DNS BIND: Building a Highly Available DNS Server for the Enterprise Intranet
Source: Internet | Editor: 程序博客网 | Time: 2024/04/28 00:07
To improve DNS availability we deploy one master with several slaves: the slaves answer queries (reads) and the master handles updates (writes). To return different answers to the internal and the external network, we use BIND's ACL + view mechanism for split-horizon ("smart") resolution.
I. Environment
For ease of testing we set up one master and one slave; every additional slave is configured the same way.
Master: 192.168.36.54 (external address: 121.42.81.52)
Slave:  192.168.36.189 (external address: 121.42.81.53)
The company's internal and external networks resolve the same names to different addresses.
Domain (slimsmart.cn):
Host                 Internal address   External address
mail.slimsmart.cn    192.168.0.25       121.42.81.20
ftp.slimsmart.cn     192.168.0.21       121.42.81.21
II. Installing BIND
See: http://blog.csdn.net/zhu_tianwei/article/details/45045431
III. Configuration
1. Generate the internal and external TSIG keys
vi /etc/keys.conf
```
key "neiwang_key" {
    algorithm hmac-md5;
    secret "XvbglfmP8aZ20CLEP5NL+w==";
};
key "waiwang_key" {
    algorithm hmac-md5;
    secret "6Ube2jTRIPxuIBlL5rCg5Q==";
};
```
For how to generate the secrets, see the dnssec-keygen command.
2. Master server
vi /etc/named.conf
```
key "rndc-key" {
    algorithm hmac-md5;
    secret "GfdVJ8ppCKJiCejNVq3xkQ==";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    listen-on port 53 { 192.168.36.54; };
    version "slim-dns3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion no;
    allow-query { any; };
    allow-query-cache { any; };
    allow-new-zones yes;
};

logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel query_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; };
    channel xfer_in_log {
        file "/var/named/log/xfer_in.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel xfer_out_log {
        file "/var/named/log/xfer_out.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category xfer-in { xfer_in_log; };
    category xfer-out { xfer_out_log; };
};

include "/etc/keys.conf";

acl "lan" {
    10.0.0.0/8;
    172.16.0.0/12;
    #192.168.0.0/16;
};

view "neiwang" {
    match-clients { key neiwang_key; lan; 127.0.0.1; };
    server 192.168.36.189 { keys neiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        allow-transfer { 192.168.36.189; key neiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/neiwang/slimsmart.cn.zone";
        allow-update { any; };
    };
};

view "waiwang" {
    match-clients { key waiwang_key; any; };
    server 192.168.36.189 { keys waiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        allow-transfer { 192.168.36.189; key waiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/waiwang/slimsmart.cn.zone";
        allow-update { any; };
    };
};
```
The master does not answer client queries, so recursion is turned off: recursion no;
Because zones and resource records (RRs) are added dynamically, acl "lan" leaves out our own network address. Depending on your situation you can instead exclude a single IP address with !, for example:
```
# The negated host must come before the broader prefix: BIND stops at the
# first element that matches, so "192.168.0.0/16; !192.168.36.100;" would
# never reach the exclusion.
acl "lan" { 10.0.0.0/8; 172.16.0.0/12; !192.168.36.100; 192.168.0.0/16; };
```
The zone allows updates with allow-update { any; }; because our own IP address is excluded from the ACL, the view for an update is selected by the TSIG key it is signed with.
Create the slimsmart.cn.zone file in /var/named/zone/neiwang and in /var/named/zone/waiwang.
vi /var/named/zone/neiwang/slimsmart.cn.zone
```
$TTL 86400
@       IN SOA  slimsmart.cn. admin.slimsmart.cn. (
                1       ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   ns.slimsmart.cn.
ns      IN A    192.168.36.189
mail    IN A    192.168.0.25
ftp     IN A    192.168.0.21
```
vi /var/named/zone/waiwang/slimsmart.cn.zone
```
$TTL 86400
@       IN SOA  slimsmart.cn. admin.slimsmart.cn. (
                1       ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   ns.slimsmart.cn.
ns      IN A    121.42.81.53
mail    IN A    121.42.81.20
ftp     IN A    121.42.81.21
```
3. Slave server
Copy /etc/keys.conf to the slave.
vi /etc/named.conf
```
key "rndc-key" {
    algorithm hmac-md5;
    secret "6Kb4sKpIUJq5i4ozE2AXzQ==";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    listen-on port 53 { 192.168.36.189; };
    version "slim-dns 3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { none; };
};

logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel query_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; };
    channel xfer_in_log {
        file "/var/named/log/xfer_in.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel xfer_out_log {
        file "/var/named/log/xfer_out.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category xfer-in { xfer_in_log; };
    category xfer-out { xfer_out_log; };
};

include "/etc/keys.conf";

acl "lan" {
    10.0.0.0/8;
    172.16.0.0/12;
    #192.168.0.0/16;
};

view "neiwang" {
    match-clients { key neiwang_key; lan; 127.0.0.1; };
    server 192.168.36.54 { keys neiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type slave;
        masters { 192.168.36.54; };
        file "zone/neiwang/slimsmart.cn.zone";
    };
};

view "waiwang" {
    match-clients { key waiwang_key; any; };
    server 192.168.36.54 { keys waiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type slave;
        masters { 192.168.36.54; };
        file "zone/waiwang/slimsmart.cn.zone";
    };
};
```
Create the zone directories: mkdir /var/named/zone/{neiwang,waiwang}
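The view selection in both configs above rests on one rule: BIND walks an address match list in order and the first element that matches decides, a matching "!" element meaning "no match". The following Python model is an added example, not BIND's code and not part of the original article; it reproduces that rule (including the documented treatment of a nested ACL whose result is negative as "no match, keep going") and runs the cases that matter here: why acl "lan" leaves out 192.168.0.0/16, why a "!" exclusion must precede the broader prefix, how the slave's `server ... { keys ...; }` clause selects the view for a zone transfer, and what `allow-update { any; }` accepts compared with `allow-update { key waiwang_key; }`. The names `Request`, `match_list`, `select_view`, `update_allowed` and `demo`, and the client addresses 10.1.2.3 and 8.8.8.8, are assumptions constructed for the example; the views, ACLs, key names and the hosts 192.168.36.100 and 192.168.36.189 are the article's. The model assumes any TSIG signature present has already been verified (BIND rejects a bad signature before choosing a view).

```python
"""Model of BIND address_match_list evaluation for match-clients and
allow-update. Added illustration, not BIND code. Rule reproduced: elements
are tried in order, the first one that matches decides; a matching '!'
element means "no match" for the whole list; a nested ACL that yields a
negative result counts as no match and evaluation continues."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MATCH, NOMATCH, NEGATED = "match", "nomatch", "negated"


@dataclass
class Request:
    src: str                    # client address
    key: Optional[str] = None   # TSIG key name the request is signed with, if any


def match_list(elements, req, acls):
    """Evaluate one address_match_list; first match wins."""
    for elem in elements:
        negate = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body.startswith("key "):
            hit = req.key == body[4:].strip()
        elif body in acls:          # reference to a named acl: nested list
            hit = match_list(acls[body], req, acls) == MATCH
        else:                       # address or prefix
            hit = ipaddress.ip_address(req.src) in ipaddress.ip_network(body, strict=False)
        if hit:
            return NEGATED if negate else MATCH
    return NOMATCH


def select_view(req, views, acls):
    """Name of the first view whose match-clients matches, or None (refused)."""
    for name, clients in views:
        if match_list(clients, req, acls) == MATCH:
            return name
    return None


def update_allowed(req, allow_update, acls):
    """Whether a dynamic update passes the zone's allow-update list."""
    return match_list(allow_update, req, acls) == MATCH


# Views in the order the master's named.conf declares them.
VIEWS = [
    ("neiwang", ["key neiwang_key", "lan", "127.0.0.1"]),
    ("waiwang", ["key waiwang_key", "any"]),
]
# acl "lan" as published (192.168.0.0/16 commented out) ...
LAN_PUBLISHED = {"lan": ["10.0.0.0/8", "172.16.0.0/12"]}
# ... with the local /16 included ...
LAN_WITH_LOCAL = {"lan": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
# ... and with one host excluded, negation placed after / before the broader prefix.
LAN_NEG_AFTER = {"lan": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "!192.168.36.100"]}
LAN_NEG_FIRST = {"lan": ["10.0.0.0/8", "172.16.0.0/12", "!192.168.36.100", "192.168.0.0/16"]}


def demo():
    """Constructed requests; returns the selected view or decision for each case."""
    admin = "192.168.36.100"    # host running nsupdate (from the article)
    slave = "192.168.36.189"    # the slave pulling zone transfers
    return {
        # plain queries: the address alone picks the view
        "lan_query": select_view(Request("10.1.2.3"), VIEWS, LAN_PUBLISHED),
        "internet_query": select_view(Request("8.8.8.8"), VIEWS, LAN_PUBLISHED),
        # nsupdate signed with waiwang_key from the admin host
        "admin_waiwang_published": select_view(Request(admin, "waiwang_key"), VIEWS, LAN_PUBLISHED),
        "admin_waiwang_local_in_lan": select_view(Request(admin, "waiwang_key"), VIEWS, LAN_WITH_LOCAL),
        # unsigned request from the admin host with a '!' exclusion in acl "lan"
        "admin_neg_after": select_view(Request(admin), VIEWS, LAN_NEG_AFTER),
        "admin_neg_first": select_view(Request(admin), VIEWS, LAN_NEG_FIRST),
        # the slave's transfer request: its server { keys } clause decides the view
        "slave_unsigned": select_view(Request(slave), VIEWS, LAN_PUBLISHED),
        "slave_neiwang_key": select_view(Request(slave, "neiwang_key"), VIEWS, LAN_PUBLISHED),
        # allow-update { any; } (as published) vs allow-update { key waiwang_key; }
        "update_any_unsigned_internet": update_allowed(Request("8.8.8.8"), ["any"], LAN_PUBLISHED),
        "update_key_unsigned_internet": update_allowed(Request("8.8.8.8"), ["key waiwang_key"], LAN_PUBLISHED),
        "update_key_signed": update_allowed(Request("8.8.8.8", "waiwang_key"), ["key waiwang_key"], LAN_PUBLISHED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} -> {result}")
```

Two results are worth reading off. With 192.168.0.0/16 inside acl "lan", an update from 192.168.36.100 signed with waiwang_key lands in the neiwang view, because the address element matches before the key is considered; that is why the article comments the prefix out. And `allow-update { any; }` lets any client that reaches the master change the zone without a key, so `allow-update { key waiwang_key; };` (or an update-policy) is the setting to prefer once view selection is already driven by the key.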
IV. Starting the service
```
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf -g
```
The -g option keeps named in the foreground so the log can be watched on the terminal.
V. Testing
Use dig with a TSIG key to query the data of the corresponding view.
Internal network:
```
$ dig @192.168.36.189 -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y neiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       192.168.0.25

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       192.168.36.189

;; TSIG PSEUDOSECTION:
neiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441020 300 16 XtXO82VDmuWwuFk80zyjcA== 8707 NOERROR 0

;; Query time: 2 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:05 2015
;; MSG SIZE  rcvd: 165
```
External network:
```
$ dig @192.168.36.189 -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y waiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       121.42.81.20

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       121.42.81.53

;; TSIG PSEUDOSECTION:
waiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441069 300 16 BWW92tBf9nezkxK4nQE91Q== 53129 NOERROR 0

;; Query time: 1 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:53 2015
;; MSG SIZE  rcvd: 165
```
Next, use nsupdate to add a record to the internal and to the external view.
Internal network: www.slimsmart.cn A 1.1.1.1
```
$ ./bind/bin/nsupdate -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 1.1.1.1
> send
> quit
```
External network: www.slimsmart.cn A 2.2.2.2
```
$ ./bind/bin/nsupdate -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 2.2.2.2
> send
> quit
```
Query again with dig; the new records resolve as expected.
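Both the key generation step in section III.1 and the TSIG PSEUDOSECTION in the dig output above rest on the same material: a base64 secret in keys.conf and an HMAC that the server verifies on every signed request. The following Python block is an added example, not the article's code and not BIND's: `key_clause` renders a keys.conf statement the way tsig-keygen/dnssec-keygen output looks (assumption: the secret is the raw HMAC key, base64-encoded, one digest length long); `parse_tsig_rr` reads the TSIG record line dig prints, using the neiwang_key line from the output above as constructed input; `within_fudge` applies the RFC 8945 time check that yields BADTIME; `tsig_mac`/`mac_valid` show the HMAC itself. The helper names are assumptions; the key names, secrets and the dig line are the article's. The real TSIG MAC covers the wire-format DNS message plus the TSIG variables, which this example does not rebuild, so `tsig_mac` is applied to an arbitrary byte string to show the key-binding property only.

```python
"""TSIG key material and the TSIG record as seen in dig output. Added
example, not from the article or from BIND."""
import base64
import hashlib
import hmac

# named.conf algorithm name -> hash. hmac-md5 is what the article uses;
# hmac-sha256 is the sensible choice for a new deployment.
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}

# In the TSIG RR the algorithm is written as a domain name (RFC 8945).
ALGORITHM_RR_NAMES = {
    "hmac-md5.sig-alg.reg.int.": "hmac-md5",
    "hmac-sha256.": "hmac-sha256",
}


def generate_secret(algorithm):
    """Random secret, one digest length long, base64 as keys.conf expects."""
    import os
    return base64.b64encode(os.urandom(ALGORITHMS[algorithm]().digest_size)).decode()


def secret_length(secret_b64):
    """Decoded secret length in bytes (16 for the article's hmac-md5 keys)."""
    return len(base64.b64decode(secret_b64))


def key_clause(name, algorithm, secret=None):
    """Render one key statement for keys.conf."""
    secret = secret or generate_secret(algorithm)
    return f'key "{name}" {{ algorithm {algorithm}; secret "{secret}"; }};'


def tsig_mac(secret_b64, algorithm, data):
    """HMAC over the TSIG digest input (here: an arbitrary byte string)."""
    return hmac.new(base64.b64decode(secret_b64), data, ALGORITHMS[algorithm]).digest()


def mac_valid(secret_b64, algorithm, data, mac):
    """Constant-time comparison, as a verifier must do."""
    return hmac.compare_digest(tsig_mac(secret_b64, algorithm, data), mac)


def parse_tsig_rr(line):
    """Parse the TSIG record line from dig's TSIG PSEUDOSECTION."""
    f = line.split()
    # owner ttl class TSIG alg time_signed fudge mac_size mac original_id error other_len
    return {
        "key": f[0].rstrip("."),
        "algorithm": ALGORITHM_RR_NAMES.get(f[4], f[4]),
        "time_signed": int(f[5]),
        "fudge": int(f[6]),
        "mac_size": int(f[7]),
        "mac": base64.b64decode(f[8]),
        "original_id": int(f[9]),
        "error": f[10],
    }


def within_fudge(rr, now):
    """TSIG time check: |now - time_signed| must not exceed fudge, else BADTIME."""
    return abs(now - rr["time_signed"]) <= rr["fudge"]


# Constructed input: the TSIG line from the article's internal-view dig output.
DIG_TSIG_LINE = ("neiwang_key. 0 ANY TSIG hmac-md5.sig-alg.reg.int. "
                 "1429441020 300 16 XtXO82VDmuWwuFk80zyjcA== 8707 NOERROR 0")


if __name__ == "__main__":
    print(key_clause("neiwang_key", "hmac-md5", "XvbglfmP8aZ20CLEP5NL+w=="))
    print(key_clause("neiwang_key", "hmac-sha256"))      # fresh 32-byte secret
    rr = parse_tsig_rr(DIG_TSIG_LINE)
    print(rr["key"], rr["algorithm"], rr["mac_size"], rr["error"])
    print("inside fudge window:", within_fudge(rr, rr["time_signed"] + 120))
```

The 300-second fudge in the dig output is the window inside which a signed message is accepted, so master, slaves and the nsupdate host need synchronized clocks or updates and transfers fail with BADTIME. The MAC is 16 bytes because hmac-md5 is in use; switching the key clauses to hmac-sha256 lengthens both the secret and the MAC and avoids a digest that is no longer recommended.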