Building a DNS Service
Setting up an internal DNS server makes the network more secure.
Description
DNS is one of the most common foundational services, so we should learn it and use it. Let's begin by installing it.
For security reasons we run BIND as the unprivileged user named, so first create the named account:
useradd -r -d /home/named -s /sbin/nologin -u 53 named
Note
-r creates a system account; -d sets the home directory (/home/named, as in the command above); -s sets the login shell to /sbin/nologin; -u sets the UID to 53.
Installing the BIND dependencies
First install the basic dependency packages:
sudo yum -y install openssl-devel libcap-devel libcap libffi-devel
Tip
BIND 9 depends on Python 3.7 and the ply module.
Installing Python 3.7 and ply
Check the existing Python environment; only Python 2.7 is present:
[echoxu@localhost bind-9.14.0]$ cd /usr/bin/
[echoxu@localhost bin]$ ls -lh python*
lrwxrwxrwx. 1 root root 7 Nov 27 13:30 python -> python2
lrwxrwxrwx. 1 root root 9 Nov 27 13:30 python2 -> python2.7
-rwxr-xr-x. 1 root root 6.3K Oct 31 20:14 python2.7
Back up the original python binary:
sudo mv /usr/bin/python /usr/bin/python.bak
Install Python 3.7:
sudo mkdir /usr/local/python3.7
cd ~/software/tools
wget https://www.python.org/ftp/python/3.7.3/Python-3.7.3.tar.xz
tar xvJf Python-3.7.3.tar.xz
cd Python-3.7.3
sudo ./configure --prefix=/usr/local/python3.7 --with-ssl
sudo make
sudo make install
sudo ln -s /usr/local/python3.7/bin/python3 /usr/bin/python
sudo ln -s /usr/local/python3.7/bin/pip3 /usr/bin/pip3
Tip
--with-ssl is added because pip needs SSL; without it, installing packages with pip fails with an error.
- Install ply:
sudo pip3 install ply
Fixing yum's Python configuration
Because yum needs Python 2, we also have to adjust yum's configuration. Run:
sudo vim /usr/bin/yum
and change #! /usr/bin/python
to #! /usr/bin/python2
sudo vim /usr/libexec/urlgrabber-ext-down
In that file, #! /usr/bin/python
must likewise be changed to #! /usr/bin/python2
Python 3.7 is now installed, and Python 2 and Python 3 coexist:
[echoxu@localhost Python-3.7.3]$ python -V
Python 3.7.3
[echoxu@localhost Python-3.7.3]$ python2 -V
Python 2.7.5
Installing BIND
The build process is as follows:
./configure --prefix=/home/named/software/bind-9.14.0 --enable-threads
make
make install
Compilation takes a while; please be patient.
The complete BIND configuration directory layout:
[echoxu@localhost bind]$ tree etc/
etc/
├── bind.keys
├── named.conf
├── rndc.conf
├── zones.echoxu
└── zones.rfc1918
[echoxu@localhost bind]$ tree log
log
├── named_warning.log
├── query.log
└── testAB.txt
[echoxu@localhost bind]$ tree var
var
├── named
│   ├── db.0
│   ├── db.127
│   ├── db.255
│   ├── db.empty
│   ├── db.local
│   ├── named.192.168.1
│   ├── named.echo.xu
│   └── root.ca
└── run
    ├── named
    │   └── session.key
    └── named.pid
Configuring the named environment variables
echo 'export PATH=/home/named/software/bind/bin:/home/named/software/bind/sbin:$PATH' | sudo tee /etc/profile.d/named.sh
source /etc/profile.d/named.sh
Allowing a non-root user to bind port 53
sudo setcap cap_net_bind_service=+eip /home/named/software/bind/sbin/named
sudo setcap cap_net_bind_service=+eip /home/named/software/bind/sbin/rndc
Creating named.conf
A BIND built from source does not ship a named.conf, so you have to create the configuration file yourself:
vim /home/echoxu/software/bind/etc/named.conf
Add the following content:
options {
    listen-on port 53 { any; };
    directory "/home/echoxu/software/bind/var/named";
    pid-file "/home/echoxu/software/bind/var/run/named.pid";
    dump-file "/home/echoxu/software/bind/var/cache_dump.db";
    allow-query { any; };
    recursion yes;
    forwarders {
        10.64.0.100;
        10.64.0.200;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    forward first;
    dnssec-enable no;
    dnssec-validation no;
    auth-nxdomain no;
};
zone "." {
    type hint;
    file "root.ca";
};
zone "echo.xu" IN {
    type master;
    file "named.echo.xu";
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "named.192.168.1";
};
logging { # logging module
    channel warning {
        file "/home/echoxu/software/bind/log/named_warning.log" versions 3 size 20m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel query {
        file "/home/echoxu/software/bind/log/query.log" versions 3 size 20m; # "versions 3 size 20m" means keep three rotated files of 20 MB each
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { query; };
};
key "rndc-key" {
    algorithm hmac-sha256;
    secret "sX20LXA91qep9Kx7jDxGtnPlYI4OfisB9rgdBlF1G3Y=";
};
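As an added check (not part of the original post and not a BIND tool), the script below reads an options block like the one above and flags the settings that turn this server into an open resolver if it is ever reachable from outside the LAN. The hardened block and its addresses are assumptions for this example.

```python
import re
# Constructed sample mirroring the options block of the named.conf above.
WEAK_CONF = """options {
    listen-on port 53 { any; };
    directory "/home/echoxu/software/bind/var/named";
    allow-query { any; };
    recursion yes;
    forwarders { 10.64.0.100; 223.5.5.5; 8.8.8.8; };
    dnssec-enable no;
    dnssec-validation no;
};
"""

# Same resolver restricted to the internal network (hypothetical addresses).
HARDENED_CONF = """options {
    listen-on port 53 { 127.0.0.1; 192.168.1.108; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    dnssec-validation auto;
};
"""

def parse_options(conf):
    """Map each single-line statement inside options { } to its value text."""
    block = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    opts = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.strip().rstrip(";")
        if line and not line.startswith(("//", "#")):
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    return opts

def acl(opts, key):
    # Reduce an address_match_list such as "{ any; }" to "any" for comparison.
    return re.sub(r"[{};\s]", "", opts.get(key, ""))

def lint(conf):
    """Return (severity, message) findings for settings that expose the resolver."""
    o = parse_options(conf)
    findings = []
    recursive = o.get("recursion", "yes") == "yes"      # BIND's default is yes
    if recursive and acl(o, "allow-query") == "any" and "allow-recursion" not in o:
        findings.append(("high", "open resolver: recursion yes, allow-query any, no allow-recursion"))
    if recursive and "any" in o.get("listen-on", "any") and "allow-recursion" not in o:
        findings.append(("medium", "listen-on any without allow-recursion: bind to internal interfaces only"))
    if o.get("dnssec-validation", "yes") == "no":
        findings.append(("medium", "dnssec-validation no: forwarded answers are accepted unvalidated"))
    return findings
```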
Here is an explanation of the category statement in BIND's logging block:
The category statement specifies which class of messages is sent to which of the previously defined channel(s).
The category names (category_name) available in BIND 9 are:
Category       Description
client         Handling of client requests.
config         Configuration file parsing and processing.
database       Messages relating to BIND's internal database, which stores zone data and cache records.
default        Matches every category for which no channel has been explicitly specified.
dnssec         Processing of DNSSEC-signed responses.
general        All BIND messages that are not explicitly classified.
lame-servers   Detection of bad delegations, i.e. lame servers.
network        Network operations.
notify         Zone update notification (NOTIFY) messages.
queries        Query logging.
resolver       Name resolution, including recursive lookups performed on behalf of resolvers.
security       Approved/unapproved requests.
update         Dynamic update events.
xfer-in        Zone transfers from a remote name server to the local name server.
xfer-out       Zone transfers from the local name server to a remote name server.
Creating the root.ca hints file
Here the root hints file is fetched from the network; 198.41.0.4 is itself one of the DNS root servers. It can also be copied from an already installed DNS server. The file goes into the directory named by the directory option in named.conf, because the zone "." statement refers to it by a relative name:
dig -t NS . @198.41.0.4 > /home/echoxu/software/bind/var/named/root.ca
Note
The file can be given any name, as long as the zone "." statement in named.conf refers to it.
rndc configuration and management
Generate the rndc.conf configuration file:
rndc-confgen > /home/echoxu/software/bind/etc/rndc.conf
Copy the following content into rndc.conf:
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "bm1A2tAFC/aDuJevMQftai1IbDnkiu8KuFg+TfNzMyg=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
Copy the following into named.conf and uncomment it. This key block replaces the rndc-key block shown in named.conf above: the secret must be identical in named.conf and rndc.conf, otherwise named rejects rndc's commands.
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-sha256;
#     secret "bm1A2tAFC/aDuJevMQftai1IbDnkiu8KuFg+TfNzMyg=";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Zone file overview
[echoxu@localhost etc]$ more zones.echoxu
zone "." {
    type hint;
    file "root.ca";
};
zone "echo.xu" IN {
    type master;
    file "named.echo.xu";
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "named.192.168.1";
};
zone "localhost" {
    type master;
    file "db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "db.255";
};
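The zone declarations above point at named.echo.xu and named.192.168.1, whose contents the post does not show. As an added example (not the post's own files), the script below generates both from one host table so the A and PTR records cannot drift apart; the host names come from the queryperf test file shown later, while their addresses, the ns1 name server and the serial are constructed for this example.

```python
import ipaddress

ORIGIN = "echo.xu"
NS_HOST = "ns1"          # hypothetical name server host inside the zone
SERIAL = 2019041301      # YYYYMMDDnn; bump it on every change or secondaries will not notice
# Constructed host table: names from the queryperf test file, addresses invented.
HOSTS = {
    "ns1": "192.168.1.108", "xjj": "192.168.1.10", "v": "192.168.1.11",
    "jenkins": "192.168.1.20", "git": "192.168.1.21",
}

def header(origin, serial):
    """$TTL, $ORIGIN, SOA and NS records shared by both zone files."""
    return (f"$TTL 3600\n$ORIGIN {origin}.\n"
            f"@ IN SOA {NS_HOST}.{ORIGIN}. hostmaster.{ORIGIN}. ( {serial} 3600 900 604800 300 )\n"
            f"@ IN NS {NS_HOST}.{ORIGIN}.\n")

def forward_zone(hosts, serial=SERIAL):
    """Zone data for named.echo.xu: one A record per host."""
    out = header(ORIGIN, serial)
    for name, ip in sorted(hosts.items()):
        ipaddress.IPv4Address(ip)            # raises ValueError on a malformed address
        out += f"{name} IN A {ip}\n"
    return out

def reverse_zone(hosts, network="192.168.1.0/24", serial=SERIAL):
    """Zone data for named.192.168.1: one PTR per host, derived from the same table."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("this generator handles /24 reverse zones only")
    # 192.168.1.0 -> "0.1.168.192.in-addr.arpa"; drop the host label to get the zone origin
    origin = net.network_address.reverse_pointer.split(".", 1)[1]
    out = header(origin, serial)
    for name, ip in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{name} ({ip}) is outside {network}; it cannot get a PTR here")
        out += f"{addr.reverse_pointer.split('.', 1)[0]} IN PTR {name}.{ORIGIN}.\n"
    return out

if __name__ == "__main__":
    # Print both files; redirect into the 'directory' named in named.conf.
    print(forward_zone(HOSTS))
    print(reverse_zone(HOSTS))
```

Check the result with named-checkzone (listed under the common commands below) before reloading named.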
Common commands
/usr/local/named/sbin/named-checkzone yourdomain.com /data/named/db.yourdomain.com # check a zone file
/usr/local/named/sbin/named-checkconf /etc/named/named.conf # check the configuration file
rndc reload # rndc is already installed
rndc querylog # toggle named's query logging
rndc status # show named's status information
named -f -g -d 3 -u named # start named in the foreground at debug level 3
Starting BIND at boot
Write the init script (adjust ROOTDIR and named_conf below to your own install paths):
# vim /etc/init.d/named
#!/bin/bash
#
# named          This shell script takes care of starting and stopping
#                named (BIND DNS server).
#
# chkconfig: - 13 87
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network

user=named
named=named
named_conf="/etc/named/named.conf"
ROOTDIR="/usr/local/named"
CHKCONF="$ROOTDIR/sbin/named-checkconf"
CHKZONE="$ROOTDIR/sbin/named-checkzone"
RNDC="$ROOTDIR/sbin/rndc"

start() {
    echo -n $"Starting $named: "
    if [ -n "`/sbin/pidof -o %PPID $named`" ]; then
        echo -n $"$named: already running"
        failure
        echo
        return 1
    fi
    conf_ok=0
    if [ -x $CHKCONF ] && [ -x $CHKZONE ] && $CHKCONF ${named_conf} >/dev/null 2>&1; then
        conf_ok=1
    else
        RETVAL=$?
    fi
    if [ $conf_ok -eq 1 ]; then
        daemon $ROOTDIR/sbin/$named -u $user
        # daemon $ROOTDIR/sbin/$named -c $named_conf &
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        echo
        return $RETVAL
    fi
    # Configuration check failed (or the check tools are missing): report it instead of returning silently.
    failure
    echo
    return 1
}

stop() {
    # Stop daemons.
    echo -n $"Stopping $named: "
    $RNDC stop >/dev/null 2>&1
    RETVAL=$?
    [ "$RETVAL" -eq 0 ] || killproc "$named" -TERM >/dev/null 2>&1
    if [ $RETVAL -eq 0 ]; then
        rm -f /var/lock/subsys/named &> /dev/null
        rm -f $ROOTDIR/var/run/named.pid &> /dev/null
    fi
    if [ $RETVAL -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return $RETVAL
}

restart() {
    stop
    sleep 2
    start
}

status() {
    $RNDC status
    # status $ROOTDIR/sbin/$named
    return $?
}

reload() {
    echo -n $"Reloading $named: "
    p=`/sbin/pidof -o %PPID $named`
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        $RNDC reload >/dev/null 2>&1 || /bin/kill -HUP $p
        RETVAL=$?
    fi
    [ "$RETVAL" -eq 0 ] && success $"$named reload" || failure $"$named reload"
    echo
    return $RETVAL
}

checkconfig() {
    if [ -x $CHKCONF ] && [ -x $CHKZONE ] && $CHKCONF ${named_conf} ; then
        return 0
    else
        return 1
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    checkconfig|configtest|check|test)
        checkconfig
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|configtest|probe}"
        exit 2
        ;;
esac
exit $?
Installing the queryperf load-testing tool
BIND 9.14.0 no longer ships queryperf; it has to be copied over from BIND 9.12.4.
Install queryperf:
cd /home/echoxu/software/tools/bind-9.14.0/contrib/queryperf # enter the queryperf directory in the BIND source tree
./configure
make
cp queryperf /home/echoxu/software/bind/bin/ # copy the built tool into BIND's bin (or sbin) directory
Creating the test file
vim /home/echoxu/software/bind/log/testAB.txt
Add the following queries to it:
xjj.echo.xu A
v.echo.xu A
jenkins.echo.xu A
git.echo.xu A
echo.xu NS
Generating bulk data
To generate a large amount of test data, open the file in vim, type :1,$y to yank every line, then keep pressing p to paste the copy back; this can be repeated as many times as needed.
DNS load test
queryperf -d /home/echoxu/software/bind/log/testAB.txt -s 192.168.1.108
Tip
192.168.1.108 is the address of the local server.
The test results are as follows:
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.108)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 981825 queries
Queries completed: 981825 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.059573 sec
RTT min: 0.000919 sec
RTT average: 0.005862 sec
RTT std deviation: 0.001525 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sat Apr 13 15:47:26 2019
Finished at: Sat Apr 13 15:52:18 2019
Ran for: 291.599337 seconds
Queries per second: 3367.034404 qps
Highly available DNS
High availability for DNS can be achieved with LVS + Keepalived.