WEB架构之DNS-智能DNS(02)

第1章 智能DNS部署

1.1 通过DNS实现服务的负载均衡

  • 仅主DNS服务器上操作:
[root@linux-node1 ~]# vim /var/named/leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070904      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     10.10.10.101
www     A     10.10.10.102
web     CNAME www
test    A     10.10.10.100

[root@linux-node1 ~]# rndc reload
  • 从服务器上进行验证:
[root@linux-node1 ~]# host www.leonshadow.com 10.10.10.102
Using domain server:
Name: 10.10.10.102
Address: 10.10.10.102#53
Aliases:

www.leonshadow.com has address 10.10.10.102
www.leonshadow.com has address 10.10.10.101

备注:通过DNS负载均衡的时候无法动态感知后端服务状态是否正常,若后端服务出现问题的时候需要手动从zone文件中删除记录,所以生产环境不建议使用此功能。

1.2 配置DNS视图(智能DNS)

1.2.1 单机智能DNS部署

1.2.1.1 编辑DNS服务器的/etc/named.conf:

[root@linux-node1 ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5;1.1.1.1; };
 
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
         channel warning {
                 file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
                 severity warning;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         channel general_dns {
                 file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
                 severity info;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         category default {
                 warning;
         };

         category queries {
                 general_dns;
         };
};

# 添加两条acl规则,此规则的意思是当10.10.10.101向DNS发起请求的时候返回beijing-idc4的IP
# 当10.10.10.102向DNS发起请求的时候返回shanghai-idc5的IP
acl beijing-idc4 {
        # 生产环境中需将符合此规则的所有IP段添加进去
        # 如联通的规则则将所有联通的IP段添加到此规则中
        10.10.10.101;  
};
acl shanghai-idc5 {
        10.10.10.102;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.2.1.2 编辑DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
view "beijing" {
        match-clients { beijing-idc4; };
        zone "leonshadow.com" IN {
                type master;
                file "beijing-idc4.leonshadow.com.zone";
        };
};

view "shanghai" {
        match-clients { shanghai-idc5; };
        zone "leonshadow.com" IN {
                type master;
                file "shanghai-idc5.leonshadow.com.zone";
        };
};

1.2.1.3 编写DNS服务器上的zone文件:

[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     192.168.10.101

[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     172.16.1.101

[root@linux-node1 ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone

1.2.1.4 重启DNS服务器服务:

[root@linux-node1 ~]# systemctl restart named

1.2.1.5 测试运行结果:

[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 15:42:02 CST 2020
;; MSG SIZE  rcvd: 97

[root@linux-node2 slaves]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 1 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 15:42:11 CST 2020
;; MSG SIZE  rcvd: 97

1.2.2 主从智能DNS部署

1.2.2.1 编辑主和从DNS服务器的/etc/named.conf:

[root@linux-node ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5;1.1.1.1; };
 
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

# 匹配beijing-idc4的Key
key "beijing-idc4-key" {
        algorithm hmac-md5;
        secret "C0ROpZURBTYZ4NhQV4eJfg==";
};
# 匹配shanghai-idc5的Key
key "shanghai-idc5-key" {
        algorithm hmac-md5;
        secret "K5rpsP8utfX7K3Q38WYPxw==";
};
# 不匹配以上两个ked的时候匹配此Key,此处有错误,待修正
key "any-key" {
        algorithm hmac-md5;
        secret "fxe5wmufv275rD029312og==";
};

logging {
         channel warning {
                 file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
                 severity warning;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         channel general_dns {
                 file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
                 severity info;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         category default {
                 warning;
         };

         category queries {
                 general_dns;
         };
};

acl beijing-idc4 {
        10.10.10.101;
};

acl shanghai-idc5 {
        10.10.10.102;
};

acl any {
        *;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.2.2.2 编辑主DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
view "beijing" {
        match-clients { key beijing-idc4-key; beijing-idc4; };
        allow-transfer { key beijing-idc4-key; };
        server 10.10.10.102 {keys beijing-idc4-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "beijing-idc4.leonshadow.com.zone";
        };
};

view "shanghai" {
        match-clients { key shanghai-idc5-key; shanghai-idc5; };
        allow-transfer { key shanghai-idc5-key; };
        server 10.10.10.102 {keys shanghai-idc5-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "shanghai-idc5.leonshadow.com.zone";
        };
};

view "any" {
        match-clients { key any-key; any; };
        allow-transfer { key any-key; };
        server 10.10.10.102 { keys any-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "any.leonshadow.com.zone";         
        };
};

1.2.2.3 在主DNS服务器上创建zone文件

[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     192.168.10.101

[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     172.16.1.101

[root@linux-node1 ~]# vim /var/named/any.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     10.10.10.101

[root@linux-node1 ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone any.leonshadow.com.zone

1.2.2.4 编辑从DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
view "SlaveBeijing" {
        match-clients { key beijing-idc4-key; beijing-idc4; };
        allow-transfer { key beijing-idc4-key; };
        server 10.10.10.101 {keys beijing-idc4-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.beijing-idc4.leonshadow.com.zone";
        };
};

view "SlaveShanghai" {
        match-clients { key shanghai-idc5-key; shanghai-idc5; };
        allow-transfer { key shanghai-idc5-key; };
        server 10.10.10.101 {keys shanghai-idc5-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.shanghai-idc5.leonshadow.com.zone";
        };
};

view "SlaveAny" {
        match-clients { key any-key; any; };
        allow-transfer { key any-key; };
        server 10.10.10.101 { keys any-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.any.leonshadow.com.zone";
        };
};

1.2.2.5 重启主和从DNS服务器

[root@linux-node ~]# systemctl restart named

1.2.2.6 测试运行结果:

[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58913
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 16:30:13 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node1 ~]# dig @10.10.10.102 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50723
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 1 msec
;; SERVER: 10.10.10.102#53(10.10.10.102)
;; WHEN: Thu Jul 09 16:30:58 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node2 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13723
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 2 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 16:32:16 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node2 ~]# dig @10.10.10.102 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.102#53(10.10.10.102)
;; WHEN: Thu Jul 09 16:32:18 CST 2020
;; MSG SIZE  rcvd: 97
温馨提示:本文最后更新于2022-12-20 20:57:40,已超过431天没有更新。某些文章具有时效性,若文章内容或图片资源有错误或已失效,请联系站长。谢谢!
转载请注明本文链接:https://blog.leonshadow.cn/763482/2032.html
© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享