第1章 智能DNS部署
1.1 通过DNS实现服务的负载均衡
- 仅主DNS服务器上操作:
[[email protected] ~]# vim /var/named/leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070904 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 10.10.10.101 www A 10.10.10.102 web CNAME www test A 10.10.10.100 [[email protected] ~]# rndc reload
- 从服务器上进行验证:
[[email protected] ~]# host www.leonshadow.com 10.10.10.102 Using domain server: Name: 10.10.10.102 Address: 10.10.10.102#53 Aliases: www.leonshadow.com has address 10.10.10.102 www.leonshadow.com has address 10.10.10.101
备注:通过DNS负载均衡的时候无法动态感知后端服务状态是否正常,若后端服务出现问题的时候需要手动从zone文件中删除记录,所以生产环境不建议使用此功能。
1.2 配置DNS视图(智能DNS)
1.2.1 单机智能DNS部署
1.2.1.1 编辑DNS服务器的/etc/named.conf:
[[email protected] ~]# vim /etc/named.conf options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { 10.10.10.0/24; }; forward only; forwarders { 223.5.5.5;1.1.1.1; }; recursion yes; dnssec-enable yes; dnssec-validation yes; bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel warning { file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m; severity warning; print-category yes; print-severity yes; print-time yes; }; channel general_dns { file "/var/named/chroot/var/log/dns_log" versions 10 size 100m; severity info; print-category yes; print-severity yes; print-time yes; }; category default { warning; }; category queries { general_dns; }; }; # 添加两条acl规则,此规则的意思是当10.10.10.101向DNS发起请求的时候返回beijing-idc4的IP # 当10.10.10.102向DNS发起请求的时候返回shanghai-idc5的IP acl beijing-idc4 { # 生产环境中需将符合此规则的所有IP段添加进去 # 如联通的规则则将所有联通的IP段添加到此规则中 10.10.10.101; }; acl shanghai-idc5 { 10.10.10.102; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
1.2.1.2 编辑DNS服务器的/etc/named.rfc1912.zones:
[[email protected] ~]# vim /etc/named.rfc1912.zones view "beijing" { match-clients { beijing-idc4; }; zone "leonshadow.com" IN { type master; file "beijing-idc4.leonshadow.com.zone"; }; }; view "shanghai" { match-clients { shanghai-idc5; }; zone "leonshadow.com" IN { type master; file "shanghai-idc5.leonshadow.com.zone"; }; };
1.2.1.3 编写DNS服务器上的zone文件:
[[email protected] ~]# vim /var/named/beijing-idc4.leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 192.168.10.101 [[email protected] ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 172.16.1.101 [[email protected] ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone
1.2.1.4 重启DNS服务器服务:
[[email protected] ~]# systemctl restart named
1.2.1.5 测试运行结果:
[[email protected] ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1890 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 15:42:02 CST 2020 ;; MSG SIZE rcvd: 97 [[email protected] slaves]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34389 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 1 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 15:42:11 CST 2020 ;; MSG SIZE rcvd: 97
1.2.2 主从智能DNS部署
1.2.2.1 编辑主和从DNS服务器的/etc/named.conf:
[[email protected] ~]# vim /etc/named.conf options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { 10.10.10.0/24; }; forward only; forwarders { 223.5.5.5;1.1.1.1; }; recursion yes; dnssec-enable yes; dnssec-validation yes; bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; # 匹配beijing-idc4的Key key "beijing-idc4-key" { algorithm hmac-md5; secret "C0ROpZURBTYZ4NhQV4eJfg=="; }; # 匹配shanghai-idc5的Key key "shanghai-idc5-key" { algorithm hmac-md5; secret "K5rpsP8utfX7K3Q38WYPxw=="; }; # 不匹配以上两个ked的时候匹配此Key,此处有错误,待修正 key "any-key" { algorithm hmac-md5; secret "fxe5wmufv275rD029312og=="; }; logging { channel warning { file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m; severity warning; print-category yes; print-severity yes; print-time yes; }; channel general_dns { file "/var/named/chroot/var/log/dns_log" versions 10 size 100m; severity info; print-category yes; print-severity yes; print-time yes; }; category default { warning; }; category queries { general_dns; }; }; acl beijing-idc4 { 10.10.10.101; }; acl shanghai-idc5 { 10.10.10.102; }; acl any { *; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
1.2.2.2 编辑主DNS服务器的/etc/named.rfc1912.zones:
[[email protected] ~]# vim /etc/named.rfc1912.zones view "beijing" { match-clients { key beijing-idc4-key; beijing-idc4; }; allow-transfer { key beijing-idc4-key; }; server 10.10.10.102 {keys beijing-idc4-key; }; zone "leonshadow.com" IN { check-names ignore; type master; file "beijing-idc4.leonshadow.com.zone"; }; }; view "shanghai" { match-clients { key shanghai-idc5-key; shanghai-idc5; }; allow-transfer { key shanghai-idc5-key; }; server 10.10.10.102 {keys shanghai-idc5-key; }; zone "leonshadow.com" IN { check-names ignore; type master; file "shanghai-idc5.leonshadow.com.zone"; }; }; view "any" { match-clients { key any-key; any; }; allow-transfer { key any-key; }; server 10.10.10.102 { keys any-key; }; zone "leonshadow.com" IN { check-names ignore; type master; file "any.leonshadow.com.zone"; }; };
1.2.2.3 在主DNS服务器上创建zone文件
[[email protected] ~]# vim /var/named/beijing-idc4.leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 192.168.10.101 [[email protected] ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 172.16.1.101 [[email protected] ~]# vim /var/named/any.leonshadow.com.zone $TTL 1D @ IN SOA ns1.leonshadow.com. 632113590.qq.com. ( 2020070901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.leonshadow.com. $ORIGIN leonshadow.com. ns1 A 10.10.10.101 www A 10.10.10.101 [[email protected] ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone any.leonshadow.com.zone
1.2.2.4 编辑从DNS服务器的/etc/named.rfc1912.zones:
[[email protected] ~]# vim /etc/named.rfc1912.zones view "SlaveBeijing" { match-clients { key beijing-idc4-key; beijing-idc4; }; allow-transfer { key beijing-idc4-key; }; server 10.10.10.101 {keys beijing-idc4-key; }; zone "leonshadow.com" IN { check-names ignore; type slave; masters { 10.10.10.101; }; file "slaves/slave.beijing-idc4.leonshadow.com.zone"; }; }; view "SlaveShanghai" { match-clients { key shanghai-idc5-key; shanghai-idc5; }; allow-transfer { key shanghai-idc5-key; }; server 10.10.10.101 {keys shanghai-idc5-key; }; zone "leonshadow.com" IN { check-names ignore; type slave; masters { 10.10.10.101; }; file "slaves/slave.shanghai-idc5.leonshadow.com.zone"; }; }; view "SlaveAny" { match-clients { key any-key; any; }; allow-transfer { key any-key; }; server 10.10.10.101 { keys any-key; }; zone "leonshadow.com" IN { check-names ignore; type slave; masters { 10.10.10.101; }; file "slaves/slave.any.leonshadow.com.zone"; }; };
1.2.2.5 重启主和从DNS服务器
[[email protected] ~]# systemctl restart named
1.2.2.6 测试运行结果:
[[email protected] ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58913 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 16:30:13 CST 2020 ;; MSG SIZE rcvd: 97 [[email protected] ~]# dig @10.10.10.102 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50723 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 1 msec ;; SERVER: 10.10.10.102#53(10.10.10.102) ;; WHEN: Thu Jul 09 16:30:58 CST 2020 ;; MSG SIZE rcvd: 97 [[email protected] ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13723 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 2 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 16:32:16 CST 2020 ;; MSG SIZE rcvd: 97 [[email protected] ~]# dig @10.10.10.102 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12877 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.102#53(10.10.10.102) ;; WHEN: Thu Jul 09 16:32:18 CST 2020 ;; MSG SIZE rcvd: 97
我的微信
如果有技术上的问题可以扫一扫我的微信
