大家好,我是小姜。
写在前面
随着云原生时代的快速发展,各行各业纷纷进军k8s,短短两三年,招聘上面就要求“至少有一年k8s实战经验”。以至于好多传统的、行业初期用的人非常多的一些技术被飞快的甩在后头。亦或者说技术更新迭代层出不穷,老技术会被很快代替,新技术会备受宠爱。而在域名解析领域,大家最熟悉的常用的云解析DNSPod、Godaddy、CloudFlare、阿里云的域名解析等,当然还有dnsmasq、powerdns以及在k8s中用的coreDNS。但是今天我这里就聊聊bind9。
可能目前的中小型公司都不会使用bind9,而且网上你去搜索,大多都是直接使用named服务,不会使用named-chroot。而且更少的是使用acl+view的。要么排版不够好,新手可能看懵逼,配置错误。要么就是没有说的很详细的。当然也有,可能我没有好好花时间搜索或者搜索能力有限。这里我就记录一下bind9使用chroot以及使用acl+view试图实现智能DNS过程。
环境说明
CentOS Linux release 8.4.2105
BIND Version:9.11.26
总网段:172.16.128.0/17
bind9主从所在网段:172.16.0.0/24
bind9 master节点部署
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# 我要启用chroot,并且需要更改named的目录到/data/named/chroot
# 因此需要拷贝文件
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# 创建存放日志的目录
mkdir -p /data/named/chroot/data/log/named/
### 在bind chroot 的目录中创建相关文件
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# 到linux系统的/data/目录下,更改named目录的属主和数组为named
cd /data/
chown named.named -R named
编辑主named.conf文件
$ cat /data/named/chroot/etc/named.conf
acl telecom {
172.17.10.0/24;
};
acl unicom {
172.17.20.0/24;
};
acl mobile {
172.17.30.0/24;
};
options {
listen-on port 53 { 127.0.0.1; 172.16.0.55;};
directory "/var/named";
dump-file "/data/named/data/cache_dump.db";
statistics-file "/data/named/data/named_stats.txt";
memstatistics-file "/data/named/data/named_mem_stats.txt";
// 允许查询的主机;白名单
allow-query { any; };
allow-query-cache { any; };
// 我这里买的是阿里云的ECS服务器,因此这里使用阿里的DNS
forwarders { 223.5.5.5; 223.6.6.6; };
recursive-clients 200000;
check-names master warn;
max-cache-ttl 60;
max-ncache-ttl 0;
//recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
//session-keyfile "/run/named/session.key";
};
logging {
channel query_log {
file "/data/log/named/query.log" versions 10 size 300m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel client_log {
file "/data/log/named/client.log" versions 3 size 200m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel config {
file "/data/log/named/config.log" versions 3 size 100m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel default_log {
file "/data/log/named/default.log" versions 3 size 100m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
channel general_log {
file "/data/log/named/general.log" versions 3 size 200m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
category queries {
query_log;
};
category client {
client_log;
};
category general {
general_log;
};
category config {
config;
};
category default {
default_log;
};
};
view telcom_view {
match-clients { telcom; };
match-destinations { any; };
recursion yes;
include "/etc/named-telcome.zones";
};
view unicom_view {
match-clients { unicom; };
match-destinations { any; };
recursion yes;
include "/etc/named-unicome.zones";
};
view mobile_view {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named-mobile.zones";
};
注意:需要提醒大家的是:第一,启用了named-chroot服务以后,就必须关闭named服务,两者取其一。第二,如果启用了named-chroot,那么目录就都是相对目录,都是相对于/var/named/chroot而言的。
使用acl+view
上面已经定义好了三个acl和三个view。一般来说我们的acl都会放在最开头,也就是options的前面,也建议这样放。
接下来就需要生成三个view下面的include包含进来的区域文件了。这里只演示正向解析区域,一般内网bind9很少需要反向解析。
生成区域文件
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
type master;
file "ayunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
type master;
file "iyunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
type master;
file "allenjol.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
生成区域解析库文件
$ cd /var/named/chroot/var
$ vi ayunw.cn.zone
$TTL 86400
@ IN SOA ayunw.cn. root.iyunw.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.ayunw.cn.
IN NS ns2.ayunw.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
www IN A 172.16.0.58
$ vi iyunw.cn.zone
$TTL 86400
@ IN SOA iyunw.cn. root.iyunw.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.iyunw.cn.
IN NS ns2.iyunw.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
web IN A 172.16.0.59
$ vi allenjol.cn.zone
$TTL 86400
@ IN SOA allenjol.cn. root.allenjol.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.allenjol.cn.
IN NS ns2.allenjol.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
allen IN A 172.16.0.60
启动服务并设置开机自启
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
bind9 slave节点部署
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# 我要启用chroot,并且需要更改named的目录到/data/named/chroot
# 因此需要拷贝文件
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# 创建存放日志的目录
mkdir -p /data/named/chroot/data/log/named/
### 在bind chroot 的目录中创建相关文件
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# 到linux系统的/data/目录下,更改named目录的属主和数组为named
cd /data/
chown named.named -R named
编辑从named.conf文件
$ cat /data/named/chroot/etc/named.conf
$ cat /data/named/chroot/etc/named.conf
acl telecom {
172.17.10.0/24;
};
acl unicom {
172.17.20.0/24;
};
acl mobile {
172.17.30.0/24;
};
options {
listen-on port 53 { 127.0.0.1; 172.16.0.55;};
directory "/var/named";
dump-file "/data/named/data/cache_dump.db";
statistics-file "/data/named/data/named_stats.txt";
memstatistics-file "/data/named/data/named_mem_stats.txt";
// 允许查询的主机;白名单
allow-query { any; };
allow-query-cache { any; };
// 我这里买的是阿里云的ECS服务器,因此这里使用阿里的DNS
forwarders { 223.5.5.5; 223.6.6.6; };
recursive-clients 200000;
check-names master warn;
max-cache-ttl 60;
max-ncache-ttl 0;
//recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
//session-keyfile "/run/named/session.key";
};
logging {
channel query_log {
file "/data/log/named/query.log" versions 10 size 300m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel client_log {
file "/data/log/named/client.log" versions 3 size 200m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel config {
file "/data/log/named/config.log" versions 3 size 100m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel default_log {
file "/data/log/named/default.log" versions 3 size 100m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
channel general_log {
file "/data/log/named/general.log" versions 3 size 200m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
category queries {
query_log;
};
category client {
client_log;
};
category general {
general_log;
};
category config {
config;
};
category default {
default_log;
};
};
view telcom_view {
match-clients { telcom; };
match-destinations { any };
recursion yes;
include "/etc/named-telcome.zones";
};
view unicom_view {
match-clients { unicom; };
match-destinations { any; };
recursion yes;
include "/etc/named-unicome.zones";
};
view mobile_view {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named-mobile.zones";
};
生成区域文件
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
type master;
file "ayunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
type master;
file "iyunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
type master;
file "allenjol.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
启动服务并设置开机自启
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
注意:从节点无需创建区域解析库文件,当主节点重启named-chroot服务的时候会自动同步解析库文件到从节点
测试解析
找了三台机器,内网ip分别为:172.16.10.1、172.16.20.1、172.16.30.1,分别解析http://www.ayunw.cn、http://web.iyunw.cn以及http://allen.allenjol.cn,都是能正常解析的。
$ dig -t A www.ayunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good);; QUESTION SECTION:;www.ayunw.cn. IN A;; ANSWER SECTION:www.ayunw.cn. 86400 IN A 172.16.0.58;; AUTHORITY SECTION:ayunw.cn. 86400 IN NS ns2.ayunw.cn.ayunw.cn. 86400 IN NS ns1.ayunw.cn.;; ADDITIONAL SECTION:ns1.ayunw.cn. 86400 IN A 172.16.0.55ns2.ayunw.cn. 86400 IN A 172.16.0.56;; Query time: 0 msec;; SERVER: 172.16.0.55#53(172.16.0.55);; WHEN: Tue Oct 26 09:50:40 CST 2021;; MSG SIZE rcvd: 161
$ dig -t A web.iyunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn. IN A
;; ANSWER SECTION:
web.iyunw.cn. 86400 IN A 172.16.0.59
;; AUTHORITY SECTION:
iyunw.cn. 86400 IN NS ns2.iyunw.cn.
iyunw.cn. 86400 IN NS ns1.iyunw.cn.
;; ADDITIONAL SECTION:
ns1.iyunw.cn. 86400 IN A 172.16.0.55
ns2.iyunw.cn. 86400 IN A 172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE rcvd: 161
$ dig -t A allen.allenjol.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn. IN A
;; ANSWER SECTION:
allen.allenjol.cn. 86400 IN A 172.16.0.60
;; AUTHORITY SECTION:
allenjol.cn. 86400 IN NS ns2.allenjol.cn.
allenjol.cn. 86400 IN NS ns1.allenjol.cn.
;; ADDITIONAL SECTION:
ns1.allenjol.cn. 86400 IN A 172.16.0.55
ns2.allenjol.cn. 86400 IN A 172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE rcvd: 161
如果你有足够的机器,那么你换一台不在172.16.10.0/24、172.16.20.0/24、172.16.30.0/24这三个网段的机器,然后去任意解析 这三个zone文件中的域名,你会发现最终都是没有正常的A记录返回的。
或者如果你用172.16.10.1去解析http://web.iyunw.cn或者是http://allen.allenjol.cn,那么就无法正常解析了。这就是acl+view实现的智能DNS的效果。
最后,求关注。如果你还想看更多优质原创文章,欢迎关注我们的公众号「运维开发故事」。
如果我的文章对你有所帮助,还请帮忙点赞、在看、转发一下,你的支持会激励我输出更高质量的文章,非常感谢!
你还可以把我的公众号设为「星标」,这样当公众号文章更新时,你会在第一时间收到推送消息,避免错过我的文章更新。
标签:named,chroot,log,烦恼,DNS,yes,data,主从,cn From: https://www.cnblogs.com/gaoyanbing/p/17330927.html