Hello everyone, I'm Xiao Jiang.
Preface
With the rapid growth of the cloud-native era, industry after industry has moved to Kubernetes; within just two or three years, job postings started demanding "at least one year of hands-on k8s experience". As a result, many traditional technologies that had large user bases in the early days are being left behind fast. Put differently, technology iterates endlessly: old technology is replaced quickly and new technology gets all the attention. In the domain-name resolution space, the services everyone knows best are the cloud DNS offerings such as DNSPod, GoDaddy, Cloudflare and Alibaba Cloud DNS, plus of course dnsmasq, PowerDNS and the CoreDNS used inside Kubernetes. Today, though, I want to talk about BIND 9.
Most small and mid-sized companies today probably don't use BIND 9, and if you search online, most guides run the named service directly rather than named-chroot, and even fewer use acl + view. Either the formatting is poor, so a beginner may get lost and misconfigure things, or the explanation isn't detailed enough. Such guides may well exist; perhaps I didn't spend enough time searching, or my search skills are limited. Here I'll document how I used BIND 9 with chroot plus acl + view to try to implement split-horizon ("smart") DNS.
Environment
CentOS Linux release 8.4.2105
BIND version: 9.11.26
Overall network: 172.16.128.0/17
Subnet of the BIND 9 master and slave: 172.16.0.0/24

Host          IP             Role
named-srv1    172.16.0.55    named master
named-srv2    172.16.0.56    named slave
Deploying the BIND 9 master node
```
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# I want to enable chroot and move named's directory to /data/named/chroot,
# so the files have to be copied over
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# create the directory that will hold the logs
mkdir -p /data/named/chroot/data/log/named/
### create the required files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# go to /data/ on the Linux system and change the owner and group of the named directory to named
cd /data/
chown named.named -R named
```
Editing the master's named.conf
```
$ cat /data/named/chroot/etc/named.conf
acl telecom {
    172.17.10.0/24;
};
acl unicom {
    172.17.20.0/24;
};
acl mobile {
    172.17.30.0/24;
};
options {
    listen-on port 53 { 127.0.0.1; 172.16.0.55; };
    directory "/var/named";
    dump-file "/data/named/data/cache_dump.db";
    statistics-file "/data/named/data/named_stats.txt";
    memstatistics-file "/data/named/data/named_mem_stats.txt";
    // hosts allowed to query; the whitelist
    allow-query { any; };
    allow-query-cache { any; };
    // my servers are Alibaba Cloud ECS instances, so Alibaba's DNS is used as the forwarders
    forwarders { 223.5.5.5; 223.6.6.6; };
    recursive-clients 200000;
    check-names master warn;
    max-cache-ttl 60;
    max-ncache-ttl 0;
    // recursion yes;
    // dnssec-enable yes;
    // dnssec-validation yes;
    // managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    // session-keyfile "/run/named/session.key";
};
logging {
    channel query_log {
        file "/data/log/named/query.log" versions 10 size 300m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel client_log {
        file "/data/log/named/client.log" versions 3 size 200m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel config {
        file "/data/log/named/config.log" versions 3 size 100m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel default_log {
        file "/data/log/named/default.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel general_log {
        file "/data/log/named/general.log" versions 3 size 200m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries {
        query_log;
    };
    category client {
        client_log;
    };
    category general {
        general_log;
    };
    category config {
        config;
    };
    category default {
        default_log;
    };
};
// views are tried in file order; the first one whose match-clients accepts the
// client's address answers, and a client matching no view is refused
view telecom_view {
    match-clients { telecom; };   // must name the acl exactly as defined above
    match-destinations { any; };
    recursion yes;
    include "/etc/named-telcome.zones";
};
view unicom_view {
    match-clients { unicom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-unicom.zones";
};
view mobile_view {
    match-clients { mobile; };    // { any; } here would turn this last view into a catch-all
    match-destinations { any; };
    recursion yes;
    include "/etc/named-mobile.zones";
};
```
Note: two reminders. First, once the named-chroot service is enabled, the named service must be shut down; you run one or the other, never both. Second, with named-chroot enabled, every path in the configuration is relative to the chroot, i.e. relative to /var/named/chroot.
Using acl + view
The three acls and three views are defined above. As a rule the acl definitions go at the very top, before options, and that is the recommended placement.
Next we need to generate the zone files that the include directives in the three views pull in. Only forward zones are shown here; an internal BIND 9 rarely needs reverse zones.
Generating the zone files
```
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
    type master;
    file "ayunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
    type master;
    file "iyunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
    type master;
    file "allenjol.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};
```
Generating the zone data files
```
# options { directory "/var/named"; } is resolved inside the chroot, so the
# zone data files belong under /var/named/chroot/var/named
$ cd /var/named/chroot/var/named
$ vi ayunw.cn.zone
$TTL 86400
@   IN  SOA ayunw.cn. root.iyunw.cn. (
        202111011   ; serial (d. adams)
        1H          ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; minimum
    IN  NS  ns1.ayunw.cn.
    IN  NS  ns2.ayunw.cn.
ns1 IN  A   172.16.0.55
ns2 IN  A   172.16.0.56
www IN  A   172.16.0.58
$ vi iyunw.cn.zone
$TTL 86400
@   IN  SOA iyunw.cn. root.iyunw.cn. (
        202111011   ; serial (d. adams)
        1H          ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; minimum
    IN  NS  ns1.iyunw.cn.
    IN  NS  ns2.iyunw.cn.
ns1 IN  A   172.16.0.55
ns2 IN  A   172.16.0.56
web IN  A   172.16.0.59
$ vi allenjol.cn.zone
$TTL 86400
@   IN  SOA allenjol.cn. root.allenjol.cn. (
        202111011   ; serial (d. adams)
        1H          ; refresh
        15M         ; retry
        1W          ; expiry
        1D )        ; minimum
    IN  NS  ns1.allenjol.cn.
    IN  NS  ns2.allenjol.cn.
ns1   IN  A   172.16.0.55
ns2   IN  A   172.16.0.56
allen IN  A   172.16.0.60
```
Starting the service and enabling it at boot
```
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
```
Deploying the BIND 9 slave node
```
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# I want to enable chroot and move named's directory to /data/named/chroot,
# so the files have to be copied over
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# create the directory that will hold the logs
mkdir -p /data/named/chroot/data/log/named/
### create the required files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# go to /data/ on the Linux system and change the owner and group of the named directory to named
cd /data/
chown named.named -R named
```
Editing the slave's named.conf
```
$ cat /data/named/chroot/etc/named.conf
acl telecom {
    172.17.10.0/24;
};
acl unicom {
    172.17.20.0/24;
};
acl mobile {
    172.17.30.0/24;
};
options {
    // the slave listens on its own address, 172.16.0.56
    listen-on port 53 { 127.0.0.1; 172.16.0.56; };
    directory "/var/named";
    dump-file "/data/named/data/cache_dump.db";
    statistics-file "/data/named/data/named_stats.txt";
    memstatistics-file "/data/named/data/named_mem_stats.txt";
    // hosts allowed to query; the whitelist
    allow-query { any; };
    allow-query-cache { any; };
    // my servers are Alibaba Cloud ECS instances, so Alibaba's DNS is used as the forwarders
    forwarders { 223.5.5.5; 223.6.6.6; };
    recursive-clients 200000;
    check-names master warn;
    max-cache-ttl 60;
    max-ncache-ttl 0;
    // recursion yes;
    // dnssec-enable yes;
    // dnssec-validation yes;
    // managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    // session-keyfile "/run/named/session.key";
};
logging {
    channel query_log {
        file "/data/log/named/query.log" versions 10 size 300m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel client_log {
        file "/data/log/named/client.log" versions 3 size 200m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel config {
        file "/data/log/named/config.log" versions 3 size 100m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel default_log {
        file "/data/log/named/default.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel general_log {
        file "/data/log/named/general.log" versions 3 size 200m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries {
        query_log;
    };
    category client {
        client_log;
    };
    category general {
        general_log;
    };
    category config {
        config;
    };
    category default {
        default_log;
    };
};
view telecom_view {
    match-clients { telecom; };   // must name the acl exactly as defined above
    match-destinations { any; };
    recursion yes;
    include "/etc/named-telcome.zones";
};
view unicom_view {
    match-clients { unicom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-unicom.zones";
};
view mobile_view {
    match-clients { mobile; };    // { any; } here would turn this last view into a catch-all
    match-destinations { any; };
    recursion yes;
    include "/etc/named-mobile.zones";
};
```
Generating the zone files
```
# on the slave each zone is type slave and is pulled from the master by zone
# transfer; the file is written by named itself, so it must sit in a directory
# the named user can write to inside the chroot
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/ayunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { none; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/iyunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { none; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/allenjol.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { none; };
};
```
Starting the service and enabling it at boot
```
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
```
Note: the slave node does not need its own zone data files; when the master's named-chroot service is restarted, the zone data is synchronised to the slave automatically.
Testing resolution
I used three machines with internal IPs 172.16.10.1, 172.16.20.1 and 172.16.30.1 to resolve www.ayunw.cn, web.iyunw.cn and allen.allenjol.cn respectively; all three resolved normally.
```
$ dig -t A www.ayunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;www.ayunw.cn.                  IN      A
;; ANSWER SECTION:
www.ayunw.cn.           86400   IN      A       172.16.0.58
;; AUTHORITY SECTION:
ayunw.cn.               86400   IN      NS      ns2.ayunw.cn.
ayunw.cn.               86400   IN      NS      ns1.ayunw.cn.
;; ADDITIONAL SECTION:
ns1.ayunw.cn.           86400   IN      A       172.16.0.55
ns2.ayunw.cn.           86400   IN      A       172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161

$ dig -t A web.iyunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn.                  IN      A
;; ANSWER SECTION:
web.iyunw.cn.           86400   IN      A       172.16.0.59
;; AUTHORITY SECTION:
iyunw.cn.               86400   IN      NS      ns2.iyunw.cn.
iyunw.cn.               86400   IN      NS      ns1.iyunw.cn.
;; ADDITIONAL SECTION:
ns1.iyunw.cn.           86400   IN      A       172.16.0.55
ns2.iyunw.cn.           86400   IN      A       172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161

$ dig -t A allen.allenjol.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn.             IN      A
;; ANSWER SECTION:
allen.allenjol.cn.      86400   IN      A       172.16.0.60
;; AUTHORITY SECTION:
allenjol.cn.            86400   IN      NS      ns2.allenjol.cn.
allenjol.cn.            86400   IN      NS      ns1.allenjol.cn.
;; ADDITIONAL SECTION:
ns1.allenjol.cn.        86400   IN      A       172.16.0.55
ns2.allenjol.cn.        86400   IN      A       172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
```
If you have enough machines, take one that is not in 172.16.10.0/24, 172.16.20.0/24 or 172.16.30.0/24 and try resolving any name from these three zones: you will find that no normal A record ever comes back.
Likewise, if you use 172.16.10.1 to resolve web.iyunw.cn or allen.allenjol.cn, resolution fails. That is the split-horizon ("smart DNS") effect achieved with acl + view.
Original article: https://mp.weixin.qq.com/s/DqxcTfccHyhalSW_uTvI3g
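The view-selection behaviour described in this section and in the acl + view section above can be checked without a running named. The following is an added example, not code from the original article: it models named's first-match walk over the three views (acl names, `any`, `none` and plain prefixes only; `!` negation is not modelled) using the acl prefixes from the named.conf, and `CATCH_ALL_VIEWS` shows what changes when the last view is written as `match-clients { any; }`.

```python
import ipaddress

# Constructed to mirror the acl and view sections of the named.conf above.
# named walks the view blocks in file order and uses the first one whose
# match-clients accepts the querying address; a client matching none of
# them gets REFUSED.
ACLS = {
    "telecom": ["172.17.10.0/24"],
    "unicom": ["172.17.20.0/24"],
    "mobile": ["172.17.30.0/24"],
}

# (view name, match-clients elements, zones served by that view's include file)
VIEWS = [
    ("telecom_view", ["telecom"], ["ayunw.cn"]),
    ("unicom_view", ["unicom"], ["iyunw.cn"]),
    ("mobile_view", ["mobile"], ["allenjol.cn"]),
]


def _matches(client, element):
    """One address-match-list element: any, none, an acl name or a prefix."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in ACLS:
        return any(_matches(client, e) for e in ACLS[element])
    return client in ipaddress.ip_network(element, strict=False)


def select_view(client_ip, views=VIEWS):
    """Name of the first view accepting client_ip, or None (query refused)."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients, _zones in views:
        if any(_matches(client, e) for e in match_clients):
            return name
    return None


def answers_authoritatively(client_ip, qname, views=VIEWS):
    """True when the view chosen for client_ip holds a zone covering qname.
    Zones loaded into other views do not exist as far as this client is concerned."""
    view = select_view(client_ip, views)
    if view is None:
        return False
    zones = next(z for name, _m, z in views if name == view)
    return any(qname == z or qname.endswith("." + z) for z in zones)


# The same views, but with the last one written as match-clients { any; }:
# every address outside the three acls is now served allenjol.cn instead of being refused.
CATCH_ALL_VIEWS = VIEWS[:2] + [("mobile_view", ["any"], ["allenjol.cn"])]
```

`select_view("10.0.0.5")` returns `None` with the strict views but `"mobile_view"` with `CATCH_ALL_VIEWS`, which is exactly the difference between "no A record for outsiders" and a silently exposed zone.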