All servers in this deployment are virtual machines running CentOS 7.3.
| Server | IP address |
|---|---|
| DNS clients | all class A addresses |
| DNS-BIND-1 | 10.20.121.179 |
| DNS-BIND-2 | 10.20.121.184 |
| DNS-VIP | 10.20.120.150 |
| DNS-LVS-primary | 10.20.121.187 |
| DNS-LVS-backup | 10.20.121.157 |
[Architecture topology diagram]
The LVS deployed here runs in DR mode with the RR (round robin) scheduling algorithm: when a client sends a DNS query, LVS dispatches it in turn to each real server, and the DNS server that handles the query answers the client directly.
In LVS (TUN) mode a tunnel has to be set up between the LVS director and each real server, which also adds load on the servers. Like LVS (TUN), DR mode, also called direct routing mode, has the architecture shown in Figure 4. In this mode LVS still only handles inbound requests and picks a suitable real server according to the scheduling algorithm; the backend real server is then responsible for sending the response packets back to the client. Unlike tunnel mode, direct routing (DR) mode requires the director and the backend servers to be on the same LAN, and the VIP address must be shared between the director and all backend servers, because when a real server finally replies to the client it has to set the source IP to the VIP and the destination IP to the client's IP. The client thus sends to the director's VIP and the reply comes back from that same VIP (the VIP on the real server), so the client cannot tell that backend servers exist.

Since several machines carry the same VIP, DR mode requires the director's VIP to be externally visible, so that clients send their request packets to the director host, while the VIP on every real server must be configured on a non-ARP network device, i.e. a device that does not advertise its MAC address and the corresponding IP. The real servers' VIP is invisible to the outside, yet a real server can accept requests addressed to the VIP and set the source address of its reply to that VIP. After the director picks a real server according to the algorithm, it leaves the packet unchanged, rewrites the frame's destination MAC address to that of the chosen real server, and forwards the frame through the switch to the real server. Throughout the process the real servers' VIP never needs to be visible externally.
Image quoted from the original post: https://blog.csdn.net/weixin_40470303/java/article/details/80541639
The round-robin (RR) scheduling algorithm dispatches requests to the different servers in cyclic order; its main characteristic is that it is simple to implement. Round robin assumes every server has the same capacity to handle requests, so the director distributes all requests evenly across the real servers.
Copyright notice: the quoted article is an original work by CSDN blogger "chenhuyang", licensed under CC 4.0 BY-SA; when reposting, include the original link and this notice.
Original link: https://blog.csdn.net/weixin_40470303/java/article/details/80541639
Building the DNS cluster
Install ntpdate on every server so that their clocks stay synchronized.
```bash
yum -y install ntpdate
echo "" >> /var/spool/cron/root
crontab -l > crontabtmp && echo "0 * * * * ntpdate cn.ntp.org.cn" >> crontabtmp && crontab crontabtmp && rm -f crontabtmp
```
Installing BIND
Install bind-chroot with yum; as the name says, this is BIND that can run inside a chroot, which is more secure.
```bash
yum -y install bind-chroot bind-utils net-tools initscripts
systemctl enable named-chroot
```
bind-utils is the set of DNS tools that ships with BIND, mainly dig, host, nslookup and nsupdate; they are used for name resolution and DNS debugging.
Editing the configuration file
This is the start of the primary DNS configuration. Below is named.conf; the default installation path is /etc/named.conf.
```
acl trusted {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    listen-on port 53 { 10.20.121.179; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { trusted; };
    allow-recursion { trusted; };
    forward first;
    forwarders {
        218.1.1.1;
        218.2.2.2;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "test.cn" IN {
    type master;
    file "/etc/named/test.cn.zone";
    allow-update { none; };
    allow-transfer { 10.20.121.184; };
    notify yes;
};

zone "test-fw.cn" IN {
    type forward;
    forwarders { 10.20.120.34; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Configuring the zone data file
```
cat /etc/named/test.cn.zone
$TTL 1D
@       IN SOA  dns1.test.cn. admin.test.cn. (
                2020070301  ; serial: bump it on every change so it stays larger than the
                            ; secondary's value; the field is 32-bit, so use YYYYMMDDnn
                            ; (a 12-digit YYYYMMDDHHMM stamp is rejected as out of range)
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
        NS      dns1.test.cn.
        NS      dns2.test.cn.
dns1    IN A    10.20.121.179
dns2    IN A    10.20.121.184
```
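The serial is the one field that decides whether the secondary configured below ever pulls a new copy of the zone, so here is an added example (not part of the original post) that reads the serial from zone text, checks that it fits the 32-bit field, and compares serials the way a secondary does, using RFC 1982 serial arithmetic. The zone text is constructed to mirror test.cn above.

```python
# Added example: SOA serial checks for the primary/secondary pair above.
# The serial is an unsigned 32-bit field compared with RFC 1982 arithmetic:
# a 12-digit YYYYMMDDHHMM stamp such as 202007031649 does not fit at all, and
# "larger" means "ahead by less than 2^31 modulo 2^32", not plain integer order.
import re

SERIAL_MOD = 2**32
HALF = 2**31

# Constructed zone text mirroring /etc/named/test.cn.zone (not captured output)
SAMPLE_ZONE = """\
$TTL 1D
@   IN SOA  dns1.test.cn. admin.test.cn. (
            2020070301  ; serial
            1D          ; refresh
            1H          ; retry
            1W          ; expire
            3H )        ; minimum
    NS  dns1.test.cn.
dns1    IN A    10.20.121.179
"""

def parse_soa_serial(zone_text: str) -> int:
    """Return the SOA serial: the first number after the SOA's opening '('.
    ';' comments are stripped first so a commented-out number is never picked up."""
    body = re.sub(r";[^\n]*", "", zone_text)
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", body)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))

def serial_fits(serial: int) -> bool:
    """named rejects a serial outside 0..2^32-1 with an 'out of range' error."""
    return 0 <= serial < SERIAL_MOD

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a > b when a is ahead of b by less than 2^31 (mod 2^32).
    Equal serials, or serials exactly 2^31 apart, are not 'greater'."""
    return a != b and (a - b) % SERIAL_MOD < HALF

def next_serial(current: int, today: str) -> int:
    """Next YYYYMMDDnn serial: same day -> nn+1, new day -> <today>01; if the
    current serial is already past that, fall back to current+1 (wrapping)."""
    candidate = current + 1 if str(current).startswith(today) else int(today + "01")
    if not serial_gt(candidate, current):
        candidate = (current + 1) % SERIAL_MOD
    return candidate

if __name__ == "__main__":
    primary = parse_soa_serial(SAMPLE_ZONE)
    print(primary, serial_fits(primary), serial_gt(primary, 2020070201))  # 2020070301 True True
    print(serial_fits(202007031649))                                      # False: overflows
    print(next_serial(primary, "20200703"), next_serial(primary, "20200704"))
```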
Building and configuring the secondary DNS server
The secondary is installed the same way as the primary; only the configuration file differs slightly, and no zone data file needs to be written by hand.
```
zone "test.cn" IN {
    type slave;                     # the secondary only needs this changed to slave
    masters { 10.20.121.179; };
    file "slaves/test.cn.zone";     # where the transferred zone data is stored
    allow-transfer { none; };       # do not serve transfers to other secondaries
};
```
LVS + keepalived
Load the ip_vs kernel module
```bash
modprobe ip_vs
```
Install ntp, ipvsadm, the build toolchain and so on
```bash
yum -y install ntpdate ipvsadm wget gcc gcc-c++ make popt-devel kernel-devel openssl-devel libnl3-devel
```
Install keepalived
```bash
curl -O https://www.keepalived.org/software/keepalived-2.1.3.tar.gz
tar -zxf keepalived-2.1.3.tar.gz
cd keepalived-2.1.3
./configure
make && make install
```
Make keepalived start at boot
```bash
cp keepalived/etc/init.d/keepalived /etc/init.d/    # the init script and binaries are in the source tree
cp keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived
cp bin/* /usr/bin/
systemctl enable keepalived
```
Copy the configuration file to the default directory: configure was run above with default options, so the configuration file has to be copied to /etc/keepalived/.
```bash
mkdir /etc/keepalived/
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
```
Edit the configuration file
```
! Configuration File for keepalived

global_defs {
    router_id LVS_DR01
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
```
The backup director is installed and configured almost exactly like the primary; only a few values in the configuration file change.
```
! Configuration File for keepalived

global_defs {
    router_id LVS_DR02
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
```
DNS server configuration
On each DNS server, create a file named lvsrs in /etc/init.d/ with the following content:
```
cat /etc/init.d/lvsrs
#!/bin/sh
# chkconfig: 2345 90 10
# description: LVS DirectorServer
VIP=10.20.120.150
. /etc/rc.d/init.d/functions
case "$1" in
start)
    echo "start LVS of DirectorServer"
    # bind the VIP on the loopback so the real server accepts packets addressed to it
    /sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
    # arp_ignore=1: only answer ARP for addresses on the receiving interface
    # arp_announce=2: never use the VIP as source in our own ARP requests
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    ;;
stop)
    /sbin/ifconfig lo:0 down
    echo "close LVS DirectorServer"
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
```
Make the file executable
```bash
chmod +x /etc/init.d/lvsrs
```
Enable the script at boot and start it
```bash
systemctl enable lvsrs
systemctl start lvsrs
```
Returning different answers depending on the client's source IP (the views feature of BIND 9+)
Configuring the primary/secondary DNS service with key authentication
```bash
# Generate the key with ddns-confgen, a tool that ships with BIND.
ddns-confgen -a hmac-md5
```
It prints a block like the following:
```
key "key-file" {
    algorithm hmac-md5;
    secret "zB3aHy***********HQQ==";
};
```
Run it once for every zone (view) you need to configure.
Final configuration files
Primary:
```
acl dnsserver { 10.20.121.184; 10.20.121.179; };
acl lan { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl wan { !"lan"; any; };

options {
    listen-on port 53 { 10.20.121.179; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-recursion { lan; };
    forward first;
    forwarders {
        202.101.172.35;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

key "key-lan" {
    algorithm hmac-md5;
    secret "zB3aHy**********rIHQQ==";
};
key "key-wan" {
    algorithm hmac-md5;
    secret "w1U**********FSh9SQ==";
};
key "key-none" {
    algorithm hmac-md5;
    secret "Whs+3iql**********wrfA==";
};

masters "dnsserver" { 10.20.121.184; 10.20.121.179; };

view "lan" {
    match-clients { key key-lan; "lan"; };
    server 10.20.121.179 { keys key-lan; };
    allow-transfer { key key-lan; };
    allow-notify { "dnsserver"; };
    also-notify { "dnsserver"; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.lan.zones";
    include "/etc/named.root.key";
};

view "wan" {
    match-clients { key key-wan; "wan"; };
    server 10.20.121.179 { keys key-wan; };
    allow-transfer { key key-wan; };
    allow-notify { "dnsserver"; };
    also-notify { "dnsserver"; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};
```
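Which view a request lands in is decided by the order of the elements in match-clients, and this matters for the secondary: it sits inside the lan range but signs its wan-view transfers with key-wan. The following added example (editor's model, not code from the original post or from BIND) evaluates match-clients the way named does: elements are tried in order, the first one that matches decides, a leading "!" makes that decision negative, a "key NAME" element matches only a request signed with that TSIG key, an address or ACL element matches on source address alone, and a negated match inside a nested ACL counts as no match for the outer list. The VIEWS_KEY_FIRST variant, with a negated key element placed first, is the editor's hardened alternative, not part of the original configuration.

```python
# Added example: model of named's match-clients evaluation for the lan/wan views.
import ipaddress
from typing import List, Optional, Tuple

# ACLs exactly as declared in named.conf above
ACLS = {
    "lan": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "wan": ["!lan", "any"],
}

def match_list(elements: List[str], src: str, key: Optional[str]) -> Optional[bool]:
    """True = positive match, False = negated match, None = nothing matched."""
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip('"')
        if name.startswith("key "):
            hit = key == name.split(None, 1)[1]      # TSIG key name must match
        elif name == "any":
            hit = True
        elif name in ACLS:
            hit = match_list(ACLS[name], src, key) is True  # nested ACL, negative = no match
        else:
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(name)
        if hit:
            return not negate
    return None

# (view name, match-clients) in the order they appear in named.conf above
VIEWS_AS_CONFIGURED = [
    ("lan", ["key key-lan", "lan"]),
    ("wan", ["key key-wan", "wan"]),
]
# Editor's hardened variant: a request signed with the other view's key is
# rejected by the negated key element before its address can match.
VIEWS_KEY_FIRST = [
    ("lan", ["!key key-wan", "key key-lan", "lan"]),
    ("wan", ["!key key-lan", "key key-wan", "wan"]),
]

def select_view(views: List[Tuple[str, List[str]]], src: str,
                key: Optional[str] = None) -> Optional[str]:
    """Return the first view (in file order) whose match-clients matches positively."""
    for name, elements in views:
        if match_list(elements, src, key) is True:
            return name
    return None

if __name__ == "__main__":
    # The secondary 10.20.121.184 pulling the wan zone signs with key-wan, but
    # the "lan" address element in the first view captures it anyway.
    print(select_view(VIEWS_AS_CONFIGURED, "10.20.121.184", "key-wan"))  # lan
    print(select_view(VIEWS_KEY_FIRST, "10.20.121.184", "key-wan"))      # wan
```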
Primary, file /etc/named.rfc1912.lan.zones:
```
cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN {
    type master;
    file "dns/test-1.dns";
    allow-update { none; };
    notify yes;
};
```
Primary, file /etc/named.rfc1912.zones:
```
cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
    type master;
    file "test-1.dns";
    allow-update { none; };
    notify yes;
};
```
Backup:
```
acl dnsserver { 10.20.121.184; 10.20.121.179; };
acl lan { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl wan { !"lan"; any; };

options {
    listen-on port 53 { 10.20.121.184; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-recursion { lan; };
    forward first;
    forwarders {
        202.101.172.35;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    max-cache-ttl 60;
    max-cache-size 10240M;
    max-ncache-ttl 60;
    cleaning-interval 15;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/run/named/query.log" versions 55 size 100m;
        severity dynamic;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
    category default { null; };
};

key "key-lan" {
    algorithm hmac-md5;
    secret "zB3aHyt6r6aOaJ/I9rIHQQ==";
};
key "key-wan" {
    algorithm hmac-md5;
    secret "w1UhtLdOGREhSYimFSh9SQ==";
};
key "key-none" {
    algorithm hmac-md5;
    secret "Whs+3iqlwShOapXRW8wrfA==";
};

view "lan" {
    match-clients { "lan"; };
    server 10.20.121.179 { keys key-lan; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.lan.zones";
    include "/etc/named.root.key";
};

view "wan" {
    match-clients { "wan"; };
    server 10.20.121.179 { keys key-wan; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};
```
Backup, file /etc/named.rfc1912.lan.zones:
```
cat /etc/named.rfc1912.lan.zones
zone "test-1.cn" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/lan_test-1.dns";
    allow-transfer { none; };
};
```
Backup, file /etc/named.rfc1912.zones:
```
cat /etc/named.rfc1912.zones
zone "test-1.cn" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/test-1.dns";
    allow-transfer { none; };
};
```
To grow the DNS cluster, just clone the backup server and change the listen IP address in its named.conf.
Once the new DNS server is up, add its IP to the LVS (keepalived) configuration file and restart keepalived; the server is then in service.