创建内部动态DNS服务器

创建内部动态DNS服务器

由于各种不同的原因,企业内部往往会有多台DHCP服务器负责分发IP地址,给内部网络管理带来不便。本文介绍如何在企业内部用BIND9搭建内部DDNS服务,让各台DHCP服务器把租约自动注册到同一个DNS中,解决这一问题。

假设企业内部有三台DHCP服务器,分别为三个子域分发IP地址。三个子域分别是 rd.lswin.cn(192.168.230.0/24)、ga.lswin.cn(192.168.231.0/24)和 sm.lswin.cn(192.168.232.0/24)。

示例中,DDNS服务器的名称为ddns.lswin.cn


安装/配置BIND9

安装 BIND9

root@ddns:~# apt-get update && apt-get install bind9

配置BIND9

修改 /etc/bind/named.conf.local 文件:

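//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

//
// ___***___ Own DynDNS
//
// The TSIG keys are kept in a separate file so the secrets can be given
// restrictive permissions (root:bind 0640) independently of this file.
include "/etc/bind/ddns-keys.conf";

//
// rd.lswin.cn zone
//
// Dynamic updates are accepted only when signed with this zone's own TSIG
// key; each sub-domain has a different key, so a DHCP server (or anyone
// holding its key) can only rewrite the zones of its own sub-domain.
// Note that allow-update with a key permits any record in the zone to be
// changed, including the apex NS/SOA; if that is too broad, replace it with
// an update-policy grant limited to the record types DHCP needs
// (A/TXT/DHCID forward, PTR reverse).
// notify is off on every dynamic zone: this setup has no secondaries, and
// without it named would send a NOTIFY to the zone's NS after every lease
// change.
zone "rd.lswin.cn" {
        type master;
        file "/var/lib/bind/rd.lswin.cn.zone";
        allow-update { key rd-lswin-cn.; };
        notify no;
};

// Reverse zone. Replace 230.168.192 with your sub-domain's network.
// notify no added here for consistency with the forward zone above.
zone "230.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/rd.lswin.cn.rev.zone";
        allow-update { key rd-lswin-cn.; };
        notify no;
};

//
// ga.lswin.cn zone
//
zone "ga.lswin.cn" {
        type master;
        file "/var/lib/bind/ga.lswin.cn.zone";
        allow-update { key ga-lswin-cn.; };
        notify no;
};

// Reverse zone. Replace 231.168.192 with your sub-domain's network.
zone "231.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/ga.lswin.cn.rev.zone";
        allow-update { key ga-lswin-cn.; };
        notify no;
};

//
// sm.lswin.cn zone
//
zone "sm.lswin.cn" {
        type master;
        file "/var/lib/bind/sm.lswin.cn.zone";
        allow-update { key sm-lswin-cn.; };
        notify no;
};

// Reverse zone. Replace 232.168.192 with your sub-domain's network.
zone "232.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/sm.lswin.cn.rev.zone";
        allow-update { key sm-lswin-cn.; };
        notify no;
};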

为各子域创建区域(zone)文件

/var/lib/bind/rd.lswin.cn.zone

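$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours - default TTL for the static records
                ; below; records added by nsupdate/DHCP carry their own TTL
; An SOA record has seven fields: MNAME RNAME serial refresh retry expire
; minimum.  The original listing left out RNAME (the zone admin mailbox,
; with '@' written as '.'), which named-checkzone rejects; replace
; hostmaster.rd.lswin.cn. with a real mailbox.
; NOTE(review): MNAME/NS point at ns1 = 192.168.230.1, while the DDNS server
; ddns.lswin.cn is 192.168.220.109. nsupdate and dhcpd fall back to MNAME
; when no server/primary is given, so either keep naming the server
; explicitly (as every example in this article does) or make MNAME the
; DDNS server itself.
rd.lswin.cn             IN SOA  ns1.rd.lswin.cn. hostmaster.rd.lswin.cn. (
                                2014071478 ; serial - named increments it
                                           ; itself on each dynamic update
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes),
                                           ; i.e. the negative-caching TTL
                                )
                        NS      ns1.rd.lswin.cn.
$ORIGIN rd.lswin.cn.
ns1                     A       192.168.230.1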

/var/lib/bind/rd.lswin.cn.rev.zone

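$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours
; Reverse zone for 192.168.230.0/24.
; RNAME (admin mailbox) added - it was missing from the original listing,
; which makes the SOA unparseable; use a real mailbox.
; retry lowered from 604800 to 3600 to match the forward zone: retry must be
; smaller than refresh (28800) for a secondary to ever catch up.  With
; notify off and no secondaries these timers are not exercised today, but a
; consistent SOA avoids surprises if a secondary is added later.
230.168.192.in-addr.arpa IN SOA ns1.rd.lswin.cn. hostmaster.rd.lswin.cn. (
                                2014071452 ; serial
                                28800      ; refresh (8 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.rd.lswin.cn.
$ORIGIN 230.168.192.in-addr.arpa.
; three PTRs for .1 - the blank-owner lines inherit the owner name "1"
1                       PTR     rd.lswin.cn.
                        PTR     ns1.rd.lswin.cn.
                        PTR     admin.rd.lswin.cn.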

其余两个zone的配置与此基本一致,只需修改IP地址和子域名即可。

为各子域生成TSIG密钥
首先为三个子域分别生成不同的密钥,然后将生成的密钥放入密钥文件 /etc/bind/ddns-keys.conf。注意:持有某个密钥就可以改写对应zone中的任意记录,因此该文件应设为 root:bind、权限 0640;下面列出的密钥只是示例且已经公开,切勿照抄到生产环境。

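root@ddns:~# umask 077   # do not create the key file world-readable, even briefly
root@ddns:~# tsig-keygen -a hmac-sha512 rd-lswin-cn. >> /etc/bind/ddns-keys.conf   # one distinct key per zone (the original ran rd-lswin-cn. three times)
root@ddns:~# tsig-keygen -a hmac-sha512 ga-lswin-cn. >> /etc/bind/ddns-keys.conf
root@ddns:~# tsig-keygen -a hmac-sha512 sm-lswin-cn. >> /etc/bind/ddns-keys.conf
root@ddns:~# chown root:bind /etc/bind/ddns-keys.conf && chmod 640 /etc/bind/ddns-keys.conf   # named runs as 'bind' and needs read access; nobody else does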
// /etc/bind/ddns-keys.conf - one TSIG key per dynamic zone, included from
// named.conf.local.
// SECURITY: the three secrets below are published with this article and
// must be treated as compromised - never reuse them.  Paste the output of
// your own `tsig-keygen -a hmac-sha512 <name>` runs instead.  Anyone holding
// a key can add or delete any record in the matching zone (allow-update in
// named.conf.local), so keep this file readable only by root and the bind
// group: chown root:bind /etc/bind/ddns-keys.conf; chmod 640 /etc/bind/ddns-keys.conf
// The key names (including the trailing dot) must match the names used in
// allow-update and in the DHCP server configuration exactly.
key "rd-lswin-cn." {
	algorithm hmac-sha512;
	secret "dWZM3Go6hz7AL/VX3ihaQpTgwyigx27hIoKgxVooYblnFkgKTPjBiUhScM+eOpO4PrD1EgYwCIc/zb3WzoUadg==";
};
key "ga-lswin-cn." {
	algorithm hmac-sha512;
	secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};
key "sm-lswin-cn." {
	algorithm hmac-sha512;
	secret "HxyVoX1/i5293TD3fXUxRLyuyjofdnKUy3fsvamB4myAAva4etoa+4rQliXb2+PoVpLxOyOkwN8ksY5ypioG1A==";
};

检查配置/重启BIND9

检查配置

root@ddns:~# named-checkconf
root@ddns:~# named-checkzone rd.lswin.cn /var/lib/bind/rd.lswin.cn.zone 
zone rd.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~# named-checkzone ga.lswin.cn /var/lib/bind/ga.lswin.cn.zone 
zone ga.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~# named-checkzone sm.lswin.cn /var/lib/bind/sm.lswin.cn.zone 
zone sm.lswin.cn/IN: loaded serial 2014071478
OK
root@ddns:~#

如果没有问题,就可以重启BIND9。

root@ddns:~# service bind9 restart
root@ddns:~# 

测试动态更新功能

三组配置完全类似,我们只测试其中一组。

创建key文件 ga-lswin-cn.key
从现有配置中把 ga.lswin.cn 的key复制过来。这个文件同样能改写整个zone,请将权限设为 600,测试完毕后删除。

// ga-lswin-cn.key - TSIG key file for `nsupdate -k`, a copy of the
// ga-lswin-cn. entry in /etc/bind/ddns-keys.conf.  It grants full write
// access to ga.lswin.cn and 231.168.192.in-addr.arpa, so chmod 600 it and
// remove it once the test is done.  The secret shown here is public and for
// illustration only.
key "ga-lswin-cn." {
	algorithm hmac-sha512;
	secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};

测试正向DDNS添加

root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server:		ddns.lswin.cn
Address:	192.168.220.109#53

** server can't find test.ga.lswin.cn: NXDOMAIN
root@ddns:~# nsupdate -k ./ga-lswin-cn.key 
> server ddns.lswin.cn
> zone ga.lswin.cn
> update add test.ga.lswin.cn 7200 IN A 192.168.231.123
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;ga.lswin.cn.			IN	SOA

;; UPDATE SECTION:
test.ga.lswin.cn.	7200	IN	A	192.168.231.123

> send
> quit
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server:		ddns.lswin.cn
Address:	192.168.220.109#53

Name:	test.ga.lswin.cn
Address: 192.168.231.123

root@ddns:~#

记录 test.ga.lswin.cn 已成功加入DDNS。


测试正向DDNS删除

root@ddns:~# 
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server:		ddns.lswin.cn
Address:	192.168.220.109#53

Name:	test.ga.lswin.cn
Address: 192.168.231.123

root@ddns:~# nsupdate -k ./ga-lswin-cn.key 
> server ddns.lswin.cn
> zone ga.lswin.cn
> update delete test.ga.lswin.cn A
> send
> quit
root@ddns:~# nslookup test.ga.lswin.cn ddns.lswin.cn
Server:		ddns.lswin.cn
Address:	192.168.220.109#53

** server can't find test.ga.lswin.cn: NXDOMAIN

root@ddns:~# 

记录test.ga.lswin.cn已从DDNS中成功删除。


**测试逆向DDNS添加**
root@ddns:~# 
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
** server can't find 123.231.168.192.in-addr.arpa: NXDOMAIN

root@ddns:~# nsupdate -k ./ga-lswin-cn.key 
> server ddns.lswin.cn
> update add 123.231.168.192.in-addr.arpa. 7200 PTR test.ga.lswin.cn
> send
> quit
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
123.231.168.192.in-addr.arpa	name = test.ga.lswin.cn.

root@ddns:~# 

192.168.231.123已成功添加。


**测试逆向DDNS删除**
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
123.231.168.192.in-addr.arpa	name = test.ga.lswin.cn.

root@ddns:~# nsupdate -k ./ga-lswin-cn.key 
> server ddns.lswin.cn
> update delete 123.231.168.192.in-addr.arpa. PTR        
> send
> quit
root@ddns:~# nslookup 192.168.231.123 ddns.lswin.cn
** server can't find 123.231.168.192.in-addr.arpa: NXDOMAIN

root@ddns:~#

192.168.231.123已成功删除。



配置DHCP服务器推送更新

在我们的系统中只有下列两种DHCPD,因此只给出这两种示例。


假设:ddns.lswin.cn的IP地址是192.168.220.109。

ISC DHCPD

如果 ga.lswin.cn 子网上的DHCPD是ISC DHCPD,在dhcpd.conf中加入下列内容即可(注意其中含有TSIG密钥,应限制该文件的读取权限):

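# Turn on DDNS: dhcpd registers an A and a PTR record for every lease it hands out
ddns-updates on;
# also register leases for hosts with fixed-address declarations
update-static-leases on;
# 'standard' is accepted by ISC DHCP 4.3 and later; older releases only
# know 'interim'.  Without an update style dhcpd performs no DNS updates.
ddns-update-style standard;
# NOTE(review): dhcpd builds the forward name from the client hostname plus
# ddns-domainname (falling back to option domain-name when unset); neither
# is shown in this article, so confirm that leases really land under
# ga.lswin.cn, e.g. with:
#   ddns-domainname "ga.lswin.cn.";
#
# TSIG key - name and secret must match /etc/bind/ddns-keys.conf exactly.
# dhcpd.conf is normally world-readable; either chmod 640 it or move this
# key block into an include file with restricted permissions.  The secret
# below is published with this article - generate your own.
key "ga-lswin-cn." {
	algorithm hmac-sha512;
	secret "0avlbJzkK0DWB0XZbYDjK5Q7gAjmbTCPliHaV19di0KnH7lKitclqOF/l/S8SP5BFSUbpDQTen0OY/9mvcfGbA==";
};
#
# update ga.lswin.cn DNS zone and its reverse zone on the DDNS server
# (192.168.220.109 = ddns.lswin.cn).  Keep the trailing dots on the zone names.
zone ga.lswin.cn. {
  primary 192.168.220.109;
  key ga-lswin-cn.;
}
zone 231.168.192.in-addr.arpa. {
  primary 192.168.220.109;
  key ga-lswin-cn.;
}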

OPNSense

如果 ga.lswin.cn 子网上的DHCPD来自OPNsense,则在其Web界面的DHCP服务器设置中填入与上面ISC示例相同的DDNS参数(DNS服务器地址、正反向zone、TSIG密钥名、算法和密钥)即可:

(原文此处为OPNsense DHCP设置页面的截图,未随本文转载。)
pfSense的配置方式相同。



示例中BIND9的options配置文件:
/etc/bind/named.conf.options

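//
// for security, only hosts in the acl below may query this DNS
// (the original started with a bare '/', which is a syntax error)
//
// --------------------- ACLs -------------------------
// Hosts allowed to use this DNS server
acl internal {
        // localhost
        127.0.0.1;
        // CIDR of 192.168.0.0 - 192.168.255.255
        192.168.0.0/16;
        // CIDR of 10.10.0.0 - 10.10.0.255
        10.10.0.0/24;
};

// ------------------- Options -------------------------
options {
        directory "/var/cache/bind";

// Forward external names to 114DNS and Alibaba public DNS
        forwarders {
                // 114 DNS
                114.114.114.114;
                // Ali's DNS
                223.5.5.5;
        };

        // Only hosts in the acl may query at all
        allow-query {
                internal;
        };

        allow-query-cache {
                internal;
        };

        // Recursion only for our local nets and hosts;
        // externals must not be able to use us as an open resolver.
        recursion yes;
        allow-recursion {
                internal;
        };

        // No secondaries exist (every zone has notify no), so refuse zone
        // transfers outright.  The original allowed them from the whole
        // 'internal' acl, which let any host on 192.168.0.0/16 dump the
        // complete list of DHCP-registered hostnames with 'dig axfr'.
        // List the addresses of secondary servers here if you add some.
        allow-transfer {
                none;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // DNSSEC is signing and validation, not encryption.  The original's
        // 'dnssec-enable no;' was deprecated in BIND 9.16 and is refused by
        // newer releases, so it is dropped.  Validation of answers from the
        // forwarders is on ('auto' is also the default since 9.16); if the
        // forwarders do not pass DNSSEC data through and lookups start failing
        // with SERVFAIL, either switch to forwarders that do or set this to
        // 'no', accepting that external answers are then unvalidated.
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};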

内部DDNS服务器已经搭建完成,各DHCP服务器只要把下发给客户端的主DNS服务器指向 ddns.lswin.cn 即可。采用内部DDNS服务可以给内网管理带来很大方便,如服务器的备份、迁移等。