DNS优化实例(BIND)
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了DNS优化实例(BIND)相关的知识,希望对你有一定的参考价值。
参考技术A 1、禁止递归查询
2、客户端安装缓存软件NSCD
3、CHROOT安全加固
4、负载均衡
5、DNS视图技术(智能DNS)
1、禁止递归查询
recursion on;
2、客户端安装缓存软件NSCD
yum -y install nscd
vi /etc/ncsd.conf
logfile /var/log/nscd.log
threads 4
max-threads 32
server-user nscd
debug-level 0
reload-count 5
paranoia no
restart-interval 3600
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
3、安全加固chroot
yum install -y bind bind-utils bind-libs bind-chroot
cp -R /usr/share/doc/bind- /sample/var/named/ /var/named/chroot/var/named/
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
cp -p /etc/named.conf /var/named/chroot/etc/named.conf
//开机启动
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
ln -s \'/usr/lib/systemd/system/named-chroot.service\' \'/etc/systemd/system/multi-user.target.wants/named-chroot.service\'
4、负载均衡
设置多个A记录,BIND会自动轮询
5、DNS视图技术,即根据来源IP选择解析,来源IP的定位可以通过日志来查询
logging
channel default_debug
file "data/named.run";
severity dynamic;
;
channel query_log #开启请求日志
file "/var/log/dns/query.log" versions 5 size 30m;
severity info;
print-time yes;
print-category yes;
;
category queries
query_log;
;
;
view "view_localnet_45"
match-clients # 使用match-clients指令,指定匹配来自这些用户的ip
localnet45; # 写的是acl配置文件定义的aclname
;
zone "ljf.com"
type master;
file "ljf.com.zone45"; #不同的匹配规则我这里写的是用不同的域名文件,方便管理
;
;
view "view_localnet_141"
match-clients
localnet141;
;
zone "ljf.com"
type master;
file "ljf.com.zone141";
;
;
include "/etc/named.root.key";
include "/etc/named/acl/localnet141.conf"; # 引入acl配置文件
include "/etc/named/acl/LocalNet45.conf"; # 引入acl配置文件
cat /etc/named/acl/localnet141.conf
acl "localnet141"
192.168.141.0/24; #针对192.168.141的网段
;
cat /etc/named/acl/LocalNet45.conf
acl "localnet45" # 定义acl的名字,方便named.conf里面的match-clients 去调用
192.168.45.0/24; # 针对192.168.45的网段
;
cat /var/named/ljf.com.zone141
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns
www IN A 192.168.141.3
ns IN A 102.168.141.3
cat /var/named/ljf.com.zone45
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns
www IN A 192.168.45.128
test IN A 192.168.45.2
ns IN A 192.168.45.129
DNS&BIND——DNS的ACL和视图
bind中的基础安全相关配置
(一)ACL定义:把一个或多个主机归并为一个集合,并通过一个统一的名称调用
acl acl_name{
ip;
ip;
net/prelen;
} ;实例:
acl mynet{机
172.25.0.0/46;
};bind 由四个内置的acl
none: 没有一个主机
any: 任意主机
local: 本机
localnet:本机的IP同掩码运算后得到的网络地址
注意: acl,先定义后使用,一般定义在配置文件中的option前面
访问控制的指令:
allow-query {}; #允许查询的主机 (白名单)
allow-transfer {}; #允许区域传送的主机 (白名单)
allow-recursion {}; #允许递归的主机(通常全局option)
allow-upadte {}; #允许更新区域数据库中内容
(二)视图( view)
一个bind服务器可以定义多个view,每个view中可定义一个或多个zone
每个view用来匹配一组客户端请求
多个view可能对同一个区域进行解析,但使用不同的区域解析文件
实例
view VIEW_NAME {
match-clients { };
};注意
一旦启用view,所有zone都只能定义在view中
仅有必要在匹配到允许递归请求(本地dns)的客户端所在view中定义根区域
客户端请求到达时,是自上而下匹配每个view所服务的客户端列表
下面我们来看一组ACL和view结合使用的实例~~
定义我的acl
[[email protected] named]# vim /etc/named.conf
acl mynet{
172.25.254.11;
172.25.254.10;
127.0.0.0/8;
};
定义视图
[[email protected] named]# vim /etc/named.rfc1912.zones
view internal {
match-clients { mynet; }; #匹配的客户端列表
allow-recursion { mynet; }; #允许递归的列表
zone "." IN {
type hint;
file "named.ca";
};
zone "lalala.com" IN {
type master;
file "lalala.com.zone";
allow-update { none; };
also-notify {172.25.254.10;};
};
};
在acl中的主机,就可以成功解析 ^-^
[[email protected] named]# dig -t A www.lalala.com @172.25.254.11
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A www.lalala.com @172.25.254.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65311
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.lalala.com. IN A
;; ANSWER SECTION:
www.lalala.com. 86400 IN A 172.25.254.11
不在acl中主机就不能访问 =-=
[[email protected] ~]# ip addr show br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 34:17:eb:76:53:97 brd ff:ff:ff:ff:ff:ff
inet 172.25.254.88/24 brd 172.25.254.255 scope global br0
[[email protected] ~]# dig -t A www.lalala.com @172.25.254.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.lalala.com @172.25.254.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49304
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.lalala.com. IN A
不同客户端解析同一个域名结果不一样
[[email protected] named]# vim /etc/named.rfc1912.zones
....
view external {
match-clients {any;};
#因为view按照视图定义顺序匹配主机,所以这里的any为剩下的主机
zone "lala la.com" IN {
type master;
file "lalala.com.external";
allow-update {none;};
};
};
[[email protected] named]# vim lalala.com.external
$TTL 1D
@ IN SOA ns1.lalala.com. admin.lalala.com (
2016060905; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.lalala.com.
NS ns2.lalala.com.
MX 10 mx1.lalala.com.
MX 20 mx2.lalala.com.
ns1 A 172.25.254.11
ns2 A 172.25.254.18
www A 2.2.2.2
* A 2.2.2.2
使用同一个DNS服务器,acl列表中解析的是172.25.254.11 ^-^
[[email protected] named]# dig -t A www.lalala.com @172.25.254.11
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A www.lalala.com @172.25.254.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10150
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.lalala.com. IN A
;; ANSWER SECTION:
www.lalala.com. 86400 IN A 172.25.254.11
使用同一个DNS服务器,其他主机解析的是2.2.2.2 ^-^
[[email protected] ~]# dig -t A www.lalala.com @172.25.254.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.lalala.com @172.25.254.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51279
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.lalala.com. IN A
;; ANSWER SECTION:
www.lalala.com. 86400 IN A 2.2.2.2
本文出自 “12049878” 博客,谢绝转载!
以上是关于DNS优化实例(BIND)的主要内容,如果未能解决你的问题,请参考以下文章