To prepare for possible DNS load balancing or failover later, I first set up a simple DNS server. The OS used here is CentOS 7.
Steps: create three VMs, one of which is the DNS server. At first the hosts can only find each other by IP; once the DNS server is up, they can be found by hostname.
vm1: 10.10.0.100 (this one will be the DNS server)
vm2: 10.10.0.101
vm3: 10.10.0.102 (same as vm1 except IPADDR=10.10.0.102)
On vm1, edit the network configuration: vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # static IP
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=9537f42b-e1fc-4aa4-8852-4cdc856ec5ea
DEVICE=ens33
ONBOOT=yes
IPADDR=10.10.0.100 # fixed IP
GATEWAY=10.10.0.2 # the VM's gateway, shown in the VM network settings
NETMASK=255.255.255.0 # netmask
DNS1=8.8.8.8 # start with 8.8.8.8; later changed to our own DNS server IP
vm2 and vm3 are configured the same as vm1, except IPADDR=10.10.0.101 and IPADDR=10.10.0.102 respectively.
Remember to run systemctl restart network so the settings take effect.
Set the hostname on vm1, vm2 and vm3 respectively (remember to include the domain, host.com; the example domain here is host.com):
hostnamectl set-hostname jgnr68-100.host.com
hostnamectl set-hostname jgnr68-101.host.com
hostnamectl set-hostname jgnr68-102.host.com
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
firewall-cmd --add-port=53/udp --permanent
firewall-cmd --reload
yum install -y bind bind-utils
rpm -qa bind
bind-9.11.4-26.P2.el7_9.3.x86_64 (the version installed here)
vi /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 10.10.0.100;};
    //listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    forwarders { 8.8.8.8;};
    allow-query { localhost; any;};
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
The main changes: add our own address to listen-on port 53 and remove the listen-on-v6 setting, otherwise startup may fail. forwarders specifies who to hand a query to when this server cannot resolve the name itself; normally that is the next level up, i.e. the public DNS on the outside, and 8.8.8.8 is the simple choice. allow-query any; is added so every host on the cluster's subnet can query this server.
vi /etc/named.rfc1912.zones
zone "host.com" IN {
    type master;
    file "host.com.zone";
    allow-update { 10.10.0.100;};
};
Add a zone: set type to master, set file to host.com.zone (any name works as long as the file can be found under /var/named), and set allow-update to our own IP (not sure what this is for).
vi /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
        2021012101 ; serial
        10800 ; refresh (3 hours)
        900 ; retry (15 minutes)
        604800 ; expire (1 week)
        86400 ; minimum (1 day)
        )
        NS dns.host.com.
$TTL 60 ; 1 minute
; hostname-to-IP mappings below
dns A 10.10.0.100
jgnr68-100 A 10.10.0.100
jgnr68-101 A 10.10.0.101
jgnr68-102 A 10.10.0.102
systemctl restart named
dig -t A jgnr68-101.host.com @10.10.0.100 +short
Use dig to ask our own server where jgnr68-101.host.com is; getting back the IP from the table means it resolves correctly.
10.10.0.101
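As an added example (not from the original post), the following Python script performs the offline check a practitioner would run before `systemctl restart named`: it parses the zone layout used above and reports an NS name without an A record, or a host whose address does not match the plan. ZONE_TEXT is the post's zone file with the SOA timers folded onto one line and EXPECTED_HOSTS is the VM table from the top of the post; BIND's own named-checkzone remains the authoritative syntax check.

```python
# Added example (not from the original post): offline sanity check of the host.com
# zone file before `systemctl restart named`. BIND's named-checkzone is the real tool.
import re

ZONE_TEXT = """\
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
        2021012101 10800 900 604800 86400 ; serial refresh retry expire minimum
        )
        NS dns.host.com.
$TTL 60 ; 1 minute
dns        A 10.10.0.100
jgnr68-100 A 10.10.0.100
jgnr68-101 A 10.10.0.101
jgnr68-102 A 10.10.0.102
"""
EXPECTED_HOSTS = {"jgnr68-100": "10.10.0.100", "jgnr68-101": "10.10.0.101",
                  "jgnr68-102": "10.10.0.102"}  # the VM table at the top of the post

def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, soa_serial, [ns fqdn], {owner fqdn: ipv4}) for a simple master zone."""
    origin, serial, ns_names, a_records, owner = None, None, [], {}, None
    body = "\n".join(l.split(";", 1)[0] for l in text.splitlines())  # drop ';' comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # fold SOA ( )
    for tok in filter(None, (line.split() for line in body.splitlines())):
        if tok[0].startswith("$"):  # $ORIGIN sets the suffix; $TTL does not matter here
            origin = tok[1] if tok[0] == "$ORIGIN" else origin
            continue
        if tok[0] not in {"IN", "SOA", "NS", "A"}:
            owner = qualify(tok.pop(0), origin)  # explicit owner; otherwise inherit the last one
        rtype, rdata = (tok[1], tok[2:]) if tok[0] == "IN" else (tok[0], tok[1:])
        if rtype == "SOA":
            serial = int(rdata[2])
        elif rtype == "NS":
            ns_names.append(qualify(rdata[0], origin))
        elif rtype == "A":
            a_records[owner] = rdata[0]
    return origin, serial, ns_names, a_records

def check_zone(text, expected_hosts):
    """Problems found; an empty list means the NS has glue and the A records match the plan."""
    origin, _, ns_names, a_records = parse_zone(text)
    missing_glue = [ns for ns in ns_names if ns.endswith(origin) and ns not in a_records]
    wrong = [h for h, ip in expected_hosts.items() if a_records.get(qualify(h, origin)) != ip]
    return [f"NS {ns} has no A record" for ns in missing_glue] + [f"{h} missing or wrong" for h in wrong]
```

The parsed A records also predict the dig answer above: jgnr68-101.host.com. maps to 10.10.0.101.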
vi /etc/sysconfig/network-scripts/ifcfg-ens33
DNS1="10.10.0.100"
Change the original 8.8.8.8 to 10.10.0.100.
systemctl restart network
ping jgnr68-101.host.com
ping www.google.com
Other hosts can now be found by hostname, while names on the outside are still forwarded to 8.8.8.8 for correct resolution.
Hi JohnnyPy,
I was lucky enough to find your article while searching for information on DNS.
If you have the time,
I would love for you to share something on DNS load balancing, failover or related topics.
Thank you