内网主从智能 DNS 从此不再烦恼

随着云原生时代的快速发展，各行各业纷纷进军k8s，短短两三年，招聘上面就要求“至少有一年k8s实战经验”。以至于好多传统的、行业初期用的人非常多的一些技术被飞快的甩在后头。

作者：小姜来源：运维开发故事|2021-11-03 06:57: 收藏

分享

大家好，我是小姜。

写在前面

随着云原生时代的快速发展，各行各业纷纷进军k8s，短短两三年，招聘上面就要求“至少有一年k8s实战经验”。以至于好多传统的、行业初期用的人非常多的一些技术被飞快的甩在后头。亦或者说技术更新迭代层出不穷，老技术会被很快代替，新技术会备受宠爱。而在域名解析领域，大家最熟悉的常用的云解析DNSPod、Godaddy、CloudFlare、阿里云的域名解析等，当然还有dnsmasq、powerdns以及在k8s中用的coreDNS。但是今天我这里就聊聊bind9。

可能目前的中小型公司都不会使用bind9，而且网上你去搜索，大多都是直接使用named服务，不会使用named-chroot。而且更少的是使用acl+view的。要么排版不够好，新手可能看懵逼，配置错误。要么就是没有说的很详细的。当然也有，可能我没有好好花时间搜索或者搜索能力有限。这里我就记录一下bind9使用chroot以及使用acl+view试图实现智能DNS过程。

环境说明

CentOS Linux release 8.4.2105

BIND Version：9.11.26

总网段：172.16.128.0/17

bind9主从所在网段：172.16.0.0/24

Host	IP	Role
named-srv1	172.16.0.55	named master
named-srv2	172.16.0.56	named slave

bind9 master节点部署

/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# 我要启用chroot，并且需要更改named的目录到/data/named/chroot
# 因此需要拷贝文件
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# 创建存放日志的目录
mkdir -p /data/named/chroot/data/log/named/
### 在bind chroot 的目录中创建相关文件
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# 到linux系统的/data/目录下，更改named目录的属主和数组为named
cd /data/
chown named.named -R named

编辑主named.conf文件

$ cat /data/named/chroot/etc/named.conf
acl telecom {
172.17.10.0/24;
};
acl unicom {
172.17.20.0/24;
};
acl mobile {
172.17.30.0/24;
};
options {
listen-on port 53 { 127.0.0.1; 172.16.0.55;};
directory "/var/named";
dump-file "/data/named/data/cache_dump.db";
statistics-file "/data/named/data/named_stats.txt";
memstatistics-file "/data/named/data/named_mem_stats.txt";
// 允许查询的主机；白名单
allow-query { any; };
allow-query-cache { any; };
// 我这里买的是阿里云的ECS服务器，因此这里使用阿里的DNS
forwarders { 223.5.5.5; 223.6.6.6; };
recursive-clients 200000;
check-names master warn;
max-cache-ttl 60;
max-ncache-ttl 0;
//recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
//session-keyfile "/run/named/session.key";
};
logging {
channel query_log {
file "/data/log/named/query.log" versions 10 size 300m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel client_log {
file "/data/log/named/client.log" versions 3 size 200m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel config {
file "/data/log/named/config.log" versions 3 size 100m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel default_log {
file "/data/log/named/default.log" versions 3 size 100m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
channel general_log {
file "/data/log/named/general.log" versions 3 size 200m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
category queries {
query_log;
};
category client {
client_log;
};
category general {
general_log;
};
category config {
config;
};
category default {
default_log;
};
};
view telcom_view {
match-clients { telcom; };
match-destinations { any; };
recursion yes;
include "/etc/named-telcome.zones";
};
view unicom_view {
match-clients { unicom; };
match-destinations { any; };
recursion yes;
include "/etc/named-unicome.zones";
};
view mobile_view {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named-mobile.zones";
};

注意：需要提醒大家的是：第一，启用了named-chroot服务以后，就必须关闭named服务，两者取其一。第二，如果启用了named-chroot，那么目录就都是相对目录，都是相对于/var/named/chroot而言的。

使用acl+view

上面已经定义好了三个acl和三个view。一般来说我们的acl都会放在最开头，也就是options的前面，也建议这样放。

接下来就需要生成三个view下面的include包含进来的区域文件了。这里只演示正向解析区域，一般内网bind9很少需要反向解析。

生成区域文件

$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
type master;
file "ayunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
type master;
file "iyunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
type master;
file "allenjol.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};

生成区域解析库文件

$ cd /var/named/chroot/var
$ vi ayunw.cn.zone
$TTL 86400
@ IN SOA ayunw.cn. root.iyunw.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.ayunw.cn.
IN NS ns2.ayunw.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
www IN A 172.16.0.58
$ vi iyunw.cn.zone
$TTL 86400
@ IN SOA iyunw.cn. root.iyunw.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.iyunw.cn.
IN NS ns2.iyunw.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
web IN A 172.16.0.59
$ vi allenjol.cn.zone
$TTL 86400
@ IN SOA allenjol.cn. root.allenjol.cn. (
202111011 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.allenjol.cn.
IN NS ns2.allenjol.cn.
ns1 IN A 172.16.0.55
ns2 IN A 172.16.0.56
allen IN A 172.16.0.60

启动服务并设置开机自启

/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot

bind9 slave节点部署

/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils
# 我要启用chroot，并且需要更改named的目录到/data/named/chroot
# 因此需要拷贝文件
mkdir -p /data/named
cp -ar /var/named/* /data/named/
# 创建存放日志的目录
mkdir -p /data/named/chroot/data/log/named/
### 在bind chroot 的目录中创建相关文件
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind
# 到linux系统的/data/目录下，更改named目录的属主和数组为named
cd /data/
chown named.named -R named

编辑从named.conf文件

$ cat /data/named/chroot/etc/named.conf
$ cat /data/named/chroot/etc/named.conf
acl telecom {
172.17.10.0/24;
};
acl unicom {
172.17.20.0/24;
};
acl mobile {
172.17.30.0/24;
};
options {
listen-on port 53 { 127.0.0.1; 172.16.0.55;};
directory "/var/named";
dump-file "/data/named/data/cache_dump.db";
statistics-file "/data/named/data/named_stats.txt";
memstatistics-file "/data/named/data/named_mem_stats.txt";
// 允许查询的主机；白名单
allow-query { any; };
allow-query-cache { any; };
// 我这里买的是阿里云的ECS服务器，因此这里使用阿里的DNS
forwarders { 223.5.5.5; 223.6.6.6; };
recursive-clients 200000;
check-names master warn;
max-cache-ttl 60;
max-ncache-ttl 0;
//recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
//session-keyfile "/run/named/session.key";
};
logging {
channel query_log {
file "/data/log/named/query.log" versions 10 size 300m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel client_log {
file "/data/log/named/client.log" versions 3 size 200m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel config {
file "/data/log/named/config.log" versions 3 size 100m;
severity info;
print-category yes;
print-time yes;
print-severity yes;
};
channel default_log {
file "/data/log/named/default.log" versions 3 size 100m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
channel general_log {
file "/data/log/named/general.log" versions 3 size 200m;
severity debug;
print-category yes;
print-time yes;
print-severity yes;
};
category queries {
query_log;
};
category client {
client_log;
};
category general {
general_log;
};
category config {
config;
};
category default {
default_log;
};
};
view telcom_view {
match-clients { telcom; };
match-destinations { any };
recursion yes;
include "/etc/named-telcome.zones";
};
view unicom_view {
match-clients { unicom; };
match-destinations { any; };
recursion yes;
include "/etc/named-unicome.zones";
};
view mobile_view {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named-mobile.zones";
};

生成区域文件

$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
type master;
file "ayunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
type master;
file "iyunw.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};
$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
type master;
file "allenjol.cn.zone";
allow-update { none; };
masterfile-format text;
allow-transfer { 172.16.0.56; };
};

启动服务并设置开机自启

/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot

注意：从节点无需创建区域解析库文件，当主节点重启named-chroot服务的时候会自动同步解析库文件到从节点

测试解析

找了三台机器，内网ip分别为：172.16.10.1、172.16.20.1、172.16.30.1，分别解析www.ayunw.cn、web.iyunw.cn以及allen.allenjol.cn，都是能正常解析的。

$ dig -t A www.ayunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;www.ayunw.cn. IN A
;; ANSWER SECTION:
www.ayunw.cn. 86400 IN A 172.16.0.58
;; AUTHORITY SECTION:
ayunw.cn. 86400 IN NS ns2.ayunw.cn.
ayunw.cn. 86400 IN NS ns1.ayunw.cn.
;; ADDITIONAL SECTION:
ns1.ayunw.cn. 86400 IN A 172.16.0.55
ns2.ayunw.cn. 86400 IN A 172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE rcvd: 161
$ dig -t A web.iyunw.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn. IN A
;; ANSWER SECTION:
web.iyunw.cn. 86400 IN A 172.16.0.59
;; AUTHORITY SECTION:
iyunw.cn. 86400 IN NS ns2.iyunw.cn.
iyunw.cn. 86400 IN NS ns1.iyunw.cn.
;; ADDITIONAL SECTION:
ns1.iyunw.cn. 86400 IN A 172.16.0.55
ns2.iyunw.cn. 86400 IN A 172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE rcvd: 161
$ dig -t A allen.allenjol.cn
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn. IN A
;; ANSWER SECTION:
allen.allenjol.cn. 86400 IN A 172.16.0.60
;; AUTHORITY SECTION:
allenjol.cn. 86400 IN NS ns2.allenjol.cn.
allenjol.cn. 86400 IN NS ns1.allenjol.cn.
;; ADDITIONAL SECTION:
ns1.allenjol.cn. 86400 IN A 172.16.0.55
ns2.allenjol.cn. 86400 IN A 172.16.0.56
;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE rcvd: 161

如果你有足够的机器，那么你换一台不在172.16.10.0/24、172.16.20.0/24、172.16.30.0/24这三个网段的机器，然后去任意解析这三个zone文件中的域名，你会发现最终都是没有正常的A记录返回的。

或者如果你用172.16.10.1去解析web.iyunw.cn或者是allen.allenjol.cn，那么就无法正常解析了。这就是acl+view实现的智能DNS的效果。

内网主从智能 DNS 从此不再烦恼
2021-11-03 运维开发故事

内网主从智能 DNS 从此不再烦恼

写在前面