Subdomain authorization (delegation)
Experiment description: a new server with IP 192.168.0.112 is configured as the primary DNS server for the subdomain a.test.com of test.com.
Experiment validation: the subdomain can be managed on its own, and names in the subdomain can be resolved by querying the parent domain's server, but the subdomain server cannot resolve names in the parent domain.
Experiment steps:
1. For forward delegation of the subdomain, you only need to add the NS record and its "glue record" to the parent domain's zone file:
[root@host ~]# vim /var/named/test.com.zone
$TTL 86400
@       IN SOA  ns.test.com. admin.test.com. (
                2015052613
                2H
                10M
                7D
                1D )
        IN NS   ns.test.com.
a       IN NS   ns.a.test.com.          # add the subdomain's NS record
        IN MX   10 mail.test.com.
ns      IN A    192.168.0.111
ns.a    IN A    192.168.0.112           # add the subdomain name server's A record (the glue record)
www     IN A    192.168.0.113
mail    IN A    192.168.0.114
web     IN A    192.168.0.115
pop3    IN CNAME mail.test.com.
2. Configuration file and zone files on the subdomain server:
[root@host ~]# vim /etc/named.rfc1912.zones    # configure the zones on the subdomain server
zone "a.test.com" IN {
        type master;
        file "a.test.com.zone";
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
[root@host ~]# vim /var/named/a.test.com.zone    # configure the forward zone file
$TTL 86400
a.test.com.     IN SOA  ns.a.test.com. admin.a.test.com. (
                2015052800
                1H
                5M
                7D
                3H )
a.test.com.     IN NS   ns.a.test.com.
mail            IN MX   10 mail
ns              IN A    192.168.0.112
mail            IN A    192.168.0.118
www             IN A    192.168.0.119
[root@host ~]# vim /var/named/192.168.0.zone    # configure the reverse zone file
$TTL 86400
@       IN SOA  ns.a.test.com. admin.a.test.com. (
                2015052800
                1H
                5M
                7D
                8H )
        IN NS   ns.a.test.com.
112     IN PTR  ns.a.test.com.
118     IN PTR  mail.a.test.com.
119     IN PTR
3. With the two steps above a simple subdomain has been created; now test it:
[root@host ~]# dig -t A www.a.test.com @192.168.0.111    # resolve a subdomain host through the parent domain server

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.a.test.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27976
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1    # note there is no "aa" in flags: the parent domain server's answer is not authoritative

;; QUESTION SECTION:
;www.a.test.com.                IN      A

;; ANSWER SECTION:    # resolved successfully!

;; AUTHORITY SECTION:
a.test.com.             86400   IN      NS      ns.a.test.com.

;; ADDITIONAL SECTION:
ns.a.test.com.          86400   IN      A       192.168.0.112

;; Query time: 39 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Fri May 29 19:51:29 2015
;; MSG SIZE  rcvd: 81
[root@host ~]# dig -t A www.a.test.com @192.168.0.112    # the subdomain server resolving its own zone

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.a.test.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1    # "aa" is present in flags: the subdomain server's own answer is authoritative

;; QUESTION SECTION:
;www.a.test.com.                IN      A

;; ANSWER SECTION:    # resolved successfully!

;; AUTHORITY SECTION:
a.test.com.             86400   IN      NS      ns.a.test.com.

;; ADDITIONAL SECTION:
ns.a.test.com.          86400   IN      A       192.168.0.112

;; Query time: 1 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Fri May 29 19:49:40 2015
;; MSG SIZE  rcvd: 81
[root@host ~]# dig -t A www.test.com @192.168.0.112    # resolve a parent domain host through the subdomain DNS server

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.test.com @192.168.0.112
;; global options: +cmd
;; connection timed out; no servers could be reached    # no result: this confirms that the subdomain server cannot resolve the parent domain
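A delegation only works when the parent's NS and glue records agree with what the child zone itself publishes; if the child later moves its name server and the parent's glue is not updated, resolvers following the delegation are quietly sent to the wrong address. The Python below is an added example, not code from the original post: it parses constructed copies of the two zone files above (trimmed to the records that matter for delegation) and checks that the parent's NS set and glue match the child's own records. parse_zone is a deliberately minimal parser for the zone syntax used on this page, not a full master-file parser; named-checkzone remains the tool for validating real zone files.

```python
import re

# Constructed copies of the two zone files shown above, reduced to the records
# that matter for delegation: the parent's NS + glue for a.test.com and the
# child's own NS + A records.
PARENT_ZONE = """\
$TTL 86400
@       IN SOA  ns.test.com. admin.test.com. (
                2015052613 2H 10M 7D 1D )
        IN NS   ns.test.com.
a       IN NS   ns.a.test.com.
        IN MX   10 mail.test.com.
ns      IN A    192.168.0.111
ns.a    IN A    192.168.0.112
www     IN A    192.168.0.113
"""

CHILD_ZONE = """\
$TTL 86400
a.test.com.     IN SOA  ns.a.test.com. admin.a.test.com. (
                2015052800 1H 5M 7D 3H )
a.test.com.     IN NS   ns.a.test.com.
ns              IN A    192.168.0.112
www             IN A    192.168.0.119
"""


def absolutize(name, origin):
    """Turn '@' and relative owner names into fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal parser for the zone-file syntax used on this page.

    Returns a list of (owner, type, rdata) with fully qualified owners. Handles
    $TTL, '@', owner inheritance from the previous record, relative names and the
    parenthesised multi-line SOA. It is not a complete RFC 1035 master-file parser.
    """
    origin = origin.rstrip(".") + "."
    text = re.sub(r";.*", "", text)                              # strip comments
    text = re.sub(r"\(([^)]*)\)",                                # join ( ... ) continuation lines
                  lambda m: " ".join(m.group(1).split()), text)
    records, last_owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():                       # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":                 # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype == "NS":                                        # NS targets may be relative too
            rdata = absolutize(rdata, origin)
        owner = absolutize(owner, origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_delegation(parent_records, child_records, child_origin):
    """Compare what the parent delegates (NS set and glue) with what the child zone
    publishes. Returns a list of problem descriptions; empty means consistent."""
    child_origin = child_origin.rstrip(".") + "."
    problems = []
    parent_ns = {rd for o, t, rd in parent_records if o == child_origin and t == "NS"}
    child_ns = {rd for o, t, rd in child_records if o == child_origin and t == "NS"}
    if not parent_ns:
        problems.append(f"parent zone has no NS record delegating {child_origin}")
    elif parent_ns != child_ns:
        problems.append(f"NS set mismatch for {child_origin}: parent {sorted(parent_ns)} "
                        f"vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not (ns == child_origin or ns.endswith("." + child_origin)):
            continue                                             # out-of-bailiwick server: no glue needed
        glue = {rd for o, t, rd in parent_records if o == ns and t == "A"}
        child_a = {rd for o, t, rd in child_records if o == ns and t == "A"}
        if not glue:
            problems.append(f"missing glue A record for {ns} in the parent zone")
        elif glue != child_a:
            problems.append(f"stale glue for {ns}: parent says {sorted(glue)}, "
                            f"child says {sorted(child_a)}")
    return problems


if __name__ == "__main__":
    parent = parse_zone(PARENT_ZONE, "test.com")
    child = parse_zone(CHILD_ZONE, "a.test.com")
    print("delegation problems:", check_delegation(parent, child, "a.test.com") or "none")
    # Constructed failure: the child moved its name server, the parent's glue was not updated.
    moved = parse_zone(CHILD_ZONE.replace("192.168.0.112", "192.168.0.120"), "a.test.com")
    print("after moving ns.a.test.com:", check_delegation(parent, moved, "a.test.com"))
```

Run as-is it reports no problems for the page's zones, then shows the stale-glue case. The same check applied to the zone transfer from a real parent and child (dig axfr, where allow-transfer permits it) is a cheap pre-flight before changing a name server's address.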
Forwarding
From the experiment above we can see that the subdomain server does not know where the parent domain is, so of course it cannot resolve the parent domain. Is there a way to solve this? Of course, and it is quite simple: we just need to configure forwarding on the subdomain server.
[root@host ~]# vim /etc/named.conf    # edit the subdomain server's configuration file
options {
        forward first;          # enable forwarding in "first" mode; the mode can also be set to "only"
                                # only:  send the recursive request to the forwarder; if the forwarder cannot resolve the target, accept that result
                                # first: send the recursive request to the forwarder; if the forwarder cannot resolve the target, this server queries on its own
        forwarders { 192.168.0.111; };  # where to forward to; the possible values are covered in the supplementary notes below
};
[root@host ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@host ~]# dig -t A www.test.com @192.168.0.112    # test querying the parent domain through the subdomain server

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.test.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18252
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:

;; Query time: 1198 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Fri May 29 20:41:09 2015
;; MSG SIZE  rcvd: 257

With this simple configuration the subdomain server can now resolve the parent domain, but it introduces another problem: because we changed the global options, every query for any other domain that passes through the subdomain server is now forwarded to the parent domain server. Resolving arbitrary domains is not the parent domain server's job, so this is clearly not reasonable. Instead we need to specify that only queries for the parent domain are forwarded to it:

[root@host ~]# vim /etc/named.rfc1912.zones    # just specify forwarding for the parent domain in the zone configuration file
zone "test.com" IN {
        type forward;
        forward first;
        forwarders { 192.168.0.111; };
};
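The delegation tests and the forwarding test above are all judged by reading dig's flags line: "aa" present means the answering server is authoritative, "aa" absent with a populated answer means it resolved the name on our behalf (through the delegation or a forwarder), and "connection timed out" means nobody answered at all. The following Python is an added example, not code from the original post: it parses dig's text output and classifies a reply the same way, so the check can be scripted across many servers. The transcripts embedded in it are constructed to match the runs shown on this page; the ANSWER line, which this page's capture dropped, is assumed to be www.a.test.com. pointing at 192.168.0.119, the address in the child zone.

```python
import re

# Constructed transcripts modelled on the dig runs above. The ANSWER line is
# assumed (the page's capture lost it); everything else mirrors the page.
FROM_PARENT = """\
; <<>> DiG 9.8.2 <<>> -t A www.a.test.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27976
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.a.test.com.                IN      A

;; ANSWER SECTION:
www.a.test.com.         86400   IN      A       192.168.0.119

;; AUTHORITY SECTION:
a.test.com.             86400   IN      NS      ns.a.test.com.

;; ADDITIONAL SECTION:
ns.a.test.com.          86400   IN      A       192.168.0.112

;; Query time: 39 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Fri May 29 19:51:29 2015
;; MSG SIZE  rcvd: 81
"""
# Same query sent to the child server: "aa" set, answered by 192.168.0.112 (constructed).
FROM_CHILD = FROM_PARENT.replace("qr rd ra", "qr aa rd ra").replace("192.168.0.111", "192.168.0.112")
# The failed run before forwarding was configured.
TIMEOUT = """\
; <<>> DiG 9.8.2 <<>> -t A www.test.com @192.168.0.112
;; global options: +cmd
;; connection timed out; no servers could be reached
"""


def parse_dig(output):
    """Parse dig's text output into: status, header flags, section counts, the
    answering server, and the records of each section as token tuples."""
    result = {"status": None, "flags": set(), "counts": {}, "server": None, "sections": {}}
    if "no servers could be reached" in output:
        result["status"] = "UNREACHABLE"
        return result
    section = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags_part, counts_part = line[len(";; flags:"):].split(";", 1)
            result["flags"] = set(flags_part.split())
            for item in counts_part.split(","):
                name, num = item.split(":")
                result["counts"][name.strip().upper()] = int(num)
        elif re.match(r";; (\w+) SECTION:", line):
            section = re.match(r";; (\w+) SECTION:", line).group(1).upper()
            result["sections"][section] = []
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split(":", 1)[1].strip()
            section = None
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            result["sections"][section].append(tuple(line[1:].split()))   # ";name IN A"
        elif section and line and not line.startswith(";"):
            result["sections"][section].append(tuple(line.split()))
    return result


def classify_answer(parsed):
    """Name the kind of reply in the terms used by the experiments above."""
    if parsed["status"] == "UNREACHABLE":
        return "unreachable"
    if parsed["status"] != "NOERROR":
        return parsed["status"].lower()
    if "aa" in parsed["flags"]:
        return "authoritative"
    authority = parsed["sections"].get("AUTHORITY", [])
    if parsed["counts"].get("ANSWER", 0) == 0 and any(len(rr) > 3 and rr[3] == "NS" for rr in authority):
        return "referral"              # what dig +norecurse gets from the parent
    return "non-authoritative"         # resolved for us via delegation or a forwarder


if __name__ == "__main__":
    for label, text in (("parent", FROM_PARENT), ("child", FROM_CHILD), ("no forwarding", TIMEOUT)):
        parsed = parse_dig(text)
        print(f"{label:14s} server={parsed['server']} -> {classify_answer(parsed)}")
```

The parent answered the full A record rather than a bare referral because dig sends queries with the recursion-desired bit set and the parent server here allows recursion, so it followed its own delegation to the child on our behalf; repeating the first query with dig +norecurse shows the delegation itself (ANSWER 0, the NS record in AUTHORITY), which is the "referral" case in classify_answer.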
Additional notes:
Access control:
allow-transfer {};   defines the whitelist of hosts allowed to perform zone transfers;
allow-query {};      defines the whitelist of hosts allowed to query;
allow-update {};     defines the whitelist of hosts allowed to send dynamic updates;
allow-recursion {};  defines the whitelist of hosts allowed to make recursive queries;
recursion yes;       all hosts may make recursive queries.
Access control lists (ACLs) in BIND:
Built-in ACLs:
none (nothing allowed), any (everything allowed), localhost (the local host), localnets (the local networks)
Custom ACLs:
acl acl_name {
        ip;
        ip;
        network;
};
Example:
acl localnetwork {
        172.16.0.0/16;
        192.168.0.0/24;
};
allow-recursion { localnetwork; };
View
Depending on where the client comes from, the same name can be resolved to different values; this is also called intelligent resolution. We can direct requests from China Telecom to the server in the Telecom room and requests from China Unicom to the server in the Unicom room. Below we assume that the web server in the Telecom room has IP 192.168.0.113 and the web server in the Unicom room has IP 172.16.0.10.
Step 1: edit the configuration file, defining an ACL and the views:
[root@host ~]# vim /etc/named.conf
acl unicom {                            # define the Unicom ACL, named unicom
        192.168.0.111;
};
view "unicom" {                         # define the Unicom view, named unicom
        match-clients { unicom; };      # clients matching this ACL are answered from the zone below
        zone "test.com" {
                type master;
                file "unicom.test.com.zone";
        };
};
view "telecom" {
        match-clients { any; };         # views are evaluated in order: any client that did not match unicom matches here and is answered from the zone below
        zone "test.com" {
                type master;
                file "test.com.zone";
        };
};
Step 2: create the zone files unicom.test.com.zone and test.com.zone; this is not shown here.
Step 3: test the results:
[root@host ~]# dig -t A www.test.com @192.168.0.111    # query from the host with IP 192.168.0.111

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.test.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39197
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:    # resolved to the server in the Unicom room

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      ns.test.com.

;; ADDITIONAL SECTION:
ns.test.com.            86400   IN      A       192.168.0.111

;; Query time: 1 msec
;; SERVER: 192.168.0.111#53(192.168.0.111)
;; WHEN: Fri May 29 21:30:01 2015
;; MSG SIZE  rcvd: 79
[root@host ~]# dig -t A www.test.com @192.168.0.111    # query from the host with IP 192.168.0.112

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A www.test.com @192.168.0.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7626
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:    # resolved to the server in the Telecom room

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      ns.test.com.

;; ADDITIONAL SECTION:
ns.test.com.            86400   IN      A       192.168.0.111

;; Query time: 4 msec
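The access-control options in the notes above and the view selection just tested come down to one rule: BIND walks an address-match list element by element and the first hit decides. The Python below is an added example, not configuration or code from the original post: it models that evaluation with the ipaddress module, applies it to the localnetwork and unicom ACLs from this page and to the two views in their configured order, and answers the allow-recursion question for a given client. The addresses behind the built-in localhost and localnets ACLs, the www address stored in each view's zone file, and the handling of negated and nested elements are assumptions (a simplification of BIND's actual rules).

```python
from ipaddress import ip_address, ip_network

# Built-in ACLs modelled for this host. What localhost and localnets cover depends
# on the server's interfaces; the values here are assumed.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1", "::1"],
    "localnets": ["192.168.0.0/24"],
}

# The custom ACLs from the notes above (localnetwork) and the view example (unicom).
ACLS = {
    "localnetwork": ["172.16.0.0/16", "192.168.0.0/24"],
    "unicom": ["192.168.0.111"],
}

# The two views in configuration order: (name, match-clients list, zone file for test.com).
VIEWS = [
    ("unicom", ["unicom"], "unicom.test.com.zone"),
    ("telecom", ["any"], "test.com.zone"),
]

# Assumed content of the two zone files, following the room addresses given above
# (Unicom room web server 172.16.0.10, Telecom room web server 192.168.0.113).
WWW_BY_ZONE_FILE = {"unicom.test.com.zone": "172.16.0.10", "test.com.zone": "192.168.0.113"}


def acl_matches(client, entries, acls=None):
    """Evaluate an address-match list: elements are tried in order, the first hit
    decides, a '!' prefix negates (the client is rejected by that element), and a
    bare name refers to another ACL. Simplified relative to BIND's full rules."""
    acls = {**BUILTIN_ACLS, **ACLS, **(acls or {})}
    addr = ip_address(client)
    for entry in entries:
        negate = entry.startswith("!")
        item = entry.lstrip("!")
        if item in acls:
            hit = acl_matches(client, acls[item], acls)
        else:
            net = ip_network(item, strict=False)            # a bare IP becomes a /32 or /128
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return False


def select_view(client, views=VIEWS):
    """Pick the first view whose match-clients accepts the client, as BIND does.
    Returns (view name, zone file) or None when no view matches (BIND then refuses)."""
    for name, match_clients, zone_file in views:
        if acl_matches(client, match_clients):
            return name, zone_file
    return None


def answer_www(client):
    """The A record a client receives for www.test.com under the views above."""
    selected = select_view(client)
    return None if selected is None else WWW_BY_ZONE_FILE[selected[1]]


def recursion_allowed(client, allow_recursion):
    """allow-recursion { ... }; from the access-control notes: may this client ask
    the server to resolve names it is not authoritative for?"""
    return acl_matches(client, allow_recursion)


if __name__ == "__main__":
    for ip in ("192.168.0.111", "192.168.0.112", "10.9.8.7"):
        print(f"{ip:14s} view={select_view(ip)} www.test.com -> {answer_www(ip)}")
    print("recursion for 8.8.8.8 with { localnetwork; }:", recursion_allowed("8.8.8.8", ["localnetwork"]))
    print("recursion for 8.8.8.8 with { any; }:        ", recursion_allowed("8.8.8.8", ["any"]))
```

Two points for anyone copying the view layout. First, once a single view statement exists, BIND requires every zone, including those pulled in from named.rfc1912.zones, to be declared inside a view, otherwise named refuses to start. Second, the last two lines of the demo show why allow-recursion belongs in the notes: recursion yes combined with allow-recursion { any; } makes the server an open resolver that will recurse for anyone on the Internet, the usual precondition for DNS amplification abuse, while allow-recursion { localnetwork; } keeps recursion for your own clients and still answers authoritative queries for test.com from everywhere.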
That is all for this experiment; criticism and corrections from the experts are very welcome. Thank you!
This article is from the "Flying Snail" blog; please keep this source when reproducing it: http://ljmsky.blog.51cto.com/2878/1656516
DNS server configuration practice under Linux (III): subdomain delegation, forwarding and views