Building an enterprise smart DNS with Bind+DLZ
Contents:
I. Introduction
II. Service planning
III. Installing BIND and the basic environment
IV. Configuring Bind-View-DLZ-MySQL
V. Adding records and testing
VI. Configuring the slave DNS
VII. Supplement
I. Introduction:
1. Smart DNS (Bind-view):
The principle of smart DNS is simple: when a user resolves a domain name, look at the IP address the query comes from, match it against the IP table kept inside the DNS server to see whether the user is on China Telecom or China Netcom, and return the IP address that suits that network. Current domain registrars do not offer smart DNS, so you have to run your own DNS server or use one of the free smart DNS services on the Internet.
2. Bind-DLZ
Bind-DLZ homepage: http://bind-dlz.sourceforge.net/
DLZ (Dynamically Loadable Zones) differs from traditional BIND9. The shortcomings of plain BIND are:
* BIND reads its data from text files, so editing mistakes easily cause problems.
* BIND has to load all data into memory; with many zones or records this consumes a lot of memory.
* BIND parses every zone file at start-up, which takes noticeably longer on a server with many records.
* Changing even a single record requires a reload or restart of BIND before it takes effect; that takes time and may disrupt client queries.
Bind-DLZ solves these problems: zone data is manipulated directly in the database, which is far more convenient than editing zone files and makes it easy to extend the system and build management tools.
II. Bind-view planning:
View   Operator                  IP list
CNC    China Netcom              cnc.txt
CT     China Telecom             ct.txt
CMCC   China Mobile              cmcc.txt
EDU    CERNET (education network) edu.txt
include "/usr/local/bind/etc/view.conf"; (IPs not present in the IP database fall into the any view)
IP database and ACLs: if you have a more detailed IP database broken down by city or region, the views can be named and planned by city or region when you design the BIND-VIEW field.
III. Installing BIND and the basic environment:
1. Install MySQL:
wget http://soft.vpser.net/datebase/mysql/mysql-5.1.54.tar.gz
groupadd mysql
useradd -g mysql -s /sbin/nologin -M mysql
tar zxvf mysql-5.1.54.tar.gz
cd mysql-5.1.54
./configure --prefix=/usr/local/mysql/ --enable-assembler --with-extra-charsets=complex --enable-thread-safe-client --with-big-tables --with-readline --with-ssl --with-embedded-server --enable-local-infile --with-plugins=partition,innobase,myisammrg
make && make install
chown mysql:mysql -R /usr/local/mysql/
/usr/local/mysql/bin/mysql_install_db --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql
cd /usr/local/mysql/
cp share/mysql/my-medium.cnf /etc/my.cnf
cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
chmod 755 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
sed -i 's/skip-locking/skip-external-locking/g' /etc/my.cnf
echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
/usr/local/mysql/bin/mysqld_safe --defaults-file=/etc/my.cnf --user=mysql &
echo 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/profile
source /etc/profile
/etc/init.d/mysqld start    # the init script was installed as "mysqld" above
/usr/local/mysql/bin/mysqladmin -u root password 123456
2. Compile and install BIND:
wget http://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz
tar zxvf bind-9.6.0-P1.tar.gz
cd bind-9.6.0-P1
./configure --with-dlz-mysql --enable-largefile --enable-threads=no --prefix=/usr/local/bind --disable-openssl-version-check
make && make install
3. Create the configuration files:
cd /usr/local/bind/etc/
../sbin/rndc-confgen > rndc.conf
tail -n10 rndc.conf | head -n9 | sed -e s/#\//g > named.conf
vim localhost.zone
$TTL 86400
@       IN SOA  localhost. root.localhost. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   localhost.
1       IN PTR  localhost.
dig > named.root (requires Internet access)
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25148
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 408518 IN NS f.root-servers.net.
. 408518 IN NS g.root-servers.net.
. 408518 IN NS h.root-servers.net.
. 408518 IN NS i.root-servers.net.
. 408518 IN NS j.root-servers.net.
. 408518 IN NS k.root-servers.net.
. 408518 IN NS l.root-servers.net.
. 408518 IN NS m.root-servers.net.
. 408518 IN NS a.root-servers.net.
. 408518 IN NS b.root-servers.net.
. 408518 IN NS c.root-servers.net.
. 408518 IN NS d.root-servers.net.
. 408518 IN NS e.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 585058 IN A 198.41.0.4
a.root-servers.net. 153174 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 15676 IN A 192.228.79.201
c.root-servers.net. 20756 IN A 192.33.4.12
d.root-servers.net. 494933 IN A 128.8.10.90
d.root-servers.net. 153058 IN AAAA 2001:500:2d::d
e.root-servers.net. 21330 IN A 192.203.230.10
f.root-servers.net. 325589 IN A 192.5.5.241
f.root-servers.net. 325589 IN AAAA 2001:500:2f::f
g.root-servers.net. 249133 IN A 192.112.36.4
h.root-servers.net. 494933 IN A 128.63.2.53
h.root-servers.net. 494933 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 325589 IN A 192.36.148.17
i.root-servers.net. 325589 IN AAAA 2001:7fe::53
;; Query time: 5 msec
;; SERVER: 211.157.97.1#53(211.157.97.1)
;; WHEN: Thu Jun 9 15:58:52 2011
;; MSG SIZE rcvd: 512
4. Configure DNS TSIG:
Use dnssec-keygen to generate the keys; it writes one public key file and one private key file per name.
# ./dnssec-keygen -a hmac-md5 -b 128 -n HOST cnc
# ./dnssec-keygen -a hmac-md5 -b 128 -n HOST ct
# ./dnssec-keygen -a hmac-md5 -b 128 -n HOST edu
# ./dnssec-keygen -a hmac-md5 -b 128 -n HOST cmcc
# ./dnssec-keygen -a hmac-md5 -b 128 -n HOST any
named.conf contents:
key "rndc-key" {
    algorithm hmac-md5;
    secret "s6nZpVLBaIor85SFx4hvog==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
    channel query_log {
        file "/var/log/named.log" versions 3 size 20m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category queries { query_log; };
    category lame-servers { null; };
};
options {
    directory "/usr/local/bind/etc";
    pid-file "named.pid";
    allow-query { any; };
    #allow-recursion { none; };
    recursion no;
    listen-on port 53 { 192.168.1.60; 127.0.0.1; };
    listen-on-v6 port 53 { any; };
};
#TSIG-key
key "cnc"  { algorithm hmac-md5; secret "R9S1fBP2sZFpPilKfjyg=="; };
key "ct"   { algorithm hmac-md5; secret "B770VaC6LdwDgt3Sy59Vlw=="; };
key "edu"  { algorithm hmac-md5; secret "DFsPQkIPB/HXsV7vToKatw=="; };
key "cmcc" { algorithm hmac-md5; secret "APpxsffFQLFyYZ0sIIKbrw=="; };
key "any"  { algorithm hmac-md5; secret "UUADyQriCDB8U6cZVVcprr=="; };
acl "dns-ip-list" {
    192.168.1.60;    # master DNS IP
    192.168.1.61;    # slave DNS IP
};
include "/usr/local/bind/etc/ip_base/cnc.txt";
include "/usr/local/bind/etc/ip_base/ct.txt";
include "/usr/local/bind/etc/ip_base/cmcc.txt";
include "/usr/local/bind/etc/ip_base/edu.txt";
include "/usr/local/bind/etc/view.conf";
Configure the ACL for each operator:
# cat cnc.txt (only one file is shown here as an example)
acl cnc {
202.85.216.0/22;
202.85.221.0/24;
202.85.222.0/23;
202.95.18.145/32;
202.95.18.146/31;
202.95.18.148/30;
202.95.18.152/29;
202.95.18.160/27;
202.95.18.192/26;
};
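A check I would run over these ACL files before loading them (added example, not from the article): parse every acl block in the format of cnc.txt above and report prefixes that appear under more than one operator. BIND uses the first view whose match-clients matches, so a prefix listed under two operators silently gets the first view's answers. The two file contents are constructed samples; the 202.85.218.0/24 entry under ct deliberately sits inside cnc's 202.85.216.0/22.

```python
import ipaddress
import re

# Constructed sample ACL files in the format of the article's cnc.txt; the
# 202.85.218.0/24 entry under ct deliberately overlaps cnc's 202.85.216.0/22.
ACL_FILES = {
    "cnc.txt": "acl cnc{\n202.85.216.0/22;\n202.85.221.0/24;\n202.95.18.145/32;\n};",
    "ct.txt": "acl ct {\n202.85.218.0/24;   # overlaps cnc\n58.32.0.0/13;\n};",
}

ACL_RE = re.compile(r'acl\s+"?(\w[\w-]*)"?\s*\{(.*?)\};', re.S)

def parse_acls(text):
    """Return {acl_name: [ip_network, ...]} for every acl block in text."""
    acls = {}
    for name, body in ACL_RE.findall(text):
        body = re.sub(r"#[^\n]*", "", body)      # strip # comments to end of line
        nets = []
        for entry in body.split(";"):
            entry = entry.strip()
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        acls[name] = nets
    return acls

def find_overlaps(acls):
    """List (acl_a, prefix_a, acl_b, prefix_b) for prefixes shared by two ACLs."""
    names = sorted(acls)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in acls[a]:
                for nb in acls[b]:
                    if na.version == nb.version and na.overlaps(nb):
                        hits.append((a, str(na), b, str(nb)))
    return hits

def check_files(files=ACL_FILES):
    """Parse every ACL file and report cross-ACL overlaps."""
    merged = {}
    for text in files.values():
        merged.update(parse_acls(text))
    return find_overlaps(merged)

if __name__ == "__main__":
    for a, na, b, nb in check_files():
        print(f"overlap: acl {a} {na} <-> acl {b} {nb}")
```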
IV. Configuring Bind-View-DLZ-MySQL:
1. Configure view.conf
vim /usr/local/bind/etc/view/view.conf
view "CMCC_view" {
    match-clients { key cmcc; dns-ip-list; CMCC; };
    allow-query-cache { none; };
    allow-recursion { none; };
    allow-transfer { none; };
    recursion no;
    dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=dns_view ssl=false port=3306 user=root pass=pass%!#@larry }
        {select zone from dnstb where zone = '%zone%' and view = 'CMCC' limit 1 }
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' and (view = 'CMCC' or view = 'OP')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='CMCC'}
        {select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='CMCC' limit 1}
        {update data_count set count = count + 1 where zone ='%zone%' and view='CMCC'}";
    };
};
view "CNC_view" {
    match-clients { key cnc; dns-ip-list; CNC; };
    allow-query-cache { none; };
    allow-recursion { none; };
    allow-transfer { none; };
    recursion no;
    dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=dns_view ssl=false port=3306 user=root pass=pass%!#@larry }
        {select zone from dnstb where zone = '%zone%' and view = 'CNC' limit 1 }
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' and (view = 'CNC' or view = 'OP')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='CNC'}
        {select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='CNC' limit 1}
        {update data_count set count = count + 1 where zone ='%zone%' and view='CNC'}";
    };
};
view "EDU_view" {
    match-clients { key edu; dns-ip-list; EDU; };
    allow-query-cache { none; };
    allow-recursion { none; };
    allow-transfer { none; };
    recursion no;
    dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=dns_view ssl=false port=3306 user=root pass=pass%!#@larry }
        {select zone from DNS_ALL where zone = '%zone%' and view = 'EDU' limit 1 }
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' and (view = 'EDU' or view = 'OP')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='EDU'}
        {select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='EDU' limit 1}
        {update data_count set count = count + 1 where zone ='%zone%' and view='EDU'}";
    };
};
view "CT_view" {
    match-clients { key ct; dns-ip-list; CT; };
    allow-query-cache { none; };
    allow-recursion { none; };
    allow-transfer { none; };
    recursion no;
    dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=dns_view ssl=false port=3306 user=root pass=pass%!#@larry }
        {select zone from DNS_ALL where zone = '%zone%' and view = 'CT' limit 1 }
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' and (view = 'CT' or view = 'OP')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='CT'}
        {select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='CT' limit 1}
        {update data_count set count = count + 1 where zone ='%zone%' and view='CT'}";
    };
};
view "any_view" {
    match-clients { key any; dns-ip-list; ANY; };
    allow-query-cache { none; };
    allow-recursion { none; };
    allow-transfer { none; };
    recursion no;
    dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=dns_view ssl=false port=3306 user=root pass=pass%!#@larry }
        {select zone from dnstb where zone = '%zone%' and view = 'ANY' limit 1 }
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' and (view = 'ANY' or view='OP')}
        {}
        {select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='ANY'}
        {select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='ANY' limit 1}
        {update data_count set count = count + 1 where zone ='%zone%' and view='ANY'}";
    };
};
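The five view blocks differ only in view name, TSIG key and ACL, and hand-copying them is how the query strings drift (the findzone query above reads dnstb in three views and DNS_ALL in two). Added example, not part of the article: a Python generator that renders every view from one template. It keeps the article's table and column names and DLZ query slots, but using dnstb for findzone in every view and the dns_dlz user with a placeholder password instead of root are this example's own assumptions.

```python
# Added example (not from the article): render view.conf for every ISP view
# from one template so the per-view DLZ query strings cannot drift apart.
# Table/column names are the article's; using dnstb for findzone in all views
# (the article uses DNS_ALL in two) and the DB credentials are assumptions.
VIEWS = [("CMCC_view", "cmcc", "CMCC"), ("CNC_view", "cnc", "CNC"),
         ("EDU_view", "edu", "EDU"), ("CT_view", "ct", "CT"),
         ("any_view", "any", "ANY")]

# DLZ mysql query slots in order: findzone, lookup, authority (unused, empty),
# allnodes, allowzonexfr, countzone. %zone% %record% %client% are filled by DLZ.
QUERIES = [
    "select zone from dnstb where zone = '%zone%' and view = '{v}' limit 1",
    "select ttl, type, mx_priority, case when lower(type)='txt' then "
    "concat('\\\"', data, '\\\"') when lower(type) = 'soa' then concat_ws(' ', "
    "data, resp_person, serial, refresh, retry, expire, minimum) else data end "
    "as mydata from DNS_ALL where zone = '%zone%' and host = '%record%' "
    "and (view = '{v}' or view = 'OP')",
    "",
    "select ttl, type, host, mx_priority, case when lower(type)='txt' then "
    "concat('\\\"', data, '\\\"') else data end as mydata, resp_person, serial, "
    "refresh, retry, expire, minimum from dnstb where zone = '%zone%' and view='{v}'",
    "select zone from xfr_table where zone = '%zone%' and client = '%client%' "
    "and view='{v}' limit 1",
    "update data_count set count = count + 1 where zone ='%zone%' and view='{v}'",
]

def render_view(name, key, tag, db="dns_view", user="dns_dlz", password="CHANGE_ME"):
    """Return one BIND view block; user/password are placeholders to replace."""
    conn = f"mysql {{host=127.0.0.1 dbname={db} ssl=false port=3306 user={user} pass={password} }}"
    slots = "\n        ".join("{" + q.format(v=tag) + "}" for q in QUERIES)
    return (
        f'view "{name}" {{\n'
        f"    match-clients {{ key {key}; dns-ip-list; {tag}; }};\n"
        "    allow-query-cache { none; };\n"
        "    allow-recursion { none; };\n"
        "    allow-transfer { none; };\n"
        "    recursion no;\n"
        '    dlz "Mysql zone" {\n'
        f'        database "{conn}\n        {slots}";\n'
        "    };\n"
        "};\n"
    )

def render_all(views=VIEWS):
    """Concatenate all view blocks in order; BIND uses the first that matches."""
    return "\n".join(render_view(*v) for v in views)

if __name__ == "__main__":
    print(render_all())
```

Redirect the output to view.conf and run named-checkconf on the result before reloading.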
2. Creating the DLZ database tables
V. Adding records and testing
- SOA
VI. Configuring the slave DNS:
1. Install MySQL (omitted)
2. Install BIND; the configuration is identical to the master's and can be synced over with rsync.
3. MySQL master-slave replication:
1) Master configuration
Create the replication user
mysql -u root
mysql> UNLOCK TABLES;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'larry'@'%' IDENTIFIED BY 'pass%!#@larry' WITH GRANT OPTION;
mysql> exit
Edit the configuration file, then pack up the var directory and copy it to the slave.
vim /etc/my.cnf
[mysqld]    # add the following items under [mysqld]
long_query_time = 5
expire_logs_days = 3
binlog-do-db=cdn_view        # database to replicate
binlog-ignore-db=mysql       # database not to replicate
binlog_format=mixed
server-id = 160              # must be unique on the network
mysqladmin -u root -S /tmp/mysql.sock shutdown    # restart MySQL
/usr/local/mysql/bin/mysqld_safe --defaults-file=/etc/my.cnf &
2) Slave configuration:
Change server-id=1 in my.cnf to 161
#log-bin=mysql-bin     // comment out these two lines
#binlog_format=mixed   // and replace them with the following
VII. With smart DNS you can easily implement enterprise DNS functions, and by combining it with Squid, Nginx and Varnish you can build a CDN architecture.