摘要:Linux架设DNS服务器之四
6.提高域名服务器的安全
为了提高域名服务器的安全性,必须要控制区文件的传输.在配置named.conf时,可以采取几方面的控制来加强安全.
options {
allow-transfer {202.103.166.100;};
};
这句指令指定只有授权的辅服务器才能从本主服务器上获得区数据信息
options {
allow-query {192.168.1/24;127.0.0/8;};
};
这句指令指定只有授权的客户才能从本服务器上获得区数据信息.
options {
forwarders {202.103.166.194;202.105.177.100;};
forward-only;
};
这句指令指定只有指定的服务器才能被本缓存服务器访问.
7.应用实例
假设有一个网络,网络由proxy分成internet和intranet两部分:为了保护mail server的安全,将它安置在intranet上.内部用户通过内部mail server收发信件.
proxy server主机上同时建有proxy server ,dns server 和smtp server.
eth0 ip address:192.168.1.1
eth1 ip address:172.16.0.1
mail server主机上同时建有smtp server,pop3 server.
ip address:172.16.0.2
用户的网关 为172.16.0.1
dns server 为172.16.0.1
smtp server为mail.test.com
pop3 server为mail.test.com
我们还是用"test.com"作为例子,我们需要六个基本配置文件:
/etc/named.conf
/var/named/named.ca
/var/named/named.local
/var/named/named.test.com
/var/named/named.172.16.0
/var/named/named.192.168.1
7.1 创建或修改/etc/named.conf:
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a PM nameserver config
//
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};
//there are our primary zone files
zone "test.com" {
type master;
file "named.test.com";
};
zone "0.16.172.in-addr.arpa" {
type master;
file "named.172.16.0";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "named.192.168.1";
};
文件中的zone "test.com"段是声明这是用于test.com域的主服务器,用于该域的数据从/var/named/named.test.com文件中装载.文件中的zone "0.16.172.in-addr.arpa"段是指向映射IP地址172.16.0.* 到主机名的文件.
用于该域的数据从/var/named/named.172.16.0文件中装载.文件中的zone "1.168.192.in-addr.arpa"段是指向映射IP地址192.168.1.* 到主机名的文件.用于该域的数据从/var/named/named.192.168.1文件中装载.
7.2 创建或修改/var/named/named.local
@ IN SOA ns.test.com. root.ns.test.com. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns.test.com.
1 IN PTR localhost.
注意:在修改named.*文件时每次存盘时要注意增加Serial值.如使用绝对域名时千万别忘了后面带的"."
7.3 创建或修改/var/named/named.test.com
@ IN SOA ns.test.com. root.ns.test.com. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns.test.com.
ns A 192.168.1.1
ns A 172.16.0.1
MX 10 ns.test.com.
www A 192.168.1.2
mail A 172.16.0.2
MX 10 mail.test.com.
MX 20 ns.test.com.
7.4 创建或修改/var/named/named.192.168.1
@ IN SOA ns.test.com. root.ns.test.com. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns.test.com.
1 IN PTR ns.test.com.
2 IN PTR www.test.com.
7.5 创建或修改/var/named/named.172.16.0
@ IN SOA ns.test.com. root.ns.test.com. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns.test.com.
1 IN PTR ns.test.com.
2 IN PTR mail.test.com.
假设用户发一份邮件到tom@hotmail.com时,信件先投递到mail.test.com主机,
由mail.test.com主机再传递给ns.test.com主机,再由ns.test.com主机投递给mail.hotmail.com.然后再由用tom从mail.hotmail.com主机取得邮件.
当hotmail.com上的tom想发邮件给mail.test.com上的用户时,tom机器上的解析器先获得test.com的域名信息,然后邮件客户端根据邮件投递路由首先发给mail.test.com主机,由于mail.test.com主机为内部主机,internet用户无法访问.然后邮件客户端根据邮件投递路由发给ns.test.com主机.由于ns.test.com主机为于internet上,ns.test.com主机收到邮件后再转发到同一网段的mail.test.com主机上,然后再由用户从mail.test.com主机取得邮件.
8.与Microsoft dns 的集成
Microsoft dns 定义了一个新的类型WINS的资源记录,它附属在域的根区.这个记录告诉Microsoft的DNS服务器如何与WINS服务器取得联系,解决对
设为首页
加入收藏
联系我们
减小字体
增大字体
站内广告
相关技术