To improve DNS availability, the deployment uses one master and several slaves: the slaves serve resolution (reads) while the master handles zone updates (writes). To give internal and external clients different answers, BIND's ACL + view mechanism provides split-horizon ("smart") resolution.
I. Environment
For convenience we set up one master and one slave; every additional slave is configured the same way.
Master: 192.168.36.54 (external: 121.42.81.52)
Slave: 192.168.36.189 (external: 121.42.81.53)
The company's domain resolves differently on the internal and external networks.
Domain (slimsmart.cn):
Host                 Internal address   External address
mail.slimsmart.cn    192.168.0.25       121.42.81.20
ftp.slimsmart.cn     192.168.0.21       121.42.81.21
II. Installing BIND
See: http://blog.csdn.net/zhu_tianwei/article/details/45045431
III. Configuration
1. Generate the internal and external TSIG keys
vi /etc/keys.conf
key "neiwang_key" {
    algorithm hmac-md5;
    secret "XvbglfmP8aZ20CLEP5NL+w==";
};
key "waiwang_key" {
    algorithm hmac-md5;
    secret "6Ube2jTRIPxuIBlL5rCg5Q==";
};
For how to generate the secrets, see the dnssec-keygen command. Two caveats: hmac-md5 is shown here because that is what this setup used, but on any BIND that supports it hmac-sha256 is the algorithm to use; and the secrets are shared credentials, so the file should be readable only by the user named runs as, the same file must be copied unchanged to every slave, and the sample values printed above must never be reused.
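As an added example (my own, not from the original post and not BIND's tool), the shell functions below generate the key clauses for /etc/keys.conf from /dev/urandom and base64, sizing the secret to the HMAC output (32 bytes for hmac-sha256, the algorithm to prefer over hmac-md5). BIND ships tsig-keygen for the same purpose (tsig-keygen -a hmac-sha256 neiwang_key) and emits the same clause format. The key names are the post's; the output path and algorithm are parameters, which is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build TSIG "key" clauses for
# /etc/keys.conf with only /dev/urandom, dd and base64.  BIND's tsig-keygen
# does the same job; this shows what a correctly sized secret looks like.

# secret_bytes ALGORITHM -> random bytes to use (the HMAC's output size),
# or status 1 for an algorithm we do not want to hand out.
secret_bytes() {
    case $1 in
        hmac-md5)    echo 16 ;;   # the post's choice; accepted by BIND, deprecated
        hmac-sha1)   echo 20 ;;
        hmac-sha256) echo 32 ;;
        hmac-sha512) echo 64 ;;
        *) echo "unsupported TSIG algorithm: $1" >&2; return 1 ;;
    esac
}

# random_secret NBYTES -> base64 of NBYTES bytes from the kernel CSPRNG
random_secret() {
    dd if=/dev/urandom bs="$1" count=1 2>/dev/null | base64 | tr -d '\n'
}

# tsig_key_clause NAME ALGORITHM -> one named.conf "key" statement on stdout
tsig_key_clause() {
    n=$(secret_bytes "$2") || return 1
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' \
        "$1" "$2" "$(random_secret "$n")"
}

# write_keys_conf FILE ALGORITHM NAME... -> one clause per name; the file is
# created with a restrictive umask and left at 0640 (named reads it, nobody
# else needs to).  Copy the finished file unchanged to every slave.
write_keys_conf() {
    f=$1; alg=$2; shift 2
    ( umask 077; : > "$f" ) || return 1
    for name in "$@"; do
        tsig_key_clause "$name" "$alg" >> "$f" || return 1
    done
    chmod 640 "$f"
}

# secret_length FILE NAME -> length of the base64 secret stored for key NAME.
# Quick sanity check: hmac-sha256 secrets are 44 characters, hmac-md5 ones 24
# (the post's "XvbglfmP8aZ20CLEP5NL+w==" is 24, i.e. 16 bytes).
secret_length() {
    awk -v k="\"$2\"" '
        $1 == "key" && $2 == k { inkey = 1 }
        inkey && $1 == "secret" { gsub(/[";]/, "", $2); print length($2); exit }
    ' "$1"
}
```

Usage on the master: write_keys_conf /etc/keys.conf hmac-sha256 neiwang_key waiwang_key, then copy the file to each slave and keep the include "/etc/keys.conf"; line in named.conf. Both servers must reference the same algorithm in their server and allow-transfer statements, so regenerate keys on one side only and distribute the file.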
2. Master server
vi /etc/named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "GfdVJ8ppCKJiCejNVq3xkQ==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { 192.168.36.54; };
    version "slim-dns3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion no;
    allow-query { any; };
    allow-query-cache { any; };
    allow-new-zones yes;
};
logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel query_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; };
    channel xfer_in_log {
        file "/var/named/log/xfer_in.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel xfer_out_log {
        file "/var/named/log/xfer_out.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category xfer-in { xfer_in_log; };
    category xfer-out { xfer_out_log; };
};
include "/etc/keys.conf";
acl "lan" {
    10.0.0.0/8;
    172.16.0.0/12;
    #192.168.0.0/16;
};
view "neiwang" {
    match-clients { key neiwang_key; lan; 127.0.0.1; };
    server 192.168.36.189 { keys neiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        allow-transfer { 192.168.36.189; key neiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/neiwang/slimsmart.cn.zone";
        allow-update { any; };
    };
};
view "waiwang" {
    match-clients { key waiwang_key; any; };
    server 192.168.36.189 { keys waiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type master;
        allow-transfer { 192.168.36.189; key waiwang_key; };
        notify yes;
        also-notify { 192.168.36.189; };
        file "zone/waiwang/slimsmart.cn.zone";
        allow-update { any; };
    };
};
The master does not answer client queries itself, so recursion is turned off: recursion no;
The server statement for 192.168.36.189 in each view makes the master sign its NOTIFY messages to the slave with that view's key, which is how the slave knows which of its own views the notification belongs to.
Because zones and resource records are added dynamically (allow-new-zones yes; and allow-update), acl "lan" deliberately leaves out the network the two servers sit on (192.168.0.0/16). match-clients is evaluated element by element and the first match wins, so a request signed with waiwang_key but sent from an address inside lan would be put into the neiwang view by its address before its key was considered. With the servers' own network excluded, requests from 192.168.36.x are classified by TSIG key alone. You can also exclude a single address with !, but the negated element must come before the network that contains it; otherwise the broader element matches first and the exclusion never takes effect:
acl "lan" { !192.168.36.100; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
The zones accept updates with allow-update { any; }; and, since the servers' own addresses are excluded from lan, the view that receives an update is selected by its TSIG key. Bear in mind that any; also lets unsigned updates through: every lan address can write the internal zone and every other address the external one. Tying the permission to the key (allow-update { key neiwang_key; }; in the neiwang view and allow-update { key waiwang_key; }; in the waiwang view) limits writes to holders of the matching secret.
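To make the evaluation order above concrete, here is an added example (my own, not code from the post or from BIND) that simulates BIND's first-match rules for ACLs and match-clients in POSIX sh and awk. It reproduces the post's acl "lan" and both views' match-clients lists; key:NAME stands for BIND's key NAME; element and any for any;. It handles IPv4 only and never talks to named; the element-list notation is this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: simulate how BIND picks a view.
# Definitions mirror the post's named.conf (key names, acl "lan", view order).

# ip_to_int 192.168.36.100 -> 3232244836
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# in_cidr ADDR NET/BITS (a bare address counts as /32) -> status 0 if inside
in_cidr() {
    a=$(ip_to_int "$1")
    n=$(ip_to_int "${2%/*}")
    b=${2#*/}
    [ "$b" = "$2" ] && b=32
    awk -v a="$a" -v n="$n" -v b="$b" 'BEGIN {
        size = 2 ^ (32 - b)
        base = n - (n % size)
        exit !(a >= base && a < base + size)
    }'
}

# acl_match ADDR KEYNAME ELEMENT... -> prints allow, deny or none.
# BIND semantics: elements are tried in order and the FIRST one that matches
# decides; a matching "!" element means deny; no match at all means none.
acl_match() {
    addr=$1; key=$2; shift 2
    for elem in "$@"; do
        neg=0
        case $elem in '!'*) neg=1; elem=${elem#"!"} ;; esac
        hit=0
        case $elem in
            any)   hit=1 ;;
            key:*) [ "${elem#key:}" = "$key" ] && hit=1 ;;
            *)     in_cidr "$addr" "$elem" && hit=1 ;;
        esac
        if [ "$hit" = 1 ]; then
            if [ "$neg" = 1 ]; then echo deny; else echo allow; fi
            return 0
        fi
    done
    echo none
}

# The post's acl "lan" (192.168.0.0/16 deliberately left out) and the two
# views' match-clients, flattened into element lists; views are tried in the
# order they appear in named.conf.
LAN="10.0.0.0/8 172.16.0.0/12"
VIEW_neiwang="key:neiwang_key $LAN 127.0.0.1"
VIEW_waiwang="key:waiwang_key any"
VIEW_ORDER="neiwang waiwang"

# select_view ADDR KEYNAME -> the view that would answer (KEYNAME empty for an
# unsigned request); prints none and returns 1 if no view matches
select_view() {
    for v in $VIEW_ORDER; do
        eval "elems=\$VIEW_$v"
        if [ "$(acl_match "$1" "$2" $elems)" = allow ]; then
            echo "$v"; return 0
        fi
    done
    echo none; return 1
}

# Two ways of writing a "!" exclusion: only the one that puts the negated
# element BEFORE the enclosing network actually excludes the host.
LAN_EXCL_LAST="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 !192.168.36.100"
LAN_EXCL_FIRST="!192.168.36.100 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Demo: which view does each request land in?
for probe in "10.1.2.3:" "8.8.8.8:" "192.168.36.100:neiwang_key" "192.168.36.100:waiwang_key"; do
    ip=${probe%%:*}; k=${probe#*:}
    printf '%-15s key=%-12s -> view %s\n' "$ip" "${k:-(none)}" "$(select_view "$ip" "$k")"
done
printf '192.168.36.100 vs "!" last : %s\n' "$(acl_match 192.168.36.100 '' $LAN_EXCL_LAST)"
printf '192.168.36.100 vs "!" first: %s\n' "$(acl_match 192.168.36.100 '' $LAN_EXCL_FIRST)"
# And why 192.168.0.0/16 must stay out of lan: with it present, an update
# signed with waiwang_key from 192.168.36.100 is captured by the internal view.
saved=$VIEW_neiwang
VIEW_neiwang="key:neiwang_key $LAN 192.168.0.0/16 127.0.0.1"
printf 'with 192.168.0.0/16 in lan, 192.168.36.100 + waiwang_key -> view %s\n' \
    "$(select_view 192.168.36.100 waiwang_key)"
VIEW_neiwang=$saved
```

The same ordering rule applies to every address match list in named.conf (allow-query, allow-transfer, allow-update), so a !host entry anywhere must precede the prefix that would otherwise include it.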
vi /var/named/zone/neiwang/slimsmart.cn.zone
$TTL 86400
@       IN  SOA  slimsmart.cn. admin.slimsmart.cn. (
                 1      ; serial
                 3H     ; refresh
                 15M    ; retry
                 1W     ; expiry
                 1D )   ; minimum
        IN  NS   ns.slimsmart.cn.
ns      IN  A    192.168.36.189
mail    IN  A    192.168.0.25
ftp     IN  A    192.168.0.21
vi /var/named/zone/waiwang/slimsmart.cn.zone
$TTL 86400
@       IN  SOA  slimsmart.cn. admin.slimsmart.cn. (
                 1      ; serial
                 3H     ; refresh
                 15M    ; retry
                 1W     ; expiry
                 1D )   ; minimum
        IN  NS   ns.slimsmart.cn.
ns      IN  A    121.42.81.53
mail    IN  A    121.42.81.20
ftp     IN  A    121.42.81.21
Both files carry the same zone name and start at serial 1; because the zones accept dynamic updates, named keeps a journal (.jnl) next to each file and raises the serial itself on every update, so the directory must be writable by the user named runs as.
3. Slave server
Copy /etc/keys.conf to the slave server.
vi /etc/named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "6Kb4sKpIUJq5i4ozE2AXzQ==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { 192.168.36.189; };
    version "slim-dns 3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { none; };
};
logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel query_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; };
    channel xfer_in_log {
        file "/var/named/log/xfer_in.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel xfer_out_log {
        file "/var/named/log/xfer_out.log" versions 100 size 10m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category xfer-in { xfer_in_log; };
    category xfer-out { xfer_out_log; };
};
include "/etc/keys.conf";
acl "lan" {
    10.0.0.0/8;
    172.16.0.0/12;
    #192.168.0.0/16;
};
view "neiwang" {
    match-clients { key neiwang_key; lan; 127.0.0.1; };
    server 192.168.36.54 { keys neiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type slave;
        masters { 192.168.36.54; };
        file "zone/neiwang/slimsmart.cn.zone";
    };
};
view "waiwang" {
    match-clients { key waiwang_key; any; };
    server 192.168.36.54 { keys waiwang_key; };
    zone "." in {
        type hint;
        file "named.root";
    };
    zone "localhost" in {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "localhost.rev";
        allow-update { none; };
    };
    zone "slimsmart.cn" IN {
        type slave;
        masters { 192.168.36.54; };
        file "zone/waiwang/slimsmart.cn.zone";
    };
};
Here the server statement for 192.168.36.54 makes the slave sign its SOA refresh and zone-transfer requests with the view's key, so the master hands back the zone of the matching view; allow-transfer { none; }; stops the slave from handing either copy on to anyone else.
One thing to watch: with recursion yes; and allow-query-cache { any; }; in options and no allow-recursion, BIND derives allow-recursion from allow-query-cache, so the waiwang view (match-clients any) answers recursive queries for every client that can reach the server, which is an open resolver. Keep recursion for internal clients only, for example recursion yes; allow-recursion { lan; }; inside view "neiwang" and recursion no; inside view "waiwang".
Create the zone directories: mkdir -p /var/named/zone/{neiwang,waiwang}
They must be writable by the user named runs as (the slave writes the transferred zone files there, the master its update journals), and since named is started chrooted below, the paths live under the chroot directory.
IV. Starting the service
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf -g
-u slim drops privileges to the slim user and -t chroots named into /home/slim/chroot/, so /etc/named.conf and every path inside it are resolved relative to that directory. -g keeps named in the foreground with all logging on stderr, which is convenient for watching the log while testing; run without it once the configuration is verified.
V. Testing
Use dig with a TSIG key (-y) to query the data of the matching view.
Internal:
$ dig @192.168.36.189 -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y neiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       192.168.0.25

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       192.168.36.189

;; TSIG PSEUDOSECTION:
neiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441020 300 16 XtXO82VDmuWwuFk80zyjcA== 8707 NOERROR 0

;; Query time: 2 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:05 2015
;; MSG SIZE  rcvd: 165
External:
$ dig @192.168.36.189 -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q== mail.slimsmart.cn A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> @192.168.36.189 -y waiwang_key mail.slimsmart.cn A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.slimsmart.cn.             IN      A

;; ANSWER SECTION:
mail.slimsmart.cn.      86400   IN      A       121.42.81.20

;; AUTHORITY SECTION:
slimsmart.cn.           86400   IN      NS      ns.slimsmart.cn.

;; ADDITIONAL SECTION:
ns.slimsmart.cn.        86400   IN      A       121.42.81.53

;; TSIG PSEUDOSECTION:
waiwang_key.            0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1429441069 300 16 BWW92tBf9nezkxK4nQE91Q== 53129 NOERROR 0

;; Query time: 1 msec
;; SERVER: 192.168.36.189#53(192.168.36.189)
;; WHEN: Sun Apr 19 03:57:53 2015
;; MSG SIZE  rcvd: 165
The TSIG pseudosection shows that the slave signed each reply with the key it received, and the aa flag that it answered from its own copy of the zone. Both replies also carry the ra flag: the slave advertises recursion to the external view as well, so check that this is what you want.
Use nsupdate, signed with the view's key, to add an internal and an external record for the same name. The update goes to the master (192.168.36.54); the master raises the zone serial and sends a NOTIFY to the slave, signed with the same key through its server statement, so the slave refreshes the matching view.
Internal: www.slimsmart.cn A 1.1.1.1
$ ./bind/bin/nsupdate -y neiwang_key:XvbglfmP8aZ20CLEP5NL+w==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 1.1.1.1
> send
> quit
External: www.slimsmart.cn A 2.2.2.2
$ ./bind/bin/nsupdate -y waiwang_key:6Ube2jTRIPxuIBlL5rCg5Q==
> server 192.168.36.54
> zone slimsmart.cn
> update add www.slimsmart.cn 6000 A 2.2.2.2
> send
> quit
Query again with dig (signed with each key, against the slave as above): both views now resolve www.slimsmart.cn correctly, each with its own address.