
使用bind部署DNS主从分运营商解析域名


以前写过几篇架设DNS服务的博文,今天结合ATS和分运营商解析域名,实现简易CDN功能
利用NSD配置DNS主从解析域名及报错处理
利用powerdns自建DNS服务器
基于运营商的分布式DNS搭建
自建DNS权威服务器全过程(多域名解析)

假定:
主DNS节点的IP为1.1.1.1
从DNS节点的IP为2.2.2.2
WWW节点的IP为3.3.3.3

1、在主DNS节点和从DNS节点,安装bind软件 yum install bind bind-utils -y

2、在主DNS节点和从DNS节点,创建zone目录存放域名的zone文件,并设置用户和用户组



# Zone directory, created on both the master and the secondary. The secondary
# writes its transferred copies into it, so named needs write access here.
[root@us zone]# mkdir /etc/named/zone
# NOTE(review): the recursive chown also hands named ownership of everything else
# under /etc/named (the ISP ACL includes, named.root.key), so a compromised daemon
# could rewrite its own configuration. Safer to limit it to the zone directory:
#   chown -R named:named /etc/named/zone
# On an SELinux-enforcing host also verify named may write there; the stock policy
# expects secondary zone files under /var/named/slaves — confirm on your system.
[root@us zone]# chown -R named.named /etc/named

3、配置主DNS节点的/etc/named.conf


//生成rndc的key文件
[root@us home]# rndc-confgen
# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-md5;
	secret "I56/OZDjks6WZz24AWUf2g==";
};
[root@us ansible]# vi /etc/named.conf 
// Control-channel key for rndc. Use the secret that rndc-confgen printed on this
// host (the value shown here is redacted) and keep it private: whoever holds it
// can reload, freeze or stop the server. hmac-md5 is what older rndc-confgen
// emitted; current BIND defaults to hmac-sha256, which is preferable where supported.
key "rndc-key" {
 	algorithm hmac-md5;
 	secret "YpSNg7XRmxxxxJs3QYj9Q==";
};
// Addresses allowed to control this server. This may be set to a remote IP, which
// then connects using the rndc key above. Keeping it on 127.0.0.1 means port 953
// never needs to be opened in the firewall; if a remote address is ever allowed,
// restrict it at the firewall as well and give it its own key.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};


// Pull in the ISP ACL files (the operators' IP lists). Source:
// https://github.com/gaoyifan/china-operator-ip — also attached to this post.
// Each file must define the acl name the views below match on (telcom_acl,
// cmcc_acl, unicom_acl). The address lists change over time; refresh them from
// upstream on a schedule or clients gradually fall through to the default view.
include "/etc/named/isp/telcom_acl";
include "/etc/named/isp/cmcc_acl";
include "/etc/named/isp/unicom_acl";

// Main options
options {
// Listen on the public address only
	listen-on port 53 { 1.1.1.1; };
//	listen-on-v6 port 53 { ::1; };
// Working directory; relative paths (named.ca, data/named.run) resolve against it
	directory 	"/var/named";
// Cache / statistics dump files
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
// Answer queries from anyone — expected for an authoritative-only server
	allow-query     { any; };
// No recursion: this keeps the host from acting as an open resolver that could be
// abused for reflection/amplification
	recursion no;
// Enable DNSSEC (author's intent: guard against poisoning).
// NOTE(review): with recursion off this server validates nothing — these lines only
// matter on a resolver — and they do not sign kaifashuo.com; signing the zone is a
// separate step. dnssec-enable has been deprecated in recent BIND releases; check
// the installed version's log for warnings.
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
// Keep zone files in readable text form (the secondary stores its copies the same way)
        masterfile-format text;

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

// Only the stock debug channel, written to data/named.run under the directory
// option. For an internet-facing authoritative server consider also logging the
// xfer-out, notify and security categories so unexpected transfer or update
// attempts are visible.
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Views. The name in match-clients must be the acl name defined in the included
// files. BIND takes the client's source IP and tries each view in order; a client
// that matches none of them is served by the default view at the bottom.
view view_cmcc {
    match-clients { cmcc_acl; };

// Root hints are only consulted for recursion, which is disabled; harmless but unused.
zone "." IN {
	type hint;
	file "named.ca";
};

// The domain to serve and its zone file; same pattern in the views below, one file per view.
zone "kaifashuo.com" IN {

        type master;         

        file "/etc/named/zone/kaifashuo.cmcc"; 

        // NOTE(review): allow-update lets 2.2.2.2 push dynamic updates into this
        // zone, authenticated by source address alone. The secondary never needs
        // it — replication only needs also-notify/allow-transfer — so drop this
        // line (or bind it to a TSIG key) so the zone changes only via edited files.
        // A TSIG key on allow-transfer likewise stops a spoofed source from pulling the zone.
        allow-update { 2.2.2.2; };
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };
        // NOTE(review): the secondary's four views all pull this zone from the same
        // source address, so the master answers every transfer from whichever view
        // 2.2.2.2 matches (or the default view), and the secondary ends up serving
        // identical data in all four views. Tag each view with its own TSIG key —
        // match-clients { key <view-key>; cmcc_acl; } here and
        // masters { 1.1.1.1 key <view-key>; } on the secondary — so each transfer
        // lands in the intended view.

    };
};

// China Telecom view

view view_telcom {
    match-clients { telcom_acl; };

// Root hints: unused with recursion off.
zone "." IN {
	type hint;
	file "named.ca";
};

zone "kaifashuo.com" IN {

        type master;

        file "/etc/named/zone/kaifashuo.chinatelecom";
        // NOTE(review): same as every view here — the secondary only needs
        // also-notify/allow-transfer; allow-update by bare source address opens
        // the zone to unauthenticated dynamic updates and should be removed or
        // tied to a TSIG key. Keying the views is also what lets the secondary's
        // per-view transfers reach the matching view on this master.
        allow-update { 2.2.2.2; };
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };

	};

};

// China Unicom view
view view_unicom {
    match-clients { unicom_acl; };

// Root hints: unused with recursion off.
zone "." IN {
	type hint;
	file "named.ca";
};

zone "kaifashuo.com" IN {

        type master;

        file "/etc/named/zone/kaifashuo.unicom";

        // NOTE(review): allow-update by bare source address is not needed for
        // replication (also-notify/allow-transfer are) and allows unauthenticated
        // dynamic updates; remove it or tie it to a TSIG key.
        allow-update { 2.2.2.2; };
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };

    };


};



// Catch-all: clients matching none of the views above are served from this file.
// match-clients is unset, i.e. any, so this view must stay last — anything placed
// after it would never be reached.
view default {

zone "kaifashuo.com" IN {

        type master;

        file "/etc/named/zone/kaifashuo.default";

        // NOTE(review): allow-update by bare source address is not needed for
        // replication and allows unauthenticated dynamic updates; remove it or
        // tie it to a TSIG key.
        allow-update { 2.2.2.2; };
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };

    };

};

5、创建zone文件,与每个view里面引用的zone文件一一对应,以移动view的zone为例,注意:需要在/etc/named/zone目录创建4个zone文件


[root@us zone]# cat kaifashuo.cmcc 
; Zone data for kaifashuo.com as served by the CMCC view. The other three per-view
; files (kaifashuo.chinatelecom, kaifashuo.unicom, kaifashuo.default) follow the
; same layout; presumably only the www address differs per ISP, while the SOA/NS
; section stays identical — confirm when creating them.
$ORIGIN kaifashuo.com.
$TTL 300
@       IN      SOA     ns1.kaifashuo.com.      admin.kaifashuo.com. (
                        2020072402      	; serial number - increase on every edit (YYYYMMDDnn); secondaries only transfer when it grows
                        3600                    ; refresh - how often the secondary re-checks the serial
                        180                     ; retry - wait after a failed refresh
                        1209600                 ; expire - secondary stops answering if the master is unreachable this long
                        300                     ; negative-caching ttl (minimum)
                        )
; Name servers (owner name omitted, so these attach to the zone apex)
                    IN      NS      ns1.kaifashuo.com.
                    IN      NS      ns2.kaifashuo.com.

; A records for name servers (glue for the NS names above)
ns1                 IN      A       1.1.1.1
ns2                 IN      A       2.2.2.2


; Additional A records - www is the node handed to this ISP's clients
www                 IN      A       3.3.3.3

6、配置从DNS节点的配置文件



[root@localhost ~]# vi /etc/named.conf 
// rndc key for the secondary's own control channel. It is independent of the
// master's key (controls below only listen on 127.0.0.1), so generate it with
// rndc-confgen on this host rather than reusing the value printed in this post.
// hmac-sha256 is the current default algorithm and preferable to hmac-md5 where supported.
key "rndc-key" {
 	algorithm hmac-md5;
 	secret "YpSNg7XRmR8tv/Js3QYj9Q==";
};
// Local-only control channel; port 953 stays closed to the outside.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};


// Same ISP ACL files as on the master. Keep both copies in sync (same acl names,
// refreshed together) or the two servers will classify the same client differently.
include "/etc/named/isp/telcom_acl";
include "/etc/named/isp/cmcc_acl";
include "/etc/named/isp/unicom_acl";

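// Secondary options. Mirrors the master's block except for listen-on.
options {
// Listen on the secondary's public address only
	listen-on port 53 { 2.2.2.2; };
//	listen-on-v6 port 53 { ::1; };
// Working directory; relative paths (named.ca, data/named.run) resolve against it
	directory 	"/var/named";
// Cache / statistics dump files
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
// Answer queries from anyone — expected for an authoritative-only server
	allow-query     { any; };
// Recursion off, as on the master. Without this line BIND's default (recursion yes)
// applies, and allow-recursion falls back to allow-query when unset, so the
// secondary would answer recursive queries for the whole internet — an open
// resolver usable for reflection/amplification.
	recursion no;

// DNSSEC options carried over from the master. With recursion off they validate
// nothing and they do not sign kaifashuo.com; dnssec-enable is deprecated in
// recent BIND releases — check the installed version's log for warnings.
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
// Transferred zones are written to disk as readable text
        masterfile-format text;


	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};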

// Only the stock debug channel, written to data/named.run under the directory
// option. Logging the xfer-in and notify categories as well makes it visible
// whether each view actually received its transfer from the master.
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


// Per-ISP views on the secondary, in the same order as on the master.
view view_cmcc {
    match-clients { cmcc_acl; };

// Root hints: unused once recursion is off.
zone "." IN {
	type hint;
	file "named.ca";
};

zone "kaifashuo.com" IN {
// type slave: pull the zone from the master instead of loading a local copy.
        type slave;
	masters { 1.1.1.1; };         
        file "/etc/named/zone/kaifashuo.cmcc"; 
        // NOTE(review): every view here requests the zone from 1.1.1.1 with the same
        // source address, so the master serves all four requests from whichever of
        // its views matches 2.2.2.2 and this view may not get the CMCC data. The
        // fix is a TSIG key per view: masters { 1.1.1.1 key <view-key>; } here and
        // match-clients { key <view-key>; cmcc_acl; } on the master. Notifies from
        // 1.1.1.1 likewise land in only one view; the others pick up changes on the
        // SOA refresh timer unless the notify is keyed too.
        // NOTE(review): allow-transfer is not set in any of these zones; older BIND
        // defaults it to any, which lets anyone enumerate the zone from this host.
        // Add allow-transfer { none; }; (here or in options).
        // Each view must write to its own file, as done here — BIND refuses two
        // writable zones sharing one path.

    };
};

// China Telecom view on the secondary
view view_telcom {
    match-clients { telcom_acl; };

// Root hints: unused once recursion is off.
zone "." IN {
	type hint;
	file "named.ca";
};

zone "kaifashuo.com" IN {

        type slave;       
        masters { 1.1.1.1; };
        file "/etc/named/zone/kaifashuo.chinatelecom";
        // NOTE(review): transfers are requested by bare source address, so the master
        // cannot tell this view's request from the other views' — key the transfer
        // (masters { 1.1.1.1 key <view-key>; }) with a matching key clause on the
        // master's match-clients. Also set allow-transfer { none; }; on this
        // secondary: older BIND defaults to allowing transfers to anyone.

	};

};


// China Unicom view on the secondary
view view_unicom {
    match-clients { unicom_acl; };

// Root hints: unused once recursion is off.
zone "." IN {
	type hint;
	file "named.ca";
};

zone "kaifashuo.com" IN {

        type slave;       
        masters { 1.1.1.1; };

        file "/etc/named/zone/kaifashuo.unicom";
        // NOTE(review): key this transfer (masters { 1.1.1.1 key <view-key>; }) with
        // a matching key clause on the master's match-clients, otherwise the master
        // serves this view whatever its own view for 2.2.2.2 holds. Set
        // allow-transfer { none; }; as well; older BIND defaults to any.

    };


};



// Catch-all view; match-clients is unset (any), so it must remain last.
view default {

zone "kaifashuo.com" IN {

        type slave;       
        masters { 1.1.1.1; };

        file "/etc/named/zone/kaifashuo.default";
        // NOTE(review): as with the other views, key the transfer so the master can
        // route it to its own default view, and set allow-transfer { none; }; on
        // this secondary (older BIND defaults to any).

    };

};

7、把bind加入开机自启动并启动bind,并在防火墙开启dns服务


# Run on both nodes. Validate first so a typo in named.conf or a zone file does
# not take DNS down on restart:  named-checkconf -z /etc/named.conf
[root@us zone]# systemctl enable named
[root@us zone]# systemctl restart named
# Open 53/tcp+udp in the public zone. With recursion off only authoritative answers
# are exposed; the rndc port (953) stays bound to 127.0.0.1 and is not opened here.
[root@us zone]# firewall-cmd --zone=public --add-service=dns --permanent
[root@us zone]# firewall-cmd --reload

8、附件ACL文件:https://www.kaifashuo.com/soft/acl.tgz
