上一篇blog简单写了一下使用nsupdate动态更新DNS记录。今天再写一下在多个view的时候如何设置主备的自动同步。
多个view的主备同步主要是主备之间每个view都使用共享key进行消息的签名。master的配置和之前的稍微有点小的改动
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
controls {
    // rndc is reachable on loopback only, and every command must be signed with rndc-key
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
//
// clients that land in view "test1" by address (signed requests may also select it by key)
acl test1 { 10.201.0.0/16; };
// clients that land in view "test2" by address
acl test2 { 192.0.0.0/8; };
// addresses allowed to pull zone transfers (referenced by allow-transfer in options)
acl slavedns {
    10.144.149.61;
    127.0.0.1;
};
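options {
    listen-on port 53 { any; };
    listen-on-v6 { none; };
    directory "/opt/bind/etc/";
    dump-file "/opt/bind/var/named/data/cache_dump.db";
    statistics-file "/opt/bind/var/named/data/named_stats.txt";
    memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
    zone-statistics yes;
    allow-query { any; };
    // recursion config
    // NOTE(review): recursion is on here and in every view, allow-query is "any" and the
    // "default" view matches any client, so recursion is offered to every source that can
    // reach port 53. If the default view is not meant to recurse for arbitrary clients,
    // limit it, e.g.:  allow-recursion { localhost; test1; test2; };
    recursion yes;
    max-ncache-ttl 60;
    recursive-clients 2000;
    // dnssec config
    // dnssec-enable is obsolete in recent BIND (deprecated, later removed); keep it only
    // while running a version that still accepts it
    dnssec-enable yes;
    dnssec-validation yes;
    // DLV (dlv.isc.org) was decommissioned in 2017 and dnssec-lookaside was later dropped
    // from BIND, so lookaside validation is left disabled
    // dnssec-lookaside auto;
    // response rate limiting: caps identical answers per /32 to blunt reflection abuse
    rate-limit {
        responses-per-second 20;
        qps-scale 1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };
    // rpz config
    response-policy {
        zone "rpz.zone" policy given;
    };
    // log every query (routed to the query_log channel in the logging block); the log
    // records client addresses, so its size/rotation is bounded there
    querylog yes;
    // hide the real software version from version.bind queries
    version "GNUer's dns 2.0";
    // transfer config
    notify explicit;        // NOTIFY only the also-notify list, not every NS in the zone
    tcp-clients 2000;
    transfers-out 100;
    // outbound AXFR/IXFR is limited to the secondary (slavedns already contains 127.0.0.1).
    // NOTE(review): the secondary signs its transfer requests with the per-view key (see the
    // server statements in each view), so a key-based list inside each view, e.g.
    // allow-transfer { key test1; };, would bind transfers to the key instead of the address.
    allow-transfer { slavedns; };
    also-notify { 10.144.149.61; };
    /* Path to ISC DLV key */
    #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};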
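logging {
    // file channels: size-capped with rotated copies; "severity dynamic" follows the running debug level
    channel default_syslog { file "/opt/bind/var/log/named.syslog" versions 5 size 100m; severity dynamic; print-time yes;};
    channel default_debug { file "/opt/bind/var/log/named.run" versions 5 size 100m; severity dynamic; print-time yes;};
    channel default_stderr { stderr; severity info; };
    channel null { null; };
    // general_debug and database_debug are defined but no category below routes to them
    channel general_debug { file "/opt/bind/var/log/named.general" versions 3 size 100m; severity dynamic; print-time yes;};
    channel database_debug { file "/opt/bind/var/log/named.database" versions 3 size 100m; severity dynamic; print-time yes;};
    // per-query log (enabled by "querylog yes" in options); carries client addresses
    channel query_log { file "/opt/bind/var/log/named.query" versions 3 size 100m; severity dynamic; print-time yes;print-severity yes; print-category yes;};
    channel resolver_log { file "/opt/bind/var/log/named.resolver" versions 3 size 100m; severity dynamic; print-time yes;};
    channel security_log { file "/opt/bind/var/log/named.security" versions 3 size 100m; severity dynamic; print-time yes;};
    channel notify_log { file "/opt/bind/var/log/named.notify" versions 3 size 100m; severity dynamic; print-time yes;};
    channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m; severity dynamic; print-time yes;};
    channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m; severity dynamic; print-time yes;};
    // every category not listed below (general, config, dnssec, lame-servers, ...) was
    // previously discarded via null; keep it on disk so configuration errors and DNSSEC
    // validation problems are not silently lost
    category default { default_syslog; };
    category queries { query_log; };
    category resolver { resolver_log; };
    // approvals/denials of requests (update, transfer, query ACLs): the audit trail for the key-gated updates
    category security { security_log; };
    // NOTIFY, inbound/outbound transfers and dynamic updates share one file
    category notify { notify_log; };
    category xfer-in { notify_log; };
    category xfer-out { notify_log; };
    category update { notify_log; };
    category unmatched { default_syslog; };
    category rate-limit { rrt_log; };
    category rpz { rpz_log; };
};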
view "test1" {
    // clients: anything in the test1 ACL, or any request signed with the test1 TSIG key
    match-clients { test1; key test1; };
    recursion yes;
    allow-query { any; };
    // dynamic updates (nsupdate) to this view's primary zones must be signed with test1
    allow-update { key test1; };
    // requests sent to the secondary (e.g. NOTIFY) are signed with test1, so the
    // secondary's "test1" view (which also matches on key test1) receives them
    server 10.144.149.61 { keys test1; };
    // also-notify { 10.144.149.61; };
    zone "test.org" { type master; file "master/test.org.view1"; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
view "test2" {
    // clients: anything in the test2 ACL, or any request signed with the test2 TSIG key
    match-clients { test2; key test2; };
    recursion yes;
    allow-query { any; };
    // dynamic updates to this view's primary zones must be signed with test2
    allow-update { key test2; };
    // requests sent to the secondary (e.g. NOTIFY) are signed with test2, selecting its "test2" view
    server 10.144.149.61 { keys test2; };
    // also-notify { 10.144.149.61; };
    zone "test.org" { type master; file "master/test.org.view2"; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
view "default" {
    // catch-all view: "any" already matches every client not taken by test1/test2;
    // "key default" is listed so that requests signed with the default key are explicit
    match-clients { any; key default; };
    // NOTE(review): together with allow-query { any; } this makes recursion available to
    // every client that reaches this view; confirm that is intended for the catch-all view
    recursion yes;
    allow-query { any; };
    // dynamic updates to this view's primary zones must be signed with the default key
    allow-update { key default; };
    // requests sent to the secondary (e.g. NOTIFY) are signed with the default key, selecting its "default" view
    server 10.144.149.61 { keys default; };
    // also-notify { 10.144.149.61; };
    zone "test.org" { type master; file "master/test.org.default"; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
master中的注意事项是:
1. also-notify 可以不用每个view都写一遍,在options里把slave都写全也行(具体也得根据实际的安全需求来定)
2. 每个view内用allow-update设置只允许对应的key进行更新。
3. 需要使用server来指定和对端机器通信的共享密钥。
slave的配置
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
controls {
    // rndc is reachable on loopback only, and every command must be signed with rndc-key
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
//
// single host that lands in view "test1" by address; the primary's own address is deliberately not listed
acl test1 { 10.161.65.8; };
// clients that land in view "test2" by address
acl test2 { 192.0.0.0/8; };
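options {
    listen-on port 53 { any; };
    listen-on-v6 { none; };
    directory "/opt/bind/etc/";
    dump-file "/opt/bind/var/named/data/cache_dump.db";
    statistics-file "/opt/bind/var/named/data/named_stats.txt";
    memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
    // keep transferred zone files human-readable on disk (newer BIND defaults to raw)
    masterfile-format text;
    zone-statistics yes;
    allow-query { any; };
    // recursion config
    // NOTE(review): as on the primary, recursion plus allow-query { any; } and a catch-all
    // "default" view means recursion is offered to any client; restrict with
    // allow-recursion { localhost; test1; test2; }; if that is not intended
    recursion yes;
    max-ncache-ttl 60;
    recursive-clients 2000;
    // dnssec config
    // dnssec-enable is obsolete in recent BIND (deprecated, later removed); keep it only
    // while running a version that still accepts it
    dnssec-enable yes;
    dnssec-validation yes;
    // DLV (dlv.isc.org) was decommissioned in 2017 and dnssec-lookaside was later dropped
    // from BIND, so lookaside validation is left disabled
    // dnssec-lookaside auto;
    // response rate limiting: caps identical answers per /32 to blunt reflection abuse
    rate-limit {
        responses-per-second 20;
        qps-scale 1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };
    // rpz config
    response-policy {
        zone "rpz.zone" policy given;
    };
    // log every query (routed to the query_log channel in the logging block)
    querylog yes;
    // hide the real software version from version.bind queries
    version "GNUer's dns 2.0";
    // transfer config
    notify explicit;        // no also-notify list here, so this server sends no NOTIFYs
    tcp-clients 2000;
    transfers-out 100;
    // this server has no secondaries of its own; older BIND defaults allow-transfer to "any",
    // which would let anyone pull the full test.org zone from here, so refuse outbound transfers
    allow-transfer { none; };
    /* Path to ISC DLV key */
    #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};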
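logging {
    // file channels: size-capped with rotated copies; "severity dynamic" follows the running debug level
    channel default_syslog { file "/opt/bind/var/log/named.syslog" versions 5 size 100m; severity dynamic; print-time yes;};
    channel default_debug { file "/opt/bind/var/log/named.run" versions 5 size 100m; severity dynamic; print-time yes;};
    channel default_stderr { stderr; severity info; };
    channel null { null; };
    // general_debug and database_debug are defined but no category below routes to them
    channel general_debug { file "/opt/bind/var/log/named.general" versions 3 size 100m; severity dynamic; print-time yes;};
    channel database_debug { file "/opt/bind/var/log/named.database" versions 3 size 100m; severity dynamic; print-time yes;};
    // per-query log (enabled by "querylog yes" in options); carries client addresses
    channel query_log { file "/opt/bind/var/log/named.query" versions 3 size 100m; severity dynamic; print-time yes;print-severity yes; print-category yes;};
    channel resolver_log { file "/opt/bind/var/log/named.resolver" versions 3 size 100m; severity dynamic; print-time yes;};
    channel security_log { file "/opt/bind/var/log/named.security" versions 3 size 100m; severity dynamic; print-time yes;};
    channel notify_log { file "/opt/bind/var/log/named.notify" versions 3 size 100m; severity dynamic; print-time yes;};
    channel rrt_log { file "/opt/bind/var/log/named.rrt" versions 3 size 100m; severity dynamic; print-time yes;};
    channel rpz_log { file "/opt/bind/var/log/named.rpz" versions 3 size 100m; severity dynamic; print-time yes;};
    // every category not listed below (general, config, dnssec, lame-servers, ...) was
    // previously discarded via null; keep it on disk so configuration errors and DNSSEC
    // validation problems are not silently lost
    category default { default_syslog; };
    category queries { query_log; };
    category resolver { resolver_log; };
    // approvals/denials of requests (update, transfer, query ACLs): the audit trail for the key-gated updates
    category security { security_log; };
    // NOTIFY, inbound/outbound transfers and dynamic updates share one file
    category notify { notify_log; };
    category xfer-in { notify_log; };
    category xfer-out { notify_log; };
    category update { notify_log; };
    category unmatched { default_syslog; };
    category rate-limit { rrt_log; };
    category rpz { rpz_log; };
};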
view "test1" {
    // clients: anything in the test1 ACL, or any request signed with the test1 TSIG key
    match-clients { test1; key test1; };
    recursion yes;
    allow-query { any; };
    // requests to the primary (SOA refresh, AXFR/IXFR) are signed with test1, so they
    // select the primary's "test1" view and its copy of test.org
    server 10.161.64.97 { keys test1; };
    // NOTE(review): test.org is a secondary in this view, and a secondary does not apply
    // dynamic updates itself, so this only gates primary zones here (rpz.zone opts out below).
    // If nsupdate against this server should work, allow-update-forwarding is the directive.
    allow-update { key test1; };
    zone "test.org" { type slave; file "master/test.org.view1"; masters { 10.161.64.97; }; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
view "test2" {
    // clients: anything in the test2 ACL, or any request signed with the test2 TSIG key
    match-clients { test2; key test2; };
    recursion yes;
    allow-query { any; };
    // requests to the primary (SOA refresh, AXFR/IXFR) are signed with test2, selecting its "test2" view
    server 10.161.64.97 { keys test2; };
    // NOTE(review): only gates primary zones in this view; test.org is a secondary here and
    // does not apply dynamic updates itself (see allow-update-forwarding if that is wanted)
    allow-update { key test2; };
    zone "test.org" { type slave; file "master/test.org.view2"; masters { 10.161.64.97; }; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
view "default" {
    // catch-all view: "any" already matches every client not taken by test1/test2;
    // "key default" is listed so that requests signed with the default key are explicit
    match-clients { any; key default; };
    // NOTE(review): with allow-query { any; } this offers recursion to every client reaching
    // the catch-all view; confirm that is intended
    recursion yes;
    allow-query { any; };
    // requests to the primary (SOA refresh, AXFR/IXFR) are signed with the default key, selecting its "default" view
    server 10.161.64.97 { keys default; };
    // NOTE(review): only gates primary zones in this view; test.org is a secondary here and
    // does not apply dynamic updates itself (see allow-update-forwarding if that is wanted)
    allow-update { key default; };
    zone "test.org" { type slave; file "master/test.org.default"; masters { 10.161.64.97; }; };
    // static RPZ zone shared by every view; explicitly not updatable
    zone "rpz.zone" { type master; file "master/rpz.zone"; allow-update { none; }; };
    zone "." { type hint; file "named.root"; };
};
slave的配置注意事项也是每个view要使用server定义与master通信时使用的key,然后限制只有特定的key才能更新。另外需要注意的是slave和master的IP不要出现在任何的acl里:match-clients是按顺序匹配的,地址项对已签名和未签名的请求都会匹配,如果对端IP落在某个acl里,不管消息用哪个key签名都会被归到那个view,导致同步到错误的view。