Subdomain authorization (delegation): a larger domain is divided into smaller zones, and each zone can be managed by one or more groups of servers. Those servers only resolve names within their own zone; requests outside their scope are generally forwarded to the parent domain or directly to the root. "Subdomain" is a relative term: a top-level domain is a subdomain of the root, and so on down the tree. What we call subdomain authorization here is done for a second-level domain name, that is, delegating a third-level domain name.
Subdomain authorization for a forward zone uses glue records, that is, an NS record and a matching A record are added to the parent domain. If a client's request goes beyond what the subdomain server can resolve, we also need to define a forwarding server.
To define a forwarding server:
Note: the server that requests are forwarded to must be able to perform recursion for the requester; otherwise the forwarded request will not get an answer.
(1) Global forwarding: every request for a zone that this server is not responsible for is forwarded to the designated server;
options {
    forward first|only;        # choose one: "first" falls back to normal resolution, "only" never does
    forwarders { ip; ip; };    # the servers to forward to
};
(2) Zone forwarding: only requests for a specific zone are forwarded to a server;
zone "ZONE_NAME" IN {
    type forward;
    forward first|only;        # choose one
    forwarders { ip; };
};
Configure subdomain authorization:
1. Add the following records to the zone file of the parent DNS server
# vim czcedu.com.zone
; delegation of ops.czcedu.com: NS records for the subdomain plus glue A records for its name servers
ops       IN NS   ns1.ops
ops       IN NS   ns2.ops
ns1.ops   IN A    192.168.1.107
ns2.ops   IN A    192.168.1.108
2. Add the subdomain's zone definition to the configuration of the subdomain DNS server
# vim /etc/named.rfc1912.zones
zone "ops.czcedu.com." IN {
    type master;
    file "ops.czcedu.com.zone";
};
3. Edit the zone file of the subdomain server
# vim ops.czcedu.com.zone
$TTL 1d
$ORIGIN ops.czcedu.com.
@       IN SOA  ns1.ops.czcedu.com. admin.ops.czcedu.com. (
                2015042701      ; serial, a 32-bit number (max 4294967295)
                1H              ; refresh
                10M             ; retry
                1W              ; expire
                1d )            ; negative-caching TTL
        IN NS   ns1
        IN NS   ns2
ns1     IN A    192.168.1.107
ns2     IN A    192.168.1.108
www     IN A    172.16.200.1
mail    IN CNAME www
ops.czcedu.com. IN A 192.168.1.107   ; absolute name (trailing dot); without it $ORIGIN would be appended
*       IN A    192.168.1.107        ; wildcard: any other name under the zone
# dig -t A www.ops.czcedu.com @192.168.1.107    # test subdomain resolution; here both the parent domain and the subdomain resolve correctly
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.ops.czcedu.com @192.168.1.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ops.czcedu.com.            IN      A

;; ANSWER SECTION:
www.ops.czcedu.com.     86400   IN      A       172.16.200.1

;; AUTHORITY SECTION:
ops.czcedu.com.         86400   IN      NS      ns1.ops.czcedu.com.
ops.czcedu.com.         86400   IN      NS      ns2.ops.czcedu.com.

;; ADDITIONAL SECTION:
ns1.ops.czcedu.com.     86400   IN      A       192.168.1.107
ns2.ops.czcedu.com.     86400   IN      A       192.168.1.108

;; Query time: 5 msec
;; SERVER: 192.168.1.107#53(192.168.1.107)
;; WHEN: Fri Apr 24 13:02:47 2015
;; MSG SIZE  rcvd: 120
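As an added example (not part of the original post), here is a small Python check of what steps 1 to 3 must agree on: the NS records and glue A records the parent zone publishes for the subdomain, and the NS and A records the subdomain's own zone file declares at its apex. The zone text is constructed from the records in the steps, the parser is a minimal one written for this example (not BIND's), and the stale-glue case is invented to show what an inconsistent (lame) delegation looks like.

```python
from collections import defaultdict

# Constructed sample zones for this example (mirroring the records added in
# the steps above; not the page's files verbatim).
PARENT_ORIGIN = "czcedu.com."
PARENT_ZONE = """\
$ORIGIN czcedu.com.
@       IN SOA  ns1.czcedu.com. admin.czcedu.com. ( 2015042701 1H 10M 1W 1d )
        IN NS   ns1
ns1     IN A    192.168.1.108
; delegation of the subdomain: NS records plus glue A records
ops     IN NS   ns1.ops
ops     IN NS   ns2.ops
ns1.ops IN A    192.168.1.107
ns2.ops IN A    192.168.1.108
"""
CHILD_ORIGIN = "ops.czcedu.com."
CHILD_ZONE = """\
$TTL 1d
$ORIGIN ops.czcedu.com.
@       IN SOA  ns1.ops.czcedu.com. admin.ops.czcedu.com. (
                2015042701 1H 10M 1W 1d )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    192.168.1.107
ns2     IN A    192.168.1.108
www     IN A    172.16.200.1
"""
# Constructed failure case: ns2 is renumbered in the child zone, parent glue never updated.
STALE_CHILD_ZONE = CHILD_ZONE.replace("ns2     IN A    192.168.1.108",
                                      "ns2     IN A    192.168.1.109")


def absolutize(name, origin):
    """Zone-file name -> lower-case absolute name ('@' and relative names)."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}").lower()


def parse_zone(text, origin):
    """Minimal master-file parser ($ORIGIN/$TTL, ';' comments, ( ) continuation,
    blank-owner inheritance). Returns {(owner, rrtype): [rdata, ...]}."""
    records, last_owner, buf, depth = defaultdict(list), origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                       # still inside a ( ... ) record
            continue
        joined, buf = " ".join(buf), []
        owner_given = not joined[0].isspace()   # leading blank = same owner as before
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        if owner_given:
            last_owner = absolutize(tokens.pop(0), origin)
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rrtype = tokens.pop(0).upper()
        if rrtype in ("NS", "CNAME"):
            tokens = [absolutize(tokens[0], origin)]
        elif rrtype == "SOA":
            tokens = [" ".join(tokens)]
        records[(last_owner, rrtype)].extend(tokens)
    return records


def check_delegation(parent, child, child_origin):
    """Compare the parent's NS + glue for the child with the child's own apex
    records. Empty list = consistent; otherwise clients may be sent to the wrong server."""
    problems = []
    parent_ns = set(parent.get((child_origin, "NS"), []))
    child_ns = set(child.get((child_origin, "NS"), []))
    if not parent_ns:
        problems.append(f"parent has no NS records for {child_origin}")
    if parent_ns != child_ns:
        problems.append(f"NS set mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child_origin):
            continue                        # out-of-bailiwick server: no glue needed
        glue = set(parent.get((ns, "A"), []))
        child_a = set(child.get((ns, "A"), []))
        if not glue:
            problems.append(f"missing glue A record for {ns} in parent zone")
        elif child_a and glue != child_a:
            problems.append(f"stale glue for {ns}: parent {sorted(glue)} vs child {sorted(child_a)}")
    return problems


def run(child_zone=CHILD_ZONE):
    parent = parse_zone(PARENT_ZONE, PARENT_ORIGIN)
    child = parse_zone(child_zone, CHILD_ORIGIN)
    return check_delegation(parent, child, CHILD_ORIGIN)


if __name__ == "__main__":
    print("consistent delegation:", run() or "OK")
    print("stale glue:", run(STALE_CHILD_ZONE))
```

The check mirrors what the dig output above demonstrates: the AUTHORITY and ADDITIONAL sections returned by the subdomain server must carry the same NS names and addresses that the parent's delegation records hand out, or the delegation breaks silently when one side is changed.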
4. Add a forwarding zone on the subdomain server so that resolution requests for the parent domain are forwarded to the parent domain's server
# vim /etc/named.conf
zone "czcedu.com" IN {
    type forward;
    forward only;
    forwarders { 192.168.1.108; };
};
5. Test that resolution of the parent domain succeeds
[Figure: http://s3.51cto.com/wyfs02/M01/6F/D0/wKiom1WpNkay1HZpAAI5b5KlbjA196.jpg]
Basic security-related configuration in BIND:
ACL (access control list): groups one or more addresses into a set that is referred to by a single name;
acl ACL_NAME {
    ip;
    ip;
    net/prefixlen;
};
Example:
acl mynet {
    172.16.0.0/16;
};
BIND has four built-in ACLs:
none: no host;
any: any host;
localhost: the machine itself;
localnets: the networks obtained by applying the netmask to each of this machine's IP addresses
The view implementation in BIND:
The primary role of a view is to direct hosts from different networks to servers on different network segments, which increases access speed and reduces server load. In our country, for example, the bandwidth between China Telecom and Netcom users is very small, while the bandwidth inside each network is very large, so by having DNS resolve the same domain name to different IPs we can send Telecom users to the Telecom server and Unicom users to the Unicom server. This is even one solution for a CDN (content distribution network). A CDN can also arrange for a domain name to resolve to a single IP, where the server owning that IP gives no answer itself but only dispatches requests from different zones to cache servers in different regions. This allows high-concurrency, high-speed responses to user requests, which will be covered in later posts.
Configure view:
1. Define the ACLs in the DNS server
[Figure: http://s3.51cto.com/wyfs02/M02/6F/CE/wKioL1WpOCOyOTX9AAF9LIGt_KE996.jpg]
2. Define the zone views in the configuration file
# vim /etc/named.rfc1912.zones
view internal {                        # define the intranet access policy
    match-clients    { mynet; };
    allow-recursion  { mynet; };       # only the intranet may make recursive queries

    zone "." IN {                      # only networks allowed to recurse need the root hints
        type hint;
        file "named.ca";
    };

    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };

    zone "czcedu.com." IN {
        type master;
        file "czcedu.com.zone";        # the intranet resolution library file
        allow-update { none; };
    };
};

view internet {                        # define the external (Internet) view
    match-clients    { internet; };
    allow-recursion  { none; };        # recursive queries are not allowed

    zone "czcedu.com." IN {
        type master;
        file "czcedu.com.internet";    # the external resolution library file
        allow-update { none; };
    };
};
3. Create the two zone files (the intranet and the external resolution libraries)
[Figure: http://s3.51cto.com/wyfs02/M01/6F/D1/wKiom1WpOXKyD00AAAFdJEeQHdU073.jpg]
[Figure: http://s3.51cto.com/wyfs02/M01/6F/D1/wKiom1WpOXLTy8SGAAFSg0EkoYE879.jpg]
4. DNS requests from different clients return different IPs
[Figure: http://s3.51cto.com/wyfs02/M02/6F/CE/wKioL1WpO3KgHVQEAAD0r_LxPhI533.jpg]
[Figure: http://s3.51cto.com/wyfs02/M02/6F/D1/wKiom1WpOZWAYyPfAAHU98egPF8853.jpg]
All right, that's it for the application of the DNS server; please correct me if there is any mistake.
This article is from the "Linuxlove" blog, make sure to keep this source http://linuxlover.blog.51cto.com/2470728/1675843
DNS subdomain authorization, view configuration detailed