Subdomain Delegation
Subdomain delegation: the name servers of a zone are delegated by the parent zone, which carries NS records (and glue A records) for the child in its own zone file. The child zone itself is not involved in this step.
This is the same mechanism by which the root delegates a TLD:
com.      IN  NS  ns1.com.
com.      IN  NS  ns2.com.
ns1.com.  IN  A   2.2.2.1
ns2.com.  IN  A   2.2.2.2
To delegate xmdb.com, the .com name servers add these resource records to their own zone file:
xmdb.com.      IN  NS  ns1.xmdb.com.
xmdb.com.      IN  NS  ns2.xmdb.com.
xmdb.com.      IN  NS  ns3.xmdb.com.
ns1.xmdb.com.  IN  A   3.3.3.1
ns2.xmdb.com.  IN  A   3.3.3.2
ns3.xmdb.com.  IN  A   3.3.3.3
The parent zone knows about its child, but the child knows nothing about its parent: the delegation (NS records plus glue) lives only in the parent's zone file, and the child's zone file has no record pointing upward. That is why a resolver asked for www.baidu.com does not go straight to the .com servers; with an empty cache it starts at the root and follows the delegations down, one level at a time. The exception is a server configured with a forwarder, which hands queries to another server instead of walking down from the root.
Actual configuration
Requirement: for xmfb.com, delegate the subdomain ops.
Lab environment:
Parent zone server: 192.168.0.102
Subdomain server: 192.168.0.104
Parent zone configuration
Delegating the ops subdomain
# cat /var/named/xmfb.com.zone
$TTL 86400
$ORIGIN xmfb.com.
@       IN  SOA  ns1.xmfb.com. admin.xmfb.com. (
            2015042201
            1H
            5M
            7D
            1D )
        IN  NS   ns1
        IN  MX   10 mx1
        IN  MX   20 mx2
ns1     IN  A    192.168.0.102
mx1     IN  A    192.168.0.1
mx2     IN  A    192.168.0.2
www     IN  A    192.168.0.3
www     IN  A    192.168.0.4
ftp     IN  CNAME www
ops     IN  NS   ns1.ops        ; delegation of the subdomain ops
ops     IN  NS   ns2.ops        ; the subdomain has two name servers
ns1.ops IN  A    192.168.0.10   ; glue: addresses of the in-zone name servers
ns2.ops IN  A    192.168.0.20

Two details to get right in this file: the responsible-person field of the SOA must end with a dot (admin.xmfb.com.), otherwise $ORIGIN is appended and it becomes admin.xmfb.com.xmfb.com.; and comments in a zone file start with ";", not "#", which named-checkzone rejects as a syntax error.
When a query for a name under ops.xmfb.com reaches the parent server, the parent does not answer from its own data: it follows the NS records (recursing on the client's behalf if recursion is enabled) or hands back a referral, and the child zone's server gives the authoritative answer. The glue addresses must be the addresses on which the child's name servers actually listen; in this lab the child runs on 192.168.0.104 while the glue points at 192.168.0.10 and 192.168.0.20, so the subdomain host needs those addresses configured (or the glue needs changing) before delegation through the parent works.
Subdomain server configuration
Installing the software
# yum -y install bind
Main configuration file
# cat /etc/named.conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Because recursion is enabled, say explicitly who may use it with allow-recursion (covered under access control below) rather than relying on defaults; an authoritative server that also recurses for the whole Internet is an open resolver that can be abused for amplification and cache-poisoning attempts.
Zone definition in the included file
# cat /etc/named.rfc1912.zones
zone "ops.xmfb.com" IN {
        type master;
        file "ops.xmfb.com.zone";
};
Defining the zone file
# cat /var/named/ops.xmfb.com.zone
$TTL 86400
$ORIGIN ops.xmfb.com.
@       IN  SOA  ns1.ops.xmfb.com. admin.ops.xmfb.com. (
            2015042501
            1H
            10M
            3D
            1D )
        IN  NS   ns1
        IN  NS   ns2
ns1     IN  A    192.168.0.10
ns2     IN  A    192.168.0.20
www     IN  A    192.168.0.11
*       IN  A    192.168.0.11

The wildcard record means every name under ops.xmfb.com that has no record of its own (anything.ops.xmfb.com) also resolves to 192.168.0.11; use it deliberately, because it makes typos and probes for non-existent hosts succeed instead of returning NXDOMAIN.
Setting the group owner of the zone file so that named can read it
# chown :named /var/named/ops.xmfb.com.zone
Before reloading, check both files: named-checkconf /etc/named.conf and named-checkzone ops.xmfb.com /var/named/ops.xmfb.com.zone report syntax errors that would otherwise leave the zone unloaded.
Verifying resolution
# dig -t A www.ops.xmfb.com @192.168.0.104

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> -t A www.ops.xmfb.com @192.168.0.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63269
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ops.xmfb.com.              IN      A

;; ANSWER SECTION:
www.ops.xmfb.com.       86400   IN      A       192.168.0.11

;; AUTHORITY SECTION:
ops.xmfb.com.           86400   IN      NS      ns2.ops.xmfb.com.
ops.xmfb.com.           86400   IN      NS      ns1.ops.xmfb.com.

;; ADDITIONAL SECTION:
ns1.ops.xmfb.com.       86400   IN      A       192.168.0.10
ns2.ops.xmfb.com.       86400   IN      A       192.168.0.20

;; Query time: 1 msec
;; SERVER: 192.168.0.104#53(192.168.0.104)
;; WHEN: Thu Apr 23 13:30:47 2015
;; MSG SIZE  rcvd: 118

The aa flag shows the answer came from the child's own zone data. This query goes to the child directly, so it does not prove the delegation works; for that, ask the parent (dig -t A www.ops.xmfb.com @192.168.0.102, and dig +norecurse to see the referral with the NS and glue records).
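The delegation only works when the parent's NS and glue records agree with what the child zone says about itself; a stale parent (after the child renumbers a name server or adds one) produces lame delegations, and a glue record pointing at an address nobody controls any more is how subdomain takeovers start. The following is an added example, not code from the original post: a small zone-file parser and a consistency check run over the parent and child zone files from this lab (trimmed, embedded here as constructed strings), plus a constructed drift scenario in which the child moves ns2 to 192.168.0.21 and adds an ns3 at 192.168.0.30 without the parent being updated (those two addresses are hypothetical).

```python
"""Static check of a subdomain delegation: parent zone vs. child zone.

Added example (not part of the original post). The two zone files from the
lab are embedded as constructed strings; the parser is deliberately small
and covers only the master-file syntax those files use.
"""
import re
from collections import defaultdict

RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR"}


def fqdn(name, origin):
    """Absolute form of an owner or target name relative to origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return {(owner, rrtype): [rdata, ...]} for a master-file fragment.

    Handles $ORIGIN/$TTL, ';' comments, a blank owner field (inherits the
    previous owner) and parenthesised multi-line rdata such as the SOA.
    """
    origin = origin if origin.endswith(".") else origin + "."
    lines = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()),
                  "\n".join(lines))
    records = defaultdict(list)
    owner = origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0] not in " \t":              # explicit owner on this line
            owner = fqdn(fields.pop(0), origin)
        while fields and fields[0].upper() not in RRTYPES:
            fields.pop(0)                     # skip optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        records[(owner, rtype)].append(" ".join(rdata))
    return records


def check_delegation(parent, child, child_name):
    """Report the delegation mistakes a resolver would trip over."""
    child_name = child_name if child_name.endswith(".") else child_name + "."
    problems = []
    parent_ns = set(parent.get((child_name, "NS"), []))
    child_ns = set(child.get((child_name, "NS"), []))
    if not parent_ns:
        problems.append(f"{child_name} has no NS records in the parent: not delegated")
    if parent_ns != child_ns:
        problems.append(f"NS sets differ: parent={sorted(parent_ns)} child={sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child_name):
            continue                          # out-of-bailiwick server: no glue needed
        glue = set(parent.get((ns, "A"), []))
        if not glue:
            problems.append(f"{ns} is inside the child zone but has no glue A record in the parent")
            continue
        own = set(child.get((ns, "A"), []))
        if own and glue != own:
            problems.append(f"glue for {ns} says {sorted(glue)} but the child zone says {sorted(own)}")
    return problems


# Constructed from the lab's xmfb.com.zone (trimmed to the relevant records).
PARENT_ZONE = """\
$TTL 86400
$ORIGIN xmfb.com.
@       IN  SOA  ns1.xmfb.com. admin.xmfb.com. (
            2015042201 1H 5M 7D 1D )
        IN  NS   ns1
ns1     IN  A    192.168.0.102
www     IN  A    192.168.0.3
ops     IN  NS   ns1.ops        ; delegation of the subdomain ops
ops     IN  NS   ns2.ops
ns1.ops IN  A    192.168.0.10   ; glue for the in-zone name servers
ns2.ops IN  A    192.168.0.20
"""

# Constructed from the lab's ops.xmfb.com.zone.
CHILD_ZONE = """\
$TTL 86400
$ORIGIN ops.xmfb.com.
@       IN  SOA  ns1.ops.xmfb.com. admin.ops.xmfb.com. (
            2015042501 1H 10M 3D 1D )
        IN  NS   ns1
        IN  NS   ns2
ns1     IN  A    192.168.0.10
ns2     IN  A    192.168.0.20
www     IN  A    192.168.0.11
*       IN  A    192.168.0.11
"""

# Constructed drift: ns2 renumbered and ns3 added, parent never told (hypothetical addresses).
CHILD_ZONE_DRIFTED = CHILD_ZONE.replace("192.168.0.20", "192.168.0.21") + \
    "@       IN  NS   ns3\nns3     IN  A    192.168.0.30\n"

if __name__ == "__main__":
    parent = parse_zone(PARENT_ZONE, "xmfb.com.")
    for label, text in (("as configured", CHILD_ZONE), ("after drift", CHILD_ZONE_DRIFTED)):
        child = parse_zone(text, "ops.xmfb.com.")
        print(label, check_delegation(parent, child, "ops.xmfb.com") or "delegation consistent")
```

A static comparison of the two files cannot see the lab's other problem (the child host answers on 192.168.0.104, an address that appears in neither zone); that only shows up when the delegation is exercised with dig against the parent.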
Defining a forwarder
Why use forwarders?
1. When the subdomain server needs a name from the parent zone it has no record of the parent, so it would start at the root and walk down, which wastes time. It can instead hand every query it is not authoritative for to the parent server and let the parent resolve it.
2. A company DNS server can forward its clients' queries to the local ISP's resolvers. Those resolvers cache the answers they fetch for everyone else, so a name that is already in their cache is answered immediately, which shortens resolution time.
Note: the server being forwarded to must allow recursion for the forwarding server; if it refuses recursion, the forwarded query gets no answer.
(1) Global forwarding: every query for a zone this server is not authoritative for is sent to the designated servers:
options {
        forward first | only;
        forwarders { ip; ... };
};
first: ask the forwarders; if they return no answer, this server resolves from the root itself.
only: rely on the forwarders alone; if they return no answer the query fails, it is never sent to the root.
(2) Zone forwarding: forward only the queries for one particular zone:
zone "zone_name" IN {
        type forward;
        forward first | only;
        forwarders { ip; ... };
};
Note: the post turns DNSSEC off so that forwarding works even when the forwarders return no DNSSEC data:
dnssec-enable no;
dnssec-validation no;
Switching validation off means this server accepts whatever the forwarder (or anyone able to spoof its replies) sends back, so keep dnssec-validation yes unless the forwarders demonstrably cannot pass DNSSEC records. dnssec-enable is obsolete in current BIND releases; only dnssec-validation matters there.
Basic security-related configuration in BIND:
ACL: groups one or more addresses into a named set that other statements refer to by that name:
acl acl_name {
        ip;
        ip;
        net/prefixlen;
};
BIND has four built-in ACLs:
none: no host;
any: every host;
localhost: the addresses of this machine itself;
localnets: the networks this machine's interfaces are attached to (each interface address combined with its netmask);
Note: an ACL must be defined before it is referenced, so ACLs are normally placed before the options block in named.conf.
Access-control directives:
allow-query {}: hosts allowed to query; a whitelist;
allow-transfer {}: hosts allowed to perform zone transfers (AXFR/IXFR); a whitelist. With no allow-transfer, BIND 9.8 (the version used here) hands the complete zone to anyone who asks, which exposes every host name and address in it; set it on each master zone or once in options;
allow-recursion {}: hosts for which the server performs recursive resolution;
allow-update {}: hosts allowed to send dynamic updates to the zone. Since an update arrives in a single UDP packet, an address-only allow-update is spoofable; prefer update-policy with a TSIG key.
Example:
acl slaves { 192.168.0.104; };      # define an access control list
zone "xmfb.com" IN {
        type master;
        file "xmfb.com.zone";
        allow-transfer { slaves; };  # use the access control list
};
Views
A view classifies requesters by source address and answers each class from a different zone file, so the same name can resolve to different addresses for different clients (split-horizon DNS). It is mainly used in CDN deployments.
Configuration:
view view_name {                    # define a view
        match-clients { ... };      # source addresses this view serves
        zone "..." { ... };         # zones resolved by this view
        zone "..." { ... };
};                                  # end of the view
A BIND server can define several views, and each view can contain one or more zones;
Each view matches one set of clients;
Several views may need to serve the same zone, but each from its own zone file;
Notes:
(1) Once a view is defined, every zone must be defined inside a view; no zone may remain at the top level;
(2) The root hint zone only needs to be defined in the views whose clients are allowed to recurse;
(3) When a query arrives, the views' match-clients lists are checked from top to bottom, and the first view that matches the source answers the query.
Lab environment
Example:
A web server is deployed on the intranet. Intranet users should obtain the web server's intranet address from the DNS server, while external users should obtain the public address that the gateway publishes for it.
Before the view is defined, an intranet client reaches the web server like this:
1. It asks the DNS server for the web server's address and gets the gateway's public address.
2. It connects to the gateway's public address.
3. The gateway translates the request with NAT and passes it to the web server.
After the view is defined, the intranet client reaches the server like this:
1. It asks the DNS server and gets the web server's intranet address.
2. It connects to the intranet web server directly.
The benefit of the view is that intranet users skip the trip through the gateway's NAT, which speeds up access; it also keeps the internal addressing out of the answers given to outside clients.
Topology:
Gateway: 192.168.0.1 on the outside and 172.16.0.1 on the inside, with routing enabled
172.16.0.0/16 simulates the intranet
192.168.0.0/24 simulates the extranet
DNS server: 172.16.4.100
Client: 192.168.0.104
Make sure the DNS server and the client can ping each other.
Server configuration
DNS server configuration
# cat /etc/named.conf
options {
        listen-on port 53 { 172.16.4.100; 127.0.0.1; };
        directory "/var/named";
};
acl mynet {                             # ACL holding the intranet addresses
        172.16.0.0/16;
        127.0.0.0/8;
};
view internal {                         # view for intranet clients
        match-clients { mynet; };       # intranet client list; the ACL is referenced by name
        allow-recursion { mynet; };     # allow recursion for them
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "xmfb.com" IN {
                type master;
                file "xmfb.com.zone";
        };
};                                      # end of the intranet view
view external {                         # view for extranet clients
        match-clients { any; };
        zone "xmfb.com" IN {
                type master;
                file "xmfb.com.external";
                allow-update { none; };
        };
};                                      # end of the extranet view

Order matters: match-clients { any; } catches everything, so the external view must come last, or intranet clients would be served the public addresses. The external view carries no root hint zone and no allow-recursion, so outside clients get authoritative answers only (the dig output below shows "recursion requested but not available"). Neither zone sets allow-transfer, so anyone able to reach the server can pull the whole zone; add allow-transfer { none; } to options and an explicit list on the zones that have secondaries.
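The access-control directives above and the view configuration just shown are easy to get wrong by omission: a zone without allow-transfer, a view that recurses for everyone, validation switched off. The following is an added example, not code from the original post: a minimal parser for the named.conf syntax and a few checks run over a constructed copy of the view configuration above (weak) and a hardened version of it (the secondary address 172.16.4.101 in the hardened copy is hypothetical). The parser does not follow include lines, so the zones have to be in the text it is given.

```python
"""Audit a named.conf for the access-control settings discussed above.

Added example (not part of the original post). Parses BIND's named.conf
syntax into a statement tree and reports zones open to transfer or update,
recursion left unrestricted, and DNSSEC validation switched off.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Stmt:
    words: List[str]                        # e.g. ['zone', 'xmfb.com', 'IN']
    block: Optional[List["Stmt"]] = None    # statements inside { ... }, if any


_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(text: str) -> List[Stmt]:
    """Tokenize and build the statement tree; #, // and /* */ comments are dropped."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(#|//)[^\n]*", " ", text)
    tokens = _TOKEN.findall(text)
    pos = 0

    def block() -> List[Stmt]:
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, inner = [], None
            while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                inner = block()
                pos += 1                    # consume the closing '}'
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words or inner is not None:
                stmts.append(Stmt(words, inner))
        return stmts

    return block()


def find(stmts, name):
    return [s for s in stmts if s.words and s.words[0] == name]


def first(stmts, name):
    hits = find(stmts, name)
    return hits[0] if hits else None


def members(stmt):
    """Address-list entries of a statement such as allow-transfer { a; b; }."""
    return [w for s in (stmt.block or []) for w in s.words]


def audit(text: str):
    """Return (code, where) findings, innermost scope overriding options."""
    conf = parse(text)
    options = first(conf, "options")
    opt = options.block if options else []
    findings = []

    def setting(name, *scopes):
        for scope in scopes:                # walk from the innermost scope outwards
            hit = first(scope, name)
            if hit is not None:
                return hit
        return None

    def check_scope(stmts, label):
        # BIND defaults to 'recursion yes'; demand an explicit, non-'any'
        # allow-recursion unless recursion is switched off for this scope.
        rec = setting("recursion", stmts, opt)
        if not (rec and rec.words[1:] == ["no"]):
            ar = setting("allow-recursion", stmts, opt)
            if ar is None or "any" in members(ar):
                findings.append(("recursion-not-restricted", label))
        for z in find(stmts, "zone"):
            name = z.words[1] if len(z.words) > 1 else "?"
            zb = z.block or []
            ztype = first(zb, "type")
            if ztype is None or ztype.words[1:] not in (["master"], ["slave"]):
                continue                    # hint/forward zones hold no data to transfer
            xfer = setting("allow-transfer", zb, stmts, opt)
            if xfer is None or "any" in members(xfer):
                findings.append(("open-transfer", f"{label} / zone {name}"))
            upd = setting("allow-update", zb, stmts, opt)
            if upd is not None and "any" in members(upd):
                findings.append(("open-update", f"{label} / zone {name}"))

    dv = first(opt, "dnssec-validation")
    if dv and dv.words[1:] == ["no"]:
        findings.append(("dnssec-validation-off", "options"))
    views = find(conf, "view")
    if views:                               # with views, every query is answered in a view
        for v in views:
            check_scope(v.block or [], f"view {v.words[1] if len(v.words) > 1 else '?'}")
    else:
        check_scope(conf, "options")
    return findings


# Constructed copy of the view configuration from the post.
WEAK_CONF = """
options {
        listen-on port 53 { 172.16.4.100; 127.0.0.1; };
        directory "/var/named";
};
acl mynet { 172.16.0.0/16; 127.0.0.0/8; };
view internal {
        match-clients { mynet; };
        allow-recursion { mynet; };
        zone "." IN { type hint; file "named.ca"; };
        zone "xmfb.com" IN { type master; file "xmfb.com.zone"; };
};
view external {
        match-clients { any; };
        zone "xmfb.com" IN { type master; file "xmfb.com.external"; allow-update { none; }; };
};
"""

# Hardened version; the secondary at 172.16.4.101 is a hypothetical address.
HARDENED_CONF = """
acl mynet   { 172.16.0.0/16; 127.0.0.0/8; };
acl slaves  { 172.16.4.101; };           // secondary for the internal zone (constructed)
options {
        listen-on port 53 { 172.16.4.100; 127.0.0.1; };
        directory "/var/named";
        allow-transfer { none; };        // no zone leaves the box unless a zone says otherwise
        dnssec-validation yes;
};
view internal {
        match-clients { mynet; };
        recursion yes;
        allow-recursion { mynet; };
        zone "." IN { type hint; file "named.ca"; };
        zone "xmfb.com" IN { type master; file "xmfb.com.zone"; allow-transfer { slaves; }; };
};
view external {
        match-clients { any; };
        recursion no;                    // authoritative only for outsiders
        zone "xmfb.com" IN { type master; file "xmfb.com.external"; allow-update { none; }; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

The check mirrors how BIND resolves these settings (zone, then view, then options) so that a global allow-transfer { none; } with a per-zone override is recognised as safe, while the page's configuration is reported for both open zones and for the external view's recursion being left to defaults.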
Intranet zone file
# cat xmfb.com.zone
$TTL 86400
$ORIGIN xmfb.com.
@       IN  SOA  ns1.xmfb.com. admin.xmfb.com. (
            2015042201
            1H
            5M
            7D
            1D )
        IN  NS   ns1
        IN  MX   10 mx1
        IN  MX   20 mx2
ns1     IN  A    172.16.4.100
mx1     IN  A    172.16.1.1
mx2     IN  A    172.16.1.2
www     IN  A    172.16.1.3
www     IN  A    172.16.1.4
ftp     IN  CNAME www
Extranet zone file
# cat xmfb.com.external
$TTL 86400
$ORIGIN xmfb.com.
@       IN  SOA  ns1.xmfb.com. admin.xmfb.com. (
            2015042201
            1H
            5M
            7D
            1D )
        IN  NS   ns1
        IN  MX   10 mx1
        IN  MX   20 mx2
ns1     IN  A    172.16.4.100
mx1     IN  A    192.168.1.1
mx2     IN  A    192.168.1.2
www     IN  A    192.168.1.3
www     IN  A    192.168.1.4
ftp     IN  CNAME www

Note that ns1 still carries its intranet address 172.16.4.100 in the external file. That works in this lab only because the gateway routes the client to it; on a real deployment the external file should publish the name server's public address, otherwise outside resolvers cannot reach it and the internal address leaks.
Verification
Intranet resolution:
# dig -t A www.xmfb.com @172.16.4.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> -t A www.xmfb.com @172.16.4.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14808
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.xmfb.com.                  IN      A

;; ANSWER SECTION:
www.xmfb.com.           86400   IN      A       172.16.1.4    ; resolved to the intranet address
www.xmfb.com.           86400   IN      A       172.16.1.3

;; AUTHORITY SECTION:
xmfb.com.               86400   IN      NS      ns1.xmfb.com.

;; ADDITIONAL SECTION:
ns1.xmfb.com.           86400   IN      A       172.16.4.100

;; Query time: 1 msec
;; SERVER: 172.16.4.100#53(172.16.4.100)
;; WHEN: Thu Apr 23 19:11:19 2015
;; MSG SIZE  rcvd: 96

Extranet resolution (run from the client 192.168.0.104):
# dig -t A www.xmfb.com @172.16.4.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> -t A www.xmfb.com @172.16.4.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9925
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.xmfb.com.                  IN      A

;; ANSWER SECTION:
www.xmfb.com.           86400   IN      A       192.168.1.3   ; resolved to the extranet address
www.xmfb.com.           86400   IN      A       192.168.1.4

;; AUTHORITY SECTION:
xmfb.com.               86400   IN      NS      ns1.xmfb.com.

;; ADDITIONAL SECTION:
ns1.xmfb.com.           86400   IN      A       172.16.4.100

;; Query time: 7 msec
;; SERVER: 172.16.4.100#53(172.16.4.100)
;; WHEN: Thu Apr 23 19:15:52 2015
;; MSG SIZE  rcvd: 96

The missing ra flag and the warning confirm that the extranet client landed in the external view, which offers no recursion; the intranet client's answer carried ra because the internal view allows recursion for mynet.
This article is from the "Plum blossom fragrance from bitter cold" blog; please keep this source when reposting: http://ximenfeibing.blog.51cto.com/8809812/1640472
BIND advanced applications