上一篇blog简单写了一下使用nsupdate动态更新DNS记录。今天再写一下在多个view的时候如何设置主备的自动同步。多个view的主备同步,主要是主备之间每个view都使用共享key对消息进行签名。master的配置和之前的相比稍微有点小改动:
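// rndc.key: the control-channel key; views.key presumably holds the per-view
// TSIG keys (test1 / test2 / default) referenced below -- confirm its contents.
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
// rndc is bound to loopback only and additionally requires the shared key,
// so remote control of named is not possible from the network.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};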
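//
// Address ACLs consumed by match-clients in the views below.
// The slave's address (10.144.149.61) is intentionally kept out of test1 and
// test2: views are tried in order and match-clients checks the address element
// before the key element, so a slave address inside an ACL would capture the
// slave's signed requests for *every* view in the first view that lists it.
acl test1 {
    10.201.0.0/16;
};
acl test2 {
    192.0.0.0/8;
};
// Hosts permitted to pull zone transfers (see allow-transfer in options).
acl slavedns {
    10.144.149.61;
    127.0.0.1;
};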
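options {
    listen-on port 53 { any; };
    listen-on-v6 { none; };
    directory "/opt/bind/etc/";
    dump-file "/opt/bind/var/named/data/cache_dump.db";
    statistics-file "/opt/bind/var/named/data/named_stats.txt";
    memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
    zone-statistics yes;
    allow-query { any; };

    // recursion config
    // NOTE(review): recursion is enabled for any client and nothing below
    // narrows it (no allow-recursion). If this host is reachable from
    // outside the test1/test2 networks it is an open resolver; restricting
    // recursion to the internal ACLs (allow-recursion { test1; test2; };)
    // closes that without affecting authoritative answers.
    recursion yes;
    max-ncache-ttl 60;
    recursive-clients 2000;

    // dnssec config
    // NOTE(review): ISC retired the DLV registry; dnssec-lookaside is
    // deprecated/rejected on current BIND releases -- confirm against the
    // version actually deployed before reusing this block.
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    // rrt config (response rate limiting against amplification abuse)
    rate-limit {
        responses-per-second 20;
        qps-scale 1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };

    // rpz config -- rpz.zone is served as a local master zone in every view
    response-policy { zone "rpz.zone" policy given; };

    // log query
    querylog yes;

    // define version (hides the real BIND version from version.bind queries)
    version "GNUer's dns 2.0";

    // transfer config
    // Transfers are gated by source address only (acl slavedns; 127.0.0.1 is
    // already a member of it). Every view already signs with a TSIG key, so a
    // per-view allow-transfer { key test1; } inside each view would tie the
    // transfer to the key instead of to the address.
    notify explicit;
    tcp-clients 2000;
    transfers-out 100;
    allow-transfer { slavedns; 127.0.0.1; };
    // Global also-notify: the per-view also-notify lines are commented out
    // because this one already covers the single slave.
    also-notify { 10.144.149.61; };

    /* Path to ISC DLV key */
    #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};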
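logging {
    // Every file channel is bounded (versions N, size 100m), so a query burst
    // cannot grow a single log file without limit.
    channel default_syslog {
        file "/opt/bind/var/log/named.syslog" versions 5 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel default_debug {
        file "/opt/bind/var/log/named.run" versions 5 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel default_stderr {
        stderr;
        severity info;
    };
    channel null { null; };
    channel general_debug {
        file "/opt/bind/var/log/named.general" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel database_debug {
        file "/opt/bind/var/log/named.database" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel query_log {
        file "/opt/bind/var/log/named.query" versions 3 size 100m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel resolver_log {
        file "/opt/bind/var/log/named.resolver" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel security_log {
        file "/opt/bind/var/log/named.security" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel notify_log {
        file "/opt/bind/var/log/named.notify" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel rrt_log {
        file "/opt/bind/var/log/named.rrt" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel rpz_log {
        file "/opt/bind/var/log/named.rpz" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };

    // Category routing.
    // NOTE(review): "default" covers every category not listed here, including
    // general (config errors, startup warnings). Sending it to null discards
    // those messages; routing default to default_syslog keeps them. The
    // channels general_debug, database_debug and default_stderr are declared
    // but not referenced by any category.
    category default { null; };
    category queries { query_log; };
    category resolver { resolver_log; };
    category security { security_log; };
    // NOTIFY, inbound/outbound transfers and dynamic updates share one file so
    // the whole replication path can be read in a single log.
    category notify { notify_log; };
    category xfer-in { notify_log; };
    category xfer-out { notify_log; };
    category update { notify_log; };
    category unmatched { default_syslog; };
    category rate-limit { rrt_log; };
    category rpz { rpz_log; };
};

view "test1" {
    recursion yes;
    allow-query { any; };
    // Evaluated in order: clients in acl test1 by address, then any request
    // signed with key test1 (the slave's transfer traffic and the nsupdate
    // client). The slave's address must stay out of acl test1, otherwise its
    // requests meant for the other views would be captured by this view too.
    match-clients { test1; key test1; };
    // Dynamic updates are accepted only when signed with this view's key.
    allow-update { key test1; };
    // Requests sent to the slave (NOTIFY etc.) are signed with key test1 so the
    // slave's match-clients selects its own test1 view.
    server 10.144.149.61 { keys test1; };
    // also-notify { 10.144.149.61; };   // covered by also-notify in options
    zone "test.org" {
        type master;
        file "master/test.org.view1";
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        // Policy data is never changed through dynamic update.
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};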
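view "test2" {
    recursion yes;
    allow-query { any; };
    // Sign requests to the slave with this view's key.
    server 10.144.149.61 { keys test2; };
    // Address ACL first, then requests signed with key test2.
    match-clients { test2; key test2; };
    // Only holders of key test2 may update zones in this view.
    allow-update { key test2; };
    // also-notify { 10.144.149.61; };   // covered by also-notify in options
    zone "test.org" {
        type master;
        file "master/test.org.view2";
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};

// Catch-all view: must stay last. "any" already matches every client, so the
// "key default" element only documents which key the slave uses for it.
view "default" {
    recursion yes;
    allow-query { any; };
    server 10.144.149.61 { keys default; };
    match-clients { any; key default; };
    allow-update { key default; };
    // also-notify { 10.144.149.61; };   // covered by also-notify in options
    zone "test.org" {
        type master;
        file "master/test.org.default";
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};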
master中的注意事项是:1. also-notify 可以不用每个view都写一遍,在options里把slave都写全也行(也得根据实际的安全需求来)。2. 每个view内用allow-update设置只允许相应的key进行更新。3. 需要使用server来指定和对端机器通信的共享密钥。
slave的配置
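// Same key files as the master: views.key must contain the same TSIG keys
// (test1 / test2 / default) or the signed transfers will be refused.
include "/opt/bind/etc/rndc.key";
include "/opt/bind/etc/views.key";
//
// rndc is loopback-only and key-protected, as on the master.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};
//
// Client ACLs. The master's address (10.161.64.97) is deliberately absent so
// that its signed NOTIFYs are routed by key, not by address.
acl test1 {
    10.161.65.8;
};
acl test2 {
    192.0.0.0/8;
};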
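options {
    listen-on port 53 { any; };
    listen-on-v6 { none; };
    directory "/opt/bind/etc/";
    dump-file "/opt/bind/var/named/data/cache_dump.db";
    statistics-file "/opt/bind/var/named/data/named_stats.txt";
    memstatistics-file "/opt/bind/var/named/data/named_mem_stats.txt";
    // Replicated zones are written as plain text (readable for debugging).
    masterfile-format text;
    zone-statistics yes;
    allow-query { any; };

    // recursion config
    // NOTE(review): as on the master, recursion is open to any client; add
    // allow-recursion with the internal ACLs if this host is externally reachable.
    recursion yes;
    max-ncache-ttl 60;
    recursive-clients 2000;

    // dnssec config
    // NOTE(review): dnssec-lookaside (DLV) is retired; confirm it is still
    // accepted by the deployed BIND version.
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    // rrt config (response rate limiting)
    rate-limit {
        responses-per-second 20;
        qps-scale 1000;
        window 4;
        slip 2;
        ipv4-prefix-length 32;
    };

    // rpz config
    response-policy { zone "rpz.zone" policy given; };

    // log query
    querylog yes;

    // define version
    version "GNUer's dns 2.0";

    // transfer config
    // NOTE(review): unlike the master, no allow-transfer is set here. On the
    // BIND releases this config targets the default permits transfers to any
    // client, so the replicated test.org data of every view can be pulled by
    // anyone who can reach port 53. This slave has no downstream of its own;
    // add `allow-transfer { none; };` (or restrict it to the TSIG keys).
    notify explicit;
    tcp-clients 2000;
    transfers-out 100;

    /* Path to ISC DLV key */
    #bindkeys-file "/opt/bind/etc/named.iscdlv.key";
};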
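logging {
    // All file channels are size-bounded and rotated (versions N, size 100m).
    channel default_syslog {
        file "/opt/bind/var/log/named.syslog" versions 5 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel default_debug {
        file "/opt/bind/var/log/named.run" versions 5 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel default_stderr {
        stderr;
        severity info;
    };
    channel null { null; };
    channel general_debug {
        file "/opt/bind/var/log/named.general" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel database_debug {
        file "/opt/bind/var/log/named.database" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel query_log {
        file "/opt/bind/var/log/named.query" versions 3 size 100m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel resolver_log {
        file "/opt/bind/var/log/named.resolver" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel security_log {
        file "/opt/bind/var/log/named.security" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel notify_log {
        file "/opt/bind/var/log/named.notify" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel rrt_log {
        file "/opt/bind/var/log/named.rrt" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    channel rpz_log {
        file "/opt/bind/var/log/named.rpz" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };

    // Category routing.
    // NOTE(review): default -> null also silences the general category
    // (config errors, startup warnings); route it to default_syslog to keep
    // them. general_debug, database_debug and default_stderr are unused.
    category default { null; };
    category queries { query_log; };
    category resolver { resolver_log; };
    category security { security_log; };
    // Inbound NOTIFY and transfers land in one file: this is where a failed
    // TSIG verification from the master shows up first.
    category notify { notify_log; };
    category xfer-in { notify_log; };
    category xfer-out { notify_log; };
    category update { notify_log; };
    category unmatched { default_syslog; };
    category rate-limit { rrt_log; };
    category rpz { rpz_log; };
};

view "test1" {
    recursion yes;
    // Requests to the master (SOA refresh, AXFR/IXFR) are signed with key
    // test1, so the master's match-clients { test1; key test1; } routes them to
    // its test1 view and serves the matching copy of test.org.
    server 10.161.64.97 { keys test1; };
    allow-query { any; };
    // Address ACL first, then the master's NOTIFYs signed with key test1.
    match-clients { test1; key test1; };
    // NOTE(review): test.org is a slave zone in this view; an UPDATE signed
    // with key test1 that reaches this server is not applied here and is not
    // forwarded to the master unless allow-update-forwarding is configured.
    // Confirm whether clients are expected to update via the slave at all.
    allow-update { key test1; };
    zone "test.org" {
        type slave;
        file "master/test.org.view1";
        masters { 10.161.64.97; };
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};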
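view "test2" {
    recursion yes;
    allow-query { any; };
    // Address ACL first, then the master's NOTIFYs signed with key test2.
    match-clients { test2; key test2; };
    // Sign transfer requests to the master with this view's key.
    server 10.161.64.97 { keys test2; };
    // NOTE(review): see view "test1" -- test.org is a slave zone here, so this
    // allow-update only matters if update forwarding is configured.
    allow-update { key test2; };
    zone "test.org" {
        type slave;
        file "master/test.org.view2";
        masters { 10.161.64.97; };
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};

// Catch-all view, must remain last; "any" already matches every client.
view "default" {
    recursion yes;
    allow-query { any; };
    server 10.161.64.97 { keys default; };
    match-clients { any; key default; };
    allow-update { key default; };
    zone "test.org" {
        type slave;
        file "master/test.org.default";
        masters { 10.161.64.97; };
    };
    zone "rpz.zone" {
        type master;
        file "master/rpz.zone";
        allow-update { none; };
    };
    zone "." {
        type hint;
        file "named.root";
    };
};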
slave的配置注意事项也是:每个view要用server定义与master通信时使用的key,然后限制只有特定的key才能更新。另外需要注意的是,slave和master的IP不要出现在任何acl里。