Self-hosted DNS service (k8s study, part 2)
Notes from setting up a k8s cluster while studying Kubernetes.
Installing Bind
dns0-50 is the host I reserved for the DNS service, so bind is installed only on that machine.
BIND (Berkeley Internet Name Domain) is open-source software that implements a DNS server. It provides forward and reverse resolution, forwarding, subdomain delegation, views and more; it is the most widely used DNS server software in the world, and more than half of the DNS servers on the Internet are built with BIND.
yum install -y bind
Check the version:
[root@dns0-50 ~]# named -v
BIND 9.11.20-RedHat-9.11.20-5.el8 (Extended Support Version) <id:f3d1d66>
Install the usual tools:
yum install -y wget
yum install -y net-tools
yum install -y telnet
yum install -y tree
yum install -y nmap
yum install -y sysstat
yum install -y lrzsz
yum install -y dos2unix
yum install -y bind-utils
yum install -y vim
yum install -y less
Configuring Bind
[root@dns0-50 ~]# vim /etc/named.conf
Edit the configuration. The lines marked "changed" and "added" are the edits; everything else is the stock RHEL file. Two points to know before copying it: with recursion yes and allow-query { any; } but no allow-recursion statement, BIND derives the recursion ACL from allow-query, so every client that can reach the listener gets recursive service (fine on an isolated lab segment, otherwise restrict it with an allow-recursion ACL covering only your subnets); and dnssec-validation no means answers relayed by the forwarder are accepted without any DNSSEC validation.
options {
        listen-on port 53 { 192.168.0.50; };   # changed: listen only on the DNS host's LAN address
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };              # changed: answer any client that reaches the listener
        forwarders      { 192.168.0.1; };      # added: hand everything we are not authoritative for to the router

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;       # changed
        dnssec-validation no;   # changed: answers from the forwarder are no longer validated

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Check that the configuration parses (no output means no errors):
named-checkconf
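named-checkconf only tells you the file is syntactically valid; it says nothing about whether the combination of settings is safe. The settings that matter most in the options block above are recursion and the query ACLs, and their interaction is easy to miss: BIND takes the recursion ACL from allow-recursion, then allow-query-cache, then allow-query, so recursion yes together with allow-query { any; } opens recursion to every client that can reach the listener. The script below is an added example written for this post (it is not BIND tooling and not the author's code). It parses the options block of a named.conf and reports that condition, a missing listen-on-v6 (the reason the netstat output further down shows named bound to :::53) and disabled DNSSEC validation. Both configuration strings are constructed inline: LAB_NAMED_CONF is a condensed copy of the file edited above, HARDENED_NAMED_CONF is a hypothetical tightened version, and all function and variable names are the example's own.

```python
"""Audit the security-relevant options in a BIND named.conf.

Added example for this post, not BIND's own tooling. It reads the
options { } block only, accepts the three comment styles BIND allows
(//, # and /* */), and assumes the block's closing "};" starts its own
line, as in the stock RHEL file.
"""
import re

# Constructed inline: a condensed copy of the options block edited above.
LAB_NAMED_CONF = """
options {
        listen-on port 53 { 192.168.0.50; };   # changed
        directory "/var/named";
        allow-query     { any; };              # changed
        forwarders { 192.168.0.1; };           # added
        /* the stock warning about recursion and amplification goes here */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};
zone "." IN { type hint; file "named.ca"; };
"""

# Hypothetical tightened variant (not from the original page): recursion is
# limited to the lab subnet, IPv6 is closed, DNSSEC validation stays on.
HARDENED_NAMED_CONF = """
options {
        listen-on port 53 { 192.168.0.50; };
        listen-on-v6 port 53 { none; };
        directory "/var/named";
        allow-query     { 192.168.0.0/24; localhost; };
        allow-recursion { 192.168.0.0/24; localhost; };
        forwarders { 192.168.0.1; };
        recursion yes;
        dnssec-validation yes;
};
"""

# statement name, optional bare arguments, optional { item; item; }, then ';'
STMT = re.compile(r"([A-Za-z][\w-]*)\s*([^;{}]*?)\s*(?:\{([^}]*)\}\s*)?;")


def strip_comments(text):
    """Remove /* */ blocks first, then // and # comments to end of line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_options(conf):
    """Return {statement: (arguments, [brace items])} for the options block."""
    m = re.search(r"\boptions\s*\{(.*?)\n\};", strip_comments(conf), flags=re.S)
    if not m:
        raise ValueError("no options { } block found")
    opts = {}
    for name, args, braces in STMT.findall(m.group(1)):
        opts[name] = (args.strip(), [v.strip() for v in braces.split(";") if v.strip()])
    return opts


def recursion_acl(opts):
    """Effective recursion ACL. BIND 9 falls back allow-recursion ->
    allow-query-cache -> allow-query -> localnets; localhost, which is why
    allow-query { any; } on its own opens recursion to everyone."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key][1]
    return ["localnets", "localhost"]


def audit(opts):
    """Return [(code, explanation)] for the conditions worth fixing."""
    findings = []
    # recursion defaults to yes when the statement is absent
    if opts.get("recursion", ("yes", []))[0].lower() == "yes" and "any" in recursion_acl(opts):
        findings.append(("open-recursion",
                         "recursion is on and the effective recursion ACL is 'any': every "
                         "address that reaches the listener gets recursive service; add "
                         "allow-recursion { <your subnets>; }"))
    if "listen-on" in opts and "listen-on-v6" not in opts:
        findings.append(("no-listen-on-v6",
                         "listen-on restricts IPv4 but no listen-on-v6 is set, so named also "
                         "binds :::53 (compare the netstat output); add listen-on-v6 { none; } "
                         "or an explicit address"))
    if opts.get("dnssec-validation", ("yes", []))[0].lower() == "no":
        findings.append(("dnssec-validation-off",
                         "DNSSEC validation is off: tampered answers relayed by the forwarder "
                         "are accepted as-is"))
    return findings


if __name__ == "__main__":
    for label, conf in (("lab", LAB_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit(parse_options(conf)) or "no findings")
```

Run it as a script to see the lab config produce three findings and the hardened one none; to audit a real server, pass the contents of /etc/named.conf to parse_options. The parser deliberately ignores everything outside options { }, so view-specific ACLs and zone-level allow-update statements are out of its scope.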
Adding the zones
vim /etc/named.rfc1912.zones
# Add the following. allow-update restricted to a source address only guards against
# accidents: a UDP update with a forged 192.168.0.50 source would still be applied,
# so outside an isolated lab authenticate updates with a TSIG key instead.
zone "host.com" IN {
        type master;
        file "host.com.zone";
        allow-update { 192.168.0.50; };
};
zone "gy.com" IN {
        type master;
        file "gy.com.zone";
        allow-update { 192.168.0.50; };
};
Edit /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600        ; 10 minutes (default TTL; everything after a semicolon is a comment)
@               IN SOA  dns.host.com. dnsadmin.host.com. (
                                2021022101 ; serial (increase it on every edit; secondaries only pull a new copy when it grows)
                                10800      ; refresh (3 hours)   SOA parameters
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.host.com.
$TTL 60 ; 1 minute
dns                A    192.168.0.50
sh0-20             A    192.168.0.20
sh0-21             A    192.168.0.21
sh0-30             A    192.168.0.30
sh0-31             A    192.168.0.31
Edit /var/named/gy.com.zone
$ORIGIN gy.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.gy.com. dnsadmin.gy.com. (
                                2021022101 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.gy.com.
$TTL 60 ; 1 minute
dns                A    192.168.0.50
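Two things the zone files above rely on but never spell out: a line that starts with whitespace inherits the previous owner name (that is how the bare NS line attaches to @), and secondaries only transfer a zone when its SOA serial grows, so the YYYYMMDDnn serial has to be bumped on every edit. The following is an added example written for this post (not BIND code and not the author's). It parses host.com.zone, reconstructed inline as HOST_COM_ZONE with two of the hosts dropped, expands owner names against $ORIGIN, checks the apex SOA and NS records and in-zone NS glue, and rewrites the serial; gy.com.zone parses the same way. All function names are the example's own.

```python
"""Parse, lint and re-serial the zone files used in this post. Added example,
not part of BIND or of the original post; it handles only the master-file
subset used above ($ORIGIN, $TTL, a parenthesised SOA, continuation lines
with a blank owner, the IN class, A and NS records)."""
import re
from datetime import date

# Constructed inline: host.com.zone as shown above, with two hosts dropped
# to keep the example short; gy.com.zone parses the same way.
HOST_COM_ZONE = """\
$ORIGIN host.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.host.com. dnsadmin.host.com. (
                                2021022101 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.host.com.
$TTL 60 ; 1 minute
dns                A    192.168.0.50
sh0-20             A    192.168.0.20
sh0-31             A    192.168.0.31
"""

def _fqdn(name, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Drop ';' comments and join '(' ... ')' continuations into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf))       # buf[0] keeps its leading whitespace
            buf = []
    return out

def parse_zone(text):
    """Return {"origin": name, "records": [(owner, ttl, type, rdata)]}."""
    origin, ttl, owner, records = None, None, None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])
            continue
        if line[0] not in " \t":            # blank owner means the previous owner
            owner = _fqdn(tokens.pop(0), origin)
        rttl = ttl
        if tokens[0].isdigit():             # optional per-record TTL
            rttl = int(tokens.pop(0))
        if tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        records.append((owner, rttl, tokens[0].upper(), " ".join(tokens[1:])))
    return {"origin": origin, "records": records}

def lookup(zone, name, rtype):
    """All rdata strings for name/type; name may be relative or '@'."""
    name = _fqdn(name, zone["origin"])
    return [r[3] for r in zone["records"] if r[0] == name and r[2] == rtype]

def lint(zone):
    """Sanity checks worth running before named-checkzone and a reload."""
    apex, problems = zone["origin"], []
    soa = lookup(zone, apex, "SOA")
    if len(soa) != 1:
        problems.append(f"{apex}: expected exactly one SOA, found {len(soa)}")
    ns = lookup(zone, apex, "NS")
    if not ns:
        problems.append(f"{apex}: no NS record at the apex")
    for target in ns:                       # an in-zone NS needs an address record
        if target.endswith("." + apex) and not lookup(zone, target, "A"):
            problems.append(f"{apex}: NS {target} is in-zone but has no A record")
    return problems

def bump_serial(serial, today=None):
    """Next YYYYMMDDnn serial: old + 1 or today's YYYYMMDD01, whichever is larger."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    return max(serial + 1, int(today.strftime("%Y%m%d")) * 100 + 1)

def bump_zone_text(text, today=None):
    """Return (new zone text, new serial) with the SOA serial rewritten in place."""
    old = int(lookup(parse_zone(text), "@", "SOA")[0].split()[2])
    new = bump_serial(old, today)
    return re.sub(rf"\b{old}\b", str(new), text, count=1), new
```

Typical use is lint(parse_zone(open(path).read())) before editing and bump_zone_text(...) afterwards, writing the returned text back; named-checkzone host.com /var/named/host.com.zone remains the authoritative check before named reloads the file.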
Check the configuration: named-checkconf (this only parses named.conf; run named-checkzone on each zone file as well, because a zone that fails to load leaves that domain unanswered while named itself starts normally).
Start the bind service: systemctl start named
Check the listening ports: netstat -luntp | grep 53. The tcp6/udp6 entries bound to :::53 show that named is also listening on every IPv6 address: the configuration above has no listen-on-v6 statement, so the IPv4-only listen-on restriction is not complete until a matching listen-on-v6 entry is added.
tcp 0 0 192.168.0.50:53 0.0.0.0:* LISTEN 27121/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 27121/named
tcp6 0 0 :::53 :::* LISTEN 27121/named
tcp6 0 0 ::1:953 :::* LISTEN 27121/named
udp 0 0 192.168.0.50:53 0.0.0.0:* 27121/named
udp6 0 0 :::53 :::* 27121/named
Point the other hosts at this DNS server, for example on sh0-20:
vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.0.20
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS1=192.168.0.50
Then test with ping:
[root@sh0-20 ~]# ping sh0-31
PING sh0-31.host.com (192.168.0.31) 56(84) bytes of data.
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=1 ttl=64 time=0.970 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=2 ttl=64 time=0.646 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=3 ttl=64 time=0.715 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=4 ttl=64 time=0.752 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=5 ttl=64 time=0.814 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=6 ttl=64 time=0.555 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=7 ttl=64 time=0.687 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=8 ttl=64 time=0.713 ms
64 bytes from 192.168.0.31 (192.168.0.31): icmp_seq=9 ttl=64 time=0.666 ms
If short hostnames do not resolve
vim /etc/resolv.conf
Add the line search host.com at the top. If NetworkManager regenerates resolv.conf from the ifcfg file, set DOMAIN=host.com there instead, otherwise the edit is lost on the next restart.