相信现在有不少地方都是起双重DNS的,即对外解析成公网地址,对内解析成内网地址。一般的做法是用两台DNS服务器分开来做的,但如果机器紧张,只有一台的话,或出于安全考虑的话,其实也是可以做的。在这里又分两种情况:使用Bind8和Bind9的做法是不一样的。Bind8的话,原理很简单在DNS服务器上运行两个BIND,分别为来自内部网络和外部网络的域名请求提供解析,每个BIND具有不同的配置文件和域名数据库文件,并分别在不同的端口监听。DNS服务器在接到客户端请求时,根据客户的IP地址将请求重定向到不同的BIND服务端口,这样就可以根据客户端的IP地址将不同的解析结果返回给客户端,而整个过程对于客户端来说都是透明的。实现的关键在于运行两个BIND及运用iptables命令进行IP地址及端口改写操作。具体配置的话:在/etc/下生成两个named配置文件named.in与named.outnamed.in## named.conf - configuration for bind(named.in)## Generated automatically by redhat-config-bind, alchemist et al.# Any changes not supported by redhat-config-bind should be put # in /etc/named.custom#include "/etc/named.custom";include "/etc/rndc.key";options { directory "/var/named_in/"; datasize 2098; ......};#Log Fileslogging { category queries { default_syslog; };};#DataBase Fileszone "0.0.127.in-addr.arpa" { type master; file "0.0.127.in-addr.arpa.zone"; };zone "10.in-addr.arpa" { type master; file "10.in-addr.arpa.zone"; };zone "localhost" { type master; file "localhost.zone"; };zone "xxu.edu.cn" { type master; file "xxu.edu.cn.zone"; };named.out## named.conf - configuration for bind(named.out)## Generated automatically by redhat-config-bind, alchemist et al.# Any changes not supported by redhat-config-bind should be put # in /etc/named.custom#include "/etc/named.custom";include "/etc/rndc.key";options { directory "/var/named_out/"; datasize 2098; ... ...};# 注意这里监听的端口不一样了listen-on port 8053 { # 本机IP地址 10.xx.xx.xx;}; #Log Fileslogging { category queries { default_syslog;};#DataBase Fileszone "0.0.127.in-addr.arpa" { type master; file "0.0.127.in-addr.arpa.zone"; };zone "xx.xx.210.in-addr.arpa" { type master; file "xx.xx.210.in-addr.arpa.zone"; };zone "localhost" { type master; file "localhost.zone"; };zone "xxu.edu.cn" { type master; file "xxu.edu.cn.zone"; };为什么选对外发布的做重定向呢,当时的考虑是对内解析的流量大,可以减少一个环节。然后做iptables的重定向,在iptable配置文件中添加-A PREROUTING -s ! 10.0.0.0/255.0.0.0 -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 8053-A POSTROUTING -o eth0 -p udp -m udp --sport 8053 -j SNAT --to-source 10.xx.xx.xx:53COMMIT最后在做一个启动脚本:#!/bin/shecho "Enabling IP Forwarding ..."echo 1 > /proc/sys/net/ipv4/ip_forwardecho "Enabling DNS(outside) Service ..."/usr/sbin/named -u named -c /etc/named.outecho "Enabling DNS(inside) Service ..."/usr/sbin/named -u named -c /etc/named.in重启机器就OK了!如果是用的Bind9的话,那就简单多了!只需要一个named.conf文件就搞定具体配置:include "/etc/rndc.key";options { directory "/var/named/"; ... ...};#Log Fileslogging { category queries { default_syslog; };};#DataBase Files#注意view和match-clients的用法,就是它们在起作用view "internal" { match-clients { 10.0.0.0/8; }; recursion yes; zone "." { type hint; file "named.ca"; }; zone "0.0.127.in-addr.arpa" { type master; file "0.0.127.in-addr.arpa.zone"; }; zone "localhost" { type master; file "localhost.zone"; }; zone "xxu.edu.cn" { type master; file "xxu.edu.cn.in.zone"; }; zone "10.in-addr.arpa" { type master; file "10.in-addr.arpa.zone"; };};view "external" { match-clients { any; }; recursion yes; zone "." { type hint; file "named.ca"; }; zone "0.0.127.in-addr.arpa" { type master; file "0.0.127.in-addr.arpa.zone"; }; zone "localhost" { type master; file "localhost.zone"; }; zone "xxu.edu.cn" { type master; file "xxu.edu.cn.out.zone"; }; zone "xx.xx.210.in-addr.arpa" { type master; file "xx.xx.210.in-addr.arpa.zone"; };};这样就配置好了!至于具体的数据文件,我想大家都应该会配置了,我这里就不多说了!
本文转自 firehare 51CTO博客,原文链接:http://blog.51cto.com/firehare/588159,如需转载请自行联系原作者
