技术、情感、摄影、原创、分享
南北互通廉价解决方案-智能DNS
上一篇 / 下一篇 2007-01-17 17:25:00 / 天气: 阴雨 / 心情: 平静 / 精华(3) / 个人分类:Linux
本文遵循创作共用版权协议,转载请保留原文链接和原文作者
本文链接:http://9ng.cn/1/viewspace_6343.html
本文作者:九尾银狐
一、应用背景
某网络广告公司,总部设在中国上海,是一个具有多项全球顶尖互联网专利技术的专业广告集团,主营在线网络广告,业务量庞大,广告主及联盟网站众多且遍布不同区域。由于南北互通问题,严重制约了市场的拓展和业务的进一步发展,影响了工作效率。目前有CDN(内容分布网络),BGP(边际网关协议)等技术可以解决南北互通问题,但是高投资、高使用费以及高维护费成为该公司的首要难题。为打破困局,该公司决定对症下药,寻找更经济的解决办法,消除南北间不可逾越的"鸿沟",降低网络费用。
二、解决方案
采用双线机房,Bind9作为智能DNS,通过DNS View配置,自动根据客户端IP来判断,网通的用户解析出网通的IP,电信的解析出电信IP,使用户能够访问到临近的同网的服务器,避免跨网访问,从而提高访问速度,解决南北互访问题。
三、实施步骤
操作系统:
| CentOS 4.4 | http://www.centos.org |
软件列表:
| BIND9 | http://www.isc.org |
| Ripe-dbase-client-v3 | http://www.apnic.net |
例子域名:
| Entage.net |
步骤一、安装操作系统
推荐使用CentOS 4.4,基于RedHat Enterprise AS 4.4安全加强的免费可升级独立分发版本Linux操作系统,安装过程不再详述。
步骤二、安装Bind9
(1)RPM包方式安装
1.手动下载软件包安装
下载RPM软件包:
| wgethttp://isoredirect.centos.org/centos/4/os/i386/CentOS/RPMS/bind-9.2.4-16.EL4.i386.rpm |
| wgethttp://isoredirect.centos.org/centos/4/os/i386/CentOS/RPMS/bind-libs-9.2.4-16.EL4.i386.rpm |
| wgethttp://isoredirect.centos.org/centos/4/os/i386/CentOS/RPMS/bind-utils-9.2.4-16.EL4.i386.rpm |
| wgethttp://isoredirect.centos.org/centos/4/os/i386/CentOS/RPMS/bind-devel-9.2.4-16.EL4.i386.rpm |
安装软件包:
| rpm -iUvh bind*.rpm |
2.yum自动安装
| yum install bind bind-libs bind-utils bind-devel |
3.up2date自动安装
| up2date bind bind-libs bind-utils bind-devel |
以上三种方式任选一种安装,安装后执行以下命令配置DNS服务开机自启动
| chkconfig named on |
(2)源码包方式安装
下载源码包:
| wgethttp://ftp.isc.org/isc/bind9/9.3.3/bind-9.3.3.tar.gz |
解压源码包:
| tar zxvf bind-9.3.3.tar.gz |
配置:
| cd bind-9.3.3 |
| ./configure --prefix=/usr |
编译:
| make |
安装:
| make install |
添加用户和组:
| groupadd -g 25 named |
| useradd -u 25 -g 25 -d /var/named -s /sbin/nologin named |
建立启动脚本:
| vi /etc/init.d/named |
==========named begin==========
#!/bin/bash
#
# named This shell scrīpt takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: - 13 87
# descrīption: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in
start)
if [ -x /usr/sbin/named ]
then
/usr/sbin/named -u named -c /etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;
stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;
esac
==========named end===========
更改启动脚本权限:
| chmod 755 /etc/init.d/named |
添加启动脚本为系统服务:
| chkconfig --add named |
配置DNS服务开机自启动:
| chkconfig named on |
步骤三、安装IP地址段查询工具Ripe-dbase-client-v3:
下载软件包:
| wget http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client-v3.tar.gz |
解压软件包:
| tar zxvf ripe-dbase-client-v3.tar.gz |
配置:
| cd whois-3.1 |
| ./configure --prefix=/usr |
编译:
| make |
安装
| make install |
步骤四、建立相关目录及文件
| mkdir -p /var/named/data |
| mkdir -p /var/named/master/any |
| mkdir -p /var/named/master/cnc |
| mkdir -p /var/named/master/telecom |
| mkdir -p /var/named/slaves |
| mkdir -p /var/log/named |
| mkdir -p /var/run/named |
| touch /var/named/cnc_acl.conf |
| touch /var/named/telecom_acl.conf |
| touch /var/log/named/dns_warning |
| touch /var/log/named/dns_log |
| touch /var/named/master/any.def |
| touch /var/named/master/cnc.def |
| touch /var/named/master/telecom.def |
| wget ftp://ftp.internic.org/domain/named.root -O /var/named/named.ca |
| chown -R named.named /var/named /var/log/named /var/run/named |
| chmod -R 770 /var/named /var/log/named /var/run/named |
步骤五、配置rndc
设置rndc.conf:
| vi /etc/rndc.conf |
==========rndc.conf begin==========
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
include "/etc/rndc.key";
==========rndc.conf end============
生成/etc/rndc.key:
| /usr/sbin/rndc-confgen –a |
步骤六、配置ACL文件
设置网通IP列表ACL文件cnc_acl.conf:
| /usr/bin/whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP | grep "descr" | grep "Reverse" | awk -F "for" '{if ($2!="") print $2}'| sort -n | awk 'BEGIN{print "acl \"CNC\" '{'"}{print $1";"}END{print "'}';"}' > /var/named/cnc_acl.conf |
设置电信IP列表ACL文件telecom_acl.conf:
| /usr/bin/whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET | grep "descr" | grep "Reverse" | awk -F "for" '{if ($2!="") print $2}'| sort -n | awk 'BEGIN{print "acl \"TELECOM\" '{'"}{print $1";"}END{print "'}';"}' > /var/named/telecom_acl.conf |
步骤七、配置named.conf
| vi /etc/named.conf |
==========named.conf begin==========
acl "trusted-lan" {
127.0.0.1/8;
192.168.0.0/24;
};
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
version "";
datasize 40M;
allow-transfer {
"trusted-lan";
};
recursion yes;
allow-notify {
"trusted-lan";
};
allow-recursion {
"trusted-lan";
};
auth-nxdomain no;
forwarders {
202.96.209.5;
210.22.70.3;
};
};
logging {
channel warning {
file "/var/log/named/dns_warning" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/var/log/named/dns_log" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
category queries {
general_dns;
};
};
include "cnc_acl.conf";
include "telecom_acl.conf";
view "view_cnc" {
match-clients {
CNC;
};
zone "." {
type hint;
file "named.ca";
};
include "master/cnc.def";
};
view "view_telecom" {
match-clients {
TELECOM;
};
zone "." {
type hint;
file "named.ca";
};
include "master/telecom.def";
};
view "view_any" {
match-clients {
any;
};
zone "." {
type hint;
file "named.ca";
};
include "master/any.def";
};
include "/etc/rndc.key";
==========named.conf end===========
步骤八、增加域名解析配置文件
设置网通解析配置文件:
| vi /var/named/master/cnc.def |
==========cnc.def begin==========
zone "entage.net"{
type master;
file "master/cnc/entage.net";
};
==========cnc.def end===========
设置电信解析配置文件:
| vi /var/named/master/telecom.def |
==========telecom.def begin==========
zone "entage.net"{
type master;
file "master/telecom/entage.net";
};
==========telecom.def end===========
设置网通电信以外解析配置文件:
| vi /var/named/master/any.def |
==========any.def begin==========
zone "entage.net"{
type master;
file "master/any/entage.net";
};
==========any.def end===========
步骤九、增加域名定义文件
设置网通域名定义文件:
| vi /var/named/master/cnc/entage.net |
==========cnc/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 218.108.238.221
ns IN A 218.108.238.221
www IN A 218.108.238.221
;
;end
==========cnc/entage.net end===========
设置电信域名定义文件:
| vi /var/named/master/telecom/entage.net |
==========telecom/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 61.152.241.97
ns IN A 61.152.241.97
www IN A 61.152.241.97
;
;end
==========telecom/entage.net end===========
设置其它区域域名定义文件:
| vi /var/named/master/any/entage.net |
==========any/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 61.152.241.97
ns IN A 61.152.241.97
www IN A 61.152.241.97
;
;end
==========any/entage.net end===========
四、结束语
此方案有如下优点:
1.低成本-无需添加任何专用设备,只需通过简单配置即可;
2.灵活性强-可随时增加/删除解析规则;
3.有一定的可扩展能力-如果搭配Round Robin DNS可无缝快速的配置简单的负载均衡;
(全文完)
相关阅读:
- 开源Linux VPN解决方案 - 序言 (fox, 2007-2-01)
- 开源Linux VPN解决方案 - OpenSWan安装配置指南 (fox, 2007-3-04)
- LAMP应用架构部署指南II--Linux安装及初始环境设置 (fox, 2007-11-07)
-
引用
删除
Guest / 2008-10-07 18:00:21
- If auth-nxdomain is 'yes' allows the server to answer authoritatively (the AA bit is set) on returning NXDOMAIN (domain does not exist) answers, if 'no' (the default) the server will not answer authoritatively. NOTE: This changes the previous BIND 8 default setting. This statement may be used in a view or a global options clause.
