【Linux】【Services】【DNS】使用Bind搭建DNS服务
1. 简介
1.1. 实现的功能:DNS解析以及智能转发
1.2. 官方文档:
1.3. 基础概念:http://www.cnblogs.com/demonzk/p/6494968.html
2. 环境:
2.1. OS:Red Hat Enterprise Linux Server release 7.4 (Maipo)
2.2. Kernel:3.10.0-693.el7.x86_64
2.3. Bind:9.9.4-51.el7_4.1
3. 安装:
3.1. 操作系统:(略)
3.2. 配置yum:(略)
3.2. 安装bind
yum install bind
3.3. 在主节点172.16.0.81上修改配置文件/etc/named.conf:将 listen-on 改为本机地址并打开53端口,不需要的选项注释掉或者设为no
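// /etc/named.conf on the master (172.16.0.81)

// Clients that may query this server and use it for recursion. The reverse
// zone below covers 172.16.0.0/24, so that network is trusted here; extend
// the list if clients live elsewhere.
acl "trusted" {
    localhost;
    172.16.0.0/24;
};

options {
    listen-on port 53 { 172.16.0.81; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    // Recursion is on and the server listens on a LAN address, so queries and
    // recursion must be restricted to known clients. Leaving allow-query
    // commented out (the stock "//allow-query { localhost; };") would make
    // this an open resolver for anything that can reach 172.16.0.81.
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;

    // No "forwarders" are set, so names outside the local zones are resolved
    // from the root hints in named.ca.

    // Validation is deliberately off in this setup: answers from upstream are
    // not DNSSEC-checked. Keep the same setting on the slave so both nodes
    // behave alike.
    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // Start query logging at startup (the "queries" category below says where
    // it goes).
    querylog yes;
};

logging {
    // /var/log/named must exist and be writable by the named user, otherwise
    // these channels fail to open.
    channel default_debug {
        file "/var/log/named/default.log";
        severity dynamic;
    };
    channel query_logs {
        file "/var/log/named/bind.log";
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    // A channel only receives messages once a category is bound to it; without
    // this line query_logs is defined but bind.log stays empty.
    category queries { query_logs; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Zone transfers and NOTIFY are limited to the slave at 172.16.0.82; any other
// source is refused. (A TSIG key on both sides would authenticate the transfer
// instead of trusting the source address alone.)
zone "hccos.cn" IN {
    type master;
    file "hccos.cn.zone";
    allow-transfer { 172.16.0.82; };
    notify yes;
    also-notify { 172.16.0.82; };
};

zone "0.16.172.in-addr.arpa" IN {
    type master;
    file "0.16.172.in-addr.arpa.zone";
    allow-transfer { 172.16.0.82; };
    notify yes;
    also-notify { 172.16.0.82; };
};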
在主节点上配置正向解析文件/var/named/hccos.cn.zone
; /var/named/hccos.cn.zone - forward zone for hccos.cn on the master.
; Relative names are completed with $ORIGIN; names ending in "." are absolute.
$TTL 3600
$ORIGIN hccos.cn.

; SOA: primary name server, responsible contact, then the timers.
; NOTE: the contact field is written as the server's hostname; BIND reads it as
; the mailbox hctjosinfra01@hccos.cn. Bump the serial on every edit so the
; slave picks up the change.
@   IN  SOA hctjosinfra01.hccos.cn. hctjosinfra01.hccos.cn. (
            2018010301  ; serial (YYYYMMDDnn)
            2H          ; refresh
            10M         ; retry
            1W          ; expire
            1D          ; negative answer ttl
            )

; name servers for the zone (master and slave)
@   IN  NS  hctjosinfra01
@   IN  NS  hctjosinfra02

; docker + k8s hosts
hctjosinfra01       IN  A   172.16.0.81
hctjosinfra02       IN  A   172.16.0.82
hctjosetcd01        IN  A   172.16.0.83
hctjosetcd02        IN  A   172.16.0.84
hctjosetcd03        IN  A   172.16.0.85
hctjcephmon01       IN  A   172.16.0.86
hctjcephmon02       IN  A   172.16.0.87
hctjcephmon03       IN  A   172.16.0.88
hctjcephadm01       IN  A   172.16.0.89
hctjosk8smaster01   IN  A   172.16.0.90
hctjosk8sslave01    IN  A   172.16.0.91
hctjosk8sslave02    IN  A   172.16.0.92
hctjcephblock01     IN  A   172.16.0.93
hctjcephblock02     IN  A   172.16.0.94
hctjosk8snode01     IN  A   172.16.0.95
hctjosk8snode02     IN  A   172.16.0.96
hctjosk8snode03     IN  A   172.16.0.97
hctjosk8snode04     IN  A   172.16.0.98

; openstack hosts
hctjosmysql01       IN  A   172.16.0.25
hctjosmysql02       IN  A   172.16.0.26
hctjosmysql03       IN  A   172.16.0.27
hctjoscache01       IN  A   172.16.0.45
hctjoscache02       IN  A   172.16.0.46
hctjoscache03       IN  A   172.16.0.47
hctjosdr01          IN  A   172.16.0.48
hctjosdr02          IN  A   172.16.0.49
在主节点上配置反向解析文件/var/named/0.16.172.in-addr.arpa.zone
; /var/named/0.16.172.in-addr.arpa.zone - reverse zone for 172.16.0.0/24.
; Owner names are the last octet of the address; PTR targets are absolute
; names and therefore end with a dot.
$TTL 3600
$ORIGIN 0.16.172.in-addr.arpa.

; SOA fields are positional: serial, refresh, retry, expire, negative ttl.
; The serial here is YYYYMMDD with no revision digits, unlike the forward
; zone's YYYYMMDDnn - keep bumping it on each change either way.
@   IN  SOA hctjosinfra01.hccos.cn. hctjosinfra01.hccos.cn. (
            20180103    ; serial
            1H          ; refresh
            10M         ; retry
            3D          ; expire
            12H         ; negative answer ttl
            )

; name servers for the zone (master and slave)
@   IN  NS  hctjosinfra01.hccos.cn.
@   IN  NS  hctjosinfra02.hccos.cn.

; docker + k8s hosts
81  IN  PTR hctjosinfra01.hccos.cn.
82  IN  PTR hctjosinfra02.hccos.cn.
83  IN  PTR hctjosetcd01.hccos.cn.
84  IN  PTR hctjosetcd02.hccos.cn.
85  IN  PTR hctjosetcd03.hccos.cn.
86  IN  PTR hctjcephmon01.hccos.cn.
87  IN  PTR hctjcephmon02.hccos.cn.
88  IN  PTR hctjcephmon03.hccos.cn.
89  IN  PTR hctjcephadm01.hccos.cn.
90  IN  PTR hctjosk8smaster01.hccos.cn.
91  IN  PTR hctjosk8sslave01.hccos.cn.
92  IN  PTR hctjosk8sslave02.hccos.cn.
93  IN  PTR hctjcephblock01.hccos.cn.
94  IN  PTR hctjcephblock02.hccos.cn.
95  IN  PTR hctjosk8snode01.hccos.cn.
96  IN  PTR hctjosk8snode02.hccos.cn.
97  IN  PTR hctjosk8snode03.hccos.cn.
98  IN  PTR hctjosk8snode04.hccos.cn.

; openstack hosts
25  IN  PTR hctjosmysql01.hccos.cn.
26  IN  PTR hctjosmysql02.hccos.cn.
27  IN  PTR hctjosmysql03.hccos.cn.
45  IN  PTR hctjoscache01.hccos.cn.
46  IN  PTR hctjoscache02.hccos.cn.
47  IN  PTR hctjoscache03.hccos.cn.
48  IN  PTR hctjosdr01.hccos.cn.
49  IN  PTR hctjosdr02.hccos.cn.
3.4. 在slave节点(172.16.0.82)上配置/etc/named.conf
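// /etc/named.conf on the slave (172.16.0.82)

// Clients that may query this server and use it for recursion. The reverse
// zone below covers 172.16.0.0/24, so that network is trusted here; extend
// the list if clients live elsewhere.
acl "trusted" {
    localhost;
    172.16.0.0/24;
};

options {
    listen-on port 53 { 172.16.0.82; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    // Recursion is on and the server listens on a LAN address, so queries and
    // recursion must be restricted to known clients. Leaving allow-query
    // commented out (the stock "//allow-query { localhost; };") would make
    // this an open resolver for anything that can reach 172.16.0.82.
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;

    // No "forwarders" are set, so names outside the local zones are resolved
    // from the root hints in named.ca.

    // The master sets dnssec-enable/dnssec-validation to "no" explicitly; here
    // they are left commented out, so BIND falls back to its built-in
    // defaults and the two nodes may not treat DNSSEC the same way. Pick one
    // setting and use it on both.
    //dnssec-enable yes;
    //dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // Start query logging at startup (the "queries" category below says where
    // it goes).
    querylog yes;
};

logging {
    // /var/log/named must exist and be writable by the named user, otherwise
    // these channels fail to open.
    channel default_debug {
        file "/var/log/named/default.log";
        severity dynamic;
    };
    channel query_logs {
        file "/var/log/named/bind.log";
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    // A channel only receives messages once a category is bound to it; without
    // this line query_logs is defined but bind.log stays empty.
    category queries { query_logs; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Zone copies are written under /var/named/slaves (named must be able to write
// there). With no allow-transfer statement BIND answers AXFR requests from any
// host; there is no further secondary, so transfers out of this node are
// refused outright.
zone "hccos.cn" IN {
    type slave;
    file "slaves/hccos.cn.zone";
    masters { 172.16.0.81; };
    allow-transfer { none; };
};

zone "0.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/0.16.172.in-addr.arpa.zone";
    masters { 172.16.0.81; };
    allow-transfer { none; };
};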