WEB架构之DNS-智能DNS(02)

共计16111字 阅读大约54分钟 5480

第1章 智能DNS部署

1.1 通过DNS实现服务的负载均衡

  • 仅主DNS服务器上操作:
[root@linux-node1 ~]# vim /var/named/leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070904      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     10.10.10.101
www     A     10.10.10.102
web     CNAME www
test    A     10.10.10.100

[root@linux-node1 ~]# rndc reload
  • 从服务器上进行验证:
[root@linux-node1 ~]# host www.leonshadow.com 10.10.10.102
Using domain server:
Name: 10.10.10.102
Address: 10.10.10.102#53
Aliases:

www.leonshadow.com has address 10.10.10.102
www.leonshadow.com has address 10.10.10.101

备注:通过DNS负载均衡的时候无法动态感知后端服务状态是否正常,若后端服务出现问题的时候需要手动从zone文件中删除记录,所以生产环境不建议使用此功能。

1.2 配置DNS视图(智能DNS)

1.2.1 单机智能DNS部署

1.2.1.1 编辑DNS服务器的/etc/named.conf:

[root@linux-node1 ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5;1.1.1.1; };
 
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
         channel warning {
                 file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
                 severity warning;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         channel general_dns {
                 file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
                 severity info;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         category default {
                 warning;
         };

         category queries {
                 general_dns;
         };
};

# 添加两条acl规则,此规则的意思是当10.10.10.101向DNS发起请求的时候返回beijing-idc4的IP
# 当10.10.10.102向DNS发起请求的时候返回shanghai-idc5的IP
acl beijing-idc4 {
        # 生产环境中需将符合此规则的所有IP段添加进去
        # 如联通的规则则将所有联通的IP段添加到此规则中
        10.10.10.101;  
};
acl shanghai-idc5 {
        10.10.10.102;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.2.1.2 编辑DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
view "beijing" {
        match-clients { beijing-idc4; };
        zone "leonshadow.com" IN {
                type master;
                file "beijing-idc4.leonshadow.com.zone";
        };
};

view "shanghai" {
        match-clients { shanghai-idc5; };
        zone "leonshadow.com" IN {
                type master;
                file "shanghai-idc5.leonshadow.com.zone";
        };
};

1.2.1.3 编写DNS服务器上的zone文件:

[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     192.168.10.101

[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     172.16.1.101

[root@linux-node1 ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone

1.2.1.4 重启DNS服务器服务:

[root@linux-node1 ~]# systemctl restart named

1.2.1.5 测试运行结果:

[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 15:42:02 CST 2020
;; MSG SIZE  rcvd: 97

[root@linux-node2 slaves]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 1 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 15:42:11 CST 2020
;; MSG SIZE  rcvd: 97

1.2.2 主从智能DNS部署

1.2.2.1 编辑主和从DNS服务器的/etc/named.conf:

[root@linux-node ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5;1.1.1.1; };
 
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

# 匹配beijing-idc4的Key
key "beijing-idc4-key" {
        algorithm hmac-md5;
        secret "C0ROpZURBTYZ4NhQV4eJfg==";
};
# 匹配shanghai-idc5的Key
key "shanghai-idc5-key" {
        algorithm hmac-md5;
        secret "K5rpsP8utfX7K3Q38WYPxw==";
};
# 不匹配以上两个ked的时候匹配此Key,此处有错误,待修正
key "any-key" {
        algorithm hmac-md5;
        secret "fxe5wmufv275rD029312og==";
};

logging {
         channel warning {
                 file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
                 severity warning;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         channel general_dns {
                 file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
                 severity info;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };

         category default {
                 warning;
         };

         category queries {
                 general_dns;
         };
};

acl beijing-idc4 {
        10.10.10.101;
};

acl shanghai-idc5 {
        10.10.10.102;
};

acl any {
        *;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.2.2.2 编辑主DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
view "beijing" {
        match-clients { key beijing-idc4-key; beijing-idc4; };
        allow-transfer { key beijing-idc4-key; };
        server 10.10.10.102 {keys beijing-idc4-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "beijing-idc4.leonshadow.com.zone";
        };
};

view "shanghai" {
        match-clients { key shanghai-idc5-key; shanghai-idc5; };
        allow-transfer { key shanghai-idc5-key; };
        server 10.10.10.102 {keys shanghai-idc5-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "shanghai-idc5.leonshadow.com.zone";
        };
};

view "any" {
        match-clients { key any-key; any; };
        allow-transfer { key any-key; };
        server 10.10.10.102 { keys any-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type master;
                file "any.leonshadow.com.zone";         
        };
};

1.2.2.3 在主DNS服务器上创建zone文件

[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     192.168.10.101

[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     172.16.1.101

[root@linux-node1 ~]# vim /var/named/any.leonshadow.com.zone
$TTL 1D
@ IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                                2020070901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.leonshadow.com.

$ORIGIN leonshadow.com.
ns1     A     10.10.10.101
www     A     10.10.10.101

[root@linux-node1 ~]# chown root.named beijing-idc4.leonshadow.com.zone shanghai-idc5.leonshadow.com.zone any.leonshadow.com.zone

1.2.2.4 编辑从DNS服务器的/etc/named.rfc1912.zones:

[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
view "SlaveBeijing" {
        match-clients { key beijing-idc4-key; beijing-idc4; };
        allow-transfer { key beijing-idc4-key; };
        server 10.10.10.101 {keys beijing-idc4-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.beijing-idc4.leonshadow.com.zone";
        };
};

view "SlaveShanghai" {
        match-clients { key shanghai-idc5-key; shanghai-idc5; };
        allow-transfer { key shanghai-idc5-key; };
        server 10.10.10.101 {keys shanghai-idc5-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.shanghai-idc5.leonshadow.com.zone";
        };
};

view "SlaveAny" {
        match-clients { key any-key; any; };
        allow-transfer { key any-key; };
        server 10.10.10.101 { keys any-key; };
        zone "leonshadow.com" IN {
                check-names ignore;
                type slave;
                masters { 10.10.10.101; };
                file "slaves/slave.any.leonshadow.com.zone";
        };
};

1.2.2.5 重启主和从DNS服务器

[root@linux-node ~]# systemctl restart named

1.2.2.6 测试运行结果:

[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58913
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 16:30:13 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node1 ~]# dig @10.10.10.102 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50723
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   192.168.10.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 1 msec
;; SERVER: 10.10.10.102#53(10.10.10.102)
;; WHEN: Thu Jul 09 16:30:58 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node2 ~]# dig @10.10.10.101 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13723
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 2 msec
;; SERVER: 10.10.10.101#53(10.10.10.101)
;; WHEN: Thu Jul 09 16:32:16 CST 2020
;; MSG SIZE  rcvd: 97


[root@linux-node2 ~]# dig @10.10.10.102 www.leonshadow.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leonshadow.com.        IN  A

;; ANSWER SECTION:
www.leonshadow.com. 86400   IN  A   172.16.1.101

;; AUTHORITY SECTION:
leonshadow.com.     86400   IN  NS  ns1.leonshadow.com.

;; ADDITIONAL SECTION:
ns1.leonshadow.com. 86400   IN  A   10.10.10.101

;; Query time: 0 msec
;; SERVER: 10.10.10.102#53(10.10.10.102)
;; WHEN: Thu Jul 09 16:32:18 CST 2020
;; MSG SIZE  rcvd: 97
温馨提示:本文最后更新于2022-12-20 20:57:40,已超过492天没有更新。某些文章具有时效性,若文章内容或图片资源有错误或已失效,请联系站长。谢谢!
转载请注明本文链接:https://blog.leonshadow.cn/763482/2032.html
© 版权声明
版权声明
1. 本网站名称:Leon的博客
2. 本站永久网址:https://blog.leonshadow.cn
3. 本网站的文章部分内容可能来源于网络,仅供大家学习与参考,如有侵权,请联系站长QQ632113590进行删除处理。
4. 本站一切资源不代表本站立场,并不代表本站赞同其观点和对其真实性负责。
5. 本站一律禁止以任何方式发布或转载任何违法的相关信息,访客发现请向站长举报
6. 本站资源大多存储在云盘,如发现链接失效,请联系我们我们会第一时间更新。
THE END
linux系统
# dns
喜欢就支持一下吧
点赞0 分享
Leon的博客的头像|leon的博客
Snort部署及使用|leon的博客
Snort部署及使用
Snort部署及使用
6年前 4537
HP服务器UEFI安装CentOS7.x后无法引导的问题|leon的博客
HP服务器UEFI安装CentOS7.x后无法引导的问题
HP服务器UEFI安装CentOS7.x后无法引导的问题
6年前 4202
Windows 1909中Windows沙盒和VMWare虚拟机冲突的解决办法|leon的博客
Windows 1909中Windows沙盒和VMWare虚拟机冲突的解决办法
Windows 1909中Windows沙盒和VMWare虚拟机冲突的解决办法
4年前 3978
修复nessus无法导出pdf|leon的博客
修复nessus无法导出pdf
修复nessus无法导出pdf
5年前 3818
自动化部署(kickstart/cobbler)问题总结|leon的博客
自动化部署(kickstart/cobbler)问题总结
自动化部署(kickstart/cobbler)问题总结
7年前 3805
zabbix相关错误及问题总结(五)|leon的博客
zabbix相关错误及问题总结(五)
zabbix相关错误及问题总结(五)
6年前 3231
相关推荐
Snort部署及使用|leon的博客
Snort部署及使用
Snort部署及使用
6年前 4537
修复nessus无法导出pdf|leon的博客
修复nessus无法导出pdf
修复nessus无法导出pdf
5年前 3818
Centos7中Logstash使用最新版GeoIP并自动更新|leon的博客
Centos7中Logstash使用最新版GeoIP并自动更新
Centos7中Logstash使用最新版GeoIP并自动更新
4年前 2965
KVM简单使用|leon的博客
KVM简单使用
KVM简单使用
7年前 2658
Rancher部署k8s及使用(一)|leon的博客
Rancher部署k8s及使用(一)
Rancher部署k8s及使用(一)
5年前 2656
容器技术(一)—LXC安装及使用|leon的博客
容器技术(一)—LXC安装及使用
容器技术(一)—LXC安装及使用
7年前 2613
开启精彩搜索
用户封面
Leon的博客的头像|leon的博客
最热文章
Snort部署及使用|leon的博客
4537人已阅读
Snort部署及使用
TOP1
HP服务器UEFI安装CentOS7.x后无法引导的问题|leon的博客
HP服务器UEFI安装CentOS7.x后无法引导的问题
6年前4202人已阅读
TOP2
Windows 1909中Windows沙盒和VMWare虚拟机冲突的解决办法|leon的博客
Windows 1909中Windows沙盒和VMWare虚拟机冲突的解决办法
4年前3978人已阅读
TOP3
修复nessus无法导出pdf|leon的博客
修复nessus无法导出pdf
5年前3818人已阅读
TOP4
自动化部署(kickstart/cobbler)问题总结|leon的博客
自动化部署(kickstart/cobbler)问题总结
7年前3805人已阅读
TOP5
zabbix相关错误及问题总结(五)|leon的博客
zabbix相关错误及问题总结(五)
6年前3231人已阅读
TOP6
Centos7中Logstash使用最新版GeoIP并自动更新|leon的博客
Centos7中Logstash使用最新版GeoIP并自动更新
4年前2965人已阅读
TOP7
草根吧论坛部署恢复|leon的博客
草根吧论坛部署恢复
5年前2783人已阅读
TOP8
KVM简单使用|leon的博客
KVM简单使用
7年前2658人已阅读
TOP9
Rancher部署k8s及使用(一)|leon的博客
Rancher部署k8s及使用(一)
5年前2656人已阅读
TOP10
标签云
黑客 (1)高可用 (6)靶场 (4)防火墙 (6)问题汇总 (3)镜像 (2)远程控制卡 (1)负载均衡 (3)读写分离 (1)语言 (1)证书 (1)论坛 (1)蚁剑 (1)虚拟机 (1)虚拟化 (9)草根吧 (1)自动化 (9)腾讯云 (1)网络安全 (47)网络 (1)网盘 (2)编程语言 (3)缓存 (4)经验总结 (1)系统 (1)硬件 (1)破解 (2)监控 (9)病毒 (6)版本控制 (5)激活 (1)漏洞扫描 (6)漏洞 (6) (1)渗透 (3)浏览器 (2)沙盒 (1)框架 (10)木马 (6)服务器硬件 (1)暴力破解 (5)日志 (1)数据库 (31)提权 (2)持久化 (7)批量管理 (9)性能 (6)开发 (25)