
Intranet master/slave smart DNS: no more headaches

2022-11-03 23:02 · 运维开发故事 (Xiaojiang) · Networking


Hello everyone, I am Xiaojiang.

Preface

With the rapid growth of the cloud-native era, every industry has rushed into Kubernetes; within two or three years job postings began to demand "at least one year of hands-on k8s experience", and many technologies that were widely used in the industry's early days have been left far behind. Put another way, technology iterates so quickly that old tools are replaced and new ones are favoured. In the DNS space the names everyone knows are the hosted resolvers such as DNSPod, GoDaddy, Cloudflare and Alibaba Cloud DNS, plus dnsmasq, PowerDNS and the CoreDNS used inside Kubernetes. Today, though, I want to talk about BIND 9.

Most small and medium-sized companies probably do not run BIND 9 today, and most of what you find online uses the plain named service rather than named-chroot; even fewer write-ups use acl + view. The ones that exist are either poorly laid out, so a beginner gets confused and misconfigures things, or skip the details. There are surely good ones too; perhaps I did not search hard enough. Here I record how I set up BIND 9 in a chroot and used acl + view to implement split-horizon ("smart") DNS.

Environment

CentOS Linux release 8.4.2105

BIND version: 9.11.26

Overall network: 172.16.0.0/17

Subnet of the BIND master and slave: 172.16.0.0/24

Host         IP            Role
named-srv1   172.16.0.55   named master
named-srv2   172.16.0.56   named slave

Deploying the BIND 9 master

    # the named user and group are created at install time; clear the immutable
    # bit a hardening step may have set on these files, or useradd fails
    chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
    dnf -y install bind-chroot bind-utils
    # named-chroot.service starts named with -t /var/named/chroot, so the
    # configuration, zone files and logs all live under that directory and
    # every path in named.conf is relative to it
    # directory for the log channels defined in named.conf
    mkdir -p /var/named/chroot/data/log/named
    # working directories plus the dump/statistics files named.conf points at
    mkdir -p /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic \
             /var/named/chroot/var/named/slaves /var/named/chroot/run/named
    touch /var/named/chroot/var/named/data/cache_dump.db
    touch /var/named/chroot/var/named/data/named_stats.txt
    touch /var/named/chroot/var/named/data/named_mem_stats.txt
    touch /var/named/chroot/var/named/data/named.run
    touch /var/named/chroot/var/named/dynamic/managed-keys.bind
    # named runs as user named: it must write zone data, logs and the PID file,
    # but not its own configuration, so /var/named/chroot/etc stays root-owned
    chown -R named:named /var/named/chroot/var/named /var/named/chroot/data /var/named/chroot/run/named

Editing the master's named.conf

    $ cat /var/named/chroot/etc/named.conf
    // one ACL per carrier network; a query lands in the first view whose
    // match-clients accepts its source address, so define the ACLs before
    // the views that reference them
    acl telecom {
        172.16.10.0/24;
    };
    acl unicom {
        172.16.20.0/24;
    };
    acl mobile {
        172.16.30.0/24;
    };
    options {
        listen-on port 53 { 127.0.0.1; 172.16.0.55; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // hosts allowed to query (whitelist); the views below narrow this further
        allow-query { any; };
        allow-query-cache { any; };
        // these are Alibaba Cloud ECS instances, so forward to Alibaba's public resolvers
        forwarders { 223.5.5.5; 223.6.6.6; };
        recursive-clients 200000;
        check-names master warn;
        max-cache-ttl 60;
        max-ncache-ttl 0;
        //recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        //session-keyfile "/run/named/session.key";
    };
    logging {
        // paths are inside the chroot: /data/log/named is
        // /var/named/chroot/data/log/named on the host
        channel query_log {
            file "/data/log/named/query.log" versions 10 size 300m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel client_log {
            file "/data/log/named/client.log" versions 3 size 200m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel config_log {
            file "/data/log/named/config.log" versions 3 size 100m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel default_log {
            file "/data/log/named/default.log" versions 3 size 100m;
            severity debug;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel general_log {
            file "/data/log/named/general.log" versions 3 size 200m;
            severity debug;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        category queries { query_log; };
        category client { client_log; };
        category general { general_log; };
        category config { config_log; };
        category default { default_log; };
    };
    view telecom_view {
        match-clients { telecom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-telecom.zones";
    };
    view unicom_view {
        match-clients { unicom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-unicom.zones";
    };
    view mobile_view {
        match-clients { mobile; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-mobile.zones";
    };

Note: two things to keep in mind. First, once named-chroot is in use the plain named service must be stopped and disabled; only one of the two can own port 53 and the PID file. Second, with named-chroot every path in named.conf is interpreted inside the chroot, so "/etc/named-telecom.zones" means /var/named/chroot/etc/named-telecom.zones and "/data/log/named" means /var/named/chroot/data/log/named on the host. Before starting, run named-checkconf -t /var/named/chroot -z /etc/named.conf: a view that references an ACL which was never defined, or an include file that does not exist, is a fatal error and named will not start. Two access-control points are also worth a glance. allow-query { any; } is tolerable only because listen-on binds the internal address and any client that matches no view (including 127.0.0.1 on the server itself, since no ACL lists it) is answered REFUSED. And the per-zone allow-transfer is what stops any host that can reach port 53 from dumping a whole zone with an AXFR.

Using acl + view

The three ACLs and three views are defined above. By convention the ACLs go at the very top, before options, and I recommend doing the same: BIND only lets an address match list use an ACL that was defined earlier in the configuration, so a view cannot reference an ACL declared below it.

Next come the zone definition files that each view pulls in with include. Only forward zones are shown; an internal BIND rarely needs reverse zones.

Creating the zone definition files

    $ vi /var/named/chroot/etc/named-telecom.zones
    zone "ayunw.cn" IN {
        type master;
        file "ayunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        // only the slave may pull the zone; any other host gets "transfer denied"
        allow-transfer { 172.16.0.56; };
    };
    $ vi /var/named/chroot/etc/named-unicom.zones
    zone "iyunw.cn" IN {
        type master;
        file "iyunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
    };
    $ vi /var/named/chroot/etc/named-mobile.zones
    zone "allenjol.cn" IN {
        type master;
        file "allenjol.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
    };

Creating the zone data files

    # "directory /var/named" in named.conf, inside the chroot
    $ cd /var/named/chroot/var/named
    $ vi ayunw.cn.zone
    $TTL 86400
    @   IN SOA ns1.ayunw.cn. root.ayunw.cn. (
            202111011 ; serial (d. adams)
            1H        ; refresh
            15M       ; retry
            1W        ; expiry
            1D )      ; minimum
        IN NS ns1.ayunw.cn.
        IN NS ns2.ayunw.cn.
    ns1 IN A 172.16.0.55
    ns2 IN A 172.16.0.56
    www IN A 172.16.0.58
    $ vi iyunw.cn.zone
    $TTL 86400
    @   IN SOA ns1.iyunw.cn. root.iyunw.cn. (
            202111011 ; serial (d. adams)
            1H        ; refresh
            15M       ; retry
            1W        ; expiry
            1D )      ; minimum
        IN NS ns1.iyunw.cn.
        IN NS ns2.iyunw.cn.
    ns1 IN A 172.16.0.55
    ns2 IN A 172.16.0.56
    web IN A 172.16.0.59
    $ vi allenjol.cn.zone
    $TTL 86400
    @   IN SOA ns1.allenjol.cn. root.allenjol.cn. (
            202111011 ; serial (d. adams)
            1H        ; refresh
            15M       ; retry
            1W        ; expiry
            1D )      ; minimum
        IN NS ns1.allenjol.cn.
        IN NS ns2.allenjol.cn.
    ns1   IN A 172.16.0.55
    ns2   IN A 172.16.0.56
    allen IN A 172.16.0.60

Starting the service and enabling it at boot

    /usr/libexec/setup-named-chroot.sh /var/named/chroot on
    systemctl stop named
    systemctl disable named
    systemctl start named-chroot
    systemctl enable named-chroot

Deploying the BIND 9 slave

    # identical preparation to the master
    chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
    dnf -y install bind-chroot bind-utils
    # named-chroot.service starts named with -t /var/named/chroot; every path
    # in named.conf is relative to that directory
    mkdir -p /var/named/chroot/data/log/named
    mkdir -p /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic \
             /var/named/chroot/var/named/slaves /var/named/chroot/run/named
    touch /var/named/chroot/var/named/data/cache_dump.db
    touch /var/named/chroot/var/named/data/named_stats.txt
    touch /var/named/chroot/var/named/data/named_mem_stats.txt
    touch /var/named/chroot/var/named/data/named.run
    touch /var/named/chroot/var/named/dynamic/managed-keys.bind
    # the slaves/ directory must be writable by named: transferred zones are stored there
    chown -R named:named /var/named/chroot/var/named /var/named/chroot/data /var/named/chroot/run/named

Editing the slave's named.conf

    $ cat /var/named/chroot/etc/named.conf
    acl telecom {
        172.16.10.0/24;
    };
    acl unicom {
        172.16.20.0/24;
    };
    acl mobile {
        172.16.30.0/24;
    };
    options {
        // the slave's own address, not the master's
        listen-on port 53 { 127.0.0.1; 172.16.0.56; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // hosts allowed to query (whitelist); the views below narrow this further
        allow-query { any; };
        allow-query-cache { any; };
        // these are Alibaba Cloud ECS instances, so forward to Alibaba's public resolvers
        forwarders { 223.5.5.5; 223.6.6.6; };
        recursive-clients 200000;
        check-names master warn;
        max-cache-ttl 60;
        max-ncache-ttl 0;
        //recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        //session-keyfile "/run/named/session.key";
    };
    logging {
        channel query_log {
            file "/data/log/named/query.log" versions 10 size 300m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel client_log {
            file "/data/log/named/client.log" versions 3 size 200m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel config_log {
            file "/data/log/named/config.log" versions 3 size 100m;
            severity info;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel default_log {
            file "/data/log/named/default.log" versions 3 size 100m;
            severity debug;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        channel general_log {
            file "/data/log/named/general.log" versions 3 size 200m;
            severity debug;
            print-category yes;
            print-time yes;
            print-severity yes;
        };
        category queries { query_log; };
        category client { client_log; };
        category general { general_log; };
        category config { config_log; };
        category default { default_log; };
    };
    view telecom_view {
        match-clients { telecom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-telecom.zones";
    };
    view unicom_view {
        match-clients { unicom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-unicom.zones";
    };
    view mobile_view {
        match-clients { mobile; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-mobile.zones";
    };

Creating the zone definition files

On the slave the zones are of type slave: they name the master to transfer from and are written by named itself, so the file lives in the named-owned slaves/ directory.

    $ vi /var/named/chroot/etc/named-telecom.zones
    zone "ayunw.cn" IN {
        type slave;
        // pull the zone from the master, which lists this host in allow-transfer
        masters { 172.16.0.55; };
        file "slaves/ayunw.cn.zone";
        masterfile-format text;
        // nobody transfers from the slave
        allow-transfer { none; };
    };
    $ vi /var/named/chroot/etc/named-unicom.zones
    zone "iyunw.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "slaves/iyunw.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
    };
    $ vi /var/named/chroot/etc/named-mobile.zones
    zone "allenjol.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "slaves/allenjol.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
    };

Starting the service and enabling it at boot

    /usr/libexec/setup-named-chroot.sh /var/named/chroot on
    systemctl stop named
    systemctl disable named
    systemctl start named-chroot
    systemctl enable named-chroot

Note: the slave needs no zone data files of its own. When named-chroot starts on the slave it requests each zone from 172.16.0.55 and stores it under slaves/, and it transfers again whenever the master's SOA serial rises (the master sends a NOTIFY after a reload). One caveat is easy to miss: the transfer request reaches the master from 172.16.0.56 and is subject to the same match-clients selection as any other query. That address is in none of the three ACLs, so with the views exactly as written the master refuses the transfers; and because one source address can only ever land in one view, a single secondary cannot pull zones out of three views by address alone. The standard answer is TSIG: define a key per view on the master, match on it with "key name" in match-clients, and have the slave sign each zone's transfer with the matching key.
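Zone transfers are serial-driven: the slave only pulls a zone when the master's SOA serial is numerically higher than the copy it holds, so editing a record in one of the zone files above without raising the serial leaves 172.16.0.56 answering with stale data indefinitely while the master answers with the new record. The script below is an added example, not from the original post; it bumps the serial of a zone file in the YYYYMMDDnn style used above and lists the commands to run afterwards. The zone text it operates on is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original post: bump the SOA serial of a zone
# file. A slave only transfers a zone when the master's serial is greater
# than the one it holds, so an edit without a serial bump never reaches
# 172.16.0.56 and the two servers answer differently. The zone text below is
# constructed for the demonstration in the layout used above.

# soa_serial FILE -> the number on the line tagged "; serial"
soa_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# next_serial OLD -> today's YYYYMMDD01 when that is larger, else OLD+1.
# The date form stays readable; the +1 fallback keeps the serial monotonic
# when a zone is edited more than once a day.
next_serial() {
    today=$(date +%Y%m%d)01
    if [ "$today" -gt "$1" ]; then echo "$today"; else echo $(( $1 + 1 )); fi
}

# bump_serial FILE -> rewrite the serial line in place and print the new serial
bump_serial() {
    old=$(soa_serial "$1")
    [ -n "$old" ] || { echo "no '; serial' line in $1" >&2; return 1; }
    new=$(next_serial "$old")
    awk -v old="$old" -v new="$new" '
        !done && /; *serial/ { sub(old, new); done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Constructed zone file, same layout as ayunw.cn.zone above.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 86400
@   IN SOA ns1.ayunw.cn. root.ayunw.cn. (
        202111011 ; serial (d. adams)
        1H        ; refresh
        15M       ; retry
        1W        ; expiry
        1D )      ; minimum
    IN NS ns1.ayunw.cn.
    IN NS ns2.ayunw.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
www IN A 172.16.0.58
EOF

echo "before: $(soa_serial "$ZONE")"
echo "after:  $(bump_serial "$ZONE")"
rm -f "$ZONE"

# On the master, after editing /var/named/chroot/var/named/ayunw.cn.zone:
#   bump_serial /var/named/chroot/var/named/ayunw.cn.zone
#   named-checkzone ayunw.cn /var/named/chroot/var/named/ayunw.cn.zone
#   rndc reload ayunw.cn IN telecom_view
# then, from a client inside the telecom ACL, confirm both servers agree:
#   dig @172.16.0.55 ayunw.cn SOA +short; dig @172.16.0.56 ayunw.cn SOA +short
```

The two SOA answers must carry the same serial once the transfer has completed; if the slave's stays behind, check the master's transfer log for a "transfer denied" entry, which is the symptom of the view caveat noted above.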

Testing resolution

I found three machines with internal IPs 172.16.10.1, 172.16.20.1 and 172.16.30.1 and resolved www.ayunw.cn, web.iyunw.cn and allen.allenjol.cn from them respectively; all resolve normally.

    $ dig -t A www.ayunw.cn

    ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A www.ayunw.cn
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
    ;; QUESTION SECTION:
    ;www.ayunw.cn.                  IN      A

    ;; ANSWER SECTION:
    www.ayunw.cn.           86400   IN      A       172.16.0.58

    ;; AUTHORITY SECTION:
    ayunw.cn.               86400   IN      NS      ns2.ayunw.cn.
    ayunw.cn.               86400   IN      NS      ns1.ayunw.cn.

    ;; ADDITIONAL SECTION:
    ns1.ayunw.cn.           86400   IN      A       172.16.0.55
    ns2.ayunw.cn.           86400   IN      A       172.16.0.56

    ;; Query time: 0 msec
    ;; SERVER: 172.16.0.55#53(172.16.0.55)
    ;; WHEN: Tue Oct 26 09:50:40 CST 2021
    ;; MSG SIZE  rcvd: 161

    $ dig -t A web.iyunw.cn

    ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A web.iyunw.cn
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
    ;; QUESTION SECTION:
    ;web.iyunw.cn.                  IN      A

    ;; ANSWER SECTION:
    web.iyunw.cn.           86400   IN      A       172.16.0.59

    ;; AUTHORITY SECTION:
    iyunw.cn.               86400   IN      NS      ns2.iyunw.cn.
    iyunw.cn.               86400   IN      NS      ns1.iyunw.cn.

    ;; ADDITIONAL SECTION:
    ns1.iyunw.cn.           86400   IN      A       172.16.0.55
    ns2.iyunw.cn.           86400   IN      A       172.16.0.56

    ;; Query time: 0 msec
    ;; SERVER: 172.16.0.55#53(172.16.0.55)
    ;; WHEN: Tue Oct 26 09:50:40 CST 2021
    ;; MSG SIZE  rcvd: 161

    $ dig -t A allen.allenjol.cn

    ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.allenjol.cn
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
    ;; QUESTION SECTION:
    ;allen.allenjol.cn.             IN      A

    ;; ANSWER SECTION:
    allen.allenjol.cn.      86400   IN      A       172.16.0.60

    ;; AUTHORITY SECTION:
    allenjol.cn.            86400   IN      NS      ns2.allenjol.cn.
    allenjol.cn.            86400   IN      NS      ns1.allenjol.cn.

    ;; ADDITIONAL SECTION:
    ns1.allenjol.cn.        86400   IN      A       172.16.0.55
    ns2.allenjol.cn.        86400   IN      A       172.16.0.56

    ;; Query time: 0 msec
    ;; SERVER: 172.16.0.55#53(172.16.0.55)
    ;; WHEN: Tue Oct 26 09:50:40 CST 2021
    ;; MSG SIZE  rcvd: 161

If you have spare machines, take one that sits outside 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 and resolve any name from the three zones: no A record comes back, because the source address matches no view's match-clients and named answers REFUSED.

Likewise, if 172.16.10.1 resolves web.iyunw.cn or allen.allenjol.cn it does not get the internal address: that client lands in telecom_view, which carries only ayunw.cn, so the other two names are looked up through the forwarders like any public name. That is the "smart DNS" effect of acl + view.
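The checks above are done by eye. The script below, an added example that is not part of the original post, turns the expected behaviour into a matrix that can be verified mechanically from each client: a host in an ACL must receive the internal address for the zone in its own view, must never receive an internal address for the other two zones, and a host outside all three ACLs must be REFUSED. The dig outputs embedded in it are constructed samples for the parser; run_live performs the real queries when dig is available.

```sh
#!/bin/sh
# Added example, not part of the original post: a mechanical acceptance check
# for the split-horizon behaviour described above. The expected outcomes come
# from named.conf: a client gets the internal address only for the zone in
# its own view; other views recurse upstream and must never hand out an
# internal address; a client in no ACL is REFUSED. The dig outputs embedded
# here are constructed samples for the parser.

# classify_dig <dig output on stdin> -> "A:<address>", the header status, or NOANSWER
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^$/ { in_ans = 0 }
        in_ans && $4 == "A" { addr = $5 }
        END {
            if (addr != "") print "A:" addr
            else if (status != "") print status
            else print "NOANSWER"
        }'
}

# internal_addr NAME -> the address in the zone data above ("" if not ours)
internal_addr() {
    case $1 in
        www.ayunw.cn) echo 172.16.0.58 ;;
        web.iyunw.cn) echo 172.16.0.59 ;;
        allen.allenjol.cn) echo 172.16.0.60 ;;
    esac
}

# zone_view NAME -> the view that carries the zone authoritatively
zone_view() {
    case $1 in
        *.ayunw.cn) echo telecom ;;
        *.iyunw.cn) echo unicom ;;
        *.allenjol.cn) echo mobile ;;
    esac
}

# verdict CLIENT_ACL NAME RESULT -> OK or FAIL:<reason>
# CLIENT_ACL is telecom, unicom, mobile, or none for a host outside all three
verdict() {
    want="A:$(internal_addr "$2")"
    if [ "$1" = none ]; then
        [ "$3" = REFUSED ] && echo OK || echo "FAIL:expected REFUSED, got $3"
    elif [ "$1" = "$(zone_view "$2")" ]; then
        [ "$3" = "$want" ] && echo OK || echo "FAIL:expected $want, got $3"
    else
        [ "$3" != "$want" ] && echo OK || echo "FAIL:internal address leaked to $1"
    fi
}

# run_live CLIENT_ACL -> query the master for all three names from this host.
# Run once from a host in each ACL and once from a host outside all of them.
run_live() {
    for name in www.ayunw.cn web.iyunw.cn allen.allenjol.cn; do
        result=$(dig @172.16.0.55 -t A "$name" +time=2 +tries=1 | classify_dig)
        printf '%-8s %-20s %-16s %s\n' "$1" "$name" "$result" "$(verdict "$1" "$name" "$result")"
    done
}

# Constructed samples, trimmed to the sections classify_dig reads.
SAMPLE_OK='
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;www.ayunw.cn.                  IN      A

;; ANSWER SECTION:
www.ayunw.cn.           86400   IN      A       172.16.0.58
'
SAMPLE_REFUSED='
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.ayunw.cn.                  IN      A
'

echo "$SAMPLE_OK" | classify_dig                                       # A:172.16.0.58
verdict telecom www.ayunw.cn "$(echo "$SAMPLE_OK" | classify_dig)"      # OK
verdict none www.ayunw.cn "$(echo "$SAMPLE_REFUSED" | classify_dig)"    # OK

# Real queries only when dig is present and the caller names its ACL, e.g.
# (saved under a hypothetical name)  sh split_check.sh telecom   on 172.16.10.1
if [ $# -gt 0 ] && command -v dig >/dev/null 2>&1; then
    run_live "$1"
fi
```

Any FAIL line is either a wrong ACL prefix, a view that still matches { any; }, or a zone included in the wrong view; the combination of client and name in the line says which.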

Original article: https://mp.weixin.qq.com/s/DqxcTfccHyhalSW_uTvI3g
