Bind9 master/slave with real-time sync from Alibaba Cloud PrivateZone

  1. Node planning
  2. Installing the service
  3. Master DNS server configuration
  4. Slave DNS server configuration
  5. Client verification

1. Node planning

Role     IP             Service and version   Configuration files
Master   192.168.1.250  bind 9.11.4           /etc/named.conf, /etc/named.rfc1912.zones
Slave    192.168.1.251  bind 9.11.4           /etc/named.conf, /etc/named.rfc1912.zones
Client   192.168.1.5    bind-utils

2. Installing the service

Both the master and the slave install the bind package with yum; the service is run by the named daemon.

yum install -y bind
systemctl enable --now named

Disable IPv6 transport so that named does not keep logging "network unreachable resolving" errors on hosts without IPv6 connectivity:

echo 'OPTIONS="-4"' >> /etc/sysconfig/named
systemctl restart named

The main configuration file /etc/named.conf includes /etc/named.rfc1912.zones, which is where the zone declarations below are added.
Zone files normally live under /var/named (the directory set by the directory option in named.conf); zone file names in the declarations are relative to it.

3. Master DNS server configuration

  1. Add a forward zone in /etc/named.rfc1912.zones, type master

    This declares an authoritative forward zone: every query for a name under xuhandsome.org is answered from it, and it is the zone that Alibaba Cloud PrivateZone is synced into below. allow-update makes the zone dynamic, which is why the sync script later has to freeze and thaw it before and after rewriting the file.

cat <<EOF>> /etc/named.rfc1912.zones
zone "xuhandsome.org" IN {
        type master;
        // relative to the directory option, i.e. /var/named/xuhandsome.org.zone
        file "xuhandsome.org.zone";
        // dynamic updates only from localhost; note this is unauthenticated, so any
        // local user who can run nsupdate can change the zone
        allow-update { 127.0.0.1; };
        // only the slave may pull the zone with AXFR/IXFR
        allow-transfer { 192.168.1.251; };
        // send NOTIFY when the serial changes so the slave transfers at once
        notify yes;
        also-notify { 192.168.1.251; };
};
EOF
  2. Main configuration file /etc/named.conf
options {
        // listen on loopback and the internal IP, port 53
        listen-on port 53 { 127.0.0.1;192.168.1.250; };
        ...
        // answer queries from any host (can be narrowed to specific networks; if
        // recursion stays enabled, restrict allow-recursion to internal networks as well)
        allow-query     { any; };
        ...
        // maximum simultaneous TCP clients; BIND 9.11 defaults to 150, size it from real usage
        tcp-clients 50;
        // log every query
        querylog yes;
};
...
// logging, in preparation for shipping the logs to ELK later
logging {
        // query log; the absolute path is /var/named/data/query.log
        channel query_log {
                file "data/query.log" versions 5 size 100m;
                print-time yes;
                severity info;
        };
        channel query_syslog {
                syslog local0;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
        category queries { query_log;query_syslog; };

        // query error log
        channel query-errors_log {
                file "data/query_error.log" versions 10 size 100m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 2;
        };
        category query-errors { query-errors_log; };

        // everything else, at info and above
        channel general_log {
                file "data/access.log" versions 5 size 100m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };
        category default  { general_log; };
        category general  { general_log; };

        // NOTIFY traffic to and from the slave
        channel notify_log {
                file "data/notify.log" versions 2 size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity dynamic;
        };
        category notify { notify_log; };
};
...
// statistics channel for monitoring, to be scraped by bind9-exporter + prometheus later;
// bound to loopback only, since the statistics are unauthenticated
statistics-channels {
  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
  3. Install the Alibaba Cloud PrivateZone sync tool

    For further usage see the Alibaba Cloud article "How to sync PrivateZone to a self-hosted DNS".

cd /opt
wget -O tools.zip -c "https://dns-tool.oss-cn-beijing.aliyuncs.com/pvzone-sync-record/tools.zip?spm=a2c4g.11186623.0.0.146e6fddvxwgz8&file=tools.zip"
unzip -q tools.zip
chmod +x /opt/release/Zone_file_sync
cp /opt/release/Zone_file_sync /usr/bin/Zone_file_sync
# The tool reads an AccessKey and the zone list from a JSON config. Use a RAM user whose
# policy is limited to PrivateZone read access rather than the account's primary key.
cat >/root/.bind9_sync_privatezone_config.json << 'EOF'
{
  "accessKeyId": "xxxxxxx",
  "accessKeySecret": "xxxxxxx",
  "zone": [
    {
      "zoneName": "xuhandsome.org",
      "zoneId": "52ac2clex4c6175e7a906b1f2a6i3917",
      "filePath": "/var/named/xuhandsome.org.zone"
    }
  ]
}
EOF

# the file holds a cloud credential in clear text: readable by root only
chmod 400 /root/.bind9_sync_privatezone_config.json
  4. Write the real-time sync script
# Endless loop, one sync every 10s. The zone is dynamic (allow-update), so it must be
# frozen before its file is rewritten: freeze flushes the journal and blocks updates,
# thaw reloads the zone from disk (a separate rndc reload is not needed) and sends
# NOTIFY to the slave when the SOA serial has increased; the slave transfers only then.
mkdir -p /app/scripts
cat >/app/scripts/sync_privatezone.sh << 'EOF'
#!/bin/bash
ZONE=xuhandsome.org
CONF=/root/.bind9_sync_privatezone_config.json
while true; do
    if /usr/sbin/rndc freeze "$ZONE"; then
        /usr/bin/Zone_file_sync -c "$CONF" || echo "Zone_file_sync failed for $ZONE" >&2
        /usr/sbin/rndc thaw "$ZONE"   # always thaw, even when the sync failed
    else
        echo "rndc freeze $ZONE failed" >&2
    fi
    sleep 10
done
EOF

chmod +x /app/scripts/sync_privatezone.sh
  5. Add a systemd service sync_privatezone.service to keep the sync running
cat >/etc/systemd/system/sync_privatezone.service <<EOF
[Unit]
Description=Auto Sync Zone Configure From PrivateZone
Wants=network-online.target
# the script drives named through rndc, so start after named and stop when it stops
After=network-online.target named.service
Requires=named.service

[Service]
Type=simple
ExecStart=/app/scripts/sync_privatezone.sh
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now sync_privatezone
systemctl status sync_privatezone
  6. Check the synced zone file

    The zone has been pulled down (its contents are sensitive, so no screenshot):

wc -l /var/named/xuhandsome.org.zone
32 /var/named/xuhandsome.org.zone
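The loop above runs blind: if PrivateZone ever returns a file that does not parse, the next thaw cannot load it and the broken copy stays on disk, and nothing checks whether the SOA serial actually moved forward (the slave transfers only when it does). The script below is an added example, not the page's script and not part of the Alibaba Cloud tool: it wraps the same freeze / Zone_file_sync / thaw cycle with a backup, a named-checkzone validation and an RFC 1982 serial comparison, and rolls the zone file back when validation fails. The paths of rndc, named-checkzone and Zone_file_sync, the zone name and the RUN_SYNC_LOOP switch are assumptions made here so that the helpers can be exercised without a running named.

```shell
#!/bin/bash
# Hardened sync cycle for the BIND master zone (added example):
#   backup -> rndc freeze -> Zone_file_sync -> named-checkzone -> rndc thaw,
# restoring the backup if the downloaded file does not validate.
# Tool paths are overridable (assumption) so the functions can run without named.
set -u
RNDC=${RNDC:-/usr/sbin/rndc}
CHECKZONE=${CHECKZONE:-/usr/sbin/named-checkzone}
SYNC_TOOL=${SYNC_TOOL:-/usr/bin/Zone_file_sync}

# soa_serial FILE: print the SOA serial of a zone file in master-file format.
# Handles a one-line SOA and the usual multi-line "( ... )" form; assumes the
# serial is the third field after the SOA keyword (MNAME RNAME SERIAL) and that
# ';' only introduces comments.
soa_serial() {
    awk '
        function emit(s,   n, f, i) {
            gsub(/[()]/, " ", s); n = split(s, f)
            for (i = 1; i <= n; i++) if (f[i] == "SOA") { print f[i+3]; exit }
        }
        { sub(/;.*/, "") }                                  # strip comments
        inpar { buf = buf " " $0; if ($0 ~ /\)/) { inpar = 0; emit(buf) }; next }
        /[ \t]SOA[ \t]/ {
            buf = $0
            if ($0 ~ /\(/ && $0 !~ /\)/) { inpar = 1; next }   # continues on later lines
            emit(buf)
        }
    ' "$1"
}

# serial_advanced OLD NEW: RFC 1982 serial arithmetic (32-bit wraparound aware).
# Returns 0 when NEW is newer than OLD, i.e. the slave will transfer the zone.
serial_advanced() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    local d=$(( ($2 - $1) & 0xFFFFFFFF ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# sync_cycle ZONE ZONEFILE CONFIG: one freeze/sync/validate/thaw round.
# Exit status: 0 = zone updated and serial advanced, 1 = nothing new,
# 2 = sync or validation failed and the backup was restored, 3 = rndc failed.
sync_cycle() {
    local zone=$1 zonefile=$2 conf=$3
    local backup="$zonefile.bak" old new rc=1
    cp -p "$zonefile" "$backup" || return 3
    old=$(soa_serial "$zonefile")
    "$RNDC" freeze "$zone" || return 3          # flush journal, block dynamic updates
    if "$SYNC_TOOL" -c "$conf" && "$CHECKZONE" "$zone" "$zonefile" >/dev/null; then
        new=$(soa_serial "$zonefile")
        if serial_advanced "$old" "$new"; then
            rc=0
        elif [ "$new" != "$old" ]; then
            echo "warning: serial went backwards ($old -> $new); the slave will not transfer" >&2
        fi
    else
        echo "sync or validation failed; restoring $backup" >&2
        cp -p "$backup" "$zonefile"
        rc=2
    fi
    "$RNDC" thaw "$zone" || return 3            # reload from disk, NOTIFY the slave
    return $rc
}

# sync_loop: poll every INTERVAL seconds; run with RUN_SYNC_LOOP=1 from the unit file.
sync_loop() {
    local zone=${ZONE:-xuhandsome.org}
    local zonefile=${ZONEFILE:-/var/named/$zone.zone}
    local conf=${CONF:-/root/.bind9_sync_privatezone_config.json}
    while true; do
        sync_cycle "$zone" "$zonefile" "$conf"
        sleep "${INTERVAL:-10}"
    done
}

if [ "${RUN_SYNC_LOOP:-0}" = 1 ]; then
    sync_loop
fi
```

To use it as the ExecStart of the unit above, run it with RUN_SYNC_LOOP=1 in the environment; the exit codes of sync_cycle are what to alert on in the journal, since a status of 2 means PrivateZone is serving something the master refused to load.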

4. Slave DNS server configuration

  1. Add the forward zone in /etc/named.rfc1912.zones, type slave
cat <<EOF>> /etc/named.rfc1912.zones
zone "xuhandsome.org" IN {
        type slave;
        // the transferred copy, written under /var/named/slaves
        file "slaves/xuhandsome.org.zone";
        masters { 192.168.1.250; };
        // BIND 9.11 allows zone transfers to any host by default; the master
        // already limits AXFR to the slave, and the slave should hand the zone to nobody
        allow-transfer { none; };
};
EOF
  2. Main configuration file /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1;192.168.1.251; };
        ...
        allow-query     { any; };
        ...
        // store transferred zones as text instead of the raw binary default,
        // so the slave's copy of the zone file stays human-readable
        masterfile-format    text;
        ...
        tcp-clients 50;
        ...
};
statistics-channels {
  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
  3. Start the transfer
named-checkconf /etc/named.conf ## check the configuration syntax
/usr/sbin/rndc reload  ## reload the configuration; named then transfers the new zone from the master
ls -l /var/named/slaves/xuhandsome.org.zone

5. Client verification

  1. In Alibaba Cloud PrivateZone, add an A record ops.xuhandsome.org under xuhandsome.org pointing to 192.168.1.21.
  2. On the client, resolve ops.xuhandsome.org with nslookup, pointing it first at the master and then at the slave built above:

    nslookup domain DNSServer

# resolve via the master DNS server
nslookup ops.xuhandsome.org 192.168.1.250
Server:		192.168.1.250
Address:	192.168.1.250#53

Name:	ops.xuhandsome.org
Address: 192.168.1.21

# resolve via the slave DNS server
nslookup ops.xuhandsome.org 192.168.1.251
Server:		192.168.1.251
Address:	192.168.1.251#53

Name:	ops.xuhandsome.org
Address: 192.168.1.21
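The nslookup answers above only show that both servers respond. Two further checks a practitioner wants from the client are whether the slave is actually current (it serves the master's SOA serial; it lags until the serial on the master increases) and whether either server will hand the whole zone to an arbitrary client over AXFR. The script below is an added example and not part of the original post; it assumes dig from bind-utils on the client, the addresses from the node plan and a RUN_CHECKS switch, and its parsing helpers take dig output as arguments so they can be exercised without a server.

```shell
#!/bin/bash
# Client-side replication and AXFR exposure checks (added example).
# MASTER, SLAVE, ZONE and the RUN_CHECKS switch are assumptions made here.
MASTER=${MASTER:-192.168.1.250}
SLAVE=${SLAVE:-192.168.1.251}
ZONE=${ZONE:-xuhandsome.org}

# serial_from_soa "<dig +short SOA output>": "MNAME RNAME SERIAL ..." -> SERIAL
serial_from_soa() {
    set -- $1          # deliberate word splitting of the one-line SOA answer
    echo "$3"
}

# serials_consistent MASTER_SERIAL SLAVE_SERIAL: true when the slave has transferred
# the latest zone; an empty serial means the query itself failed.
serials_consistent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# axfr_refused "<dig AXFR output>": dig prints "; Transfer failed." when the server
# answers REFUSED; output containing zone records means the transfer succeeded.
axfr_refused() {
    case "$1" in
        *"Transfer failed."*) return 0 ;;
    esac
    return 1
}

# check_replication: compare the SOA serial served by master and slave.
check_replication() {
    local ms ss
    ms=$(serial_from_soa "$(dig +short "@$MASTER" "$ZONE" SOA)")
    ss=$(serial_from_soa "$(dig +short "@$SLAVE" "$ZONE" SOA)")
    if serials_consistent "$ms" "$ss"; then
        echo "OK: master and slave both serve serial $ms"
    else
        echo "MISMATCH: master=$ms slave=$ss (the slave transfers only when the serial increases)" >&2
        return 1
    fi
}

# check_axfr_exposure: this client is neither master nor slave, so both servers
# must refuse a full zone transfer to it.
check_axfr_exposure() {
    local srv rc=0
    for srv in "$MASTER" "$SLAVE"; do
        if axfr_refused "$(dig "@$srv" "$ZONE" AXFR 2>&1)"; then
            echo "OK: $srv refuses AXFR from this client"
        else
            echo "EXPOSED: $srv handed out the whole zone to this client; tighten allow-transfer" >&2
            rc=1
        fi
    done
    return $rc
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_replication && check_axfr_exposure
fi
```

Run it as RUN_CHECKS=1 ./check_dns.sh from 192.168.1.5; with the allow-transfer settings above, the master refuses because the client is not 192.168.1.251 and the slave refuses everyone, so an EXPOSED line means one of those directives was lost.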

Please credit the source when reposting. Checking the references cited in this article is welcome, as is pointing out any error or unclear wording; email chinaops666@gmail.com