Smart DNS Installation and Configuration
hfh08
hfh08 posted on 2006-08-15 15:59
Note: a "smart DNS" setup is mainly used for two things: 1) working around the China Netcom (CNC) versus China Telecom connectivity problem, and 2) regional routing (clients in different regions are sent to the server nearest to them). The configuration below solves the Netcom/Telecom problem; use 2 only needs minor changes to the same setup.
Contents:
1. DNS server installation
2. Configuring named.conf
3. Updating the root zone file
4. Creating the startup script
5. Adding an NS record
6. Adding a domain
Appendix: how to obtain the IP address ranges

1. DNS server installation

1) Software list
BIND 9.3.2  ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz

2) Installing BIND 9
Install BIND 9:
# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure --prefix=/usr/local/named --disable-ipv6
# make && make install

Create the bind user:
# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind

Create the configuration directory:
# mkdir -p /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc

2. Configuring named.conf

Create the main configuration file:
# vi /usr/local/named/etc/named.conf
=========================== named.conf =======================
// Hosts allowed to transfer zones, send NOTIFY and use recursion.
acl "trust-lan" { 127.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/usr/local/named/etc/";
    pid-file "/var/run/named/named.pid";
    version "0.0.0";
    datasize 40M;
    allow-transfer { "trust-lan"; };
    recursion yes;
    allow-notify { "trust-lan"; };
    allow-recursion { "trust-lan"; };
    auth-nxdomain no;
    forwarders { 202.99.160.68; 202.99.168.8; };
};

logging {
    channel warning {
        file "/var/log/named/dns_warnings" versions 3 size 1240k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "/var/log/named/dns_logs" versions 3 size 1240k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};

// Address ranges of the Netcom (CNC) network. Note: enter the ranges that
// apply in your situation (see the appendix for how to obtain them).
acl "CNC" {
    58.16.0.0/16;
    58.17.0.0/17;
    58.17.128.0/17;
    58.18.0.0/16;
    58.19.0.0/16;
    58.20.0.0/16;
    58.21.0.0/16;
};

// Once views are used, every zone (including the root hints) must be declared
// inside a view; a top-level zone statement would make named refuse to start.
// Views are tried in order: a client matching "CNC" gets view_cnc, everyone
// else falls through to view_any, so the catch-all view must come last.
view "view_cnc" {
    match-clients { CNC; };
    zone "." { type hint; file "named.root"; };
    // localhost.rev (the reverse zone for 127.0.0.1) must exist in the
    // directory above, otherwise named logs an error for this zone.
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    include "master/cnc.def";
};

view "view_any" {
    match-clients { any; };
    zone "." { type hint; file "named.root"; };
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    include "master/telecom.def";
};
=========================== named.conf =======================
When you have added all of this, save the file.

3. Updating the root zone file

# cd /usr/local/named/etc/
# wget ftp://ftp.internic.org/domain/named.root

Create the PID and log files (the PID directory is owned by bind, so 755 is enough; a world-writable directory would let any local user replace the PID file that the startup script below kills as root):
# mkdir /var/run/named/
# chmod 755 /var/run/named/
# chown bind:bind /var/run/named/
# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*
# mkdir master
# touch master/cnc.def
# touch master/telecom.def

Generate the rndc key:
# cd /usr/local/named/etc/
# ../sbin/rndc-confgen > rndc.conf
In rndc.conf, take the part that follows the line
# Use with the following in named.conf, adjusting the allow list as needed:
append it to /usr/local/named/etc/named.conf and remove the leading comment marks.

Test run:
# /usr/local/named/sbin/named -g -c /usr/local/named/etc/named.conf &

Status check:
# /usr/local/named/sbin/rndc status

4. Creating the startup script

# vi /etc/init.d/named
============================== named.sh ============================
#!/bin/bash
#
# named  a network name service.
#
# chkconfig: 345 35 75
# description: a name server
#

NAMED=/usr/local/named/sbin/named
CONF=/usr/local/named/etc/named.conf
# Must match the pid-file setting in named.conf.
PIDFILE=/var/run/named/named.pid

if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: must run as root to bind to port 53 (named drops to user bind itself)."
    exit 1
fi

case "$1" in
    start)
        if [ -x "$NAMED" ]; then
            "$NAMED" -u bind -c "$CONF" && echo . && echo 'BIND9 server started.'
        fi
        ;;
    stop)
        kill "$(cat "$PIDFILE")" && echo . && echo 'BIND9 server stopped.'
        ;;
    restart)
        echo .
        echo "Restart BIND9 server"
        $0 stop
        sleep 10
        $0 start
        ;;
    *)
        echo "$0 start | stop | restart"
        ;;
esac
============================== named.sh ============================
# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on

5. Adding an NS record

On your domain's management site, set the NS server to the DNS server you have just installed.

6. Adding a domain

# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
add:
zone "daoyou.com" { type master; file "master/cnc/daoyou.com"; };
# vi telecom.def
add:
zone "daoyou.com" { type master; file "master/telecom/daoyou.com"; };

Add the Netcom records; they resolve to 61.45.55.78:
# vi cnc/daoyou.com
add:
$TTL 3600
$ORIGIN daoyou.com.
@   IN  SOA ns.daoyou.com. root.ns.daoyou.com. (
        2005121013  ; Serial
        3600        ; Refresh (seconds)
        900         ; Retry (seconds)
        68400       ; Expire (seconds)
        15 )        ; Minimum TTL for zone (seconds)
;
@   IN  NS  ns.daoyou.com.
; ns.daoyou.com. should also get an A record (the address of this server),
; otherwise named warns that the NS name has no address records.
@   IN  A   61.45.55.78
www IN  A   61.45.55.78
;
;end

Add the Telecom records; they resolve to 210.75.1.178:
# vi telecom/daoyou.com
add:
$TTL 3600
$ORIGIN daoyou.com.
@   IN  SOA ns.daoyou.com. root.ns.daoyou.com. (
        2005121013  ; Serial
        3600        ; Refresh (seconds)
        900         ; Retry (seconds)
        68400       ; Expire (seconds)
        15 )        ; Minimum TTL for zone (seconds)
;
@   IN  NS  ns.daoyou.com.
@   IN  A   210.75.1.178
www IN  A   210.75.1.178
;
;end

# /usr/local/named/sbin/rndc reload
OK, at this point your DNS server is up and running. Try pinging the name from a Netcom line and from a Telecom line and compare the answers.
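As an added example (not code from the original post), the following Python script models the two things the configuration above relies on: how named picks a view for a client (first view whose match-clients list matches wins, so the order of view_cnc and view_any matters) and how the two nearly identical zone files can be generated from one template with a shared serial. The ACL prefixes and the two addresses are taken from the post; the function names, the template, the sample client addresses and the simplified matching (negated entries and key-based matching are omitted) are this example's own assumptions.

```python
"""Model of BIND view selection and per-view zone generation for daoyou.com.
Added example, not part of the original post."""
import ipaddress
from datetime import date

# acl "CNC" as in the post's named.conf.
CNC_ACL = ["58.16.0.0/16", "58.17.0.0/17", "58.17.128.0/17", "58.18.0.0/16",
           "58.19.0.0/16", "58.20.0.0/16", "58.21.0.0/16"]

# Views in named.conf order: (view name, match-clients list, A record served).
# Like named, the first matching view wins, so the "any" view must be last.
VIEWS = [
    ("view_cnc", CNC_ACL, "61.45.55.78"),
    ("view_any", ["any"], "210.75.1.178"),
]


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients matches client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for name, acl, _ in views:
        for entry in acl:
            if entry == "any" or addr in ipaddress.ip_network(entry):
                return name
    return None


def answer_for(client_ip, views=VIEWS):
    """The A record a client would receive for daoyou.com, or None."""
    chosen = select_view(client_ip, views)
    for name, _, ip in views:
        if name == chosen:
            return ip
    return None


# Same layout as the post's zone files; only the serial and the address vary.
ZONE_TEMPLATE = """$TTL 3600
$ORIGIN {origin}.
@   IN  SOA ns.{origin}. root.ns.{origin}. (
        {serial}  ; Serial
        3600        ; Refresh (seconds)
        900         ; Retry (seconds)
        68400       ; Expire (seconds)
        15 )        ; Minimum TTL for zone (seconds)
;
@   IN  NS  ns.{origin}.
@   IN  A   {ip}
www IN  A   {ip}
;
;end
"""


def zone_serial(day=None, revision=13):
    """YYYYMMDDnn serial (the convention behind the post's 2005121013).
    day is a 'YYYYMMDD' string, defaulting to today."""
    day = day or date.today().strftime("%Y%m%d")
    return int("%s%02d" % (day, revision))


def render_zone(origin, ip, serial):
    return ZONE_TEMPLATE.format(origin=origin, ip=ip, serial=serial)


def render_all(origin, views=VIEWS, serial=None):
    """Map view name -> zone file text; every view gets the same serial."""
    serial = serial or zone_serial()
    return {name: render_zone(origin, ip, serial) for name, _, ip in views}


if __name__ == "__main__":
    # Constructed sample clients: one Netcom address, one Telecom address, one LAN address.
    for client in ("58.17.200.1", "210.75.1.1", "192.168.1.5"):
        print(client, "->", select_view(client), answer_for(client))
    for view, text in render_all("daoyou.com", serial=2005121013).items():
        print("=== %s ===" % view)
        print(text)
```

Swapping the two views in VIEWS (as the test below does) makes every client match view_any, which is the most common mistake when a new view is appended after the catch-all.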
Appendix: how to obtain the IP address ranges

1) Using a shell script to obtain the address ranges
#!/bin/sh
FILE=/root/study/apnic/ip_apnic
mkdir -p "$(dirname "$FILE")"
rm -f "$FILE"
wget http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest -O "$FILE"

# Records look like: apnic|CN|ipv4|58.16.0.0|65536|20050525|allocated
# Field 4 is the start address, field 5 the number of addresses in the block.
grep 'apnic|CN|ipv4|' "$FILE" | cut -f 4,5 -d'|' | sed -e 's/|/ /g' | while read ip cnt
do
    echo "$ip:$cnt"
    # Prefix length = 32 - log2(count). This is exact only when the count is a
    # power of two; other counts are rounded down, so such blocks are only
    # partly covered.
    mask=$(bc <<EOF | tail -1
pow=32;
define log2(x) {
    if (x<=1) return (pow);
    pow--;
    return (log2(x/2));
}
log2($cnt)
EOF
)
    echo "$ip/$mask" >> cn.net
    # Ask APNIC whois for the netname of the block and keep the part before the first '-'.
    NETNAME=$(whois -h whois.apnic.net "$ip" | sed -e '/./{H;$!d;}' -e 'x;/netnum/!d' | grep ^netname | sed -e 's/.*: \(.*\)/\1/g' | sed -e 's/-.*//g')
    case $NETNAME in
        CNC) echo "$ip/$mask" >> CNCGROUP ;;
        CHINANET|CNCGROUP) echo "$ip/$mask" >> "$NETNAME" ;;
        CHINATELECOM) echo "$ip/$mask" >> CHINANET ;;
        *) echo "$ip/$mask" >> OTHER ;;
    esac
done

2) Use data that is available online. Below are the latest sources; run them through awk to produce the address ranges.
wget http://218.66.103.230/vpn_route/cnc.new        (new Netcom routing table)
wget http://218.66.103.230/vpn_route/chinanet.new   (new Telecom routing table)
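Added example (not from the post): a Python version of the address-range extraction that reads the delegated-apnic-latest format and renders the result as a named.conf acl block. It goes one step beyond the shell script above: ipaddress.summarize_address_range splits a block whose count is not a power of two (3072, for instance) into an exact set of prefixes, where the log2 rule rounds the count down and leaves part of the block uncovered; adjacent blocks are also merged. The sample records are constructed for this example, and post_style_prefix reproduces the shell script's rule only for comparison; the whois classification step is not repeated here.

```python
"""delegated-apnic-latest -> CIDR prefixes -> BIND acl. Added example, not from the post."""
import ipaddress

# Constructed sample in the delegated-apnic-latest format
# (registry|cc|type|start|value|date|status), including header and summary lines.
SAMPLE = """\
2|apnic|20060815|12345|19830101|20060815|+1000
apnic|*|ipv4|*|100|summary
apnic|CN|ipv4|58.16.0.0|65536|20050525|allocated
apnic|CN|ipv4|58.17.0.0|65536|20050525|allocated
apnic|CN|ipv4|58.24.0.0|3072|20050525|allocated
apnic|CN|ipv4|58.22.0.0|1024|20050525|allocated
apnic|JP|ipv4|59.128.0.0|65536|20050525|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated
"""


def parse_delegated(text, cc="CN"):
    """Yield (start address, address count) for every ipv4 record of country cc."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 5 or fields[0] != "apnic":
            continue
        if fields[1] != cc or fields[2] != "ipv4":
            continue
        yield fields[3], int(fields[4])


def post_style_prefix(count):
    """The shell script's rule, 32 - floor(log2(count)); exact only for powers of two."""
    return 32 - (count.bit_length() - 1)


def to_prefixes(start, count):
    """Exact CIDR cover of start .. start+count-1 as one or more networks."""
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    return list(ipaddress.summarize_address_range(first, last))


def cidr_list(text, cc="CN"):
    """All prefixes for cc, with adjacent and overlapping networks merged, as strings."""
    nets = []
    for start, count in parse_delegated(text, cc):
        nets.extend(to_prefixes(start, count))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render_acl(name, prefixes):
    """Render an acl block in the shape of the post's acl "CNC" { ... };"""
    body = "\n".join("    %s;" % p for p in prefixes)
    return 'acl "%s" {\n%s\n};\n' % (name, body)


if __name__ == "__main__":
    # 58.24.0.0 with 3072 addresses: the log2 rule gives /21 (2048 addresses),
    # the exact cover is 58.24.0.0/21 plus 58.24.8.0/22.
    print("log2 rule for 3072 ->", "/%d" % post_style_prefix(3072))
    print("exact cover      ->", [str(n) for n in to_prefixes("58.24.0.0", 3072)])
    print(render_acl("CN", cidr_list(SAMPLE)))
```

Feeding the real file is a matter of reading it into `cidr_list` instead of SAMPLE; the output block can be pasted into named.conf in place of the acl "CNC" shown in section 2, or split by netname the way the shell script does.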