Enterprise DNS Service Cluster Architecture Design and Hands-on BIND Deployment and Configuration
DNS (Domain Name System)
Put simply, DNS is the system that translates between domain names and IP addresses, so that users can reach the right service by name instead of having to remember hard-to-distinguish IPs. DNS normally runs over UDP on port 53. TCP port 53 is used as well: for zone transfers (AXFR/IXFR) and for responses too large to fit in a single UDP datagram, so a DNS server has to be reachable on both.
DNS resolution flow
Taking www.qq.com as an example, when a user types the address into a browser and presses Enter, the IP is found through the following steps, which together make up a DNS resolution:
1) The local hosts file is checked first.
2) If there is no local entry, the client sends a recursive query to its local DNS server (LDNS, the primary/secondary DNS configured on the network interface).
3) If the LDNS has no cached answer, it queries a root server and then iterates downwards: root servers, then the .com TLD servers, then the servers authoritative for qq.com, until it reaches the server that is authoritative for the name being resolved.
4) The authoritative server returns the A record for www.qq.com to the LDNS, which caches it for the record's TTL and passes it back to the client.
5) The client connects to the returned address directly, and the resolution is complete.
Common DNS server software
DNSMASQ
Dnsmasq is a small, convenient DNS and DHCP tool suited to local name resolution in small networks. Many companies run dnsmasq on every server as a local caching resolver, which speeds up lookups and takes load off the central DNS servers.
BIND
BIND is by far the most widely deployed open-source DNS server; its strengths are stability and performance.
HTTPDNS
Resolution for mobile clients: the app sends the lookup to a cloud DNS service over HTTP instead of sending a DNS-protocol query to the carrier's Local DNS. This sidesteps hijacking by the Local DNS and cross-network access problems, and addresses the lookup failures that plague mobile Internet services.
HTTPDNS has taken off in recent years; its main use is still in mobile apps, where it avoids stale answers when a device switches between networks.
The role of DNS in an enterprise service cluster
DNS is a foundational service of the whole cluster. It can serve only the local cluster's name resolution, or it can be deployed on the public network to serve Internet clients. The benefit of addressing services by name in cluster configuration is that when a server is migrated or its IP changes, the host name stays the same and large numbers of application configurations do not have to be changed.
DNS cluster for a medium or large network
Lab environment
[root@m01 ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@m01 ~]# uname -r
2.6.32-573.el6.x86_64
Hosts
172.16.2.1 m01 Master DNS
172.16.2.2 m02 Slave DNS
Master/slave DNS configuration
1) Install the software
[root@m01 ~]# yum install -y bind-utils bind bind-devel bind-chroot
[root@m01 ~]# rpm -qa | egrep "bind-utils|bind|bind-devel|bind-chroot"
bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
rpcbind-0.2.0-12.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-devel-9.8.2-0.47.rc1.el6.x86_64
bind-chroot-9.8.2-0.47.rc1.el6.x86_64
2) Edit the main configuration file
[root@m01 etc]# cat /etc/named.conf
options {
    version "1.1.1";                          # hide the real BIND version from CHAOS-class version.bind queries
    listen-on port 53 { any; };               # listen on every interface; on a multi-homed host list only the service addresses here
    directory "/var/named/chroot/etc/";       # working directory
    pid-file "/var/named/chroot/var/run/named/named.pid";
    allow-query { any; };                     # anyone may query; together with the forwarders below and no allow-recursion this is an open recursive resolver
    dump-file "/var/named/chroot/var/log/binddump.db";       # where the cache is written by rndc dumpdb
    statistics-file "/var/named/chroot/var/log/named_stats"; # statistics file written by rndc stats
    zone-statistics yes;                      # collect statistics for every zone
    memstatistics-file "log/mem_stats";       # memory usage statistics (path relative to directory)
    empty-zones-enable no;                    # do not serve BIND's built-in empty zones (e.g. reverse zones for RFC 1918 space); those lookups go to the forwarders instead
    forwarders { 202.106.196.115; 8.8.8.8; }; # forward first (default): ask the forwarders, resolve itself if they do not answer; "forward only;" would never resolve itself
};
# Key used to authenticate the rndc control channel with TSIG
key "rndc-key" {
    algorithm hmac-md5;
    secret "Eqw4hC1GExUWeDkKBX/pBg==";        # this secret is published with the article; generate your own with rndc-confgen -a
};
# Control channel used by the rndc utility
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
# Logging: channels, and which category goes to which channel
logging {
    channel warning {
        file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "/var/named/chroot/var/log/dns_log" versions 10 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };       # giving the queries category a channel turns query logging on
};
# Include the file that defines the views
include "/var/named/chroot/etc/view.conf";
Two points deserve attention before this goes anywhere near a public interface. First, allow-query { any; } plus forwarders, with no allow-recursion statement, means the server will recurse for any client that can reach it; an Internet-facing host configured like this is an open resolver that can be abused for DNS amplification and whose cache is exposed to poisoning. Restrict recursion to the internal client ranges with allow-recursion, and keep allow-query { any; } only for the zones it is authoritative for. Second, the rndc key above uses HMAC-MD5 and a secret that is printed in this article; never reuse it. The control channel itself is correctly limited to 127.0.0.1. Note also that the paths are written as seen from the host; if named actually runs chrooted (ROOTDIR set in /etc/sysconfig/named), paths inside named.conf are resolved relative to the chroot, so validate the configuration with named-checkconf before starting the service.
3) Edit the control-channel key file rndc.key and the rndc client configuration rndc.conf
rndc.key (the same key name, algorithm and secret as declared in named.conf):
key "rndc-key" {
    algorithm hmac-md5;
    secret "Eqw4hC1GExUWeDkKBX/pBg==";
};
rndc.conf:
[root@m01 etc]# vim /etc/rndc.conf
include "/etc/rndc.key";      # rndc.conf must define, or include, the key named by default-key
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
When /etc/rndc.conf exists, rndc uses it and ignores /etc/rndc.key, which is what the warning printed by rndc reload below refers to.
4) Edit view.conf
[root@m01 etc]# cd /var/named/chroot/etc/
[root@m01 etc]# vim view.conf
view "View" {
    zone "lnh.com" {
        type master;
        file "lnh.com.zone";
        allow-transfer { 172.16.2.2; };   # only the slave may pull the zone; without this BIND allows AXFR from anyone
        notify yes;
        also-notify { 172.16.2.2; };
    };
};
allow-transfer limits transfers by source IP only; for a stronger control, sign transfers with a TSIG key shared between master and slave.
5) Edit lnh.com.zone
[root@m01 etc]# pwd
/var/named/chroot/etc
$ORIGIN .
$TTL 3600 ; 1 hour
lnh.com IN SOA op.lnh.com. dns.lnh.com. (
        2000   ; serial
        900    ; refresh (15 min)
        600    ; retry (10 min)
        86400  ; expire (1 day)
        3600   ; minimum (1 hour)
        )
        NS op.lnh.com.
$ORIGIN lnh.com.
shanks  A 1.2.3.4
op      A 1.2.3.4          ; placeholder address for the name server; in production this should be the master's real IP
a       A 1.2.3.4
6) Start the DNS service
Fix the ownership of the directory and start the service
[root@m01 etc]# cd /var && chown -R named.named named/
[root@m01 var]# /etc/init.d/named start
Starting named: [ OK ]
Reload
[root@m01 var]# rndc reload
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
server reload successful
The warning is harmless: rndc prefers /etc/rndc.conf when it exists and only falls back to /etc/rndc.key otherwise.
Enable the service at boot and check the listening ports
[root@m01 var]# chkconfig named on
[root@m01 var]# netstat -tunlp | grep named
tcp  0  0 172.16.2.1:53   0.0.0.0:*  LISTEN  2073/named
tcp  0  0 10.0.0.101:53   0.0.0.0:*  LISTEN  2073/named
tcp  0  0 127.0.0.1:53    0.0.0.0:*  LISTEN  2073/named
tcp  0  0 127.0.0.1:953   0.0.0.0:*  LISTEN  2073/named
udp  0  0 172.16.2.1:53   0.0.0.0:*          2073/named
udp  0  0 10.0.0.101:53   0.0.0.0:*          2073/named
udp  0  0 127.0.0.1:53    0.0.0.0:*          2073/named
Because of listen-on { any; }, named is also bound to 10.0.0.101:53, a second interface on this host; if one interface faces an untrusted network, list only the intended addresses in listen-on. Port 953 is the rndc control channel and is correctly bound to 127.0.0.1 only.
7) Test resolution
[root@m01 var]# dig @127.0.0.1 a.lnh.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @127.0.0.1 a.lnh.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56660
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;a.lnh.com.                     IN      A
;; ANSWER SECTION:
a.lnh.com.              3600    IN      A       1.2.3.4
;; AUTHORITY SECTION:
lnh.com.                3600    IN      NS      op.lnh.com.
;; ADDITIONAL SECTION:
op.lnh.com.             3600    IN      A       1.2.3.4
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 15 20:52:11 2016
;; MSG SIZE  rcvd: 76
In the flags, aa means the answer is authoritative and ra means the server offers recursion to this client. Seeing ra for a client that is not on your internal network is the symptom of the open-resolver problem noted under named.conf above.
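The two exposures discussed above, open recursion and unrestricted zone transfer, are easy to test for from any host with dig. The following script is an added example and not part of the original article: the *_from_output functions decide from dig's text whether a server recursed or handed over a zone, so they can be exercised on the constructed sample outputs embedded below without network access, and the *_live functions run dig (from bind-utils) against a real server. The server and zone names are arguments; www.example.com is used as a name the audited server is not authoritative for.

```shell
#!/bin/sh
# Added example, not from the original article: audit a BIND server for two
# exposures the sample named.conf can produce. allow-query { any; } with
# forwarders and no allow-recursion gives an open recursive resolver (usable
# for amplification attacks and exposed to cache poisoning); a zone without
# allow-transfer can be downloaded by anyone with AXFR.

# 0 if the dig output in $1 is a recursive answer: NOERROR, 'ra' flag, >= 1 answer.
recursion_open_from_output() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$1" | grep '^;; flags:' | grep -qw 'ra' || return 1
    printf '%s\n' "$1" | grep -qE 'ANSWER: [1-9]'
}

# 0 if the dig AXFR output in $1 is a successful transfer (zone records with SOA).
axfr_open_from_output() {
    printf '%s\n' "$1" | grep -q 'Transfer failed' && return 1
    printf '%s\n' "$1" | grep -qE '[[:space:]]IN[[:space:]]+SOA[[:space:]]'
}

# Live checks. $1 = server address, $2 = zone name. www.example.com is a name
# the audited server is not authoritative for, so an answer proves it recursed.
recursion_open_live() {
    recursion_open_from_output "$(dig @"$1" www.example.com A +time=3 +tries=1 2>&1)"
}
axfr_open_live() {
    axfr_open_from_output "$(dig @"$1" "$2" AXFR +time=3 +tries=1 2>&1)"
}

# One-line verdict per check against a live server.
audit_server() {
    server=$1 zone=$2
    if recursion_open_live "$server"; then
        echo "$server: OPEN RECURSION - add allow-recursion { <internal nets>; }; to options"
    else
        echo "$server: recursion restricted"
    fi
    if axfr_open_live "$server" "$zone"; then
        echo "$server: OPEN AXFR for $zone - set allow-transfer { <slave IPs>; }; on the zone"
    else
        echo "$server: AXFR for $zone refused"
    fi
}

# Constructed, abridged dig outputs used to exercise the parsers offline.
SAMPLE_RECURSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.com.  300 IN A 192.0.2.10'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AXFR_OK='lnh.com.   3600 IN SOA op.lnh.com. dns.lnh.com. 2000 900 600 86400 3600
lnh.com.   3600 IN NS op.lnh.com.
a.lnh.com. 3600 IN A 1.2.3.4
lnh.com.   3600 IN SOA op.lnh.com. dns.lnh.com. 2000 900 600 86400 3600'
SAMPLE_AXFR_REFUSED='; <<>> DiG 9.8.2rc1 <<>> @172.16.2.1 lnh.com AXFR
; Transfer failed.'

# Usage: sh dns_exposure_check.sh 172.16.2.1 lnh.com
if [ $# -eq 2 ]; then audit_server "$1" "$2"; fi
```

Run it once from an internal host and once from outside the network: the master above should refuse AXFR from anything but 172.16.2.2, and after allow-recursion is added it should answer www.example.com only for internal clients.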
8) Slave DNS server
Now configure a slave DNS server.
Install the software (same as on the master)
Edit named.conf (same as on the master)
Edit rndc.key (same as on the master)
Edit rndc.conf (same as on the master)
Edit view.conf
[root@m02 etc]# cd /var/named/chroot/etc/
[root@m02 etc]# vim view.conf
view "SlaveView" {
    zone "lnh.com" {
        type slave;
        masters { 172.16.2.1; };
        file "slave.lnh.com.zone";
    };
};
Change the owner and start the service
[root@m02 etc]# cd /var && chown -R named.named named/
[root@m02 var]# /etc/init.d/named start
Starting named:
The slave has pulled lnh.com.zone from the master automatically, which confirms that master/slave replication works:
[root@m02 var]# cd /var/named/chroot/etc/
[root@m02 etc]# ll slave.lnh.com.zone
-rw-r--r--. 1 named named 326 Sep 15 21:15 slave.lnh.com.zone
Adding resolution records
Edit lnh.com.zone and add an A record, a CNAME record and an MX record.
Increment the serial by hand every time the zone is edited: the slave decides whether to transfer by comparing serials, so a change made without bumping the serial never reaches it. Checking the file with named-checkzone lnh.com lnh.com.zone before reloading catches syntax mistakes early.
[root@m01 etc]# vim lnh.com.zone
$ORIGIN .
$TTL 3600 ; 1 hour
lnh.com IN SOA op.lnh.com. dns.lnh.com. (
        2003   ; serial, incremented from 2000
        900    ; refresh (15 min)
        600    ; retry (10 min)
        86400  ; expire (1 day)
        3600   ; minimum (1 hour)
        )
        NS op.lnh.com.
$ORIGIN lnh.com.
shanks  A 1.2.3.4
op      A 1.2.3.4
a       A 1.2.3.4
a       A 172.16.2.100      ; a second A record for the same name: the answers rotate (round robin)
cname   CNAME a.lnh.com.
mx      MX 5 172.16.2.101   ; WRONG: an MX target must be a host name, see below
[root@m01 etc]# rndc reload
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
server reload successful
[root@m01 etc]# host mx.lnh.com 172.16.2.1
Using domain server:
Name: 172.16.2.1
Address: 172.16.2.1#53
Aliases:
mx.lnh.com mail is handled by 5 172.16.2.101.lnh.com.
The last line shows the mistake: MX RDATA is a domain name, not an address, so named read 172.16.2.101 as a relative name and appended the origin, producing the nonexistent host 172.16.2.101.lnh.com. Write the MX target as a host name that has its own A record instead:
mail    A 172.16.2.101
mx      MX 5 mail.lnh.com.
and increment the serial again before the next rndc reload.
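Both problems in this step, the forgotten serial bump and the MX target written as a bare address, are mechanical enough to check for before every reload. The script below is an added example, not part of the original article: it reads and increments the SOA serial of a zone file laid out like lnh.com.zone above (opening parenthesis, then the serial as the first number after it), reports MX/NS/CNAME records whose target is a dotted-quad, and runs named-checkzone when the bind package is installed. The sample zone it writes is a constructed copy of the article's file.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for a BIND
# zone file before "rndc reload". Assumes the multi-line SOA layout used in
# this article, with the serial as the first number after the "(".

# Print the SOA serial of zone file $1.
zone_serial() {
    awk '
        /SOA/ { insoa = 1 }
        insoa {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break                 # rest of the line is a comment
                if (seen_paren && $i ~ /^[0-9]+$/) { print $i; exit }
                if ($i == "(") seen_paren = 1
            }
        }' "$1"
}

# Increment the serial of zone file $1 in place and print the new value.
# Only the serial line is rewritten (awk re-joins its fields with single spaces).
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || return 1
    new=$((old + 1))
    awk -v old="$old" -v new="$new" '
        !done && /SOA/ { insoa = 1 }
        insoa && !done {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break
                if (seen_paren && $i == old) { $i = new; done = 1; break }
                if ($i == "(") seen_paren = 1
            }
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    echo "$new"
}

# Print every MX/NS/CNAME record in $1 whose target looks like an IPv4 address.
# Such RDATA is a domain name, so named appends $ORIGIN to it instead of failing.
bad_rdata_targets() {
    awk '
        /^[[:space:]]*;/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break
                if ($i == "MX") t = $(i + 2)
                else if ($i == "NS" || $i == "CNAME") t = $(i + 1)
                else continue
                if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.?$/) print FILENAME ":" NR ": " $0
                break
            }
        }' "$1"
}

count_bad_targets() { bad_rdata_targets "$1" | awk 'END { print NR }'; }

# Full pre-flight: refuse bad targets, bump the serial, then run named-checkzone
# (from the bind package) if it is installed. $1 = zone name, $2 = zone file.
zone_preflight() {
    if [ "$(count_bad_targets "$2")" -ne 0 ]; then
        bad_rdata_targets "$2"; return 1
    fi
    new=$(bump_serial "$2") || return 1
    echo "$1: serial is now $new"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    fi
}

# Constructed copy of the article's lnh.com.zone, written to $1 for offline trials.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN .
$TTL 3600 ; 1 hour
lnh.com IN SOA op.lnh.com. dns.lnh.com. (
        2003 ;serial
        900 ;refresh (15min)
        600 ;retry (10min)
        86400 ;expire (1 day)
        3600 ;minimum (1 hour)
        )
        NS op.lnh.com.
$ORIGIN lnh.com.
op      A 1.2.3.4
a       A 1.2.3.4
mail    A 172.16.2.101
cname   CNAME a.lnh.com.
mx      MX 5 172.16.2.101
EOF
}

# Usage: sh zone_preflight.sh lnh.com /var/named/chroot/etc/lnh.com.zone
if [ $# -eq 2 ]; then zone_preflight "$1" "$2"; fi
```

On the article's zone the pre-flight stops at the mx line and leaves the serial alone; once the target is changed to mail.lnh.com. it bumps the serial and the reload can proceed.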
Adding PTR records (reverse resolution)
Purpose: a reverse lookup tells you which host name an IP address belongs to, which helps when reading logs and is checked by many mail servers.
Edit /var/named/chroot/etc/view.conf on the master node and add the zone for the reverse domain
[root@m01 etc]# vim /var/named/chroot/etc/view.conf
view "View" {
    zone "lnh.com" {
        type master;
        file "lnh.com.zone";
        allow-transfer { 172.16.2.2; };
        notify yes;
        also-notify { 172.16.2.2; };
    };
    zone "16.172.in-addr.arpa" {
        type master;
        file "16.172.zone";
        allow-transfer { 172.16.2.2; };
        notify yes;
        also-notify { 172.16.2.2; };
    };
};
Edit /var/named/chroot/etc/16.172.zone on the master node
[root@m01 etc]# vim /var/named/chroot/etc/16.172.zone
$TTL 3600 ; 1 hour
@ IN SOA op.lnh.com. dns.lnh.com. (
        2004   ; serial
        900    ; refresh (15 minutes)
        600    ; retry (10 minutes)
        86400  ; expire (1 day)
        3600   ; minimum (1 hour)
        )
        NS op.lnh.com.
102.122 IN PTR a.lnh.com.   ; 102.122 under 16.172.in-addr.arpa is 172.16.122.102
Fix the ownership of 16.172.zone and reload
[root@m01 etc]# chown named.named 16.172.zone
[root@m01 etc]# rndc reload
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
server reload successful
Edit /var/named/chroot/etc/view.conf on the slave node and add the reverse zone
[root@m02 etc]# vim /var/named/chroot/etc/view.conf
view "SlaveView" {
    zone "lnh.com" {
        type slave;
        masters { 172.16.2.1; };
        file "slave.lnh.com.zone";
    };
    zone "16.172.in-addr.arpa" {
        type slave;
        masters { 172.16.2.1; };
        file "slave.16.172.zone";
    };
};
[root@m02 etc]# rndc reload
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
server reload successful
[root@m02 etc]# ll
-rw-r--r--. 1 named named 325 Sep 15 22:15 slave.16.172.zone
-rw-r--r--. 1 named named 383 Sep 15 22:04 slave.lnh.com.zone
Test reverse resolution
On the master
[root@m01 etc]# host 172.16.122.102 172.16.2.1
Using domain server:
Name: 172.16.2.1
Address: 172.16.2.1#53
Aliases:
102.122.16.172.in-addr.arpa domain name pointer a.lnh.com.
On the slave
[root@m02 etc]# host 172.16.122.102 172.16.2.2
Using domain server:
Name: 172.16.2.2
Address: 172.16.2.2#53
Aliases:
102.122.16.172.in-addr.arpa domain name pointer a.lnh.com.
Smart DNS (split-horizon views)
The DNS server looks at the client's source IP and serves a different set of zone data accordingly.
Edit /var/named/chroot/etc/named.conf on the master node and define the ACLs before the include:
[root@m01 etc]# vim /var/named/chroot/etc/named.conf
…
    category queries { general_dns; };
};
acl group1 { 172.16.2.1; };
acl group2 { 172.16.2.2; };
include "/var/named/chroot/etc/view.conf";
Edit /var/named/chroot/etc/view.conf on the master node
[root@m01 etc]# vim /var/named/chroot/etc/view.conf
view "GROUP1" {
    match-clients { group1; };
    zone "viewlnh.com" {
        type master;
        file "group1.viewlnh.com.zone";
    };
};
view "GROUP2" {
    match-clients { group2; };
    zone "viewlnh.com" {
        type master;
        file "group2.viewlnh.com.zone";
    };
};
Views are tried in the order they appear, and a client is served by the first view whose match-clients it satisfies; a client that matches neither ACL receives REFUSED. Once views are in use every zone must live inside a view, so the lnh.com and 16.172.in-addr.arpa zones configured earlier are no longer served by this file unless they are declared again inside the views that should see them, or in a final catch-all view with match-clients { any; }.
Create the new file /var/named/chroot/etc/group1.viewlnh.com.zone on the master node
[root@m01 etc]# vim /var/named/chroot/etc/group1.viewlnh.com.zone
$ORIGIN .
$TTL 3600 ; 1 hour
viewlnh.com IN SOA op.viewlnh.com. dns.viewlnh.com. (   ; the SOA owner must be the zone apex, viewlnh.com; with any other name the zone fails to load
        2005   ; serial
        900    ; refresh (15 minutes)
        600    ; retry (10 minutes)
        86400  ; expire (1 day)
        3600   ; minimum (1 hour)
        )
        NS op.viewlnh.com.
$ORIGIN viewlnh.com.
op      A 172.16.122.1
view    A 172.16.122.1
Create the new file /var/named/chroot/etc/group2.viewlnh.com.zone on the master node
[root@m01 etc]# vim /var/named/chroot/etc/group2.viewlnh.com.zone
$ORIGIN .
$TTL 3600 ; 1 hour
viewlnh.com IN SOA op.viewlnh.com. dns.viewlnh.com. (
        2008   ; serial
        900    ; refresh (15 minutes)
        600    ; retry (10 minutes)
        86400  ; expire (1 day)
        3600   ; minimum (1 hour)
        )
        NS op.viewlnh.com.
$ORIGIN viewlnh.com.
op      A 172.16.122.2
view    A 172.16.122.2
Fix the ownership and reload
[root@m01 etc]# chown named.named group*
[root@m01 etc]# rndc reload
Test resolution from the two hosts
From 172.16.2.1
[root@m01 etc]# host view.viewlnh.com 172.16.2.1
Using domain server:
Name: 172.16.2.1
Address: 172.16.2.1#53
Aliases:
view.viewlnh.com has address 172.16.122.1
From 172.16.2.2
[root@m02 etc]# host view.viewlnh.com 172.16.2.1
Using domain server:
Name: 172.16.2.1
Address: 172.16.2.1#53
Aliases:
view.viewlnh.com has address 172.16.122.2
The same name resolves differently depending on the querying address, which is the intended split-horizon behaviour.
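The view.conf above works for exactly the two tested addresses and for nobody else, and it silently drops the lnh.com and reverse zones configured earlier. The script below is an added example and not part of the original article: it lists the views of a view.conf in order with their match-clients, checks that the last view is a catch-all, checks that a given zone is declared in every view, and, when run on a host that owns two of the ACL addresses, compares the answers obtained with dig -b from each source address. The two configurations it writes are constructed: a copy of the article's view.conf and a corrected version with a final DEFAULT view; the zone-file names and the view name DEFAULT are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for a views-based
# view.conf. BIND serves a client from the first view whose match-clients it
# satisfies; a client matching no view gets REFUSED. A view without
# match-clients matches any client. Once views exist, every zone must be
# declared inside some view or it is not served at all.

# Print one "<view name><TAB><match-clients body>" line per view, in file order.
list_views() {
    awk '
        /^[[:space:]]*view[[:space:]]+"[^"]+"/ {
            if (name != "") print name "\t" clients
            name = $0
            sub(/^[[:space:]]*view[[:space:]]+"/, "", name); sub(/".*$/, "", name)
            clients = "any"                        # default when match-clients is absent
        }
        /match-clients[[:space:]]*\{/ {
            clients = $0
            sub(/^.*match-clients[[:space:]]*\{[[:space:]]*/, "", clients)
            sub(/[[:space:]]*\}.*$/, "", clients)
            sub(/;[[:space:]]*$/, "", clients)
        }
        END { if (name != "") print name "\t" clients }' "$1"
}

view_count() { list_views "$1" | awk 'END { print NR }'; }

# 0 if the last view in $1 matches any client (explicitly or by default).
last_view_is_catchall() {
    [ "$(list_views "$1" | tail -n 1 | cut -f2)" = "any" ]
}

# 0 if zone "$2" is declared in every view of $1.
zone_in_every_view() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    n=$(grep -cE "^[[:space:]]*zone[[:space:]]+\"$esc\"" "$1") || n=0
    [ "$n" -eq "$(view_count "$1")" ]
}

# Live comparison: query $1 for $2 from source addresses $3 and $4 (both must be
# configured on this host) and show what each view answered.
compare_views_live() {
    a=$(dig -b "$3" @"$1" "$2" A +short +time=3 +tries=1)
    b=$(dig -b "$4" @"$1" "$2" A +short +time=3 +tries=1)
    echo "from $3: ${a:-<no answer>}"
    echo "from $4: ${b:-<no answer>}"
}

# Constructed copy of the article's view.conf, written to $1.
write_article_views() {
    cat > "$1" <<'EOF'
view "GROUP1" {
    match-clients { group1; };
    zone "viewlnh.com" { type master; file "group1.viewlnh.com.zone"; };
};
view "GROUP2" {
    match-clients { group2; };
    zone "viewlnh.com" { type master; file "group2.viewlnh.com.zone"; };
};
EOF
}

# Corrected version: a final catch-all view, and the shared zone lnh.com declared
# in every view so that all clients can still resolve it. A master zone file may
# be referenced from several views.
write_fixed_views() {
    cat > "$1" <<'EOF'
view "GROUP1" {
    match-clients { group1; };
    zone "viewlnh.com" { type master; file "group1.viewlnh.com.zone"; };
    zone "lnh.com" { type master; file "lnh.com.zone"; allow-transfer { 172.16.2.2; }; };
};
view "GROUP2" {
    match-clients { group2; };
    zone "viewlnh.com" { type master; file "group2.viewlnh.com.zone"; };
    zone "lnh.com" { type master; file "lnh.com.zone"; allow-transfer { 172.16.2.2; }; };
};
view "DEFAULT" {
    match-clients { any; };
    zone "viewlnh.com" { type master; file "group2.viewlnh.com.zone"; };
    zone "lnh.com" { type master; file "lnh.com.zone"; allow-transfer { 172.16.2.2; }; };
};
EOF
}

# Report problems in view.conf $1; 0 only if every check passes.
check_views() {
    f=$1; ok=0
    echo "views: $(view_count "$f")"
    last_view_is_catchall "$f" || { echo "last view is not a catch-all: clients outside the ACLs get REFUSED"; ok=1; }
    for z in lnh.com viewlnh.com; do
        zone_in_every_view "$f" "$z" || { echo "zone $z is missing from at least one view"; ok=1; }
    done
    return $ok
}

# Usage: sh check_views.sh /var/named/chroot/etc/view.conf
if [ $# -eq 1 ]; then check_views "$1"; fi
```

Run check_views against the real view.conf before rndc reload; the reverse zone 16.172.in-addr.arpa can be added to the zone list in the same way. The slave still pulls lnh.com from the master, so keep allow-transfer { 172.16.2.2; } on each copy of that zone.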
This article originally appeared on the blog "改变从每一天开始"; please keep the source link when reposting: http://lilongzi.blog.51cto.com/5519072/1853606