智能DNS的安装和配置
参考:http://coralzd.blog.51cto.com/90341/431848
目录
一、相关术语简介
二、智能DNS系统服务规划
三、MYSQLReplication及添加GoogleTCMALLOC库降低系统负载
四、安装配置Bind-DLZ 及 相关脚本
五、测试Bind-DLZ相关总 结
一、相关术语简 介:
1、智能DNS(Bind-view):
智能DNS的原理很简单:在用户解析一个域名的时候,判断一下用户
的IP,然后跟DNS服务器内部的IP表匹配一下,看看用户是电信还是网通用户,然后给用户返回对应的IP地址。目前的域名服务运营商不提供智能DNS服务,所以必须自行架设DNS服务或者使用网上免费的智能DNS服务,如DNSPOD.
2.Bind-DLZ
Bind-DLZ主页:http://bind-dlz.sourceforge.net/
DLZ(Dynamically Loadable Zones)与传统的BIND9不同,BIND的不足之处:
* BIND从文本文件中获取数据,这样容易因为编辑错误出现问题。
* BIND需要将数据加载到内存中,如果域或者记录较多,会消耗大量的内存。
* BIND启动时解析Zone文件,对于一个记录较多的DNS来说,会耽误更多的时间。
* 如果近修改一条记录,那么要重新加载或者重启BIND才能生
效,那么需要时间,可能会影响客户端查询。
而Bind-dlz 即将帮你解决这些问题, 对Zone文件操作也更方便了,直接对数据库操作,可以很方
便扩充及开发管理程序。
二、 智能DNS系统服务规划
1. NameServer服务器注册(到新网或者万网后台添加)
ns2.zhang.com 192.168.3.203
ns1.zhang.com 192.168.100.221
NS1是master ,NS2是slave。两者数据通过mysql来同步。
2. 测试NS记录是否生效
#dig www.zhang.com
#dig www.zhang.com +trace
3. Bind-View规划
www.zhang.com 网通 (CNC) 192.168.100.224
www.zhang.com 电信(TELECOM) 192.168.100.225
www.zhang.com 教育网(EDU) 192.168.100.226
www.zhang.com 移动(ANY) 192.168.100.227
三、 Mysql的安装和主从的配置
关于mysql的安装以及主从的配置请参考:
http://blog.chinaunix.net/space.php?uid=20639775&do=blog&id=154497
http://blog.chinaunix.net/space.php?uid=20639775&do=blog&id=154420
四、安装配置Bind-DLZ 及 相关脚本
1.安装bind
#mkdir /usr/local/src/bind-dlz
#cd /usr/local/src/bind-dlz
#wget http://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz
#tar zxvf bind-9.6.0-P1.tar.gz
#cd bind-9.6.0-P1
# ./configure --with-dlz-mysql=/usr/local/mysql/ --enable-largefile
--enable-threads=no --prefix=/usr/local/bind --disable-openssl-version-check
#make && make install
2.创建相关配置文件
cd /usr/local/bind/etc
../sbin/rndc-confgen >rndc.conf
tail -n10 rndc.conf | head -n9 | sed -e s/#\//g >named.conf
# vi localhost.zone
ttl 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
# dig >named.root
#vi named.conf 在后面加入如下:
include"/usr/local/bind/etc/cnc_acl.conf"; //网通ACL
include "/usr/local/bind/etc/telecom_acl.conf"; //电信ACL
include "/usr/local/bind/etc/edu_acl.conf"; //教育网ACL
include "/usr/local/bind/etc/view.conf"; //DLZ相关的配
3、配置DNSTSIG
Ø 使用dnssec-keygenfunction 产生加密密钥,一个为public key,另一个为private key,本文假设应用服务器存在CNC,TELECOM,EDU,ANY
(1)产生加密金钥
#cd /usr/local/bind/sbin
#./dnssec-keygen -a hmac-md5 -b 128 -n HOST cnc
#./dnssec-keygen -a hmac-md5 -b 128 -n HOST telecom
#./dnssec-keygen
-ahmac-md5 -b 128 -n HOST edu
#./dnssec-keygen -a hmac-md5 -b 128 -n HOST any
(2)查看生成的密钥文件
# cat Kcnc.+157+24406.private //以网通为例.
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: YTjTOw00PzeEaasA16/Rvw==
Bits: AAA=
将:YTjTOw00PzeEaasA16/Rvw== 加入到named.conf,其它同例。
详细请参照named.conf配 置文件
Ø 配置named.conf
#vi /usr/local/bind/etc/named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "gu0hQjfMt1+zBJbjQegTww==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
channel warning {
file "/var/log/bind/dns_warning" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/var/log/bind/dns_log" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
category queries {
general_dns;
};
};
#
options {
directory "/usr/local/bind/etc";
pid-file "named.pid";
};
#TSIG-key
key "cnc" {
algorithm hmac-md5;
secret "XA7Xp3G9vwBmSafyl+swiQ==";
};
key "telecom" {
algorithm hmac-md5;
secret "rGJVJRLv7rNm0aoI+rw1Wg==";
};
key "edu" {
algorithm hmac-md5;
secret "bbx8zD5DoFRyDz5Xb0wBWw==";
};
key "any" {
algorithm hmac-md5;
secret "s16dv4VdR/BzEsxKjyDzOg==";
};
#acl
acl "dns-ip-list"{
192.168.100.203; #master DNS IP
192.168.100.221; #slave DNS IP
};
#acl include
include "/usr/local/bind/etc/cnc_acl.conf";
include "/usr/local/bind/etc/telecom_acl.conf";
include "/usr/local/bind/etc/edu_acl.conf";
include "/usr/local/bind/etc/view.conf";
Ø 配置view.conf
#vi /usr/local/bind/etc/view.conf
#cnc-view
view "cnc_view" {
match-clients { key cnc;dns-ip-list;CNC; };
allow-query-cache { none; };
allow-recursion { none; };
allow-transfer { none; };
recursion no;
dlz "Mysql zone" {
database "mysql
{host=localhost dbname=dns_view ssl=false port=3306 user=root pass=123456 }
{select zone from dns_records where zone = '%zone%' and view='CNC' limit 1}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from dns_records where zone = '%zone%' and host = '%record%' and (view = 'CNC' or view = 'DF')}
{}
{select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and view='CNC'}
{select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='CNC' limit 1}
{update data_count set count = count + 1 where zone ='%zone%' and view='CNC'}";
};
zone "." IN {
type hint;
file "named.root";
};
};
#telecom-view
view "telecom_view" {
match-clients { key telecom;dns-ip-list;TELECOM; };
allow-query-cache { none; };
allow-recursion { none; };
allow-transfer { none; };
recursion no;
dlz "Mysql zone" {
database "mysql
{host=localhost dbname=dns_view ssl=false port=3306 user=root pass=123456 }
{select zone from dns_records where zone = '%zone%' and view = 'TEL' limit 1}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from dns_records where zone = '%zone%' and host = '%record%' and (view = 'TEL' or view = 'DF')}
{}
{select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and view = 'TEL'}
{select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='TEL' limit 1}
{update data_count set count = count + 1 where zone ='%zone%' and view = 'TEL'}";
};
};
#edu_view
view "edu_view" {
match-clients { key edu;dns-ip-list;EDU; };
allow-transfer { none; };
recursion no;
dlz "Mysql zone" {
database "mysql
{host=localhost dbname=dns_view ssl=false port=3306 user=root pass=123456 }
{select zone from dns_records where zone = '%zone%' and view='EDU' limit 1}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from dns_records where zone = '%zone%' and host = '%record%' and (view = 'EDU' or view = 'DF')}
{}
{select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and view='EDU'}
{select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='EDU' limit 1}
{update data_count set count = count + 1 where zone ='%zone%' and view='EDU'}";
};
};
#any_view
view "any_view" {
match-clients { key any;dns-ip-list;ANY; };
allow-query-cache { none; };
allow-recursion { none; };
allow-transfer { none; };
recursion no;
dlz "Mysql zone" {
database "mysql
{host=localhost dbname=dns_view ssl=false port=3306 user=root pass=123456 }
{select zone from dns_records where zone = '%zone%' and view='ANY' limit 1}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end as mydata from dns_records where zone = '%zone%' and host = '%record%' and (view = 'ANY' or view = 'DF')}
{}
{select ttl, type, host, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end as mydata, resp_person, serial, refresh, retry, expire, minimum from dns_records where zone = '%zone%' and view='ANY'}
{select zone from xfr_table where zone = '%zone%' and client = '%client%' and view='ANY' limit 1}
{update data_count set count = count + 1 where zone ='%zone%'}";
};
};
Ø 配置cnc_acl.conf、telecom_acl.conf、edu_acl.conf
至于这些文件的配置,请访问
http://www.lbase.net/ISPIPInfo.aspx //自己用脚步处理下
Ø 需要用到的sql语句:
CREATE DATABASE dns_view;
USE dns_view;
-- ----------------------------
-- Table structure for data_count
-- ----------------------------
DROP TABLE IF EXISTS `data_count`;
CREATE TABLE `data_count` (
`zone` text NOT NULL,
`count` bigint(20) default '0',
`view` char(20) default 'DF',
KEY `data_count_index` (`zone`(30))
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for dns_records
-- ----------------------------
DROP TABLE IF EXISTS `dns_records`;
CREATE TABLE `dns_records` (
`id` int(10) unsigned NOT NULL auto_increment,
`zone` varchar(255) NOT NULL,
`host` varchar(255) NOT NULL default '@',
`type` enum('MX','CNAME','NS','SOA','A','AAAA','PTR') default NULL,
`data` varchar(255) default NULL,
`ttl` int(11) NOT NULL default '800',
`view` char(20) default 'DF',
`mx_priority` int(11) default NULL,
`refresh` int(11) NOT NULL default '3600',
`retry` int(11) NOT NULL default '3600',
`expire` int(11) NOT NULL default '86400',
`minimum` int(11) NOT NULL default '3600',
`serial` bigint(20) NOT NULL default '2008082700',
`resp_person` varchar(64) NOT NULL default 'root.domain.com.',
`primary_ns` varchar(64) NOT NULL default 'ns1.domain.com.',
`data_count` int(11) NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `type` (`type`),
KEY `host` (`host`),
KEY `zone` (`zone`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for xfr_table
-- ----------------------------
DROP TABLE IF EXISTS `xfr_table`;
CREATE TABLE `xfr_table` (
`view` enum('CNC','TELECOM','EDU','CRTC','ANY') NOT NULL,
`zone` varchar(255) default NULL,
`client` varchar(255) default NULL,
KEY `zone_client_index` (`zone`(30),`client`(30))
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
-- ----------------------------
-- Records
-- ----------------------------
INSERT INTO `dns_records` VALUES ('1', 'zhang.com', '@', 'SOA', 'ns1.zhang.com.', '10', 'DF', null, '3600', '3600', '86400', '10', '2008082700', 'root.zhang.com.', 'ns1.zhang.com.', '0');
INSERT INTO `dns_records` VALUES ('2', 'zhang.com', '@', 'NS', 'ns1.zhang.com.', '800', 'DF', '0', '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('3', 'zhang.com', '@', 'NS', 'ns2.zhang.com.', '800', 'DF', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('4', 'zhang.com', 'ns1', 'A', '192.168.3.203', '800', 'DF', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('5', 'zhang.com', 'ns2', 'A', '192.168.100.221', '800', 'DF', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('8', 'zhang.com', 'www', 'A', '192.168.100.224', '3600', 'CNC', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('8', 'zhang.com', 'www', 'A', '192.168.100.225 ', '3600', 'TELECOM', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('8', 'zhang.com', 'www', 'A', '192.168.100.226', '3600', 'EDU', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
INSERT INTO `dns_records` VALUES ('8', 'zhang.com', 'www', 'A', '192.168.100.227', '3600', 'AYN', null, '3600', '3600', '86400', '3600', '2008082700', 'root.domain.com.', 'ns1.domain.com.', '0');
Ø Bind 启动脚本
#!/bin/bash
#start/stop/restart/reload/status
case "$1" in
start)
if [ -x/usr/local/bind/sbin/named ]; then
/usr/local/bind/sbin/named -c /usr/local/bind/etc/named.conf -u root
echo "BIND9-named server started"
fi
;;
stop)
kill `cat /usr/local/bind/etc/named.pid` && echo . && echo 'BIND9 serverstopped'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
reload)
/usr/local/bind/sbin/rndc reload
;;
status)
/usr/local/bind/sbin/rndc status
;;
*)
echo"$0 start | stop | restart |reload |status"
;;
Esac
./bind.sh start 启动bind;
./bind.sh stop停止bind;
./bind.sh reload #重载配置文件
# /usr/local/bind/sbin/named -uroot -g -d 9 //调试状态,如果没有报错说明环境配置正确。
五、 智能DNS的测试
由于是在虚拟机上测试,因此,智能模拟dns查询场景,找一台192.168.100.0/24网段的机器和一台192.168.3.0/24网段的机器,更改文件
vi /etc/resolv.conf 添加如下一行
nameserver 192.168.3.203
然后运行nslookup www.zhang.com ,看返回的IP是?
将该网段添加到cnc_acl.conf或telecom_acl.conf或edu_acl.conf,重启dns,再次运行
nslookup www.zhang.com,看返回的IP是否不同