OpenResty 代理 Bind 主从服务

操作系统

IP

服务

CentOS9

192.168.8.33

Bind(主)

CentOS9

192.168.8.32

Bind(从)

CentOS9

192.168.8.31

OpenResty 代理

CentOS9

192.168.8.30

OpenResty 代理

 配置前先进行系统初始化: 本文为简化演示关闭了 firewalld、selinux、iptables。生产环境建议保留防火墙, 只放行 53/udp 与 53/tcp(区域传送和较大的响应走 TCP), rndc 使用的 953/tcp 保持仅本机监听(见下面 ss 输出中的 127.0.0.1:953)。

安装bind,bind-utils

yum -y install bind bind-utils

[root@dns-master32 ~]# yum -y install bind bind-utils

[root@dns-master-32 ~]# 
[root@dns-master-32 ~]# which named-checkconf 
/usr/sbin/named-checkconf
[root@dns-master-32 ~]# rpm -qf `which named-checkconf`
bind-9.16.23-14.el9.x86_64
[root@dns-master32 ~]# named-checkconf  //检测bind配置语法
[root@dns-master32 ~]# systemctl start named //启动bind服务
[root@dns-master32 ~]# ss -tulanp | grep named  //查看bind服务的监听端口
udp   UNCONN    0      0          127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=39))                     
udp   UNCONN    0      0          127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=41))                     
udp   UNCONN    0      0          127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=40))                     
udp   UNCONN    0      0          127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=38))                     
udp   UNCONN    0      0              [::1]:53              [::]:*     users:(("named",pid=1976,fd=52))                     
udp   UNCONN    0      0              [::1]:53              [::]:*     users:(("named",pid=1976,fd=53))                     
udp   UNCONN    0      0              [::1]:53              [::]:*     users:(("named",pid=1976,fd=51))                     
udp   UNCONN    0      0              [::1]:53              [::]:*     users:(("named",pid=1976,fd=50))                     
tcp   LISTEN    0      4096       127.0.0.1:953          0.0.0.0:*     users:(("named",pid=1976,fd=37))                     
tcp   LISTEN    0      10         127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=42))                     
tcp   LISTEN    0      10         127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=48))                     
tcp   LISTEN    0      10         127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=43))                     
tcp   LISTEN    0      10         127.0.0.1:53           0.0.0.0:*     users:(("named",pid=1976,fd=44))                     
tcp   LISTEN    0      10             [::1]:53              [::]:*     users:(("named",pid=1976,fd=56))                     
tcp   LISTEN    0      10             [::1]:53              [::]:*     users:(("named",pid=1976,fd=57))                     
tcp   LISTEN    0      10             [::1]:53              [::]:*     users:(("named",pid=1976,fd=55))                     
tcp   LISTEN    0      10             [::1]:53              [::]:*     users:(("named",pid=1976,fd=54))                     
tcp   LISTEN    0      4096           [::1]:953             [::]:*     users:(("named",pid=1976,fd=58)) 

##编辑bind配置文件  添加以下内容(注意: 上面 ss 的输出显示 named 默认只监听 127.0.0.1, 还需要把 options 里的 listen-on 改为 `listen-on port 53 { 127.0.0.1; 192.168.8.32; };`, 并让 allow-query 放行 192.168.8.0/24, 可参考下文从服务器的 options 写法, 否则从服务器无法向主服务器发起区域传送)

[root@dns-master32 named]# vim /etc/named.conf 
zone "yrw.com" IN {
type master;
file "yrw.com.zone";
also-notify{ 192.168.8.192; };
allow-transfer{192.168.8.192; };
allow-update{ none; };
notify yes;

};

 ##创建域名区域文件,并添加以下内容

[root@dns-master32 named]# touch yrw.com.zone  
[root@dns-master32 named]# chown -R named. yrw.com.zone ##将区域文件的属主和属组改为 named, 让 named 进程能够读取(这不是提权)

[root@dns-master-32 named]# cat yrw.com.zone 
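$TTL 7200
; SOA MNAME must be the primary name server's hostname (RFC 1035), not the zone
; apex; BIND also skips the MNAME host when sending NOTIFY.
; Zone-file comments start with ";" - a "//" comment here is a syntax error.
yrw.com.		IN	SOA	ns1.yrw.com.	admin.yrw.com. (
				2024012310	; serial (YYYYMMDDnn): increment on every edit,
						; otherwise secondaries will not pull the change
				1H		; refresh
				10M		; retry
				1W		; expire
				1D )		; negative-cache TTL

yrw.com.		IN	NS	ns1.yrw.com.
yrw.com.		IN	NS	ns2.yrw.com.
; NOTE(review): the dig answer and the secondary's copy shown later on this page
; give ns1/ns2 and www as 192.168.8.32 / 192.168.8.33 - confirm which addresses
; are current before publishing.
ns1.yrw.com.		IN	A	192.168.8.190
ns2.yrw.com.		IN	A	192.168.8.191

www.yrw.com.		IN	A	192.168.8.190
www.yrw.com.		IN	A	192.168.8.191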

##检查语法

##检查主配置文件:named-checkconf

##检查区域配置文件:named-checkzone  yrw.com  yrw.com.zone

##修改区域配置文件的属主和属组

[root@dns-master32 named]# named-checkzone yrw.com yrw.com.zone

zone yrw.com/IN: loaded serial 222

OK
[root@dns-master32 named]# systemctl reload named

使用dig命令查看是否解析成功

[root@dns-master-32 named]# dig www.yrw.com @192.168.8.32

; <<>> DiG 9.16.23-RH <<>> www.yrw.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38699
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c1c4c0410189ea880100000065af211b8086d21a4609880b (good)
;; QUESTION SECTION:
;www.yrw.com.			IN	A

;; ANSWER SECTION:
www.yrw.com.		7200	IN	A	192.168.8.32
www.yrw.com.		7200	IN	A	192.168.8.33

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 23 10:14:51 CST 2024
;; MSG SIZE  rcvd: 100

上面修改的配置都是主的bind配置,配置完成后开始配置从的配置

[root@bind-slave33 ~]# cat /etc/named.conf 
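//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Role on this host: secondary (slave) for yrw.com, pulling the zone from
// 192.168.8.32.

options {
	// Loopback plus this host's LAN address, so the master's NOTIFY and the
	// LAN clients / OpenResty proxy can reach it.
	listen-on port 53 { 127.0.0.1; 192.168.8.33;};
	listen-on-v6 port 53 { ::1; };
	directory	"/var/named";
	dump-file	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	// Queries accepted from localhost and the LAN only.
	allow-query     { localhost; 192.168.8.0/24; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	// NOTE(review): this host is authoritative for yrw.com, and the comment
	// above says an authoritative server should not also recurse. As written,
	// recursion is available to everything allow-query permits (the whole /24).
	// If LAN clients really need a resolver here, consider at least
	// "allow-recursion { localhost; };" or a separate recursive instance -
	// confirm the intended role.
	recursion yes;

	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";
	geoip-directory "/usr/share/GeoIP";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "yrw.com" IN {
	type slave;
	file "slaves/yrw.com.zone";
	masters { 192.168.8.32; }; // address of the primary (master) server
	// Nothing downstream pulls the zone from this secondary; without this
	// line BIND's default is to allow AXFR from any client.
	allow-transfer { none; };
	masterfile-format text;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";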

[root@bind-slave33 ~]# 

只需配置这个即可,配置完成后重启 named 服务,查看 /var/named/slaves 下区域文件是否已经同步过来

[root@bind-slave33 ~]# ll /var/named/slaves/
总用量 4
-rw-r--r-- 1 named named 444  1月 23 16:09 yrw.com.zone
[root@bind-slave33 ~]# cat /var/named/slaves/yrw.com.zone 
$ORIGIN .
$TTL 7200	; 2 hours
yrw.com			IN SOA	yrw.com. admin.yrw.com. (
				2024012313 ; serial
				3600       ; refresh (1 hour)
				600        ; retry (10 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	ns1.yrw.com.
			NS	ns2.yrw.com.
$ORIGIN yrw.com.
ftp			A	192.168.8.3
			A	192.168.8.4
			A	192.168.8.5
			A	192.168.8.6
ns1			A	192.168.8.32
ns2			A	192.168.8.33
www			A	192.168.8.1
			A	192.168.8.2
[root@bind-slave33 ~]# 

然后配置 OpenResty 代理

注意: 编译安装时需要带上 stream 模块(--with-stream), 否则 nginx.conf 中的 stream 块无法加载

[root@dns-master32~]# cat /usr/local/openresty/nginx/conf/nginx.conf
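# The stream block is a top-level block (a sibling of http, not inside it).
stream {
    # Both authoritative BIND servers - master 192.168.8.32 and slave
    # 192.168.8.33 - on the standard DNS port.
    # NOTE(review): originally written as 192.168.8.193:32 / 192.168.8.142:33;
    # 32 and 33 are not DNS ports, so the host octet and port appear swapped.
    upstream bind-ms {
        server 192.168.8.32:53;
        server 192.168.8.33:53;
    }

    server {
        # DNS uses UDP for ordinary queries and falls back to TCP for
        # truncated answers (and zone transfers), so proxy both.
        listen 53 udp;
        listen 53;
        proxy_pass bind-ms;
        # Each UDP query expects exactly one datagram back; without this nginx
        # keeps every UDP session open until proxy_timeout expires.
        proxy_responses 1;
        proxy_timeout 120s;
        error_log logs/proxy-bind-error.log error;
    }
}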

修改 /etc/resolv.conf, 将 nameserver 指向 OpenResty 代理

[root@dns-master32~]# vim /etc/resolv.conf
# Generated by NetworkManager
# NOTE(review): NetworkManager regenerates this file, so hand edits here are
# lost on the next network restart; set the servers via nmcli (ipv4.dns) if
# they must persist.

#nameserver 114.114.114.114

# NOTE(review): the host table on this page lists the OpenResty proxies as
# 192.168.8.31 / 192.168.8.30; the two entries below point at the BIND servers
# directly and bypass the proxy - confirm which is intended.
nameserver 192.168.8.32

nameserver 192.168.8.33

最后重新启动 OpenResty 服务
