Linux DNS: subdomain delegation, split (view-based) resolution, and caching DNS servers

Source: Internet
Author: User
Tags: subdomain

DNS subdomain delegation (subdomain authorization)
Purpose: the parent domain and a child domain can be served by different DNS servers,
while the parent DNS server remains able to resolve, or refer queries for, names inside the subdomain

Child zones
Managed by a different organisation: .cn and anonymous.cn
  .cn needs to know the subdomain's name servers (NS records)
  .cn is not obliged to look up names inside the subdomain on a client's behalf; it only refers the client
Managed by the same organisation: anonymous.cn and bj.anonymous.cn
  anonymous.cn needs to know the subdomain's name servers
  anonymous.cn is expected to look up names inside the subdomain for its clients (recursion)

————————————————————————————————

Case:
Child DNS: pc05.bj.anonymous.cn, 192.168.4.5, authoritative for the bj.anonymous.cn zone
Parent DNS: svr6.anonymous.cn, 192.168.4.6, authoritative for the anonymous.cn zone
Queries for names inside the subdomain are answered by the child DNS
(when a client asks the parent DNS for www.bj.anonymous.cn, the parent follows its
delegation to the child DNS and returns the result it obtains to the client)


Key points of the case
Basic steps:
Configure the parent DNS to serve the anonymous.cn zone
Configure the child DNS to serve the bj.anonymous.cn zone
In the parent zone, add the delegation records:
    <subdomain>.          IN NS  <child DNS FQDN>.
    <child DNS FQDN>.     IN A   <child DNS IP>       (glue record)
Test by querying a FQDN inside the subdomain
# vim /etc/named.conf                   (on the parent DNS, svr6)
options {
    directory "/var/named";
};

zone "anonymous.cn" IN {
    type master;
    file "anonymous.cn.zone";
};

# vim /var/named/anonymous.cn.zone      (on the parent DNS)
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       NS      svr6.anonymous.cn.
svr6    A       192.168.4.6
www     A       192.168.4.100
bj.anonymous.cn.        NS      pc05.bj.anonymous.cn.   ; delegation to the child DNS
pc05.bj.anonymous.cn.   A       192.168.4.5             ; glue record for the child DNS

The last A record is glue: the child's name server has a name inside the very zone being
delegated, so without it a resolver could never find the child. Keep glue in sync with the
child zone's own A record; stale glue silently sends resolvers to the wrong host.

# vim /etc/named.conf                   (on the child DNS, pc05)
options {
    directory "/var/named";
};
zone "bj.anonymous.cn" IN {
    type master;
    file "bj.anonymous.cn.zone";
};

# vim /var/named/bj.anonymous.cn.zone   (on the child DNS)
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       NS      pc05.bj.anonymous.cn.
pc05    A       192.168.4.5
www     A       192.168.4.101
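The delegation above only works while the parent's NS and glue records agree with what the child zone says about itself. The following Python script (an added example, not part of the original page or of BIND) parses both zone files as written above and reports three classic delegation faults: an NS set in the parent that differs from the child's apex NS set (lame delegation), glue missing for an in-zone name server, and glue whose address differs from the child's own A record. The zone texts are copies of the page's files; the STALE_PARENT_ZONE variant is constructed to show a failing case.

```python
"""Consistency check for the parent/child delegation configured on this page.
Added example; the zone texts are copies of the page's files plus one
deliberately broken variant, not live data. Pure stdlib, runs offline."""
import re

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)

PARENT_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       NS      svr6.anonymous.cn.
svr6    A       192.168.4.6
www     A       192.168.4.100
bj.anonymous.cn.        NS  pc05.bj.anonymous.cn.   ; delegation to the child DNS
pc05.bj.anonymous.cn.   A   192.168.4.5             ; glue record
"""

CHILD_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
@       NS      pc05.bj.anonymous.cn.
pc05    A       192.168.4.5
www     A       192.168.4.101
"""

# Constructed failure case: the child host moved to .50 but nobody updated the parent's glue
STALE_PARENT_ZONE = PARENT_ZONE.replace("A   192.168.4.5 ", "A   192.168.4.50")


def qualify(name, origin):
    """Turn '@' and relative names into lower-case FQDNs under origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Minimal BIND zone-file reader returning [(owner, type, [rdata...])].
    Handles ';' comments, $-directives, '@', relative owners, optional TTL/class
    fields and the parenthesised multi-line SOA. Not a full RFC 1035 parser."""
    origin = origin.rstrip(".").lower() + "."
    records, buf, depth, last_owner = [], "", 0, origin
    for raw in text.splitlines():
        line = raw.split(";")[0]
        buf = f"{buf} {line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth:
            continue                          # still inside ( ... )
        entry, buf = buf.replace("(", " ").replace(")", " "), ""
        toks = entry.split()
        if not toks or entry.startswith("$"):
            continue
        owner = last_owner if entry[0].isspace() else toks.pop(0)
        while toks and (TTL_RE.match(toks[0]) or toks[0].upper() == "IN"):
            toks.pop(0)                       # optional TTL and class fields
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "SOA"):   # rdata that starts with a domain name
            rdata[0] = qualify(rdata[0], origin)
        last_owner = qualify(owner, origin)
        records.append((last_owner, rtype, rdata))
    return records


def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Return a list of findings; an empty list means parent and child agree."""
    parent = parse_zone(parent_text, parent_origin)
    child = parse_zone(child_text, child_origin)
    zone = child_origin.rstrip(".").lower() + "."
    findings = []
    delegated = {r[2][0] for r in parent if r[1] == "NS" and r[0] == zone}
    child_ns = {r[2][0] for r in child if r[1] == "NS" and r[0] == zone}
    if not delegated:
        return [f"no NS records delegating {zone} in the parent zone"]
    if delegated != child_ns:
        findings.append(f"NS set mismatch: parent delegates to {sorted(delegated)}, "
                        f"child apex lists {sorted(child_ns)} (lame delegation risk)")

    def a_map(recs):
        out = {}
        for owner, rtype, rdata in recs:
            if rtype == "A":
                out.setdefault(owner, set()).add(rdata[0])
        return out

    parent_a, child_a = a_map(parent), a_map(child)
    for ns in sorted(delegated):
        if not ns.endswith("." + zone):
            continue                          # out-of-bailiwick NS needs no glue
        glue = parent_a.get(ns)
        if not glue:
            findings.append(f"missing glue: {ns} lies inside {zone} but has no A record in the parent")
        elif ns in child_a and glue != child_a[ns]:
            findings.append(f"stale glue: parent says {ns} -> {sorted(glue)}, "
                            f"child says {sorted(child_a[ns])}")
    return findings


if __name__ == "__main__":
    for label, parent in (("page config", PARENT_ZONE), ("stale glue", STALE_PARENT_ZONE)):
        print(label, check_delegation(parent, "anonymous.cn", CHILD_ZONE, "bj.anonymous.cn") or "OK")
```

Run it after every change to either zone file; the page's configuration passes, while the constructed stale-glue variant is flagged. The same check is worth pointing at the real parent and child zones before a cut-over, since named itself will load both files without complaint.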

——————————————————————————————————————

Authoritative DNS: serves at least one zone of its own
Caching (recursive, "preferred") DNS: serves no zone of its own; it resolves queries on behalf of clients

# dig @<server address> <name>          (send the query straight to that server)
QUESTION section:   what was asked
ANSWER section:     the resolution result
AUTHORITY section:  the name servers authoritative for the zone
ADDITIONAL section: addresses of those name servers (glue)
# dig @192.168.4.5 www.bj.anonymous.cn
;; QUESTION SECTION:
;www.bj.anonymous.cn.           IN      A

;; ANSWER SECTION:
www.bj.anonymous.cn.    86400   IN      A       192.168.4.101

;; AUTHORITY SECTION:
bj.anonymous.cn.        86400   IN      NS      pc05.bj.anonymous.cn.

;; ADDITIONAL SECTION:
pc05.bj.anonymous.cn.   86400   IN      A       192.168.4.5

;; Query time: 2 msec
;; SERVER: 192.168.4.5#53(192.168.4.5)
;; WHEN: Thu Jul 13 14:45:14 2017
;; MSG SIZE  rcvd: 88

This asks the child directly, so it proves only that the child zone loaded. To verify the
delegation itself, repeat the query against the parent (192.168.4.6): it must return the same
192.168.4.101, obtained by following its own NS and glue records to the child.

————————————————————————————————————————

Forwarding from the subdomain to the parent domain
A refinement of subdomain delegation for parent/child DNS servers run by one organisation:
[single master] the parent DNS can resolve FQDNs in the parent domain
[single master] the child DNS can resolve FQDNs in the subdomain
[delegation]    the parent DNS can also resolve FQDNs in the subdomain
[forward]       the child DNS can also resolve FQDNs in the parent domain

# vim /etc/named.conf                   (on the child DNS, pc05)
options {
    directory "/var/named";
};
zone "bj.anonymous.cn" IN {
    type master;
    file "bj.anonymous.cn.zone";
};
zone "anonymous.cn" IN {                // the subdomain forwards the parent domain
    type forward;                       // forwarding zone: holds no data of its own
    forwarders { 192.168.4.6; };        // address of the parent DNS
};

A forward zone is only consulted for recursive queries, so the child server must allow
recursion for the clients concerned (allow-recursion). By default named behaves as
"forward first" and falls back to resolving the name itself if the forwarder does not
answer; put forward only; inside the zone statement if that fallback is unwanted.

——————————————————————————————————

Split resolution (views)
When a query arrives, the server distinguishes clients by their source address
and returns different results (IP addresses) to different classes of clients.

Client --> CDN node --> origin server

Typical scenario:
a site under heavy load buys a content-distribution (CDN) service,
deploys many mirror nodes across regions and carrier networks,
and uses split resolution to steer each client to the node nearest to it

BIND views
Classify clients by sets of source addresses; each class gets its own answers.
view "unicom" {
    match-clients { <source address set 1>; ... ; };
    zone "xxx.cn" IN {
        ... zone data file 1 ...
    };
};

view "ctt" {
    match-clients { <source address set 2>; ... ; };
    zone "xxx.cn" IN {
        ... zone data file 2 ...
    };
};
(The same zone xxx.cn is defined once in each view, each with an independent zone data file; that is what makes the answers differ)
(Once any view is defined, every zone must be declared inside a view; zone statements outside views are no longer allowed)

ACL address lists
Collect a large set of client addresses under one name and reference that name in match-clients;
the built-in name any matches every address.
Views are tested in the order they appear in named.conf and the first match wins ("match stops"),
so list the most specific view first and the catch-all (any) view last.

acl "liantong" {                // Unicom network
    <IP address 1>; <IP address 2>; ...
    <network 1>; <network 2>; ...
    ...
};

acl "tietong" {                 // China Tietong (CRC) network
    <IP address 3>; <IP address 4>; ...
    <network 3>; <network 4>; ...
    ...
};

Configuring split resolution
Authoritative DNS: svr6.anonymous.cn, 192.168.4.6
Zone served: anonymous.cn
Split the A record for www.anonymous.cn as the example:
clients from 192.168.4.5 and 192.168.7.0/24 receive 192.168.4.100
all other addresses receive 1.2.3.4
# vim /etc/named.conf
options {
    directory "/var/named";
};
view "mylan" {
    match-clients { 192.168.4.5; 192.168.7.0/24; };
    zone "anonymous.cn" IN {
        type master;
        file "anonymous.cn.zone.1";     // www A 192.168.4.100
    };
};
view "other" {
    match-clients { any; };
    zone "anonymous.cn" IN {
        type master;
        file "anonymous.cn.zone.2";     // www A 1.2.3.4
    };
};

Order matters: if "other" were listed first, its any would capture every client and "mylan"
would never be selected. match-clients keys on the packet's source address, which UDP DNS does
not authenticate, so views steer clients; they are not a confidentiality boundary for
internal records.
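The first-match rule is the part of view configuration that most often bites, so here is the view selection logic as a small Python simulation (an added example, not part of the original page and not BIND code). The view names, client addresses and the two www answers mirror the mylan/other configuration above; the zone dictionaries are constructed stand-ins for anonymous.cn.zone.1 and anonymous.cn.zone.2, and the handling of any, none and "!"-negated entries follows BIND's documented address-match-list semantics.

```python
"""Simulate BIND view selection: match-clients lists are tested in the order
the views appear and the first match wins, so ordering decides which zone data
a client sees. Added example with constructed data mirroring the page's
"mylan"/"other" views; it is not BIND code."""
import ipaddress


def acl_matches(acl, client_ip):
    """BIND-style address match list: entries are IPs, CIDR prefixes, 'any',
    'none' or '!'-negated entries. The first entry that matches decides;
    a negated match rejects the client outright."""
    addr = ipaddress.ip_address(client_ip)
    for entry in acl:
        negate = entry.startswith("!")
        token = entry.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        else:
            net = ipaddress.ip_network(token, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return False


def select_view(views, client_ip):
    """Return the name of the first view whose match-clients matches, or None
    (named would then refuse the query)."""
    for view in views:
        if acl_matches(view["match_clients"], client_ip):
            return view["name"]
    return None


def resolve(views, client_ip, qname, rtype="A"):
    """Answer as named would: pick the view by source address, then look the
    name up in that view's zone data. Returns (view_name, [rdata])."""
    view_name = select_view(views, client_ip)
    if view_name is None:
        return None, []
    zone = next(v["zone"] for v in views if v["name"] == view_name)
    fqdn = qname.lower().rstrip(".") + "."
    return view_name, list(zone.get(fqdn, {}).get(rtype, []))


# Constructed stand-ins for anonymous.cn.zone.1 (LAN answers) and anonymous.cn.zone.2 (public answers)
ZONE_LAN = {"anonymous.cn.": {"NS": ["svr6.anonymous.cn."]},
            "svr6.anonymous.cn.": {"A": ["192.168.4.6"]},
            "www.anonymous.cn.": {"A": ["192.168.4.100"]}}
ZONE_PUBLIC = {"anonymous.cn.": {"NS": ["svr6.anonymous.cn."]},
               "svr6.anonymous.cn.": {"A": ["192.168.4.6"]},
               "www.anonymous.cn.": {"A": ["1.2.3.4"]}}

# Same order as the page's named.conf: specific view first, catch-all last
VIEWS = [
    {"name": "mylan", "match_clients": ["192.168.4.5", "192.168.7.0/24"], "zone": ZONE_LAN},
    {"name": "other", "match_clients": ["any"], "zone": ZONE_PUBLIC},
]
# The same two views with the catch-all first: "mylan" can never be selected
MISORDERED_VIEWS = [VIEWS[1], VIEWS[0]]

if __name__ == "__main__":
    for ip in ("192.168.4.5", "192.168.7.77", "192.168.4.6", "8.8.8.8"):
        print(ip, resolve(VIEWS, ip, "www.anonymous.cn"),
              resolve(MISORDERED_VIEWS, ip, "www.anonymous.cn"))
```

With VIEWS, 192.168.4.5 and any 192.168.7.x host get 192.168.4.100 and everyone else gets 1.2.3.4; with MISORDERED_VIEWS every client, including 192.168.4.5, lands in "other". A negated entry such as "!192.168.7.13" placed before "192.168.7.0/24" carves one host out of the LAN view, which is how BIND ACLs express exceptions.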

——————————————————————————————————————

Caching DNS
Caching name servers
obtain domain name -> IP address records from other DNS servers,
cache the results and reuse them, which speeds up later lookups
Configuration characteristics:
a caching DNS needs no authoritative zone of its own; caching can also be enabled on an existing authoritative server

Where caching DNS is used
Mainly: enterprise LANs whose Internet uplink has little bandwidth,
and the public DNS servers run by ISPs

Two ways to resolve a record:
Method one: root iteration; start at the root servers and follow referrals through the TLD, second-level, ... servers of the domain
Method two: global forwarding; forward every request to a designated public DNS and let it perform the recursion

Global forwarding cache:
Client --> caching/preferred DNS --> other public DNS
Configuring a forwarding caching DNS
Basic steps:
write the named.conf main configuration file
set forwarders { <public DNS>; }; in options
restart the named service and verify the caching DNS works
# vim /etc/named.conf
options {
    forwarders { 202.106.0.20; };       // upstream public DNS
};

Restrict who may use the cache (allow-query and allow-recursion limited to the LAN): a caching
server that recurses for anyone on the Internet is an open resolver and a ready-made amplifier
for reflected DNS flooding. Add forward only; if named should never fall back to iterating on
its own when the forwarder fails.

Root-iteration caching DNS:
Client --> caching DNS --> root DNS --> TLD DNS --> ... --> authoritative DNS
Configuring a root-iteration caching DNS
Basic steps:
write the named.conf main configuration file
add zone "." { type hint; ... }; for the root domain
provide the zone data file for the root domain
start the named service and verify the caching DNS works
# vim /etc/named.conf
options {
    directory "/var/named";
    forwarders { 202.106.0.20; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
(named.ca is the root hints file shipped with BIND and published on the Internet; it lists the addresses of the 13 root servers)
With the forwarders line present, named behaves as "forward first": it asks the forwarder and only
iterates from the root hints when the forwarder fails. Drop the forwarders line for a pure
root-iteration cache.
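To make the two modes, and the saving the cache produces, concrete, here is a small Python simulation of a caching resolver over an in-memory copy of the page's zones (an added example; it is not part of the original page and is not how named is implemented). The root and .cn servers with their 10.0.0.x addresses, and the one-zone-per-server layout, are constructed stand-ins; TTLs are ignored. The counters show root iteration costing one query per zone cut the first time, a later lookup under an already-learned cut costing one, and global forwarding costing the LAN cache exactly one query while the public resolver does the walking.

```python
"""Simulate the two caching-DNS modes on the page: root iteration (follow
referrals from the root hints) and global forwarding (hand the query to an
upstream recursive server). Added example over a constructed in-memory copy
of the page's zones; the root and .cn servers (10.0.0.x) are made up."""

# server ip -> (zone served, {owner: {rtype: [rdata, ...]}}); one zone per server for brevity
SERVERS = {
    "10.0.0.1": (".", {"cn.": {"NS": ["a.dns.cn."]},                  # stand-in root server
                       "a.dns.cn.": {"A": ["10.0.0.2"]}}),
    "10.0.0.2": ("cn.", {"anonymous.cn.": {"NS": ["svr6.anonymous.cn."]},   # stand-in .cn server
                         "svr6.anonymous.cn.": {"A": ["192.168.4.6"]}}),
    "192.168.4.6": ("anonymous.cn.", {                                # parent DNS from the page
        "anonymous.cn.": {"NS": ["svr6.anonymous.cn."]},
        "svr6.anonymous.cn.": {"A": ["192.168.4.6"]},
        "www.anonymous.cn.": {"A": ["192.168.4.100"]},
        "bj.anonymous.cn.": {"NS": ["pc05.bj.anonymous.cn."]},        # delegation
        "pc05.bj.anonymous.cn.": {"A": ["192.168.4.5"]}}),            # glue
    "192.168.4.5": ("bj.anonymous.cn.", {                             # child DNS from the page
        "bj.anonymous.cn.": {"NS": ["pc05.bj.anonymous.cn."]},
        "pc05.bj.anonymous.cn.": {"A": ["192.168.4.5"]},
        "www.bj.anonymous.cn.": {"A": ["192.168.4.101"]}}),
}
ROOT_HINTS = ["10.0.0.1"]          # the role named.ca plays in a real deployment


def authoritative_query(server_ip, qname):
    """Answer an A query like an authoritative server: ('answer', None, [ips]),
    ('referral', cut, {ns: [glue ips]}) when a delegation lies between the zone
    apex and qname, ('nxdomain', ..), or ('refused', ..) outside its zone."""
    zone, records = SERVERS[server_ip]
    if zone != "." and qname != zone and not qname.endswith("." + zone):
        return "refused", None, None          # not our zone and no recursion offered
    labels = qname.split(".")
    for i in range(len(labels) - 1):          # every suffix of qname down to the TLD
        cut = ".".join(labels[i:])
        if cut != zone and "NS" in records.get(cut, {}):
            glue = {ns: records.get(ns, {}).get("A", []) for ns in records[cut]["NS"]}
            return "referral", cut, glue
    if "A" in records.get(qname, {}):
        return "answer", None, records[qname]["A"]
    return "nxdomain", None, None


class CachingResolver:
    """TTLs are ignored (a real cache expires entries); queries_sent shows the
    network cost of each mode and how the cache removes it."""

    def __init__(self, root_hints, forwarders=None):
        self.root_hints = list(root_hints)
        self.forwarders = forwarders or []   # other CachingResolver objects (public DNS)
        self.answers = {}                    # qname -> [ip], cached positive answers
        self.ns_cache = {}                   # zone cut -> [ip], learned from referrals
        self.queries_sent = 0

    def resolve(self, qname):
        qname = qname.lower().rstrip(".") + "."
        if qname not in self.answers:
            ips = self._forward(qname) if self.forwarders else self._iterate(qname)
            if ips is None:
                return None                  # negative answers are not cached here
            self.answers[qname] = ips
        return self.answers[qname]

    def _forward(self, qname):
        """Global forwarding: one recursive query to a forwarder, which does the work."""
        for upstream in self.forwarders:
            self.queries_sent += 1
            ips = upstream.resolve(qname)
            if ips is not None:
                return ips
        return None

    def _iterate(self, qname):
        """Root iteration: start at the closest cached delegation (else the root
        hints) and follow referrals until an authoritative answer arrives."""
        servers = self._closest_servers(qname)
        for _ in range(10):                  # hop limit guards against referral loops
            self.queries_sent += 1
            kind, cut, data = authoritative_query(servers[0], qname)
            if kind == "answer":
                return data
            if kind != "referral":
                return None
            servers = [ip for ips in data.values() for ip in ips]      # use the glue
            if not servers:                  # glue-less NS names must be resolved first
                servers = [ip for ns in data for ip in (self.resolve(ns) or [])]
            if not servers:
                return None
            self.ns_cache[cut] = servers
        return None

    def _closest_servers(self, qname):
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            cut = ".".join(labels[i:])
            if cut in self.ns_cache:
                return self.ns_cache[cut]
        return self.root_hints


if __name__ == "__main__":
    public_dns = CachingResolver(ROOT_HINTS)          # the ISP resolver (202.106.0.20 on the page)
    lan_cache = CachingResolver(ROOT_HINTS, forwarders=[public_dns])
    print(lan_cache.resolve("www.bj.anonymous.cn"), lan_cache.queries_sent, public_dns.queries_sent)
```

Resolving www.bj.anonymous.cn by root iteration costs four queries (root, .cn, anonymous.cn, bj.anonymous.cn); asking again costs none, and a following lookup of www.anonymous.cn costs one because the anonymous.cn delegation is already cached. The forwarding LAN cache sends a single query and leaves the four-hop walk to the public resolver, which is the bandwidth argument the page makes for forwarding on a thin uplink.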

————————————————————————————————————————
Quickly building a DNS server
A DNS server based on global forwarding:
# vim /etc/named.conf
options {
    forwarders { <IP address of the public DNS>; };
};

A caching DNS server based on root iteration:
# vim /etc/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
