1.实战案例:利用view实现智能DNS
1.1 实验目的
搭建DNS主从服务器架构,实现DNS服务冗余
1.2 环境要求
需要五台主机
DNS主服务器和web服务器1:172.31.1.8/21,10.0.1.8/21
web服务器2:172.31.0.7/21
web服务器3:10.0.0.7/21
DNS客户端1:172.31.0.27/21
DNS客户端2:10.0.0.37/21
1.3 前提准备
关闭SELinux(实验环境简化配置;生产环境不建议关闭)
关闭防火墙(实验环境简化配置;生产环境应只放行 53/tcp 与 53/udp)
时间同步
1.4 实现步骤
1.4.1 DNS 服务器的网卡配置
#配置两个IP地址
[root@rocky8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:75:53:9e brd ff:ff:ff:ff:ff:ff
inet 172.31.1.8/21 brd 172.31.7.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe75:539e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:75:53:a8 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.8/21 brd 10.0.7.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe75:53a8/64 scope link
valid_lft forever preferred_lft forever
1.4.2 主DNS服务端配置文件实现view
[root@rocky8 ~]# dnf -y install bind
[root@rocky8 ~]# vim /etc/named.conf
#在文件最前面加下面行
// Client-source ACLs used by the views below. A view is selected by the
// source address of the querying client, so each ACL names one client subnet.
acl beijingnet {
172.31.0.0/21;
};
acl shanghainet {
10.0.0.0/21;
};
// Catch-all for every client outside the two subnets above -- this includes
// the server's own loopback queries (see the 127.0.0.1 test in 1.4.6).
acl othernet {
any;
};
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#关闭DNSSEC验证(仅用于实验环境;生产环境应保留 dnssec-validation)
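// Lab shortcut: DNSSEC validation of upstream answers is switched off, so
// forged responses are not rejected. Keep validation on outside the lab.
// dnssec-enable is obsolete (a no-op) in BIND 9.16 and later; it is still
// accepted by older 9.11-series packages -- TODO confirm installed version.
dnssec-enable no;
dnssec-validation no; // original snippet was missing the ';' -- named-checkconf rejects it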
# 创建view
// Views are tried in order and the first match-clients hit wins, so the
// catch-all otherview must stay last.
view beijingview {
match-clients {beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients {shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
// othernet is "any": every client not matched above, including 127.0.0.1.
view otherview {
match-clients {othernet;};
include "/etc/named.rfc1912.zones.other";
};
// Once a view is defined, every zone must live inside a view; that is why
// the stock top-level zone "." and the plain include of named.rfc1912.zones
// are gone from this file and each zones.* copy carries its own hint zone.
// named.root.key presumably holds only key/trust-anchor statements, which are
// still valid at top level -- verify against the installed file.
include "/etc/named.root.key";
#下面是/etc/named.conf 文件的完整配置
[root@rocky8 ~]# cat /etc/named.conf
// Client-source ACLs consumed by the views at the bottom of the file.
acl beijingnet {
172.31.0.0/21;
};
acl shanghainet {
10.0.0.0/21;
};
// Catch-all: any client not in the two subnets above (incl. 127.0.0.1).
acl othernet {
any;
};
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
// Commented out, so named listens on port 53 on every IPv4 address of the
// host (172.31.1.8 and 10.0.1.8); IPv6 stays loopback-only via the next line.
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// Commented out, so queries are accepted from any source address. Recursion
// (enabled below) is then gated only by BIND's default allow-recursion ACL
// (localnets; localhost). If this host ever faces an untrusted network, set
// allow-recursion { beijingnet; shanghainet; }; explicitly, as the block
// comment that follows warns.
// allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursion is needed because each view also resolves names outside
// raymonds.cc through the hint zone in its zones.* file.
recursion yes;
// Lab shortcut: upstream answers are not DNSSEC-validated. dnssec-enable is
// obsolete in BIND 9.16+ (still accepted by 9.11-series packages -- TODO
// confirm the installed version).
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Views are matched in order, first hit wins; keep the "any" view last.
view beijingview {
match-clients {beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients {shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients {othernet;};
include "/etc/named.rfc1912.zones.other";
};
// With views present no zone may remain at top level, so the stock zone "."
// and the plain include of named.rfc1912.zones were removed from this file.
include "/etc/named.root.key";
1.4.3 实现区域配置文件
[root@rocky8 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@rocky8 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.sh
[root@rocky8 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.other
[root@rocky8 ~]# vim /etc/named.rfc1912.zones.bj
// Each view needs its own root hint zone: zones cannot sit at the top level
// of named.conf once views exist, and without the hints this view's clients
// could not recurse for names outside raymonds.cc.
zone "." IN {
type hint;
file "named.ca";
};
// Beijing-specific copy of the zone data; file paths are relative to the
// directory "/var/named" option in named.conf.
zone "raymonds.cc" {
type master;
file "raymonds.cc.zone.bj";
};
[root@rocky8 ~]# vim /etc/named.rfc1912.zones.sh
// Root hints for this view (required per view; see the .bj copy).
zone "." IN {
type hint;
file "named.ca";
};
// Shanghai-specific copy of the zone data, relative to directory "/var/named".
zone "raymonds.cc" {
type master;
file "raymonds.cc.zone.sh";
};
[root@rocky8 ~]# vim /etc/named.rfc1912.zones.other
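// Root hints for this view (required per view; see the .bj/.sh copies).
zone "." IN {
type hint;
file "named.ca";
};
// Fallback copy served to clients outside beijingnet/shanghainet.
zone "raymonds.cc" {
type master;
file "raymonds.cc.zone.other"; // original was missing the ';' -- named-checkconf / named would reject the file
};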
[root@rocky8 ~]# ll //etc/named.rfc1912.zones.*
-rw-r----- 1 root named 1231 Dec 5 22:39 //etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1249 Dec 5 22:41 //etc/named.rfc1912.zones.other
-rw-r----- 1 root named 1250 Dec 5 22:40 //etc/named.rfc1912.zones.sh
1.4.4 创建区域数据库文件
[root@rocky8 ~]# cp -p /var/named/named.localhost /var/named/raymonds.cc.zone.bj
[root@rocky8 ~]# vim /var/named/raymonds.cc.zone.bj
$TTL 1D
; SOA: MNAME "master" has no trailing dot, so it is relative to the zone
; origin (master.raymonds.cc.); RNAME admin.neteagles.vip. is the admin
; mailbox with "@" written as ".".
; Serial is 1 in all three per-view copies; they never transfer to each
; other, but bump it on every edit if secondaries are ever added.
@ IN SOA master admin.neteagles.vip. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
; owner name omitted -> inherits "@" (the zone apex)
NS master
master A 172.31.1.8
; view-specific answer: Beijing clients are sent to web server 2
www A 172.31.0.7
[root@rocky8 ~]# cp -p /var/named/raymonds.cc.zone.bj /var/named/raymonds.cc.zone.sh
[root@rocky8 ~]# vim /var/named/raymonds.cc.zone.sh
$TTL 1D
; SOA: MNAME "master" is relative to the origin (master.raymonds.cc.);
; RNAME admin.neteagles.vip. is the admin mailbox with "@" written as ".".
; Serial stays 1 here as in the .bj copy; bump it whenever the file changes
; if this zone is ever transferred to a secondary.
@ IN SOA master admin.neteagles.vip. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
; owner name omitted -> inherits "@" (the zone apex)
NS master
master A 172.31.1.8
; view-specific answer: Shanghai clients are sent to web server 3
www A 10.0.0.7
[root@rocky8 ~]# cp -p /var/named/raymonds.cc.zone.bj /var/named/raymonds.cc.zone.other
[root@rocky8 ~]# vim /var/named/raymonds.cc.zone.other
$TTL 1D
; SOA: MNAME "master" is relative to the origin (master.raymonds.cc.);
; RNAME admin.neteagles.vip. is the admin mailbox with "@" written as ".".
@ IN SOA master admin.neteagles.vip. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
; owner name omitted -> inherits "@" (the zone apex)
NS master
master A 172.31.1.8
; Catch-all view: clients outside beijingnet/shanghainet (and the server's
; own loopback resolver) are pointed at 127.0.0.1. That only "works" on a
; host that runs httpd itself (web server 1 in 1.4.5); any other client
; gets a dead address -- use a reachable fallback IP outside the lab.
www A 127.0.0.1
[root@rocky8 ~]# ll /var/named/raymonds.cc.zone.*
-rw-r----- 1 root named 403 Dec 5 22:45 /var/named/raymonds.cc.zone.bj
-rw-r----- 1 root named 402 Dec 5 22:49 /var/named/raymonds.cc.zone.other
-rw-r----- 1 root named 401 Dec 5 22:48 /var/named/raymonds.cc.zone.sh
[root@rocky8 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
1.4.5 实现位于不同区域的三个WEB服务器
#分别在三台主机上安装http服务
#在web服务器1:10.0.1.8/21上实现
[root@rocky8 ~]# dnf -y install httpd;echo www.raymonds.cc in other> /var/www/html/index.html;systemctl enable --now httpd
[root@rocky8 ~]# curl 10.0.1.8
www.raymonds.cc in other
#在web服务器2:172.31.0.7/21
[root@centos7 ~]# yum -y install httpd;echo www.raymonds.cc in beijing> /var/www/html/index.html;systemctl enable --now httpd
[root@centos7 ~]# curl 172.31.0.7
www.raymonds.cc in beijing
#在web服务器3:10.0.0.7/21
[root@centos7-2 ~]# yum -y install httpd;echo www.raymonds.cc in shanghai> /var/www/html/index.html;systemctl enable --now httpd
[root@centos7-2 ~]# curl 10.0.0.7
www.raymonds.cc in shanghai
1.4.6 客户端测试
#分别在三台主机上访问
#DNS客户端1:172.31.0.27/21 实现,确保DNS指向172.31.1.8
[root@centos7-3 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.31.1.8
[root@centos7-3 ~]# curl www.raymonds.cc
www.raymonds.cc in beijing
#DNS客户端2:10.0.0.37/21 实现,确保DNS指向10.0.1.8
[root@centos7-4 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.1.8
[root@centos7-4 ~]# curl www.raymonds.cc
www.raymonds.cc in shanghai
#DNS客户端3:172.31.1.8(即DNS服务器本机) 实现,确保DNS指向127.0.0.1
[root@rocky8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
[root@rocky8 ~]# curl www.raymonds.cc
www.raymonds.cc in other