大家在使用bind的时候经常会划分不同的view。因为每个view下的zone都需要单独修改,人肉修改比较麻烦,这时可以使用nsupdate进行批量操作,只要注意给每个view使用正确的记录就行。
使用nsupdate需要给每个view都创建一个key,并在每个view中指定只允许对应的这个key进行更新。
views.key文件:
// TSIG keys, one per view.  named.conf refers to them by name in
// match-clients / allow-update, and nsupdate.sh carries the same secrets.
// hmac-md5 is the legacy TSIG algorithm and is considered weak; when the
// keys are regenerated (tsig-keygen), hmac-sha256 is accepted by both
// named and nsupdate and should be preferred.
key "default" {
  algorithm hmac-md5;
  secret "GkbQ6Q2WtVqu9pk8WzPDOA==";
};
key "test1" {
  algorithm hmac-md5;
  secret "4qEjC+NgFmRvGdt8DuCRDA==";
};
key "test2" {
  algorithm hmac-md5;
  secret "88PUPwk66CbQacWCgFG0kw==";
};
named.conf文件:
// rndc control channel, loopback only.  "rndc-key" is not defined in
// views.key above, so it presumably comes from another file that named
// includes (e.g. rndc.key); an undefined key name is a configuration error.
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
//
// Source-address ACLs used by match-clients in the views below.
// Note that the slave 192.18.208.31 (in slavedns) also falls inside
// test2's 192.0.0.0/8, so its transfers and queries are matched by view
// "test2" and it only ever receives that view's copy of test.org --
// verify that this is intended.
acl test1 {
  10.0.0.0/8;
};
acl test2 {
  192.0.0.0/8;
};
acl slavedns {
  192.18.208.31; //ztt dns1
  127.0.0.1;
};
options {
  listen-on port 53 { any; };
  listen-on-v6 { none; };
  directory "/opt/bind/etc/";
  dump-file "/opt/bind/var/named/data/cache_dump.db";
  statistics-file "/opt/bind/var/named/data/named_stats.txt";
  memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
  zone-statistics yes;
  allow-query { any; };
  # recursion config
  # Together with listen-on { any; } and allow-query { any; } this makes the
  # server an open recursive resolver for every address that can reach
  # port 53 (each view below also sets recursion yes).  Authoritative
  # answers can stay public while recursion is limited to trusted ranges,
  # e.g. allow-recursion { test1; test2; localhost; };
  recursion yes;
  max-ncache-ttl 60;
  recursive-clients 2000;
  # dnssec config
  dnssec-enable yes;
  dnssec-validation yes;
  # DLV (dnssec-lookaside) has been retired by ISC and newer BIND releases
  # no longer accept this statement; it can be dropped.
  dnssec-lookaside auto;
  # rrt config
  # Response rate limiting: caps identical responses per client /32 to blunt
  # reflection/amplification abuse of the open resolver above.
  rate-limit {
    responses-per-second 20;
    qps-scale 1000;
    window 4;
    slip 2;
    ipv4-prefix-length 32;
  };
  # rpz config
  # rpz.zone is declared as a master zone in every view below.
  response-policy {
    zone "rpz.zone" policy given;
  };
  # log query
  # Full query logging; the "queries" category in logging{} decides where it goes.
  querylog yes;
  #define version
  # Replaces the real BIND version string in version.bind answers.
  version "GNUer's dns 2.0";
  ## transfer config
  # notify explicit: NOTIFY is sent only to also-notify, not to the NS RRset.
  notify explicit;
  tcp-clients 2000;
  transfers-out 100;
  # 127.0.0.1 is already a member of slavedns; it is listed twice here.
  allow-transfer { slavedns; 127.0.0.1;};
  also-notify {
    192.18.208.31;
  };
  /* Path to ISC DLV key */
  #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};
logging {
  // One file channel per topic, rotated at 100m with 3-5 versions.
  // general_debug and database_debug are declared but no category below
  // ever sends anything to them.
  channel default_syslog { file "/opt/bind/var/log/named.syslog" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_debug { file "/opt/bind/var/log/named.run" versions 5 size 100m; severity dynamic; print-time yes;};
  channel default_stderr { stderr; severity info; };
  channel null { null; };
  channel general_debug { file "/opt/bind/var/log/named.general" versions 3 size 100m; severity dynamic; print-time yes;};
  channel database_debug { file "/opt/bind/var/log/named.database" versions 3 size 100m; severity dynamic; print-time yes;};
  channel query_log { file "/opt/bind/var/log/named.query" versions 3 size 100m; severity dynamic; print-time yes;print-severity yes; print-category yes;};
  channel resolver_log { file "/opt/bind/var/log/named.resolver" versions 3 size 100m; severity dynamic; print-time yes;};
  channel security_log { file "/opt/bind/var/log/named.security" versions 3 size 100m; severity dynamic; print-time yes;};
  channel notify_log { file "/opt/bind/var/log/named.notify" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m; severity dynamic; print-time yes;};
  channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m; severity dynamic; print-time yes;};
  // Every category not listed below (general, config, lame-servers, dnssec,
  // ...) is discarded, so e.g. configuration warnings are lost.  Consider
  // pointing default at general_debug or default_syslog instead of null.
  category default {null; };
  category queries { query_log; };
  category resolver { resolver_log; };
  // security: approval/denial of requests (refused updates, transfers,
  // recursion) -- the file to watch for abuse attempts.
  category security { security_log; };
  // notify, both transfer directions and dynamic updates share named.notify.
  category notify { notify_log; };
  category xfer-in { notify_log; };
  category xfer-out { notify_log; };
  category update { notify_log; };
  category unmatched {default_syslog; };
  category rate-limit {rrt_log;};
  category rpz {rpz_log;};
};
// Views are tried top to bottom, first match wins.  An address in acl test1
// lands here, and so does any request TSIG-signed with key "test1"
// regardless of source address -- which is how nsupdate.sh, talking to
// 127.0.0.1 (outside 10.0.0.0/8), reaches this view's copy of test.org.
view "test1" {
  recursion yes;
  allow-query { any; };
  match-clients {test1; key test1;};
  // View-wide default: every master zone below accepts updates signed with
  // key test1 unless the zone sets its own allow-update (rpz.zone does).
  allow-update { key test1; };
  zone "test.org" {
    type master;
    file "master/test.org.view1";
  };
  zone "rpz.zone" {
    type master;
    file "master/rpz.zone";
    // The same policy file is loaded by all three views; it is never
    // changed through dynamic update.
    allow-update {none;};
  };
  zone "."{
    type hint;
    file "named.root";
  };
};
// Second view: acl test2 (192.0.0.0/8) or a request signed with key "test2".
// The signed-request match is what lets nsupdate.sh on 127.0.0.1 update
// test.org.view2 without being inside 192.0.0.0/8.
view "test2" {
  recursion yes;
  allow-query { any; };
  match-clients {test2; key test2;};
  // View-wide default for every master zone here; rpz.zone overrides it.
  allow-update { key test2; };
  zone "test.org" {
    type master;
    file "master/test.org.view2";
  };
  zone "rpz.zone" {
    type master;
    file "master/rpz.zone";
    // Shared policy file, read-only from the update path.
    allow-update {none;};
  };
  zone "."{
    type hint;
    file "named.root";
  };
};
// Catch-all: {any;} takes every client not already claimed by test1/test2,
// so this view has to stay last.  Because the earlier views match on source
// address first, a client inside 10.0.0.0/8 or 192.0.0.0/8 that signs with
// key "default" is still answered by test1/test2 and its update is refused
// there; only clients outside both ranges (such as 127.0.0.1) reach this
// view's copy of test.org.
view "default" {
  recursion yes;
  allow-query { any; };
  match-clients {any;key default; };
  // View-wide default for every master zone here; rpz.zone overrides it.
  allow-update { key default; };
  zone "test.org" {
    type master;
    file "master/test.org.default";
  };
  zone "rpz.zone" {
    type master;
    file "master/rpz.zone";
    // Shared policy file, read-only from the update path.
    allow-update {none;};
  };
  zone "."{
    type hint;
    file "named.root";
  };
};
nsupdate脚本(nsupdate.sh):
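#!/bin/bash
# nsupdate.sh -- send a TSIG-signed dynamic update to the local named for one
# view at a time.  See usage() for the command-line forms.
#
# Requires bash 4+ (associative array).

# TTL written on every added record.
readonly TTL=600

# view name -> TSIG secret, mirroring views.key.  The view name doubles as the
# key name, so each entry must match both the `key "..."` statement and the
# `view "..."` statement in named.conf.  Anyone who can read this file can
# update every view: keep it unreadable to other users, or move the secrets to
# a separate file with restrictive permissions.
declare -A views
views["test1"]="4qEjC+NgFmRvGdt8DuCRDA=="
views["test2"]="88PUPwk66CbQacWCgFG0kw=="
views["default"]="GkbQ6Q2WtVqu9pk8WzPDOA=="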
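#######################################
# Print the two command-line forms and abort.
# Globals:   none ($0 is the script name)
# Arguments: none
# Outputs:   usage text on stderr (it is an error message, not a result)
# Returns:   exits the script with status 1
#######################################
usage(){
  printf '%s\n' \
    "$0 view add/delete type domain record" \
    "$0 view mod type1:type2 domain record1:record2" >&2
  exit 1
}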
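# Exactly five positional arguments: view action type domain record.
if [ $# -ne 5 ];then
  usage
fi
view=$1
action=$2
dtype=$3
domain=$4
target=$5

# An unknown view would expand to an empty secret and surface only as an
# opaque TSIG failure from named; refuse it up front instead.
if [ -z "$view" ] || [ -z "${views[$view]+set}" ]; then
  printf 'unknown view: %s\n' "$view" >&2
  usage
fi

#######################################
# Run one TSIG-signed nsupdate transaction against the local named.
# The secret is handed to nsupdate on stdin via its `key` command rather than
# with -y on the command line, so it does not appear in `ps` output or in the
# shell history of anyone who copies the command.  The algorithm is pinned to
# hmac-md5 to match views.key.
# Globals:   view, views (read)
# Arguments: one "update ..." line per argument, sent in a single transaction
# Returns:   nsupdate's exit status
#######################################
send_update() {
  printf '%s\n' \
    "server 127.0.0.1" \
    "key hmac-md5:$view ${views[$view]}" \
    "$@" \
    "send" | nsupdate
}

#######################################
# Print the coloured result line for the operator.
# Globals:   domain (read)
# Arguments: $1 - exit status of nsupdate; $2 - record to show in the message
# Outputs:   one line on stdout
#######################################
report() {
  if [ "$1" -eq 0 ]; then
    printf 'update %s --> %s \e[1;32msuccessfull\e[m\n' "$domain" "$2"
  else
    printf 'update %s --> %s \e[1;31mfailed\e[m\n' "$domain" "$2"
  fi
}

case $action in
  add|delete)
    send_update "update $action $domain $TTL $dtype $target"
    # The record just sent is $target ($ntarget only exists in the mod branch).
    report "$?" "$target"
    ;;
  mod)
    # Split type1:type2 and record1:record2 on the first ':'.  Everything after
    # it is kept as the new value, so an IPv6 address (which itself contains
    # ':') works as the *new* record; it still cannot be used as the old one.
    otype=${dtype%%:*}
    ntype=${dtype#*:}
    otarget=${target%%:*}
    ntarget=${target#*:}
    # Delete and add go out in one message so the name is never left without a
    # record between the two steps.
    send_update "update delete $domain $TTL $otype $otarget" \
      "update add $domain $TTL $ntype $ntarget"
    report "$?" "$ntarget"
    ;;
  *)
    usage
    ;;
esac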
使用示范:
给ax3.test.org.新增A记录10.20.1.33
./nsupdate.sh test2 add A ax3.test.org. 10.20.1.33
给ax3.test.org.删除A记录10.20.1.33
./nsupdate.sh test2 delete A ax3.test.org. 10.20.1.33
把ax3.test.org.从A记录10.20.1.3修改为cname到www.baidu.com.
./nsupdate.sh test2 mod A:CNAME ax3.test.org. 10.20.1.3:www.baidu.com.
把ax3.test.org.从cname到www.baidu.com.修改为A记录10.20.1.3
./nsupdate.sh test2 mod CNAME:A ax3.test.org. www.baidu.com.:10.20.1.3