返回顶部

部署主从dns


主机部署:
yum安装DNS服务和依赖

[admin@haifly-bj-dns1 ~]$ sudo yum install bind-chroot
启动named-chroot服务

[admin@haifly-bj-dns1 ~]$ sudo systemctl start named
[admin@haifly-bj-dns1 ~]$ sudo systemctl enable named

修改/etc/named.conf配置
[admin@haifly-bj-dns1 ~]$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
allow-recursion { 0.0.0.0/0; };

forward first;
forwarders {
180.76.76.76;
114.114.114.114;
};

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "feiersmart.local" IN {
type master;
file "feiersmart.local.zone";
allow-transfer { 192.168.1.219; };
allow-query { any; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


备机部署:
修改/etc/named.conf
[admin@haifly-bj-dns2 ~]$ sudo cat /etc/named.conf
[sudo] password for admin:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
allow-recursion { 0.0.0.0/0; };

forward first;
forwarders {
119.29.29.29;
114.114.114.114;
};

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "feiersmart.local" IN {
type slave;
file "slaves/feiersmart.local.zone";
masters { 192.168.5.244; };
allow-query { any; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


配置修改:
每次修改 DNS 配置之后,只需要修改主机的配置,一定要修改时间戳,否则会导致配置备机配置不生效。

配置修改完成后,重启服务
[admin@haifly-bj-dns1 ~]$ sudo systemctl restart named

监控脚本
#!/usr/bin/python
#coding=utf-8

import dns.resolver
import sys

def query_domain(nameserverIP,domainName):

resolver = dns.resolver.Resolver(configure=False)
resolver.nameservers = [nameserverIP]

try:
answer = resolver.query(domainName, 'A')
if len(answer) >= 1:
return(True)
else:
return(False)
except:
return(False)

def main():

nameserverIPs = ['192.168.1.5','192.168.1.6']

domainNames = ['www.baidu.com',\
'api.weixin.qq.com','graph.qq.com','proxy-ling.jd.com','api.ximalaya.com',\
'vboxmongodb1.linglongtech.com','logs.linglongtech.com',\
'vboxdb.linglongtech.local','vboxmem.linglongtech.local','vboxdns1.linglongtech.local','vboxdns2.
linglongtech.local']

for x in nameserverIPs:
for y in domainNames:

#print(x,y)
#print(query_domain(x,y))

if query_domain(x,y):
continue
else:
print(1)
sys.exit(0)

print(0)

if __name__ == '__main__':
main()

 

posted @ 2019-10-17 17:44  凡间的精灵  阅读(210)  评论(0编辑  收藏  举报