BIND9 +LDZ+MYSQL构建企业DNS智能解析
实验环境:VMware workstation 10
centos 6.4
DNS服务器在工作时的文件存储方式有文件和数据库两种,而因为前者的一些 方面的弊端,所以就有了bind的DLZ概念
DLZ概念:动态的可加载区域,其主要做用是减少内存的占用和启动时常,而且它是bind 9系列的一个补丁,它会允许你将区域数据存储在数据库中,而且会让文件立即生效而无需重新加载,所以你可以将他理解成一个动态的加载区域,
DNS的智能解析
以对于中国的门户网站sian来说,我们之所以他们的访问速度如此之快,是因为我们只是访问了他们的地区区域缓存服务器(cache server),而位于不同地址的缓存的服务器地址肯定是不同的,那么这个时候用到的域名是相同的,得到的地址确是不同的,这个时候用到的就是DNS智能解析。应用这种大型环境的又叫CDN网络(内容分发网络)
第一步,安装MySQL;
我们下载的是一个绿色软件包,所以直接展开就可以了
在展开的路径下,我们可以看到一个关于MySQL的一个比较长得目录,那么为了访问的方便我们可以先做一个符号链接
创建一个组
创建一个用户(应为系统账号,属于MySQL组,用户名为MySQL)目的为创建一个MySQL服务的运行者身份
之后进行一些数据库的文件准备及配置启动工作,如下:
[root@localhost mysql]# scripts/mysql_install_db --user=mysql
[root@localhost mysql]#cp support-files/mysql.server /etc/init.d/mysqld
[root@localhost mysql]# chmod a+x /etc/init.d/mysqld
[root@localhost mysql]# chgrp -R mysql .
[root@localhost mysql]# chown -R mysql .
[root@localhost mysql]# scripts/mysql_install_db --user=mysql
[root@localhost mysql]# ll -R data
data:
total 29700
data/performance_schema:
total 208
data/test:
total 0
[root@localhost mysql]# chown -R root .
[root@localhost mysql]# chown -R mysql data
[root@localhost mysql]# service mysqld start
Starting MySQL.. [ OK ]
[root@localhost mysql]# netstat -tupln|grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3942/mysqld
[root@localhost mysql]# vim /etc/init.d/mysqld
在MySQL成功启动后,我们可以用chkconfig将它加入系统的启动程序中,而至于能不能就则要看/etc/init.d/mysqld的文件有没有具体的描述了,如图有,那么加入
接下来的工作是确保MySQL下的文件夹能够被系统调用,比如那些库文件,man手册,头文件链接等,这些具体可以参考源代码安装篇的具体细节,而在此因为我们要用到/bin下的文件(MySQL命令执行,如MySQLadmin)因为我们需要这些必要得命令,所以我们要将/bin文件加到系统里面去,而其它的一些我们可以等到系统提示时再做处理:
[root@localhost mysql]# chkconfig --add mysqld
[root@localhost mysql]# chkconfig mysqld on
[root@localhost mysql]# ll
total 76
drwxr-xr-x. 2 root mysql 4096 Jan 18 00:25 bin
-rw-r--r--. 1 root mysql 17987 Jul 14 2011 COPYING
drwxr-xr-x. 5 mysql mysql 4096 Jan 18 01:30 data
drwxr-xr-x. 2 root mysql 4096 Jan 18 00:26 docs
drwxr-xr-x. 3 root mysql 4096 Jan 18 00:25 include
-rw-r--r--. 1 root mysql 7604 Jul 14 2011 INSTALL-BINARY
drwxr-xr-x. 3 root mysql 4096 Jan 18 00:26 lib
drwxr-xr-x. 4 root mysql 4096 Jan 18 00:25 man
drwxr-xr-x. 10 root mysql 4096 Jan 18 00:25 mysql-test
-rw-r--r--. 1 root mysql 2552 Jul 14 2011 README
drwxr-xr-x. 2 root mysql 4096 Jan 18 00:25 scripts
drwxr-xr-x. 27 root mysql 4096 Jan 18 00:25 share
drwxr-xr-x. 4 root mysql 4096 Jan 18 00:26 sql-bench
drwxr-xr-x. 2 root mysql 4096 Jan 18 00:26 support-files
[root@localhost ~]#cd /usr/local/src/
[root@localhost src]# ll
total 4
drwxrwxr-x. 12 10132 wheel 4096 Oct 16 08:09 bind-9.8.6-P1
配置bind
[root@localhost ~]#tar -zxvf bind-9.8.6-P1.tar.gz -C /usr/local/src/
[root@localhost src]# cd ./bind-9.8.6-P1/
[root@localhost bind-9.8.6-P1]# ./configure --prefix=/usr/local/bind9 --with-dlz-mysql=/usr/local/mysql --enable-threads=no --disable-openssl-version-check
那么怎样将bind数据放到数据库中,首先我们需要一个MySQL的驱动,它可以实现bind和MySQL的捆绑,而我们在拿到bind的源代码之后,只需要在配置编译时用命令指明其路径即可,例如:--with-dlz-mysql=/path/to/files 相当于指明了我们的bind已经有了MySQL驱动,而无需将区域数据放到区域文件中去了
但是这种MySQL驱动会有一个限制,他会使用线程(thread)的方式来实现本地的存储,这就使MySQL会要求每一个线程都会去执行线程的初始化,而这对DLZ驱动可能是非常不安全的,这个额外的限制问题是由MySQL造成的,而非DLZ api,所以我们在配置的时候可以用命令:--enable-threads=no来限制或禁用线程,
checking whether byte ordering is bigendian... no
checking for OpenSSL library... configure: error: OpenSSL was not found in any of /usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw; use --with-openssl=/path
If you don't want OpenSSL, use --without-openssl
[root@localhost bind-9.8.6-P1]# yum --disablerepo=\* --enablerepo=c6-media list all |grep openssl
[root@localhost bind-9.8.6-P1]# ./configure --prefix=/usr/local/bind9 --with-dlz-mysql=/usr/local/mysql --enable-threads=no --disable-openssl-version-check
[root@localhost bind-9.8.6-P1]# make && make install
[root@localhost bind-9.8.6-P1]# cd
[root@localhost ~]# cd /usr/local/bind9/sbin/
当我们进入/sbin目录下时会看到两个重要的文件,我们要基于rndc-confgen产生一个rndc的钥匙文件和dns服务器的named的配置文件,bin下主要是我们的一些测试工具
所以我们直接执行是不行的,必须要将内容重新输出重定向到相应的文件中去;如图:
[root@localhost ~]# cd /usr/local/bind9/sbin/
[root@localhost sbin]# ./rndc-confgen -a //1.产生钥匙文件;
wrote key file "/usr/local/bind9/etc/rndc.key"
[root@localhost bind9]# cd ./etc
[root@localhost etc]# ll
total 12
-rw-r--r--. 1 root root 2389 Jan 18 02:23 bind.keys
-rw-r--r--. 1 root root 479 Jan 18 02:46 named.conf
-rw-------. 1 root root 77 Jan 18 02:44 rndc.key
[root@localhost etc]# vim ./named.conf
# Start of rndc.conf
acl "lan" {
192.168.1.0/24
};
acl "wan" {
61.130.130.0/24
};
key "rndc-key" {
algorithm hmac-md5;
secret "xrulcCUOzzmFOsbc8D8tTA==";
};
options {
directory "/usr/local/bind9/etc/";
pid-file "/usr/local/bind9/var/run/named.pid";
allow-query { any; };
recursion no;
version "gaint-d1";
};
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "xrulcCUOzzmFOsbc8D8tTA==";
# };
#
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
view "lan-view" {
match-clients {lan;};
dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=mydata ssl=false user=root pass=123}
{select zone from lan_dns_records where zone='$zone$'}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
else data end from lan_dns_records where zone='$zone$' and host='$record$'}";
};
};
view "wan-view" {
match-clients {wan;};
dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=mydata ssl=false user=root pass=123}
{select zone from wan_dns_records where zone='$zone$'}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
else data end from wan_dns_records where zone='$zone$' and host='$record$'}";
};
};
在修改过dns的option文件后,在配置文件中还有一个重要的区域文件,而在这些区域文件中view 视图正式我们实现智能解析的所需要的,所谓视图就是从不同的角度来看,我们得到不同的内容,而这正是智能解析的概念,而且这样养的视图需要两个(上面的配置文本就是,图片只是视图部分)
[root@localhost mysql]# service mysqld restart
Shutting down MySQL. [ OK ]
Starting MySQL.. [ OK ]
[root@localhost mysql]# mysql -u root -p
Enter password:
mysql>
mysql>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.00 sec)
mysql> create database mydata;
Query OK, 1 row affected (0.04 sec)
mysql> use mydata;
Database changed
mysql> create table lan_dns_records (
-> zone varchar (255),
-> host varchar (255),
-> type varchar (255),
-> data varchar (255),
-> ttl int(11),
-> mx_priority varchar (255),
-> refresh int(11),
-> retry int(11),
-> expire int(11),
-> minimum int(11),
-> serial bigint(20),
-> resp_person varchar (255),
-> primary_ns varchar (255)
-> );
Query OK, 0 rows affected (0.09 sec)
mysql> create table wan_dns_records (
-> zone varchar (255),
-> host varchar (255),
-> type varchar (255),
-> data varchar (255),
-> ttl int(11),
-> mx_priority varchar (255),
-> refresh int(11),
-> retry int(11),
-> expire int(11),
-> minimum int(11),
-> serial bigint(20),
-> resp_person varchar (255),
-> primary_ns varchar (255)
-> );
Query OK, 0 rows affected (0.32 sec)
mysql> insert into lan_dns_records (zone,host,type,data,ttl,retry) values ('cde.com','www','A','192.168.1.177','86400','15');
Query OK, 1 row affected (0.03 sec)
mysql> insert into wan_dns_records (zone,host,type,data,ttl,retry) values ('cde.com','www','A','61.130.130.1','86400','15');
Query OK, 1 row affected (0.00 sec)
mysql> \q
bye
[root@localhost log]# netstat -tupln |grep 53
tcp 0 0 192.168.1.188:53 0.0.0.0:* LISTEN 22554/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 22554/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 22554/named
udp 0 0 192.168.1.188:53 0.0.0.0:* 22554/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 22554/named
[root@localhost log]# cd /usr/local/bind9/bin
[root@localhost bin]# ll
total 20304
-rwxr-xr-x. 1 root root 5219731 Jan 18 02:23 dig
-rwxr-xr-x. 1 root root 5200059 Jan 18 02:23 host
-rwxr-xr-x. 1 root root 3185 Jan 18 02:23 isc-config.sh
-rwxr-xr-x. 1 root root 5201005 Jan 18 02:23 nslookup
-rwxr-xr-x. 1 root root 5159231 Jan 18 02:23 nsupdate
当我们在/usr/local/bind9/sbin下执行named.conf 的时候会发现有一个共享库缺失的提示,那我们就要去安装这个库文件
方法在如下目录下创建一个随意的.conf文件
然后将内容写为以下的指向方式,内容为 /usr/local/mysql/lib
[root@localhost mysql]# vim /etc/profile
[root@localhost mysql]# . /etc/profile #方便系统调用
[root@localhost mysql]# cd
[root@localhost ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
mysql> \q
Bye
[root@localhost ~]# mysqladmin -u root -p password '123'
Enter password:
然后就是进行lan视图的测试:
[root@localhost bin]# dig www.cde.com @192.168.1.188
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> www.cde.com @192.168.1.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.cde.com.INA
;; ANSWER SECTION:
www.cde.com.86400INA192.168.1.177
;; Query time: 81 msec
;; SERVER: 192.168.1.188#53(192.168.1.188)
;; WHEN: Sat Jan 18 05:12:03 2014
;; MSG SIZE rcvd: 45
然后利用防火墙模拟外部主机进行地址的解析:
[H3C]int eth0/0
[H3C-Ethernet0/0]ip add 192.168.1.1 24
[H3C-Ethernet0/0]int eth0/4
[H3C-Ethernet0/4]ip add 61.130.130.1 24
[H3C-Ethernet0/4]q
[H3C]firewall zone trust
[H3C-zone-trust]add int eth0/0
The interface has been added to trust security zone.
[H3C-zone-trust]q
[H3C]firewall zone untrust
[H3C-zone-untrust]add int eth0/4
[H3C-zone-untrust]q
[H3C]undo insulate
[H3C]int eth0/4
[H3C-Ethernet0/4]nat server pro udp ?
global Specify global information
[H3C-Ethernet0/4]nat server pro udp gl
[H3C-Ethernet0/4]nat server pro udp global 61.130.130.1 ?
<0-65535> Port number of the server
any Any protocol (0)
biff Mail notify (512)
bootpc Bootstrap Protocol Client (68)
bootps Bootstrap Protocol Server (67)
discard Discard (9)
dns Domain Name Service (53)
dnsix DNSIX Security Attribute Token Map (90)
echo Echo (7)
inside Specify local server information
mobileip-ag MobileIP-Agent (434)
mobileip-mn MobilIP-MN (435)
nameserver Host Name Server (42)
netbios-dgm NETBIOS Datagram Service (138)
netbios-ns NETBIOS Name Service (137)
netbios-ssn NETBIOS Session Service (139)
ntp Network Time Protocol (123)
rip Routing Information Protocol (520)
snmp SNMP (161)
snmptrap SNMPTRAP (162)
sunrpc SUN Remote Procedure Call (111)
syslog Syslog (514)
tacacs-ds TACACS-Database Service (65)
talk Talk (517)
Ethernet0/4]nat server pro udp global 61.130.130.1 53 inside 192.168.1.188 53
[H3C-Ethernet0/4]
[H3C-Ethernet0/4]语句意为指定一个内部的dns解析服务器的地址,告诉防火墙dns的解析地址
[H3C-Ethernet0/4]
结果如图所示:
转载于:https://blog.51cto.com/blackhwak/1352815
4202
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
