环境准备
创建虚拟机
环境准备
创建虚拟机
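# Names of the lab VMs; each one is a full clone of the CentOS 7 template below.
vmcentos[0]=CentOS7X64-client
vmcentos[1]=CentOS7X64-bind01
vmcentos[2]=CentOS7X64-bind02
vmcentos[3]=CentOS7X64-httpd01
vmcentos[4]=CentOS7X64-httpd02
# Directory holding every VM; vmsour is the template .vmx used as the clone source.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
vmsour="$parentPath/CentOS7X64.Core/CentOS7X64.Core.vmx"
# "${vmcentos[@]}" and quoted paths: the directory name contains non-ASCII characters, so
# never let the shell word-split or glob any of these values.
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  # Do not clone over a VM that already exists (re-running the step would otherwise try to
  # recreate an already prepared machine).
  if [[ -e "$vmdest" ]]; then
    printf 'Skip (exists): %s\n' "$vmdest" >&2
    continue
  fi
  printf 'Clone: %s\n' "$vmdest"
  # 'full' makes the clone independent of the template disk.
  vmrun -T ws clone "$vmsour" "$vmdest" full -cloneName="$item" \
    || printf 'clone failed: %s\n' "$item" >&2
  sleep 5s
done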
启动虚拟机
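# Power on every lab VM, one at a time. Requires the vmcentos array from the clone step.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  printf 'Start: %s\n' "$vmdest"
  vmrun -T ws start "$vmdest" || printf 'start failed: %s\n' "$item" >&2
  sleep 5s
  # Pause so the operator can wait for the guest to boot before the next VM is started
  # (read waits for Enter, not literally any key).
  read -r -p "按任意键继续..."
done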
挂起虚拟机
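# Suspend every lab VM. Requires the vmcentos array from the clone step.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  printf 'Suspend: %s\n' "$vmdest"
  vmrun -T ws suspend "$vmdest" || printf 'suspend failed: %s\n' "$item" >&2
  sleep 5s
done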
快照备份
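# Take a snapshot of every lab VM. Requires the vmcentos array from the clone step.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  # Snapshot name = date taken (one per day), which is what the revert step looks up.
  vmshot=$(date +%Y%m%d)
  printf 'Snapshot: %s\n' "$vmdest"
  vmrun -T ws snapshot "$vmdest" "$vmshot" || printf 'snapshot failed: %s\n' "$item" >&2
  vmrun -T ws listSnapshots "$vmdest"
  sleep 5s
done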
还原虚拟机
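# Revert every lab VM to the snapshot taken today. Requires the vmcentos array from the
# clone step.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
# Snapshots are named by the date they were taken (see the snapshot step); computed once
# here rather than once per VM, since the value never changes inside the loop.
vmshot=$(date +%Y%m%d)
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  printf 'Revert: %s\n' "$vmdest"
  vmrun -T ws revertToSnapshot "$vmdest" "$vmshot" || printf 'revert failed: %s\n' "$item" >&2
  sleep 5s
done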
关闭虚拟机
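# Stop every lab VM. Requires the vmcentos array from the clone step.
parentPath="/media/WNTime/本地磁盘/VirtualMachine.Spaces"
for item in "${vmcentos[@]}"; do
  vmdest="$parentPath/$item/$item.vmx"
  printf 'Stop: %s\n' "$vmdest"
  # NOTE(review): no hard/soft argument is given — check which one the installed vmrun
  # defaults to; a soft stop needs VMware Tools in the guest.
  vmrun -T ws stop "$vmdest" || printf 'stop failed: %s\n' "$item" >&2
  sleep 5s
  # Pause so the operator can confirm the guest is down before the next one is stopped.
  read -r -p "按任意键继续..."
done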
实验网络规划
client | DNS | DNS | httpd | httpd |
---|---|---|---|---|
client | bind-01 | bind-02 | httpd-111 | httpd-112 |
192.168.86.16 | 192.168.86.100 | 192.168.86.200 | 192.168.86.111 | 192.168.86.112 |
配置hostname及ipaddress
client
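## client
# NIC config of the template is /etc/sysconfig/network-scripts/ifcfg-ens33 with the
# template address 192.168.86.6; the clone needs its own address and a fresh UUID.
sudo hostnamectl set-hostname client
# Dots are escaped and the address is word-bounded so that e.g. 192.168.86.60 is not
# rewritten as well; the UUID line belongs to the template NIC and is dropped.
sudo sed -i -e 's/\b192\.168\.86\.6\b/192.168.86.16/g' \
  -e '/^UUID=/d' \
  /etc/sysconfig/network-scripts/ifcfg-ens33
sudo systemctl restart network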
bind-01
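## bind-01
# NIC config of the template is /etc/sysconfig/network-scripts/ifcfg-ens33 with the
# template address 192.168.86.6; the clone needs its own address and a fresh UUID.
sudo hostnamectl set-hostname bind-01
# Keep a backup before rewriting the file (the original copied the file onto itself, a
# no-op). The *.bak suffix is skipped by the network scripts, so it is not brought up.
sudo cp -- /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-ens33.bak
# Dots are escaped and the address is word-bounded so that e.g. 192.168.86.60 is not
# rewritten as well; the UUID line belongs to the template NIC and is dropped.
sudo sed -i -e 's/\b192\.168\.86\.6\b/192.168.86.100/g' \
  -e '/^UUID=/d' \
  /etc/sysconfig/network-scripts/ifcfg-ens33
sudo systemctl restart network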
bind-02
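## bind-02
# NIC config of the template is /etc/sysconfig/network-scripts/ifcfg-ens33 with the
# template address 192.168.86.6; the clone needs its own address and a fresh UUID.
sudo hostnamectl set-hostname bind-02
# Keep a backup before rewriting the file (the original copied the file onto itself, a
# no-op). The *.bak suffix is skipped by the network scripts, so it is not brought up.
sudo cp -- /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-ens33.bak
# Dots are escaped and the address is word-bounded so that e.g. 192.168.86.60 is not
# rewritten as well; the UUID line belongs to the template NIC and is dropped.
sudo sed -i -e 's/\b192\.168\.86\.6\b/192.168.86.200/g' \
  -e '/^UUID=/d' \
  /etc/sysconfig/network-scripts/ifcfg-ens33
sudo systemctl restart network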
httpd-111
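## httpd-111
# NIC config of the template is /etc/sysconfig/network-scripts/ifcfg-ens33 with the
# template address 192.168.86.6; the clone needs its own address and a fresh UUID.
sudo hostnamectl set-hostname httpd-111
# Dots are escaped and the address is word-bounded so that e.g. 192.168.86.60 is not
# rewritten as well; the UUID line belongs to the template NIC and is dropped.
sudo sed -i -e 's/\b192\.168\.86\.6\b/192.168.86.111/g' \
  -e '/^UUID=/d' \
  /etc/sysconfig/network-scripts/ifcfg-ens33
sudo systemctl restart network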
httpd-112
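## httpd-112
# NIC config of the template is /etc/sysconfig/network-scripts/ifcfg-ens33 with the
# template address 192.168.86.6; the clone needs its own address and a fresh UUID.
sudo hostnamectl set-hostname httpd-112
# Dots are escaped and the address is word-bounded so that e.g. 192.168.86.60 is not
# rewritten as well; the UUID line belongs to the template NIC and is dropped.
sudo sed -i -e 's/\b192\.168\.86\.6\b/192.168.86.112/g' \
  -e '/^UUID=/d' \
  /etc/sysconfig/network-scripts/ifcfg-ens33
sudo systemctl restart network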
关闭防火墙
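# SELinux: the guide switches it off. For a named built under /usr/local, 'permissive'
# (denials are only logged) is the less drastic option to try first; the anchored pattern
# touches only the real SELINUX= line.
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Keep firewalld running and open only the lab services (DNS on the bind hosts, HTTP on
# the httpd hosts; drop the one a given VM does not serve) instead of disabling the
# firewall on every machine.
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
sudo yum makecache
sudo yum install -y wget net-tools
# Switch to the Aliyun mirror. The repo definition is fetched over HTTPS so it cannot be
# altered in transit; if the download fails the original repo file is put back (wget -O
# leaves an empty file behind on failure).
sudo mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
if ! sudo wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo; then
  printf 'repo download failed, restoring CentOS-Base.repo\n' >&2
  sudo mv /etc/yum.repos.d/CentOS-Base.repo.bak /etc/yum.repos.d/CentOS-Base.repo
fi
sudo yum makecache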
注意:一定要关闭防火墙,或是添加相关端口!
确认网关是否生效
# 'route' is part of net-tools (installed above). The default route should point at the
# expected gateway; without it the VM cannot reach the mirror used in the next steps.
route -n
安装软件服务
安装 web服务测试
httpd-111, httpd-112
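sudo yum install -y httpd
# Open HTTP on the host firewall instead of stopping firewalld; a no-op when firewalld is
# not running (e.g. when it was disabled earlier in this guide).
if systemctl is-active --quiet firewalld; then
  sudo firewall-cmd --permanent --add-service=http && sudo firewall-cmd --reload
fi
# Put the hostname into the default page so the two backends can be told apart. Run sed
# under sudo directly rather than piping a generated command string into 'sudo bash'.
sudo sed -i "s/123/$HOSTNAME/" /usr/share/httpd/noindex/index.html
sudo systemctl enable httpd
sudo systemctl restart httpd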
安装bind基础依赖
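# Build dependencies for BIND 9 from source plus the tools used later in the guide.
# 'libxml*' is quoted so the shell does not expand it against files in the current
# directory; yum matches the pattern itself.
sudo yum -y install net-tools iptables-services vim gcc tcpdump cmake bind-utils zlib-devel \
  bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel \
  db4-devel libpcap-devel xz-devel libffi-devel 'libxml*' git wget libtool
# pip (python-pip) so PLY can be installed; libnghttp2/libcap-devel satisfy the configure
# checks quoted below. epel-release is installed in its own transaction first: yum resolves
# a command against the repos enabled when it starts, so packages that live in EPEL cannot
# be found in the same command that installs the EPEL repo.
sudo yum install -y epel-release
sudo yum install -y python-pip libnghttp2 libnghttp2-devel libcap-devel
# NOTE(review): PLY itself and a libuv development package are not installed by this
# step, although the configure errors quoted below ask for both — verify what the mirror
# provides before building.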
如果不安装ply模块,bind在编译时会报错如下
configure: error: Python >= 2.7 or >= 3.2 and the PLY package are required for dnssec-keymgr and other Python-based tools. PLY may be available from your OS package manager as python-ply or python3-ply; it can also be installed via pip. To build without Python/PLY, use --without-python.
如果不安装libuv模块,bind在编译时会报错如下
checking for libuv... checking for libuv >= 1.0.0... no configure: error: libuv not found
如果不安装libcap-devel模块,bind在编译时会报错如下
configure: error: sys/capability.h header is required for Linux capabilities support. Either install libcap or use --disable-linux-caps.
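# Same form as the other package steps (non-interactive, via sudo).
sudo yum install -y libcap-devel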
下载并安装bind9
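# Fetch the BIND 9 source tarball and its detached signature and verify before building
# anything. NOTE(review): 9.19 is an odd-numbered, i.e. development, branch — confirm that
# is intended for these servers.
wget https://ftp.isc.org/isc/bind9/9.19.5/bind-9.19.5.tar.xz
wget https://ftp.isc.org/isc/bind9/9.19.5/bind-9.19.5.tar.xz.asc
# Needs ISC's release-signing public key in the local keyring (fingerprint published by ISC);
# stop here if the signature does not verify.
gpg --verify bind-9.19.5.tar.xz.asc bind-9.19.5.tar.xz || { printf 'signature check failed\n' >&2; exit 1; }
tar -xf bind-9.19.5.tar.xz
# Never run configure/make in the wrong directory if the cd fails.
cd bind-9.19.5 || exit 1
./configure --prefix=/usr/local/bind9
make && sudo make install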
注:--enable-threads(enable multithreading)参数在9.14及后续版本已不再单独设置,9.11之前需要指定。9.14版本开始默认使用了SO_REUSEPORT特性(后期文档详细介绍)
安装完成
bind初始化配置
使用yum安装的bind文件目录如下:
源码安装的与上面有所区别
bind官方推荐使用rndc(Remote Name Domain Controller)工具,rndc是一个远程管理bind的工具,通过这个工具可以在本地或者远程查看当前服务器的运行状况,也可以对服务器进行关闭、重载、刷新缓存、增加删除zone等操作,后期文档详细介绍。
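cd /usr/local/bind9 || exit 1
# Become root for the remaining steps (the install prefix is root-owned).
su
# rndc-confgen prints a key stanza followed by a '# '-commented named.conf fragment; it may
# block while the system gathers entropy. (The old '-r /dev/urandom' workaround is
# unverified on this release and the option may no longer exist.)
sbin/rndc-confgen > etc/rndc.conf
# The file holds the rndc HMAC secret — keep it from other users on the host.
chmod 640 etc/rndc.conf
cd /usr/local/bind9/etc/ || exit 1
# Seed named.conf from the commented fragment at the end of rndc.conf (last 10 lines minus
# the trailing one); this depends on rndc-confgen's output layout, so inspect the result.
tail -10 rndc.conf | head -9 | sed 's/# //g' > named.conf
chmod 640 named.conf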
此时named.conf文件内容如下
[root@localhost etc]# cat named.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "AXeCgzN/af9naYrVgtmdBkBEO2XYDl4k+rlq3dICfrY=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};
编辑named.conf文件,在当前文件的最后增加全局options配置如下。
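# Append the global options. The delimiter is quoted so nothing inside is expanded by the
# shell. Recursion stays on (the lab clients use these servers as resolvers) but is limited
# to the lab network: 'recursion yes' with only 'allow-query { any; }' would make an open
# resolver reachable from every source that can route to port 53.
cat >> named.conf <<'EOF'
options {
directory "/usr/local/bind9/var/run";
pid-file "named.pid";
recursion yes;
allow-recursion { localhost; 192.168.86.0/24; };
allow-query { any; };
listen-on port 53 { any; };
};
EOF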
参数名称 | 参数说明 |
---|---|
directory | named程序运行后cd到此目录,区文件、输出的文件也写在此目录 |
pid-file | 进程id文件名 |
recursion | 全局开启递归查询 |
allow-query | 源IP解析限制,any代表所有 |
listen-on port 53 | 监听53端口的IP地址,any代表本机所有IP |
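# Service account: system user and group 53 without a login shell (the original had a
# typo, /sbin/nolgin, which useradd accepts although that shell does not exist).
groupadd -g 53 -r named
useradd -u 53 -s /sbin/nologin -r named -g named
# named only needs to own what it writes to: pid file, zone files and transferred zones
# under var. Config stays root-owned and group-readable, so a compromised named cannot
# rewrite its own configuration or binaries.
mkdir -p /usr/local/bind9/var/run
chown -R named:named /usr/local/bind9/var
chown -R root:named /usr/local/bind9/etc
chmod 750 /usr/local/bind9/etc
chmod 640 /usr/local/bind9/etc/*.conf
cd /usr/local/bind9 || exit 1
# Validate the configuration first; only then run named in the foreground as a smoke test
# (-g logs to stderr; Ctrl-C to stop it before installing the service).
bin/named-checkconf etc/named.conf && sbin/named -u named -g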
运行bind
执行如下命令启动bind。
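# Start named as the unprivileged 'named' user with the source-install configuration.
sudo /usr/local/bind9/sbin/named -u named -c /usr/local/bind9/etc/named.conf
# Confirm the daemon is running and actually listening on port 53 (tcp and udp);
# pgrep replaces 'ps | grep', and -w keeps ':530' etc. out of the match.
pgrep -a named
sudo netstat -lntup | grep -w ':53'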
测试DNS解析
# Lookup through the host's own resolver (/etc/resolv.conf): shows the VM can resolve at
# all, not necessarily through the new named.
dig www.baidu.com
# Query the freshly started named directly; answers only if named may recurse for 127.0.0.1
# under the options in named.conf.
dig @127.0.0.1 www.baidu.com
配置开机启动
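# Local units belong in /etc/systemd/system (the /usr/lib tree is for packaged units).
# The delimiter is quoted so $MAINPID reaches the unit file literally instead of being
# expanded to an empty string by the shell, and '>' rather than '>>' so rerunning this step
# does not append a second copy of the unit.
cat > /etc/systemd/system/named.service <<'EOF'
[Unit]
Description=Bind DNS Named
After=network.target

[Service]
Type=forking
# Matches 'directory' + 'pid-file' in named.conf so systemd can track the forked daemon.
PIDFile=/usr/local/bind9/var/run/named.pid
# Refuse to (re)start on a broken configuration.
ExecStartPre=/usr/local/bind9/bin/named-checkconf /usr/local/bind9/etc/named.conf
ExecStart=/usr/local/bind9/sbin/named -u named -c /usr/local/bind9/etc/named.conf
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=3s

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl list-unit-files --all | grep named
systemctl start named
systemctl enable named
systemctl status named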
bind配置介绍
named.conf 配置文件
//单行注释类型1
/*
多行注释
*/
//声明控制通道
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};
//全局选项
options {
version none; //隐藏bind版本,为了安全考虑
directory "/var/named";
pid-file "named.pid";
recursion yes; //全局开启递归
listen-on port 53 { any; }; //监听IPv4的53端口
listen-on-v6 port 53 { any;}; //监听IPv6的53端口
allow-query { any; }; //面向所有源IP提供解析服务
};
//指明日志记录
logging {
channel query_log {
file "/usr/local/bind/log/query.log." versions 5 size 50m;
print-time yes;
severity info;
};
category queries { query_log;};
};
//包含另一个文件的配置
include "acl.conf";
//视图
view "view_wntime" {
match-clients { wntime; }; //这个视图匹配的源IP地址
zone "example.com" {
type master; //定义此权威区是主区
file "example.com.zone"; //权威区文件的名称,他应该放在/var/named/下面
};
};
view "view_any" {
match-clients { any; };
zone "wntime.cn" IN {
type forward; //配置域名转发,当接到wntime.cn域名查询时bind向forwarders中的IP地址发起递归查询请求。
forward only; //如果转发服务器应答超时或者失败,则不再尝试自己做迭代查询。
forwarders {8.8.8.8; 114.114.114.114; };
};
};
-
注释语法
bind9的配置文件注释可以写成C,C++或者shell的风格。上面的配置中有注释单行//和注释多行/* …*/的例子,可以用井号#注释单行。但要注意在主配置文件中不能像zone文件(后面会详细讲解)一样使用分号(“;”)注释。
-
配置文件语法(语句)
语句和注释是可以出现在花括号之外的元素,而语句中包含很多的子语句并组成语句块,子语句以分号结束。下面是bind9支持的语句。
语句 | 含义 |
---|---|
acl | 定义IP地址列表, 用于访问控制或者其他用途 |
include | 包含(引入)一个配置文件 |
key | 在使用TSIG的时候用于认证和授权的秘钥信息 |
controls | 声明一个控制通道,用于rndc |
options | 控制全局的配置或者其他语句的缺省配置,此配置是我们需要重点关注的,很多DNS的调优都是在这里进行配置,目前它包含的配置子语句数量是211条,大家不需要去死记硬背,只需要了解一些常用的语句即可,我们在后面也会详细讲解这些常用的配置语句。 |
logging | 指定bind记录哪些日志以及在哪里输出这些日志 |
view | 定义一个视图,视图在bind中是逻辑的概念,类似将DNS进行隔离,不同的视图之间不互相影响,视图要匹配acl也就是客户端的源IP,是实现智能解析的关键配置。 |
zone | 定义一个权威区 |
server | 可以出现在配置文件的顶级,可以在一个view中,定义对特定的服务器设置参数 |
masters | 定义一个命名的主服务器列表,一般包含在存根区或者辅区的masters或者also-notify列表中。 |
trusted-keys | 定义信任的DNSSEC密钥 |
statistics-channels | 声明通信的通道,用于访问bind的统计信息数据 |
== 注意:logging和options语句在每个配置文件中只能出现一次。
配置named.conf
下面named.conf是实现最简单的权威主区wntime.com的举例,先从这个简单的例子了解权威区的含义和区(zone)文件的格式。
key "rndc-key" {
algorithm hmac-sha256;
secret "AXeCgzN/af9naYrVgtmdBkBEO2XYDl4k+rlq3dICfrY=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; }
keys { "rndc-key"; };
};
options {
directory "/usr/local/bind/var/run";
pid-file "named.pid";
recursion yes;
allow-query { any; };
listen-on port 53 { any; };
};
//创建 wntime.com权威区
zone "wntime.com" {
type master;
file "wntime.com.zone";
};
创建区正向文件
在指定的目录下创建zone文件名称wntime.com.zone内容如下。
# vim var/run/wntime.com.zone
$TTL 3h
@ IN SOA wntime.com. manager.wntime.com. (
1 ;Serial
3h ;Refresh after 3 hours
1h ;Retry after 1 hour
1w ;Expire after 1 week
1h) ;Negative caching TTL of 1 hour
;
@ IN NS dns1.wntime.com.
@ IN NS dns2.wntime.com.
;
;server domain
;
dns1 3600 IN A 192.168.86.100
dns2 3600 IN A 192.168.86.200
hello 300 IN A 192.168.86.111
hello 300 IN A 192.168.86.112
区文件的相关说明如下:
-
第一行以$TTL 3h开始,此行设置了域名记录的默认TTL值,如果整个zone文件中没有其他的同类TTL默认设置,那么这个就是全局的域名默认TTL设置。
-
第二行是wntime.com区的SOA记录(start of authority,起始授权机构),一个区文件中必须有而且只能有一个SOA记录。wntime.com是wntime.com的master名称服务器(DNS)的名称。
-
@是一种简写方法,这个位置等同于wntime.com,bind启动后会把zone名称作为一种“来源域名”引入,在zone中的域名如果与来源域名相同,那么这个域名就可以简写为@。
-
上面提到的“来源域名”会附加在zone文件中的每个记录名称后面,所以zone文件中例如www.wntime.com域名就可以简写为www,bind会自动的附加这个来源域名后缀。当然我们在zone文件中直接写www.wntime.com.也是可以的,注意域名后面有一个(“.”),否则域名其实是www.wntime.com.wntime.com
-
分号开头代表注释,适当的空行和注释对zone文件的维护有好处。
合规检验
完成zone文件配置后可以使用bind自带的检查工具对zone文件配置合规性进行检查,检查举例如下:
[root@localhost sbin]# ./named-checkzone wntime.com ../var/run/wntime.com.zone
zone wntime.com/IN: loaded serial 1
named-checkzone是bind自带的工具,用于检查zone文件合规,结果是OK代表zone文件能正常加载,解析测试如下
[root@localhost ~]# dig @192.168.86.160 hello.wntime.com
创建反向文件
编辑etc/named.conf追加下面内容
# vim etc/named.conf
// Reverse zone for 192.168.86.0/24; the zone file lives in the 'directory' from options.
zone "86.168.192.in-addr.arpa" {
type master;
file "wntime.192.168.86";
// NOTE(review): 'any' lets every client pull the whole zone with AXFR, i.e. a full host
// list. Limiting this to the secondary (192.168.86.200 in this lab) is the usual choice.
allow-transfer { any; };
};
在指定的目录下创建文件名称wntime.192.168.86内容如下。
# vim var/run/wntime.192.168.86
$TTL 3h
; SOA of the reverse zone. NOTE(review): the MNAME has no trailing dot, so BIND treats it
; as relative and appends the origin; it should presumably be the primary's name
; (dns1.wntime.com.) — check with named-checkzone as done for the forward zone.
@ IN SOA 86.168.192.in-addr.arpa manager.wntime.com. (
1 ;Serial
3h ;Refresh after 3 hours
1h ;Retry after 1 hour
1w ;Expire after 1 week
1h) ;Negative caching TTL of 1 hour
;
@ IN NS dns1.wntime.com.
@ IN NS dns2.wntime.com.
;
;server domain
; NOTE(review): these A records are relative to this zone's origin, so they create
; dns1/dns2 names under 86.168.192.in-addr.arpa — copied from the forward zone, not needed
; for PTR lookups (the NS targets above are resolved in wntime.com).
dns1 3600 IN A 192.168.86.100
dns2 3600 IN A 192.168.86.200
; Owner is the last octet; the origin is appended, so 111 -> 192.168.86.111.
111 300 IN PTR hello.wntime.com.
112 300 IN PTR hello.wntime.com.
测试
# Reverse lookups: -x builds the in-addr.arpa name; ask each server for one address so
# both the primary (.100) and the secondary (.200) are exercised.
dig -x 192.168.86.111 @192.168.86.100
dig -x 192.168.86.112 @192.168.86.200
主从配置
调整192.168.86.200 为从DNS
# vim etc/named.conf
//创建 wntime.com权威区
zone "wntime.com" {
type slave;
masters { 192.168.86.100; };
file "slaves/wntime.com.zone";
};
//
zone "86.168.192.in-addr.arpa" {
type slave;
masters { 192.168.86.100; };
file "slaves/wntime.192.168.86";
};
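# Writable store for zones transferred from the primary; only the var tree needs to be
# owned by named (config under etc stays root-owned and readable by the service).
mkdir -p /usr/local/bind9/var/run/slaves
chown -R named:named /usr/local/bind9/var
# Relative paths below assume /usr/local/bind9; restart only if the config validates.
cd /usr/local/bind9 || exit 1
bin/named-checkconf etc/named.conf && systemctl restart named
# Verify the transferred zone files arrived and that the secondary answers.
ls -lvh /usr/local/bind9/var/run/slaves
dig @192.168.86.200 hello.wntime.com
dig -x 192.168.86.112 @192.168.86.200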
nsupdate动态更新
编辑etc/named.conf
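# Generate the TSIG key used for dynamic updates. The file holds the shared secret, so it
# is created unreadable to other users (umask applies only inside the subshell).
# hmac-md5 matches the key stanza in the named.conf excerpt below; hmac-sha256 (already
# used for rndc-key) is the stronger choice — change both places together.
( umask 077 && sbin/tsig-keygen -a hmac-md5 wntime > wntime.key )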
# vim etc/named.conf
key "wntime" {
// NOTE(review): hmac-md5 is deprecated for TSIG; hmac-sha256 (as used for rndc-key above)
// is the better choice, generated with tsig-keygen -a hmac-sha256 and kept in sync here.
algorithm hmac-md5;
secret "ow/epgEiRTvGnBw/7cARjw==";
};
// Authoritative zone wntime.com with dynamic updates enabled.
zone "wntime.com" {
type master;
file "wntime.com.zone";
// NOTE(review): updates are authorised for 'rndc-key' (the control-channel key) rather
// than the "wntime" key generated for nsupdate above — verify which key the nsupdate step
// signs with, otherwise the update is rejected.
allow-update { key rndc-key; };
};
// Reverse zone, same update policy.
zone "86.168.192.in-addr.arpa" {
type master;
file "wntime.192.168.86";
allow-update { key rndc-key; };
};
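# Restart only when the edited configuration validates, so a typo does not take DNS down.
bin/named-checkconf etc/named.conf && systemctl restart named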
# 动态更新
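# Dynamic update batch for nsupdate (quoted delimiter: nothing inside is expanded).
cat >etc/nsupdate.sh <<'EOF'
server 192.168.86.100
zone wntime.com
update add www.wntime.com. 86400 IN A 192.168.86.233
show
send
EOF
# Sign the update with the key file written by tsig-keygen (-k reads name, algorithm and
# secret from it) instead of scraping the secret out with grep/sed/awk and passing it on
# the command line, where it ends up in shell history and 'ps' output. The key name in the
# file ("wntime") must be the one listed in the zone's allow-update.
nsupdate -k wntime.key etc/nsupdate.sh
# Dump the live zone to confirm the record is present.
dig +noquestion +nocmd +nostat +nocomments @192.168.86.100 AXFR wntime.com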
更新脚本
#!/bin/bash
#
## Update DNS Records Interactive
## Rahul Patil
#
## Functions
#
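#######################################
# Prompt until a non-empty line is entered and print it.
# Arguments: prompt text (all arguments, joined)
# Outputs:   the entered line on stdout
# Returns:   0 on success, 1 on EOF (the original looped forever when stdin was closed)
#######################################
ask() {
  local ans=""
  while [[ -z "$ans" ]]; do
    # -r keeps backslashes; a partial last line without newline still counts as an answer.
    read -r -p "$*" ans || [[ -n "$ans" ]] || return 1
  done
  printf '%s\n' "$ans"
}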
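#######################################
# Add one resource record to $DNS_ZONE on $DNS_SERVER via nsupdate.
# Globals:   DNS_SERVER, DNS_ZONE (read)
# Arguments: the record, e.g. "www.wntime.com. 86400 IN A 192.168.86.233" (all arguments joined)
# Returns:   nsupdate's exit status
# NOTE(review): the lab zone only accepts updates signed with a TSIG key (allow-update),
# so nsupdate will need -k <keyfile> here — confirm against the running named.conf.
#######################################
forward_zone_update() {
  local rr="$*"
  nsupdate <<EOF
server $DNS_SERVER
zone $DNS_ZONE
update add $rr
show
send
EOF
}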
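#######################################
# Delete one resource record from $DNS_ZONE on $DNS_SERVER via nsupdate.
# Globals:   DNS_SERVER, DNS_ZONE (read)
# Arguments: the record in "owner ttl class type rdata" form (all arguments joined)
# Returns:   nsupdate's exit status
# NOTE(review): like forward_zone_update, this needs -k <keyfile> once the zone requires
# signed updates — confirm against the running named.conf.
#######################################
delete_record() {
  local rr="$*"
  nsupdate <<EOF
server $DNS_SERVER
zone $DNS_ZONE
update delete $rr
show
send
EOF
}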
#
## Global Variable
#
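DNS_IP="192.168.86.100"
DNS_SERVER="dns1.wntime.com"
DNS_ZONE="wntime.com"
# An array, so the options reach dig as separate words without relying on word-splitting.
DIG_CMD=(dig +noquestion +nocmd +nostat +nocomments)

# Per-run scratch file for the matched records (the fixed /tmp/rr.tmp was shared between
# users and runs); removed on every exit path.
rr_tmp=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -f -- "$rr_tmp"' EXIT

update_rr_a=$( ask "Enter FQDN of Record (Ex. xyz.${DNS_ZONE}) :-") || exit 1
update_rr=$( ask "Enter IP of Record :-") || exit 1
# Only a dotted-quad makes sense for the A record being added.
if [[ ! "$update_rr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'Not an IPv4 address: %s\n' "$update_rr" >&2
  exit 1
fi
# Normalise to the absolute owner name as AXFR prints it (trailing dot) and compare the
# whole owner field: the previous prefix grep matched 'www' against 'www2' as well, so the
# wrong records could have been deleted below.
owner="${update_rr_a%.}"
owner="${owner%.$DNS_ZONE}.${DNS_ZONE}."
found_rr=$("${DIG_CMD[@]}" @"${DNS_IP}" AXFR "${DNS_ZONE}" | awk -v n="$owner" '$1 == n' | tee "$rr_tmp")
echo "Checking ${update_rr_a}..."
if [[ -z "${found_rr}" ]]; then
  echo "${update_rr_a} does not exist"
  echo "${update_rr_a} adding to ${DNS_ZONE}"
  forward_zone_update "${owner} 86400 IN A ${update_rr}"
  echo "Done!!"
else
  echo "${update_rr_a} already exists"
  ans=$(ask "Do you want to Delete RR and want to re-add(y/n?)") || exit 1
  case "$ans" in
    [yY]|[yY][eE][sS])
      # Each matched AXFR line is already "owner ttl class type rdata", which is exactly
      # what 'update delete' takes.
      while IFS= read -r r; do
        delete_record "$r"
      done < "$rr_tmp"
      ;;
    [nN]|[nN][oO]) exit 1 ;;
    # Anything else used to fall through and re-add without deleting; stop instead.
    *) printf 'Unrecognised answer: %s\n' "$ans" >&2; exit 1 ;;
  esac
  forward_zone_update "${owner} 86400 IN A ${update_rr}"
  echo "Done!!"
fi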