Subdomain delegation and compiling BIND from source (part 2)
阿新 • Published: 2017-09-18
Blog | linux | operations
Subdomain delegation; forward zones (a child domain resolving its parent); DNS security configuration (defining ACLs, built-in ACL names, ACL-based security directives); split-horizon ("intelligent") DNS with views; CDN and global load balancing; compiling and installing BIND; DNS stress testing.
1. Restore snapshot
2. Caching server
3. Forward and reverse zone file configuration
4. Master/slave synchronization
5. Subdomain delegation
6. Forward zones
7. Security configuration
8. Split-horizon DNS with views
9. Compiling and installing BIND
10. Stress testing
Topology model (figure)
1. Configure the NTP server <192.168.58.131>

1) Install ntp
    # yum -y -q install ntp
2) Configure ntp
    # cp -v /etc/ntp.conf{,.bak}
   Add to the file:
    restrict 192.168.58.0 mask 255.255.255.0 nomodify notrap
3) Start ntp
    # service ntpd start
2. Caching server <192.168.58.131>

1) Install the packages
    # yum -y -q install bind bind-utils bind-libs
2) Edit the configuration
    # cp -v /etc/named.conf{,.bak}
    # vim /etc/named.conf
    options {
        listen-on port 53 { 192.168.58.129; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        /* bindkeys-file "/etc/named.iscdlv.key";
           managed-keys-directory "/var/named/dynamic"; */
    };
3) Start the service
    # service named start
4) Check that the service is listening on port 53
    # ss -tunlp | grep 53
    udp UNCONN 0 0   192.168.58.131:53 *:*  users:(("named",1784,513))
    udp UNCONN 0 0   127.0.0.1:53      *:*  users:(("named",1784,512))
    udp UNCONN 0 0   ::1:53            :::* users:(("named",1784,514))
    tcp LISTEN 0 3   ::1:53            :::* users:(("named",1784,22))
    tcp LISTEN 0 3   192.168.58.131:53 *:*  users:(("named",1784,21))
    tcp LISTEN 0 3   127.0.0.1:53      *:*  users:(("named",1784,20))
    tcp LISTEN 0 128 ::1:953           :::* users:(("named",1784,24))
    tcp LISTEN 0 128 127.0.0.1:953     *:*  users:(("named",1784,23))
3. Forward and reverse zone file configuration

Forward zone

1) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
    };
2) Check the configuration
    # named-checkconf
3) Add the zone file
    # vim /var/named/magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @           IN  SOA    @ lccnx.foxmail.com. (
                           20170917
                           1H
                           10M
                           1W
                           1D )
                IN  NS     ns1
                IN  NS     ns2
                IN  MX 10  mx1
                IN  MX 20  mx2
    ns1         IN  A      192.168.58.131
    ns2         IN  A      192.168.58.129
    mx1         IN  A      192.168.58.131
    mx2         IN  A      192.168.58.129
    www         IN  A      192.168.58.131
    www         IN  A      192.168.58.129
    *           IN  A      192.168.58.131
    magedu.com. IN  A      192.168.58.131
    ftp         IN  CNAME  www
4) Permissions
    # ls -l /var/named        // show the files' owner and permissions
    總用量 32
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r--r-- 1 root  root   358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root  named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root  named  152 12月 15 2009 named.empty
    -rw-r----- 1 root  named  152 6月 21 2007 named.localhost
    -rw-r----- 1 root  named  168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
    # ps axu | fgrep named    // the process name is named
    named  1784 0.0 4.0 48040 10128 ?     Ssl 18:49 0:00 /usr/sbin/named -u named
    root   1806 0.0 0.2  5752   648 pts/0 S+  18:57 0:00 fgrep named
    # id named                // the named user's group is named
    uid=25(named) gid=25(named) 組=25(named)
    # chgrp named /var/named/magedu.com.zone
    # chmod 640 /var/named/magedu.com.zone
    # ls -l /var/named
    總用量 32
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r----- 1 root  named  358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root  named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root  named  152 12月 15 2009 named.empty
    -rw-r----- 1 root  named  152 6月 21 2007 named.localhost
    -rw-r----- 1 root  named  168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
5) Check the zone file
    # named-checkzone "magedu.com" /var/named/magedu.com.zone
    zone magedu.com/IN: loaded serial 20170917
    OK
6) Reload the configuration
    # pgrep named
    1784
    # kill -HUP 1784
    # rndc status
    version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
    CPUs found: 1
    worker threads: 1
    number of zones: 20
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
7) Test resolution
    # dig -t A www.magedu.com @192.168.58.131

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.131
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32246
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.               IN  A

    ;; ANSWER SECTION:
    www.magedu.com.     86400  IN  A   192.168.58.129
    www.magedu.com.     86400  IN  A   192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com.         86400  IN  NS  ns2.magedu.com.
    magedu.com.         86400  IN  NS  ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns1.magedu.com.     86400  IN  A   192.168.58.131
    ns2.magedu.com.     86400  IN  A   192.168.58.129

    ;; Query time: 2 msec
    ;; SERVER: 192.168.58.131#53(192.168.58.131)
    ;; WHEN: Sun Sep 17 19:01:53 2017
    ;; MSG SIZE  rcvd: 132

    # host -t A www.magedu.com 192.168.58.131
    Using domain server:
    Name: 192.168.58.131
    Address: 192.168.58.131#53
    Aliases:

    www.magedu.com has address 192.168.58.131
    www.magedu.com has address 192.168.58.129
Reverse zone

    # pwd
    /var/named
    # cp -p magedu.com.zone lcc.org     // copy, then edit it into the reverse zone file
    # ls -l
    總用量 36
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r----- 1 root  named  358 9月 17 18:56 lcc.org
    -rw-r----- 1 root  named  358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root  named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root  named  152 12月 15 2009 named.empty
    -rw-r----- 1 root  named  152 6月 21 2007 named.localhost
    -rw-r----- 1 root  named  168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
1) Add the configuration
    # vim + /etc/named.rfc1912.zones
    zone "58.168.192.in-addr.arpa" IN {
        type master;
        file "lcc.org";     // path relative to the directory option
    };
2) Check the configuration
    # named-checkconf
3) Edit the reverse zone file
    # vim /var/named/lcc.org
    $TTL 1D
    $ORIGIN 58.168.192.in-addr.arpa.
    @       IN  SOA  @ lccnx.foxmail.com. (
                     20170917
                     1H
                     10M
                     1W
                     1D )
            IN  NS   ns1.magedu.com.
            IN  NS   ns2.magedu.com.
    131     IN  PTR  ns1.magedu.com.
    129     IN  PTR  ns2.magedu.com.
    131     IN  PTR  mx1.magedu.com.
    129     IN  PTR  mx2.magedu.com.
    131     IN  PTR  www.magedu.com.
    129     IN  PTR  www.magedu.com.
4) Check the zone file
    # named-checkzone "58.168.192.in-addr.arpa" /var/named/lcc.org
    zone 58.168.192.in-addr.arpa/IN: loaded serial 20170917
    OK
5) Reload the configuration
    # rndc reload
    server reload successful
    # rndc status
    version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
    CPUs found: 1
    worker threads: 1
    number of zones: 21     // one more zone than before
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
6) Test
    # nslookup
    > server 192.168.58.131     // IP of the DNS server
    Default server: 192.168.58.131
    Address: 192.168.58.131#53
    > set q=PTR                 // query type
    > 192.168.58.129            // IP to resolve
    Server:  192.168.58.131
    Address: 192.168.58.131#53

    129.58.168.192.in-addr.arpa name = ns2.magedu.com.
    129.58.168.192.in-addr.arpa name = mx2.magedu.com.
    129.58.168.192.in-addr.arpa name = www.magedu.com.
    > 192.168.58.131
    Server:  192.168.58.131
    Address: 192.168.58.131#53

    131.58.168.192.in-addr.arpa name = www.magedu.com.
    131.58.168.192.in-addr.arpa name = ns1.magedu.com.
    131.58.168.192.in-addr.arpa name = mx1.magedu.com.
    > exit
    #
4. Master/slave synchronization <192.168.3.129>

Forward zone slave

1) Configure the host as a caching DNS server (as in section 2), with
    dnssec-enable no;
    dnssec-validation no;
   and synchronize its clock:
    # ntpdate 192.168.58.131
2) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type slave;
        masters { 192.168.58.131; };
        file "slaves/magedu.com.zone";
    };
3) Check the syntax
    # named-checkconf
4) Reload the configuration
    # rndc reload
    server reload successful
5) Watch the log
    # tail -f /var/log/messages
    Sep 9 19:43:45 localhost named[26184]: reloading zones succeeded
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: Transfer started.
    Sep 9 19:43:45 localhost named[26184]: transfer of 'magedu.com/IN' from 192.168.58.131#53: connected using 192.168.58.129#37616
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: transferred serial 20170917
    Sep 9 19:43:45 localhost named[26184]: transfer of 'magedu.com/IN' from 192.168.58.131#53: Transfer completed: 1 messages, 15 records, 342 bytes, 0.005 secs (68400 bytes/sec)
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: sending notifies (serial 20170917)
6) Check the transferred file (see step 11)

Reverse zone slave

7) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "58.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.58.131; };
        file "slaves/lcc.org";
    };
8) Check the configuration
    # named-checkconf
9) Reload
    # rndc reload
    server reload successful
10) Watch the log
    # tail -f /var/log/messages
    Sep 9 19:46:40 localhost named[26184]: reloading zones succeeded
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: Transfer started.
    Sep 9 19:46:40 localhost named[26184]: transfer of '58.168.192.in-addr.arpa/IN' from 192.168.58.131#53: connected using 192.168.58.129#42508
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: transferred serial 20170917
    Sep 9 19:46:40 localhost named[26184]: transfer of '58.168.192.in-addr.arpa/IN' from 192.168.58.131#53: Transfer completed: 1 messages, 10 records, 277 bytes, 0.005 secs (55400 bytes/sec)
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: sending notifies (serial 20170917)
11) Check the files
    # ls /var/named/slaves/
    lcc.org  magedu.com.zone
12) On the master, bump the serial and add a resource record
    $TTL 1D
    $ORIGIN 58.168.192.in-addr.arpa.
    @       IN  SOA  @ lccnx.foxmail.com. (
                     20170918            ; serial changed
                     1H
                     10M
                     1W
                     1D )
            IN  NS   ns1.magedu.com.
            IN  NS   ns2.magedu.com.
    131     IN  PTR  ns1.magedu.com.
    129     IN  PTR  ns2.magedu.com.
    131     IN  PTR  mx1.magedu.com.
    129     IN  PTR  mx2.magedu.com.
    131     IN  PTR  www.magedu.com.
    129     IN  PTR  www.magedu.com.
    129     IN  PTR  ftp.magedu.com.    ; added RR
    # rndc reload
13) Check the result on the slave <192.168.58.129>
    $ORIGIN .
    $TTL 86400      ; 1 day
    58.168.192.in-addr.arpa IN SOA  58.168.192.in-addr.arpa. lccnx.foxmail.com. (
                                    20170918   ; serial
                                    3600       ; refresh (1 hour)
                                    600        ; retry (10 minutes)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
                                    )
                            NS      ns1.magedu.com.
                            NS      ns2.magedu.com.
    $ORIGIN 58.168.192.in-addr.arpa.
    129                     PTR     ns2.magedu.com.
                            PTR     mx2.magedu.com.
                            PTR     www.magedu.com.
                            PTR     ftp.magedu.com.
    131                     PTR     ns1.magedu.com.
                            PTR     mx1.magedu.com.
                            PTR     www.magedu.com.
14) Edit the master <192.168.58.131>
    # vim magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @           IN  SOA    @ lccnx.foxmail.com. (
                           20170918          ; serial + 1
                           1H
                           10M
                           1W
                           1D )
                IN  NS     ns1
                IN  NS     ns2
                IN  MX 10  mx1
                IN  MX 20  mx2
    ns1         IN  A      192.168.58.131
    ns2         IN  A      192.168.58.129
    mx1         IN  A      192.168.58.131
    mx2         IN  A      192.168.58.129
    www         IN  A      192.168.58.131
    www         IN  A      192.168.58.129
    *           IN  A      192.168.58.131
    magedu.com. IN  A      192.168.58.131
    ftp         IN  CNAME  www
    pop3        IN  CNAME  www           ; added pop3 RR
15) Check the zone file
    # named-checkzone "magedu.com" magedu.com.zone
    zone magedu.com/IN: loaded serial 20170918
    OK
16) Reload
    # rndc reload
    server reload successful
17) Check the slave
    $ORIGIN .
    $TTL 86400      ; 1 day
    magedu.com              IN SOA  magedu.com. lccnx.foxmail.com. (
                                    20170918   ; serial (the +1 is visible)
                                    3600       ; refresh (1 hour)
                                    600        ; retry (10 minutes)
                                    604800     ; expire (1 week)
                                    86400      ; minimum (1 day)
                                    )
                            NS      ns1.magedu.com.
                            NS      ns2.magedu.com.
                            A       192.168.58.131
                            MX      10 mx1.magedu.com.
                            MX      20 mx2.magedu.com.
    $ORIGIN magedu.com.
    *                       A       192.168.58.131
    ftp                     CNAME   www
    mx1                     A       192.168.58.131
    mx2                     A       192.168.58.129
    ns1                     A       192.168.58.131
    ns2                     A       192.168.58.129
    pop3                    CNAME   www        ; the pop3 record has been synchronized
    www                     A       192.168.58.131
                            A       192.168.58.129
5. Subdomain delegation <192.168.58.130>

1) Delegate the subdomain in the master DNS
    # vim magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @           IN  SOA    @ lccnx.foxmail.com. (
                           20170918
                           1H
                           10M
                           1W
                           1D )
                IN  NS     ns1
                IN  NS     ns2
                IN  MX 10  mx1
                IN  MX 20  mx2
    ns1         IN  A      192.168.58.131
    ns2         IN  A      192.168.58.129
    mx1         IN  A      192.168.58.131
    mx2         IN  A      192.168.58.129
    www         IN  A      192.168.58.131
    www         IN  A      192.168.58.129
    *           IN  A      192.168.58.131
    magedu.com. IN  A      192.168.58.131
    ftp         IN  CNAME  www
    pop3        IN  CNAME  www
    ops         IN  NS     ns1.ops.magedu.com.
    ops         IN  NS     ns2.ops.magedu.com.
    ns1.ops     IN  A      192.168.58.130
    ns2.ops     IN  A      192.168.58.139
2) Configure the other host
   a) Set up a caching DNS server
        # yum -q -y install bind bind-libs bind-utils
   b) Configure /etc/named.conf
        # cp -v /etc/named.conf{,.bak}
   c) Start:
        # service named start
   d) Check:
        # ss -tunlp | fgrep 53
   e) Configure /etc/named.rfc1912.zones
        zone "ops.magedu.com" IN {
            type master;
            file "ops.magedu.com.zone";
        };
   f) Check:
        # named-checkconf
   g) Zone file:
        $TTL 1D
        $ORIGIN ops.magedu.com.
        @       IN  SOA  @ lccnx.foxmail.com. (
                         20170917
                         1H
                         10M
                         1W
                         1D )
                IN  NS   ns1
                IN  NS   ns2
        ns1     IN  A    192.168.58.130
        ns2     IN  A    192.168.58.139
        www     IN  A    192.168.58.130
        www     IN  A    192.168.58.139
   h) Permissions
        # chmod 640 ops.magedu.com.zone
        # chown :named ops.magedu.com.zone
   i) Check
        # named-checkzone "ops.magedu.com" ops.magedu.com.zone
        zone ops.magedu.com/IN: loaded serial 20170917
        OK
   j) Reload
        # rndc reload
   k) Test
        # dig -t A www.ops.magedu.com @192.168.58.130

        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.ops.magedu.com @192.168.58.130
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33988
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

        ;; QUESTION SECTION:
        ;www.ops.magedu.com.           IN  A

        ;; ANSWER SECTION:
        www.ops.magedu.com.   86400  IN  A   192.168.58.139
        www.ops.magedu.com.   86400  IN  A   192.168.58.130

        ;; AUTHORITY SECTION:
        ops.magedu.com.       86400  IN  NS  ns2.ops.magedu.com.
        ops.magedu.com.       86400  IN  NS  ns1.ops.magedu.com.

        ;; ADDITIONAL SECTION:
        ns1.ops.magedu.com.   86400  IN  A   192.168.58.130
        ns2.ops.magedu.com.   86400  IN  A   192.168.58.139

        ;; Query time: 1 msec
        ;; SERVER: 192.168.58.130#53(192.168.58.130)
        ;; WHEN: Sun Sep 17 22:10:00 2017
        ;; MSG SIZE  rcvd: 136

Resolution across the delegation

1) The parent resolving the child <192.168.58.131>
    # dig -t A www.ops.magedu.com @192.168.58.131

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.ops.magedu.com @192.168.58.131
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15973
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.ops.magedu.com.           IN  A

    ;; ANSWER SECTION:
    www.ops.magedu.com.   86400  IN  A   192.168.58.130
    www.ops.magedu.com.   86400  IN  A   192.168.58.139

    ;; AUTHORITY SECTION:
    ops.magedu.com.       86400  IN  NS  ns2.ops.magedu.com.
    ops.magedu.com.       86400  IN  NS  ns1.ops.magedu.com.

    ;; ADDITIONAL SECTION:
    ns1.ops.magedu.com.   86400  IN  A   192.168.58.130
    ns2.ops.magedu.com.   86400  IN  A   192.168.58.139

    ;; Query time: 15 msec
    ;; SERVER: 192.168.58.131#53(192.168.58.131)
    ;; WHEN: Sun Sep 17 22:12:10 2017
    ;; MSG SIZE  rcvd: 136
2) The child resolving the parent
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 562
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 16

    ;; QUESTION SECTION:
    ;www.magedu.com.               IN  A

    ;; ANSWER SECTION:
    www.magedu.com.       477     IN  A   101.200.188.230

    ;; AUTHORITY SECTION:
    magedu.com.           172677  IN  NS  ns1.alidns.com.
    magedu.com.           172677  IN  NS  ns2.alidns.com.

    ;; ADDITIONAL SECTION:
    ns1.alidns.com.       172677  IN  A   106.11.141.121
    ns1.alidns.com.       172677  IN  A   106.11.211.51
    ns1.alidns.com.       172677  IN  A   106.11.211.61
    ns1.alidns.com.       172677  IN  A   140.205.41.11
    ns1.alidns.com.       172677  IN  A   140.205.41.21
    ns1.alidns.com.       172677  IN  A   140.205.81.11
    ns1.alidns.com.       172677  IN  A   140.205.81.21
    ns1.alidns.com.       172677  IN  A   106.11.141.111
    ns2.alidns.com.       172677  IN  A   106.11.211.52
    ns2.alidns.com.       172677  IN  A   106.11.211.62
    ns2.alidns.com.       172677  IN  A   140.205.41.12
    ns2.alidns.com.       172677  IN  A   140.205.41.22
    ns2.alidns.com.       172677  IN  A   140.205.81.12
    ns2.alidns.com.       172677  IN  A   140.205.81.22
    ns2.alidns.com.       172677  IN  A   106.11.141.112
    ns2.alidns.com.       172677  IN  A   106.11.141.122

    ;; Query time: 1 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:12:59 2017
    ;; MSG SIZE  rcvd: 347

   Note that this answer comes from the public magedu.com zone (served by ns1.alidns.com/ns2.alidns.com), not from the lab master: the child server holds no pointer to the parent, so it recurses from the root. The forward zone in the next section is what sends such queries to the lab servers.
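The delegation only works when the NS records and glue the parent publishes for ops.magedu.com agree with what the child zone itself serves. The following check is an added example for this post (not the author's code): it parses both zone files in the format used here and reports a mismatched NS set or stale glue; the two zone texts are constructed from the magedu.com and ops.magedu.com files shown above.

```python
"""Check that a parent zone's delegation of a subdomain agrees with the child
zone: same NS set, and the parent's glue A records equal the child's own A records.
Added example for this post, not the author's code; the two zone texts are
constructed from the magedu.com / ops.magedu.com files shown above."""
import re

PARENT_ZONE = """\
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
        IN NS ns1
        IN NS ns2
ns1     IN A  192.168.58.131
ns2     IN A  192.168.58.129
www     IN A  192.168.58.131
ops     IN NS ns1.ops.magedu.com.
ops     IN NS ns2.ops.magedu.com.
ns1.ops IN A  192.168.58.130
ns2.ops IN A  192.168.58.139
"""

CHILD_ZONE = """\
$TTL 1D
$ORIGIN ops.magedu.com.
@       IN SOA @ lccnx.foxmail.com. ( 20170917 1H 10M 1W 1D )
        IN NS ns1
        IN NS ns2
ns1     IN A  192.168.58.130
ns2     IN A  192.168.58.139
www     IN A  192.168.58.130
"""


def fqdn(name, origin):
    """Qualify a zone-file name against $ORIGIN ('@' means the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) triples with fully qualified names.
    Handles $ORIGIN, owner inheritance on indented lines, ';' comments and
    the parenthesised multi-field SOA; enough for the files in this post."""
    # fold "( ... )" onto one logical line so the SOA parses like any record
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    origin, owner, records = ".", None, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue                        # $TTL etc. are irrelevant here
        if line[0] not in " \t":            # a new owner name starts the line
            owner_token, line = line.split(None, 1)
            owner = fqdn(owner_token, origin)
        fields = line.split()
        if fields[0] == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return records


def check_delegation(parent_text, child_text, child_apex):
    """Compare the parent's NS and glue for child_apex with the child's apex
    NS and A records. Returns a list of problems; an empty list is consistent."""
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    parent_ns = {r for o, t, r in parent if o == child_apex and t == "NS"}
    child_ns = {r for o, t, r in child if o == child_apex and t == "NS"}
    problems = []
    if parent_ns != child_ns:
        problems.append(f"NS mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child_apex):
            continue                        # name server outside the child: no glue needed
        glue = {r for o, t, r in parent if o == ns and t == "A"}
        real = {r for o, t, r in child if o == ns and t == "A"}
        if not glue:
            problems.append(f"missing glue A for {ns} in parent")
        elif glue != real:
            problems.append(f"glue for {ns} is {sorted(glue)} but child says {sorted(real)}")
    return problems


if __name__ == "__main__":
    print(check_delegation(PARENT_ZONE, CHILD_ZONE, "ops.magedu.com.") or "delegation OK")
```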
6. Forward zones <192.168.1.130>

1) Forward everything
    # vim /etc/named.conf
    options {
        listen-on port 53 { 192.168.58.0/24; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        forward first;
        forwarders { 192.168.58.131; };
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
    };
    # named-checkconf
    # rndc reload
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.               IN  A

    ;; ANSWER SECTION:
    www.magedu.com.     86400  IN  A   192.168.58.129
    www.magedu.com.     86400  IN  A   192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com.         86400  IN  NS  ns2.magedu.com.
    magedu.com.         86400  IN  NS  ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns2.magedu.com.     86400  IN  A   192.168.58.129
    ns1.magedu.com.     86400  IN  A   192.168.58.131

    ;; Query time: 6 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:21:14 2017
    ;; MSG SIZE  rcvd: 132
2) Forward one zone only
    # vim /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type forward;
        forward first;
        forwarders { 192.168.58.129; };
    };
    # named-checkconf
    # rndc reload
   Verify on the slave <192.168.58.129>: first change the master's serial and run rndc reload; once the slave has synchronized, turn on query logging on the slave:
    # rndc querylog
    Sep 17 22:24:13 localhost named[26184]: query logging is now on
    Sep 17 22:24:31 localhost named[26184]: client 192.168.58.130#30952: query: www.magedu.com IN A +EDC (192.168.58.129)
   The logged client is the forwarding server; this is the query it sent when the following lookup was run against it:
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62811
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.               IN  A

    ;; ANSWER SECTION:
    www.magedu.com.     86400  IN  A   192.168.58.129
    www.magedu.com.     86400  IN  A   192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com.         86400  IN  NS  ns2.magedu.com.
    magedu.com.         86400  IN  NS  ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns2.magedu.com.     86400  IN  A   192.168.58.129
    ns1.magedu.com.     86400  IN  A   192.168.58.131

    ;; Query time: 9 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:24:41 2017
    ;; MSG SIZE  rcvd: 132
7. Security configuration

1) Queries
    allow-query { any; };
2) Zone transfers: the master allows only the slave
    allow-transfer { 192.168.58.129; };
   everywhere else:
    allow-transfer { none; };
   or with an ACL:
    acl slaves {            // defined above the options block
        192.168.58.129;
    };
    // inside the zone statement:
    allow-transfer { slaves; };
3) Recursion: recurse only for internal hosts
    acl mynet {             // defined above the options block
        192.168.58.0/24;
        127.0.0.1;
    };
    options {
        allow-recursion { mynet; };     // limits recursion to the ACL
    };
4) Dynamic updates (allow-update): at most the DHCP server; normally nobody
    // inside the zone statement:
    allow-update { none; };
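A quick way to catch the weak settings this section tightens is to audit named.conf for them. The script below is an added example for this post (not the author's code and not a BIND tool): it parses a named.conf fragment with a minimal tokenizer and flags open recursion, open zone transfers and allow-update any; both configurations it checks are constructed from the options, acl and zone snippets shown above.

```python
"""Audit a named.conf fragment for what this post's security section restricts:
zone transfers, recursion and dynamic updates. Added example for this post, not
the author's code; LAB_CONF and HARDENED_CONF are constructed from the snippets above."""
import re

LAB_CONF = """\
options {
    allow-query { any; };
    recursion yes;
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
};
"""

HARDENED_CONF = """\
acl slaves { 192.168.58.129; };
acl mynet { 192.168.58.0/24; 127.0.0.1; };
options {
    allow-query { any; };
    recursion yes;
    allow-recursion { mynet; };
    allow-transfer { none; };
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { slaves; };
    allow-update { none; };
};
"""


def parse_named_conf(text):
    """Minimal named.conf parser: strips comments and returns a list of
    (head, body) pairs, body being a nested list for '{ ... }' or None."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0

    def block():
        nonlocal pos
        stmts, head = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == ";":
                if head:
                    stmts.append((" ".join(head), None))
                head = []
            elif tok == "{":
                stmts.append((" ".join(head), block()))
                head = []
            else:
                head.append(tok)
        return stmts

    return block()


def match_list(stmts, name):
    """Entries of the address match list of statement `name`, or None if absent."""
    for head, body in stmts:
        if head == name and body is not None:
            return [h for h, _ in body]
    return None


def scalar(stmts, name):
    """Value of a 'name value;' statement, or None if absent."""
    for head, body in stmts:
        parts = head.split()
        if body is None and len(parts) > 1 and parts[0] == name:
            return parts[1]
    return None


def audit(conf_text):
    """Return findings for open recursion, open AXFR and open dynamic updates."""
    findings = []
    top = parse_named_conf(conf_text)
    options = next((b for h, b in top if h == "options"), None) or []
    recursion = scalar(options, "recursion") or "yes"          # BIND default
    allow_rec = match_list(options, "allow-recursion")
    if recursion == "yes" and (allow_rec is None or "any" in allow_rec):
        findings.append("open resolver: recursion yes without a restrictive allow-recursion")
    default_xfer = match_list(options, "allow-transfer")      # BIND 9.8/9.10 default: any
    scopes = [top] + [b for h, b in top if h.startswith("view ") and b]   # zones may sit in views
    for scope in scopes:
        for head, body in scope:
            if not head.startswith("zone ") or body is None or scalar(body, "type") != "master":
                continue
            zname = head.split()[1].strip('"')
            xfer = match_list(body, "allow-transfer")
            if xfer is None:
                xfer = default_xfer
            if xfer is None or "any" in xfer:
                findings.append(f"zone {zname}: allow-transfer is open (anyone can AXFR the zone)")
            update = match_list(body, "allow-update")
            if update and "any" in update:
                findings.append(f"zone {zname}: allow-update any lets anyone change records")
    return findings
```

Run audit() over the text of a real named.conf (including named.rfc1912.zones if the zones live there) to get the same findings for a live server.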
Model (figure)

8. Split-horizon DNS with views

1) Build the lab environment (restore the snapshot)
   a) With SNAT and net.ipv4.ip_forward off, ping a host in the 192.168.1 network from a host in the 172.16 network
   b) Turn on net.ipv4.ip_forward and ping a host in the 192.168.1 network from a host in the 172.16 network
2) Configure DNS on host 172.16.128.1
   a) Mount the CD
        # [ -d /media/cdrom ] || install -d /media/cdrom
        # mount -r /dev/cdrom /media/cdrom
   b) Configure the yum repository
        # rm -rf /etc/yum.repos.d/*
        # vim /etc/yum.repos.d/CentOS-Base.repo
        [Base]
        name=Base repo for CentOS 6.9
        failovermethod=priority
        baseurl=file:///media/cdrom
        gpgcheck=1
        gpgkey=file:///media/cdrom/RPM-GPG-KEY-CentOS-6
        enabled=1
   c) Rebuild the cache
        # yum makecache
   d) Caching server
        # yum install bind bind-utils bind-libs
        # cp -v /etc/ntp.conf{,.bak}
        # vim
        # service ntpd start
        # cp -v /etc/named.conf{,.bak}
        # vim /etc/named.conf
        # named-checkconf
        # service named start
        # ss -tunlp | fgrep 53
   e) Configure views: once views are used, every zone must live inside a view, all in the same file
      i.   Remove the root zone from /etc/named.conf
      ii.  Add the root zone to /etc/named.rfc1912.zones (only in the view whose matched clients are allowed to recurse)
      iii. Check the syntax after adding it: # named-checkconf
      iv.  Add the forward zone
           Configuration:
            zone "magedu.com" IN {
                type master;
                file "magedu.com.zone";
                allow-update { none; };
                allow-transfer { 127.0.0.1; };
            };
           Zone file:
            # vim /var/named/magedu.com.zone
            $TTL 1D
            $ORIGIN magedu.com.
            @       IN  SOA  @ lccnx.foxmail.com. (
                             20170918
                             1H
                             10M
                             1W
                             1D )
                    IN  NS   ns1.magedu.com.
            ns1     IN  A    172.16.128.1
            www     IN  A    172.16.100.13
           Permissions:
            # chmod 640 /var/named/magedu.com.zone
            # chown :named /var/named/magedu.com.zone
           Reload:
            # rndc reload
           Test:
            # dig -t A www.magedu.com @172.16.128.1

            ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.magedu.com @172.16.128.1
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12511
            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

            ;; QUESTION SECTION:
            ;www.magedu.com.               IN  A

            ;; ANSWER SECTION:
            www.magedu.com.     86400  IN  A   172.16.100.13

            ;; AUTHORITY SECTION:
            magedu.com.         86400  IN  NS  ns1.magedu.com.

            ;; ADDITIONAL SECTION:
            ns1.magedu.com.     86400  IN  A   172.16.128.1

            ;; Query time: 4 msec
            ;; SERVER: 172.16.128.1#53(172.16.128.1)
            ;; WHEN: Sun Sep 17 19:27:22 2017
            ;; MSG SIZE  rcvd: 82

            # nslookup
            > server 172.16.128.1
            Default server: 172.16.128.1
            Address: 172.16.128.1#53
            > set q=A
            > www.magedu.com
            Server:  172.16.128.1
            Address: 172.16.128.1#53

            Name:    www.magedu.com
            Address: 172.16.100.13
            > exit
   f) Add the views: 172.16 resolves to the internal address, 192.168.3 and everyone else to the external address

      172.16 resolves to the internal address
        # vim /etc/named.conf
        acl mynet {
            172.16.0.0/16;
            127.0.0.1;
        };
        options { /* unchanged */ };
        # vim /etc/named.rfc1912.zones
        view internal {
            match-clients { mynet; };
            recursion yes;
            zone "." IN {
                type hint;
                file "named.ca";
            };
            zone "localhost.localdomain" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
            };
            zone "localhost" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
            };
            zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
            };
            zone "1.0.0.127.in-addr.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
            };
            zone "0.in-addr.arpa" IN {
                type master;
                file "named.empty";
                allow-update { none; };
            };
            zone "magedu.com" IN {
                type master;
                file "magedu.com.zone";
                allow-update { none; };
                allow-transfer { 127.0.0.1; };
            };
        };
        # named-checkconf
        # rndc reload
        # dig -t A www.magedu.com @172.16.128.1

        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.magedu.com @172.16.128.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64602
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

        ;; QUESTION SECTION:
        ;www.magedu.com.               IN  A

        ;; ANSWER SECTION:
        www.magedu.com.     86400  IN  A   172.16.100.13

        ;; AUTHORITY SECTION:
        magedu.com.         86400  IN  NS  ns1.magedu.com.

        ;; ADDITIONAL SECTION:
        ns1.magedu.com.     86400  IN  A   172.16.128.1

        ;; Query time: 2 msec
        ;; SERVER: 172.16.128.1#53(172.16.128.1)
        ;; WHEN: Sun Sep 17 19:34:33 2017
        ;; MSG SIZE  rcvd: 82

      192.168.3 and everyone else resolve to the external address
        # vim /etc/named.rfc1912.zones
        view external {
            match-clients { any; };
            recursion no;
            zone "magedu.com" IN {
                type master;
                file "magedu.com.external";
                allow-update { none; };
                allow-transfer { 127.0.0.1; };
            };
        };
        # named-checkconf
        # rndc reload
        server reload successful
        # cp -p /var/named/magedu.com.zone /var/named/magedu.com.external     // -p keeps the permissions
        # vim /var/named/magedu.com.external
        $TTL 1D
        $ORIGIN magedu.com.
        @       IN  SOA  @ lccnx.foxmail.com. (
                         20170918
                         1H
                         10M
                         1W
                         1D )
                IN  NS   ns1.magedu.com.
        ns1     IN  A    172.16.128.1
        www     IN  A    2.2.2.2
       Check:
        # named-checkzone "magedu.com" magedu.com.external
        zone magedu.com/IN: loaded serial 20170918
        OK
       Reload:
        # rndc reload
       Test from host 3.3 in the 192.168.3 network.
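To see how BIND picks between the internal and external views, here is an added example for this post (not the author's code): it evaluates acl/match-clients address match lists with BIND's first-match semantics and answers www.magedu.com from whichever view the client falls into. The ACL, the two views and their records are constructed from the configuration above; the in-memory zone data stands in for the two zone files.

```python
"""Select the BIND view a client falls into and answer a name from that view's
zone data, as in the post's internal/external split for www.magedu.com.
Added example for this post, not the author's code; ACLS and VIEWS are
constructed from the named.conf / named.rfc1912.zones snippets above."""
import ipaddress

# acl definition from /etc/named.conf (constructed)
ACLS = {
    "mynet": ["172.16.0.0/16", "127.0.0.1"],
}

# views in the order they appear in the file: the first matching view wins
VIEWS = [
    {"name": "internal", "match-clients": ["mynet"], "recursion": True,
     "zones": {"magedu.com.": {"www": "172.16.100.13", "ns1": "172.16.128.1"}}},
    {"name": "external", "match-clients": ["any"], "recursion": False,
     "zones": {"magedu.com.": {"www": "2.2.2.2", "ns1": "172.16.128.1"}}},
]


def match_list(entries, addr, acls):
    """BIND address-match-list semantics: the first element that matches the
    address decides, and a leading '!' on that element turns it into a deny.
    Elements may be 'any', 'none', an acl name, an address or a CIDR prefix."""
    for entry in entries:
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if entry == "any":
            hit = True
        elif entry == "none":
            hit = False
        elif entry in acls:
            hit = match_list(acls[entry], addr, acls)   # nested acl
        else:
            hit = addr in ipaddress.ip_network(entry, strict=False)
        if hit:
            return not negate
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return the first view whose match-clients accepts client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for view in views:
        if match_list(view["match-clients"], addr, acls):
            return view
    return None


def resolve(client_ip, qname, views=VIEWS, acls=ACLS):
    """Answer qname for client_ip from the matching view's authoritative data.
    Returns (view_name, address_or_None, recursion_allowed); view_name is None
    when no view matches, which BIND answers with REFUSED."""
    view = select_view(client_ip, views, acls)
    if view is None:
        return (None, None, False)
    labels = qname.rstrip(".").split(".")
    # walk up the name until we find a zone this view is authoritative for
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in view["zones"]:
            owner = ".".join(labels[:i]) or "@"
            return (view["name"], view["zones"][zone].get(owner), view["recursion"])
    return (view["name"], None, view["recursion"])   # not authoritative in this view


if __name__ == "__main__":
    for client in ("172.16.100.50", "192.168.3.3"):
        print(client, "->", resolve(client, "www.magedu.com"))
```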
9. Compiling and installing BIND

1) Restore the snapshot
2) Download the BIND C source
    # wget -c -nc https://www.isc.org/downloads/file/bind-9-10-6/
3) Unpack and compile
4) Post-compile steps
5) Configuration file
6) Zone files
7) rndc file
8) Prepare a service script
3) Unpack and compile
    # tar xf bind-9.10.6.tar.gz
    # cd bind-9.10.6
    # yum groupinstall "Development Tools" "Server Platform Development"
    # groupadd -r -g 53 named
    # useradd -r -g 53 -u 53 named
    # ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
        --disable-chroot    a chroot is inconvenient to work with here
        --prefix=           a private prefix makes removal easy
        --enable-threads    makes better use of a multi-core CPU
    # make -j 4 && make install
4) Post-compile steps
   Export PATH
    # ls /usr/local/bind9/
    bin  include  lib  sbin  share  var
    # vim /etc/profile.d/named.sh
    declare -x PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
    # . /etc/profile.d/named.sh
   Libraries
    # vim /etc/ld.so.conf.d/named.conf
    /usr/local/bind9/lib
    # ldconfig -v
   Header files
    # ln -sv /usr/local/bind9/include /usr/include/named
   Man pages
    # vim /etc/man.config
    MANPATH /usr/man
    MANPATH /usr/share/man
    MANPATH /usr/local/man
    MANPATH /usr/local/share/man
    MANPATH /usr/X11R6/man
    MANPATH /usr/local/bind9/share/man
5) Configuration file
    # vim /etc/named/named.conf
    options {
        directory "/var/named";
        allow-query { any; };
        allow-recursion { any; };      // lab setting; section 7 restricts this to an ACL
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { any; };         // lab setting; section 7 recommends none
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.loopback";
        allow-update { any; };         // lab setting; section 7 recommends none
    };
6) Zone files
    # install -d /var/named
    # vim /var/named/named.localhost
    $TTL 1D
    $ORIGIN localhost.
    @       IN  SOA  @ lccnx.foxmail.com. (
                     20170918
                     1H
                     10M
                     1W
                     1D )
            IN  NS   localhost.
            IN  A    127.0.0.1
    # vim /var/named/named.loopback
    $TTL 1D
    $ORIGIN 0.0.127.in-addr.arpa.
    @       IN  SOA  @ lccnx.foxmail.com. (
                     20170918
                     1H
                     10M
                     1W
                     1D )
            IN  NS   localhost.
    1       IN  PTR  localhost.
    # dig -t NS . > /var/named/named.ca
   Permissions
    # chmod 640 /var/named/named.ca
    # chown :named /var/named/named.ca
    # ls -l /var/named/named.ca
    -rw-r----- 1 root named 2188 Sep 9 20:40 /var/named/named.ca
    # chown :named /etc/named/named.conf /var/named/named.lo*
    # chmod 640 /etc/named/named.conf /var/named/named.lo*
    # ls -l /etc/named/named.conf /var/named/named.lo*
    -rw-r----- 1 root named 512 Sep 9 20:25 /etc/named/named.conf
    -rw-r----- 1 root named 125 Sep 9 20:27 /var/named/named.localhost
    -rw-r----- 1 root named 143 Sep 9 20:30 /var/named/named.loopback
7) rndc file
    # rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
    key "rndc-key" {
        algorithm hmac-md5;
        secret "ZaRjlHwFaun/mfn648NDGQ==";
    };
    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };
8) Test start
    # chown root.named /usr/local/bind9/var/run
    # ls -ld /usr/local/bind9/var/run
    drwxr-xr-x 2 root named 4096 Sep 9 19:58 /usr/local/bind9/var/run
    # chmod g+w /usr/local/bind9/var/run
    # named -u named -f -g -d 3
9) Check the listening ports
    # ss -tunlp | fgrep 53
    udp UNCONN 0 0   192.168.1.100:53 *:* users:(("named",6870,513))
    udp UNCONN 0 0   127.0.0.1:53     *:* users:(("named",6870,512))
    tcp LISTEN 0 10  192.168.1.100:53 *:* users:(("named",6870,22))
    tcp LISTEN 0 10  127.0.0.1:53     *:* users:(("named",6870,21))
    tcp LISTEN 0 128 127.0.0.1:953    *:* users:(("named",6870,23))
10) Service script
    # install -d /usr/local/bind9/var/lock

    #!/bin/bash
    #
    # Author: lcc.org
    # Version: 1.1.1
    # chkconfig: - 12 88
    # Description: BIND (Berkeley Internet Name Domain)

    prog=$(basename "$0")            # script name without its directory; also the process name
    lockfile=/var/lock/subsys/$prog

    start() {
        if killall -0 "$prog" 2> /dev/null; then     # signal 0: is a named process alive?
            if [ -e "$lockfile" ]; then
                echo "$prog is already started"
                return 0
            fi
        else
            if named -u named; then
                [ ! -e "$lockfile" ] && touch "$lockfile"
                echo "start $prog finished"
            fi
        fi
    }

    stop() {
        [ -e "$lockfile" ] && rm -f "$lockfile"
        if killall -0 "$prog" 2> /dev/null; then
            pkill named && echo "stop $prog ok"
        else
            echo "stop $prog ok"
        fi
    }

    status() {
        if [ -e "$lockfile" ] && killall -0 named 2> /dev/null; then
            echo "$prog is running...."
        elif [ ! -e "$lockfile" ] && ! killall -0 named 2> /dev/null; then
            echo "$prog is stopped yet..."
        else
            echo "WARNING....."       # lock file and process disagree: clean up
            stop
        fi
    }

    reload() {
        rndc reload 2> /dev/null
    }

    case $1 in
    start)
        start ;;
    stop)
        stop ;;
    restart)
        stop
        start ;;
    status)
        status ;;
    reload)
        reload ;;
    *)
        echo "Usage: $0 {start|stop|restart|status|reload}" ;;
    esac
11) Install it into /etc/rc.d/init.d/
    # chmod +x named
    # cp -p named /etc/init.d/named
    # chkconfig --add named
    # chkconfig --list named
    named  0:off 1:off 2:off 3:off 4:off 5:off 6:off
12) Manually configure forward and reverse zones and check that nothing goes wrong
    .....
10. Stress testing

1) Enter the contrib directory of the source tree
    # cd ~/bind-9.10.6/contrib/
2) Enter the queryperf directory
    # cd queryperf
3) Build
    # less README
    # ./configure
    # make
4) Copy the binary
    # cp -a queryperf /usr/local/bind9/bin/
5) Benchmark

The queryperf command (DNS benchmark)

Usage: queryperf [-d datafile] [-s server_addr]

    # queryperf -d file -s 192.168.1.100

    DNS Query Performance Testing Tool
    Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

    [Status] Processing input data
    [Status] Sending queries (beginning with 192.168.1.100)
    [Status] Testing complete

    Statistics:

      Parse input file:     once
      Ended due to:         reaching end of file

      Queries sent:         702000 queries
      Queries completed:    702000 queries
      Queries lost:         0 queries
      Queries delayed(?):   0 queries

      RTT max:              0.184500 sec
      RTT min:              0.000148 sec
      RTT average:          0.003078 sec
      RTT std deviation:    0.001178 sec
      RTT out of range:     0 queries

      Percentage completed: 100.00%
      Percentage lost:        0.00%

      Started at:           Sun Sep 10 03:13:45 2017
      Finished at:          Sun Sep 10 03:15:34 2017
      Ran for:              109.150809 seconds

      Queries per second:   6431.468593 qps

   TOP
      PID USER  PR NI  VIRT RES  SHR S %CPU %MEM   TIME+ COMMAND
     7774 named 20  0 50152 12m 2748 S 53.4  5.3 2:06.29 named
    22591 root  20  0 20032 17m  676 S 45.2  7.4 0:05.06 queryperf

   VMSTAT
    procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
     r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa st
     2  0   4160   3876   8032 150904    0    0    74    75   62   128  2  3 90  6  0
     2  0   4160   3868   8032 150904    0    0     0     0  965 12360  4 96  0  0  0
     2  0   4160   3808   8032 150960    0    0    68     0  988 11908 20 80  0  0  0
     2  0   4160   3688   8040 151040    0    0    72    12  981 11791  4 96  0  0  0
     2  0   4160   3688   8040 151044    0    0     0     0  990 11952  4 96  0  0  0
     2  0   4160   3628   8040 151044    0    0     0     0  979 11990  3 97  0  0  0
     2  0   4160   3628   8040 151044    0    0     0     0  991 12712 16 84  0  0  0

   IOSTAT
    # iostat 1
    Linux 2.6.32-696.el6.i686 (localhost.localdomain)  09/10/2017  _i686_  (1 CPU)

    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
               1.25    0.46    2.62    5.61    0.00   90.06

    Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
    scd0    0.00        0.01        0.00       376         0
    sda     3.91      146.89      150.43   5265774   5392628
    dm-0    4.04       20.10       28.64    720634   1026544
    dm-1    0.05        0.18        0.25      6520      9032
    dm-2    0.01        0.06        0.00      2018        56
    dm-3   14.64      106.06       97.85   3802226   3507896
    dm-4    3.30       20.31       23.68    728258    849040

    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
              19.39    2.04   78.57    0.00    0.00    0.00

    Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
    scd0    0.00        0.00        0.00         0         0
    sda   117.35     4693.88       57.14      4600        56
    dm-0   72.45     3126.53        0.00      3064         0
    dm-1    0.00        0.00        0.00         0         0
    dm-2    0.00        0.00        0.00         0         0
    dm-3    4.08      146.94        0.00       144         0
    dm-4   67.35      481.63       57.14       472        56

Second run, with query logging turned on:

    # rndc querylog
    # rndc status
    version: BIND 9.10.6 <id:9d1ea0b>
    boot time: Sat, 09 Sep 2017 17:45:08 GMT
    last configured: Sat, 09 Sep 2017 18:04:13 GMT
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 103
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is ON      // with query logging on, every request generates I/O
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
    # queryperf -d file -s 192.168.1.100

    DNS Query Performance Testing Tool
    Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

    [Status] Processing input data
    [Status] Sending queries (beginning with 192.168.1.100)
    [Status] Testing complete

    Statistics:

      Parse input file:     once
      Ended due to:         reaching end of file

      Queries sent:         702000 queries
      Queries completed:    702000 queries
      Queries lost:         0 queries
      Queries delayed(?):   0 queries

      RTT max:              1.141619 sec
      RTT min:              0.000149 sec
      RTT average:          0.006632 sec
      RTT std deviation:    0.008464 sec
      RTT out of range:     0 queries

      Percentage completed: 100.00%
      Percentage lost:        0.00%

      Started at:           Sun Sep 10 03:22:50 2017
      Finished at:          Sun Sep 10 03:26:45 2017
      Ran for:              235.257594 seconds

      Queries per second:   2983.963187 qps

   TOP
      PID USER  PR NI  VIRT RES  SHR S %CPU %MEM   TIME+ COMMAND
     7774 named 20  0 50152 13m 2784 S 50.8  5.4 3:39.84 named
    23274 root  20  0 20032 17m  672 S 24.5  7.4 0:17.01 queryperf

   VMSTAT
    # vmstat 1
    procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
     r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa st
     2  0   4160   8052   6944 148324    0    0    77    78   67   187  2  3 89  6  0
     2  0   4160   8060   6944 148352    0    0    24    12  999 13770  4 96  0  0  0
     1  1   4160   8052   6944 148348    0    0    12     0  977 12900  4 96  0  0  0
     2  0   4160   7992   6952 148428    0    0    56    52  988 12689 21 79  0  0  0
     2  0   4160   7872   6960 148436    0    0     0    56  989 14114  3 97  0  0  0
     1  1   4160   7880   6960 148440    0    0    16    56  974 13079  3 97  0  0  0
     1  1   4160   7872   6960 148528    0    0    84    88 1008 13114  8 92  0  0  0
     2  0   4160   7880   6960 148540    0    0     0     0  981 13744 15 85  0  0  0
     2  1   4160   7700   6968 148776    0    0   232    52 1013 14028  2 98  0  0  0

   IOSTAT
    # iostat 1
    Linux 2.6.32-696.el6.i686 (localhost.localdomain)  09/10/2017  _i686_  (1 CPU)

    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
               1.27    0.54    3.01    5.79    0.00   89.40

    Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
    scd0    0.00        0.01        0.00       376         0
    sda     4.04      154.73      156.98   5587614   5669060
    dm-0    4.09       20.75       28.96    749330   1045720
    dm-1    0.05        0.18        0.25      6520      9032
    dm-2    0.01        0.06        0.00      2018        56
    dm-3   15.51      113.36      104.19   4093554   3762752
    dm-4    3.29       20.19       23.58    729154    851440

    avg-cpu:  %user   %nice %system %iowait  %steal   %idle
               3.12    1.04   95.83    0.00    0.00    0.00

    Device:  tps  Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
    scd0    0.00        0.00        0.00         0         0
    sda     3.12       41.67       75.00        40        72
    dm-0    0.00        0.00        0.00         0         0
    dm-1    0.00        0.00        0.00         0         0
    dm-2    0.00        0.00        0.00         0         0
    dm-3   11.46       41.67       75.00        40        72
    dm-4    0.00        0.00        0.00         0         0
This article is from the "Reading" blog; please keep this attribution: http://sonlich.blog.51cto.com/12825953/1966447