2.3. bind单实例部署
- Date:
2018-09
2.3.1. dns服务器环境
系统版本 |
CentOS release 6.6 (Final) |
主机名 |
dns_01 |
硬件环境 |
x86_64 |
网络配置 |
eth0(dhcp):192.168.161.137 |
bind软件 |
|
备注
- bind安装过程此处略过,参考:
dns-bind-install
2.3.2. bind配置
备注
无论是正向解析的域名配置文件还是反向解析的配置文件,都需要包含进主配置域名文件。
- bind配置过程包括以下几步骤:
rndc配置,用来远程管理bind;
bind主配置文件
/etc/named.conf配置;一般用主配置文件 include 子配置文件的方式对配置分层管理,降低单个文件的复杂度,便于维护;
权威域名解析文件配置;
在权威域名解析文件中添加对应的解析记录;
添加反向解析记录文件并添加反向解析记录。
2.3.2.1. rndc配置
备注
默认没有文件 /etc/rndc.key 也没有 /etc/rndc.conf
1[root@dns_01 etc]# pwd
2/etc
3[root@dns_01 etc]# rndc-confgen -a
4wrote key file "/etc/rndc.key"
5[root@dns_01 etc]# cat rndc.key
6key "rndc-key" {
7 algorithm hmac-md5;
8 secret "5gMwPoQw6iumSg9pSFOi4w==";
9};
生成 rndc.conf 并修改
1[root@dns_01 etc]# rndc-confgen >rndc.conf
2[root@dns_01 etc]# cat rndc.conf
3# Start of rndc.conf
4key "rndc-key" {
5 algorithm hmac-md5;
6 secret "meQGrfOy+mPHOs/CoBDqyQ==";
7};
8
9options {
10 default-key "rndc-key";
11 default-server 127.0.0.1;
12 default-port 953;
13};
14# End of rndc.conf
15
16# Use with the following in named.conf, adjusting the allow list as needed:
17# key "rndc-key" {
18# algorithm hmac-md5;
19# secret "meQGrfOy+mPHOs/CoBDqyQ==";
20# };
21#
22# controls {
23# inet 127.0.0.1 port 953
24# allow { 127.0.0.1; } keys { "rndc-key"; };
25# };
26# End of named.conf
修改上面内容:
1[root@dns_01 etc]# sed -i 's#secret "meQGrfOy+mPHOs/CoBDqyQ==";#secret "5gMwPoQw6iumSg9pSFOi4w==";#' /etc/rndc.conf
2[root@dns_01 etc]# grep 'secret "5gMwPoQw6iumSg9pSFOi4w==";' /etc/rndc.conf
3 secret "5gMwPoQw6iumSg9pSFOi4w==";
4# secret "5gMwPoQw6iumSg9pSFOi4w==";
2.3.2.2. bind主配置文件修改
配置准备:
1[root@dns_01 ~]# cd /etc/
2[root@dns_01 etc]# cp named.conf named.conf.`date +%F`
3[root@dns_01 etc]# ll named.conf*
4-rw-r----- 1 root named 979 Oct 20 15:57 named.conf
5-rw-r----- 1 root root 979 Oct 20 16:54 named.conf.2018-10-20
6[root@dns_01 etc]# >named.conf
配置 named.conf (注意: 下面的 allow-query { any; } 对任意来源开放查询,且没有单独设置 allow-recursion,配合 forwarders 会让服务器对任意来源做递归查询;若此服务器能从外网访问,应把 allow-recursion 限制在内网地址,或关闭 recursion):
小技巧
注意这个配置里面的 secret "5gMwPoQw6iumSg9pSFOi4w==";
就是上面生成的rndc.key里面的值,也是rndc.conf里的值。这个 secret 是控制 named 的共享密钥,不应泄露;本例 controls 只允许 127.0.0.1 连接,如需远程管理,应同时收紧 allow 列表而不是简单放开。
1[root@dns_01 etc]# cat >>named.conf<<EOF
2> options {
3> version "1.1.1";
4> listen-on port 53 {any;};
5> directory "/var/named/chroot/etc/";
6> pid-file "/var/named/chroot/var/run/named/named.pid";
7> allow-query { any; };
8> dump-file "/var/named/chroot/var/log/binddump.db";
9> statistics-file "/var/named/chroot/var/log/named_stats";
10> zone-statistics yes;
11> memstatistics-file "log/mem_stats";
12> empty-zones-enable no;
13> forwarders {
14> 219.146.0.130;
15> 8.8.8.8;
16> };
17> };
18>
19> key "rndc-key" {
20> algorithm hmac-md5;
21> secret "5gMwPoQw6iumSg9pSFOi4w==";
22> };
23>
24> controls {
25> inet 127.0.0.1 port 953
26> allow { 127.0.0.1; } keys { "rndc-key"; };
27> };
28>
29> logging {
30> channel warning {
31> file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
32> severity warning;
33> print-category yes;
34> print-severity yes;
35> print-time yes;
36> };
37> channel general_dns {
38> file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
39> severity info;
40> print-category yes;
41> print-severity yes;
42> print-time yes;
43> };
44> category default {
45> warning;
46> };
47> category queries {
48> general_dns;
49> };
50> };
51>
52> include "/var/named/chroot/etc/view.conf";
53> EOF
上面配置内容:
1options {
2 version "1.1.1";
3 listen-on port 53 {any;};
4 directory "/var/named/chroot/etc/";
5 pid-file "/var/named/chroot/var/run/named/named.pid";
6 allow-query { any; };
7 dump-file "/var/named/chroot/var/log/binddump.db";
8 statistics-file "/var/named/chroot/var/log/named_stats";
9 zone-statistics yes;
10 memstatistics-file "log/mem_stats";
11 empty-zones-enable no;
12 forwarders {
13 219.146.0.130;
14 8.8.8.8;
15 };
16};
17
18key "rndc-key" {
19 algorithm hmac-md5;
20 secret "5gMwPoQw6iumSg9pSFOi4w==";
21};
22
23controls {
24 inet 127.0.0.1 port 953
25 allow { 127.0.0.1; } keys { "rndc-key"; };
26};
27
28logging {
29 channel warning {
30 file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
31 severity warning;
32 print-category yes;
33 print-severity yes;
34 print-time yes;
35 };
36 channel general_dns {
37 file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
38 severity info;
39 print-category yes;
40 print-severity yes;
41 print-time yes;
42 };
43 category default {
44 warning;
45 };
46 category queries {
47 general_dns;
48 };
49};
50
51include "/var/named/chroot/etc/view.conf";
2.3.2.3. 域名解析文件添加配置
根据前面named.conf配置文件说明是包含了文件 /var/named/chroot/etc/view.conf
在这个view.conf文件中包含一个新的自己的域名:display.tk,并指定这个域名的配置文件。
1[root@dns_01 etc]# cd /var/named/chroot/etc/
2[root@dns_01 etc]# ls
3localtime named pki
4[root@dns_01 etc]# cat >>view.conf <<EOF
5> view "View" {
6> zone "display.tk" {
7> type master;
8> file "display.tk.zone";
9> //allow-transfer {
10> // 192.168.161.137;
11> //};
12> //notify yes;
13> //also-notify {
14> // 192.168.161.137;
15> //};
16> };
17> zone "192.168.161.in-addr.arpa" {
18> type master;
19> file "192.168.161.zone";
20> //allow-transfer {
21> // 192.168.161.137;
22> //};
23> //notify yes;
24> //also-notify {
25> // 192.168.161.137;
26> //};
27> };
28> };
29> EOF
上面配置内容:
1view "View" {
2 zone "display.tk" {
3 type master;
4 file "display.tk.zone";
5 //allow-transfer {
6 // 192.168.161.134;
7 //};
8 //notify yes;
9 //also-notify {
10 // 192.168.161.134;
11 //};
12 };
13 zone "192.168.161.in-addr.arpa" {
14 type master;
15 file "192.168.161.zone";
16 //allow-transfer {
17 // 192.168.161.134;
18 //};
19 //notify yes;
20 //also-notify {
21 // 192.168.161.134;
22 //};
23 };
24};
添加一个display域名配置
1[root@dns_01 etc]# vi /var/named/chroot/etc/display.tk.zone
文件中插入下面内容:
1$ORIGIN .
2$TTL 3600 ; 1 hour
3display.tk IN SOA op.display.tk. dns.display.tk. (
4 2000 ; serial
5 900 ; refresh (15 minutes)
6 600 ; retry (10 minutes)
7 86400 ; expire (1 day)
8 3600 ; minimum (1 hour)
9 )
10 NS op.display.tk.
11$ORIGIN display.tk.
12shanks A 1.2.3.4
13op A 1.2.3.4
- Serial
只是一个序号,但这个序号可被用来作为slave与master更新的依据。举例来说,master序号为100但slave序号为90时,那么这个zonefile的资料就会被传送到slave来更新了。由于这个序号代表新旧资料,通常建议可以利用日期来设定。举例来说,上面的资料是在2006/10/20所写的第一次,所以用2006102001作为序号代表!(yyyymmddnn,nn代表这一天是第几次修改)
- Refresh
除了根据Serial来判断新旧之外,我们可以利用这个refresh(更新)命令slave多久进行一次主动更新;
- Retry
如果到了Refresh的时间,但是slave却无法连接到master时,那么在多久之后,slave会再次的主动尝试与主机连线;
- Expire
如果slave一直无法与master连接上,那么经过多久的时间之后,则命令slave不要再连接master了!也就是说,此时我们假设masterDNS可能遇到重大问题而无法上线,则等待系统管理员处理完毕后,再重新来到slaveDNS重新启动bind吧!
- Minimum
这个值的作用类似TTL
2.3.2.4. 添加域名反向解析
1[root@dns_01 etc]# vi 192.168.161.zone
插入下面内容
1$TTL 3600 ; 1 hour
2@ IN SOA op.display.tk. dns.display.tk. (
3 2004 ; serial
4 900 ; refresh (15 minutes)
5 600 ; retry (10 minutes)
6 86400 ; expire (1 day)
7 3600 ; minimum (1 hour)
8 )
9 NS op.display.tk.
10134 IN PTR a.display.tk.
2.3.2.5. 检查配置合法性
检查 /etc/named.conf 语法是否有错误
1[root@dns_01 ~]# named-checkconf
检查zone配置是否有语法错误
1[root@dns_01 ~]# named-checkzone display.tk. /var/named/chroot/etc/display.tk.zone
2zone display.tk/IN: loaded serial 2000
3OK
2.3.2.6. 测试上面配置
测试域名dns服务器的域名: op.display.tk
1[root@dns_01 ~]# dig @192.168.161.137 op.display.tk
2
3; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @192.168.161.137 op.display.tk
4; (1 server found)
5;; global options: +cmd
6;; Got answer:
7;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26072
8;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
9
10;; QUESTION SECTION:
11;op.display.tk. IN A
12
13;; ANSWER SECTION:
14op.display.tk. 3600 IN A 1.2.3.4
15
16;; AUTHORITY SECTION:
17display.tk. 3600 IN NS op.display.tk.
18
19;; Query time: 1 msec
20;; SERVER: 192.168.161.137#53(192.168.161.137)
21;; WHEN: Sat Oct 27 22:36:54 2018
22;; MSG SIZE rcvd: 61
测试域名dns服务器反向解析IP: 192.168.161.134 (注意: 下面的结果是 NXDOMAIN。反向区域名称必须按 IP 各段反序书写,即 view.conf 中的 zone "192.168.161.in-addr.arpa" 很可能应写为 "161.168.192.in-addr.arpa",与输出中的查询名 134.161.168.192.in-addr.arpa. 一致;另外反向区域文件也应运行 named-checkzone 检查。)
1[root@dns_01 ~]# host -t PTR 192.168.161.134 192.168.161.137
2Using domain server:
3Name: 192.168.161.137
4Address: 192.168.161.137#53
5Aliases:
6
7Host 134.161.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
2.3.3. DNS做负载均衡
负载均衡的原理就是一个域名对应多个IP,服务器每次应答会返回全部IP,但以轮询(round-robin)的方式轮换顺序,客户端一般使用排在最前面的那个。
- 缺点:
DNS不能检测域名对应的IP上的服务是否可用,只会机械地返回这个IP。
- 实例:
- 为域名display.tk后面的www服务添加两个对应的IP:
192.168.161.134 192.168.161.132
- 配置过程:
在上面配置的文件
/var/named/chroot/etc/display.tk.zone追加两行。
1www A 192.168.161.134
2www A 192.168.161.132
此时配置文件 /var/named/chroot/etc/display.tk.zone 内容如下:
1[root@dns_01 ~]# cd /var/named/chroot/etc/
2[root@dns_01 etc]# cat display.tk.zone
3$ORIGIN .
4$TTL 3600 ; 1 hour
5display.tk IN SOA op.display.tk. dns.display.tk. (
6 2000 ; serial
7 900 ; refresh (15 minutes)
8 600 ; retry (10 minutes)
9 86400 ; expire (1 day)
10 3600 ; minimum (1 hour)
11 )
12 NS op.display.tk.
13$ORIGIN display.tk.
14shanks A 1.2.3.4
15op A 1.2.3.4
16[root@dns_01 etc]# echo 'www A 192.168.161.134'>>display.tk.zone
17[root@dns_01 etc]# echo 'www A 192.168.161.132'>>display.tk.zone
18[root@dns_01 etc]# cat display.tk.zone
19$ORIGIN .
20$TTL 3600 ; 1 hour
21display.tk IN SOA op.display.tk. dns.display.tk. (
22 2000 ; serial
23 900 ; refresh (15 minutes)
24 600 ; retry (10 minutes)
25 86400 ; expire (1 day)
26 3600 ; minimum (1 hour)
27 )
28 NS op.display.tk.
29$ORIGIN display.tk.
30shanks A 1.2.3.4
31op A 1.2.3.4
32www A 192.168.161.134
33www A 192.168.161.132
配置生效:
1[root@dns_01 ~]# rndc reload
2WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
3server reload successful
2.3.3.1. 测试上面配置
1[root@dns_01 ~]# host www.display.tk 192.168.161.137
2Using domain server:
3Name: 192.168.161.137
4Address: 192.168.161.137#53
5Aliases:
6
7www.display.tk has address 192.168.161.134
8www.display.tk has address 192.168.161.132
测试域名返回值:
1[root@dns_01 ~]# dig @192.168.161.137 www.display.tk
2
3; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @192.168.161.137 www.display.tk
4; (1 server found)
5;; global options: +cmd
6;; Got answer:
7;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43925
8;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
9
10;; QUESTION SECTION:
11;www.display.tk. IN A
12
13;; ANSWER SECTION:
14www.display.tk. 3600 IN A 192.168.161.132
15www.display.tk. 3600 IN A 192.168.161.134
16
17;; AUTHORITY SECTION:
18display.tk. 3600 IN NS op.display.tk.
19
20;; ADDITIONAL SECTION:
21op.display.tk. 3600 IN A 1.2.3.4
22
23;; Query time: 1 msec
24;; SERVER: 192.168.161.137#53(192.168.161.137)
25;; WHEN: Sat Oct 27 23:13:16 2018
26;; MSG SIZE rcvd: 97
27
28[root@dns_01 ~]# dig @192.168.161.137 www.display.tk
29
30; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @192.168.161.137 www.display.tk
31; (1 server found)
32;; global options: +cmd
33;; Got answer:
34;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22012
35;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
36
37;; QUESTION SECTION:
38;www.display.tk. IN A
39
40;; ANSWER SECTION:
41www.display.tk. 3600 IN A 192.168.161.134
42www.display.tk. 3600 IN A 192.168.161.132
43
44;; AUTHORITY SECTION:
45display.tk. 3600 IN NS op.display.tk.
46
47;; ADDITIONAL SECTION:
48op.display.tk. 3600 IN A 1.2.3.4
49
50;; Query time: 0 msec
51;; SERVER: 192.168.161.137#53(192.168.161.137)
52;; WHEN: Sat Oct 27 23:13:20 2018
53;; MSG SIZE rcvd: 97
2.3.4. 智能DNS
智能DNS会根据用户IP返回同一域名对应的不同IP。
根据用户IP分为两个组,每个组访问同一个
www.display.tk返回不同的IP。第一组的客户端IP是
192.168.161.132,第二组的用户IP是192.168.161.136。第一组用户访问
www.display.tk返回IP是192.168.161.134,第二组用户返回的是192.168.161.138
配置过程:
修改主配置文件
/var/named/chroot/etc/named.conf
在主配置文件 /var/named/chroot/etc/named.conf 中最后一行 include 之前添加下面内容:
1acl group1 {
2 192.168.161.132;
3};
4
5acl group2 {
6 192.168.161.136;
7};
修改配置文件
/var/named/chroot/etc/view.conf
备注
假设group1中的用户是河北用户,用hb代表;group2中的用户是山东用户,用sd代表。
先清空这个文件内容:
1[root@dns_01 ~]# >/var/named/chroot/etc/view.conf
清空这个文件内容,然后添加下面内容:
1view "GROUP1" {
2 match-clients { group1; };
3 zone "display.tk" {
4 type master;
5 file "hb.display.tk.zone";
6 };
7};
8
9view "GROUP2" {
10 match-clients { group2; };
11 zone "display.tk" {
12 type master;
13 file "sd.display.tk.zone";
14 };
15};
- 上面这个配置说明要重新创建两个域名解析文件:
/var/named/chroot/etc/hb.display.tk.zone
/var/named/chroot/etc/sd.display.tk.zone
小技巧
这两个文件名称是上面 /var/named/chroot/etc/view.conf 中的 file 指定的。
创建对应的解析文件并配置
创建文件 /var/named/chroot/etc/sd.display.tk.zone
编辑并加入下面内容:
1$ORIGIN .
2$TTL 3600 ; 1 hour
3display.tk IN SOA op.display.tk. dns.display.tk. (
4 2000 ; serial
5 900 ; refresh (15 minutes)
6 600 ; retry (10 minutes)
7 86400 ; expire (1 day)
8 3600 ; minimum (1 hour)
9 )
10 NS op.display.tk.
11$ORIGIN display.tk.
12shanks A 1.2.3.4
13op A 1.2.3.4
14www A 192.168.161.134
创建文件 /var/named/chroot/etc/hb.display.tk.zone
编辑并加入下面内容:
1$ORIGIN .
2$TTL 3600 ; 1 hour
3display.tk IN SOA op.display.tk. dns.display.tk. (
4 2000 ; serial
5 900 ; refresh (15 minutes)
6 600 ; retry (10 minutes)
7 86400 ; expire (1 day)
8 3600 ; minimum (1 hour)
9 )
10 NS op.display.tk.
11$ORIGIN display.tk.
12shanks A 1.2.3.4
13op A 1.2.3.4
14www A 192.168.161.138
2.3.4.1. 测试上面配置
模拟河北客户端IP:192.168.161.132,测试:
1[root@client_hb_01 ~]# ifconfig eth0|awk -F '[ :]+' '{if(NR==2) print $4}'
2192.168.161.132
3[root@client_hb_01 ~]# dig @192.168.161.137 WWW.display.tk
4
5; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> @192.168.161.137 WWW.display.tk
6; (1 server found)
7;; global options: +cmd
8;; Got answer:
9;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5133
10;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
11
12;; QUESTION SECTION:
13;WWW.display.tk. IN A
14
15;; ANSWER SECTION:
16WWW.display.tk. 3600 IN A 192.168.161.138
17
18;; AUTHORITY SECTION:
19display.tk. 3600 IN NS op.display.tk.
20
21;; ADDITIONAL SECTION:
22op.display.tk. 3600 IN A 1.2.3.4
23
24;; Query time: 0 msec
25;; SERVER: 192.168.161.137#53(192.168.161.137)
26;; WHEN: Sun Oct 28 08:36:44 2018
27;; MSG SIZE rcvd: 81
模拟山东客户端IP:192.168.161.136,测试:
1[root@client_sd_01 ~]# ifconfig eth0|awk -F '[ :]+' '{if(NR==2) print $4}'
2192.168.161.136
3[root@client_sd_01 ~]# dig @192.168.161.137 WWW.display.tk
4
5; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> @192.168.161.137 WWW.display.tk
6; (1 server found)
7;; global options: +cmd
8;; Got answer:
9;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53250
10;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
11
12;; QUESTION SECTION:
13;WWW.display.tk. IN A
14
15;; ANSWER SECTION:
16WWW.display.tk. 3600 IN A 192.168.161.134
17
18;; AUTHORITY SECTION:
19display.tk. 3600 IN NS op.display.tk.
20
21;; ADDITIONAL SECTION:
22op.display.tk. 3600 IN A 1.2.3.4
23
24;; Query time: 0 msec
25;; SERVER: 192.168.161.137#53(192.168.161.137)
26;; WHEN: Mon Oct 15 09:56:03 2018
27;; MSG SIZE rcvd: 81
2.3.5. named日志
/var/named/chroot/var/log/named_stats 日志默认没有,需要运行下面的命令才能生成这个日志文件。
1rndc stats