  • bind智能DNS + bindUI管理系统(mysql + bind dlz)

    # 软件环境

    * Centos 7.6

    * bind-9.14.1.tar.gz

    * mariadb-server-5.5.60

    * python 3.7

    * django 2.2.1

    QPS:单节点2400 qps

    # bind UI 管理系统

    https://github.com/cucker0/BindUI

    具体安装可参考https://www.cnblogs.com/linkenpark/p/10862347.html

    # bind安装

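    #!/usr/bin/env bash
    # Build bind-9.14.1 with the DLZ MySQL driver against a locally built
    # OpenSSL 1.0.2r, then create the unprivileged service account and the
    # runtime/log directories. Run as root on CentOS 7.6.
    # Steps are chained with set -e / && so that a failed download, configure
    # or make stops the procedure instead of silently running the next command.
    set -euo pipefail

    cd /usr/local/src

    wget http://ftp.isc.org/isc/bind9/9.14.1/bind-9.14.1.tar.gz
    wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz
    # NOTE(review): the BIND tarball is fetched over plain http and never
    # checked; verify it against the checksum/PGP signature ISC publishes
    # alongside the release before building it.

    # "ncursess" in the original is a typo; the package is ncurses.
    yum -y install ncurses ncurses-devel zlib perl mariadb-server mariadb mariadb-devel --skip-broken

    # OpenSSL is built inside its source tree; BIND's --with-openssl points
    # at that tree below.
    tar -zxvf openssl-1.0.2r.tar.gz
    ( cd openssl-1.0.2r && ./config && make && make install )

    tar -zxvf bind-9.14.1.tar.gz
    cd /usr/local/src/bind-9.14.1

    # Linker flags: directory holding the MySQL client library
    # (see `mysql_config --libs`).
    export LDFLAGS=-L/usr/lib64/mysql

    # bind-9.14.1: --with-dlz-mysql pulls in the DLZ MySQL driver.
    # --enable-threads is a 9.12 option; 9.13/9.14 no longer have it
    # (configure only warns about the unknown flag).
    ./configure --prefix=/usr/local/bind_9.14.1 --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r

    # bind-9.12.1 variant, kept for reference only -- do not run both
    # configures. 9.12 still honours --enable-threads; --enable-threads=no
    # disables multithreading.
    # ./configure --prefix=/usr/local/bind --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r

    make && make install

    ln -sfn /usr/local/bind_9.14.1 /usr/local/bind

    # Unprivileged account that named drops to (-u named in the unit file);
    # guarded so the procedure can be re-run.
    getent group named >/dev/null || groupadd -g 25 named
    id named >/dev/null 2>&1 || useradd named -M -u 25 -g 25 -s /sbin/nologin

    chown -R named:named /usr/local/bind/var
    # conf.d lives under the real config directory: /etc/named is later
    # symlinked to /usr/local/bind/etc, and the include "/etc/named/conf.d/..."
    # lines in named.conf resolve through that link. Creating /etc/named as a
    # real directory here would make the later "ln -s" land inside it instead.
    mkdir -p /var/log/named /usr/local/bind/etc/conf.d
    chown -R named:named /var/log/named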

    systemd 服务单元文件(通过 systemctl 管理)

    cat /usr/lib/systemd/system/named.service

    [Unit]
    Description=Berkeley Internet Name Domain (DNS)
    After=network.target
     
    [Service]
    Type=forking
    PIDFile=/usr/local/bind/var/named.pid
    ExecStart=/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf
    ExecReload=/bin/sh -c '/usr/local/bind/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
    ExecStop=/bin/sh -c '/usr/local/bind/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
    PrivateTmp=true
    Restart=always
    RestartSec=10
     
    [Install]
    WantedBy=multi-user.target

    # /usr/local/bind/sbin/named -n 1 中的 -n 指定工作线程数

    注意

        * bind-9.12.1 版本使用mysql作数据库时,使用单线程更快。有实验过启动2线程或4线程并发时相当慢(服务器CPU4核心),几乎全部超时。

        * bind-9.12.1 dlz + mariadb-server-5.5.60单线程查询达600 qps左右,5个bind实例的集群查询达2700 qps左右

        * bind-9.14.1 dlz + mariadb-server-5.5.60单线程查询达 2400 qps左右,且设置多个线程与1个线程的性能一样

        * 需要调试并打印详细日志时,在前台运行 /usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf -d 4 -g(-d 4 指定调试级别,-g 表示前台运行并把日志输出到标准错误)

    配置bind

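    # Generate the rndc control key and derive the key/controls stanza of
    # named.conf from it.
    cd /usr/local/bind/etc/

    # rndc.conf holds the shared HMAC secret that authorises rndc commands
    # (reload/stop in the unit file); keep it out of reach of other local users.
    /usr/local/bind/sbin/rndc-confgen > rndc.conf
    chown root:named rndc.conf
    chmod 640 rndc.conf

    # Not needed when named.conf carries the key itself. ("//" is not a shell
    # comment marker, so the original line would have tried to execute "//".)
    # cat rndc.conf > rndc.key

    # named.conf includes "/etc/named/conf.d/...", so /etc/named must be a
    # symlink to this directory. If an earlier step created /etc/named as a
    # real directory, "ln -s" would create /etc/named/etc instead; rmdir only
    # removes it while it is still empty.
    if [[ -d /etc/named && ! -L /etc/named ]]; then
      rmdir /etc/named/conf.d /etc/named
    fi
    ln -sfn /usr/local/bind/etc /etc/named
    mkdir -p /usr/local/bind/etc/conf.d

    # rndc-confgen ends its output with a commented-out key/controls snippet
    # for named.conf; strip the leading "# " to activate it. The sed script
    # must be quoted -- unquoted, the shell hands sed "s/#" and "//g" and sed
    # fails with an unterminated s command. The result looks like the block
    # below; the secret shown there is the author's example, every host gets
    # its own from rndc-confgen.
    tail -10 rndc.conf | head -9 | sed 's/# //g' > named.conf
    chown root:named named.conf
    chmod 640 named.conf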

    key "rndc-key" {
        algorithm hmac-sha256;
        secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
    };
     
    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };

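    cat /etc/named/named.conf    # /etc/named is the symlink to /usr/local/bind/etc ("/etc/name" was a typo)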

    key "rndc-key" {
        algorithm hmac-sha256;
        secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
    };
    
    controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    
    options {
        listen-on port 53 { any; };    # listen on port 53 on every interface ("any")
        directory "/usr/local/bind/var";
        dump-file "/usr/local/bind/var/named_dump.db"; # file written by rndc dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
        pid-file "named.pid";  # contains the pid of the named process (relative to "directory")
        allow-query{ any; };     # any client may query
        allow-query-cache { any; }; # any client may read answers from the cache
        # NOTE(review): listen-on { any; } + allow-query-cache { any; } + the
        # forwarders below make this an open recursive resolver: every host
        # that can reach port 53 can resolve arbitrary names through it, which
        # is what DNS amplification abuse relies on. If only the cn_* networks
        # or other known clients need recursion, restrict it, e.g.
        # allow-recursion / allow-query-cache { <trusted acl>; }; (the acls
        # included further down are candidates) and keep { any; } only for
        # the authoritative data the views serve.
        recursive-clients 60000;
        forwarders{ # upstream public resolvers that queries are forwarded to
            202.96.128.86;
            223.5.5.5;
        };
        forward only; # use only the forwarders; if they cannot answer, the client gets a failure.
        # forward first; would try the forwarders first and fall back to local resolution when they fail.
        max-cache-size 4g;
        dnssec-enable no; # bind 9.13/9.14 forwarding setups failed with "broken trust chain" errors with this on, so the author disables it
        dnssec-validation no; # NOTE(review): this switches validation off entirely, so forged answers from upstream are accepted. Trust-chain errors when forwarding commonly point at forwarders that do not return DNSSEC records; fixing that and re-enabling validation is preferable to disabling it.
    };
    
    logging {
        channel query_log {    # 查询日志
            file "/var/log/named/query.log" versions 20 size 300m;
            severity info;
            print-time yes;
            print-category yes;
        };
     
        channel error_log {    # 报错日志
            file "/var/log/named/error.log" versions 3 size 10m;
            severity notice;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
     
        category queries { query_log; };
        category default { error_log; };
    };
    
    
    # acl
    include "/etc/named/conf.d/cn_dx.acl";
    include "/etc/named/conf.d/cn_lt.acl";
    include "/etc/named/conf.d/cn_yd.acl";
    include "/etc/named/conf.d/cn_jy.acl";
    include "/etc/named/conf.d/cn.acl";
    
    
    # view
    include "/etc/named/conf.d/cn_dx.conf";
    include "/etc/named/conf.d/cn_lt.conf";
    include "/etc/named/conf.d/cn_yd.conf";
    include "/etc/named/conf.d/cn_jy.conf";
    include "/etc/named/conf.d/cn.conf";
    include "/etc/named/conf.d/default.conf";    # default view 放最后

    日志级别:

    在定义通道的语句中,severity是指定记录消息的级别。在bind中主要有以下几个级别(按照严重性递减的顺序):

    critical
    error
    warning
    notice
    info
    debug [ level ]
    dynamic

    versions 20:最多保留 20 个轮转后的日志文件

    acl配置:

    ip列表:https://ip.cn/chnroutes.html

    示例:

    cat cn_yd.acl 

    # 中国移动
    # 2017101711, 74 routes
    
    acl cn_yd {
    36.128.0.0/10;
    39.128.0.0/10;
    42.83.200.0/23;
    43.239.172.0/22;
    43.241.112.0/22;
    43.251.244.0/22;
    45.121.68.0/22;
    45.121.72.0/22;
    45.121.172.0/22;
    45.121.176.0/22;
    45.122.96.0/21;
    45.123.152.0/22;
    45.124.36.0/22;
    45.125.24.0/22;
    58.83.240.0/21;
    59.153.68.0/22;
    61.14.244.0/22;
    103.20.112.0/22;
    103.21.176.0/22;
    103.35.104.0/22;
    103.37.176.0/23;
    103.40.12.0/22;
    103.43.124.0/22;
    103.45.160.0/22;
    103.61.156.0/22;
    103.61.160.0/22;
    103.62.24.0/22;
    103.62.204.0/22;
    103.62.208.0/22;
    103.83.72.0/22;
    103.192.0.0/22;
    103.192.144.0/22;
    103.193.140.0/22;
    103.205.116.0/22;
    103.227.48.0/22;
    111.0.0.0/10;
    111.235.182.0/24;
    112.0.0.0/10;
    114.66.68.0/22;
    117.128.0.0/10;
    118.187.40.0/21;
    118.191.248.0/21;
    118.194.165.0/24;
    120.192.0.0/10;
    121.255.0.0/16;
    131.228.96.0/24;
    163.53.56.0/22;
    183.192.0.0/10;
    202.141.176.0/20;
    211.103.0.0/17;
    211.136.0.0/13;
    211.148.224.0/19;
    211.155.236.0/24;
    218.200.0.0/13;
    221.130.0.0/15;
    221.176.0.0/19;
    221.176.32.0/20;
    221.176.48.0/21;
    221.176.56.0/24;
    221.176.58.0/23;
    221.176.60.0/22;
    221.176.64.0/18;
    221.176.128.0/17;
    221.177.0.0/16;
    221.178.0.0/15;
    221.180.0.0/14;
    223.64.0.0/11;
    223.96.0.0/12;
    223.112.0.0/14;
    223.116.0.0/15;
    223.118.2.0/24;
    223.118.10.0/24;
    223.118.18.0/24;
    223.120.0.0/13;
    };

    其他类似

    view配置:

    bind 连接数据库所用的帐号只需要只读权限即可

    cat cn_yd.conf       # match-clients要与定义的acl匹配

    view "cn_yd" {
    match-clients { cn_yd; };
    # DLZ lookup for clients matched by the cn_yd acl (China Mobile ranges).
    # NOTE(review): the database string below carries the MySQL user and
    # password in clear text and connects with ssl=false, so this file must
    # not be readable by other local users (e.g. root:named, mode 0640) and
    # the DB should be reachable only from the resolvers. Keep bind_ui_r
    # read-only: the two queries need SELECT on DnsRecord_zonetag and
    # DnsRecord_record only. $zone$ / $record$ are substituted by the DLZ
    # driver from the incoming query; resolution_line '103' is this view's
    # line id in bindUI and '0' the default line served by the default view.
    
    dlz "Mysql zone" {
        database "mysql
            {host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}
            {select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}
            {select ttl, type, mx_priority, 
                case when lower(type)='txt' then
                    concat('"', data, '"')
                when lower(type) = 'soa' then
                    concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
                else
                    data
                end
                from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id
                    and DnsRecord_zonetag.zone_name = '$zone$'
                    and DnsRecord_record.host = '$record$'
                    where DnsRecord_zonetag.status = 'on'
                        and DnsRecord_record.status = 'on'
                        and (DnsRecord_record.resolution_line = '103' or DnsRecord_record.resolution_line = '0')
            }
        ";
    };
    
    };

    注意:这里

    DnsRecord_record.resolution_line 的取值必须与 bindUI 中定义的线路值一致,用于区分不同的解析线路

    其他类似

     cat default.conf    # 默认 view:any 是内置 acl,匹配所有客户端,无需定义;bind 按顺序匹配 view,所以默认 view 必须放在配置中所有 view 的最后

    view "default" {
    match-clients { any; };
    # Catch-all view: "any" is a built-in acl, so this view matches every
    # client not caught by an earlier view and must stay last in named.conf.
    # Only records on resolution_line '0' (the default line) are served here.
    # NOTE(review): the database string below carries plain-text DB
    # credentials and uses ssl=false, so restrict this file's permissions
    # (e.g. root:named, mode 0640) and keep bind_ui_r a SELECT-only account
    # on a DB reachable only from the resolvers.
    
    dlz "Mysql zone" {
        database "mysql
            {host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}
            {select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}
            {select ttl, type, mx_priority, 
                case when lower(type)='txt' then
                    concat('"', data, '"')
                when lower(type) = 'soa' then
                    concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
                else
                    data
                end
                from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id
                    and DnsRecord_zonetag.zone_name = '$zone$'
                    and DnsRecord_record.host = '$record$'
                    where DnsRecord_zonetag.status = 'on'
                        and DnsRecord_record.status = 'on'
                        and DnsRecord_record.resolution_line = '0'
            }
        ";
    };
    
    };

    # 初始化项目

    # Initialise the BindUI database schema and create the admin account.
    # NOTE(review): on CentOS 7 the system "python" is 2.x; run these inside
    # the Python 3.7 environment Django 2.2 was installed into, or invoke that
    # interpreter explicitly.
    python manage.py migrate
    python manage.py makemigrations
    python manage.py migrate
    python manage.py createsuperuser
    用 django 自带的开发服务器(runserver)运行:python manage.py runserver ipaddr:port

    DNS压力测试:

    http://www.cnblogs.com/linkenpark/p/8952350.html

    DNS统计分析:

    dnstop DNS分析工具

  • 原文地址:https://www.cnblogs.com/linkenpark/p/8950183.html