FORMERR。这是配置错误的结果，

服务器应该配置清楚要发送到的特定的server。

如果识别TSIG 的服务器收到一则由未知key 标志的信息，响应时就不会用TSIG 标记，

且会带有错误编码BADKEY。如果一个识别TSIG 服务器收到一个带着无效标记的信息，

回应就不会用TSIG 标记，且会带有错误编码BADSIG。如果一台识别TSIG 服务器接收到

一个超过规定时限的信息，响应时就会带有TSIG 标记的错误代码BADTIME，且时间值将

会被重新调整，使得响应可以被成功验证。在所有这些情况中，消息的错误代码都被设置

为NOTAUTH。

*记住,主辅DNS时间差不能大于5分钟,最好做个网络同步时间服务.不过,我没做.嘿嘿~~

三

(1)

以下方法可以查询到3个服务商大致的地址范围，不过是否完整还需要大家验证。

下载并编译最新的ripe-dbase-client
# wget [url]http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client-v3.tar.gz[/url]

#tar zxvf ripe-dbase*.gz
#cd whois-3.1
#./configure;make
执行查询并输出结果
#./whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP >/tmp/cnc
#./whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET >/tmp/chinanet
#./whois3 -h whois.apnic.net -l -i mb MAINT-CN-CRTC > /tmp/crtc

如果想得到具体的服务商比如江苏省电信的IP池，就把mb的值改为MAINT-CHINANET-JS，或者是辽宁网通，那就改为MAINT-CNCGROUP-LN

然后用grep 和sed去掉多余的文字就可以得到了。

(2)

#!/bin/sh

FILE=/root/study/apnic/ip_apnic

rm -f $FILE

wget [url]http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest[/url] -O $FILE

grep 'apnic|CN|ipv4|' $FILE | cut -f 4,5 -d'|'|sed -e 's/|/ /g' | while read ip

cnt

echo $ip:$cnt

mask=$(cat << EOF | bc | tail -1

pow=32;

define log2(x) {

if (x<=1) return (pow);

pow--;

return(log2(x/2));

}

log2($cnt)

EOF)

echo $ip/$mask>> cn.net

NETNAME=`whois $[email]ip@whois.apnic.net[/email] | sed -e '/./{H;$!d;}' -e 'x;/netnum/!d' |grep ^netname | sed -e 's/.*: $.*$/\1/g' | sed -e 's/-.*//g'`

case $NETNAME in

CHINANET|CNCGROUP)

echo $ip/$mask >> $NETNAME

;;

#如果你還要其他 ISP , 請在這邊加上去即可,透過 apnic whois , 你可以知道他的 NETNAME

OTHER_NETNAME_here)

;;

Esac

done

四

以前写的,用于放在服务器端判定的.不过,比这复杂,考略系统资源,就不用这么复杂了.只需要一条Bat,就可以了.

REM Version 20060830,Copyright Netbank Co.LTD

@echo off

echo 正在启动网通链路，请稍候...

REM CNC

route add 58.16.0.0 mask 255.248.0.0 58.242.161.1 -p

route add 58.240.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 60.0.0.0 mask 255.224.0.0 58.242.161.1 -p

route add 60.55.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 60.208.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 60.255.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.48.0.0 mask 255.248.0.0 58.242.161.1 -p

route add 61.133.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.134.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 61.136.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.137.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.138.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.138.128.0 mask 255.255.192.0 58.242.161.1 -p

route add 61.139.128.0 mask 255.255.192.0 58.242.161.1 -p

route add 61.148.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 61.156.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.158.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.159.0.0 mask 255.255.192.0 58.242.161.1 -p

route add 61.161.0.0 mask 255.255.192.0 58.242.161.1 -p

route add 61.161.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.162.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 61.167.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.168.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.176.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.179.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.180.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 61.181.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.182.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 61.189.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 121.16.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 121.89.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 124.64.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 124.66.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 124.67.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 124.88.0.0 mask 255.248.0.0 58.242.161.1 -p

route add 124.128.0.0 mask 255.248.0.0 58.242.161.1 -p

route add 124.160.0.0 mask 255.248.0.0 58.242.161.1 -p

route add 125.32.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 202.38.143.0 mask 255.255.255.0 58.242.161.1 -p

route add 202.74.8.0 mask 255.255.248.0 58.242.161.1 -p

route add 202.75.208.0 mask 255.255.240.0 58.242.161.1 -p

route add 202.90.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 202.96.0.0 mask 255.255.192.0 58.242.161.1 -p

route add 202.96.64.0 mask 255.255.224.0 58.242.161.1 -p

route add 202.97.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 202.98.0.0 mask 255.255.224.0 58.242.161.1 -p

route add 202.99.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 202.102.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 202.106.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 202.107.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 202.108.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 202.110.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 202.111.128.0 mask 255.255.192.0 58.242.161.1 -p

route add 202.130.224.0 mask 255.255.224.0 58.242.161.1 -p

route add 203.93.8.0 mask 255.255.255.0 58.242.161.1 -p

route add 203.93.192.0 mask 255.255.192.0 58.242.161.1 -p

route add 203.175.192.0 mask 255.255.192.0 58.242.161.1 -p

route add 210.13.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 210.14.160.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.14.192.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.15.32.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.15.96.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.15.128.0 mask 255.255.192.0 58.242.161.1 -p

route add 210.21.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 210.22.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 210.51.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 210.52.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 210.74.96.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.74.128.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.78.0.0 mask 255.255.224.0 58.242.161.1 -p

route add 210.82.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 211.144.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 211.152.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 218.7.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 218.8.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 218.12.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 218.21.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 218.24.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 218.28.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 218.56.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 218.60.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 218.62.0.0 mask 255.255.128.0 58.242.161.1 -p

route add 218.67.128.0 mask 255.255.128.0 58.242.161.1 -p

route add 218.68.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 218.104.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 218.244.32.0 mask 255.255.224.0 58.242.161.1 -p

route add 218.247.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 219.154.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 219.156.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 219.158.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 219.159.0.0 mask 255.255.192.0 58.242.161.1 -p

route add 219.232.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 220.248.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 220.252.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 221.0.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 221.136.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 221.192.0.0 mask 255.224.0.0 58.242.161.1 -p

route add 222.128.0.0 mask 255.240.0.0 58.242.161.1 -p

route add 222.160.0.0 mask 255.252.0.0 58.242.161.1 -p

REM HZCNC

route add 58.100.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 125.210.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 211.155.224.0 mask 255.255.240.0 58.242.161.1 -p

route add 218.108.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 219.82.0.0 mask 255.255.0.0 58.242.161.1 -p

REM CRC

route add 61.232.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 61.236.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 211.98.0.0 mask 255.255.0.0 58.242.161.1 -p

route add 221.172.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 222.32.0.0 mask 255.224.0.0 58.242.161.1 -p

route add 58.82.176.0 mask 255.255.240.0 58.242.161.1 -p

route add 58.82.224.0 mask 255.255.240.0 58.242.161.1 -p

route add 61.29.240.0 mask 255.255.240.0 58.242.161.1 -p

route add 121.46.0.0 mask 255.255.192.0 58.242.161.1 -p

route add 121.46.192.0 mask 255.255.224.0 58.242.161.1 -p

route add 122.198.32.0 mask 255.255.224.0 58.242.161.1 -p

route add 124.156.112.0 mask 255.255.240.0 58.242.161.1 -p

route add 124.156.128.0 mask 255.255.240.0 58.242.161.1 -p

route add 124.249.224.0 mask 255.255.240.0 58.242.161.1 -p

REM UNICOM

route add 61.240.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 211.90.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 211.92.0.0 mask 255.252.0.0 58.242.161.1 -p

route add 211.96.0.0 mask 255.254.0.0 58.242.161.1 -p

route add 220.192.0.0 mask 255.240.0.0 58.242.161.1 –p

保存为cncstart.bat

REM Version 20060830,Copyright Netbank Co.LTD

@echo off

echo 正在关闭网通链路，请稍候...

REM CNC

route delete 58.16.0.0 mask 255.248.0.0

route delete 58.240.0.0 mask 255.240.0.0

route delete 60.0.0.0 mask 255.224.0.0

route delete 60.55.0.0 mask 255.255.0.0

route delete 60.208.0.0 mask 255.240.0.0

route delete 60.255.0.0 mask 255.255.0.0

route delete 61.48.0.0 mask 255.248.0.0

route delete 61.133.0.0 mask 255.255.128.0

route delete 61.134.0.0 mask 255.254.0.0

route delete 61.136.0.0 mask 255.255.128.0

route delete 61.137.128.0 mask 255.255.128.0

route delete 61.138.0.0 mask 255.255.128.0

route delete 61.138.128.0 mask 255.255.192.0

route delete 61.139.128.0 mask 255.255.192.0

route delete 61.148.0.0 mask 255.254.0.0

route delete 61.156.0.0 mask 255.255.0.0

route delete 61.158.0.0 mask 255.255.0.0

route delete 61.159.0.0 mask 255.255.192.0

route delete 61.161.0.0 mask 255.255.192.0

route delete 61.161.128.0 mask 255.255.128.0

route delete 61.162.0.0 mask 255.254.0.0

route delete 61.167.0.0 mask 255.255.0.0

route delete 61.168.0.0 mask 255.255.0.0

route delete 61.176.0.0 mask 255.255.0.0

route delete 61.179.0.0 mask 255.255.0.0

route delete 61.180.128.0 mask 255.255.128.0

route delete 61.181.0.0 mask 255.255.0.0

route delete 61.182.0.0 mask 255.255.0.0

route delete 61.189.0.0 mask 255.255.128.0

route delete 121.16.0.0 mask 255.240.0.0

route delete 121.89.0.0 mask 255.255.0.0

route delete 124.64.0.0 mask 255.254.0.0

route delete 124.66.0.0 mask 255.255.128.0

route delete 124.67.0.0 mask 255.255.0.0

route delete 124.88.0.0 mask 255.248.0.0

route delete 124.128.0.0 mask 255.248.0.0

route delete 124.160.0.0 mask 255.248.0.0

route delete 125.32.0.0 mask 255.240.0.0

route delete 202.38.143.0 mask 255.255.255.0

route delete 202.74.8.0 mask 255.255.248.0

route delete 202.75.208.0 mask 255.255.240.0

route delete 202.90.0.0 mask 255.255.0.0

route delete 202.96.0.0 mask 255.255.192.0

route delete 202.96.64.0 mask 255.255.224.0

route delete 202.97.128.0 mask 255.255.128.0

route delete 202.98.0.0 mask 255.255.224.0

route delete 202.99.0.0 mask 255.255.0.0

route delete 202.102.128.0 mask 255.255.128.0

route delete 202.106.0.0 mask 255.255.0.0

route delete 202.107.0.0 mask 255.255.128.0

route delete 202.108.0.0 mask 255.255.0.0

route delete 202.110.0.0 mask 255.255.0.0

route delete 202.111.128.0 mask 255.255.192.0

route delete 202.130.224.0 mask 255.255.224.0

route delete 203.93.8.0 mask 255.255.255.0

route delete 203.93.192.0 mask 255.255.192.0

route delete 203.175.192.0 mask 255.255.192.0

route delete 210.13.128.0 mask 255.255.128.0

route delete 210.14.160.0 mask 255.255.224.0

route delete 210.14.192.0 mask 255.255.224.0

route delete 210.15.32.0 mask 255.255.224.0

route delete 210.15.96.0 mask 255.255.224.0

route delete 210.15.128.0 mask 255.255.192.0

route delete 210.21.0.0 mask 255.255.0.0

route delete 210.22.0.0 mask 255.255.0.0

route delete 210.51.0.0 mask 255.255.0.0

route delete 210.52.0.0 mask 255.254.0.0

route delete 210.74.96.0 mask 255.255.224.0

route delete 210.74.128.0 mask 255.255.224.0

route delete 210.78.0.0 mask 255.255.224.0

route delete 210.82.0.0 mask 255.254.0.0

route delete 211.144.0.0 mask 255.254.0.0

route delete 211.152.0.0 mask 255.254.0.0

route delete 218.7.0.0 mask 255.255.0.0

route delete 218.8.0.0 mask 255.252.0.0

route delete 218.12.0.0 mask 255.255.0.0

route delete 218.21.128.0 mask 255.255.128.0

route delete 218.24.0.0 mask 255.252.0.0

route delete 218.28.0.0 mask 255.254.0.0

route delete 218.56.0.0 mask 255.252.0.0

route delete 218.60.0.0 mask 255.254.0.0

route delete 218.62.0.0 mask 255.255.128.0

route delete 218.67.128.0 mask 255.255.128.0

route delete 218.68.0.0 mask 255.254.0.0

route delete 218.104.0.0 mask 255.252.0.0

route delete 218.244.32.0 mask 255.255.224.0

route delete 218.247.0.0 mask 255.255.0.0

route delete 219.154.0.0 mask 255.254.0.0

route delete 219.156.0.0 mask 255.254.0.0

route delete 219.158.0.0 mask 255.255.0.0

route delete 219.159.0.0 mask 255.255.192.0

route delete 219.232.0.0 mask 255.252.0.0

route delete 220.248.0.0 mask 255.252.0.0

route delete 220.252.0.0 mask 255.255.0.0

route delete 221.0.0.0 mask 255.240.0.0

route delete 221.136.0.0 mask 255.255.0.0

route delete 221.192.0.0 mask 255.224.0.0

route delete 222.128.0.0 mask 255.240.0.0

route delete 222.160.0.0 mask 255.252.0.0

REM HZCNC

route delete 58.100.0.0 mask 255.254.0.0

route delete 125.210.0.0 mask 255.255.0.0

route delete 211.155.224.0 mask 255.255.240.0

route delete 218.108.0.0 mask 255.254.0.0

route delete 219.82.0.0 mask 255.255.0.0

REM CRC

route delete 61.232.0.0 mask 255.248.0.0

route delete 61.236.0.0 mask 255.254.0.0

route delete 211.98.0.0 mask 255.255.0.0

route delete 221.172.0.0 mask 255.252.0.0

route delete 222.32.0.0 mask 255.224.0.0

route delete 58.82.176.0 mask 255.255.240.0

route delete 58.82.224.0 mask 255.255.240.0

route delete 61.29.240.0 mask 255.255.240.0

route delete 121.46.0.0 mask 255.255.192.0

route delete 121.46.192.0 mask 255.255.224.0

route delete 122.198.32.0 mask 255.255.224.0

route delete 124.156.112.0 mask 255.255.240.0

route delete 124.156.128.0 mask 255.255.240.0

route delete 124.249.224.0 mask 255.255.240.0

REM UNICOM

route delete 61.240.0.0 mask 255.252.0.0

route delete 211.90.0.0 mask 255.254.0.0

route delete 211.92.0.0 mask 255.252.0.0

route delete 211.96.0.0 mask 255.254.0.0

route delete 220.192.0.0 mask 255.240.0.0

保存为:cncstop.bat

五,服务器安全,那就多了.不过,我将其iptables复制下来.

# Generated by iptables-save v1.2.11 on Sun Jul 8 20:36:32 2007

*filter

:INPUT DROP [1:75]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [0:0]

-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT

-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 222 -j ACCEPT

-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT

-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

COMMIT

# Completed on Sun Jul 8 20:36:32 2007

将其保存到/etc/sysconfig/iptables下,

Service iptables start

至于其他资料,我以并打包.

本文转自hahazhu0634 51CTO博客，原文链接：http://blog.51cto.com/5ydycm/116635，如需转载请自行联系原作者