WeChat official account: operation and development story, author: Jiang Zong
Preface
With the rapid growth of the cloud-native era, every industry has moved onto Kubernetes. In just two or three years job postings started to require "at least one year of hands-on k8s experience", so many of the traditional technologies people relied on earlier have quickly been left behind. In other words, technology turns over constantly: old technology is replaced quickly and new technology is favoured. In domain name resolution we are most familiar with the hosted resolvers DNSPod, GoDaddy, CloudFlare and Alibaba Cloud DNS, and of course dnsmasq, PowerDNS and CoreDNS as used in k8s. Today, however, I will talk about bind9.
Small and medium-sized companies today may not use bind9 at all, and most of what you find online uses the plain named service rather than named-chroot. Even fewer articles use acl+view, or their layout is poor enough that a novice gets confused and misconfigures things, or the details are missing. Such articles may of course exist; perhaps I did not spend enough time searching or my searching skills are limited. Here I record my attempt to implement intelligent DNS (split-horizon resolution) with bind9 using chroot and acl+view.
Environment
CentOS Linux release 8.4.2105
BIND Version: 9.11.26
Overall network segment: 172.16.128.0/17
bind9 master-slave network segment: 172.16.0.0/24
| Host | IP | Role |
|---|---|---|
| named-srv1 | 172.16.0.55 | named master |
| named-srv2 | 172.16.0.56 | named slave |
bind9 master node deployment
```bash
# Clear the immutable bit so dnf can create the named user and group
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils

# I want to enable chroot and move the named directory to /data/named/chroot,
# so copy the packaged files there
mkdir -p /data/named
cp -ar /var/named/* /data/named/

# Create a directory for the logs
mkdir -p /data/named/chroot/data/log/named/

### Create the working files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind

# Go to /data and change the owner and group of the named directory to named
cd /data/
chown -R named:named named
```
Edit the master node's named.conf
```conf
$ cat /data/named/chroot/etc/named.conf
// Client ACLs. They must cover the subnets the clients actually query from;
// the test section below queries from 172.16.10.1, 172.16.20.1 and 172.16.30.1.
acl telecom { 172.17.10.0/24; };
acl unicom { 172.17.20.0/24; };
acl mobile { 172.17.30.0/24; };

options {
    listen-on port 53 { 127.0.0.1; 172.16.0.55; };
    directory "/var/named";
    // Paths are resolved inside the chroot; these are the files created above
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // Hosts allowed to query (white list)
    allow-query { any; };
    allow-query-cache { any; };
    // These are Alibaba Cloud ECS servers, so Alibaba's public DNS is the forwarder
    forwarders { 223.5.5.5; 223.6.6.6; };
    recursive-clients 200000;
    check-names master warn;
    max-cache-ttl 60;
    max-ncache-ttl 0;
    //recursion yes;
    //dnssec-enable yes;
    //dnssec-validation yes;
    //managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    //session-keyfile "/run/named/session.key";
};

logging {
    channel query_log {
        file "/data/log/named/query.log" versions 10 size 300m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel client_log {
        file "/data/log/named/client.log" versions 3 size 200m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel config {
        file "/data/log/named/config.log" versions 3 size 100m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel default_log {
        file "/data/log/named/default.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel general_log {
        file "/data/log/named/general.log" versions 3 size 200m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries { query_log; };
    category client { client_log; };
    category general { general_log; };
    category config { config; };
    category default { default_log; };
};

// Views are tested top to bottom; a client that matches none of them is refused
view telecom_view {
    match-clients { telecom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-telcome.zones";
};
view unicom_view {
    match-clients { unicom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-unicom.zones";
};
view mobile_view {
    // The mobile acl, not "any": with "any" every other client would land here
    match-clients { mobile; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-mobile.zones";
};
```
Note two things. First, once named-chroot is enabled you must stop the plain named service; only one of the two may run. Second, with named-chroot every path in named.conf is relative to /var/named/chroot.
Using acl+view
Three ACLs and three views are defined above. The acl statements are normally placed at the top of named.conf, before options, and that is the recommended layout. named tests the views in the order they appear and a client that matches none of them is refused, so the order of the views matters.
Next, create the three zone files pulled in by the include statement in each view. Only forward zones are shown here; an intranet bind9 rarely needs reverse zones.
Create the zone configuration files
```conf
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
    type master;
    file "ayunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
    type master;
    file "iyunw.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
    type master;
    file "allenjol.cn.zone";
    allow-update { none; };
    masterfile-format text;
    allow-transfer { 172.16.0.56; };
};
```
Create the zone data files
```conf
# "directory" in options is /var/named inside the chroot, so the zone files go here
$ cd /var/named/chroot/var/named
$ vi ayunw.cn.zone
$TTL 86400
@   IN  SOA ayunw.cn. root.iyunw.cn. (
            202111011   ; serial (d. adams)
            1H          ; refresh
            15M         ; retry
            1W          ; expiry
            1D )        ; minimum
    IN  NS  ns1.ayunw.cn.
    IN  NS  ns2.ayunw.cn.
ns1 IN  A   172.16.0.55
ns2 IN  A   172.16.0.56
www IN  A   172.16.0.58

$ vi iyunw.cn.zone
$TTL 86400
@   IN  SOA iyunw.cn. root.iyunw.cn. (
            202111011   ; serial (d. adams)
            1H          ; refresh
            15M         ; retry
            1W          ; expiry
            1D )        ; minimum
    IN  NS  ns1.iyunw.cn.
    IN  NS  ns2.iyunw.cn.
ns1 IN  A   172.16.0.55
ns2 IN  A   172.16.0.56
web IN  A   172.16.0.59

$ vi allenjol.cn.zone
$TTL 86400
@   IN  SOA allenjol.cn. root.allenjol.cn. (
            202111011   ; serial (d. adams)
            1H          ; refresh
            15M         ; retry
            1W          ; expiry
            1D )        ; minimum
    IN  NS  ns1.allenjol.cn.
    IN  NS  ns2.allenjol.cn.
ns1   IN  A   172.16.0.55
ns2   IN  A   172.16.0.56
allen IN  A   172.16.0.60
```
Start the service and enable it at boot
```bash
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
# Only one of named and named-chroot may run
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
```
bind9 slave node deployment
```bash
# Clear the immutable bit so dnf can create the named user and group
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services
dnf -y install bind-chroot bind-utils

# I want to enable chroot and move the named directory to /data/named/chroot,
# so copy the packaged files there
mkdir -p /data/named
cp -ar /var/named/* /data/named/

# Create a directory for the logs
mkdir -p /data/named/chroot/data/log/named/

### Create the working files inside the bind chroot directory
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind

# Go to /data and change the owner and group of the named directory to named
cd /data/
chown -R named:named named
```
Edit the slave node's named.conf
```conf
$ cat /data/named/chroot/etc/named.conf
// Same ACLs as on the master; they must cover the subnets the clients query from
acl telecom { 172.17.10.0/24; };
acl unicom { 172.17.20.0/24; };
acl mobile { 172.17.30.0/24; };

options {
    // The slave listens on its own address
    listen-on port 53 { 127.0.0.1; 172.16.0.56; };
    directory "/var/named";
    // Paths are resolved inside the chroot; these are the files created above
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // Hosts allowed to query (white list)
    allow-query { any; };
    allow-query-cache { any; };
    // These are Alibaba Cloud ECS servers, so Alibaba's public DNS is the forwarder
    forwarders { 223.5.5.5; 223.6.6.6; };
    recursive-clients 200000;
    check-names master warn;
    max-cache-ttl 60;
    max-ncache-ttl 0;
    //recursion yes;
    //dnssec-enable yes;
    //dnssec-validation yes;
    //managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    //session-keyfile "/run/named/session.key";
};

logging {
    channel query_log {
        file "/data/log/named/query.log" versions 10 size 300m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel client_log {
        file "/data/log/named/client.log" versions 3 size 200m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel config {
        file "/data/log/named/config.log" versions 3 size 100m;
        severity info;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel default_log {
        file "/data/log/named/default.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    channel general_log {
        file "/data/log/named/general.log" versions 3 size 200m;
        severity debug;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries { query_log; };
    category client { client_log; };
    category general { general_log; };
    category config { config; };
    category default { default_log; };
};

// Views are tested top to bottom; a client that matches none of them is refused
view telecom_view {
    match-clients { telecom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-telcome.zones";
};
view unicom_view {
    match-clients { unicom; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-unicom.zones";
};
view mobile_view {
    // The mobile acl, not "any": with "any" every other client would land here
    match-clients { mobile; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named-mobile.zones";
};
```
Create the zone configuration files
```conf
# On the slave the zones are of type slave and are pulled from the master;
# the transferred copies are written under /var/named/slaves inside the chroot
$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/ayunw.cn.zone";
    masterfile-format text;
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/iyunw.cn.zone";
    masterfile-format text;
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
    type slave;
    masters { 172.16.0.55; };
    file "slaves/allenjol.cn.zone";
    masterfile-format text;
};
```
Start the service and enable it at boot
```bash
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
# Only one of named and named-chroot may run
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
```
Note: the slave node does not need its own zone data files. When the master's named-chroot service restarts, it notifies the slave, which transfers the zones and writes the files itself. For that to work, the slave's transfer requests (from 172.16.0.56) must fall into the view that holds the zone on the master; since one source address can only match one view, a TSIG key per view is the usual way to let a single slave pull zones from all three views.
Test resolution
Find three test machines whose intranet IP addresses are 172.16.10.1, 172.16.20.1 and 172.16.30.1 respectively, and query the master from each of them.
```text
$ dig -t A www.ayunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;www.ayunw.cn.                  IN      A

;; ANSWER SECTION:
www.ayunw.cn.           86400   IN      A       172.16.0.58

;; AUTHORITY SECTION:
ayunw.cn.               86400   IN      NS      ns2.ayunw.cn.
ayunw.cn.               86400   IN      NS      ns1.ayunw.cn.

;; ADDITIONAL SECTION:
ns1.ayunw.cn.           86400   IN      A       172.16.0.55
ns2.ayunw.cn.           86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
```

```text
$ dig -t A web.iyunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn.                  IN      A

;; ANSWER SECTION:
web.iyunw.cn.           86400   IN      A       172.16.0.59

;; AUTHORITY SECTION:
iyunw.cn.               86400   IN      NS      ns2.iyunw.cn.
iyunw.cn.               86400   IN      NS      ns1.iyunw.cn.

;; ADDITIONAL SECTION:
ns1.iyunw.cn.           86400   IN      A       172.16.0.55
ns2.iyunw.cn.           86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
```

```text
$ dig -t A allen.allenjol.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn.             IN      A

;; ANSWER SECTION:
allen.allenjol.cn.      86400   IN      A       172.16.0.60

;; AUTHORITY SECTION:
allenjol.cn.            86400   IN      NS      ns2.allenjol.cn.
allenjol.cn.            86400   IN      NS      ns1.allenjol.cn.

;; ADDITIONAL SECTION:
ns1.allenjol.cn.        86400   IN      A       172.16.0.55
ns2.allenjol.cn.        86400   IN      A       172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161
```
If you have more machines, also query from a host that is not in any of the three segments 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24, resolving any of the names above.
You will find that none of the domain names in the three zone files returns a normal A record from such a host.
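To make the acl+view selection and the test results above concrete, here is an added Python model (not code from the original article) of how named walks the acl and view statements: it parses the acl and match-clients lists, applies BIND's first-match rule with "!" negation and nested acl names, and returns the view a client lands in, or None where named answers REFUSED, which is what a host outside the three segments sees. The config text is constructed: it keeps the page's view order but uses the 172.16.10/20/30.0/24 subnets from the test section, and CATCHALL_CONF reproduces the original "any" in mobile_view for comparison.

```python
import ipaddress
import re

# Constructed named.conf excerpt modelled on the page's: same view order and
# match-clients; ACL subnets follow the test section; ACL name typo fixed.
NAMED_CONF = """
acl telecom { 172.16.10.0/24; };
acl unicom { 172.16.20.0/24; };
acl mobile { 172.16.30.0/24; };
view telecom_view { match-clients { telecom; }; include "/etc/named-telecom.zones"; };
view unicom_view { match-clients { unicom; }; include "/etc/named-unicom.zones"; };
view mobile_view { match-clients { mobile; }; include "/etc/named-mobile.zones"; };
"""
# Variant with the catch-all 'any' the page's mobile_view originally used.
CATCHALL_CONF = NAMED_CONF.replace("match-clients { mobile; }", "match-clients { any; }")

def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """{name: [elements]} for every 'acl name { ...; };' stanza."""
    return {m.group(1): _elements(m.group(2))
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}\s*;", conf)}

def parse_views(conf):
    """[(view, match-clients elements)] in file order; match-clients must be first."""
    pat = r"\bview\s+(\S+)\s*\{\s*match-clients\s*\{([^}]*)\}\s*;"
    return [(m.group(1), _elements(m.group(2))) for m in re.finditer(pat, conf)]

def acl_match(elements, acls, ip):
    """BIND address-match-list rule: first matching element decides; '!' negates it."""
    for elem in elements:
        negate, body = elem.startswith("!"), elem.lstrip("!").strip()
        if body == "any":
            hit = True
        elif body in acls:                      # reference to another acl
            hit = acl_match(acls[body], acls, ip)
        else:
            hit = ip in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negate
    return False

def select_view(conf, client_ip):
    """First view admitting client_ip; None means named answers REFUSED."""
    acls, ip = parse_acls(conf), ipaddress.ip_address(client_ip)
    for name, clients in parse_views(conf):
        if acl_match(clients, acls, ip):
            return name
    return None
```

select_view(NAMED_CONF, "172.16.0.56") returning None is the transfer problem from the slave note above: by address alone the slave at 172.16.0.56 falls into no view on the master.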