第1章 智能DNS部署
1.1 通过DNS实现服务的负载均衡
- 仅主DNS服务器上操作:
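[root@linux-node1 ~]# vim /var/named/leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070904      ; serial -- bump it on every edit or secondaries never notice the change
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum (negative-cache TTL)
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Round-robin "load balancing": two A records under the same name.
; Resolvers cache the answer for the record TTL, so a backend that is
; removed by hand keeps being handed out until every cached copy expires.
; A short TTL on the balanced RRset bounds that window; inheriting the
; zone-wide $TTL of 1D would leave a dead IP in caches for up to a day.
www     300     A       10.10.10.101
www     300     A       10.10.10.102
web     CNAME   www
test    A       10.10.10.100
[root@linux-node1 ~]# named-checkzone leonshadow.com /var/named/leonshadow.com.zone   # catch syntax errors before named picks the file up
[root@linux-node1 ~]# rndc reload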
- 向从DNS服务器(10.10.10.102)发起查询进行验证(下面的命令在主服务器上执行,查询目标是从服务器):
[root@linux-node1 ~]# host www.leonshadow.com 10.10.10.102 Using domain server: Name: 10.10.10.102 Address: 10.10.10.102#53 Aliases: www.leonshadow.com has address 10.10.10.102 www.leonshadow.com has address 10.10.10.101
备注:DNS轮询负载均衡无法感知后端服务是否健康:后端出现故障时只能手动从zone文件中删除对应记录并执行rndc reload,而且各级递归DNS和客户端还会按记录TTL(本例继承$TTL 1D,即一天)继续缓存已失效的IP,在缓存过期前故障IP仍会被解析出去。因此生产环境不建议单独依赖此功能,应使用带健康检查的负载均衡器;若确需使用,至少应为参与轮询的记录设置较短的TTL。
1.2 配置DNS视图(智能DNS)
1.2.1 单机智能DNS部署
1.2.1.1 编辑DNS服务器的/etc/named.conf:
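[root@linux-node1 ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";

    // Only the lab network may query at all; everything else is REFUSED.
    allow-query { 10.10.10.0/24; };
    // State the recursion policy explicitly instead of relying on the
    // allow-query-derived default. Authoritative and recursive service on
    // one daemon is fine for a lab; split them in production.
    recursion yes;
    allow-recursion { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5; 1.1.1.1; };
    // BIND 9.11 defaults allow-transfer to "any": without this line every
    // client that passes allow-query could AXFR the full zone contents.
    // Views/zones that genuinely need transfers override this with a key.
    allow-transfer { none; };

    // dnssec-enable is deprecated in newer BIND branches; keep it only
    // while on 9.11 and drop it when upgrading.
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    // NOTE(review): these paths live under the chroot tree. If named is
    // not actually running chrooted, the directory must exist and be
    // writable by the named user or the channels fail to open -- confirm.
    channel warning {
        file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    // Query logging shows which view answered each client; it is
    // high-volume, the versions/size above bound the disk usage.
    category queries { general_dns; };
};

// Client-classification ACLs used by the views in named.rfc1912.zones:
// a query from 10.10.10.101 is answered from the beijing-idc4 zone file,
// a query from 10.10.10.102 from the shanghai-idc5 zone file.
acl beijing-idc4 {
    // In production list every prefix that belongs to this site/ISP
    // (for a China Unicom view, all Unicom ranges).
    10.10.10.101;
};
acl shanghai-idc5 {
    10.10.10.102;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";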
1.2.1.2 编辑DNS服务器的/etc/named.rfc1912.zones:
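[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
// Views are evaluated top to bottom; the first view whose match-clients
// matches answers, and a client that matches no view gets REFUSED.
// There is deliberately no catch-all view here, so only the two listed
// addresses receive an answer.
view "beijing" {
    match-clients { beijing-idc4; };
    // No secondary in this single-server setup: close zone transfers
    // (older BIND, including 9.11, defaults them to "any").
    allow-transfer { none; };
    zone "leonshadow.com" IN {
        type master;
        file "beijing-idc4.leonshadow.com.zone";
    };
};
view "shanghai" {
    match-clients { shanghai-idc5; };
    allow-transfer { none; };
    zone "leonshadow.com" IN {
        type master;
        file "shanghai-idc5.leonshadow.com.zone";
    };
};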
1.2.1.3 编写DNS服务器上的zone文件:
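[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070901      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Address handed to clients that fall into the beijing-idc4 ACL.
www     A       192.168.10.101
[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070901      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Address handed to clients that fall into the shanghai-idc5 ACL.
www     A       172.16.1.101
[root@linux-node1 ~]# chown root:named /var/named/beijing-idc4.leonshadow.com.zone /var/named/shanghai-idc5.leonshadow.com.zone   # absolute paths: the prompt is in ~, not /var/named; "user:group" form, the dotted form is deprecated
[root@linux-node1 ~]# chmod 640 /var/named/beijing-idc4.leonshadow.com.zone /var/named/shanghai-idc5.leonshadow.com.zone   # primary zone files only need to be readable by named
[root@linux-node1 ~]# named-checkzone leonshadow.com /var/named/beijing-idc4.leonshadow.com.zone
[root@linux-node1 ~]# named-checkzone leonshadow.com /var/named/shanghai-idc5.leonshadow.com.zone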
1.2.1.4 重启DNS服务器服务:
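[root@linux-node1 ~]# named-checkconf   # non-zero exit on a syntax error; fix it before restarting, otherwise named stays down
[root@linux-node1 ~]# systemctl restart named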
1.2.1.5 测试运行结果:
[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1890 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 15:42:02 CST 2020 ;; MSG SIZE rcvd: 97 [root@linux-node2 slaves]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34389 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 1 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 15:42:11 CST 2020 ;; MSG SIZE rcvd: 97
1.2.2 主从智能DNS部署
1.2.2.1 编辑主和从DNS服务器的/etc/named.conf:
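[root@linux-node ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";

    // Only the lab network may query at all; everything else is REFUSED.
    allow-query { 10.10.10.0/24; };
    // Explicit recursion policy (same set as allow-query).
    recursion yes;
    allow-recursion { 10.10.10.0/24; };
    forward only;
    forwarders { 223.5.5.5; 1.1.1.1; };
    // Default for any view/zone that does not set its own policy; the
    // views below open transfers again, but only to a TSIG-signed peer.
    allow-transfer { none; };

    // dnssec-enable is deprecated in newer BIND branches; drop on upgrade.
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

// TSIG keys, one per view. The secondary signs its SOA/AXFR requests with
// the key of the view it wants and the primary signs NOTIFYs the same way,
// so "match-clients { key ...; }" selects the right view on both ends even
// though every transfer comes from the same peer address.
// hmac-sha256 replaces hmac-md5 (MD5 is deprecated for TSIG, RFC 8945).
// The secrets below are lab samples published in this document: generate
// your own with "tsig-keygen -a hmac-sha256 <name>", keep them identical
// on both servers, and protect this file (chown root:named, chmod 640) --
// whoever reads a key can pull every view's zone.
key "beijing-idc4-key" {
    algorithm hmac-sha256;
    secret "C0ROpZURBTYZ4NhQV4eJfg==";
};
key "shanghai-idc5-key" {
    algorithm hmac-sha256;
    secret "K5rpsP8utfX7K3Q38WYPxw==";
};
// Key for the catch-all "any" view.
key "any-key" {
    algorithm hmac-sha256;
    secret "fxe5wmufv275rD029312og==";
};

logging {
    // NOTE(review): paths are under the chroot tree; when named is not
    // chrooted the directory must exist and be writable by named -- confirm.
    channel warning {
        file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};

acl beijing-idc4 {
    10.10.10.101;
};
acl shanghai-idc5 {
    10.10.10.102;
};
// The original file had "acl any { *; };" here. "any" is a built-in ACL
// that must not be redefined and "*" is not a valid address-match element,
// so that line makes named-checkconf fail -- almost certainly the error the
// author flagged. The views use the built-in "any" directly instead.

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";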
1.2.2.2 编辑主DNS服务器的/etc/named.rfc1912.zones:
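[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
// Primary side. Views are tried top to bottom and the "any" catch-all
// must stay last.
//
// Why each match-clients starts with negated keys: the secondary
// (10.10.10.102) is itself inside the shanghai-idc5 ACL. With the
// original "{ key X; acl; }" lists, a transfer request signed with
// any-key was checked against "shanghai" before "any" and matched by
// address, so the secondary's SlaveAny view received the shanghai zone
// instead of any.leonshadow.com.zone. "!key" rejects a request that was
// signed with another view's key before the address ACL is consulted;
// unsigned queries are unaffected and still select by address.
//
// "check-names ignore" was dropped: every name in these zones is a
// valid hostname and the option only hides typos.
view "beijing" {
    match-clients { !key shanghai-idc5-key; !key any-key; key beijing-idc4-key; beijing-idc4; };
    // Transfers only to a peer that proves possession of this view's key.
    allow-transfer { key beijing-idc4-key; };
    // Sign NOTIFY/transfer traffic to the secondary with the same key so
    // it lands in the secondary's matching view.
    server 10.10.10.102 { keys beijing-idc4-key; };
    zone "leonshadow.com" IN {
        type master;
        file "beijing-idc4.leonshadow.com.zone";
    };
};
view "shanghai" {
    match-clients { !key beijing-idc4-key; !key any-key; key shanghai-idc5-key; shanghai-idc5; };
    allow-transfer { key shanghai-idc5-key; };
    server 10.10.10.102 { keys shanghai-idc5-key; };
    zone "leonshadow.com" IN {
        type master;
        file "shanghai-idc5.leonshadow.com.zone";
    };
};
// Catch-all. options.allow-query still limits service to 10.10.10.0/24,
// so in this lab the view only answers hosts in neither site ACL
// (e.g. 10.10.10.100); it is not reachable from the Internet.
view "any" {
    match-clients { key any-key; any; };
    allow-transfer { key any-key; };
    server 10.10.10.102 { keys any-key; };
    zone "leonshadow.com" IN {
        type master;
        file "any.leonshadow.com.zone";
    };
};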
1.2.2.3 在主DNS服务器上创建zone文件
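[root@linux-node1 ~]# vim /var/named/beijing-idc4.leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070901      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Answer for beijing-idc4 clients.
www     A       192.168.10.101
[root@linux-node1 ~]# vim /var/named/shanghai-idc5.leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070901      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Answer for shanghai-idc5 clients.
www     A       172.16.1.101
[root@linux-node1 ~]# vim /var/named/any.leonshadow.com.zone
$TTL 1D
@       IN SOA  ns1.leonshadow.com. 632113590.qq.com. (
                2020070901      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      ns1.leonshadow.com.
$ORIGIN leonshadow.com.
ns1     A       10.10.10.101
; Answer for every client that matches neither site ACL.
www     A       10.10.10.101
[root@linux-node1 ~]# chown root:named /var/named/beijing-idc4.leonshadow.com.zone /var/named/shanghai-idc5.leonshadow.com.zone /var/named/any.leonshadow.com.zone   # absolute paths: the prompt is in ~, not /var/named; "user:group" form, the dotted form is deprecated
[root@linux-node1 ~]# chmod 640 /var/named/beijing-idc4.leonshadow.com.zone /var/named/shanghai-idc5.leonshadow.com.zone /var/named/any.leonshadow.com.zone   # primary zone files only need to be readable by named
[root@linux-node1 ~]# for z in beijing-idc4 shanghai-idc5 any; do named-checkzone leonshadow.com "/var/named/${z}.leonshadow.com.zone"; done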
1.2.2.4 编辑从DNS服务器的/etc/named.rfc1912.zones:
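[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
// Secondary side. Same rule as on the primary: the primary (10.10.10.101)
// is inside the beijing-idc4 ACL, so a NOTIFY it signs with the shanghai
// or any key would be caught by "SlaveBeijing" by address unless requests
// signed with the other keys are rejected first ("!key ...").
//
// "check-names ignore" was dropped: the zone data is valid and the option
// only hides typos.
view "SlaveBeijing" {
    match-clients { !key shanghai-idc5-key; !key any-key; key beijing-idc4-key; beijing-idc4; };
    // This secondary has no downstream secondaries of its own: do not
    // offer zone transfers at all.
    allow-transfer { none; };
    // Sign SOA/AXFR requests to the primary with this view's key so the
    // primary answers from its matching view.
    server 10.10.10.101 { keys beijing-idc4-key; };
    zone "leonshadow.com" IN {
        type slave;
        masters { 10.10.10.101; };
        // slaves/ under /var/named must be writable by named (it is on a
        // stock RHEL/CentOS bind package) -- confirm on other layouts.
        file "slaves/slave.beijing-idc4.leonshadow.com.zone";
    };
};
view "SlaveShanghai" {
    match-clients { !key beijing-idc4-key; !key any-key; key shanghai-idc5-key; shanghai-idc5; };
    allow-transfer { none; };
    server 10.10.10.101 { keys shanghai-idc5-key; };
    zone "leonshadow.com" IN {
        type slave;
        masters { 10.10.10.101; };
        file "slaves/slave.shanghai-idc5.leonshadow.com.zone";
    };
};
// Catch-all; must stay last.
view "SlaveAny" {
    match-clients { key any-key; any; };
    allow-transfer { none; };
    server 10.10.10.101 { keys any-key; };
    zone "leonshadow.com" IN {
        type slave;
        masters { 10.10.10.101; };
        file "slaves/slave.any.leonshadow.com.zone";
    };
};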
1.2.2.5 重启主和从DNS服务器
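[root@linux-node ~]# named-checkconf   # run on both servers; a bad acl/key statement would otherwise leave named down after the restart
[root@linux-node ~]# systemctl restart named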
1.2.2.6 测试运行结果:
[root@linux-node1 ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58913 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 16:30:13 CST 2020 ;; MSG SIZE rcvd: 97 [root@linux-node1 ~]# dig @10.10.10.102 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50723 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 192.168.10.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 1 msec ;; SERVER: 10.10.10.102#53(10.10.10.102) ;; WHEN: Thu Jul 09 16:30:58 CST 2020 ;; MSG SIZE rcvd: 97 [root@linux-node2 ~]# dig @10.10.10.101 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.101 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13723 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. 
IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 2 msec ;; SERVER: 10.10.10.101#53(10.10.10.101) ;; WHEN: Thu Jul 09 16:32:16 CST 2020 ;; MSG SIZE rcvd: 97 [root@linux-node2 ~]# dig @10.10.10.102 www.leonshadow.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> @10.10.10.102 www.leonshadow.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12877 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.leonshadow.com. IN A ;; ANSWER SECTION: www.leonshadow.com. 86400 IN A 172.16.1.101 ;; AUTHORITY SECTION: leonshadow.com. 86400 IN NS ns1.leonshadow.com. ;; ADDITIONAL SECTION: ns1.leonshadow.com. 86400 IN A 10.10.10.101 ;; Query time: 0 msec ;; SERVER: 10.10.10.102#53(10.10.10.102) ;; WHEN: Thu Jul 09 16:32:18 CST 2020 ;; MSG SIZE rcvd: 97
