配置Bind主从及OpenRestry反向代理Bing解析

配置Bind主从及OpenRestry反向代理Bing解析

角色

ip

系统版本

内核

软件包

Bind主服务器

192.168.8.158

CentOS

Stream 9

5.14.0-

381.el9.x86_64

bind-9.16.23-14.el9.src.rpm

Bind从服务器

192.168.8.157

CentOS

Stream 9

5.14.0-

381.el9.x86_64

bind-9.16.23-14.el9.src.rpm

OpenRestry反向代理服务器

192.168.8.159

CentOS

Stream 9

5.14.0-

381.el9.x86_64

openresty-1.25.3.1

OpenRestry反向代理服务器

192.168.8.160

CentOS

Stream 9

5.14.0-

381.el9.x86_64

openresty-1.25.3.1

下载

首先在158和159主机上下载bind和bind-utils

yum -y install bind-utils bind

如果下载较慢的话使用清华大学的yum源

清华大学源地址

Index of /centos-stream/9-stream/ | 清华大学开源软件镜像站 | Tsinghua Open Source Mirror

cd /etc/yum.repos.d/

创建bak

mkdir bak

移动

mv -pv * bak/

ls -lhrt

vim base.repo

填入如下内容

[root@localhost yum.repos.d]# cat centos.repo

[baseos]

name=CentOS Stream $releasever - BaseOS

#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=BaseOS&infra=$infra

baseurl=https://mirrors.ustc.edu.cn/centos-stream/9-stream/BaseOS/$basearch/os/

gpgcheck=1

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[appstream]

name=CentOS Stream $releasever - AppStream

#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=AppStream&infra=$infra

baseurl=https://mirrors.ustc.edu.cn/centos-stream/9-stream/AppStream/$basearch/os/

gpgcheck=1

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

配置完成之后

yum clean all

清除所有缓存

yum makecache

重新生成缓存

查看该命令在哪里

[root@dns-master190 ~]# which named-checkconf

/usr/sbin/named-checkconf

查看该命令来自那个安装包

[root@dns-master190 ~]# rpm -qf `which named-checkconf`

bind-9.16.23-14.el9.x86_64

配置158主机的配置文件

[root@rsync-158 named]# cat /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { 127.0.0.1; 192.168.8.158; }; 

//这里就是配置设置的本机127和本机ip地址的53端口

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

secroots-file "/var/named/data/named.secroots";

recursing-file "/var/named/data/named.recursing";

allow-query     { localhost; 192.168.8.0/24; };

//设置允许本机和8网段的地址可以解析

/*

 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

 - If you are building a RECURSIVE (caching) DNS server, you need to enable

   recursion.

 - If your recursive DNS server has a public IP address, you MUST enable access

   control to limit queries to your legitimate users. Failing to do so will

   cause your server to become part of large scale DNS amplification

   attacks. Implementing BCP38 within your network would greatly

   reduce such attack surface

*/

recursion yes;

dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */

include "/etc/crypto-policies/back-ends/bind.config";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

type hint;

file "named.ca";

};

zone "ldp.com" IN {

        type master;

        file "ldp.com.zone";

also-notify { 192.168.8.157 ;};

allow-transfer {  192.168.8.157 ;};

allow-update { none; };

notify yes;

//这里就是设置本机为主服务器,从服务器指向157主机,解析记录是/var/named/ldp.com.zone这个文件

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

配置/var/named/ldp.com.zone文件

[root@rsync-158 named]# touch  /var/named/ldp.com.zone

cat /var/named/ldp.com.zone

$TTL 7200

ldp.com.                IN      SOA     ldp.com.        2043565830.qq.com. (

                                                        2024012312

                                                        1H

                                                        10M

                                                        1W

                                                        1D )

ldp.com.                IN      NS      ns1.ldp.com.

ldp.com.                IN      NS      ns2.ldp.com.

ns1.ldp.com.             IN      A       192.168.8.157

ns2.ldp.com.             IN      A       192.168.8.158

www.ldp.com.            IN      A       192.168.8.157

www.ldp.com.            IN      A       192.168.8.158

www.ldp.com.            IN      A       192.168.8.159

www.ldp.com.            IN      A       192.168.8.160

www.ldp.com.            IN      A       192.168.8.161

配置属主和属组

chown -R named.ldp.com.zone

检测配置是否正确

[root@rsync-158 ~]# cd /var/named/

[root@rsync-158 named]# named-checkzone ldp.com ldp.com.zone

zone ldp.com/IN: loaded serial 2024012312

OK

启动

systemctl start named

查看端口

udp的53端口是提供域名解析服务的,tcp的53是提供bind服务的

将网卡文件的DNS 记录注释

之后执行nmcli c reload和nmcil c up ens160

进入配置/etc/resolv.conf文件

[root@rsync-158 named]# cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.8.158

nameserver 192.168.8.157

指向本机和从服务器

测试

127.0.0.1

192.168.8.158

localhost

测试完成都可解析

157主机的配置文件

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { 127.0.0.1;192.168.8.157; };

// 这里就是配置设置的本机127和本机ip地址的53端口

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

secroots-file "/var/named/data/named.secroots";

recursing-file "/var/named/data/named.recursing";

allow-query     { localhost;192.168.8.0/24; };

//设置允许本机和8网段的地址可以解析

/*

 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

 - If you are building a RECURSIVE (caching) DNS server, you need to enable

   recursion.

 - If your recursive DNS server has a public IP address, you MUST enable access

   control to limit queries to your legitimate users. Failing to do so will

   cause your server to become part of large scale DNS amplification

   attacks. Implementing BCP38 within your network would greatly

   reduce such attack surface

*/

recursion yes;

dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */

include "/etc/crypto-policies/back-ends/bind.config";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

type hint;

file "named.ca";

};

zone "ldp.com" IN {

type slave;

file "slaves/ldp.com.zone";

masters {  192.168.8.158; };

masterfile-format text;

};

// 这里就是设定域名为ldp.com,角色为从(slave),同步的配置文件在当前路径下的slaves/ldp.com.zone

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

将网卡文件的DNS 记录注释

之后执行nmcli c reload和nmcil c up ens160

进入配置/etc/resolv.conf文件

[root@rsync-158 named]# cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.8.158

nameserver 192.168.8.157

指向主服务器和本机

重启158和157主机的named服务之后就可以看到157主机的解析记录同步过来了。

[root@rsync-157 ~]# cat /var/named/slaves/ldp.com.zone

$ORIGIN .

$TTL 7200       ; 2 hours

ldp.com                 IN SOA  ldp.com. 2043565830.qq.com. (

                                2024012312 ; serial

                                3600       ; refresh (1 hour)

                                600        ; retry (10 minutes)

                                604800     ; expire (1 week)

                                86400      ; minimum (1 day)

                                )

                        NS      ns1.ldp.com.

                        NS      ns2.ldp.com.

$ORIGIN ldp.com.

ns1                     A       192.168.8.157

ns2                     A       192.168.8.158

www                     A       192.168.8.157

                        A       192.168.8.158

                        A       192.168.8.159

                        A       192.168.8.160

                        A       192.168.8.161

bind配置完成

OpenRestry 代理 Bind-主从模式

159和160主机下载包

wget -c https://openresty.org/download/openresty-1.25.3.1.tar.gz

159和160主机安装依赖

yum -y install perl-devel openssl-devel pcre-devel gcc gcc-c++ autoconf make zlib-devel

159和160主机解压

tar xf openresty-1.25.3.1.tar.gz

直接预编译

./configure ; echo $?

编译并安装

make && make install ; echo $?

配置159主机配置文件

[root@op-159 openresty-1.25.3.1]# cat  /usr/local/openresty/nginx/conf/nginx.conf

#user  nobody;

worker_processes  1;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

    #                  '$status $body_bytes_sent "$http_referer" '

    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;

    #tcp_nopush     on;

    #keepalive_timeout  0;

    keepalive_timeout  65;

    #gzip  on;

    server {

        listen       80;

        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {

            root   html;

            index  index.html index.htm;

        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80

        #

        #location ~ .php$ {

        #    proxy_pass   http://127.0.0.1;

        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

        #

        #location ~ .php$ {

        #    root           html;

        #    fastcgi_pass   127.0.0.1:9000;

        #    fastcgi_index  index.php;

        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        #    include        fastcgi_params;

        #}

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        #location ~ /.ht {

        #    deny  all;

        #}

    }

    # another virtual host using mix of IP-, name-, and port-based configuration

    #

    #server {

    #    listen       8000;

    #    listen       somename:8080;

    #    server_name  somename  alias  another.alias;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

    # HTTPS server

    #

    #server {

    #    listen       443 ssl;

    #    server_name  localhost;

    #    ssl_certificate      cert.pem;

    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;

    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;

    #    ssl_prefer_server_ciphers  on;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

}

stream {

 upstream bind-ms {

 server 192.168.8.158:53;

 server 192.168.8.157:53;

 }

 server {

 listen 53 udp;

 proxy_pass bind-ms;

 proxy_timeout 120s;

 error_log logs/proxy-bind-error.log error;

 }

}

检测159主机配置语法

[root@op-159 openresty-1.25.3.1]# /usr/local/openresty/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

配置160主机配置文件

[root@op-160 openresty-1.25.3.1]# cat  /usr/local/openresty/nginx/conf/nginx.conf

#user  nobody;

worker_processes  1;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

    #                  '$status $body_bytes_sent "$http_referer" '

    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;

    #tcp_nopush     on;

    #keepalive_timeout  0;

    keepalive_timeout  65;

    #gzip  on;

    server {

        listen       80;

        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {

            root   html;

            index  index.html index.htm;

        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80

        #

        #location ~ .php$ {

        #    proxy_pass   http://127.0.0.1;

        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

        #

        #location ~ .php$ {

        #    root           html;

        #    fastcgi_pass   127.0.0.1:9000;

        #    fastcgi_index  index.php;

        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        #    include        fastcgi_params;

        #}

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        #location ~ /.ht {

        #    deny  all;

        #}

    }

    # another virtual host using mix of IP-, name-, and port-based configuration

    #

    #server {

    #    listen       8000;

    #    listen       somename:8080;

    #    server_name  somename  alias  another.alias;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

    # HTTPS server

    #

    #server {

    #    listen       443 ssl;

    #    server_name  localhost;

    #    ssl_certificate      cert.pem;

    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;

    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;

    #    ssl_prefer_server_ciphers  on;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

}

stream {

 upstream bind-ms {

 server 192.168.8.158:53;

 server 192.168.8.157:53;

 }

 server {

 listen 53 udp;

 proxy_pass bind-ms;

 proxy_timeout 120s;

 error_log logs/proxy-bind-error.log error;

 }

}

检测160主机配置语法

[root@op-160 openresty-1.25.3.1]# /usr/local/openresty/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

159和160主机配置

cat /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.8.158

nameserver 192.168.8.157

将159和160的OpenRestry重启

/usr/local/openresty/nginx/sbin/nginx  -s reload

159主机测试

160主机测试

配置完成