海运的博客

BIND下可通过nsupdate远程、本地动态更新域指向，无需重启BIND，即DDNS，相应域规则需配置allow-update权限。
直接允许指定IP更新：

#https://www.haiyun.me
allow-update { 8.8.8.8; };

或以密钥方式验证：

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns #生成密钥类型为HOST,主机名ddns
cat Kddns.+157+61025.key #查看生成的密钥,后续需添加到配置文件中
ddns. IN KEY 512 3 157 S/ZqoSgQB3OZ8M0Bm4rTFJp54zTEZoBqHLMjg/ljdCTH/8VTYMvxornk y0bCpuAC0VwHzX3Eq+2Fymw/L+iQdA==

添加到主配置：

key "ddns" {
        algorithm hmac-md5;
        secret "S/ZqoSgQB3OZ8M0Bm4rTFJp54zTEZoBqHLMjg/ljdCTH/8VTYMvxornk y0bCpuAC0VwHzX3Eq+2Fymw/L+iQdA==";
};
zone "www.haiyun.me" IN { #相应域授权
        type master;
        file "named.www.haiyun.me";
        allow-query { any; };
        update-policy {
        grant ddns name ddns.www.haiyun.me. A; #仅允许对ddns.www.haiyun.me A记录进行更改
        };

复制生成的公钥与私钥到执行更新的服务器，执行更新操作：

nsupdate -k Kddns.+157+61025.key
> server 184.164.141.188
> update delete ddns.www.haiyun.me
> update add ddns.www.haiyun.me 60 A 8.8.8.8
> send
> quit

新建脚本自动更新IP：

#!/bin/bash
while ture
do
interface=pppoe-wan
dnsserver=184.164.141.188
keyfile=/root/Kddns.+157+61025.key
keydir=/root/
domain=ddns.www.haiyun.me
ddnsip=ping -c 1 $domain|grep from|awk '{print $4}'|sed 's/:$//g'
ip=`ifconfig pppoe-wan|grep inet|awk -F"[ ]+|[:]" ' {print $4}'`
if [ $ddnsip == $ip ]
    echo "当前IP没有更改"
else
cd $keydir
echo "server $dnsserver"                       >  ddns
echo "update delete $domain A "               >>  ddns
echo "update add    $domain 600 A $ip"        >>  ddns
echo "send"                                   >>  ddns
nsupdate -k $keyfile -v ddns
fi
sleep 300
done

BIND可根据请求查询的源IP分配到不同的域规则，即智能DNS服务器。
下载运营商IP地址库，定义ACL，由于条目太多，可分别存为独立文件调用。
示例主DNS为：1.1.1.1，从DNS为2.2.2.2。

#https://www.haiyun.me
acl liantong{
    112.96.0.0/15;
};

生成key，用于同步时验证并解决不能全部同步的问题，

dnssec-keygen -a hmac-md5 -b 128 -n HOST one
dnssec-keygen -a hmac-md5 -b 128 -n HOST two
dnssec-keygen -a hmac-md5 -b 128 -n HOST three

主DNS配置：

key one
{
       algorithm hmac-md5;
       secret "hxCQkylFHbhzbPYo+CRWLA==";
};
key two
{
       algorithm hmac-md5;
       secret "T4Gf+E0+3Y+5uL3ylkQBSA==";
};

key three
{
       algorithm hmac-md5;
       secret "8q22D8M1c9QQKJLteC2bQQ==";
};
view "dianxin" {
server  2.2.2.2 { 
        keys { one; };
};
match-clients { dianxin; key one; !key two; !key three};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "dianxin.www.haiyun.me";
        allow-query { any; };
        notify yes;
        allow-transfer { key one; };
        };
};

view "liantong" {
server  2.2.2.2 {
        keys { two; };
};
match-clients { liantong; key two; !key one; !key three; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "liantong.www.haiyun.me";
        allow-query { any; };
        notify yes;
        allow-transfer { key two; };
        };
};

view "other" {
server  2.2.2.2 {
        keys { three; };
};
match-clients { any; key three; !key one; !key two; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "other.www.haiyun.me";
        allow-query { any; };
        notify yes;
        allow-transfer { key three; };
        };
};
include "/var/named/dianxin.acl";
include "/var/named/liantong.acl";

从DNS配置：

key one
{
       algorithm hmac-md5;
       secret "hxCQkylFHbhzbPYo+CRWLA==";
};
key two
{
       algorithm hmac-md5;
       secret "T4Gf+E0+3Y+5uL3ylkQBSA==";
};

key three
{
       algorithm hmac-md5;
       secret "8q22D8M1c9QQKJLteC2bQQ==";
};
view "dianxin" {
server  1.1.1.1 {
        keys { one; };
};
match-clients { dianxin; key one; !key two; !key three; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "dianxin.www.haiyun.me";
        allow-query { any; };
        masters {1.1.1.1;};
        };
};

view "liantong" {
server  1.1.1.1 {
        keys { two; };
};
match-clients { liantong; key two; !key one; !key three; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "liantong.www.haiyun.me";
        allow-query { any; };
        masters {1.1.1.1;};
        };
};

view "other" {
server  1.1.1.1 {
        keys { three; };
};
match-clients { any; key three; !key one; !key two; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "www.haiyun.me" IN {
        type master;
        file "other.www.haiyun.me";
        allow-query { any; };
        masters {1.1.1.1;};
        };
};
include "/var/named/dianxin.acl";
include "/var/named/liantong.acl";

定义多个域规则，分别转向不同的IP：

$TTL 600
@                       IN SOA   ns1.www.haiyun.me. domain.mail.www.haiyun.me. (
                        2012070401;
                        3H;
                        10M;
                        1W;
                        1H );
@      IN     NS     ns1.www.haiyun.me.
ns1     IN     A     184.164.141.188
www     IN     A     184.164.141.188

为不间断的提供DNS查询服务，自架DNS至少有两台服务器同时提供服务，一台设置为主DNS服务器，其它设置从DNS，自动从主DNS获取数据更新。
Master DNS配置：

#https://www.haiyun.me
zone "www.haiyun.me" IN {
        type master;
        file "named.www.haiyun.me";
        notify yes; #通知Slave更新
        allow-transfer { 184.164.141.188; }; #允许Slave获取信息
};

配置域规则略过，可参考：BIND安装配置。
Slave DNS配置：

zone　"www.haiyun.me" IN {
　　　　type　slave;
　　　　file　"named.www.haiyun.me";
　　　　masters { 184.164.141.188; };
};

从DNS要从主DNS获取域规则并写入，域规则存入目录需有named进程运行用户写入权限，默认为named。

chown -R named:named /var/named/

BIND主域名服务器安装配置参考：BIND DNS安装配置。
子域名管理授权即授权DNS管理二级域名，本例以web.www.haiyun.me为测试域名，BIND主配置文件添加域规则：

zone "web.haiyun.me" IN {
        type master;
        file "named.web.haiyun.me";
        allow-query { any; };
        allow-update { none; }; 
};

主域名规则下定义子域NS：

$TTL 600
@                       IN SOA   ns1.haiyun.me. root.mail.gmail.com. (
                        2012070401;
                        21600;
                        5400;
                        864000;
                        86400 );
@      IN     NS     ns1.haiyun.me.
ns1     IN     A     184.164.141.188
www     IN     A     184.164.141.188
web     IN      NS      ns.web.haiyun.me. #定义web.haiyun.me由ns.web.haiyun.me管理
ns.web  IN      A       184.164.141.188 #定义子域ns.web.haiyun.me所在服务器

然后新建web.haiyun.me域名规则：

$TTL 600
@                       IN SOA   ns.haiyun.me. root.mail.gmail.com. (
                        2012070401;
                        3H;
                        10M;
                        1W;
                        1D );
@      IN     NS     ns.web.haiyun.me.
ns     IN     A     184.164.141.188 #本子域NS地址要和主域定义的相同
www     IN     A     184.164.141.188

Ping测试：

ping www.web.haiyun.me
PING www.web.haiyun.me (184.164.141.188) 56(84) bytes of data.
64 bytes from 184.164.141.188: icmp_seq=1 ttl=57 time=19.1 ms

DNS服务器分为三种：

缓存DNS：负责接收缓存用户DNS请求，查询通过转发DNS服务器，一般家用路由带这种DNS。
递归DNS：普通用户最常接触的就是递归DNS了，用于递归查询域名所对应的IP地址，一般都是使用运营商提供的DNS。
权威DNS：包含根DNS，权威域名DNS，当用户通过递归DNS查询域名对应IP的时候就要向权威DNS查询。

本文要介绍的是权威DNS服务器的安装配置，用于提供对域名的解析服务。
Centos6下BIND安装：

#https://www.haiyun.me
yum install bind

Centos5下BIND安装：

yum install bind 
cp -a /usr/share/doc/bind-9.3.6/sample/etc/* /etc/
cp -a /usr/share/doc/bind-9.3.6/sample/var/named/* /var/named/

配置为本地缓存转发DNS服务器：

cat /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; };
    directory     "/var/named"; 
    allow-query     { localhost; }; #仅允许本地查询
    recursion yes; #允许递归查询
        forward only;  #仅转发
        forwarders {
                8.8.8.8; #转发查询DNS服务器
                4.4.4.4;
        };

};

配置为域名解析权威服务器，根据view功能对内提供递归查询服务，对外提供域名解析服务，需在域名注册商处理更改DNS服务器，如ns1.haiyun.me。

//全局设置
options {
    listen-on port 53 { any; };
    directory     "/var/named";
};

//日志设置
logging {
        channel default_debug {
                file "data/named.run";
                print-time        yes;
                severity dynamic;
        };
        channel query_log {
                file "data/query.log" versions 3 size 20m;
                severity  info;
                print-time        yes;
                print-category  yes;
                };
                category queries {
                query_log;
        };
};

//匹配本机
view localhost {
    match-clients      { localhost; };
    allow-query      { any; };
    recursion yes;  //允许递归查询，即本地DNS缓存服务器
    include "/etc/named.rfc1912.zones"; //调用根服务器及本地
};


//匹配外网
view  external
{
    match-clients    { any; };
        allow-query     { any; };
    recursion no; //非递归服务器
        allow-transfer  { none; }; //不允许传送
    allow-query-cache { any; };

zone "haiyun.me" { 
        type master;
        file "haiyun.me";
        };
};

正解配置：

$ORIGIN haiyun.me //此参数配合下面@，无设置为主配置文件内zone参数
$TTL 600          //SOA ns用于主从判断权威服务器 
@                       IN SOA   ns1.haiyun.me. mail.haiyun.me. ( 
                        2012070401; #序号，slave判断是否下载
                        3H; #更新频率
                        10M; #失败重新连接时间
                        1W; #失效时间
                        1H ); #TTL时间
@      IN     NS     ns1.haiyun.me.  //授权ns服务器
@      IN     NS     ns2.haiyun.me.
ns1     IN     A     1.2.3.4
ns2     IN     A     1.2.3.4
www     IN     A     1.2.3.4

配置完成启动named服务，如有配置iptables需开启udp53端口，为稳定可配置主从同步DNS服务器。

/etc/init.d/named start
iptables -p upd --dport 53 -j ACCEPT

验证是否生效：

dig -t ns www.haiyun.me
;; QUESTION SECTION:
;www.haiyun.me.            IN    NS

;; ANSWER SECTION:
www.haiyun.me.        600    IN    NS    ns1.haiyun.me.
www.haiyun.me.        600    IN    NS    ns2.haiyun.me.

;; ADDITIONAL SECTION:
ns1.haiyun.me.        600    IN    A    1.2.3.4
ns2.haiyun.me.        600    IN    A    1.2.3.4