
DNS BIND 搭建企业内部高可用DNS服务器

2015-04-19 19:04 302 查看
对于一个互联网企业来说,搭建一个公司内部的DNS服务器是很必要的,一来可以通过公司内网的DNS缓存提高公司内部的DNS解析效率,二来域名服务商提供的解析服务并不可靠,为了安全起见,自己搭建(当然也有不错的第三方DNS解析服务,如DNSpod,但需要收费),三来公司内部有一些服务在内网需要解析成内网IP,对于公网的用户访问就需要访问公网的IP,这样可以通过DNS配置轻松实现,当然还有其他很多实现方式。

为了提高DNS可用性部署采用一主多辅的方式部署,使用辅服务器提供解析读服务,主服务处理写服务。另外,为了实现内外网解析的不同,使用bind的ACL+VIEW实现智能解析。

一、搭建环境



为了测试方便我们搭建一主一辅;如果有多个辅服务器,各辅服务器的配置都相同。

Master:192.168.36.54 外网:121.42.81.52

Slave:192.168.36.189 外网:121.42.81.53

公司内外网解析不同域名:

域名(slimsmart.cn):

主机 | 内网地址 | 外网地址

mail.slimsmart.cn | 192.168.0.25 | 121.42.81.20

ftp.slimsmart.cn | 192.168.0.21 | 121.42.81.21

二、安装bind

请参考:http://blog.csdn.net/zhu_tianwei/article/details/45045431

三、配置

1.生成内外网TSIG

vi /etc/keys.conf

# TSIG keys shared by the master and the slave.  One key per view: a request
# signed with neiwang_key is placed in the "neiwang" view, one signed with
# waiwang_key in the "waiwang" view (see match-clients in named.conf); the
# same keys authenticate zone transfers and dynamic updates.
# NOTE(review): hmac-md5 is deprecated -- use "algorithm hmac-sha256;" for
# new deployments (dig/nsupdate then need "-y hmac-sha256:name:secret", or
# better a "-k" key file).  The secrets below are the article's examples:
# generate fresh ones, never reuse published values, and keep this file
# readable only by root and the user named runs as.
key "neiwang_key" {
algorithm hmac-md5;
secret "XvbglfmP8aZ20CLEP5NL+w==";
};

key "waiwang_key" {
algorithm hmac-md5;
secret "6Ube2jTRIPxuIBlL5rCg5Q==";
};
关于生成方法参考:dnssec-keygen命令(例如 dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST neiwang_key)。注意:文中的secret只是示例,部署时必须重新生成,不要把真实密钥贴到公开页面;hmac-md5已不建议使用,新部署应选择hmac-sha256(此时dig/nsupdate要写成 -y hmac-sha256:keyname:secret,或用 -k 指定密钥文件);keys.conf应只对root和运行named的用户可读。

2.主服务器

vi /etc/named.conf

# Key for the rndc control channel.  Like the TSIG keys it uses hmac-md5;
# hmac-sha256 is the better choice on current BIND.  The secret shown is the
# article's example -- generate your own (rndc-confgen) and keep named.conf
# readable only by root and the named user.
key "rndc-key" {
algorithm hmac-md5;
secret "GfdVJ8ppCKJiCejNVq3xkQ==";
};

# The control channel is bound to the loopback and additionally requires a
# message signed with rndc-key, so runtime zone creation (allow-new-zones
# below) can only be driven from this host.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

options{
# Bind only the internal address: the master is reachable from the internal
# network only (nothing listens on the public 121.42.81.52).
listen-on port 53{
192.168.36.54;
};
# String returned for version.bind queries instead of the real version.
version "slim-dns3.0";
directory "/var/named";
pid-file "/var/run/named.pid";
# Key file used by local "nsupdate -l" updates.
session-keyfile "/var/run/session.key";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
# Authoritative only: the master answers for its own zones and never resolves
# on behalf of clients (that is the slave's job).
recursion no;
allow-query{
any;
};
# Harmless while recursion is off (there is no cache to serve), but could be
# dropped or narrowed to the internal ranges.
allow-query-cache{
any;
};
# Lets "rndc addzone" create zones at runtime; only reachable through the
# loopback-bound control channel above.
allow-new-zones yes;
};

# Logging: one rotated file per event class.  "default_debug" is the standard
# debug channel; queries, NOTIFY traffic and inbound/outbound transfers each
# get their own file so TSIG/transfer failures can be found quickly.
# NOTE(review): query.log records every question asked (client address and
# name) -- size it and protect it like any other log with user data.
logging {
channel default_debug {
file "/var/named/data/named.run";
severity dynamic;
};
channel query_info {
file "/var/named/log/query.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

category queries {
query_info;
default_debug;
};

channel notify_info {
file "/var/named/log/notify.log" versions 8 size 128m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

category notify {
notify_info;
};

channel xfer_in_log {
file "/var/named/log/xfer_in.log" versions 100 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

channel xfer_out_log {
file "/var/named/log/xfer_out.log" versions 100 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

# Outbound transfers (xfer-out) should only ever show the slave; anything
# else here means allow-transfer is too wide.
category xfer-in { xfer_in_log; };
category xfer-out { xfer_out_log; };

};

include "/etc/keys.conf";

# Address ranges treated as "internal" when selecting a view.  192.168/16 is
# deliberately commented out: the master, the slave and (per the text below)
# the hosts that run nsupdate live in that range, and an address inside "lan"
# would be placed in the "neiwang" view by address alone, regardless of which
# TSIG key signed the request.  Keeping those hosts out of "lan" makes their
# view depend only on the key they sign with.  Single hosts can be excluded
# instead with "!a.b.c.d;" (see the example after the listing).
acl "lan" {
10.0.0.0/8;
172.16.0.0/12;
#192.168.0.0/16;
};

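# Internal view.  A request lands here if it is signed with neiwang_key, or
# comes from an address in "lan", or from the loopback.  Addresses not in
# "lan" (192.168/16 is left out on purpose) are therefore routed by key only.
view "neiwang" {
    match-clients {
        key neiwang_key;
        lan;
        127.0.0.1;
    };
    # Sign NOTIFY and any other traffic to the slave with this view's key so
    # the slave places it in its own "neiwang" view.
    server 192.168.36.189 { keys neiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        # Transfers must be TSIG-signed with this view's key.  The slave's
        # "server 192.168.36.54 { keys neiwang_key; }" already signs its
        # requests, so the former address-only entry (192.168.36.189) is not
        # needed; an address match alone would let anyone who can source
        # traffic from that address pull the internal zone unsigned.
        allow-transfer { key neiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/neiwang/slimsmart.cn.zone";
        # Dynamic updates only when signed with this view's key.  The former
        # "allow-update { any; }" accepted unsigned updates from every host
        # that matched the view -- i.e. all of 10/8 and 172.16/12 could
        # rewrite the internal zone.  View selection by key does not check
        # the signature for address-matched clients; this line does.  The
        # nsupdate example further down already signs with -y, so it still
        # works.  (The zone directory must be writable by the named user for
        # the .jnl journal.)
        allow-update { key neiwang_key; };
    };
};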

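# External view.  "any" catches every request the "neiwang" view did not
# claim: requests signed with waiwang_key and unsigned requests from
# addresses outside "lan" (on this master that means 192.168/16, since
# listen-on binds only the internal address and public clients never reach
# the master directly).
view "waiwang" {
    match-clients {
        key waiwang_key;
        any;
    };
    # Sign traffic to the slave with this view's key so it lands in the
    # slave's "waiwang" view.
    server 192.168.36.189 { keys waiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        # Key-only transfers; the slave signs its requests through its
        # "server" statement, so the address-only entry is dropped.
        allow-transfer { key waiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/waiwang/slimsmart.cn.zone";
        # Dynamic updates only when signed with this view's key.  With the
        # former "allow-update { any; }" and match-clients "any", every
        # unsigned client that could reach the master (any 192.168/16 host)
        # was able to change the public zone.  The nsupdate example below
        # signs with -y and is unaffected.
        allow-update { key waiwang_key; };
    };
};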
主服务器不对客户端提供查询服务,所以关闭递归:recursion no;。同时listen-on只绑定内网地址192.168.36.54,公网无法直接访问主服务器;但内网所有主机仍能访问它,因此zone的传送和更新仍然必须用TSIG密钥限制,不能只靠地址。

由于需要动态添加zone和解析记录RR,所以acl lan排除了自己的网络地址,也可以根据自己的实际情况,使用!排除单个IP地址,如:

acl "lan" {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
!192.168.36.100;
};
对于zone的更新权限,上面的配置写的是 allow-update { any; };,并依赖"排除自己的IP后按TSIG选择view"来区分内外网。但match-clients只决定请求进入哪个view,并不要求请求签名:任何落入neiwang view的内网地址(10/8、172.16/12)都能不带密钥直接改写内网zone;而waiwang view的match-clients是any,所以任何能访问到主服务器的未签名客户端(例如192.168网段的任意主机)都能改写外网zone。应改为只允许对应密钥更新:allow-update { key neiwang_key; }; 和 allow-update { key waiwang_key; };,后文的nsupdate示例本来就带了-y签名,不受影响。

在/var/named/zone/neiwang和/var/named/zone/waiwang创建slimsmart.cn.zone文件

vi /var/named/zone/neiwang/slimsmart.cn.zone

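$TTL      86400
@               IN      SOA     slimsmart.cn.   admin.slimsmart.cn. (
                1       ; serial -- bumped automatically by dynamic updates
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum (negative-caching TTL)
; The leading whitespace on the NS line is significant: a blank owner field
; inherits the previous owner (@, the zone apex).  Starting the line with
; "IN" in column 0 would make "IN" the owner name and leave the apex
; without an NS record.
                IN      NS      ns.slimsmart.cn.
; Only the slave is published as a name server; the master is not queried
; directly (recursion off, listens on the internal address only).  A single
; NS is a single point of failure -- add a second slave for real HA.
ns              IN      A       192.168.36.189
mail            IN      A       192.168.0.25
ftp             IN      A       192.168.0.21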
vi /var/named/zone/waiwang/slimsmart.cn.zone

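$TTL      86400
@               IN      SOA     slimsmart.cn.   admin.slimsmart.cn. (
                1       ; serial -- bumped automatically by dynamic updates
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum (negative-caching TTL)
; Leading whitespace is significant: a blank owner field inherits @ (the
; apex).  "IN" in column 0 would become the owner name and the apex would
; have no NS record.
                IN      NS      ns.slimsmart.cn.
; The public view publishes only the slave's public address as NS; the
; master is never queried directly.  One NS is a single point of failure --
; add a second slave for real HA.
ns              IN      A       121.42.81.53
mail            IN      A       121.42.81.20
ftp             IN      A       121.42.81.21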
3.辅服务器

复制/etc/keys.conf到辅服务器(用scp等加密通道传输,并保持只有root和运行named的用户可读)。另外注意:辅服务器开启了recursion yes,而waiwang view匹配any,如果不加allow-recursion限制,通过公网地址121.42.81.53访问的任何人都能把它当作开放递归解析器(可被用于DNS放大攻击),应把递归和缓存查询限制在内网地址段。

vi /etc/named.conf

# rndc control key for the slave (a different secret from the master's, as it
# should be).  Example value only -- regenerate with rndc-confgen; hmac-sha256
# is preferable to hmac-md5 on current BIND.
key "rndc-key" {
algorithm hmac-md5;
secret "6Kb4sKpIUJq5i4ozE2AXzQ==";
};

# Control channel restricted to the loopback and to messages signed with
# rndc-key.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

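options{
    # Bind the internal address; the public 121.42.81.53 is expected to be
    # mapped to this host, so external queries still arrive here.
    listen-on port 53 { 192.168.36.189; };
    version "slim-dns 3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    # The slave is the resolver for internal clients, so recursion stays on,
    # but only for internal source addresses.  Without allow-recursion (and
    # with the former "allow-query-cache { any; }") every client that lands
    # in the "waiwang" view -- which matches "any" -- could use this host as
    # an open recursive resolver, i.e. the whole Internet via the public
    # address (reflection/amplification and cache-poisoning exposure).
    # The ranges are spelled out because the "lan" acl is declared later in
    # this file and acl names must be defined before they are referenced.
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    allow-query-cache { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    # Authoritative answers for the zones below are still served to anyone.
    allow-query { any; };
    # Nobody may pull zones from the slave.
    allow-transfer { none; };
};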

# Same logging layout as on the master: debug channel plus separate rotated
# files for queries, NOTIFY and inbound/outbound transfers.  On the slave the
# xfer-in log is the place to look when a zone does not update (TSIG or view
# mismatch against the master shows up there).  query.log contains client
# addresses and names -- treat it as sensitive.
logging {
channel default_debug {
file "/var/named/data/named.run";
severity dynamic;
};
channel query_info {
file "/var/named/log/query.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

category queries {
query_info;
default_debug;
};

channel notify_info {
file "/var/named/log/notify.log" versions 8 size 128m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

category notify {
notify_info;
};
channel xfer_in_log {
file "/var/named/log/xfer_in.log" versions 100 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

channel xfer_out_log {
file "/var/named/log/xfer_out.log" versions 100 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

# xfer-out should stay empty here: allow-transfer is "none" on the slave.
category xfer-in { xfer_in_log; };
category xfer-out { xfer_out_log; };
};

include "/etc/keys.conf";

# Same acl as on the master.  Note the consequence on the slave, which is the
# server ordinary clients actually query: with 192.168/16 left out of "lan",
# an unsigned client at 192.168.x.x is NOT matched by the "neiwang" view and
# falls through to "waiwang", i.e. it receives the public addresses.  The
# exclusion is presumably kept so that the master's NOTIFY traffic from
# 192.168.36.54 is routed by TSIG key rather than by address.  If internal
# clients live in 192.168/16, add "192.168.0.0/16;" here and exclude just the
# master with "!192.168.36.54;" placed before the range; the key-signed dig
# tests further down must then be run from outside these ranges to reach the
# "waiwang" view.
acl "lan" {
10.0.0.0/8;
172.16.0.0/12;
#192.168.0.0/16;
};

# Internal view on the slave: same selection rule as on the master (request
# signed with neiwang_key, or source address in "lan", or loopback).
view "neiwang" {
match-clients {
key neiwang_key;
lan;
127.0.0.1;
};
# Sign everything sent to the master (SOA refresh, AXFR/IXFR) with this
# view's key so the master places the request in its own "neiwang" view.
server 192.168.36.54 {keys neiwang_key;};
zone "." in {
type hint;
file "named.root";
};
zone "localhost" in {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "localhost.rev";
allow-update { none; };
};
# Internal copy of slimsmart.cn pulled from the master and written to the
# per-view file (the directory must be writable by the named user).
# Outbound transfers are refused by the global "allow-transfer { none; }".
zone "slimsmart.cn" IN {
type slave;
masters {192.168.36.54;};
file "zone/neiwang/slimsmart.cn.zone";
};
};

# External view on the slave: requests signed with waiwang_key and every
# request not claimed by "neiwang" (unsigned clients outside "lan", which
# includes the public Internet via the mapped address and, with the acl as
# written, unsigned 192.168/16 clients).
view "waiwang" {
match-clients {
key waiwang_key;
any;
};
# Sign refresh/transfer requests to the master with this view's key so they
# land in the master's "waiwang" view and fetch the public zone data.
server 192.168.36.54 {keys waiwang_key;};
zone "." in {
type hint;
file "named.root";
};
zone "localhost" in {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "localhost.rev";
allow-update { none; };
};
# Public copy of slimsmart.cn, stored separately from the internal copy.
zone "slimsmart.cn" IN {
type slave;
masters {192.168.36.54;};
file "zone/waiwang/slimsmart.cn.zone";
};
};


创建zone目录:mkdir -p /var/named/zone/{neiwang,waiwang}(这是chroot内的路径;目录及其中的zone文件应归运行named的用户所有并可写:主服务器要写动态更新产生的.jnl日志文件,辅服务器要写从主服务器传送来的zone文件)。

四、启动服务

# -u slim : drop root privileges to user "slim" after binding port 53
# -t DIR  : chroot into /home/slim/chroot/ -- every path in named.conf
#           (/etc/named.conf, /etc/keys.conf, /var/named, the log dirs)
#           is then resolved inside that directory and must exist there
# -c FILE : configuration file, path as seen inside the chroot
# -g      : stay in the foreground and send all logging to stderr; handy
#           while testing, drop it (or use a service manager) in production
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf -g

使用-g参数让named在前台运行并把日志输出到标准错误,便于调试;正式运行时去掉-g(或交给服务管理器)。-u slim使named绑定端口后降权运行,-t指定chroot目录,named.conf中的所有路径都相对于该目录。

五、测试

使用dig命令指定TSIG密钥,查询对应view的数据。注意:-y 把密钥明文写在命令行上,会留在shell历史和ps输出中,仅适合临时测试;日常使用应改为 -k 指定密钥文件。

内网:

$ dig @192.168.36.189 -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y neiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       192.168.0.25

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       192.168.36.189

;; TSIG PSEUDOSECTION:
neiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441020 300 16 XtXO82VDmuWwuFk80zyjcA== 8707 NOERROR 0

;; Query time: 2 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:05 2015
;; MSG SIZE  rcvd: 165
外网:

$ dig @192.168.36.189 -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y waiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       121.42.81.20

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       121.42.81.53

;; TSIG PSEUDOSECTION:
waiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441069 300 16 BWW92tBf9nezkxK4nQE91Q== 53129 NOERROR 0

;; Query time: 1 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:53 2015
;; MSG SIZE  rcvd: 165
使用nsupdate添加内外网解析记录(同样建议用 -k 密钥文件代替 -y 明文密钥;更新发往主服务器192.168.36.54,由主服务器NOTIFY辅服务器同步;若主服务器按前文把allow-update限制为对应密钥,这里带签名的更新仍然有效):

内网:

www.slimsmart.cn  A  1.1.1.1

$ ./bind/bin/nsupdate -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 1.1.1.1
> send
>quit
外网:

www.slimsmart.cn  A  2.2.2.2

$ ./bind/bin/nsupdate -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 2.2.2.2
> send
> quit

再使用dig查询一下,解析正常。建议再分别从一台不带密钥的普通内网客户端和一台公网客户端查询,确认view的选择与预期一致(尤其是192.168网段的客户端:按上面的acl它不属于lan,在辅服务器上会落入waiwang view拿到外网地址),并确认公网客户端对非本域名的递归查询被拒绝。

参考文章:

1.使用bind构建高可用智能dns服务器