Intranet master-slave intelligent DNS: no more worries

Posted by ev66 on Tue, 16 Nov 2021 09:33:20 +0100

WeChat official account: operation and development story, author: Jiang Zong

Preface

With the rapid rise of the cloud-native era, every industry has moved onto Kubernetes. In just two or three years, job postings have come to require "at least one year of hands-on k8s experience", so many of the traditional technologies people used early in their careers have quickly been left behind. In other words, technology iterates constantly: old technologies are replaced quickly and new ones are favoured. In the domain-name resolution field we are most familiar with the hosted services DNSPod, GoDaddy, CloudFlare and Alibaba Cloud DNS, and of course dnsmasq, PowerDNS and the CoreDNS used in k8s. Today, though, I want to talk about BIND 9.

Small and medium-sized companies today may not use BIND 9 at all, and when you search online most guides use the plain named service rather than named-chroot. Even fewer use acl+view; or the formatting is poor enough that a newcomer may be confused and configure it incorrectly; or the details are left out. Good write-ups surely exist; maybe I did not spend enough time searching, or my search skills are limited. Here I record my attempt at implementing intelligent DNS with BIND 9 using chroot and acl+view.

Environment

CentOS Linux release 8.4.2105

BIND version: 9.11.26

Total network segment: 172.16.128.0/17

bind9 master-slave network segment: 172.16.0.0/24

Host          IP             Role
named-srv1    172.16.0.55    named master
named-srv2    172.16.0.56    named slave

bind9 master node deployment

# The bind packages create the named user and group; clear the immutable
# bit on these files first so the install can write to them
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services

dnf -y install bind-chroot bind-utils

# I want to enable chroot and to move the named directory to /data/named/chroot,
# so copy the files there
mkdir -p /data/named
cp -ar /var/named/* /data/named/

# Create a directory for the logs
mkdir -p /data/named/chroot/data/log/named/

# Create the working files inside the bind chroot
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind

# Go to /data/ and change the owner and group of the named directory to named
cd /data/
chown -R named:named named

Edit the master's named.conf

$ cat /data/named/chroot/etc/named.conf

acl telecom {
  172.17.10.0/24;
};

acl unicom {
  172.17.20.0/24;
};

acl mobile {
  172.17.30.0/24;
};

options {
	listen-on port 53 { 127.0.0.1; 172.16.0.55;};
	directory 	"/var/named";
	// paths are resolved inside the chroot; these are the files created above
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
  // Hosts allowed to query; White list 
	allow-query     { any; };
  allow-query-cache  { any; };
  // I bought Alibaba cloud ECS server here, so I use Alibaba DNS here
  forwarders { 223.5.5.5; 223.6.6.6; };
  recursive-clients  200000;
  check-names master warn;
  max-cache-ttl	     60;
  max-ncache-ttl	   0;

	//recursion yes;
	//dnssec-enable yes;
	//dnssec-validation yes;
	//managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	//session-keyfile "/run/named/session.key";

};

logging {
       channel query_log {
               file "/data/log/named/query.log" versions 10 size 300m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel client_log {
               file "/data/log/named/client.log" versions 3 size 200m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel config {
               file "/data/log/named/config.log" versions 3 size 100m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel default_log {
               file "/data/log/named/default.log" versions 3 size 100m;
               severity debug;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel general_log {
               file "/data/log/named/general.log" versions 3 size 200m;
               severity debug;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       category queries {
               query_log;
               };
       category client {
               client_log;
               };
       category general {
               general_log;
               };
       category config {
               config;
               };
       category default {
               default_log;
               };
};

view telecom_view {
  match-clients { telecom; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-telcome.zones";
};

view unicom_view {
  match-clients { unicom; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-unicom.zones";
};

view mobile_view {
  // named tries the views in order and answers from the first one whose
  // match-clients matches the source address; a client matching no view is
  // refused. The slave (172.16.0.56) must also match the view that holds a
  // zone, otherwise the master refuses its zone transfer.
  match-clients      { mobile; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-mobile.zones";
};

Note: two reminders. First, named-chroot and the plain named service are mutually exclusive; once named-chroot is enabled you must stop named. Second, with named-chroot enabled every path in named.conf is resolved relative to /var/named/chroot.

Using acl+view

Three ACLs and three views are defined above. By convention the acl blocks go at the top of the file, before options, and that is also what I recommend.

Next you need to create the three zone include files referenced by the include statements inside the views. Only forward zones are shown here; an intranet BIND 9 server rarely needs reverse zones.
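To make the view-selection rule concrete, here is a small shell model of it. This is an added example, not code from the original post: BIND walks the views in the order they appear in named.conf and answers from the first one whose match-clients ACL contains the query's source address; a client that matches no view gets REFUSED. The ACL prefixes and view order are the ones from the named.conf above; the client addresses at the bottom are constructed test values. The second table shows what happens if the last view uses the built-in `any` ACL instead of `mobile`: every host that matched nothing before now silently lands in mobile_view, which is exactly the kind of accidental exposure a view-based split is meant to prevent.

```shell
#!/bin/sh
# Added example (not from the original post): model of how named picks a view.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> exit 0 when IP lies inside the network
in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# view tables: "name:acl" entries in named.conf order; "any" is BIND's
# built-in match-everything ACL
VIEWS_FROM_POST="telecom_view:172.17.10.0/24 unicom_view:172.17.20.0/24 mobile_view:172.17.30.0/24"
VIEWS_WITH_CATCHALL="telecom_view:172.17.10.0/24 unicom_view:172.17.20.0/24 mobile_view:any"

# view_for IP [VIEW_TABLE] -> prints the first matching view, or REFUSED (exit 1)
view_for() {
    ip=$1
    table=${2:-$VIEWS_FROM_POST}
    for entry in $table; do
        acl=${entry#*:}
        if [ "$acl" = any ] || in_cidr "$ip" "$acl"; then
            echo "${entry%%:*}"
            return 0
        fi
    done
    echo REFUSED
    return 1
}

# demo: one client from each ACL segment plus a host from the master/slave segment
for client in 172.17.10.9 172.17.20.9 172.17.30.9 172.16.0.200; do
    printf '%-14s -> %-13s  (with mobile_view { any; }: %s)\n' \
        "$client" "$(view_for "$client" || true)" \
        "$(view_for "$client" "$VIEWS_WITH_CATCHALL" || true)"
done
```

The model only covers single-prefix ACLs, which is all the post uses; real ACLs may nest other ACLs and negate entries with `!`, and named applies `match-destinations` and TSIG key matching in the same first-match pass.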

Create the zone include files

$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
        type master;
        file "ayunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
        type master;
        file "iyunw.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
        type master;
        file "allenjol.cn.zone";
        allow-update { none; };
        masterfile-format text;
        allow-transfer { 172.16.0.56; };
};

Create the zone data files

$ cd /var/named/chroot/var/named

$ vi ayunw.cn.zone
$TTL    86400
@       IN      SOA     ayunw.cn.       root.iyunw.cn.  (
                                        202111011       ; serial (d. adams)
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                IN      NS              ns1.ayunw.cn.
                IN      NS              ns2.ayunw.cn.

ns1             IN      A	172.16.0.55
ns2             IN      A	172.16.0.56
www           IN      A 172.16.0.58



$ vi iyunw.cn.zone
$TTL    86400
@       IN      SOA     iyunw.cn.       root.iyunw.cn.  (
                                        202111011       ; serial (d. adams)
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                IN      NS              ns1.iyunw.cn.
                IN      NS              ns2.iyunw.cn.

ns1             IN      A	172.16.0.55
ns2             IN      A	172.16.0.56
web            IN      A 172.16.0.59

$ vi allenjol.cn.zone
$TTL    86400
@       IN      SOA     allenjol.cn.       root.allenjol.cn.  (
                                        202111011       ; serial (d. adams)
                                        1H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                IN      NS              ns1.allenjol.cn.
                IN      NS              ns2.allenjol.cn.

ns1             IN      A	172.16.0.55
ns2             IN      A	172.16.0.56
allen           IN      A 172.16.0.60

Start the service and enable it at boot

/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
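Before starting named-chroot it pays to lint the configuration, because the three mistakes that most often creep into view configs (an ACL name used in match-clients that no acl block defines, an include path that does not exist under the chroot root, and an address list missing its trailing `;` before `}`) each stop named from starting. The script below is an added example, not part of the original post; it needs only sh, sed and grep, so it can run anywhere, and the sample configs it builds in a temporary directory are constructed cut-down copies of the views above in their broken and corrected forms. Run `named-checkconf -t /var/named/chroot /etc/named.conf` afterwards for the full parse.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight lint for named.conf.

# lint_named_conf CHROOT CONF -> prints one line per problem, exit 1 if any
lint_named_conf() {
    chroot_dir=$1
    conf=$2
    problems=0

    # ACL names the file defines, plus BIND's built-in ones
    defined_acls="any none localhost localnets $(sed -n \
        's/^[[:space:]]*acl[[:space:]][[:space:]]*\([A-Za-z0-9_-]*\)[[:space:]]*{.*/\1/p' \
        "$conf" | tr '\n' ' ')"

    # every name that appears inside match-clients { ... }
    for name in $(sed -n 's/.*match-clients[[:space:]]*{\([^}]*\)}.*/\1/p' "$conf" | tr ';' ' '); do
        case " $defined_acls " in
            *" $name "*) ;;
            *) echo "undefined acl '$name' in match-clients"; problems=$((problems + 1)) ;;
        esac
    done

    # include "path" is opened inside the chroot, so check CHROOT + path
    for path in $(sed -n 's/.*include[[:space:]]*"\([^"]*\)".*/\1/p' "$conf"); do
        if [ ! -f "$chroot_dir$path" ]; then
            echo "include $path missing (looked for $chroot_dir$path)"
            problems=$((problems + 1))
        fi
    done

    # match-clients / match-destinations lists must close as "...; }"
    unterminated=$(grep -E 'match-(clients|destinations)' "$conf" | grep -vc ';[[:space:]]*}' || true)
    if [ "$unterminated" -gt 0 ]; then
        echo "$unterminated match-* line(s) lack ';' before '}'"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# make_sample_chroot DIR: constructed sample, a cut-down copy of the views
# above in their original (broken) and corrected forms
make_sample_chroot() {
    dir=$1
    mkdir -p "$dir/etc"
    : > "$dir/etc/named-telcome.zones"
    : > "$dir/etc/named-unicom.zones"
    cat > "$dir/etc/named.conf.broken" <<'EOF'
acl telecom { 172.17.10.0/24; };
acl unicom  { 172.17.20.0/24; };
view telcom_view {
  match-clients { telcom; };
  match-destinations { any };
  include "/etc/named-telcome.zones";
};
view unicom_view {
  match-clients { unicom; };
  match-destinations { any; };
  include "/etc/named-unicome.zones";
};
EOF
    cat > "$dir/etc/named.conf.fixed" <<'EOF'
acl telecom { 172.17.10.0/24; };
acl unicom  { 172.17.20.0/24; };
view telecom_view {
  match-clients { telecom; };
  match-destinations { any; };
  include "/etc/named-telcome.zones";
};
view unicom_view {
  match-clients { unicom; };
  match-destinations { any; };
  include "/etc/named-unicom.zones";
};
EOF
}

# stand-alone run: lint both sample configs
sample=$(mktemp -d)
make_sample_chroot "$sample"
lint_named_conf "$sample" "$sample/etc/named.conf.broken" || echo "broken config rejected"
lint_named_conf "$sample" "$sample/etc/named.conf.fixed" && echo "fixed config accepted"
```

Against the real chroot the call is `lint_named_conf /var/named/chroot /var/named/chroot/etc/named.conf`; the zone data files themselves are checked separately with `named-checkzone ayunw.cn /var/named/chroot/var/named/ayunw.cn.zone`.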

bind9 slave node deployment

# The bind packages create the named user and group; clear the immutable
# bit on these files first so the install can write to them
/bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services

dnf -y install bind-chroot bind-utils

# I want to enable chroot and to move the named directory to /data/named/chroot,
# so copy the files there
mkdir -p /data/named
cp -ar /var/named/* /data/named/

# Create a directory for the logs
mkdir -p /data/named/chroot/data/log/named/

# Create the working files inside the bind chroot
touch /data/named/chroot/var/named/data/cache_dump.db
touch /data/named/chroot/var/named/data/named_stats.txt
touch /data/named/chroot/var/named/data/named_mem_stats.txt
touch /data/named/chroot/var/named/data/named.run
mkdir /data/named/chroot/var/named/dynamic
touch /data/named/chroot/var/named/dynamic/managed-keys.bind

# Go to /data/ and change the owner and group of the named directory to named
cd /data/
chown -R named:named named

Edit the slave's named.conf

$ cat /data/named/chroot/etc/named.conf

acl telecom {
  172.17.10.0/24;
};

acl unicom {
  172.17.20.0/24;
};

acl mobile {
  172.17.30.0/24;
};

options {
	// the slave listens on its own address
	listen-on port 53 { 127.0.0.1; 172.16.0.56;};
	directory 	"/var/named";
	// paths are resolved inside the chroot; these are the files created above
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
  // Hosts allowed to query; White list 
	allow-query     { any; };
  allow-query-cache  { any; };
  // I bought Alibaba cloud ECS server here, so I use Alibaba DNS here
  forwarders { 223.5.5.5; 223.6.6.6; };
  recursive-clients  200000;
  check-names master warn;
  max-cache-ttl	     60;
  max-ncache-ttl	   0;

	//recursion yes;
	//dnssec-enable yes;
	//dnssec-validation yes;
	//managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	//session-keyfile "/run/named/session.key";

};

logging {
       channel query_log {
               file "/data/log/named/query.log" versions 10 size 300m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel client_log {
               file "/data/log/named/client.log" versions 3 size 200m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel config {
               file "/data/log/named/config.log" versions 3 size 100m;
               severity info;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel default_log {
               file "/data/log/named/default.log" versions 3 size 100m;
               severity debug;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       channel general_log {
               file "/data/log/named/general.log" versions 3 size 200m;
               severity debug;
               print-category yes;
               print-time yes;
               print-severity yes;
               };
       category queries {
               query_log;
               };
       category client {
               client_log;
               };
       category general {
               general_log;
               };
       category config {
               config;
               };
       category default {
               default_log;
               };
};

view telecom_view {
  match-clients { telecom; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-telcome.zones";
};

view unicom_view {
  match-clients { unicom; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-unicom.zones";
};

view mobile_view {
  // same first-match rule as on the master: a client matching no view is refused
  match-clients      { mobile; };
  match-destinations { any; };
  recursion yes;
  include "/etc/named-mobile.zones";
};

Create the zone include files (on the slave the zones are of type slave and are pulled from the master)

$ vi /var/named/chroot/etc/named-telcome.zones
zone "ayunw.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        // named writes the transferred zone here; the directory is owned by named
        file "ayunw.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};

$ vi /var/named/chroot/etc/named-unicom.zones
zone "iyunw.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "iyunw.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};

$ vi /var/named/chroot/etc/named-mobile.zones
zone "allenjol.cn" IN {
        type slave;
        masters { 172.16.0.55; };
        file "allenjol.cn.zone";
        masterfile-format text;
        allow-transfer { none; };
};

Start the service and enable it at boot

/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot

Note: the slave does not need its own zone data files. When named-chroot is restarted on the master, the zone data is transferred to the slave automatically.
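The quickest way to confirm that the transfer really happened is to compare the SOA serial each server returns for a zone: equal serials mean the slave holds the master's copy, a lower serial on the slave means the transfer has not happened (usually because the serial was not bumped after editing the zone file, because allow-transfer does not list the slave, or because the slave's source address 172.16.0.56 matches no view on the master, in which case the master refuses the request outright). The script below is an added example, not code from the post; the master and slave addresses are the ones from the environment table, and the two `dig +short SOA` answers it parses in the demo are constructed so the logic can be exercised without a resolver. The `check_zone_sync` function runs the live query and needs `dig` from bind-utils.

```shell
#!/bin/sh
# Added example (not from the original post): check master/slave zone sync
# by comparing SOA serials.

# parse_soa_serial "<dig +short SOA output>" -> the serial (3rd field)
parse_soa_serial() {
    # +short SOA output: "mname rname serial refresh retry expire minimum"
    set -- $1
    [ $# -ge 3 ] || return 1
    echo "$3"
}

# soa_serial SERVER ZONE -> serial as served by SERVER (needs dig)
soa_serial() {
    parse_soa_serial "$(dig +short +time=2 +tries=1 "@$1" "$2" SOA)"
}

# compare_serials MASTER_SERIAL SLAVE_SERIAL -> prints status, exit 0 only when in sync
compare_serials() {
    if [ "$1" = "$2" ]; then
        echo "in sync (serial $1)"
    elif [ "$1" -gt "$2" ]; then
        echo "slave behind: master $1, slave $2"
        return 1
    else
        echo "slave ahead: master $1, slave $2 (was the slave copy edited by hand?)"
        return 1
    fi
}

# check_zone_sync ZONE [MASTER] [SLAVE] -> live comparison against both servers
check_zone_sync() {
    zone=$1
    master=${2:-172.16.0.55}
    slave=${3:-172.16.0.56}
    m=$(soa_serial "$master" "$zone") || { echo "no SOA for $zone from master $master"; return 1; }
    s=$(soa_serial "$slave" "$zone")  || { echo "no SOA for $zone from slave $slave (transfer refused or not yet done)"; return 1; }
    compare_serials "$m" "$s"
}

# constructed dig +short SOA answers for the demo: the master's zone file was
# edited and its serial bumped once, the slave still has the old copy
MASTER_ANSWER="ayunw.cn. root.iyunw.cn. 202111012 3600 900 604800 86400"
SLAVE_ANSWER="ayunw.cn. root.iyunw.cn. 202111011 3600 900 604800 86400"

compare_serials "$(parse_soa_serial "$MASTER_ANSWER")" "$(parse_soa_serial "$SLAVE_ANSWER")" || true

# against the real servers (queries must come from a host that matches the zone's view):
#   for z in ayunw.cn iyunw.cn allenjol.cn; do check_zone_sync "$z"; done
```

Because the views select on source address, run the live check from a host inside the matching ACL segment (or the slave itself); from anywhere else both servers answer REFUSED and the check reports a missing SOA rather than a serial mismatch.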

Test resolution

Find three machines whose intranet IP addresses are 172.16.10.1, 172.16.20.1 and 172.16.30.1 respectively, and query from each:

$ dig -t A www.ayunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;www.ayunw.cn.		IN	A

;; ANSWER SECTION:
www.ayunw.cn.	86400	IN	A	172.16.0.58

;; AUTHORITY SECTION:
ayunw.cn.	86400	IN	NS	ns2.ayunw.cn.
ayunw.cn.	86400	IN	NS	ns1.ayunw.cn.

;; ADDITIONAL SECTION:
ns1.ayunw.cn.	86400	IN	A	172.16.0.55
ns2.ayunw.cn.	86400	IN	A	172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161

$ dig -t A web.iyunw.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;web.iyunw.cn.		IN	A

;; ANSWER SECTION:
web.iyunw.cn.	86400	IN	A	172.16.0.59

;; AUTHORITY SECTION:
iyunw.cn.	86400	IN	NS	ns2.iyunw.cn.
iyunw.cn.	86400	IN	NS	ns1.iyunw.cn.

;; ADDITIONAL SECTION:
ns1.iyunw.cn.	86400	IN	A	172.16.0.55
ns2.iyunw.cn.  86400	IN	A	172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161

$ dig -t A allen.allenjol.cn

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.ptcloud.t.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
;; QUESTION SECTION:
;allen.allenjol.cn.		IN	A

;; ANSWER SECTION:
allen.allenjol.cn.	86400	IN	A	172.16.0.60

;; AUTHORITY SECTION:
allenjol.cn.	86400	IN	NS	ns2.allenjol.cn.
allenjol.cn.	86400	IN	NS	ns1.allenjol.cn.

;; ADDITIONAL SECTION:
ns1.allenjol.cn.	86400	IN	A	172.16.0.55
ns2.allenjol.cn.   86400	IN	A	172.16.0.56

;; Query time: 0 msec
;; SERVER: 172.16.0.55#53(172.16.0.55)
;; WHEN: Tue Oct 26 09:50:40 CST 2021
;; MSG SIZE  rcvd: 161

If you have enough machines, try resolving from a machine that is not in any of the three segments 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24. You will find that the domain names in the three zone files no longer return normal A records.

Topics: Operation & Maintenance Operating System cloud computing Alibaba Cloud