bind98-内网智能DNS之master服务器构建-阿里云开发者社区

公司有一测试环境，上面跑着线上的各个网站的线下版本（即上线之前在本地所做的测试）。起初，我们在配置该环境时，访问每个网站均采用独立IP的形式进行。这样一来，仅仅就这一个服务器上就占用了内网的10几个IP，再加上办公室同事的正常使用IP，IP就不足了（得再划分子网，麻烦）。现在想配置一台DNS服务器，不同的域名解析到同一个IP，达到节约IP资源的目的，此其一。其二，我也想该环境使用同线上一样的域名环境。但是有一个要求，仅仅测试部童鞋在使用特定域名时，解析到本地相应的IP，反之，解析到公网IP。同时，也希望该DNS服务器承担内网用户上网时解析域名的角色。

下面来看看整个实现的过程：

一、安装过程

由于DNS服务器易受攻击，所以安全性很重要。我们从dns的官网上下载最新stable版的bind98来做这个。（相对安全而言，本人还是比较青睐FreeBSD一点）。

bind98的下载地址：

ftp://ftp.isc.org/isc/bind/9.8.0-P4/bind-9.8.0-P4.tar.gz

将其下载到本地的目录中，编译安装即可

# tar xf bind-9.8.0-P4.tar.gz
# cd bind-9.8.0-P4
# ./configure --prefix=/usr/local/named --enable-epoll --enable-threads --enable-largefile

编译参数的说明：

--enable-threads enable multithreading
--enable-largefile 64-bit file support
--enable-epoll use Linux epoll when available [default=auto]

这样运行configure完之后，会有这样的提示

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING
WARNING Your OpenSSL crypto library may be vulnerable to WARNING
WARNING one or more of the the following known security WARNING
WARNING flaws: WARNING
WARNING WARNING
WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
WARNING CVE-2006-2940. WARNING
WARNING WARNING
WARNING It is recommended that you upgrade to OpenSSL WARNING
WARNING version 0.9.8d/0.9.7l (or greater). WARNING
WARNING WARNING
WARNING You can disable this warning by specifying: WARNING
WARNING WARNING
WARNING --disable-openssl-version-check WARNING
WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

这是因为configure时默认启用了这个参数所致

--enable-openssl-version-check
Check OpenSSL Version [default=yes]

你可以将其设置为NO，或者升级本地的openssl

顺便看一下本地的openssl版本吧

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

让我们来升级它吧,最新的openssl版本下载地址

http://www.openssl.org/source/openssl-1.0.0d.tar.gz

接下来，

# tar xf openssl-1.0.0d.tar.gz
# cd openssl-1.0.0d
# ./config -fPIC --prefix=/usr enable-shared
# make && make install

再看一下openssl的版本

# openssl version
OpenSSL 1.0.0d 8 Feb 2011

oh,yeah,成功升级至openssl 1.0.0d,之后再次在bind目录下configure就没有上面的warning了

以上都做完了之后，最后make && make install，这样bind98就算安装完毕了。

二、配置bind98

准备一个用户来运行bind98

# groupadd named
# useradd named -g named -s /sbin/nologin -d /dev/null -M -c "DNS server"

生成rndc.conf文件

# rndc-confgen >/usr/local/named/etc/rndc.conf

修改rndc.conf如下

key "rndc-key" {
algorithm hmac-md5;
secret "pdz01kiIZhCDgYTDEr2YXA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

主配置文件named.conf

options {
directory "/usr/local/named/etc";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
pid-file "/var/run/named/named.pid";
version "Windows 2008 Enterprise Server";
notify yes;
/*
只当本域notify被激活时才是有意义的。能够收到本域DNS NOTIFY信息的计算机
的集合是由所有域中列明的名称服务器加上任何由also-notify设定的IP地址
*/
also-notify { 192.168.2.201; };
//如果为yes,服务器将收集所有区域的统计数据
zone-statistics yes;
listen-on port 53 { 192.168.2.200; };
//这里填写slave的地址
//allow-transfer { 192.168.2.201; };
//允许内外网查询本DNS
allow-query { intranet;external; };
//允许外部网络递归查询
allow-recursion { external; };
//在配置为”first”时，则在转发查询失败或没有查到结果时，会在本地发起查询。
forward first;
//上游DNS设置
forwarders { 202.101.172.46;202.101.172.47; };
//服务器可以使用的最大数据内存量，默认是default
datasize 50M;
auth-nxdomain no;
rrset-order { order random; };
};
logging {
channel warning {
file "/var/log/dns_warnings.log" versions 5 size 1024K;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_log {
file "/var/log/dns_security.log" versions 5 size 1024K;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel query_log {
file "/var/log/dns_query.log" versions 10 size 1024K;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category security { security_log; };
category queries { query_log; };
};
include "acl.conf";
include "rndc.conf";
view "intranet" {
match-clients { key intranet-key;intranet; };
match-destinations { any; };
//设定哪台主机允许和本地服务器进行域传输，这里指定传输到slave时使用的key
allow-transfer { key intranet-key; };
//这里是slave的地址
server 192.168.2.201 { keys { intranet-key; }; };
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
};
zone "wholesale-dress.net" IN {
type master;
/*
由于域名wholesale-dress.net已在公网上注册，所以对测试的童鞋来说，
该域名的记录应该返回的是内网中测试服务器所对应的IP，下同
*/
file "master/wholesale-dress.net.intranet";
};
zone "yixiebao.com" IN {
type master;
file "master/yixiebao.com.intranet";
};
zone "japan-dress.com" IN {
type master;
file "master/japan-dress.com.intranet";
};
zone "arab-clothes.com" IN {
type master;
file "master/arab-clothes.com.intranet";
};
zone "stamp-shopping.com" IN {
type master;
file "master/stamp-shopping.com.intranet";
};
zone "2.168.192.in-addr.arpa" IN {
type master;
file "master/2.168.192.rev";
};
};
view "external" {
match-clients { key external-key;external; };
match-destinations { any; };
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
};
zone "wholesale-dress.net" IN {
/*
对于外网用户来说（指定的），该域名已经作解析。我们就没有必要再解析一次
，当用户查询此域名时，直接丢给上游DNS即可。下同
*/
type forward;
};
zone "goods-of-china.com" IN {
type forward;
};
zone "japan-dress.com" IN {
type forward;
};
zone "russia-dress.com" IN {
type forward;
};
zone "stamp-shopping.com" IN {
type forward;
};
};

acl.conf

key "intranet-key" {
algorithm hmac-md5;
secret "qSFm5D26mtg1O1wJlyTKYA==";
};
key "external-key" {
algorithm hmac-md5;
secret "TorqY5N5hgkRhoXgSssaDQ==";
};
acl "intranet" {
localhost;
};
acl "external" {
any;
};

name.root下载地址：

wget ftp://ftp.internic.org/domain/named.root

还有一些准备工作

# touch /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# chown named.named /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# ll /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
-rw-r--r-- 1 named named 701587 Jul 13 10:53 /var/log/dns_query.log
-rw-r--r-- 1 named named 0 Jul 12 17:56 /var/log/dns_security.log
-rw-r--r-- 1 named named 1158 Jul 13 09:56 /var/log/dns_warnings.log
# chown -R named.named /usr/local/named/
# chown -R named.named /var/run/named/
# chown -R named.named /var/named/data/

生成两个key

# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST intranet
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST external

生成的key文件名like this

-rw------- 1 named named 52 Jul 12 16:04 Kexternal.+157+21581.key
-rw------- 1 named named 165 Jul 12 16:04 Kexternal.+157+21581.private
-rw------- 1 named named 52 Jul 12 16:03 Kintranet.+157+57599.key
-rw------- 1 named named 165 Jul 12 16:03 Kintranet.+157+57599.private

将下面红色部分的代码复制到acl.conf中

# cat Kexternal.+157+21581.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: TorqY5N5hgkRhoXgSssaDQ==
Bits: AAA=
Created: 20110712080429
Publish: 20110712080429
Activate: 20110712080429
cat Kintranet.+157+57599.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: qSFm5D26mtg1O1wJlyTKYA==
Bits: AAA=
Created: 20110712080358
Publish: 20110712080358
Activate: 20110712080358

localhost.zone

$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1

localhost.rev

$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.

/usr/local/named/etc/下新建一master目录

2.168.192.rev

$TTL 86400
@ IN SOA wholesale-dress.net. root.wholesale-dress.net. (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D) ; minimum
IN NS ns1.wholesale-dress.net.
200 IN PTR ns1.wholesale-dress.net.
201 IN PTR slave.wholesale-dress.net.
;88 IN PTR www.wholesale-dress.net.
;15 IN PTR js.wholesale-dress.net.
;15 IN PTR css.wholesale-dress.net.
;15 IN PTR img.wholesale-dress.net.
;14 IN PTR mail.wholesale-dress.net.
;18 IN PTR ftp.wholesale-dress.net.

arab-clothes.com.intranet

$TTL 86400
@ IN SOA ns1.arab-clothes.com. root.arab-clothes.com. (
105 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.arab-clothes.com.
; IN MX 10 mail.arab-clothes.com.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
www IN A 192.168.1.249
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18

japan-dress.com.intranet

$TTL 86400
@ IN SOA ns1.japan-dress.com. root.japan-dress.com. (
101 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.japan-dress.com.
; IN MX 10 mail.japan-dress.com.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
www IN A 192.168.1.241
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18

stamp-shopping.com.intranet

$TTL 86400
@ IN SOA ns1.stamp-shopping. root.stamp-shopping. (
101 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.stamp-shopping.
; IN MX 10 mail.stamp-shopping.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
www IN A 192.168.1.238
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18

wholesale-dress.net.intranet

$TTL 86400
@ IN SOA ns1.wholesale-dress.net. root.wholesale-dress.net. (
101 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.wholesale-dress.net.
; IN MX 10 mail.wholesale-dress.net.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
www IN A 192.168.2.221
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18

yixiebao.com.intranet

$TTL 86400
@ IN SOA ns1.yixiebao.com. root.yixiebao.com. (
101 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.yixiebao.com.
; IN MX 10 mail.yixiebao.com.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
;www IN A 192.168.1.87
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18

后面几个正向解析文件基本上差不多。

三、启动named

基于以上的工作后，基本上算是配置完毕，在正式启动之前我们来检查一下mamed.conf 的语法

# named-checkconf named.conf

无错误输出即可。

进行调试模式启动，看是否有错误输出

named -u named -c named.conf -g -d 4

最后，创建bind98启动脚本

#!/bin/bash
#
# Init file for named
#
# chkconfig: - 80 12
# description: named daemon
#
# processname: named
# pidfile: /usr/local/named/var/run/named.pid
. /etc/init.d/functions
BIN="/usr/local/named/sbin"
PIDFILE="/var/run/named/named.pid"
RETVAL=0
prog="named"
desc="DNS Server"
start() {
if [ -e $PIDFILE ];then
echo "$desc already running...."
exit 1
fi
echo -n $"Starting $desc: "
daemon $BIN/$prog -u named -c /usr/local/named/etc/named.conf
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
echo -n $"Stop $desc: "
killproc $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog $PIDFILE
return $RETVAL
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status}"
RETVAL=1
esac
exit $RETVAL

以上脚本是由另一脚本修改而来，经试用，没有问题。

四、测试过程（略）

1）将LAN中任意一台win 机器的DNS设置改成该服务器的IP，看是否能解析OK？

2）将LAN中任意一台win 机器的IP配置成acl中的intranet地址，看是否不能查询外网请求，在查询指定请求的域名是，是否返回所预定的结果。

注：按照以上的配置正常启动DNS后，会在dns_warnings.log里有一条错误的日志输出，此错误并不影响DNS的正常工作。大致是这样的

13-Jul-2011 17:18:07.098 general: error: managed-keys-zone ./IN/internal: loading from master file 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed: file not found
13-Jul-2011 17:18:07.100 general: error: managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found

在google上查了N久，没有该问题的详细描述以及任何可用的solution。肿么办办呢，本人突发奇想，既然是这个文件没有，那么好啦，我就自己创建一个这样的空文件，看如何

# touch 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
296
# touch 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys

紧接着更改这两个文件的属主设置，再次启动DNS，此时DNS日志中就木有这条该死的错误日志了，其他功能一切正常。哈哈， ^_^

五、随后某个时间，将附上该文档的后续版本，增加从服务器配置。

本文转自dongfang_09859 51CTO博客，原文链接：http://blog.51cto.com/hellosa/609881，如需转载请自行联系原作者

bind98-内网智能DNS之master服务器构建

DNS软件服务

热门文章

最新文章

相关产品

相关课程

相关电子书

相关实验场景

推荐镜像