Intranet master-slave smart DNS, no more worries


This article is reprinted from the WeChat official account "Operation and Development Story", written by Xiao Jiang. To reprint it, please contact that account.

Hello everyone, I am Xiao Jiang.

Preface

With the rapid growth of the cloud-native era every industry has moved onto Kubernetes; within two or three years job postings started asking for "at least one year of hands-on k8s experience". As a result, many traditional technologies that were widely used in the early days of the industry have quickly been left behind. Technology iteration never stops: old technologies get replaced and new ones are favoured. In domain name resolution the most familiar and commonly used options are hosted services such as DNSPod, GoDaddy, Cloudflare and Alibaba Cloud DNS, plus dnsmasq, PowerDNS and the CoreDNS that runs inside Kubernetes. Today, though, I want to talk about BIND 9.

Small and medium-sized companies may not use BIND 9 much any more, and most of what you find online runs the plain named service rather than named-chroot; even fewer articles use acl + view. Either the layout is poor, so a beginner gets confused and makes configuration mistakes, or the explanation is not detailed enough. Good write-ups surely exist; perhaps I did not search long enough. Here I record the process of using BIND 9 with chroot and acl + view to implement a simple form of "smart DNS": split-horizon resolution, where the answer a client gets depends on which network it sits on.

Environmental Description

CentOS Linux release 8.4.2105

BIND Version: 9.11.26

Total network segment: 172.16.128.0/17

Network segment where bind9 master and slave are located: 172.16.0.0/24

Host          IP            Role
named-srv1    172.16.0.55   named master
named-srv2    172.16.0.56   named slave

bind9 master node deployment

  # Clear the immutable attribute on files the package install and the named
  # user/group creation must modify (only needed if you set +i on them when hardening)
  /bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services

  dnf -y install bind-chroot bind-utils

  # I want to run named in a chroot whose root is /data/named/chroot,
  # so copy the skeleton that bind-chroot installed under /var/named
  mkdir -p /data/named
  cp -ar /var/named/* /data/named/

  # named-chroot.service on CentOS 8 always starts named with -t /var/named/chroot,
  # so point that path at the relocated tree (added fix: without it the /data tree
  # is never used and the /var/named/chroot paths used later would not line up)
  mv /var/named/chroot /var/named/chroot.orig
  ln -s /data/named/chroot /var/named/chroot

  # Directory for the log files referenced in named.conf (the path is inside the chroot)
  mkdir -p /data/named/chroot/data/log/named/

  ### Create the state files named writes inside the chroot
  touch /data/named/chroot/var/named/data/cache_dump.db
  touch /data/named/chroot/var/named/data/named_stats.txt
  touch /data/named/chroot/var/named/data/named_mem_stats.txt
  touch /data/named/chroot/var/named/data/named.run
  mkdir -p /data/named/chroot/var/named/dynamic
  touch /data/named/chroot/var/named/dynamic/managed-keys.bind

  # Hand the whole tree to the named user and group
  cd /data/
  chown -R named:named named

Edit the master's named.conf

  $ cat /data/named/chroot/etc/named.conf

  // One ACL per carrier network. The prose and the test hosts later in this
  // article use 172.16.x.0/24, so the ACL bodies follow that (the original
  // listing had 172.17.x, which matched none of the test clients).
  acl telecom {
      172.16.10.0/24;
  };

  acl unicom {
      172.16.20.0/24;
  };

  acl mobile {
      172.16.30.0/24;
  };

  options {
      listen-on port 53 { 127.0.0.1; 172.16.0.55; };
      directory "/var/named";                              // every path here is inside the chroot
      dump-file "/var/named/data/cache_dump.db";           // the files created with touch above
      statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      // Hosts allowed to query; listen-on already keeps this to the intranet interface
      allow-query { any; };
      allow-query-cache { any; };
      // This server is an Alibaba Cloud ECS instance, so Alibaba's public DNS is the forwarder
      forwarders { 223.5.5.5; 223.6.6.6; };
      recursive-clients 200000;
      check-names master warn;
      max-cache-ttl 60;
      max-ncache-ttl 0;

      //recursion yes;
      //dnssec-enable yes;
      //dnssec-validation yes;
      //managed-keys-directory "/var/named/dynamic";
      pid-file "/run/named/named.pid";
      //session-keyfile "/run/named/session.key";
  };

  logging {
      channel query_log {
          file "/data/log/named/query.log" versions 10 size 300m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel client_log {
          file "/data/log/named/client.log" versions 3 size 200m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel config {
          file "/data/log/named/config.log" versions 3 size 100m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel default_log {
          file "/data/log/named/default.log" versions 3 size 100m;
          severity debug;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel general_log {
          file "/data/log/named/general.log" versions 3 size 200m;
          severity debug;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      category queries { query_log; };
      category client  { client_log; };
      category general { general_log; };
      category config  { config; };
      category default { default_log; };
  };

  // Views are tried in this order: the first view whose match-clients accepts the
  // client's source address answers it, and a client that matches no view is refused.
  view telecom_view {
      match-clients { telecom; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-telecom.zones";
  };

  view unicom_view {
      match-clients { unicom; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-unicom.zones";
  };

  view mobile_view {
      // The original listing had { any; } here, which would let every host
      // outside the three networks into this view.
      match-clients { mobile; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-mobile.zones";
  };

Note: two things to keep in mind. First, named and named-chroot are alternatives: once named-chroot is enabled, the plain named service must be stopped and disabled. Second, with named-chroot every path in named.conf is relative to the chroot root, which the CentOS 8 named-chroot unit fixes at /var/named/chroot (it starts named with -t /var/named/chroot and runs named-checkconf -z there first, so if the service refuses to start, journalctl -u named-chroot shows the configuration error). If you relocate the tree to /data/named/chroot, /var/named/chroot must point at it. "/etc/named-telecom.zones" in an include therefore means /var/named/chroot/etc/named-telecom.zones on the host, and "ayunw.cn.zone" in a zone statement is looked up under directory, that is /var/named/chroot/var/named/. If SELinux is enforcing, the relocated directories also need the labels the stock ones carry (named_zone_t for the zone directory, named_cache_t for the data, dynamic and slave-zone directories, named_log_t for the log directory); otherwise named cannot write its logs or the zones it transfers.

Using acl+view

Three ACLs and three views are defined above. ACLs go at the very top of named.conf, before options, and that is the recommended layout: an acl must be defined before anything references it. Two rules govern how named uses them. Views are tried in the order they appear, and the first view whose match-clients accepts the client's source address answers the query; a client that matches no view is answered REFUSED (the original listing's last view used match-clients { any; }, which would have turned it into a catch-all for every other host). And because every view here enables recursion and the forwarders in options apply to all views, a client that lands in one view is not refused for the other views' zones: it gets the forwarders' answer for those names instead. On an intranet that is usually acceptable, but note that allow-query { any; } together with recursion makes the server an open recursive resolver for anything that can reach 172.16.0.55; listen-on keeps it off public interfaces, and restricting recursion to the three ACLs with allow-recursion is the safer default.
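How named chooses the view, as an added Python model (this is not BIND code and not part of the original article). The ACL and view names mirror the named.conf above; the telecom-key, unicom-key and mobile-key TSIG key names are an assumption, included to show why a slave whose address is in none of the three networks needs a key to reach a view at all:

```python
"""
Model of view selection in named: views are tried in the order they appear in
named.conf, the first view whose match-clients accepts the client answers, and a
client that matches no view is refused. Added example, not BIND code; ACL and
view names follow the article, the "*-key" TSIG key names are an assumption.
"""
import ipaddress

# ACLs from the article's named.conf (the prose and test hosts use 172.16.x.0/24)
ACLS = {
    "telecom": ["172.16.10.0/24"],
    "unicom": ["172.16.20.0/24"],
    "mobile": ["172.16.30.0/24"],
    "localhost": ["127.0.0.0/8", "::1/128"],   # built-in acl, approximated here
}


def element_covers(element, client_ip, key):
    """Does one address_match_list element cover the request?
    Elements: any, none, 'key NAME', a nested acl name, a CIDR or a bare address."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        return key == element[4:].strip()      # request must be TSIG-signed with that key
    if element in ACLS:
        return match_list(ACLS[element], client_ip, key)
    return client_ip in ipaddress.ip_network(element, strict=False)


def match_list(elements, client_ip, key=None):
    """Evaluate an address_match_list the way named does: the first element that
    covers the request decides, and a negated element ('!x') that covers it means
    the list does NOT match. Later elements are never looked at."""
    for element in elements:
        negated = element.startswith("!")
        body = element[1:].strip() if negated else element
        if element_covers(body, client_ip, key):
            return not negated
    return False


def select_view(views, client, key=None):
    """Name of the first view whose match-clients accepts the client, or None,
    which named answers with REFUSED ("no matching view in class 'IN'")."""
    client_ip = ipaddress.ip_address(client)
    for name, match_clients in views:
        if match_list(match_clients, client_ip, key):
            return name
    return None


# The article's three views, with mobile_view matching the mobile acl
ARTICLE_VIEWS = [
    ("telecom_view", ["telecom"]),
    ("unicom_view", ["unicom"]),
    ("mobile_view", ["mobile"]),
]

# The original listing had match-clients { any; } in the last view: it then
# catches every host outside the three networks.
CATCH_ALL_VIEWS = ARTICLE_VIEWS[:2] + [("mobile_view", ["any"])]

# Assumed variant for master-slave transfers: one TSIG key per view, listed before
# the address acl, so a request signed with that key selects the view regardless
# of source address (the slave 172.16.0.56 is in none of the carrier networks).
KEYED_VIEWS = [
    ("telecom_view", ["key telecom-key", "telecom"]),
    ("unicom_view", ["key unicom-key", "unicom"]),
    ("mobile_view", ["key mobile-key", "mobile"]),
]


def explain(views, client, key=None):
    view = select_view(views, client, key)
    return f"{client} key={key or '-'} -> {view or 'REFUSED (no matching view)'}"


if __name__ == "__main__":
    for client in ("172.16.10.1", "172.16.20.1", "172.16.30.1", "172.16.40.1", "172.16.0.56"):
        print(explain(ARTICLE_VIEWS, client))
    print(explain(CATCH_ALL_VIEWS, "172.16.40.1"))
    print(explain(KEYED_VIEWS, "172.16.0.56"))
    print(explain(KEYED_VIEWS, "172.16.0.56", key="unicom-key"))
```

Run it and the last two lines make the transfer problem concrete: the slave's unsigned request from 172.16.0.56 matches no view, a request signed with unicom-key lands in unicom_view.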

Next, create the zone files that the include statements in the three views point at. Only forward zones are shown; an intranet BIND rarely needs reverse zones.

Create the zone definition files

  $ vi /var/named/chroot/etc/named-telecom.zones
  zone "ayunw.cn" IN {
      type master;
      file "ayunw.cn.zone";              // relative to directory, i.e. /var/named/chroot/var/named/
      allow-update { none; };
      masterfile-format text;
      allow-transfer { 172.16.0.56; };   // only the slave may request a transfer of this zone
  };

  $ vi /var/named/chroot/etc/named-unicom.zones
  zone "iyunw.cn" IN {
      type master;
      file "iyunw.cn.zone";
      allow-update { none; };
      masterfile-format text;
      allow-transfer { 172.16.0.56; };
  };

  $ vi /var/named/chroot/etc/named-mobile.zones
  zone "allenjol.cn" IN {
      type master;
      file "allenjol.cn.zone";
      allow-update { none; };
      masterfile-format text;
      allow-transfer { 172.16.0.56; };
  };

Create the zone data files

  # directory "/var/named" in named.conf is inside the chroot, so the files go here
  $ cd /var/named/chroot/var/named

  # Records whose owner column is empty inherit the previous owner, so the NS lines
  # must start with "@" or with whitespace; the original listing had lost that indentation.
  $ vi ayunw.cn.zone
  $TTL 86400
  @   IN  SOA ayunw.cn. root.ayunw.cn. (
              202111011   ; serial
              1H          ; refresh
              15M         ; retry
              1W          ; expiry
              1D )        ; minimum

  @   IN  NS  ns1.ayunw.cn.
  @   IN  NS  ns2.ayunw.cn.

  ns1 IN  A   172.16.0.55
  ns2 IN  A   172.16.0.56
  www IN  A   172.16.0.58


  $ vi iyunw.cn.zone
  $TTL 86400
  @   IN  SOA iyunw.cn. root.iyunw.cn. (
              202111011   ; serial
              1H          ; refresh
              15M         ; retry
              1W          ; expiry
              1D )        ; minimum

  @   IN  NS  ns1.iyunw.cn.
  @   IN  NS  ns2.iyunw.cn.

  ns1 IN  A   172.16.0.55
  ns2 IN  A   172.16.0.56
  web IN  A   172.16.0.59

  $ vi allenjol.cn.zone
  $TTL 86400
  @   IN  SOA allenjol.cn. root.allenjol.cn. (
              202111011   ; serial
              1H          ; refresh
              15M         ; retry
              1W          ; expiry
              1D )        ; minimum

  @     IN  NS  ns1.allenjol.cn.
  @     IN  NS  ns2.allenjol.cn.

  ns1   IN  A   172.16.0.55
  ns2   IN  A   172.16.0.56
  allen IN  A   172.16.0.60

Start the service and set it to start automatically at boot

  /usr/libexec/setup-named-chroot.sh /var/named/chroot on
  systemctl stop named
  systemctl disable named
  systemctl start named-chroot
  systemctl enable named-chroot

bind9 slave node deployment

  # Same preparation as on the master
  /bin/chattr -i /etc/fstab /etc/passwd /etc/group /etc/shadow /etc/sudoers /etc/services

  dnf -y install bind-chroot bind-utils

  # Run named in a chroot rooted at /data/named/chroot: copy the installed skeleton
  mkdir -p /data/named
  cp -ar /var/named/* /data/named/

  # named-chroot.service always uses -t /var/named/chroot, so point it at the relocated tree
  # (added fix; see the master section)
  mv /var/named/chroot /var/named/chroot.orig
  ln -s /data/named/chroot /var/named/chroot

  # Directory for the log files referenced in named.conf (inside the chroot)
  mkdir -p /data/named/chroot/data/log/named/

  ### Create the state files named writes inside the chroot
  touch /data/named/chroot/var/named/data/cache_dump.db
  touch /data/named/chroot/var/named/data/named_stats.txt
  touch /data/named/chroot/var/named/data/named_mem_stats.txt
  touch /data/named/chroot/var/named/data/named.run
  mkdir -p /data/named/chroot/var/named/dynamic
  touch /data/named/chroot/var/named/dynamic/managed-keys.bind

  # Hand the whole tree to the named user and group; the slave writes its
  # transferred zone files here, so this step is not optional
  cd /data/
  chown -R named:named named

Edit the slave's named.conf

  $ cat /data/named/chroot/etc/named.conf

  // The ACLs and views must be the same as on the master (same names, same order),
  // so that a client gets the same split whichever server it asks.
  acl telecom {
      172.16.10.0/24;
  };

  acl unicom {
      172.16.20.0/24;
  };

  acl mobile {
      172.16.30.0/24;
  };

  options {
      listen-on port 53 { 127.0.0.1; 172.16.0.56; };     // this host's address, not the master's
      directory "/var/named";
      dump-file "/var/named/data/cache_dump.db";
      statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      // Hosts allowed to query; listen-on already keeps this to the intranet interface
      allow-query { any; };
      allow-query-cache { any; };
      // This server is an Alibaba Cloud ECS instance, so Alibaba's public DNS is the forwarder
      forwarders { 223.5.5.5; 223.6.6.6; };
      recursive-clients 200000;
      check-names master warn;
      max-cache-ttl 60;
      max-ncache-ttl 0;

      //recursion yes;
      //dnssec-enable yes;
      //dnssec-validation yes;
      //managed-keys-directory "/var/named/dynamic";
      pid-file "/run/named/named.pid";
      //session-keyfile "/run/named/session.key";
  };

  logging {
      channel query_log {
          file "/data/log/named/query.log" versions 10 size 300m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel client_log {
          file "/data/log/named/client.log" versions 3 size 200m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel config {
          file "/data/log/named/config.log" versions 3 size 100m;
          severity info;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel default_log {
          file "/data/log/named/default.log" versions 3 size 100m;
          severity debug;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      channel general_log {
          file "/data/log/named/general.log" versions 3 size 200m;
          severity debug;
          print-category yes;
          print-time yes;
          print-severity yes;
      };
      category queries { query_log; };
      category client  { client_log; };
      category general { general_log; };
      category config  { config; };
      category default { default_log; };
  };

  view telecom_view {
      match-clients { telecom; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-telecom.zones";
  };

  view unicom_view {
      match-clients { unicom; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-unicom.zones";
  };

  view mobile_view {
      match-clients { mobile; };
      match-destinations { any; };
      recursion yes;
      include "/etc/named-mobile.zones";
  };

Create the zone definition files

  # On the slave the zones are of type slave and name the master; the original
  # listing had copied the master's "type master" definitions, which would have
  # made named-srv2 an independent master with no zone data at all.
  $ vi /var/named/chroot/etc/named-telecom.zones
  zone "ayunw.cn" IN {
      type slave;
      masters { 172.16.0.55; };      // named-srv1 holds the editable copy
      file "ayunw.cn.zone";          // written by named after the transfer, so the directory must be writable by named
      masterfile-format text;
      allow-transfer { none; };      // the slave does not hand the zone on to anyone
      // allow-update is only valid in master zones and is dropped here
  };

  $ vi /var/named/chroot/etc/named-unicom.zones
  zone "iyunw.cn" IN {
      type slave;
      masters { 172.16.0.55; };
      file "iyunw.cn.zone";
      masterfile-format text;
      allow-transfer { none; };
  };

  $ vi /var/named/chroot/etc/named-mobile.zones
  zone "allenjol.cn" IN {
      type slave;
      masters { 172.16.0.55; };
      file "allenjol.cn.zone";
      masterfile-format text;
      allow-transfer { none; };
  };

Start the service and set it to start automatically at boot

  /usr/libexec/setup-named-chroot.sh /var/named/chroot on
  systemctl stop named
  systemctl disable named
  systemctl start named-chroot
  systemctl enable named-chroot

Note: the slave does not need hand-written zone data files. When named-chroot starts on the slave it requests each slave zone from the master (AXFR) and writes the file itself; after that it transfers again only when the master's SOA serial has increased, either because the master sent a NOTIFY after a reload or because the zone's refresh timer expired. Two consequences follow. Edit zones only on the master, bump the serial every time and reload (rndc reload or systemctl reload named-chroot); a restart without a serial change does not push anything. And the master selects the view for the slave's transfer request by the slave's source address, 172.16.0.56, which is in none of the three ACLs, so with the configuration exactly as shown the master refuses the transfers (the slave logs "transfer of 'ayunw.cn/IN' from 172.16.0.55#53: failed while receiving responses: REFUSED"); with a catch-all last view it would transfer only that view's zone. The standard fix is one TSIG key per view: on the master list "key telecom-key;" in telecom_view's match-clients (and the same for the other two), and on the slave have the matching view sign its requests to the master with that key through a server statement, so the key rather than the address selects the view. Check the result with "dig @172.16.0.55 -b 172.16.0.56 ayunw.cn SOA +short" against "dig @172.16.0.56 ayunw.cn SOA +short" from a client in the telecom network: the serials must agree.
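The refresh rule in practice, as an added helper that is not part of the original article and not BIND code: it bumps the SOA serial of a zone file in the YYYYMMDDNN scheme and compares two serials with the wrap-around arithmetic of RFC 1982 that slaves use, so the edit-then-reload step can be scripted and the SOA serials reported by master and slave compared. The zone text embedded below is a constructed copy of the article's ayunw.cn.zone:

```python
"""
A slave re-transfers a zone only when the master's SOA serial is "newer" in the
serial-number arithmetic of RFC 1982, so every edit on the master must raise it.
Added helper, not part of the original article and not BIND code.
"""
import re
from datetime import date

# SOA <mname> <rname> ( <serial> ...  ; the first number after "(" is the serial
SERIAL_RE = re.compile(r"SOA\s+\S+\s+\S+\s*\(\s*(\d+)", re.IGNORECASE)
SERIAL_BITS = 32
SERIAL_MAX = 2 ** SERIAL_BITS - 1


def serial_newer(candidate, current):
    """True if candidate is greater than current in RFC 1982 arithmetic, which
    wraps at 2^32: candidate must lie in the half-ring after current."""
    if candidate == current:
        return False
    diff = (candidate - current) % (2 ** SERIAL_BITS)
    return 0 < diff < 2 ** (SERIAL_BITS - 1)


def _as_date(today):
    if today is None:
        return date.today()
    if isinstance(today, str):              # "2021-11-02"
        return date.fromisoformat(today)
    return today


def next_serial(current, today=None):
    """YYYYMMDDNN scheme: the first serial of the day ends in 01 and later edits the
    same day increment NN. If current is already at or past today's base (clock
    skew, NN already 99, or a legacy 9-digit serial as in the article) fall back to
    current + 1 so the serial still rises and the slave still transfers."""
    base = int(_as_date(today).strftime("%Y%m%d")) * 100 + 1
    new = base if base > current else current + 1
    if new > SERIAL_MAX:
        raise ValueError("serial would exceed 32 bits; reset it with the RFC 1982 two-step")
    return new


def bump_zone_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial) for a zone file's SOA."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(1))
    new = next_serial(old, today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new


# Constructed copy of the article's ayunw.cn.zone (sample input, not real data)
SAMPLE_ZONE = """$TTL 86400
@   IN  SOA ayunw.cn. root.ayunw.cn. (
            202111011   ; serial
            1H          ; refresh
            15M         ; retry
            1W          ; expiry
            1D )        ; minimum

@   IN  NS  ns1.ayunw.cn.
@   IN  NS  ns2.ayunw.cn.
ns1 IN  A   172.16.0.55
ns2 IN  A   172.16.0.56
www IN  A   172.16.0.58
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, "2021-11-02")
    print(f"serial {old} -> {new}; slave will transfer: {serial_newer(new, old)}")
    print(text)
```

Wire it into the master's edit procedure: bump, named-checkzone, then rndc reload; the slave's log should show the transfer within seconds of the NOTIFY.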

Testing resolution

I used three test machines with intranet addresses 172.16.10.1, 172.16.20.1 and 172.16.30.1, pointed each at 172.16.0.55, and resolved www.ayunw.cn, web.iyunw.cn and allen.allenjol.cn from the matching network. All three resolve normally, and the aa flag in each answer shows the record came from the zone in that client's view rather than from the forwarders.

  $ dig -t A www.ayunw.cn

  ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A www.ayunw.cn
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
  ;; QUESTION SECTION:
  ;www.ayunw.cn.                 IN      A

  ;; ANSWER SECTION:
  www.ayunw.cn.           86400   IN      A       172.16.0.58

  ;; AUTHORITY SECTION:
  ayunw.cn.               86400   IN      NS      ns2.ayunw.cn.
  ayunw.cn.               86400   IN      NS      ns1.ayunw.cn.

  ;; ADDITIONAL SECTION:
  ns1.ayunw.cn.           86400   IN      A       172.16.0.55
  ns2.ayunw.cn.           86400   IN      A       172.16.0.56

  ;; Query time: 0 msec
  ;; SERVER: 172.16.0.55#53(172.16.0.55)
  ;; WHEN: Tue Oct 26 09:50:40 CST 2021
  ;; MSG SIZE  rcvd: 161

  $ dig -t A web.iyunw.cn

  ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A web.iyunw.cn
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
  ;; QUESTION SECTION:
  ;web.iyunw.cn.                 IN      A

  ;; ANSWER SECTION:
  web.iyunw.cn.           86400   IN      A       172.16.0.59

  ;; AUTHORITY SECTION:
  iyunw.cn.               86400   IN      NS      ns2.iyunw.cn.
  iyunw.cn.               86400   IN      NS      ns1.iyunw.cn.

  ;; ADDITIONAL SECTION:
  ns1.iyunw.cn.           86400   IN      A       172.16.0.55
  ns2.iyunw.cn.           86400   IN      A       172.16.0.56

  ;; Query time: 0 msec
  ;; SERVER: 172.16.0.55#53(172.16.0.55)
  ;; WHEN: Tue Oct 26 09:50:40 CST 2021
  ;; MSG SIZE  rcvd: 161

  $ dig -t A allen.allenjol.cn

  ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t A allen.allenjol.cn
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40756
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1232
  ; COOKIE: e48c8996a6469b8d51d96afb61775ef045fa019e7ef2c4d6 (good)
  ;; QUESTION SECTION:
  ;allen.allenjol.cn.            IN      A

  ;; ANSWER SECTION:
  allen.allenjol.cn.      86400   IN      A       172.16.0.60

  ;; AUTHORITY SECTION:
  allenjol.cn.            86400   IN      NS      ns2.allenjol.cn.
  allenjol.cn.            86400   IN      NS      ns1.allenjol.cn.

  ;; ADDITIONAL SECTION:
  ns1.allenjol.cn.        86400   IN      A       172.16.0.55
  ns2.allenjol.cn.        86400   IN      A       172.16.0.56

  ;; Query time: 0 msec
  ;; SERVER: 172.16.0.55#53(172.16.0.55)
  ;; WHEN: Tue Oct 26 09:50:40 CST 2021
  ;; MSG SIZE  rcvd: 161

If you have a spare machine, put it on a network outside 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 and query any name from the three zones: its address matches no view, so named answers REFUSED and no A record comes back.

Likewise, if 172.16.10.1 asks for web.iyunw.cn or allen.allenjol.cn it does not get the intranet record. That client lands in telecom_view, which is not authoritative for iyunw.cn or allenjol.cn, and because recursion is enabled in every view named forwards the query to 223.5.5.5/223.6.6.6 and returns whatever the public DNS says about those names (NXDOMAIN, or a public address if the domain exists outside). That is the effect of smart DNS implemented with acl + view, and also the reason to keep an eye on query.log: a client in the wrong view leaks intranet names to the forwarders instead of being refused, which usually means a host is on an unexpected network or an ACL is wrong.
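One way to confirm from query.log which view each client landed in, and to spot clients that ask for another view's zone, as an added Python example that is not part of the original article. The log lines are constructed in the BIND 9.11 query-log format produced by the logging block above (print-time, print-category and print-severity on); the view-to-zone map mirrors the three include files:

```python
"""
Audit of a BIND 9.11 query log written with print-time, print-category and
print-severity enabled: count queries per view and flag clients whose view is not
authoritative for the name they asked for. Added example, not part of the article;
the sample lines are constructed, not real log output.
"""
import re
from collections import Counter

# "<date> <time> queries: info: client @0x<ptr> <ip>#<port> (<qname>): view <view>:
#  query: <qname> <class> <type> <flags> (<local address>)"; the @0x<ptr> part is optional
QUERY_RE = re.compile(
    r"^(?P<time>\S+ \S+) queries: \S+: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>\S+): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
    r"(?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)

# Zones each view is authoritative for, from the article's include files
VIEW_ZONES = {
    "telecom_view": ("ayunw.cn",),
    "unicom_view": ("iyunw.cn",),
    "mobile_view": ("allenjol.cn",),
}
ALL_ZONES = tuple(z for zones in VIEW_ZONES.values() for z in zones)


def in_zone(name, zone):
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def parse_query(line):
    """Fields of one query-log line as a dict, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Return (queries per view, leaks). A leak is a query for one of the intranet
    zones from a client whose view does not carry that zone: named does not refuse
    it but recurses to the forwarders, so the name goes upstream and the client
    receives the public answer instead of the intranet record."""
    per_view = Counter()
    leaks = []
    for line in lines:
        q = parse_query(line)
        if not q:
            continue
        per_view[q["view"]] += 1
        for zone in ALL_ZONES:
            if in_zone(q["name"], zone) and zone not in VIEW_ZONES.get(q["view"], ()):
                leaks.append((q["ip"], q["view"], q["name"], zone))
    return per_view, leaks


# Constructed sample log (not real output); the fourth line is a client in the
# telecom network asking for a unicom-only name
SAMPLE_LOG = """\
26-Oct-2021 09:50:40.101 queries: info: client @0x7f3c1c0a2d10 172.16.10.1#53281 (www.ayunw.cn): view telecom_view: query: www.ayunw.cn IN A +E(0)K (172.16.0.55)
26-Oct-2021 09:50:41.220 queries: info: client @0x7f3c1c0a2d10 172.16.20.1#41002 (web.iyunw.cn): view unicom_view: query: web.iyunw.cn IN A +E(0)K (172.16.0.55)
26-Oct-2021 09:50:42.530 queries: info: client @0x7f3c1c0a3e20 172.16.30.1#60111 (allen.allenjol.cn): view mobile_view: query: allen.allenjol.cn IN A +E(0)K (172.16.0.55)
26-Oct-2021 09:50:43.004 queries: info: client @0x7f3c1c0a3e20 172.16.10.1#53290 (web.iyunw.cn): view telecom_view: query: web.iyunw.cn IN A + (172.16.0.55)
26-Oct-2021 09:50:44.777 queries: info: client @0x7f3c1c0a4f30 172.16.10.7#5353 (www.baidu.com): view telecom_view: query: www.baidu.com IN A +E(0) (172.16.0.55)
this line is not a query log entry
"""

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOG.splitlines())
    for view, n in sorted(counts.items()):
        print(f"{view:14s} {n} queries")
    for ip, view, name, zone in leaks:
        print(f"LEAK: {ip} in {view} asked for {name} (zone {zone} belongs to another view)")
```

Run it against the real file with `audit(open("/var/named/chroot/data/log/named/query.log"))`; a steady stream of leaks from one address is the quickest sign that a host is on the wrong network or that an ACL prefix is wrong.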
