BIND + LVS + Keepalived: building an intranet DNS cluster with per-region responses (split-horizon / smart resolution)

All servers in this setup are virtual machines running CentOS 7.3.


Server name      IP address
DNS clients      all class A addresses
DNS-BIND-1       10.20.121.179
DNS-BIND-2       10.20.121.184
DNS-VIP          10.20.120.150
DNS-LVS-master   10.20.121.187
DNS-LVS-backup   10.20.121.157

[Architecture topology diagram]


This deployment runs LVS in DR mode with round-robin (RR) scheduling: when a client sends a DNS request, LVS forwards it to each server in turn, and the DNS server that handles the request returns its answer directly to the client.

In LVS (TUN) mode a tunnel has to be created between the LVS director and the real servers, which also adds load on the servers. Similar to LVS (TUN), DR mode, also called direct routing mode, has the architecture shown in Figure 4. In this mode LVS still only handles the inbound requests and picks a suitable real server according to the scheduling algorithm; the back-end real server itself sends the response packets back to the client. Unlike tunnel mode, direct routing (DR) mode requires the director and the back-end servers to be on the same LAN, and the VIP address must be shared between the director and all back-end servers, because when a real server replies to the client it sets the source IP to the VIP and the destination IP to the client IP: the client sent its request to the director's VIP, and the reply still comes from that VIP (the VIP on the real server), so the client never notices the back-end servers. Since several machines carry the same VIP address, DR mode requires that only the director's VIP be externally visible: clients send their request packets to the director host, while the VIP on every real server must be configured on a non-ARP network device, i.e. a device that does not announce its MAC address and the corresponding IP to the network. The real servers' VIP is invisible to the outside, yet a real server can accept packets whose destination is the VIP and can use the VIP as the source address when replying. After the director has chosen a real server with the scheduling algorithm, it rewrites the destination MAC address of the frame to that real server's MAC, without modifying the IP packet, and the switch delivers the frame to the real server. Throughout the whole process the real servers' VIP never needs to be visible to the outside.

Image cited from the original article: https://blog.csdn.net/weixin_40470303/java/article/details/80541639

Round-robin (RR) scheduling dispatches requests to the servers one after another in a cycle; its main characteristic is that it is simple to implement. The algorithm assumes all servers have the same request-handling capacity, so the director distributes requests evenly across the real servers.
————————————————
Copyright notice: this passage is an original article by the CSDN blogger "chenhuyang", licensed under CC 4.0 BY-SA; reproductions must include the original link and this notice.
Original link: https://blog.csdn.net/weixin_40470303/java/article/details/80541639

Building the DNS cluster

Install ntpdate on every server to keep the clocks synchronized.

yum -y install ntpdate
echo "" >> /var/spool/cron/root
crontab -l > crontabtmp && echo "0 * * * * ntpdate cn.ntp.org.cn" >> crontabtmp  && crontab crontabtmp && rm -f crontabtmp

Install BIND

Install bind-chroot with yum; as the name says, it is BIND confined to a chroot, which is safer.

yum -y install bind-chroot bind-utils net-tools initscripts
systemctl enable named-chroot

bind-utils is the set of DNS tools shipped with BIND, mainly dig, host, nslookup and nsupdate; they are used for name resolution and DNS debugging.

Edit the configuration file

Now the master DNS is configured. The named.conf below lives at the default installation path /etc/named.conf.

acl trusted {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
};

options {
        listen-on port 53 { 10.20.121.179;10.20.120.150; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { trusted; };
        allow-recursion    { trusted; };
        forward first;
        forwarders    {
                218.1.1.1;
                218.2.2.2;
                114.114.114.114;
                223.5.5.5;
                223.6.6.6;
                8.8.8.8;
        };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};
zone "test.cn" IN {
    type master;
    file "/etc/named/test.cn.zone";
    allow-update { none; };
    allow-transfer { 10.20.121.184; };
    notify yes;
};
zone "test-fw.cn" IN {
        type forward;
        forwarders { 10.20.120.34; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Configure the zone data file

cat /etc/named/test.cn.zone
$TTL 1D
@       IN SOA  dns1.test.cn.  admin.test.cn. (
                                        2020070316      ; serial: bump this on every change to the zone and keep it greater than the slave's value; it is a 32-bit number, so YYYYMMDDnn fits but a 12-digit timestamp does not
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
           NS   dns1.test.cn.
           NS   dns2.test.cn.
dns1    IN A    10.20.121.179
dns2    IN A    10.20.121.184

Building and configuring the slave DNS server

Installation on the slave is identical to the master; only the configuration file changes slightly, and no zone data file needs to be written.

zone "test.cn" IN {
    type slave;  # on the slave only this line changes, to slave
    masters { 10.20.121.179; };
    file "slaves/test.cn.zone"; # directory where the zone data file is stored
    allow-transfer{ none; }; # do not serve zone transfers to other slaves
};

LVS + keepalived

Load the ip_vs kernel module

modprobe ip_vs

Install ntp, ipvsadm, the build toolchain and the other dependencies

yum -y install ntpdate ipvsadm wget gcc gcc-c++ make popt-devel kernel-devel openssl-devel libnl3-devel

Install keepalived

curl -O https://www.keepalived.org/software/keepalived-2.1.3.tar.gz
tar -zxf keepalived-2.1.3.tar.gz
cd keepalived-2.1.3
./configure
make && make install

Set keepalived to start at boot

cp keepalived/etc/init.d/keepalived /etc/init.d/  # the keepalived init script is shipped in the source tree
cp keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived
cp bin/* /usr/bin/
systemctl enable keepalived

Copy the configuration file to the default directory: configure was run with its defaults during the build above, so the configuration file has to be copied into /etc/keepalived/.

mkdir /etc/keepalived/
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/

Edit the configuration file

! Configuration File for keepalived

global_defs {
   router_id LVS_DR01
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}

The backup server is installed and configured almost exactly like the master; only a few lines in the configuration file change.

! Configuration File for keepalived

global_defs {
   router_id LVS_DR02
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}

DNS server configuration

On each DNS server, create a file named lvsrs in /etc/init.d/ with the following content:

cat /etc/init.d/lvsrs
#!/bin/sh
# chkconfig:   2345 90 10
# description: LVS DirectorServer
VIP=10.20.120.150
. /etc/rc.d/init.d/functions
case "$1" in
start)
        echo "start LVS of DirectorServer"
        /sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
        echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
        echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
;;
stop)
        /sbin/ifconfig lo:0 down
        echo "close LVS  DirectorServer"
        echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
        echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
        echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
        echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
;;
*)
        echo "Usage:$0 {start|stop}"
        exit 1
esac

Make the file executable

chmod +x /etc/init.d/lvsrs

Enable the script at boot

systemctl enable lvsrs
systemctl start lvsrs

Returning different answers depending on the client's source IP (the views feature of BIND 9+)

Configuring the master/slave DNS service with key authentication

# Generate the key file with ddns-confgen, a tool shipped with BIND.
ddns-confgen -a hmac-md5

It produces a block like the following

key "key-file" {
        algorithm hmac-md5;
        secret "zB3aHy***********HQQ==";
};

Run it once for each region (view) you need to configure.

Final configuration files

Master:

acl dnsserver {
    10.20.121.184;
    10.20.121.179;
};
acl lan {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
};
acl wan {
    !"lan";
    any;
};

options {
        listen-on port 53 { 10.20.121.179;10.20.120.150; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-recursion    { lan; };
        forward first;
        forwarders    {
                202.101.172.35;
                114.114.114.114;
                223.5.5.5;
                223.6.6.6;
                8.8.8.8;
        };
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

key "key-lan" {
    algorithm hmac-md5;
    secret "zB3aHy**********rIHQQ==";
};
key "key-wan" {
    algorithm hmac-md5;
    secret "w1U**********FSh9SQ==";
};
key "key-none" {
    algorithm hmac-md5;
    secret "Whs+3iql**********wrfA==";
};

masters "dnsserver" {
    10.20.121.184;
    10.20.121.179;
};


view "lan" {
    match-clients {
        !key key-wan;   # BIND takes the first view that matches: without this, a transfer signed with key-wan from a LAN address would land in the lan view
        key key-lan;
        "lan";
    };
    server 10.20.121.179 {keys key-lan;};
    allow-transfer { key key-lan; };
    allow-notify {  "dnsserver"; };
    also-notify { "dnsserver"; };
    zone    "." IN {
        type    hint;
        file    "named.ca";
    };
    include "/etc/named.rfc1912.lan.zones";
    include "/etc/named.root.key";
};
view "wan" {
    match-clients {
        key key-wan;
        "wan";
    };
    server 10.20.121.179 {keys key-wan;};
    allow-transfer { key key-wan; };
    allow-notify {  "dnsserver"; };
    also-notify { "dnsserver"; };
    zone    "." IN {
        type    hint;
        file    "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};

Master's file: /etc/named.rfc1912.lan.zones

cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN {
    type master;
    file "dns/test-1.dns";
    allow-update { none; };
    notify yes;
};

Master's file: /etc/named.rfc1912.zones

cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
    type master;
    file "test-1.dns";
    allow-update { none; };
    notify yes;
};

Backup:

acl dnsserver {
    10.20.121.184;
    10.20.121.179;
};
acl lan {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
};
acl wan {
    !"lan";
    any;
};
options {
        listen-on port 53 { 10.20.121.184;10.20.120.150; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-recursion    { lan; };
        forward first;
        forwarders    {
                202.101.172.35;
                114.114.114.114;
                223.5.5.5;
                223.6.6.6;
                8.8.8.8;
        };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        max-cache-ttl 60;
        max-cache-size 10240M;
        max-ncache-ttl 60;
        cleaning-interval 15;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        channel query_log {
                file "/var/run/named/query.log" versions 55 size 100m;
                severity dynamic;
                print-time yes;
                print-category yes;
        };
        category queries { query_log;};
        category default { null;};

};
key "key-lan" {
        algorithm hmac-md5;
        secret "zB3aHyt6r6aOaJ/I9rIHQQ==";
};
key "key-wan" {
        algorithm hmac-md5;
        secret "w1UhtLdOGREhSYimFSh9SQ==";
};
key "key-none" {
        algorithm hmac-md5;
        secret "Whs+3iqlwShOapXRW8wrfA==";
};


view "lan" {
        match-clients {
                "lan";
        };
    server 10.20.121.179 {keys key-lan;};
        zone    "."     IN {
                type    hint;
                file    "named.ca";
        };
        include "/etc/named.rfc1912.lan.zones";
        include "/etc/named.root.key";
};
view "wan" {
        match-clients {
                "wan";
        };
    server 10.20.121.179 {keys key-wan;};
        zone    "."     IN {
                type    hint;
                file    "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};

Backup's file: /etc/named.rfc1912.lan.zones

cat /etc/named.rfc1912.lan.zones
zone "test-1.cn" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/lan_test-1.dns";
    allow-transfer{ none; };
};

Backup's file: /etc/named.rfc1912.zones

cat /etc/named.rfc1912.zones
zone "test-1.cn" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/test-1.dns";
    allow-transfer{ none; };
};
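View selection is first-match: BIND hands a request to the first view whose match-clients list matches, and an address element matches whether or not the request carries a TSIG key. The script below is an added example, not part of the original article: it re-implements that evaluation over the acl and match-clients lists from the named.conf files above, and shows why the slave's key-wan-signed transfer (arriving from the LAN address 10.20.121.184) must be excluded from the lan view with "!key key-wan;". The address 203.0.113.7 is a constructed outside address.

```python
import ipaddress

# acl definitions copied from the master named.conf on this page
ACLS = {
    "dnsserver": ["10.20.121.184", "10.20.121.179"],
    "lan": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "wan": ["!lan", "any"],
}

def matches(elements, ip, key=None):
    """Evaluate an address match list the way BIND does: elements are tried in
    order and the first one that applies decides. Returns True for a positive
    match, False for a negated ("!") match, None if no element applied."""
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!")
        if name.startswith("key "):           # request signed with this TSIG key?
            applies = key == name[4:]
        elif name == "any":
            applies = True
        elif name in ACLS:                    # nested acl, e.g. "lan" inside "wan"
            applies = matches(ACLS[name], ip, key) is True
        else:                                 # literal address or prefix
            applies = ipaddress.ip_address(ip) in ipaddress.ip_network(name, strict=False)
        if applies:
            return not negate
    return None

def select_view(views, ip, key=None):
    """views: ordered (view name, match-clients) pairs as they appear in named.conf;
    BIND uses the first view whose match-clients matches the request."""
    for name, match_clients in views:
        if matches(match_clients, ip, key) is True:
            return name
    return None

# match-clients as originally written for the master: TSIG key, then address acl
PAGE_VIEWS = [("lan", ["key key-lan", "lan"]),
              ("wan", ["key key-wan", "wan"])]
# the same views with the other view's key excluded up front
FIXED_VIEWS = [("lan", ["!key key-wan", "key key-lan", "lan"]),
               ("wan", ["!key key-lan", "key key-wan", "wan"])]

if __name__ == "__main__":
    slave = "10.20.121.184"  # the slave transfers the wan view from a LAN address
    print(select_view(PAGE_VIEWS, slave, "key-wan"))   # lan  (wrong view: lan data)
    print(select_view(FIXED_VIEWS, slave, "key-wan"))  # wan
    print(select_view(FIXED_VIEWS, "203.0.113.7"))     # wan  (unsigned, non-LAN client)
```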

To grow the DNS cluster, simply clone the backup server and reconfigure the listen IP addresses in its named.conf.
Once the new DNS server is up, add its IP to the LVS configuration file and restart keepalived; the new server is then in service.