Project background: For high availability, public and private cloud deployments often span several architectures, such as "two sites, three data centres". Instance nodes in different regions need to resolve the same domain name to a local A record (or to the CNAME of a cloud product), and the resolution itself must stay highly available. This article implements that with the BIND name service (named) using views. CoreDNS, popular in container and Kubernetes environments, is also a good choice.
Design principles
An ECS instance in Zhangjiakou first reads its local cache (Dnsmasq), then the Zhangjiakou DNS servers, and finally the Hangzhou DNS servers. ECS instances in Hangzhou do the mirror image. Clients outside Zhangjiakou and Hangzhou also have to use the self-built DNS: they can be pointed at either the Zhangjiakou or the Hangzhou servers, where they are answered from the default view.
Adding an A record therefore means writing it twice: a record for the Zhangjiakou region goes into the Zhangjiakou view and into the default view of the Zhangjiakou DNS servers; the same applies, mirrored, in Hangzhou. As a result the default view on each side holds different A records, so a third-party client chooses its region simply by choosing which servers it queries.
Experimental environment
- Create the private network (VPC)
Following the initial design, in the Aliyun console:
Private Network -> Create Private Network -> choose the recommended 10.0.0.0/8 CIDR block
The address plan is as follows:
Zhangjiakou Availability Zone A 10.1.0.0/16
Zhangjiakou Availability Zone B 10.2.0.0/16
Hangzhou Availability Zone H 10.3.0.0/16
Hangzhou Availability Zone F 10.4.0.0/16
- Add routing entries and create the Express Connect channel
Add routing entries with 10.3.0.0/16 and 10.4.0.0/16 as destination CIDR blocks (the Hangzhou VPC needs the mirror-image entries for 10.1.0.0/16 and 10.2.0.0/16 so that traffic flows both ways).
Private Network -> Routing Table -> Add Routing Entry -> Next Hop Type -> Router Interface (VPC connection direction) -> Private Network -> Create VPC Interconnection
Choose the local region (Hangzhou) and the peer region (Zhangjiakou), select a bandwidth value, and click Buy.
- DNS server planning
DNS server addresses (one per availability zone):
10.1.0.100
10.2.0.100
10.3.0.100
10.4.0.100
The client's region is determined from its source IP (network segment), and the answer comes from the corresponding view, so the same name resolves to the region-local record value.
Installation
BIND is compiled from source here for the following reasons:
- The bind version in the CentOS 7 repo is relatively old; newer releases carry security fixes.
- libxml2 is required for the statistics channel that bind_exporter scrapes later.
- Custom directory layout

```bash
#!/usr/bin/env bash
yum install libxml2-devel python-ply -y
wget -c ftp://ftp.isc.org/isc/bind9/9.11.9/bind-9.11.9.tar.gz -O bind.tar.gz
tar xf bind.tar.gz
cd bind-9.11.9
./configure --prefix=/opt/soft/named \
    --sbindir=/opt/soft/named/sbin/ \
    --bindir=/opt/soft/named/bin/ \
    CFLAGS="-g -fPIC" --enable-threads \
    --with-openssl=yes --with-libjson=no --with-libxml2=yes
make && make install

# Custom directory layout
## Configuration directory: zone configs, ACLs, TSIG keys, managed keys, logs
mkdir -p /etc/named/{acls,conf,data,keys,managed_keys,logs}
## Data directory: zone data and the idcnet ACL
mkdir -p /var/named/{acls,data}
## Directory for the options and logging fragments
mkdir -p /opt/soft/named/conf

## Start command (named is installed under /opt/soft/named, not /usr/sbin)
## /opt/soft/named/sbin/named -c /etc/named/named.conf -u named
## Adapt any unit or init file (e.g. /usr/lib/systemd/system/named.service)
## to this layout; in this experiment all files live under /etc/named.

# Unprivileged service account: no login shell, no home directory
groupadd -g 1000 named
useradd -u 1000 -g named -M -s /sbin/nologin named
# named must read its config and write zone files, journals, managed keys and logs.
# The binaries under /opt/soft/named/{bin,sbin} stay owned by root on purpose.
chown -R named:named /etc/named /var/named /opt/soft/named/conf /opt/soft/named/etc
```
Edit all configuration files
Edit the main configuration file with vim /etc/named/named.conf. The controls statement binds the rndc channel to this server's own address, so on the other three servers the inet address must be changed to 10.2.0.100, 10.3.0.100 or 10.4.0.100 respectively.

```
// For dns.sre.so
// The whole controlled address space (defines the idcnet ACL)
include "/var/named/acls/acl_sre_idc.conf";
// All TSIG keys
include "/etc/named/keys/transfer.key";
include "/opt/soft/named/etc/rndc.key";

controls {
    inet 10.1.0.100 port 953 allow { 10.0.0.0/8; } keys { "rndc-key"; };
};

// Global options
include "/opt/soft/named/conf/options.conf";
// All ACL files
include "/etc/named/conf/all_acls.conf";
// Logging
include "/opt/soft/named/etc/dns_logs.conf";

// Views are tried in order; the first match-clients list that matches wins.
// A request signed with a view's TSIG key is matched by the key element,
// everything else by source address.
view "view_hangzhou-cloud" {
    match-clients { key key_sreso_hangzhou-cloud; acl_hangzhou-cloud; };
    include "/etc/named/conf/hangzhou-cloud.conf";
};
view "view_zhangjiakou-cloud" {
    match-clients { key key_sreso_zhangjiakou-cloud; acl_zhangjiakou-cloud; };
    include "/etc/named/conf/zhangjiakou-cloud.conf";
};
view "view_default" {
    match-clients { key key_sreso_default; acl_default; any; };
    include "/etc/named/conf/default.conf";
};
```
Edit the named options file

```bash
cat >> /opt/soft/named/conf/options.conf << EOF
options {
    directory "/etc/named";
    minimal-responses yes;
    // Only the internal address space may recurse through or query this server
    allow-recursion { idcnet; };
    allow-query { idcnet; };
    // Zone transfers are allowed from the whole private range; tighten this to
    // the secondaries' addresses or a TSIG key once they are known
    allow-transfer { 10.0.0.0/8; };
    dnssec-enable yes;
    dnssec-validation yes;
    empty-zones-enable no;
    notify yes;
    managed-keys-directory "/etc/named/managed_keys";
};
EOF
```
Regional ACL file - Zhangjiakou
BIND evaluates an address match list in order and the first matching element decides, so a negated element is only effective if it appears before the broader prefix it carves out of. The DNS server addresses are therefore listed first; written after 10.1.0.0/16 and 10.2.0.0/16 they would never be reached.

```bash
cat >> /etc/named/acls/acl_zhangjiakou-cloud << EOF
// Carve-outs first (first match wins), then the region's own segments
acl acl_zhangjiakou-cloud {
    !10.1.0.100/32;
    !10.2.0.100/32;
    !10.3.0.100/32;
    !10.4.0.100/32;
    !10.3.0.0/16;
    !10.4.0.0/16;
    10.1.0.0/16;
    10.2.0.0/16;
};
EOF
```
Regional ACL file - Hangzhou

```bash
cat >> /etc/named/acls/acl_hangzhou-cloud << EOF
// Carve-outs first (first match wins), then the region's own segments
acl acl_hangzhou-cloud {
    !10.1.0.100/32;
    !10.2.0.100/32;
    !10.3.0.100/32;
    !10.4.0.100/32;
    !10.1.0.0/16;
    !10.2.0.0/16;
    10.3.0.0/16;
    10.4.0.0/16;
};
EOF
```
The default ACL file. Requests from third-party nodes that match neither regional ACL fall through to the default view; by controlling which of our servers a third party's downstream resolver forwards to, we choose whether it resolves to Zhangjiakou or Hangzhou records.
Note that an ACL containing only negated entries never produces a positive match: BIND treats a negative match inside a nested ACL as "no match" and moves on to the next element of the view's match-clients list, so it is the trailing `any;` in view_default that actually admits clients. If the DNS server addresses really must be kept out of the default view, the negated entries have to be written directly in match-clients, before `any;`.

```bash
cat >> /etc/named/acls/acl_default << EOF
// Documents the intent; see the note above on how BIND evaluates it
acl acl_default {
    !10.1.0.100/32;
    !10.2.0.100/32;
    !10.3.0.100/32;
    !10.4.0.100/32;
};
EOF
```
File that includes all ACL files

```bash
cat >> /etc/named/conf/all_acls.conf << EOF
include "/etc/named/acls/acl_hangzhou-cloud";
include "/etc/named/acls/acl_zhangjiakou-cloud";
include "/etc/named/acls/acl_default";
EOF
```
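To see how BIND really evaluates the three ACL files and the view order above, here is an added Python model (example code, not part of the original article or of BIND) of the address-match-list rules from the BIND 9 ARM. The ACL contents and the match-clients lists are taken from this page; the client addresses 10.1.5.5, 10.3.7.7 and 192.0.2.10 are constructed test inputs. It runs the ACLs both as originally written (positive prefixes first) and with the negations moved to the front.

```python
"""Model of BIND address-match-list evaluation, used to check the view/ACL design.

Rules modelled from the BIND 9 ARM ("Address Match Lists"):
  * the list is walked in order and the first element that matches decides, so a
    narrower element must precede the broader one it is meant to carve out of;
  * a '!' element that matches yields a negative match (the client is rejected);
  * a negative match produced inside a nested ACL is treated by the outer list
    as "no match", and evaluation continues with the outer list's next element;
  * 'key <name>' matches only a request signed with that TSIG key;
  * a view is selected by the first match-clients list that yields a positive match.
"""
import ipaddress


def match_element(element, client_ip, signer, acls):
    """+1 positive match, -1 negated match, 0 no match for one list element."""
    negated = element.startswith("!")
    body = element[1:].strip() if negated else element
    if body.startswith("key "):
        hit = signer == body.split(None, 1)[1]
    elif body == "any":
        hit = True
    elif body == "none":
        hit = False
    elif body in acls:
        hit = match_list(acls[body], client_ip, signer, acls) > 0  # nested ACL
    else:
        hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(body, strict=False)
    if not hit:
        return 0
    return -1 if negated else 1


def match_list(elements, client_ip, signer, acls):
    """First match wins; 0 means the list did not mention this client at all."""
    for element in elements:
        result = match_element(element, client_ip, signer, acls)
        if result:
            return result
    return 0


def select_view(views, client_ip, signer, acls):
    """views: ordered [(view_name, match_clients)], as they appear in named.conf."""
    for name, match_clients in views:
        if match_list(match_clients, client_ip, signer, acls) > 0:
            return name
    return None  # no view matched: named refuses the query


def negations_first(elements):
    """Reorder an ACL so every '!' carve-out precedes the broader positive prefixes."""
    return [e for e in elements if e.startswith("!")] + [e for e in elements if not e.startswith("!")]


DNS_SERVERS = ["!10.1.0.100/32", "!10.2.0.100/32", "!10.3.0.100/32", "!10.4.0.100/32"]

# The ACL files as written on this page (positive prefixes first).
ORIGINAL_ACLS = {
    "acl_zhangjiakou-cloud": ["10.1.0.0/16", "10.2.0.0/16", "!10.3.0.0/16", "!10.4.0.0/16"] + DNS_SERVERS,
    "acl_hangzhou-cloud": ["10.3.0.0/16", "10.4.0.0/16", "!10.1.0.0/16", "!10.2.0.0/16"] + DNS_SERVERS,
    "acl_default": list(DNS_SERVERS),
}
FIXED_ACLS = {name: negations_first(acl) for name, acl in ORIGINAL_ACLS.items()}

# match-clients of the three views, in named.conf order.
VIEWS = [
    ("view_hangzhou-cloud", ["key key_sreso_hangzhou-cloud", "acl_hangzhou-cloud"]),
    ("view_zhangjiakou-cloud", ["key key_sreso_zhangjiakou-cloud", "acl_zhangjiakou-cloud"]),
    ("view_default", ["key key_sreso_default", "acl_default", "any"]),
]

if __name__ == "__main__":
    # Constructed test clients: an ordinary ECS per region, a third party, and a DNS server
    cases = [("10.1.5.5", None), ("10.3.7.7", None), ("192.0.2.10", None),
             ("10.1.0.100", None), ("10.1.0.100", "key_sreso_default")]
    for ip, key in cases:
        print(f"{ip:<12} signer={key!s:<26} original={select_view(VIEWS, ip, key, ORIGINAL_ACLS)!s:<24}"
              f" fixed={select_view(VIEWS, ip, key, FIXED_ACLS)}")
```

With the ACLs as originally ordered, 10.1.0.100 lands in view_zhangjiakou-cloud because 10.1.0.0/16 matches before its negation is ever reached, and an update signed with key_sreso_default from that address is then refused, since that view's allow-update only accepts the Zhangjiakou key. With the negations first, the server addresses fall through to view_default, which still admits them via `any;`. The model also shows that a TSIG key in a later view cannot override an earlier view's address match: if keys are meant to steer view selection regardless of source address, each view's match-clients has to start with `!key` entries for the other views' keys.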
Edit the per-view zone configuration files
Each view carries its own copy of sre.so with its own zone file and accepts dynamic updates only when they are signed with that view's TSIG key. The hint zone is repeated per view because recursion is enabled and zones are not shared across views.
- Zhangjiakou view

```bash
cat >> /etc/named/conf/zhangjiakou-cloud.conf << EOF
zone "." in {
    type hint;
    file "/etc/named/data/named.root";
};
zone "sre.so." in {
    type master;
    allow-update { key key_sreso_zhangjiakou-cloud; };
    file "/var/named/data/zone_sreso_zhangjiakou-cloud";
};
EOF
```

- Third-party (default) view

```bash
cat >> /etc/named/conf/default.conf << EOF
zone "." in {
    type hint;
    file "/etc/named/data/named.root";
};
zone "sre.so." in {
    type master;
    allow-update { key key_sreso_default; };
    file "/var/named/data/zone_sreso_default";
};
EOF
```

- Hangzhou view

```bash
cat >> /etc/named/conf/hangzhou-cloud.conf << EOF
zone "." in {
    type hint;
    file "/etc/named/data/named.root";
};
zone "sre.so." in {
    type master;
    allow-update { key key_sreso_hangzhou-cloud; };
    file "/var/named/data/zone_sreso_hangzhou-cloud";
};
EOF
```
- Create the base zone data for sre.so
The three per-view zone files must be named exactly as the "file" statements in the view configs reference them, otherwise the zone fails to load and every query in that view returns SERVFAIL. The SOA MNAME is ns1.sre.so., the host the NS record points at; nsupdate uses MNAME to locate the primary when a batch contains no server line. Keep in mind that the $INCLUDE indirection only lasts until the first dynamic update: named rewrites a dynamically updated zone as a flat file, after which the three copies are independent (which is what the design wants) and the shared file is no longer consulted. Bump the SOA serial whenever you edit a zone file by hand.

```bash
# Shared base records; each view's zone file pulls them in via $INCLUDE
cat >> /var/named/data/zone_sre.so << EOF
sre.so.      600 IN SOA ns1.sre.so. root.sre.so. 2019012805 28800 14400 3600000 86400
sre.so.      600 IN NS  ns1.sre.so.
ns1.sre.so.  600 IN A   10.1.0.100
EOF
# File names match the "file" statements in the view configs above
cat >> /var/named/data/zone_sreso_default << EOF
\$INCLUDE /var/named/data/zone_sre.so
EOF
cat >> /var/named/data/zone_sreso_zhangjiakou-cloud << EOF
\$INCLUDE /var/named/data/zone_sre.so
EOF
cat >> /var/named/data/zone_sreso_hangzhou-cloud << EOF
\$INCLUDE /var/named/data/zone_sre.so
EOF
```
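The "write the record twice" rule from the design section, with the per-view allow-update keys configured above, comes down to sending two TSIG-signed nsupdate batches to the regional server. The following is an added Python helper (example code, not the article's tooling) that plans those two writes. Assumptions not taken from the page: each TSIG key is stored in its own file in named.conf key-statement syntax as /etc/named/keys/<key name>.conf, and nsupdate is run on the regional DNS server itself so that the request reaches named from 127.0.0.1; the record www -> 10.1.9.9 is a constructed example.

```python
"""Plan the two nsupdate writes that one regional A record requires.

Each regional DNS server holds two writable copies of sre.so: the regional view
(allow-update with the regional key) and the default view (allow-update with
key_sreso_default). Adding a record for a region means updating both.
"""
import ipaddress

ZONE = "sre.so."
DEFAULT_KEY = "key_sreso_default"
# region -> (key accepted by that view's allow-update, VPC segments of the region)
REGIONS = {
    "zhangjiakou-cloud": ("key_sreso_zhangjiakou-cloud", ["10.1.0.0/16", "10.2.0.0/16"]),
    "hangzhou-cloud": ("key_sreso_hangzhou-cloud", ["10.3.0.0/16", "10.4.0.0/16"]),
}


def to_fqdn(hostname):
    """'www', 'www.sre.so' or 'www.sre.so.' all become 'www.sre.so.'"""
    label = hostname.rstrip(".")
    if not label.endswith("." + ZONE.rstrip(".")):
        label = f"{label}.{ZONE.rstrip('.')}"
    return label + "."


def nsupdate_batch(fqdn, ip, ttl=600, server="127.0.0.1"):
    """stdin for nsupdate: replace the whole A RRset of fqdn with one address.

    Delete-then-add in a single 'send' is applied atomically by named, so a
    client never observes the name with no A record.
    """
    return "\n".join([
        f"server {server}",
        f"zone {ZONE}",
        f"update delete {fqdn} A",
        f"update add {fqdn} {ttl} A {ip}",
        "send",
        "",
    ])


def plan_a_record(region, hostname, ip, ttl=600):
    """Return [(tsig key name, nsupdate command, batch)] for writing hostname -> ip.

    The same batch is sent twice to the regional server: signed with the regional
    key it lands in the regional view, signed with the default key it lands in
    that server's default view. The address must lie inside the region's own VPC
    segments (a guard added here, not a rule stated on the page).
    """
    region_key, segments = REGIONS[region]
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(seg) for seg in segments):
        raise ValueError(f"{ip} is outside {region} ({', '.join(segments)})")
    fqdn = to_fqdn(hostname)
    batch = nsupdate_batch(fqdn, ip, ttl)
    # Assumed key file layout: one named.conf-style key statement per file
    return [(key, f"nsupdate -k /etc/named/keys/{key}.conf", batch)
            for key in (region_key, DEFAULT_KEY)]


if __name__ == "__main__":
    for key, cmd, batch in plan_a_record("zhangjiakou-cloud", "www", "10.1.9.9"):
        print(f"# {cmd} <<'EOF'\n{batch}EOF\n")
```

Running both batches on the DNS server and sending them to 127.0.0.1 matters: 127.0.0.1 matches neither regional ACL, so each request is steered to its view purely by the key element at the head of match-clients. Sent from an ordinary ECS inside 10.1.0.0/16, the default-key batch would instead be matched to view_zhangjiakou-cloud by source address and refused, because that view's allow-update only accepts key_sreso_zhangjiakou-cloud. The key name inside the -k file must be the name named knows (key_sreso_...); a mismatch is rejected with BADKEY.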
Define the address ranges allowed to query the name service

```bash
cat >> /var/named/acls/acl_sre_idc.conf << EOF
acl idcnet {
    127.0.0.1/32;
    10.0.0.0/8;
    // Shared address space (RFC 6598), used by Aliyun internal services
    100.64.0.0/10;
};
EOF
```
About named.root
Configure the root server addresses for the hint zone referenced in the view configs.
named.root defines the root zone hints for named. It is an important file: it contains the names and IP addresses of the Internet root servers. When BIND receives a query it cannot answer from its own zones or its cache, it resolves the name iteratively starting from these root servers. Root server addresses do change occasionally, so named.root should be refreshed from time to time.
The current list is published by InterNIC as named.root:

```bash
wget ftp://ftp.rs.internic.net/domain/named.root -O /etc/named/data/named.root
```
Configure the TSIG key files
Two caveats before generating keys. First, hmac-md5 is deprecated; on 9.11 `tsig-keygen -a hmac-sha256 key_sreso_default` prints a ready-to-include key statement with a strong algorithm, which also avoids the awk step below. Second, the TSIG key name is part of the signature: clients must sign with exactly the name the server's key statement uses. The files generated below are named sreso_* while transfer.key names the keys key_sreso_*, so pointing nsupdate -k at the generated .private file would be rejected with BADKEY; use a key-statement-format file with the key_sreso_* name instead. The secrets shown here were generated for this experiment and are public now; regenerate your own.

```bash
mkdir -p /etc/named/keys/keys
cd /etc/named/keys/keys
# Generate HMAC-MD5 TSIG keys (algorithm number 157 appears in the file names)
/opt/soft/named/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST sreso_hangzhou-cloud
/opt/soft/named/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST sreso_zhangjiakou-cloud
/opt/soft/named/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST sreso_default
ls -l
# -rw------- 1 root root 122 Sep  9 12:01 Ksreso_default.+157+30426.key
# -rw------- 1 root root 229 Sep  9 12:01 Ksreso_default.+157+30426.private
# -rw------- 1 root root 129 Sep  9 12:01 Ksreso_hangzhou-cloud.+157+62698.key
# -rw------- 1 root root 229 Sep  9 12:01 Ksreso_hangzhou-cloud.+157+62698.private
# -rw------- 1 root root 132 Sep  9 12:01 Ksreso_zhangjiakou-cloud.+157+33044.key
# -rw------- 1 root root 229 Sep  9 12:01 Ksreso_zhangjiakou-cloud.+157+33044.private

# Extract the secrets from the .key files; the base64 is split over fields 7 and 8
cat *.key | awk '{print $1,$7$8}'
# sreso_default. pmQxnGDDZofmZvL99m98XW15XEmo4BXpMxmJ+ofHwR+4tZYTSCki9lSBtocG4WAxSMHdA4+sZQJ9OJK2gZl4lw==
# sreso_hangzhou-cloud. bhfhzRSQ7/zm7QfEUCWL/Dz0seOikzO9hEPfkAFExvof3y3NrHgYp3tA9aSBHeubo/6DmrN7JYbCviJLaKzGQQ==
# sreso_zhangjiakou-cloud. Hptbq3F+4/QJtXhgh781Wdjw/piAiQco+x6gogkKCRPQCTcizhcEwdJqnU+2J2MzMhNYaGszx1sYxA5WI55/8w==

# Write transfer.key; each secret field takes the string printed above for that key
cat >> /etc/named/keys/transfer.key << EOF
key "key_sreso_zhangjiakou-cloud" {
    algorithm hmac-md5;
    secret "Hptbq3F+4/QJtXhgh781Wdjw/piAiQco+x6gogkKCRPQCTcizhcEwdJqnU+2J2MzMhNYaGszx1sYxA5WI55/8w==";
};
key "key_sreso_hangzhou-cloud" {
    algorithm hmac-md5;
    secret "bhfhzRSQ7/zm7QfEUCWL/Dz0seOikzO9hEPfkAFExvof3y3NrHgYp3tA9aSBHeubo/6DmrN7JYbCviJLaKzGQQ==";
};
key "key_sreso_default" {
    algorithm hmac-md5;
    secret "pmQxnGDDZofmZvL99m98XW15XEmo4BXpMxmJ+ofHwR+4tZYTSCki9lSBtocG4WAxSMHdA4+sZQJ9OJK2gZl4lw==";
};
EOF
# The file holds shared secrets: readable only by root and the named process
chown root:named /etc/named/keys/transfer.key
chmod 0640 /etc/named/keys/transfer.key
```
Edit the rndc configuration file
rndc is named's control channel (TCP port 953). It is not limited to the local machine: the controls statement above binds it to 10.1.0.100 and allows clients from 10.0.0.0/8, which requires port 953 to be open in the host firewall; if it is only ever used locally, bind it to 127.0.0.1 instead and nothing needs opening. rndc is mainly used to reload configuration and zones: after changing named.conf or a zone file, `rndc reload` picks up the change without restarting named.

```bash
/opt/soft/named/sbin/rndc-confgen > /opt/soft/named/etc/rndc.key
```

rndc-confgen prints a key statement followed by an options block (and a commented-out controls block). Delete everything except the key "rndc-key" statement so the file can be included from named.conf:

```
# Remove this block from rndc.key:
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# named's side of the channel is the controls statement in named.conf:
controls {
    inet 10.1.0.100 port 953 allow { 10.0.0.0/8; } keys { "rndc-key"; };
};
```

The file carries a shared secret and must not be world-readable: mode 0640 owned root:named (or 0600 owned by the named user), so that only root and the named process can read it. Also note that because controls listens only on 10.1.0.100, a plain `rndc status` on the server (which defaults to 127.0.0.1) fails to connect; either add `inet 127.0.0.1` to controls or call rndc with `-s 10.1.0.100`. On the other three servers the inet address must be that server's own address.
The full logging reference is at https://kb.isc.org/docs/aa-01526. The queries category logs every query and grows quickly; keep it on a separate channel as below so it can be rotated or disabled independently.

```bash
# Logging configuration
cat >> /opt/soft/named/etc/dns_logs.conf << EOF
logging {
    channel "named_log" {
        file "/etc/named/logs/named.log" versions 3 size 30M;
        print-category yes;
        print-time yes;
        severity info;
    };
    channel "client_log" {
        file "/etc/named/logs/client.log" versions 3 size 20M;
        print-category yes;
        print-time yes;
        severity info;
    };
    channel "update_log" {
        file "/etc/named/logs/update.log" versions 5 size 1G;
        print-category yes;
        print-time yes;
        severity info;
    };
    // zone load errors, security events and everything unlisted land here
    category default { named_log; };
    // per-query log; high volume
    category queries { client_log; };
    category client  { client_log; };
    // every dynamic update, i.e. every record change made through TSIG keys
    category update  { update_log; };
};
EOF
```
Edit the startup script
Create /etc/rc.d/init.d/named with vim and make it executable (chmod 755). The status action talks to rndc without -s, so it only works if controls also listens on 127.0.0.1.

```bash
#!/bin/sh
#
# Startup script for the DNS naming server
#
# chkconfig: - 49 50
# description: This script starts your DNS naming server
# processname: named

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

named=/opt/soft/named/sbin/named
[ -f $named ] || exit 0

OPTIONS="-c /etc/named/named.conf -u named"
RETVAL=0

# See how we were called.
case "$1" in
  start)
        if [ $UID -ne 0 ] ; then
            echo "User has insufficient privilege."
            exit 4
        fi
        echo -n "Starting named: "
        daemon $named $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ]
        ;;
  stop)
        if test "x`pgrep named`" != x; then
            echo -n "Shutting down named: "
            killproc named
        fi
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ]
        ;;
  status)
        # rndc defaults to 127.0.0.1; add -s <this server's controls address>
        # if controls is bound to the 10.x address only
        /opt/soft/named/sbin/rndc -k /opt/soft/named/etc/rndc.key status
        RETVAL=$?
        ;;
  reload)
        if test "x`pgrep named`" != x; then
            echo -n "Reloading named: "
            killproc named -HUP
        fi
        RETVAL=$?
        echo
        ;;
  restart)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 2
esac

exit $RETVAL
```
Q&A
How to debug named
Validate the configuration first with named-checkconf (with -z it also loads every zone file, which catches the file-name and syntax errors that otherwise show up as SERVFAIL) and individual zone files with named-checkzone; then run named in the foreground with debug output on stderr:

```bash
# -g: stay in the foreground and log to stderr; -d 3: debug level 3
/opt/soft/named/sbin/named -c /etc/named/named.conf -g -d 3
```

How to enable start on boot

```bash
chkconfig --add named
chkconfig named on
service named start
systemctl status named
```
Verification

```
dig ns1.sre.so @10.1.0.100

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> ns1.sre.so @10.1.0.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.sre.so.            IN  A

;; Query time: 0 msec
;; SERVER: 10.1.0.100#53(10.1.0.100)
;; WHEN: Thu Sep 12 15:15:12 CST 2019
;; MSG SIZE  rcvd: 39
```

This answer is not a success. status: SERVFAIL for a name inside our own zone means the sre.so zone failed to load in the view that matched the client (a 10.x source lands in one of the regional views). Look in /etc/named/logs/named.log for the zone load error, confirm that the file names referenced in the view configs exist under /var/named/data with the same spelling, and re-run named-checkconf -z. A healthy server returns status: NOERROR with `ns1.sre.so. 600 IN A 10.1.0.100` in the ANSWER SECTION; repeat the query from an address in each of the four segments and from outside them to verify that every view answers.