DNS BIND 搭建企业内部高可用DNS服务器

对于一个互联网企业来说,搭建一个公司内部的DNS服务器是很必要的,一来可以通过公司内网的DNS缓存提高公司内部的DNS解析效率,二来域名服务商提供的解析服务并不可靠,为了安全起见,自己搭建(当然也有不错的第三方DNS解析服务,如DNSpod,但需要收费),三来公司内部有一些服务在内网需要解析成内网IP,对于公网的用户访问就需要访问公网的IP,这样可以通过DNS配置轻松实现,当然还有其他很多实现方式。

为了提高DNS可用性部署采用一主多辅的方式部署,使用辅服务器提供解析读服务,主服务处理写服务。另外,为了实现内外网解析的不同,使用bind的ACL+VIEW实现智能解析。

一、搭建环境


为了测试方便我们搭建一主一辅,各个辅服务器的配置都雷同。

Master:内网 192.168.36.54,外网 121.42.81.52

Slave:内网 192.168.36.189,外网 121.42.81.53

公司内外网解析不同域名:

域名(slimsmart.cn):

主机 | 内网地址 | 外网地址

mail.slimsmart.cn | 192.168.0.25 | 121.42.81.20

ftp.slimsmart.cn | 192.168.0.21 | 121.42.81.21

二、安装bind

请参考:http://blog.csdn.net/zhu_tianwei/article/details/45045431

三、配置

1.生成内外网TSIG

vi /etc/keys.conf

// TSIG keys shared by master and slave.  The key name carried on a request
// is what the "match-clients { key ...; }" lists in named.conf use to pick
// the internal ("neiwang") or external ("waiwang") view.
// hmac-md5 is a legacy algorithm; when regenerating with dnssec-keygen,
// prefer hmac-sha256.  The secrets below are printed in the article, so
// treat them as examples and generate your own before deploying.
key "neiwang_key" {
        algorithm hmac-md5;
        secret "XvbglfmP8aZ20CLEP5NL+w==";
};

key "waiwang_key" {
        algorithm hmac-md5;
        secret "6Ube2jTRIPxuIBlL5rCg5Q==";
};
关于生成方法参考:dnssec-keygen命令

2.主服务器

vi /etc/named.conf

// Key that authenticates rndc to the "controls" channel below; the rndc
// client's own configuration (not shown in the article) must carry the
// same name and secret.  Example value only - generate a fresh secret.
key "rndc-key" {
        algorithm hmac-md5;
        secret "GfdVJ8ppCKJiCejNVq3xkQ==";
};

// rndc control channel: loopback only, port 953, and every command must be
// signed with "rndc-key".  Keep it on 127.0.0.1 - exposing this port is
// remote administrative access to the server.
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Master (primary) server options.  This host takes writes (dynamic
// updates, new zones) and feeds the slave; it does not serve client
// queries itself, so recursion is off (see the note after the listing).
options{
        // Bind only to the internal address; the public NS record points
        // at the slave, not at this host.
        listen-on port 53{
                192.168.36.54;
        };
        // Returned for version.bind CHAOS queries instead of the real
        // BIND version string.
        version "slim-dns3.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Authoritative only - no recursive lookups on behalf of clients.
        recursion no; 
        allow-query{
                any;
        };
        // With recursion off there is little cache to serve; this could be
        // narrowed to the internal ranges, but it is harmless as written.
        allow-query-cache{
                any;
        };
        // Needed so zones can be added at runtime (rndc addzone), as the
        // article's workflow requires.
        allow-new-zones yes;
};

// Logging: separate rotating files for queries, NOTIFY traffic and zone
// transfers in each direction.  The xfer-in/xfer-out logs are the place to
// look for unexpected transfer attempts; the query log records client
// addresses and names, so size/retention below is also a privacy choice.
logging { 
        // BIND's built-in debug channel; "severity dynamic" follows the
        // debug level set at runtime (e.g. rndc trace).
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        // Query log, rotated at 100 MB, keeping one previous file.
        channel query_info { 
                file "/var/named/log/query.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 

        category queries { 
                query_info; 
                default_debug; 
        }; 

        // NOTIFY messages sent/received, rotated at 128 MB, 8 old copies.
        channel notify_info { 
                file "/var/named/log/notify.log" versions 8 size 128m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 

        category notify { 
                notify_info; 
        };

        // Inbound zone transfers (this host acting as a slave, if ever).
        channel xfer_in_log {  
                file "/var/named/log/xfer_in.log" versions 100 size 10m;  
                severity info;  
                print-category yes;  
                print-severity yes;  
                print-time yes;  
        };  

        // Outbound zone transfers to the slave - audit trail for AXFR/IXFR.
        channel xfer_out_log {  
                file "/var/named/log/xfer_out.log" versions 100 size 10m;  
                severity info;  
                print-category yes;  
                print-severity yes;  
                print-time yes;  
        };  

        category xfer-in { xfer_in_log; };  
        category xfer-out { xfer_out_log; };  

};

include "/etc/keys.conf";

// Internal client networks.  192.168.0.0/16 is deliberately commented out:
// the admin host used for nsupdate sits in that range, and it must fall
// through the address match so that the TSIG key on its request (not its
// source address) decides which view it lands in.  Single hosts can be
// excluded with "!addr;" instead of dropping the whole range.
acl "lan" {
        10.0.0.0/8;
        172.16.0.0/12;
	#192.168.0.0/16;
};

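// Internal view on the master.  Selected by the neiwang_key TSIG, by a
// source address in acl "lan", or by loopback.
view "neiwang" {
        match-clients {
                key neiwang_key;
                lan;
                127.0.0.1;
        };
        // Sign NOTIFY and transfer traffic to the slave with this view's
        // key so the slave classifies it into its own "neiwang" view.
        server 192.168.36.189 {keys neiwang_key;};
        zone "." in {
                type hint;
                file "named.root";
        };
        zone "localhost" in {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "localhost.rev";
                allow-update { none; };
        };
        zone "slimsmart.cn" IN {
                type master;
                // Transfers: the slave by address, or anything signed with
                // the internal key (the list is OR-ed).
                allow-transfer{  
                        192.168.36.189;
                        key neiwang_key;  
                };   
                notify yes;  
                also-notify{  
                        192.168.36.189;  
                };
                file "zone/neiwang/slimsmart.cn.zone";
                // Was "allow-update { any; }": every host that matches this
                // view - all of 10/8 and 172.16/12 - could then rewrite the
                // zone with unsigned updates.  Require the view's TSIG key
                // instead; the "nsupdate -y neiwang_key:..." workflow shown
                // in the article keeps working unchanged.
                allow-update { key neiwang_key; };
        };
};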


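// External view on the master: everything not caught by "neiwang" above,
// i.e. requests signed with waiwang_key or from any other address.
view "waiwang" {
        match-clients {
                key waiwang_key;
                any;
        };
        // Sign NOTIFY and transfer traffic to the slave with the external
        // key so the slave files it under its own "waiwang" view.
        server 192.168.36.189 {keys waiwang_key;};
        zone "." in {
                type hint;
                file "named.root";
        };
        zone "localhost" in {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "localhost.rev";
                allow-update { none; };
        };
        zone "slimsmart.cn" IN {
                type master;
                allow-transfer{
                        192.168.36.189;
                        key waiwang_key;
                };
                notify yes;
                also-notify{
                        192.168.36.189;
                };      
                file "zone/waiwang/slimsmart.cn.zone";
                // Was "allow-update { any; }": this view matches "any", so
                // any client able to reach 192.168.36.54:53 could add or
                // delete records in the public zone with an unsigned update.
                // Require the external TSIG key; "nsupdate -y waiwang_key:..."
                // from the article still works.
                allow-update { key waiwang_key; };
        };
};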
主服务器不提供查询服务,所以关闭递归服务:recursion no;

由于需要动态添加zone和解析记录RR,所以acl lan排除了自己的网络地址,也可以根据自己的实际情况,使用!排除单个IP地址,如:

acl "lan" {
        10.0.0.0/8;
        172.16.0.0/12;
	192.168.0.0/16;
	!192.168.36.100;
};
zone 的更新权限配置为 allow-update {any; };。由于 acl lan 排除了自己的 IP 地址,更新请求会根据所携带的 TSIG key 匹配到对应的 view。
在/var/named/zone/neiwang和/var/named/zone/waiwang创建slimsmart.cn.zone文件

vi /var/named/zone/neiwang/slimsmart.cn.zone

; Internal ("neiwang") copy of slimsmart.cn - answers given to LAN clients.
; The zone accepts dynamic updates, so named keeps a journal for it; edit
; this file by hand only around "rndc freeze" / "rndc thaw".
$TTL      86400
@               IN      SOA     slimsmart.cn.   admin.slimsmart.cn. (
                                        1       ; serial - bump on every hand edit
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D )    ; minimum (negative-cache TTL)
                IN      NS      ns.slimsmart.cn.
; "ns" is the slave, which serves client queries (master is write-only).
ns              IN      A       192.168.36.189
mail            IN      A       192.168.0.25
ftp             IN      A       192.168.0.21
vi /var/named/zone/waiwang/slimsmart.cn.zone

; External ("waiwang") copy of slimsmart.cn - same names, public addresses.
; Same file name as the internal copy but under zone/waiwang/; keep the two
; in separate directories or one will overwrite the other.
$TTL      86400
@               IN      SOA     slimsmart.cn.   admin.slimsmart.cn. (
                                        1       ; serial - bump on every hand edit
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D )    ; minimum (negative-cache TTL)
                IN      NS      ns.slimsmart.cn.
; Public address of the slave.
ns              IN      A       121.42.81.53
mail            IN      A       121.42.81.20
ftp             IN      A       121.42.81.21
3.辅服务器

复制/etc/keys.conf到辅服务器。

vi /etc/named.conf

// rndc key for the slave; a different secret from the master's, as it
// should be.  Example value - generate your own.
key "rndc-key" {
        algorithm hmac-md5;
        secret "6Kb4sKpIUJq5i4ozE2AXzQ==";
};

// rndc control channel, loopback only and key-authenticated (same shape
// as on the master).
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

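// Slave (secondary) server options.  This is the host clients actually
// query, so it recurses for the company and serves the public zone to
// everyone else.
options{
        listen-on port 53{
                192.168.36.189;
        };
        version "slim-dns 3.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes; 
        allow-query{
                any;
        };
        // Was "allow-query-cache { any; }" with no allow-recursion: with
        // recursion on, the server would resolve arbitrary names for any
        // source that can reach it - an open resolver if the public address
        // 121.42.81.53 is forwarded to this host.  Restrict recursion and
        // cache access to the internal ranges used in the article plus
        // loopback; external clients still receive authoritative answers
        // for slimsmart.cn from the "waiwang" view.
        allow-recursion{
                10.0.0.0/8;
                172.16.0.0/12;
                192.168.0.0/16;
                127.0.0.1;
        };
        allow-query-cache{
                10.0.0.0/8;
                172.16.0.0/12;
                192.168.0.0/16;
                127.0.0.1;
        };
        // The slave never hands the zone on to anyone.
        allow-transfer{
                none;
        }; 
};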

// Logging, mirroring the master's layout: query, NOTIFY and zone-transfer
// logs in separate rotating files.  On the slave, xfer_in.log is the useful
// one - it shows every pull from the master.
logging { 
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        // Client query log (records source addresses and names asked for).
        channel query_info { 
                file "/var/named/log/query.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 

        category queries { 
                query_info; 
                default_debug; 
        }; 

        // NOTIFYs received from the master.
        channel notify_info { 
                file "/var/named/log/notify.log" versions 8 size 128m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 

        category notify { 
                notify_info;  
        }; 
        // Transfers pulled from the master.
        channel xfer_in_log {  
                file "/var/named/log/xfer_in.log" versions 100 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // Outbound transfers; with "allow-transfer { none; }" this should
        // only ever log refusals.
        channel xfer_out_log {
                file "/var/named/log/xfer_out.log" versions 100 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };    

        category xfer-in { xfer_in_log; };
        category xfer-out { xfer_out_log; }; 
}; 

include "/etc/keys.conf";

// Same internal ranges as on the master, with 192.168.0.0/16 left out for
// the same reason: requests from that range must be classified by TSIG key
// rather than by address.  Note this means clients in 192.168.x.x hit the
// "waiwang" view here unless they sign their queries.
acl "lan" {
        10.0.0.0/8;
        172.16.0.0/12;
        #192.168.0.0/16;
};

// Internal view on the slave.  Selection rules mirror the master.
view "neiwang" {
        match-clients {
                key neiwang_key;
                lan;
127.0.0.1;
        };
        // Sign SOA/AXFR requests to the master with the internal key, so
        // the master answers them from its own "neiwang" view and this
        // view receives the internal copy of the zone.
        server 192.168.36.54 {keys neiwang_key;};
        zone "." in {
                type hint;
                file "named.root";
        };
        zone "localhost" in {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "localhost.rev";
                allow-update { none; };
        };
        // Pulled from the master; the file is written by named, not edited
        // here.  The directory zone/neiwang must exist and be writable.
        zone "slimsmart.cn" IN {
                type slave;
                masters {192.168.36.54;};
                file "zone/neiwang/slimsmart.cn.zone";
        };
};


// External view on the slave: public clients and anything signed with
// waiwang_key.
view "waiwang" {
        match-clients {
                key waiwang_key;
                any;
        };
        // Sign requests to the master with the external key so the master
        // serves this view the public copy of the zone.
        server 192.168.36.54 {keys waiwang_key;};
        zone "." in {
                type hint;
                file "named.root";
        };
        zone "localhost" in {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "localhost.rev";
                allow-update { none; };
        };
        // Public copy of the zone, pulled from the master into zone/waiwang.
        zone "slimsmart.cn" IN {
                type slave;
                masters {192.168.36.54;};
                file "zone/waiwang/slimsmart.cn.zone";
        };
};

创建zone目录:mkdir /var/named/zone/{neiwang,waiwang}

四、启动服务

# Start named in the foreground (-g: stay attached and send all logging to
# stderr, convenient for a first run) as the unprivileged user "slim",
# chrooted to /home/slim/chroot/; with -t the config path /etc/named.conf
# is resolved inside that chroot.
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf -g

使用 -g 参数让 named 在前台运行并把日志输出到终端,便于查看。

五、测试

使用dig命令指定TSIG查询对应的view数据。

内网:

$ dig @192.168.36.189 -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y neiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       192.168.0.25

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       192.168.36.189

;; TSIG PSEUDOSECTION:
neiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441020 300 16 XtXO82VDmuWwuFk80zyjcA== 8707 NOERROR 0 

;; Query time: 2 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:05 2015
;; MSG SIZE  rcvd: 165
外网:

$ dig @192.168.36.189 -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y waiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       121.42.81.20

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       121.42.81.53

;; TSIG PSEUDOSECTION:
waiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441069 300 16 BWW92tBf9nezkxK4nQE91Q== 53129 NOERROR 0 

;; Query time: 1 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:53 2015
;; MSG SIZE  rcvd: 165
使用nsupdate添加内外网解析记录,

内网:

www.slimsmart.cn  A  1.1.1.1

$ ./bind/bin/nsupdate -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 1.1.1.1
> send
>quit
外网:

www.slimsmart.cn  A  2.2.2.2

$ ./bind/bin/nsupdate -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 2.2.2.2
> send
> quit

再使用dig查询一下,解析正常。

参考文章:

1.使用bind构建高可用智能dns服务器
