目标要求:DNS对域名逆向解析;实现不同网段在访问同一域名时得到不同的IP,如10.0.0.网段访问www.fbl.com时IP为10.0.0.254。192.168.1.网段在访问该域名时IP为192.168.1.254。
步骤:
1、DNS逆向解析域设置
① 在原有DNS基础上,声明一个逆向解析域,(vim /etc/named/chroot/etc/named.conf)
options {
directory "/var/named";
};
#原解析域
zone "fbl.com" IN {
type master ;
file "fbl.com.db";
};
#逆向解析域声明
zone "1.168.192.IN-ADDR.ARPA" IN{
type master;
file "fbl.com.db";
};
② /var/named/chroot/var/named/fbl.com.db 中内容的设置:
(说明:@代表要解析的域名,NS前就不用再写了。逆向解析中的127代表127.1.168.192. IN-ADDR.ARPA 。下同)
$TTL 86400
@ SOA dns.fbl.com. root.dsn.fbl.com. (2008051600 3H 15M 1W 1D)
NS dns.fbl.com.
dns.fbl.com. A 192.168.1.127
www.fbl.com. A 192.168.1.127
#逆向解析
127 PTR www.fbl.com.
160 PTR ftp.fbl.com.
254 PTR mail.fbl.com.
③重启DNS,可用host 192.168.1.127测试
2、不同网段的分离
①配置DNS主控文件:vim /etc/named/chroot/etc/named.conf ,设置如下:
options {
directory "/var/named";
};
view "smallnet" {
match-clients {192.168.1.0/24;};
recursion yes;
zone "fbl.com" IN {
type master ;
file "fbl.com.db";
};
zone "1.168.192.IN-ADDR.ARPA" IN{
type master;
file "fbl.com.db";
};
};
view "bignet" {
match-clients {10.0.0.0/24;};
recursion yes;
zone "fbl.com" IN {
type master ;
file "bigfbl.com.db";
};
zone "0.0.10.IN-ADDR.ARPA" IN{
type master;
file "bigfbl.com.db";
};
};
②配置DNS数据库文件 vim /var/named/chroot/var/named/bigfbl.com.db 设置如下:
$TTL 86400
@ SOA dns.fbl.com. root.dsn.fbl.com. (2008051600 3H 15M 1W 1D)
NS dns.fbl.com.
dns.fbl.com. A 10.0.0.254
www.fbl.com. A 10.0.0.254
254 PTR www.fbl.com.
160 PTR ftp.fbl.com.
254 PTR mail.fbl.com.
③重启DNS,用IP为192.168.1.网段测试,得到IP为192.168.1.127;用IP为10.0.0.网段测试,得到IP为10.0.0.254。
④另外,还可以使用定义acl别名的方式,添加多个网段
acl cnc {
192.168.2.0/24
192.168.3.0/24
……
};
使用: view "bignet" {
match-clients {cnc;};
……
};
