使用Bind9搭建DNS主从服务器


背景介绍:
服务器数量较多时,有效的规划主机名并搭建一个内网DNS来进行解析,会大幅度提高工作效率。
在我们的线上环境中,就是通过Bind9搭建的一套DNS主从服务器来完成的,并且自动化伸缩的脚本(新建/删除EC2虚拟机)也与DNS相结合,自动调用一个简单的Shell脚本来实现DNS记录的新增和删除。

具体步骤:
环境介绍:
OS: CentOS 6.4 x86_64 Minimal
Domain: heylinux.com
Master: 172.16.8.246
Slave: 172.16.8.247

1. 安装配置DNS主服务器
1.1 安装Bind9所需软件包
yum install bind bind-devel bind-libs bind-utils bind-chroot

1.2 创建/var/named/heylinux.com.key用于主从服务器之间的校验
cd /var/named/
dnssec-keygen -a HMAC-MD5 -b 128 -n USER heylinux.com.

Kheylinux.com.+157+59510

ls Kheylinux.com*

Kheylinux.com.+157+59510.key  Kheylinux.com.+157+59510.private

grep -w Key Kheylinux.com.+157+59510.private

Key: 4Cn0wwI+STjsW+3S5dEEdQ==

vim heylinux.com.key

// TSIG key shared by the master (allow-update) and copied to the slave.
// The secret is the "Key:" value taken from the generated .private file
// above; treat this file as a credential (owned by named, not readable by
// other local users).
key "heylinux.com." {
        // hmac-md5 is what `dnssec-keygen -a HMAC-MD5` produced above.
        // NOTE(review): hmac-sha256 (dnssec-keygen -a HMAC-SHA256) is the
        // stronger choice on any BIND version that supports it.
        algorithm hmac-md5;
        secret "4Cn0wwI+STjsW+3S5dEEdQ==";
};

1.3 修改文件属性
chown named:named *heylinux.com*
chown named:named /var/named

1.4 启动named服务,生成/etc/rndc.key文件
service named start

1.5 配置named服务开机自启动
chkconfig named on

1.6 修改/etc/named.conf配置文件
vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// rndc.key is generated by the first `service named start` (step 1.4);
// heylinux.com.key is the TSIG key written in step 1.2.
include "/etc/rndc.key";
include "/var/named/heylinux.com.key";

// rndc control channel: loopback only, authenticated with rndc-key.
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

// Hosts allowed to pull zone transfers (referenced by allow-transfer below).
acl slave_servers { 172.16.8.247; };

options {
	// listen-on is commented out, so named binds every IPv4 interface by
	// default; restrict it to the internal address if the host has others.
	#listen-on port 53 { 127.0.0.1; };
	#listen-on-v6 port 53 { ::1; };
	listen-on-v6 { none; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Queries and recursion are open at this level; the effective client
	// restriction is match-clients in view "internal_resolver"
	// (localhost + 172.16.8.0/24), so keep that view intact.
	allow-query     { any; };
	// AXFR is gated by source IP only (acl slave_servers), not by TSIG.
	allow-transfer  { slave_servers; };
	// Send NOTIFY to the slave (in addition to the zone's NS records) so it
	// refreshes right after a dynamic update.
	also-notify     { 172.16.8.247; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): the ISC DLV lookaside registry has since been retired;
	// this is valid for the BIND 9.8 shown here but should be dropped when
	// the config is reused on a newer version.
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

// One channel per BIND log category, each file rotating at 5 MB with three
// kept versions. Paths are chroot-relative (bind-chroot is installed), so
// /var/log/named here is /var/named/chroot/var/log/named on disk (step 1.7).
// "severity dynamic" follows the server's runtime debug level.
logging {
    channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // security.log receives approved/denied access decisions (queries,
    // transfers, updates) and is the first file to check after an incident.
    channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // queries.log records every client query (source address + name): useful
    // for review, but high-volume at 5 MB x 3 and contains client activity.
    channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // update.log shows each accepted/rejected dynamic update from dns_ops.sh.
    channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

// Only internal clients match this view; a query from any other source
// matches no view and is refused by named, which is what keeps the open
// allow-query/recursion in options from becoming an open resolver.
view "internal_resolver" {
        match-clients {
                localhost;
                172.16.8.0/24;
        };

        // Root hints: lets this view recurse for names outside heylinux.com.
        zone "." IN {
        	type hint;
        	file "named.ca";
        };

        // Forward zone. Dynamic updates are accepted only when signed with
        // the TSIG key "heylinux.com." (what dns_ops.sh/nsupdate use in
        // step 4), never on source address alone.
        zone "heylinux.com" IN {
                type master;
                file "heylinux.com.zone";
                allow-update { key "heylinux.com."; };
        };

        // Reverse zone for 172.16.8.0/24, same update policy.
        zone "8.16.172.in-addr.arpa" IN {
                type master;
                file "8.16.172.in-addr.arpa.zone";
                allow-update { key "heylinux.com."; };
        };

        include "/etc/named.rfc1912.zones";
};

注:在以上配置文件中,主要内容包括:
载入rndc.key与heylinux.com.key的内容;
设置主从之间的信任与通知:通过acl slave_servers限制区域传输(allow-transfer),并向从服务器发送通知(also-notify);heylinux.com.key用于校验动态更新(allow-update),即后文nsupdate脚本所使用的签名密钥;
将日志文件进行精细化的切分;
创建视图"internal_resolver"并指定用于解析与反解析的Zone文件;

1.7 创建日志所需目录与文件
mkdir /var/named/chroot/var/log/named
touch /var/named/chroot/var/log/named/{default.log,general.log,database.log,security.log,config.log}
touch /var/named/chroot/var/log/named/{resolver.log,xfer-in.log,xfer-out.log,notify.log,client.log}
touch /var/named/chroot/var/log/named/{unmatched.log,queries.log,network.log,update.log,dispatch.log}
touch /var/named/chroot/var/log/named/{dnssec.log,lame-servers.log,general.log,notify.log,queries.log}
chown -R named:named /var/named/chroot/var/log/named

1.8 初始化/var/named/heylinux.com.zone解析Zone文件
vim heylinux.com.zone

$ORIGIN .
$TTL 86400      ; 1 day
; Apex written as a bare name under $ORIGIN "."; serial uses YYYYMMDDnn.
; This file is rewritten by named once dynamic updates are applied (the
; script output in step 4.4 shows a zone freeze/thaw), so hand edits should
; go through the same freeze/thaw path rather than a plain text edit.
heylinux.com            IN SOA  ns1.heylinux.com. root.heylinux.com. (
                                2014091816 ; serial
                                300        ; refresh (5 minutes)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
; NS set matches the master/slave pair (ns1 = 172.16.8.246, ns2 = 172.16.8.247).
                        NS      ns1.heylinux.com.
                        NS      ns2.heylinux.com.
                        A       54.238.131.140
                        MX      5 mxbiz1.qq.com.
                        MX      10 mxbiz2.qq.com.
$ORIGIN heylinux.com.
mail                    CNAME   exmail.qq.com.
ns1                     A       172.16.8.246
ns2                     A       172.16.8.247
www                     CNAME   heylinux.com.

chown named:named heylinux.com.zone

1.9 初始化/var/named/8.16.172.in-addr.arpa.zone反解析Zone文件
vim 8.16.172.in-addr.arpa.zone

$ORIGIN .
$TTL 86400      ; 1 day
8.16.172.in-addr.arpa   IN SOA  ns1.heylinux.com. root.heylinux.com. (
                                2014061519 ; serial
                                3600       ; refresh (1 hour)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
; NOTE(review): only ns1 is published as NS, although ns2 (172.16.8.247)
; also slaves this zone in step 2.5 and the forward zone lists both; adding
; `NS ns2.heylinux.com.` makes the published NS set match the servers that
; actually serve the zone.
                        NS      ns1.heylinux.com.
; NOTE(review): an A record of 255.255.255.0 at the reverse-zone apex looks
; like a netmask pasted as an address; nothing on this page looks it up.
                        A       255.255.255.0
                        PTR     heylinux.com.
$ORIGIN 8.16.172.in-addr.arpa.
246                     PTR     ns1.heylinux.com.
247                     PTR     ns2.heylinux.com.

chown named:named 8.16.172.in-addr.arpa.zone

1.10 重启named服务
service named restart

2. 安装配置DNS从服务器
2.1 安装Bind9所需软件包
yum install bind bind-devel bind-libs bind-utils bind-chroot

2.2 从主服务器复制/var/named/heylinux.com.key用于校验
cd /var/named
scp root@172.16.8.246:/var/named/heylinux.com.key .

2.3 修改文件属性
chown named:named *heylinux.com*
chown named:named /var/named

2.4 配置named服务开机自启动
chkconfig named on

2.5 修改/etc/named.conf配置文件

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Copied from the master in step 2.2. Nothing below references the key
// (no "keys" clause on the masters list or a server statement), so it is
// loaded but unused on the slave.
include "/var/named/heylinux.com.key";

// The master's address; declared as an acl but not referenced in this file
// (the slave zones name 172.16.8.246 directly in their masters lists).
acl master_server { 172.16.8.246; };

options {
	// listen-on is commented out, so named binds every IPv4 interface by
	// default; restrict it to the internal address if the host has others.
	#listen-on port 53 { 127.0.0.1; };
	#listen-on-v6 port 53 { ::1; };
	listen-on-v6 { none; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// As on the master, the effective client restriction is match-clients
	// in view "internal_resolver" (localhost + 172.16.8.0/24).
	allow-query     { any; };
	// The slave serves no transfers to anyone; only the master does.
	allow-transfer  { none; };
	// NOTE(review): this sends NOTIFY back to the master after a refresh;
	// harmless for one-way master->slave replication, but not required.
	also-notify     { 172.16.8.246; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): the ISC DLV lookaside registry has since been retired;
	// valid for the BIND 9.8 shown here, drop it on newer versions.
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

// Same per-category channel layout as the master: each file rotates at 5 MB
// with three kept versions. Paths are chroot-relative (bind-chroot is
// installed), so /var/log/named is /var/named/chroot/var/log/named on disk
// (created in step 2.6). "severity dynamic" follows the runtime debug level.
logging {
    channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // xfer-in.log is where a failed or refused transfer from the master
    // shows up on this host; check it first if slaves/ stays empty.
    channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // queries.log records every client query (source address + name): useful
    // for review, but high-volume and contains client activity.
    channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

// Same client scope as the master's view: internal clients only; queries
// from any other source match no view and are refused.
view "internal_resolver" {
        match-clients {
                localhost;
                172.16.8.0/24;
        };

        // Root hints so the slave can also recurse for external names.
        zone "." IN {
        	type hint;
        	file "named.ca";
        };

        // Zone data is pulled from the master by AXFR/IXFR. The transfer is
        // authorised by source IP on the master side only; no TSIG key is
        // attached to this masters list, so the included heylinux.com.key
        // plays no part here. The copy is written under slaves/ (step 3.3).
        zone "heylinux.com" IN {
                type slave;
                masters { 172.16.8.246; };
                file "slaves/heylinux.com.zone";
        };

        // Reverse zone, same transfer arrangement.
        zone "8.16.172.in-addr.arpa" IN {
                type slave;
                masters { 172.16.8.246; };
                file "slaves/8.16.172.in-addr.arpa.zone";
        };
        include "/etc/named.rfc1912.zones";
};

注:在以上配置文件中,主要内容包括:
载入heylinux.com.key的内容;
设置自身角色为Slave,配置Master的IP地址(masters语句),并载入heylinux.com.key作为校验(注意:本配置中从服务器并未在masters或server语句中引用该key,区域传输实际由主服务器的allow-transfer ACL按来源IP控制);
将日志文件进行精细化的切分;
指定视图"internal_resolver"并指定用于解析与反解析的Zone文件;

2.6 创建日志所需目录与文件
mkdir /var/named/chroot/var/log/named
touch /var/named/chroot/var/log/named/{default.log,general.log,database.log,security.log,config.log}
touch /var/named/chroot/var/log/named/{resolver.log,xfer-in.log,xfer-out.log,notify.log,client.log}
touch /var/named/chroot/var/log/named/{unmatched.log,queries.log,network.log,update.log,dispatch.log}
touch /var/named/chroot/var/log/named/{dnssec.log,lame-servers.log,general.log,notify.log,queries.log}
chown -R named:named /var/named/chroot/var/log/named

2.7 重启named服务
service named restart

3. 测试主从服务器搭建效果
3.1 修改测试主机的/etc/resolv.conf
[root@iad2-dong2 ~]# cat /etc/resolv.conf

nameserver 172.16.8.246
nameserver 172.16.8.247
search heylinux.com

3.2 查看DNS记录
dig heylinux.com

; DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 heylinux.com
;; global options: +cmd
;; Got answer:
;; - HEADER - opcode: QUERY, status: NOERROR, id: 7741
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;heylinux.com.                  IN      A

;; ANSWER SECTION:
heylinux.com.           86400   IN      A       54.238.131.140

;; AUTHORITY SECTION:
heylinux.com.           86400   IN      NS      ns1.heylinux.com.
heylinux.com.           86400   IN      NS      ns2.heylinux.com.

;; ADDITIONAL SECTION:
ns1.heylinux.com.       86400   IN      A       172.16.8.246
ns2.heylinux.com.       86400   IN      A       172.16.8.247

;; Query time: 1 msec
;; SERVER: 172.16.8.246#53(172.16.8.246)
;; WHEN: Thu Sep 18 18:40:02 2014
;; MSG SIZE  rcvd: 114

3.3 登陆从服务器查看同步过来的Zone文件
cd /var/named/slaves
ls

8.16.172.in-addr.arpa.zone heylinux.com.zone

4. 使用脚本对DNS记录进行新增/删除
4.1 将脚本下载并放置到DNS主服务器上:
https://github.com/mcsrainbow/shell-scripts/blob/master/scripts/dns_ops.sh
cd /var/named
wget https://raw.githubusercontent.com/mcsrainbow/shell-scripts/master/scripts/dns_ops.sh
chmod +x dns_ops.sh

4.2 对常用的 A|CNAME|PTR 记录进行新增/删除操作,脚本主要对nsupdate命令与需要执行的内容进行了封装

4.3 操作示例:
./dns_ops.sh -t A -u add -n ns1 -v 172.16.8.246
./dns_ops.sh -t A -u del -n ns1 -v 172.16.8.246
./dns_ops.sh -t CNAME -u add -n ns3 -v ns1.heylinux.com
./dns_ops.sh -t CNAME -u del -n ns3 -v ns1.heylinux.com
./dns_ops.sh -t PTR -u add -n 172.16.8.246 -v ns1.heylinux.com
./dns_ops.sh -t PTR -u del -n 172.16.8.246 -v ns1.heylinux.com

4.4 在新增/删除记录后,使用'dig -x'命令校验PTR记录信息,使用'host'命令校验A|CNAME信息:
./dns_ops.sh -t A -u add -n ns4 -v 172.16.8.249

update add ns4.heylinux.com 86400 A 172.16.8.249
Successful
zone reload up-to-date
The zone reload and thaw was successful.

host ns4

ns4.heylinux.com has address 172.16.8.249

./dns_ops.sh -t A -u del -n ns4 -v 172.16.8.249

update delete ns4.heylinux.com 86400 A 172.16.8.249
Successful
zone reload up-to-date
The zone reload and thaw was successful.

host ns4

Host ns4 not found: 3(NXDOMAIN)

./dns_ops.sh -t CNAME -u add -n ns3 -v ns1.heylinux.com

update add ns3.heylinux.com 86400 CNAME ns1.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

host ns3

ns3.heylinux.com is an alias for ns1.heylinux.com.
ns1.heylinux.com has address 172.16.8.246

./dns_ops.sh -t CNAME -u del -n ns3 -v ns1.heylinux.com

update delete ns3.heylinux.com 86400 CNAME ns1.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

host ns3

Host ns3 not found: 3(NXDOMAIN)

./dns_ops.sh -t PTR -u add -n 172.16.8.249 -v ns4.heylinux.com

update add 249.8.16.172.in-addr.arpa 86400 PTR ns4.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

dig -x 172.16.8.249

; DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -x 172.16.8.248
;; global options: +cmd
;; Got answer:
;; - HEADER - opcode: QUERY, status: NOERROR, id: 16817
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;249.8.16.172.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
249.8.16.172.in-addr.arpa. 86400 IN     PTR     ns4.heylinux.com.

;; AUTHORITY SECTION:
8.16.172.in-addr.arpa.  86400   IN      NS      ns1.heylinux.com.

;; ADDITIONAL SECTION:
ns1.heylinux.com.       86400   IN      A       172.16.8.246

;; Query time: 1 msec
;; SERVER: 172.16.8.246#53(172.16.8.246)
;; WHEN: Thu Sep 18 18:51:29 2014
;; MSG SIZE  rcvd: 107

./dns_ops.sh -t PTR -u del -n 172.16.8.249 -v ns4.heylinux.com

update delete 249.8.16.172.in-addr.arpa 86400 PTR ns4.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

dig -x 172.16.8.249

; DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -x 172.16.8.249
;; global options: +cmd
;; Got answer:
;; - HEADER - opcode: QUERY, status: NXDOMAIN, id: 48597
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;249.8.16.172.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
8.16.172.in-addr.arpa.  3600    IN      SOA     ns1.heylinux.com. root.heylinux.com. 2014061525 3600 60 604800 3600

;; Query time: 1 msec
;; SERVER: 172.16.8.246#53(172.16.8.246)
;; WHEN: Thu Sep 18 19:02:39 2014
;; MSG SIZE  rcvd: 100

4.5 查看自动更新后的Zone文件内容
./dns_ops.sh -t A -u add -n ns4 -v 172.16.8.249

update add ns4.heylinux.com 86400 A 172.16.8.249
Successful
zone reload up-to-date
The zone reload and thaw was successful.

./dns_ops.sh -t CNAME -u add -n ns3 -v ns1.heylinux.com

update add ns3.heylinux.com 86400 CNAME ns1.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

./dns_ops.sh -t PTR -u add -n 172.16.8.249 -v ns4.heylinux.com

update add 249.8.16.172.in-addr.arpa 86400 PTR ns4.heylinux.com
Successful
zone reload up-to-date
The zone reload and thaw was successful.

cat heylinux.com.zone

$ORIGIN .
$TTL 86400      ; 1 day
heylinux.com            IN SOA  ns1.heylinux.com. root.heylinux.com. (
                                2014091826 ; serial
                                300        ; refresh (5 minutes)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.heylinux.com.
                        NS      ns2.heylinux.com.
                        A       54.238.131.140
                        MX      5 mxbiz1.qq.com.
                        MX      10 mxbiz2.qq.com.
$ORIGIN heylinux.com.
mail                    CNAME   exmail.qq.com.
ns1                     A       172.16.8.246
ns2                     A       172.16.8.247
ns3                     CNAME   ns1
ns4                     A       172.16.8.249
www                     CNAME   heylinux.com.

cat 8.16.172.in-addr.arpa.zone

$ORIGIN .
$TTL 86400      ; 1 day
8.16.172.in-addr.arpa   IN SOA  ns1.heylinux.com. root.heylinux.com. (
                                2014061529 ; serial
                                3600       ; refresh (1 hour)
                                60         ; retry (1 minute)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.heylinux.com.
                        A       255.255.255.0
                        PTR     heylinux.com.
$ORIGIN 8.16.172.in-addr.arpa.
246                     PTR     ns1.heylinux.com.
$ORIGIN 8.16.172.in-addr.arpa.
247                     PTR     ns2.heylinux.com.
$ORIGIN 8.16.172.in-addr.arpa.
249                     PTR     ns4.heylinux.com.
