
智能DNS简单配置

时间:2012-03-26 00:43来源:未知 作者:tiewan 点击:

 

一 环境:
  DNS Server   : Linux CentOS Version 5.6 ip 10.5.8.6 (DNS服务器)
  Test Client_A: Linux CentOS Version 5.6 ip 10.5.8.7 (模拟电信TELECOM)
  Test Client_B: Linux CentOS Version 5.6 ip 10.5.8.8 (模拟网通CNC)
  Test Client_C: Linux CentOS Version 5.6 ip 10.5.8.9 (模拟ANY)
 
实现目标:
  简单配置DNS,对itminer.net做View智能解析,当Client端请求域名解析时,DNS先判断Client端的ip.
  然后与内部的ACL IP表进行匹配.并给用户返回对应的VIEW指定IP地址.
  Client_A 请求解析www.itminer.net DNS返回192.168.0.1
  Client_B 请求解析www.itminer.net DNS返回192.168.0.2
  Client_C 请求解析www.itminer.net DNS返回192.168.0.3
 
PS:本文档是以Mysql数据库已部署完毕为基础前提.此处不再对Mysql数据库的安装部署做解释
 
二 智能DNS部署(10.5.8.6):
 
1 编译安装Bind-DLZ
  [root@localhost opt]#wget http://ftp.isc.org/isc/bind9/bind-9.8.0-P1.tar.gz
  [root@localhost opt]#tar zxf bind-9.8.0-P1.tar.gz 
  [root@localhost opt]# cd bind-9.8.0-P1
  [root@localhost bind-9.8.0-P1]#export LDFLAGS=-L/usr/lib64/mysql
  [root@localhost bind-9.8.0-P1]#./configure --with-dlz-mysql=/usr/local/webserver/mysql/ --enable-largefile --enable-threads=no --prefix=/usr/local/bind --disable-openssl-version-check
  [root@localhost bind-9.8.0-P1]#make
  [root@localhost bind-9.8.0-P1]#make install
 
2 创建配置文件
  [root@localhost bind-9.8.0-P1]# cd /usr/local/bind/etc/
  [root@localhost etc]# ../sbin/rndc-confgen >rndc.conf
  [root@localhost etc]# tail -n10 rndc.conf | head -n9 | sed -e s/#\//g >named.conf
  [root@localhost etc]# ll
  total 24
  -rw-r--r-- 1 root root 2389 Mar 23 11:35 bind.keys
  -rw-r--r-- 1 root root  171 Mar 23 11:49 named.conf
  -rw-r--r-- 1 root root  479 Mar 23 11:48 rndc.conf
 
  [root@localhost etc]# vi  localhost.zone  
 
  [root@localhost etc]# cat localhost.zone 
  $TTL    86400
  @       IN      SOA     localhost. root.localhost.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
          IN      NS      localhost.
  1       IN      PTR     localhost.
 
 
  [root@localhost etc]# dig >named.root
  [root@localhost etc]# mkdir acl
  [root@localhost etc]# cd acl/
  [root@localhost acl]# touch telecom_acl.conf
  [root@localhost acl]# touch cnc_acl.conf    
  [root@localhost acl]# touch view.conf 
  [root@localhost acl]# cat telecom_acl.conf 
  acl "TELECOM" {
  10.5.8.7;
  };
  [root@localhost acl]# cat cnc_acl.conf 
  acl "CNC" {
  10.5.8.8;
  };
备注:实际应用中 TELECOM CNC的ip库需要经常维护 此处的ACL仅供实验用
 
3 将acl文件引入named.conf文件
  [root@localhost etc]#
 
  include "/usr/local/bind/etc/acl/telecom_acl.conf";
  include "/usr/local/bind/etc/acl/cnc_acl.conf";
  include "/usr/local/bind/etc/acl/view.conf";
 
 
4 配置DNS TSIG 将私有key配置到named.conf
  [root@localhost etc]# cd ../sbin/
  [root@localhost sbin]# pwd
  /usr/local/bind/sbin
  [root@localhost sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST cnc
  [root@localhost sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST telecom
  [root@localhost sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST any
  [root@localhost sbin]# cat Ktelecom.+157+49071.private |grep ^Key
  Key: u681/8czyTI+uTjSakdWKg==
  [root@localhost sbin]# cat Kcnc.+157+64950.private |grep ^Key                          
  Key: 2FVe62ymagIFdbk9wcdptQ==
  [root@localhost sbin]# cat Kany.+157+35836.private |grep ^Key                        
  Key: y4BJwznU+AhOJCfxNGKUxg==
 
  [root@localhost sbin]# cat ../etc/named.conf
  #TSIG-key
  key "telecom" {
  algorithm hmac-md5;
  secret "u681/8czyTI+uTjSakdWKg==";
  };
 
  key "cnc" {
  algorithm hmac-md5;
  secret "2FVe62ymagIFdbk9wcdptQ==";
  };
 
 key "any" {
 algorithm hmac-md5;
 secret "y4BJwznU+AhOJCfxNGKUxg==";
 };
 
 最终的named.conf样板示例及说明:
[root@localhost etc]# cat named.conf 
 # TSIG key used by rndc over the controls channel below.  The secret is
 # stored in cleartext, and step 2 lists named.conf as 0644 (-rw-r--r--);
 # tighten the mode so only the account that runs named can read it.
 key "rndc-key" {
        algorithm hmac-md5;
        secret "bDtC6uEDcGOo38idxT/aZQ==";
 };
 
 # rndc is only reachable from the loopback address and must present rndc-key.
 controls {
        inet 127.0.0.1 port 953
                allow { localhost; } keys { "rndc-key"; };
         };
 
 # NOTE(review): listen-on { any; } together with recursion yes,
 # allow-query { any; } and allow-query-cache { any; } makes this an open
 # recursive resolver for every address that can reach port 53.  That is
 # acceptable inside the 10.5.8.0 lab, but before exposing the host restrict
 # recursion and cache access to the internal ACLs, e.g.
 #   allow-recursion   { localhost; TELECOM; CNC; };
 #   allow-query-cache { localhost; TELECOM; CNC; };
 # (move the acl includes above this block if named reports the ACL names
 # as undefined).  named.root and localhost.zone created in step 2 are not
 # referenced anywhere in this file; named presumably falls back to its
 # compiled-in root hints for recursion - confirm.
 options {
        directory "/usr/local/bind/etc";
        listen-on port 53 { any; };
        pid-file "named.pid";
        statistics-file "/usr/local/bind/etc/named.stats";
        recursion yes;
        allow-query-cache { any; };
        allow-query { any; };
        version "9.8.0";
 };
 
 #Log conf
 # NOTE(review): both channels write under /usr/local/bind/etc/log/, but that
 # directory is never created in this walkthrough (step 2 only creates acl/);
 # named cannot open the channel files unless it exists.  The queries category
 # records every client address and query name; versions 3 / size 10m bounds
 # the disk use, but consider the retention implications of that data.
 logging {
   channel warning {
    file "/usr/local/bind/etc/log/dns_warning" versions 3 size 10m;
    severity warning;
    print-category yes;
    print-severity yes;
    print-time yes;
   };
   channel general_dns {
       file "/usr/local/bind/etc/log/dns_log" versions 3 size 10m;
       severity info;
       print-category yes;
       print-severity yes;
       print-time yes;
  };
 category default {
       warning;
   };
   category queries {
       general_dns;
   };
 };
 
 
 #TSIG-key
 # NOTE(review): the three keys below are generated in step 4, but the views
 # in acl/view.conf select clients by source address only: their
 # match-clients lists name cnc/telecom/any without the "key" keyword, which
 # BIND reads as ACL names, so nothing on this page verifies a TSIG
 # signature.  hmac-md5 is what the page generated with; BIND 9.8 also
 # accepts hmac-sha256 for TSIG.  The secrets are cleartext - see the
 # file-permission note at the top of this file.
 
 key "telecom" {
 algorithm hmac-md5;
 secret "u681/8czyTI+uTjSakdWKg==";
 };
 
 key "cnc" {
 algorithm hmac-md5;
 secret "2FVe62ymagIFdbk9wcdptQ==";
 };
 
 key "any" {
 algorithm hmac-md5;
 secret "y4BJwznU+AhOJCfxNGKUxg==";
 };
 
 #include acl
 # ACLs from step 2 (TELECOM = 10.5.8.7, CNC = 10.5.8.8) and the DLZ views.
 
 include "/usr/local/bind/etc/acl/telecom_acl.conf";
 include "/usr/local/bind/etc/acl/cnc_acl.conf";
 include "/usr/local/bind/etc/acl/view.conf";
 
 
 
5 配置Bind-view-DLZ-MySQL
  [root@localhost etc]# cd acl/
  [root@localhost acl]# pwd
  /usr/local/bind/etc/acl
  [root@localhost acl]# ls -l
  total 16
  -rw-r--r-- 1 root root 0 Mar 23 11:59 any_acl.conf
  -rw-r--r-- 1 root root 0 Mar 23 11:59 cnc_acl.conf
  -rw-r--r-- 1 root root 0 Mar 23 11:59 telecom_acl.conf
  -rw-r--r-- 1 root root 0 Mar 23 12:02 view.conf
 
  [root@localhost acl]# cat view.conf (样板示例 本文档最核心部分设置)
 
  # NOTE(review): view selection here is by source address only.  In each
  # match-clients list the lower-case name (cnc, telecom, any) is read by
  # BIND as an ACL name, not as the TSIG key of the same name defined in
  # named.conf; matching signed queries needs the form `key cnc;`.  CNC and
  # TELECOM are the ACLs from acl/*_acl.conf; "ANY" is defined in no included
  # file (any_acl.conf is 0 bytes and is not included) and is never consulted
  # anyway, because the built-in "any" listed before it matches every client.
  # Views are tried in file order, so any_view must stay last.
  #
  # NOTE(review): the DLZ connection string below carries the cdn_view MySQL
  # password in cleartext and step 5 lists this file as 0644 (-rw-r--r--):
  # restrict it to the account named runs as and do not reuse the password.
  # The account is granted ALL PRIVILEGES ON *.* in step 7; these statements
  # only need SELECT on cdn_view.dns_records / cdn_view.xfr_table and UPDATE
  # on cdn_view.data_count.  ssl=false is tolerable only because the
  # connection stays on 127.0.0.1.  $zone$, $record$ and $client$ are filled
  # in by the DLZ driver from the query name and client address (the mysql
  # driver escapes them before substitution - confirm for the bundled version).
  #
  # NOTE(review): the allow-zone-transfer query reads xfr_table and the last
  # query updates a data_count table, but step 6 creates only dns_records
  # (data_count there is a column of dns_records, not a table).  Create those
  # tables, or drop the two trailing query slots if the driver allows it,
  # before relying on zone transfers or per-zone counters.  The same applies
  # to telecom_view and any_view below.
  #
  # recursion is enabled inside every view as well as in options; restrict it
  # with allow-recursion if the server is reachable from outside the lab.
  view "cnc_view" {
 
        # serves rows tagged view='CNC' plus the default 'DF' rows
        match-clients   { cnc;CNC;};
        match-destinations { localhost; };
        recursion yes;
 
        dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=cdn_view ssl=false port=3306 user=cdn_view pass=123123! }
        {select zone from dns_records where zone = '$zone$' limit 1}
        {select ttl,type,mx_priority,case 
                        when lower(type) = 'txt' then concat('\"',data, '\"') 
                        when lower(type) = 'soa' then concat_ws('  ',data,resp_person,serial,refresh,retry,expire,minimum) 
                else data end as mydata 
                from dns_records where zone = '$zone$' and host ='$record$' and (view = 'CNC' or view = 'DF')
        }
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') 
                else data end as mydata, resp_person, serial, refresh, retry, expire, minimum 
                from dns_records where zone = '$zone$' and (view='CNC' or view= 'DF')
        }
        {select zone from xfr_table where zone = '$zone$' and client = '$client$' and view='CNC' limit 1}
        {update data_count set count = count + 1 where zone ='$zone$' and view='CNC'}";
 
                        };
                };
 
  # Same layout as cnc_view, filtered on view='TELECOM' (plus 'DF').  The bare
  # "telecom" is an ACL name, not the TSIG key; the cleartext password, the
  # missing xfr_table/data_count tables and the recursion note above apply.
  view "telecom_view" {
 
        match-clients   { telecom;TELECOM;};
        match-destinations { localhost; };
        recursion yes;
 
        dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=cdn_view ssl=false port=3306 user=cdn_view pass=123123! }
        {select zone from dns_records where zone = '$zone$' limit 1}
        {select ttl,type,mx_priority,case
                        when lower(type) = 'txt' then concat('\"',data, '\"')
                        when lower(type) = 'soa' then concat_ws('  ',data,resp_person,serial,refresh,retry,expire,minimum)
                else data end as mydata
                from dns_records where zone = '$zone$' and host ='$record$' and (view = 'TELECOM' or view = 'DF') 
        }
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
                else data end as mydata, resp_person, serial, refresh, retry, expire, minimum
                from dns_records where zone = '$zone$' and (view='TELECOM' or view= 'DF')
        }
        {select zone from xfr_table where zone = '$zone$' and client = '$client$' and view='TELECOM' limit 1}
        {update data_count set count = count + 1 where zone ='$zone$' and view='TELECOM'}";
 
                        };
                };
 
  # Catch-all view: the built-in "any" ACL matches every client that did not
  # match cnc_view or telecom_view, so this view must remain the last one.
  # Filtered on view='ANY' (plus 'DF'); the notes at the top of the file apply.
  view "any_view" {
 
        match-clients   { any;ANY;};
        match-destinations { localhost; };
        recursion yes;
 
        dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=cdn_view ssl=false port=3306 user=cdn_view pass=123123! }
        {select zone from dns_records where zone = '$zone$' limit 1}
        {select ttl,type,mx_priority,case
                        when lower(type) = 'txt' then concat('\"',data, '\"')
                        when lower(type) = 'soa' then concat_ws('  ',data,resp_person,serial,refresh,retry,expire,minimum)
                else data end as mydata
                from dns_records where zone = '$zone$' and host ='$record$' and (view = 'ANY' or view = 'DF')
        }
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
                else data end as mydata, resp_person, serial, refresh, retry, expire, minimum
                from dns_records where zone = '$zone$' and (view='ANY' or view= 'DF')
        }
        {select zone from xfr_table where zone = '$zone$' and client = '$client$' and view='ANY' limit 1}
        {update data_count set count = count + 1 where zone ='$zone$' and view='ANY'}";
 
                        };
                };
 
6 创建Mysql View库
 
mysql>create database cdn_view; -- 创建数据库名为cdn_view
mysql>use cdn_view;
-- Record table read by the DLZ queries in acl/view.conf: one row per RR.
-- `view` tags the BIND view allowed to serve the row; the default 'DF'
-- marks rows served in every view (the lookup queries filter on
-- "view = '<VIEW>' or view = 'DF'").  Only plain KEY indexes exist, so
-- duplicate (zone, host, type, view) rows are all returned to named.
DROP TABLE IF EXISTS `dns_records`;
CREATE TABLE `dns_records` (
`id` int(10) unsigned NOT NULL auto_increment,
`zone` varchar(255) NOT NULL,
`host` varchar(255) NOT NULL default '@',
-- NOTE(review): no 'TXT' member although the view.conf queries special-case
-- lower(type) = 'txt'; extend the enum before inserting TXT records.
`type` enum('MX','CNAME','NS','SOA','A','PTR') NOT NULL,
`data` varchar(255) default NULL,
`ttl` int(11) NOT NULL default '800',
`view` char(20) default 'DF',
`mx_priority` int(11) default NULL,
-- The SOA fields below are only read for the type='SOA' row (the lookup
-- query concat_ws's data,resp_person,serial,refresh,retry,expire,minimum);
-- the SOA INSERT in step 8 carries the primary NS in `data`, so
-- `primary_ns` itself is not consulted by any query on this page.
`refresh` int(11) NOT NULL default '3600',
`retry` int(11) NOT NULL default '3600',
`expire` int(11) NOT NULL default '86400',
`minimum` int(11) NOT NULL default '3600',
`serial` bigint(20) NOT NULL default '2008082700',
`resp_person` varchar(64) NOT NULL default 'root.domain.com.',
`primary_ns` varchar(64) NOT NULL default 'ns1.domain.com.',
-- NOTE(review): not referenced by any view.conf query; the count query
-- there updates a separate data_count table that this page never creates.
`data_count` int(11) NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `type` (`type`),
KEY `host` (`host`),
KEY `zone` (`zone`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
 
7 创建mysql DNS管理帐号
-- NOTE(review): ALL PRIVILEGES ON *.* is far more than the DLZ queries need,
-- and this password sits in cleartext in acl/view.conf (listed 0644 in
-- step 5).  Least privilege for the statements in view.conf would be
-- (constructed example):
--   GRANT SELECT ON cdn_view.* TO 'cdn_view'@'127.0.0.1';
--   GRANT UPDATE ON cdn_view.data_count TO 'cdn_view'@'127.0.0.1';
-- named connects over TCP to host=127.0.0.1, which the '127.0.0.1' grant
-- covers; the 'localhost' grant mainly serves socket logins such as the
-- mysql client.
mysql>GRANT ALL PRIVILEGES ON *.* TO 'cdn_view'@'localhost' IDENTIFIED BY '123123!';  
mysql>GRANT ALL PRIVILEGES ON *.* TO 'cdn_view'@'127.0.0.1' IDENTIFIED BY '123123!'; 
 
8 执行SQL创建相关ZONE及记录
  -- SOA (MySQL only treats "--" as a comment when a space follows it)
  -- ttl 10 / minimum 10 are what nslookup reports as "minimum = 10" in
  -- step 10.  `serial` must be raised whenever records change, or caches
  -- and any secondary will not pick the change up.
 
  INSERT INTO `dns_records` (`zone`, `host`, `type`, `data`, `ttl`,`mx_priority`, `refresh`, `retry`, `expire`, `minimum`, `serial`, `resp_person`, 
`primary_ns`, `data_count`) VALUES
  ('itminer.net', '@', 'SOA', 'ns1.itminer.net.', 10, NULL, 3600, 3600, 86400, 10, 2008082700, 'root.itminer.net.', 'ns1.itminer.net.', 0);
 
  -- @ NS
  -- No `view` given, so these rows take the default 'DF' and are served in
  -- every view.
 
  INSERT INTO `dns_records` (`zone`, `host`, `type`, `data`) VALUES
  ('itminer.net', '@', 'NS', 'ns.itminer.net.'),
  ('itminer.net', '@', 'NS', 'ns1.itminer.net.');
 
  -- NS A (default view 'DF' as well)
 
  INSERT INTO `dns_records` (`zone`, `host`, `type`, `data`) VALUES
  ('itminer.net', 'ns', 'A', '10.5.8.6'),
  ('itminer.net', 'ns1', 'A', '10.5.8.6');
 
  -- A: one row per view; this is what makes www.itminer.net resolve to a
  -- different address for TELECOM, CNC and ANY clients.
  INSERT INTO `dns_records` (`zone`, `host`, `type`, `data`, `ttl`, `view`) VALUES
  ('itminer.net', 'www', 'A', '192.168.0.1', 3600, 'TELECOM'),
  ('itminer.net', 'www', 'A', '192.168.0.2', 3600, 'CNC'),
  ('itminer.net', 'www', 'A', '192.168.0.3', 3600, 'ANY');
 
  -- CNAME
  -- NOTE(review): the target 'www' has no trailing dot, unlike the NS data
  -- above; how DLZ qualifies a relative target is not shown on this page -
  -- verify with a lookup of man.itminer.net before relying on it.
 
  INSERT INTO dns_records (zone,host,type,DATA,view)
  VALUES ('itminer.net', 'man', 'CNAME', 'www','TELECOM'),
  ('itminer.net', 'man', 'CNAME', 'www','CNC'),
  ('itminer.net', 'man', 'CNAME', 'www','ANY');
 
 
 
9 DNS服务器的启动
  # NOTE(review): -uroot keeps named running as root for its whole lifetime;
  # -u exists so named can drop to an unprivileged account after binding
  # port 53, so create a dedicated account for it and pass that instead
  # (the config, pid, stats and log paths under /usr/local/bind/etc must
  # then be readable/writable by that account).
  # -g keeps named in the foreground logging to stderr; -d 9 is a high
  # debug level, for diagnosing startup errors only.
  /usr/local/bind/sbin/named -uroot -g -d 9 (调试模式 出错时有详细提示)
  # rndc authenticates with rndc-key from named.conf over 127.0.0.1:953.
  /usr/local/bind/sbin/rndc reload  (重载)
  # Normal start with an explicit config path; same -u remark as above.
  /usr/local/bind/sbin/named -uroot -c /usr/local/bind/etc/named.conf (指定配置启动)
 
 
10 收官测试
  1 切10.5.8.7 模拟telecom测试
  [wenwen@www ~]$ nslookup 
  > server 10.5.8.6
  Default server: 10.5.8.6
  Address: 10.5.8.6#53
  > www.itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  Name:   www.itminer.net
  Address: 192.168.0.1
  > set type=soa
  > itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  itminer.net
        origin = ns1.itminer.net
        mail addr = root.itminer.net
        serial = 2008082700
        refresh = 3600
        retry = 3600
        expire = 86400
        minimum = 10
 
  Authoritative answers can be found from:
  itminer.net       nameserver = ns.itminer.net.
  itminer.net       nameserver = ns1.itminer.net.
  > 
 
  2 切10.5.8.8 模拟cnc测试
  [wenwen@www ~]$ nslookup 
  > server 10.5.8.6
  Default server: 10.5.8.6
  Address: 10.5.8.6#53
  > www.itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  Name:   www.itminer.net
  Address: 192.168.0.2
  > set type=soa
  > itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  itminer.net
        origin = ns1.itminer.net
        mail addr = root.itminer.net
        serial = 2008082700
        refresh = 3600
        retry = 3600
        expire = 86400
        minimum = 10
 
  Authoritative answers can be found from:
  itminer.net       nameserver = ns.itminer.net.
  itminer.net       nameserver = ns1.itminer.net.
  > 
 
  3 切10.5.8.9 模拟any测试
  [wenwen@www ~]$ nslookup 
  > server 10.5.8.6
  Default server: 10.5.8.6
  Address: 10.5.8.6#53
  > www.itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  Name:   www.itminer.net
  Address: 192.168.0.3
  > set type=soa
  > itminer.net
  Server:         10.5.8.6
  Address:        10.5.8.6#53
 
  Non-authoritative answer:
  itminer.net
        origin = ns1.itminer.net
        mail addr = root.itminer.net
        serial = 2008082700
        refresh = 3600
        retry = 3600
        expire = 86400
        minimum = 10
 
  Authoritative answers can be found from:
  itminer.net       nameserver = ns.itminer.net.
  itminer.net       nameserver = ns1.itminer.net.
  > 
 
 
11 最后备注及建议:
   1 如果DNS启动报错类似以下错误
     libmysqlclient.so.16: cannot open shared object file: No such file or directory
     解决办法:
     在/etc/ld.so.conf里面加入下面2行:
     /usr/local/mysql/lib/mysql (视实际情况指定路径)
     /usr/local/lib
     然后用ldconfig重新加载下库文件即可
 
   2 View配置部分,配置的sql语句定义的变量参数边界符会因为不同版本的bind而不尽相同,启动会有相应的报错提示,边界符一般是%或者$
 
   3 有可能存在一个情况就是改记录不能够及时生效 建议将ttl值设置跟上层NS服务商一样
 
   4 管理dns直接对mysql记录做管理即可,为方便管理可以写一个程序对记录增删查改,此方案的可管理性非常高.
 
   5 如果部署多台DNS做负载均衡的话,建议每个从节点采用mysql的replication复制服务将数据记录同步,维护好mysql记录的一致性即可
 
   6 本文档仅仅是做简单的测试,权当抛砖引玉之作用,真正的运营应用得根据实际情况来好好维护对应的各个acl ip库.可以做更详细的view设置.
 