智能DNS的配置主要修改named.conf文件,利用view和acl来实现。
acl文件内容,这里只列出一部分,具体详细的可以参考这个网址
纯真IP库,给出了十分详细的IP地址,下载安装后,打开软件,点击解压就可以获取到txt文本格式的IP地址
http://www.crsky.com/soft/2611.html
IP转换为acl工具下载地址
http://blog.lishixin.net/linux/468.html/attachment/dnstool
按照下面博客中的步骤将IP转换为acl格式
http://blog.lishixin.net/archives/468#more-468
注意事项:
一旦配置了view,所有的zone都必须包含到某个view中,
包括下面这两行include进来的zone:
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
下面是本配置需要的acl文件,这里只列出部分IP段,不影响正常使用。
# Create the directory that holds the per-province source-IP ACL files
# referenced by named.conf; -p makes this a no-op if it already exists.
mkdir -p /var/named/acl/srcip/
# Open (or create) the AnHui ACL file and paste in the acl statements shown
# below. Any editor works; vim is simply what the author used.
vim /var/named/acl/srcip/AnHui.acl
// AnHui source-address ACLs, one per carrier. Only a sample of each
// carrier's prefixes is listed; the full list comes from the IP database
// referenced above. The names are used by match-clients in named.conf.
// Note that AnHui.tietong is defined but no view on this page references
// it, so those clients fall through to "external-view".
acl "AnHui.cnc" {
  36.32.0.0/24;
  36.32.1.0/24;
  36.32.2.0/24;
};
acl "AnHui.telcom" {
  36.4.0.0/24;
  36.4.1.0/24;
  36.4.2.0/24;
};
acl "AnHui.tietong" {
  61.235.36.0/24;
  61.235.37.0/24;
  61.235.38.0/24;
};
acl "AnHui.mobile" {
  101.36.128.0/24;
  101.36.129.0/24;
  101.36.130.0/24;
};
acl "AnHui.cernet" {
  1.51.64.0/24;
  1.51.65.0/24;
  1.51.100.0/24;
};
# Same for BeiJing: each province gets its own .acl file, and named.conf
# pulls each one in with an include statement.
vim /var/named/acl/srcip/BeiJing.acl
// BeiJing source-address ACLs, one per carrier. Entries mix single hosts
// (e.g. 1.25.36.67) with CIDR prefixes; both are valid address-match-list
// elements. Only a sample is listed; BeiJing.tietong, like AnHui.tietong,
// is not referenced by any view on this page.
acl "BeiJing.cnc" {
  1.25.36.67;
  1.25.36.68;
  1.25.36.69;
};
acl "BeiJing.telcom" {
  1.92.0.0/16;
  1.93.0.0;
  1.93.0.1;
};
acl "BeiJing.tietong" {
  36.192.0.0/24;
  36.192.1.0/24;
  36.192.2.0/24;
};
acl "BeiJing.mobile" {
  36.128.0.0/16;
  36.129.0.0/16;
  36.130.0.0/16;
};
acl "BeiJing.cernet" {
  42.247.0.128;
  42.247.0.129;
  42.247.0.130;
};
主DNS服务器的named.conf配置,修改后需要重启:service named restart(重启前可先用named-checkconf检查语法)
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Primary (master) server of a split-horizon setup: each carrier ACL file
// defines the source networks that the matching view below serves.
include "/var/named/acl/srcip/AnHui.acl";
include "/var/named/acl/srcip/BeiJing.acl";
//include "/var/named/include_acl";

options {
  listen-on port 53 { 127.0.0.1; 192.168.1.100; }; // this host is the primary DNS server
  listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // NOTE(review): an options-level allow-query is the default for every
  // view, so clients matched by the carrier ACLs (e.g. 36.4.0.0/24) are
  // refused here unless a view sets its own allow-query — confirm whether
  // the carrier views are meant to answer those networks or only the LAN.
  allow-query { localhost; 192.168.1.0/24; };
  allow-transfer { localhost; 192.168.1.101; }; // only the secondary may transfer zones
  // Without cache access, recursive answers are refused and web browsing
  // breaks. NOTE(review): "recursion yes" plus "allow-query-cache any" is
  // only safe because allow-query above is narrow; if allow-query is ever
  // widened, add allow-recursion { localhost; 192.168.1.0/24; }; so the
  // server cannot be used as an open resolver.
  allow-query-cache { any; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
  // NOTE(review): DLV was retired in 2017 and newer BIND releases reject
  // this option; it is kept here only because the distribution template
  // shipped it — verify against the installed BIND version.
  dnssec-lookaside auto;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

// Views are tested in the order written; the first match-clients that
// matches the query source wins, so "external-view" (any) must stay last.
// Every zone, including the two distribution includes, is repeated inside
// each view because once views are used no zone may live outside one.

// China Telecom
view "telcom-view" {
  match-clients { AnHui.telcom; BeiJing.telcom; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type master;
    file "forward.unixmen"; // forward zone file
    allow-update { none; };
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen"; // reverse zone file
    allow-update { none; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// China Unicom
view "cnc-view" {
  match-clients { AnHui.cnc; BeiJing.cnc; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type master;
    file "forward.unixmen"; // forward zone file
    allow-update { none; };
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen"; // reverse zone file
    allow-update { none; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// China Mobile
view "mobile-view" {
  match-clients { AnHui.mobile; BeiJing.mobile; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type master;
    file "forward.unixmen"; // forward zone file
    allow-update { none; };
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen"; // reverse zone file
    allow-update { none; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// CERNET (China Education and Research Network)
view "cernet-view" {
  match-clients { AnHui.cernet; BeiJing.cernet; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type master;
    file "forward.unixmen"; // forward zone file
    allow-update { none; };
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen"; // reverse zone file
    allow-update { none; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// Catch-all for every client not matched above (presumably the LAN, given
// allow-query in options).
view "external-view" {
  match-clients { any; };
  recursion yes; // recursion is required here, otherwise clients cannot browse
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type master;
    file "forward.unixmen"; // forward zone file
    allow-update { none; };
  };
  zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen"; // reverse zone file
    allow-update { none; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// Shared secret for the rndc control channel; the secondary (192.168.1.101)
// presents the same key to the controls socket below.
// NOTE(review): this secret is published in this document — generate a
// fresh one with rndc-confgen before deploying, keep named.conf readable
// only by root and the named user, and prefer algorithm hmac-sha256 where
// the installed BIND supports it (hmac-md5 is no longer recommended).
key "rndc-key" {
  algorithm hmac-md5;
  secret "VcL5wC2GHCzCU7ju+ajC1Q==";
};

// NOTE(review): 0.0.0.0 binds the control socket on every interface; the
// allow list still limits who may connect, but binding explicitly to
// 127.0.0.1 and 192.168.1.100 would narrow the exposure.
controls {
  inet 0.0.0.0 port 953 allow { localhost; 192.168.1.101; } keys { "rndc-key"; };
};
从DNS服务器的named.conf配置,修改后需要重启:service named restart
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Secondary (slave) server: same carrier ACLs and view layout as the
// primary, but every zone is transferred from 192.168.1.100.
include "/var/named/acl/srcip/AnHui.acl";
include "/var/named/acl/srcip/BeiJing.acl";

options {
  listen-on port 53 { 127.0.0.1; 192.168.1.101; };
  listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // NOTE(review): only localhost may query, and this is the default for
  // every view below, so the carrier views never answer the networks in
  // their ACLs — widen this (or set allow-query per view) if the secondary
  // is meant to serve clients.
  // NOTE(review): no allow-transfer is set; on BIND versions whose default
  // is "any", anyone who passes allow-query can transfer the zones. Add
  // allow-transfer { none; }; unless this host must feed further secondaries.
  allow-query { localhost; };
  // Without cache access, recursive answers are refused and web browsing
  // breaks; recursion stays contained only because allow-query is narrow.
  allow-query-cache { any; };
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
  // NOTE(review): DLV was retired in 2017 and newer BIND releases reject
  // this option; verify against the installed BIND version.
  dnssec-lookaside auto;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

// Views are tested in order; "external-view" (any) must stay last.
// NOTE(review): all five views write the same slave files
// (slaves/unixmen.fwd, slaves/unixmen.rev) under /var/named; recent BIND
// releases reject a writable file shared by several zones ("already in
// use"), so run named-checkconf and, if it complains, give each view its
// own file name or use in-view. The slaves/ directory must be writable by
// the named user.

// China Telecom
view "telcom-view" {
  match-clients { AnHui.telcom; BeiJing.telcom; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.100; }; # primary DNS
  };
  zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.100; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// China Unicom
view "cnc-view" {
  match-clients { AnHui.cnc; BeiJing.cnc; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.100; }; # primary DNS
  };
  zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.100; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// China Mobile
view "mobile-view" {
  match-clients { AnHui.mobile; BeiJing.mobile; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.100; }; # primary DNS
  };
  zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.100; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// CERNET (China Education and Research Network)
view "cernet-view" {
  match-clients { AnHui.cernet; BeiJing.cernet; };
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.100; }; # primary DNS
  };
  zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.100; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// Catch-all for every client not matched above.
view "external-view" {
  match-clients { any; };
  recursion yes; // recursion is required here, otherwise clients cannot browse
  zone "." IN {
    type hint;
    file "named.ca";
  };
  zone "unixmen.local" IN {
    type slave;
    file "slaves/unixmen.fwd";
    masters { 192.168.1.100; }; # primary DNS
  };
  zone "1.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/unixmen.rev";
    masters { 192.168.1.100; };
  };
  include "/etc/named.rfc1912.zones";
  include "/etc/named.root.key";
};

// Same rndc key as the primary so each host can rndc the other.
// NOTE(review): this secret is published in this document — generate a
// fresh one with rndc-confgen before deploying, keep named.conf readable
// only by root and the named user, and prefer algorithm hmac-sha256 where
// the installed BIND supports it (hmac-md5 is no longer recommended).
key "rndc-key" {
  algorithm hmac-md5;
  secret "VcL5wC2GHCzCU7ju+ajC1Q==";
};

// NOTE(review): "*" binds the control socket on every interface; the allow
// list still limits who may connect, but binding explicitly to 127.0.0.1
// and 192.168.1.101 would narrow the exposure.
controls {
  inet * port 953 allow { 127.0.0.1; 192.168.1.100; } keys { "rndc-key"; };
};