配置Bind主从及OpenResty反向代理Bind解析
角色 |
ip |
系统版本 |
内核 |
软件包 |
Bind主服务器 |
192.168.8.158 |
CentOS Stream 9 |
5.14.0-381.el9.x86_64 |
bind-9.16.23-14.el9.src.rpm |
Bind从服务器 |
192.168.8.157 |
CentOS Stream 9 |
5.14.0-381.el9.x86_64 |
bind-9.16.23-14.el9.src.rpm |
OpenResty反向代理服务器 |
192.168.8.159 |
CentOS Stream 9 |
5.14.0-381.el9.x86_64 |
openresty-1.25.3.1 |
OpenResty反向代理服务器 |
192.168.8.160 |
CentOS Stream 9 |
5.14.0-381.el9.x86_64 |
openresty-1.25.3.1 |
下载
首先在158和157两台Bind主机上安装bind和bind-utils
yum -y install bind-utils bind
如果下载较慢的话使用清华大学的yum源
清华大学源地址
Index of /centos-stream/9-stream/ | 清华大学开源软件镜像站 | Tsinghua Open Source Mirror
cd /etc/yum.repos.d/
创建bak
mkdir bak
移动
mv -v *.repo bak/
ls -lhrt
vim centos.repo
填入如下内容（注意：下面示例中的 baseurl 指向的是中科大 USTC 镜像，而非上文提到的清华镜像；两者的 centos-stream/9-stream/ 目录结构相同，任选其一即可）
[root@localhost yum.repos.d]# cat centos.repo
[baseos]
name=CentOS Stream $releasever - BaseOS
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=BaseOS&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos-stream/9-stream/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[appstream]
name=CentOS Stream $releasever - AppStream
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=AppStream&infra=$infra
baseurl=https://mirrors.ustc.edu.cn/centos-stream/9-stream/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
配置完成之后
yum clean all
清除所有缓存
yum makecache
重新生成缓存
查看该命令在哪里
[root@dns-master190 ~]# which named-checkconf
/usr/sbin/named-checkconf
查看该命令来自那个安装包
[root@dns-master190 ~]# rpm -qf `which named-checkconf`
bind-9.16.23-14.el9.x86_64
配置158主机的配置文件
[root@rsync-158 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Primary (master) for ldp.com on 192.168.8.158. The secondary on
// 192.168.8.157 pulls the zone by AXFR (see allow-transfer / also-notify
// in the "ldp.com" zone block below).
options {
listen-on port 53 { 127.0.0.1; 192.168.8.158; };
// Listen on port 53 on loopback and on this host's own LAN address only.
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; 192.168.8.0/24; };
// Only localhost and the 192.168.8.0/24 LAN may query. Queries relayed by
// the OpenResty stream proxies (192.168.8.159 / .160) reach this server from
// the proxy's own address (nginx does not preserve the client source unless
// proxy_bind ... transparent is configured), so they fall inside this ACL.
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
// NOTE(review): recursion stays enabled on a server that is also
// authoritative for ldp.com, which the bundled comment above advises
// against. In BIND 9.16 allow-recursion defaults from allow-query when
// neither allow-recursion nor allow-query-cache is set, so recursive
// service is limited to the LAN ACL above; keep that ACL in place.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "ldp.com" IN {
type master;
file "ldp.com.zone";
also-notify { 192.168.8.157 ;};
allow-transfer { 192.168.8.157 ;};
allow-update { none; };
notify yes;
// This host is the primary; the secondary is 192.168.8.157 and the zone
// data is /var/named/ldp.com.zone (the "file" path is relative to
// "directory" above). allow-transfer limits AXFR/IXFR to the secondary and
// allow-update { none; } rejects dynamic updates. Transfers and NOTIFYs
// are authenticated by source address only; a TSIG key on both sides would
// tie them to a shared secret instead of an IP.
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
配置/var/named/ldp.com.zone文件
[root@rsync-158 named]# touch /var/named/ldp.com.zone
cat /var/named/ldp.com.zone
$TTL 7200
; Zone data for ldp.com, served by the primary on 192.168.8.158 and
; transferred to the secondary on 192.168.8.157.
; NOTE(review): the SOA MNAME is "ldp.com." rather than the primary's
; nameserver name (ns2.ldp.com. is 192.168.8.158 below); by convention MNAME
; names the primary. The RNAME encodes the contact mailbox 2043565830@qq.com.
ldp.com. IN SOA ldp.com. 2043565830.qq.com. (
2024012312 ; serial (YYYYMMDDnn) - bump it on every edit or the secondary will not re-transfer
1H ; refresh
10M ; retry
1W ; expire
1D ) ; negative-caching TTL (minimum)
ldp.com. IN NS ns1.ldp.com.
ldp.com. IN NS ns2.ldp.com.
; ns1 is the secondary host and ns2 the primary host, per the table at the top of this page.
ns1.ldp.com. IN A 192.168.8.157
ns2.ldp.com. IN A 192.168.8.158
; Five A records for www: clients round-robin over them. 192.168.8.161 is
; not one of the hosts listed on this page - presumably a future/extra node; verify.
www.ldp.com. IN A 192.168.8.157
www.ldp.com. IN A 192.168.8.158
www.ldp.com. IN A 192.168.8.159
www.ldp.com. IN A 192.168.8.160
www.ldp.com. IN A 192.168.8.161
配置属主和属组
chown named:named /var/named/ldp.com.zone
检测配置是否正确
[root@rsync-158 ~]# cd /var/named/
[root@rsync-158 named]# named-checkzone ldp.com ldp.com.zone
zone ldp.com/IN: loaded serial 2024012312
OK
启动
systemctl start named
查看端口
udp的53端口提供普通的域名查询服务,tcp的53端口用于主从之间的区域传送(AXFR/IXFR)以及超出UDP长度的应答
将网卡文件的DNS 记录注释
之后执行nmcli c reload和nmcli c up ens160
进入配置/etc/resolv.conf文件
[root@rsync-158 named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.8.158
nameserver 192.168.8.157
指向本机和从服务器
测试
127.0.0.1
192.168.8.158
localhost
测试完成都可解析
157主机的配置文件
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Secondary (slave) for ldp.com on 192.168.8.157; the zone is pulled from
// the primary at 192.168.8.158 (see the "ldp.com" zone block below).
options {
listen-on port 53 { 127.0.0.1;192.168.8.157; };
// Listen on port 53 on loopback and on this host's own LAN address only.
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost;192.168.8.0/24; };
// Only localhost and the 192.168.8.0/24 LAN may query. Queries relayed by
// the OpenResty stream proxies (192.168.8.159 / .160) arrive from the
// proxy's own address, so they fall inside this ACL.
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
// NOTE(review): recursion is enabled on a server that is also authoritative
// for ldp.com (the bundled comment above advises against this). The
// allow-query ACL above bounds recursive service to the LAN; keep it.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "ldp.com" IN {
type slave;
file "slaves/ldp.com.zone";
masters { 192.168.8.158; };
masterfile-format text;
// Transferred copy is written as plain text to /var/named/slaves/ldp.com.zone
// ("file" is relative to "directory"). The transfer is accepted from
// 192.168.8.158 on source address alone; a TSIG key shared with the primary
// would authenticate it instead.
};
// Zone ldp.com is served here in the secondary (slave) role; the synced
// zone file lives under the named directory at slaves/ldp.com.zone.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
将网卡文件的DNS 记录注释
之后执行nmcli c reload和nmcli c up ens160
进入配置/etc/resolv.conf文件
[root@rsync-158 named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.8.158
nameserver 192.168.8.157
指向主服务器和本机
重启158和157主机的named服务之后就可以看到157主机的解析记录同步过来了。
[root@rsync-157 ~]# cat /var/named/slaves/ldp.com.zone
$ORIGIN .
$TTL 7200 ; 2 hours
ldp.com IN SOA ldp.com. 2043565830.qq.com. (
2024012312 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.ldp.com.
NS ns2.ldp.com.
$ORIGIN ldp.com.
ns1 A 192.168.8.157
ns2 A 192.168.8.158
www A 192.168.8.157
A 192.168.8.158
A 192.168.8.159
A 192.168.8.160
A 192.168.8.161
bind配置完成
OpenResty 代理 Bind 主从模式
159和160主机下载包
wget -c https://openresty.org/download/openresty-1.25.3.1.tar.gz
159和160主机安装依赖
yum -y install perl-devel openssl-devel pcre-devel gcc gcc-c++ autoconf make zlib-devel
159和160主机解压
tar xf openresty-1.25.3.1.tar.gz
直接预编译
./configure ; echo $?
编译并安装
make && make install ; echo $?
配置159主机配置文件
[root@op-159 openresty-1.25.3.1]# cat /usr/local/openresty/nginx/conf/nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ .php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ .php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
stream {
# Layer-4 UDP proxy in front of the BIND pair. With no balancing method
# given, nginx distributes datagrams round-robin between the two servers.
upstream bind-ms {
server 192.168.8.158:53;
server 192.168.8.157:53;
}
server {
listen 53 udp;
# Only UDP/53 is proxied here. A client that falls back to TCP after a
# truncated (TC-bit) answer will not reach BIND through this host; a second
# server block with "listen 53;" (no "udp") would cover TCP as well.
proxy_pass bind-ms;
proxy_timeout 120s;
# NOTE(review): without proxy_responses, each UDP session is held until
# proxy_timeout expires; "proxy_responses 1;" would release it after the
# single DNS reply.
error_log logs/proxy-bind-error.log error;
}
}
检测159主机配置语法
[root@op-159 openresty-1.25.3.1]# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
配置160主机配置文件
[root@op-160 openresty-1.25.3.1]# cat /usr/local/openresty/nginx/conf/nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ .php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ .php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
stream {
# Layer-4 UDP proxy in front of the BIND pair. With no balancing method
# given, nginx distributes datagrams round-robin between the two servers.
upstream bind-ms {
server 192.168.8.158:53;
server 192.168.8.157:53;
}
server {
listen 53 udp;
# Only UDP/53 is proxied here. A client that falls back to TCP after a
# truncated (TC-bit) answer will not reach BIND through this host; a second
# server block with "listen 53;" (no "udp") would cover TCP as well.
proxy_pass bind-ms;
proxy_timeout 120s;
# NOTE(review): without proxy_responses, each UDP session is held until
# proxy_timeout expires; "proxy_responses 1;" would release it after the
# single DNS reply.
error_log logs/proxy-bind-error.log error;
}
}
检测160主机配置语法
[root@op-160 openresty-1.25.3.1]# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
159和160主机配置
cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.8.158
nameserver 192.168.8.157
将159和160的OpenResty重新加载配置（-s reload 只对已经运行的 nginx 实例生效；若尚未启动,先直接执行 /usr/local/openresty/nginx/sbin/nginx 启动）
/usr/local/openresty/nginx/sbin/nginx -s reload
159主机测试
160主机测试
配置完成