Hello everyone, I'm Xiao Jiang.
Preface
With the rapid rise of the cloud-native era, every industry has rushed into Kubernetes; within two or three years job postings started asking for "at least one year of hands-on k8s experience". Many traditional technologies that were widely used in the early days have been left far behind. Put another way, technology churns endlessly: old tech is replaced quickly and new tech gets all the attention. In the domain-name resolution space, the tools people know best are the hosted DNS services such as DNSPod, GoDaddy, Cloudflare and Alibaba Cloud DNS, plus dnsmasq, PowerDNS and, inside Kubernetes, CoreDNS. Today, though, I want to talk about BIND 9.
Small and mid-sized companies probably don't use BIND 9 much any more, and most of what you find online runs the plain named service rather than named-chroot; even fewer posts use acl + view. Either the layout is poor, so beginners get confused and misconfigure things, or the explanation isn't detailed enough. Good write-ups surely exist; maybe I didn't spend enough time searching or my search skills are limited. Here I'll document how I used BIND 9 with chroot plus acl + view to build a "smart" (split-horizon) DNS.
Environment
CentOS Linux release 8.4.2105
BIND version: 9.11.26
Overall network: 172.16.128.0/17
Subnet of the BIND 9 master and slave: 172.16.0.0/24

| Host | IP | Role |
| --- | --- | --- |
| named-srv1 | 172.16.0.55 | named master |
| named-srv2 | 172.16.0.56 | named slave |
Deploying the bind9 master node
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# I want to enable chroot and move the named directory to /data/named/chroot,
# so the files have to be copied
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# Create the directory that will hold the logs
mkdir -p /data/named/chroot/data/log/named/
### Create the required files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# Go to /data/ and change the owner and group of the named directory to named
cd /data/
chown named.named -R named
Edit the master named.conf
$ cat /data/named/chroot/etc/named.conf
// The three client subnets; the tests at the end query from 172.16.10.1, 172.16.20.1 and 172.16.30.1
acl telecom { 172.16.10.0/24; };
acl unicom  { 172.16.20.0/24; };
acl mobile  { 172.16.30.0/24; };

options {
        listen-on port 53 { 127.0.0.1; 172.16.0.55; };
        directory "/var/named";
        dump-file "/data/named/data/cache_dump.db";
        statistics-file "/data/named/data/named_stats.txt";
        memstatistics-file "/data/named/data/named_mem_stats.txt";
        // Hosts allowed to query; the whitelist. Every view below enables recursion,
        // so the listener should stay reachable from internal networks only
        allow-query { any; };
        allow-query-cache { any; };
        // This is an Alibaba Cloud ECS instance, so Alibaba's public DNS is used here
        forwarders { 223.5.5.5; 223.6.6.6; };
        recursive-clients 200000;
        check-names master warn;
        max-cache-ttl 60;
        max-ncache-ttl 0;
        //recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        //session-keyfile "/run/named/session.key";
};

logging {
        channel query_log {
                file "/data/log/named/query.log" versions 10 size 300m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel client_log {
                file "/data/log/named/client.log" versions 3 size 200m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel config {
                file "/data/log/named/config.log" versions 3 size 100m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel default_log {
                file "/data/log/named/default.log" versions 3 size 100m;
                severity debug;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel general_log {
                file "/data/log/named/general.log" versions 3 size 200m;
                severity debug;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        category queries { query_log; };
        category client { client_log; };
        category general { general_log; };
        category config { config; };
        category default { default_log; };
};

// Views are tried top to bottom and the first match-clients hit wins;
// the names inside match-clients must be spelled exactly as the acl definitions above
view telcom_view {
        match-clients { telecom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-telcome.zones";
};
view unicom_view {
        match-clients { unicom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-unicom.zones";
};
view mobile_view {
        // Match only the mobile acl; with "any" here every other client would land in this view
        match-clients { mobile; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-mobile.zones";
};
Note, two reminders: first, once the named-chroot service is enabled the named service must be stopped; you run one or the other. Second, with named-chroot enabled every path in the configuration is relative, namely relative to /var/named/chroot.
Using acl + view
The three ACLs and three views are already defined above. ACLs normally go at the very top, before options, and that placement is recommended.
Next we need to generate the zone files that each of the three views pulls in through include. Only forward zones are shown here; an internal BIND 9 rarely needs reverse resolution.
Generate the zone files
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
        type master;
        file "ayunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
        type master;
        file "iyunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
        type master;
        file "allenjol.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};
Generate the zone data files
# Zone data files live in the "directory" named.conf points at, i.e. /var/named inside the chroot
$ cd /var/named/chroot/var/named
$ vi ayunw.cn.zone
$TTL 86400
@       IN SOA  ayunw.cn. root.iyunw.cn. (
                202111011       ; serial (d. adams)
                1H              ; refresh
                15M             ; retry
                1W              ; expiry
                1D )            ; minimum
        IN NS   ns1.ayunw.cn.
        IN NS   ns2.ayunw.cn.
ns1     IN A    172.16.0.55
ns2     IN A    172.16.0.56
www     IN A    172.16.0.58

$ vi iyunw.cn.zone
$TTL 86400
@       IN SOA  iyunw.cn. root.iyunw.cn. (
                202111011       ; serial (d. adams)
                1H              ; refresh
                15M             ; retry
                1W              ; expiry
                1D )            ; minimum
        IN NS   ns1.iyunw.cn.
        IN NS   ns2.iyunw.cn.
ns1     IN A    172.16.0.55
ns2     IN A    172.16.0.56
web     IN A    172.16.0.59

$ vi allenjol.cn.zone
$TTL 86400
@       IN SOA  allenjol.cn. root.allenjol.cn. (
                202111011       ; serial (d. adams)
                1H              ; refresh
                15M             ; retry
                1W              ; expiry
                1D )            ; minimum
        IN NS   ns1.allenjol.cn.
        IN NS   ns2.allenjol.cn.
ns1     IN A    172.16.0.55
ns2     IN A    172.16.0.56
allen   IN A    172.16.0.60
Start the service and enable it at boot
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
Deploying the bind9 slave node
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# I want to enable chroot and move the named directory to /data/named/chroot,
# so the files have to be copied
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# Create the directory that will hold the logs
mkdir -p /data/named/chroot/data/log/named/
### Create the required files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# Go to /data/ and change the owner and group of the named directory to named
cd /data/
chown named.named -R named
Edit the slave named.conf
$ cat /data/named/chroot/etc/named.conf
// The three client subnets; the tests at the end query from 172.16.10.1, 172.16.20.1 and 172.16.30.1
acl telecom { 172.16.10.0/24; };
acl unicom  { 172.16.20.0/24; };
acl mobile  { 172.16.30.0/24; };

options {
        // Listen on the slave's own address (named-srv2)
        listen-on port 53 { 127.0.0.1; 172.16.0.56; };
        directory "/var/named";
        dump-file "/data/named/data/cache_dump.db";
        statistics-file "/data/named/data/named_stats.txt";
        memstatistics-file "/data/named/data/named_mem_stats.txt";
        // Hosts allowed to query; the whitelist. Every view below enables recursion,
        // so the listener should stay reachable from internal networks only
        allow-query { any; };
        allow-query-cache { any; };
        // This is an Alibaba Cloud ECS instance, so Alibaba's public DNS is used here
        forwarders { 223.5.5.5; 223.6.6.6; };
        recursive-clients 200000;
        check-names master warn;
        max-cache-ttl 60;
        max-ncache-ttl 0;
        //recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        //session-keyfile "/run/named/session.key";
};

logging {
        channel query_log {
                file "/data/log/named/query.log" versions 10 size 300m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel client_log {
                file "/data/log/named/client.log" versions 3 size 200m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel config {
                file "/data/log/named/config.log" versions 3 size 100m;
                severity info;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel default_log {
                file "/data/log/named/default.log" versions 3 size 100m;
                severity debug;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel general_log {
                file "/data/log/named/general.log" versions 3 size 200m;
                severity debug;
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        category queries { query_log; };
        category client { client_log; };
        category general { general_log; };
        category config { config; };
        category default { default_log; };
};

// Views are tried top to bottom and the first match-clients hit wins;
// the names inside match-clients must be spelled exactly as the acl definitions above
view telcom_view {
        match-clients { telecom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-telcome.zones";
};
view unicom_view {
        match-clients { unicom; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-unicom.zones";
};
view mobile_view {
        // Match only the mobile acl; with "any" here every other client would land in this view
        match-clients { mobile; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named-mobile.zones";
};
Generate the zone files
// On the slave the zones are of type slave and are pulled from the master;
// the transferred files go under slaves/, the directory named can write to
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "slaves/ayunw.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "slaves/iyunw.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "slaves/allenjol.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};
Start the service and enable it at boot
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
Note: the slave node does not need its own zone data files; when the master's named-chroot service is restarted the zone data is transferred to the slave automatically.
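A quick way to confirm that the slave really received the zones, as an added example that is not part of the original post: it reads the serial out of a zone file laid out like the ones above, syntax-checks the chroot configuration with named-checkconf and named-checkzone, and compares the SOA serial served by master and slave. The chroot path and addresses are the post's; the script name and the environment variables are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the chroot
# master/slave setup above. Assumed defaults: the RHEL chroot path and the
# post's addresses; override them through the environment.
CHROOT=${CHROOT:-/var/named/chroot}
MASTER=${MASTER:-172.16.0.55}
SLAVE=${SLAVE:-172.16.0.56}
ZONES=${ZONES:-"ayunw.cn iyunw.cn allenjol.cn"}

# Serial recorded in a zone file: the first integer after the SOA's opening
# parenthesis, whether it sits on the SOA line or on the line below it.
soa_serial() {
  awk '{ sub(/;.*/, ""); gsub(/\(/, " ( ") }   # drop comments, isolate "("
       /SOA/ { insoa = 1 }
       insoa { for (i = 1; i <= NF; i++) {
                 if (paren && $i ~ /^[0-9]+$/) { print $i; exit }
                 if ($i == "(") paren = 1 } }' "$1"
}

# Serial a running server answers with (third field of the SOA rdata).
live_serial() {
  dig +short SOA "$1" "@$2" | awk '{ print $3 }'
}

# Parse named.conf inside the chroot and check every zone file it should load.
check_files() {
  named-checkconf -t "$CHROOT" /etc/named.conf || return 1
  for z in $ZONES; do
    named-checkzone "$z" "$CHROOT/var/named/$z.zone" || return 1
  done
}

# Master and slave must agree on the serial; a mismatch means the transfer
# did not happen, for example because the slave's source address fell into
# a view that does not carry the zone (views are matched first hit wins).
check_transfer() {
  for z in $ZONES; do
    m=$(live_serial "$z" "$MASTER") || return 1
    s=$(live_serial "$z" "$SLAVE") || return 1
    printf '%-12s master=%s slave=%s\n' "$z" "$m" "$s"
    [ -n "$m" ] && [ "$m" = "$s" ] || return 1
  done
}

# Run the checks only when invoked as: sh bind-preflight.sh run
case "${1:-}" in run) check_files && check_transfer ;; esac
```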
Testing resolution
I took three machines with internal IPs 172.16.10.1, 172.16.20.1 and 172.16.30.1 and resolved www.ayunw.cn, web.iyunw.cn and allen.allenjol.cn from them respectively; all three resolved normally.
$ dig -t A www.ayunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;www.ayunw.cn.                  IN      A

;; ANSWER SECTION:
www.ayunw.cn.           86400   IN      A       172.16.0.58

;; AUTHORITY SECTION:
ayunw.cn.               86400   IN      NS      ns2.ayunw.cn.
ayunw.cn.               86400   IN      NS      ns1.ayunw.cn.

;; ADDITIONAL SECTION:
ns1.ayunw.cn.           86400   IN      A       172.16.0.55
ns2.ayunw.cn.           86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
$ dig -t A web.iyunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn.                  IN      A

;; ANSWER SECTION:
web.iyunw.cn.           86400   IN      A       172.16.0.59

;; AUTHORITY SECTION:
iyunw.cn.               86400   IN      NS      ns2.iyunw.cn.
iyunw.cn.               86400   IN      NS      ns1.iyunw.cn.

;; ADDITIONAL SECTION:
ns1.iyunw.cn.           86400   IN      A       172.16.0.55
ns2.iyunw.cn.           86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
$ dig -t A allen.allenjol.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn.             IN      A

;; ANSWER SECTION:
allen.allenjol.cn.      86400   IN      A       172.16.0.60

;; AUTHORITY SECTION:
allenjol.cn.            86400   IN      NS      ns2.allenjol.cn.
allenjol.cn.            86400   IN      NS      ns1.allenjol.cn.

;; ADDITIONAL SECTION:
ns1.allenjol.cn.        86400   IN      A       172.16.0.55
ns2.allenjol.cn.        86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
If you have enough machines, take one that is not in 172.16.10.0/24, 172.16.20.0/24 or 172.16.30.0/24 and try to resolve any name from these three zones; you will find that no normal A record comes back.
Likewise, if you use 172.16.10.1 to resolve web.iyunw.cn or allen.allenjol.cn, it will not resolve. That is the smart-DNS effect achieved with acl + view.
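The view selection explained in the acl + view section and the test outcomes above can be modelled directly; this is an added example, not code from the original post or from BIND, that mirrors named's first-match view logic with the post's ACLs, views and records, and also reports views that an earlier catch-all would hide. The function names and the REFUSED/FORWARDED/NXDOMAIN labels are my own.

```python
import ipaddress

# ACLs exactly as named.conf defines them: name -> list of prefixes.
ACLS = {
    "telecom": ["172.16.10.0/24"],
    "unicom": ["172.16.20.0/24"],
    "mobile": ["172.16.30.0/24"],
}

# Views in file order with the zones each one includes. named tests
# match-clients top to bottom and the first hit wins, so a view that
# matches "any" must come last or it hides every view below it.
VIEWS = [
    ("telcom_view", ["telecom"], {"ayunw.cn": {"www": "172.16.0.58"}}),
    ("unicom_view", ["unicom"], {"iyunw.cn": {"web": "172.16.0.59"}}),
    ("mobile_view", ["mobile"], {"allenjol.cn": {"allen": "172.16.0.60"}}),
]

def acl_matches(acl_name, client):
    """True when the client address is covered by the ACL ('any' always is)."""
    if acl_name == "any":
        return True
    return any(client in ipaddress.ip_network(p) for p in ACLS[acl_name])

def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients accepts the client, else None."""
    client = ipaddress.ip_address(client_ip)
    for name, clients, _zones in views:
        if any(acl_matches(a, client) for a in clients):
            return name
    return None

def resolve_a(client_ip, qname, views=VIEWS):
    """Outcome of an A query: the address; NXDOMAIN if the zone is in the view
    but the host is not; FORWARDED if the view lacks the zone (recursion hands
    it to 223.5.5.5, which knows no internal names); REFUSED if no view matches."""
    view = select_view(client_ip, views)
    if view is None:
        return "REFUSED"
    zones = next(z for n, _, z in views if n == view)
    host, _, zone = qname.partition(".")
    if zone not in zones:
        return "FORWARDED"
    return zones[zone].get(host, "NXDOMAIN")

def shadowed_views(views=VIEWS):
    """Views that can never be selected because an earlier view matches 'any'."""
    return [name for i, (name, _, _) in enumerate(views)
            if any("any" in clients for _, clients, _ in views[:i])]
```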