bind实现智能DNS（ACL，view

一、功能描述

   在实现了DNS主从同步，子域授权之后，还可以针对不同网络内的域名解析请求DNS能够指向不同的主机地址，以实现分流。

   假设下图中两台主机互为镜像，要实现来源不同的主机对此域名的解析指向同网段内的镜像主机，而不用穿过路由器，跨段断访问。例如171.16.0.0/24网内对www.sunlinux.com的解析指向172.16.200.6的服务器，而192.168.0.0/24网段内主机对www.sunlinux.com的解析指向192.168.0.6的服务器。可以利用ACL及VIEW规则来实现。

二、实现步骤

1、将来源不同的两个网段定义到不同的ACL规则当中。

acl C_class { 192.168.0.0/24; }; 
acl B_class { 172.16.0.0/8; };
acl Other { ！192.168.0.0/24; ！172.16.0.0/8; any; }; # 除了上面两个网段之外的所有地址
#acl Other { any; }; # 所有地址

2、用view划分DNS。

view classC {                       # 每个view相当于一个独立的DNS
        match-clients { C_class; }; # 匹配规则
        zone "." IN {               # 根DNS、C网主机对非sunlinux.com请求则找根
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN {    # 解析区域
                type master;
                file "sunlinux.com.Czone"; # C网主机对非sunlinux.com请求规则
        };
};
view classB {                       # 若使用view则所有的区域都应该包含在view中
        match-clients { B_class; };
        zone "." IN {               # 根DNS、B网主机对非sunlinux.com请求则找根
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN {
                type master;
                file "sunlinux.com.Bzone"; # B网主机对非sunlinux.com请求规则
        };
};
view anyother {                 
        match-clients { Other; }; # 非限定网段主机
        zone "." IN {
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN {
                type master;
                file "sunlinux.com.Bzone";
        };
};

3、编辑bind配置文件将规则写入。

# vim /etc/named.conf
options {
     directory       "/var/named";  # 数据文件目录
    ...                             # 定义全局信息     
};
logging {
    channel default_debug {
                file "data/named.run";  # 定义日志信息
                severity dynamic;
        };
};
acl C_class { 192.168.0.0/24; }; 
acl B_class { 172.16.0.0/8; };
#acl Other { ！192.168.0.0/24; ！172.16.0.0/8; any; };
acl Other { any; };
view classC {                    
        match-clients { C_class; };
        zone "." IN {            
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN { 
                type master;
                file "sunlinux.com.Czone";
        };
};
view classB {                    
        match-clients { B_class; };
        zone "." IN {            
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN {
                type master;
                file "sunlinux.com.Bzone";
        };
};
view anyother {                 
        match-clients { Other; };
        zone "." IN {
        type hint;
        file "named.ca";
        };
        zone "sunlinux.com" IN {
                type master;
                file "sunlinux.com.Bzone";
        };
};

4、编辑C网段数据文件。

# vim /var/named/sunlinux.com.Czone
$TTL 600
@       IN      SOA     dns.sunlinux.com.       dnsadmin.sunlinux.com. (
                        20140312
                        1H
                        5M
                        3D
                        6H
                        )
        IN      NS      ns1.sunlinux.com.
        IN      NS      ns2.sunlinux.com.
        IN      MX      10 mail
ns1     IN      A       172.16.251.58
ns2     IN      A       172.16.251.61
www     IN      A       192.168.0.6
mail    IN      A       192.168.0.8

5、编辑B网段数据文件。

[root@localhost ~]# vim /var/named/sunlinux.com.Bzone
$TTL 600
@       IN      SOA     dns.sunlinux.com.       dnsadmin.sunlinux.com. (
                        20140312
                        1H
                        5M
                        3D
                        6H
                        )
        IN      NS      ns1.sunlinux.com.
        IN      NS      ns2.sunlinux.com.
        IN      MX      10 mail
blog    IN      NS      ns3.blog.sunlinux.com.
blog    IN      NS      ns4.blog.sunlinux.com.
ns3.blog IN     A       172.16.251.64
ns4.blog IN     A       172.16.251.67
ns1     IN      A       172.16.251.58
ns2     IN      A       172.16.251.61
www     IN      A       172.16.200.6
mail    IN      A       172.16.200.8
pop     IN      CNAME   mail
ftp     IN      CNAME   www

6、检查配置文件语法错误，并启动。

# service named configtest
zone sunlinux.com.Czone/IN: loaded serial 20140312
zone sunlinux.com.Bzone/IN: loaded serial 20140312
# service named start
Starting named:                                            [  OK  ]

三、测试及验证

B 网段测试结果

# dig -t A www.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6742
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com.      IN  A
;; ANSWER SECTION:
www.sunlinux.com.   600 IN  A   172.16.200.6 # B网地址
;; AUTHORITY SECTION:
sunlinux.com.       600 IN  NS  ns2.sunlinux.com.
sunlinux.com.       600 IN  NS  ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com.   600 IN  A   172.16.251.58
ns2.sunlinux.com.   600 IN  A   172.16.251.61
;; Query time: 1 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:12 2014
;; MSG SIZE  rcvd: 118
# dig -t A mail.sunlinux.com @172.16.251.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @172.16.251.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51869
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com.     IN  A
;; ANSWER SECTION:
mail.sunlinux.com.  600 IN  A   172.16.200.8 # B网地址
;; AUTHORITY SECTION:
sunlinux.com.       600 IN  NS  ns2.sunlinux.com.
sunlinux.com.       600 IN  NS  ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com.   600 IN  A   172.16.251.58
ns2.sunlinux.com.   600 IN  A   172.16.251.61
;; Query time: 0 msec
;; SERVER: 172.16.251.58#53(172.16.251.58)
;; WHEN: Tue Mar 18 10:26:24 2014
;; MSG SIZE  rcvd: 119

C网段测试结果。

# dig -t A www.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sunlinux.com.      IN  A
;; ANSWER SECTION:
www.sunlinux.com.   600 IN  A   192.168.0.6 # C网地址
;; AUTHORITY SECTION:
sunlinux.com.       600 IN  NS  ns2.sunlinux.com.
sunlinux.com.       600 IN  NS  ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com.   600 IN  A   172.16.251.58
ns2.sunlinux.com.   600 IN  A   172.16.251.61
;; Query time: 1 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:34 2014
;; MSG SIZE  rcvd: 118
# dig -t A mail.sunlinux.com @192.168.0.58
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A mail.sunlinux.com @192.168.0.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.sunlinux.com.     IN  A
;; ANSWER SECTION:
mail.sunlinux.com.  600 IN  A   192.168.0.8 # C网地址
;; AUTHORITY SECTION:
sunlinux.com.       600 IN  NS  ns2.sunlinux.com.
sunlinux.com.       600 IN  NS  ns1.sunlinux.com.
;; ADDITIONAL SECTION:
ns1.sunlinux.com.   600 IN  A   172.16.251.58
ns2.sunlinux.com.   600 IN  A   172.16.251.61
;; Query time: 0 msec
;; SERVER: 192.168.0.58#53(192.168.0.58)
;; WHEN: Tue Mar 18 10:25:39 2014
;; MSG SIZE  rcvd: 119

四、补充说明

   acl：需要先定义后使用。内置ACL{any；none；local；localnet；}可以直接使用。

   view：优先级从上至下，先匹配到的生效。