CDN是通过客户端所使用的local dns（以下简称LDNS）做智能调度的，以保证客户端拿到的是离自己最近的节点的资源。但是有时候用户使用的LDNS不一定是本地的LDNS，或者用户可以自己定义LDNS,比如大家都喜欢使用google的8.8.8.8，这样的话，CDN不能根据LDNS进行精确的调度。

ECS在某种意义上可以解决这个问题，下面简述一下它的实现原理： ECS：来源于google，对EDNS0的扩展。在DNS请求的包中插入client的网段地址带到ADNS上，ADNS收到ECS段位的包根据client的IP去进行DNS记录匹配，google的公开name server已支持，此方式需要LDNS和ADNS（授权域名服务器）同时支持。现在大多数的CDN厂商都支持了edns-client-subnet，但是运营商的LDNS还不支持，所以现在还未被广泛使用。

下面给出一个demo演示ecs的实现过程： 实验环境 CentOS Linux release 7.3.1611 serverip：172.17.119.82 clinet from Beijng ct ip:218.30.26.0/24 clinet from Neimenggu ct 222.74.1.0/24

edns-client-subnet（下简称ecs）其现在还没有正式被bind9支持，但是bind9给出了实验版本。需要对bind重新编译，ISC上有支持ecs authoritative的源码，git克隆到到本地编译即可。

[root@server bin]# cd /usr/local/src/
[root@server src]# ls
[root@server src]# git clone https://source.isc.org/git/bind9.git
Cloning into 'bind9'...
remote: Counting objects: 454545, done.
remote: Compressing objects: 100% (76149/76149), done.
Receiving objects: 100% (454545/454545), 215.97 MiB | 8.31 MiB/s, done.
remote: Total 454545 (delta 375727), reused 453100 (delta 374590)
Resolving deltas: 100% (375727/375727), done.
[root@server src]# ls
bind9

[root@server bin]# group -r -g 53 named
[root@server bin]# useradd -r -u 53 -g 53 named

[root@server src]# cd bind9/
[root@server bind9]# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-chroot --enable-threads --without-openssl
#指明安装位置，配置文件位置，关闭chroot，开启线程,不使用openssl
[root@server bind9]# make && make install

自行编译bind源码包会产生以下问题:

（1）没有配置文件 （2）没有区域解析文件（包括13个根服务器的解析文件） （3）没有rndc的相关配置文件

解决上述问题

#1、将bind下配置文件加入PATH中
[root@server bind9]# vim /etc/profile.d/named.sh
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
[root@server bind9]# . /etc/profile.d/named.sh

#2、导出库文件搜索路径
[root@server bind9]# vim /etc/ld.so.conf.d/named.conf
/usr/local/bind9/lib
[root@server bind9]# ldconfig -v

#3、导出头文件搜索路径
[root@server bind9]# ln -sv /usr/local/bind9/include /usr/include/named
"/usr/include/named" -> "/usr/local/bind9/include"

#4、导出帮助文档搜索路径
[root@server bind9]# vim /etc/man_db.conf
添加一行
MANDATORY_MANPATH                       /usr/local/bind9/share/man

编辑主配置文件

[root@server bind9]# vim /etc/named/named.conf
//named.conf

acl nmnet {
        ecs 222.74.1.0/24;
};

acl bjnet {
        ecs 218.30.26.0/24;
};


options {
//    listen-on port 53 { 127.0.0.1; 172.17.119.82; };
    directory   "/var/named";
    allow-query     { any; };
    recursion yes;
};

view neimenggu {
    match-clients { nmnet; };
    allow-recursion { none; };

zone "." IN {
        type hint;
        file "named.ca";
     };

zone "isurecloud.com" IN {
        type master;
        file "isurecloud.com.nmnet.zone";
        allow-update { none; };
      };

};

view beijing {
    match-clients { bjnet; };
    allow-recursion { none; };

zone "isurecloud.com" IN {
        type master;
        file "isurecloud.com.bjnet.zone";
        allow-update { none; };
     };

};

#检查named.conf文件
[root@server bind9]# named-checkconf

创建区域解析库文件

#在联网的情况下直接将查询根的结果导入根区域配置文件
[root@server named]# dig -t NS . > /var/named/named.ca

#vim/var/named/isurecloud.com.nmnet.zone
$TTL 86400
$ORIGIN isurecloud.com.
@    IN    SOA    ns1.isurecloud.com.    admin.isurecloud.com. (
            2017061301
            1H
            5M
            7D
            1D )
    IN    NS    ns1
    IN    NS    ns2
ns1    IN    A    172.17.119.82
ns2    IN    A    172.17.119.83
www    IN    A    222.74.1.100

#vim/var/named/isurecloud.com.bjnet.zone
$TTL 86400
$ORIGIN isurecloud.com.
@    IN    SOA    ns1.isurecloud.com.    admin.isurecloud.com. (
            2017061301
            1H
            5M
            7D
            1D )
    IN    NS    ns1
    IN    NS    ns2
ns1    IN    A    172.17.119.82
ns2    IN    A    172.17.119.83
www    IN    A    218.30.26.100

#检查zone文件
[root@server named]# named-checkzone "isurecloud.com" /var/named/isurecloud.com.nmnet.zone
zone isurecloud.com/IN: loaded serial 2017061301
OK
[root@server named]# named-checkzone "isurecloud.com" /var/named/isurecloud.com.bjnet.zone
zone isurecloud.com/IN: loaded serial 2017061301
OK

接下来，为了安全，需要更改主配置文件和解析库文件的权限和属组

[root@server named]# chmod 640 isurecloud.com.bjnet.zone  isurecloud.com.nmnet.zone named.ca
[root@server named]# chown :named isurecloud.com.bjnet.zone  isurecloud.com.nmnet.zone named.ca
[root@server named]# chmod 640 /etc/named/named.conf
[root@server named]# chown :named /etc/named/named.conf

尝试启动bind

[root@server named]# named -u named #以named用户启动bind
[root@server named]# echo $?
1
#发现启动失败，查看详细日志
[root@server named]# tail -f /var/log/messages

Oct 25 18:58:06 server named[1871]: ----------------------------------------------------
Oct 25 18:58:06 server named[1871]: BIND 9 is maintained by Internet Systems Consortium,
Oct 25 18:58:06 server named[1871]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Oct 25 18:58:06 server named[1871]: corporation.  Support and training for BIND 9 are
Oct 25 18:58:06 server named[1871]: available at https://www.isc.org/support
Oct 25 18:58:06 server named[1871]: ----------------------------------------------------
Oct 25 18:58:06 server named[1871]: adjusted limit on open files from 65535 to 1048576
Oct 25 18:58:06 server named[1871]: found 1 CPU, using 1 worker thread
Oct 25 18:58:06 server named[1871]: using 1 UDP listener per interface
Oct 25 18:58:06 server named[1871]: using up to 4096 sockets
Oct 25 18:58:06 server named[1871]: loading configuration from '/etc/named/named.conf'
Oct 25 18:58:06 server named[1871]: directory '/var/named' is not writable
Oct 25 18:58:06 server named[1871]: /etc/named/named.conf:6: parsing failed: permission denied
Oct 25 18:58:06 server named[1871]: loading configuration: permission denied
Oct 25 18:58:06 server named[1871]: exiting (due to fatal error)

#原来是因为named用户对/var/named/目录没有写权限，于是修改权限
[root@server named]# chmod 770  /var/named/
[root@server named]# named -u named
[root@server named]# echo $?
0

#查看是否启动成功
[root@server ~]# ss -unlp |grep :53
UNCONN     0      0      172.17.119.82:53                       *:*                   users:(("named",pid=2084,fd=514))
UNCONN     0      0      127.0.0.1:53                       *:*                   users:(("named",pid=2084,fd=513))
UNCONN     0      0           :::53                      :::*                   users:(("named",pid=2084,fd=512))
#启动成功，已监听53端口

#使用222.74.1.0/24作为用户的网段访问
[root@server ~]# dig www.isurecloud.com @172.17.119.82 +subnet=222.74.1.0/24

; <<>> DiG 9.12.0b1 <<>> www.isurecloud.com @172.17.119.82 +subnet=222.74.1.0/24
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45007
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f29c6555d8ba9f66450b6cdb5a093ea1793d800dc57b4f64 (good)
; CLIENT-SUBNET: 222.74.1.0/24/24
;; QUESTION SECTION:
;www.isurecloud.com.        IN    A

;; ANSWER SECTION:
www.isurecloud.com.    86400    IN    A    222.74.1.100

;; Query time: 0 msec
;; SERVER: 172.17.119.82#53(172.17.119.82)
;; WHEN: Mon Nov 13 14:41:37 CST 2017
;; MSG SIZE  rcvd: 102

#使用218.30.26.0/24作为用户的网段访问
[root@server ~]# dig www.isurecloud.com @172.17.119.82 +subnet=218.30.26.0/24

; <<>> DiG 9.12.0b1 <<>> www.isurecloud.com @172.17.119.82 +subnet=218.30.26.0/24
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31605
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e7879a8311986abc90e6b7785a093ee0f736a77432479fd0 (good)
; CLIENT-SUBNET: 218.30.26.0/24/24
;; QUESTION SECTION:
;www.isurecloud.com.        IN    A

;; ANSWER SECTION:
www.isurecloud.com.    86400    IN    A    218.30.26.100

;; Query time: 0 msec
;; SERVER: 172.17.119.82#53(172.17.119.82)
;; WHEN: Mon Nov 13 14:42:40 CST 2017
;; MSG SIZE  rcvd: 102