bind智能DNS + bindUI管理系统(postgresql + bind dlz)
# 软件环境:
* Centos 7.6
* bind-9.14.1.tar.gz
* postgresql 11
* python 3.7
QPS:单节点1590 qps
# 安装postgresql
参考地址:https://www.postgresql.org/download/linux/redhat/
yum -y install https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-7-x86_64/pgdg-redhat11-11-2.noarch.rpm
yum -y install postgresql11
yum -y install postgresql11-server
yum -y install postgresql11-libs
yum -y install postgresql11-devel
/usr/pgsql-11/bin/postgresql-11-setup initdb
systemctl enable postgresql-11
## postgresql设置
/var/lib/pgsql/11/data/postgresql.conf
listen_addresses = '*'
port = 5432
max_connections = 5120
tail -n 20 /var/lib/pgsql/11/data/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
## host all all 127.0.0.1/32 ident
host all all 127.0.0.1/32 md5
host all all 0.0.0.0/0 md5   # 对任意来源地址开放数据库连接,仅靠口令保护;建议收窄为各 DNS 节点所在的地址段
# IPv6 local connections:
host all all ::1/128 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication all peer
#host replication all 127.0.0.1/32 ident
#host replication all ::1/128 ident
## 启动postgresql
systemctl start postgresql-11
## 创建用户、数据库
su postgres
psql
create user bindui_wr with password 'ww123456';
create database bind_ui owner bindui_wr ENCODING=utf8;
# 安装bind
cd /usr/local/src
wget http://ftp.isc.org/isc/bind9/9.14.1/bind-9.14.1.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz
tar -zxvf openssl-1.0.2r.tar.gz; cd openssl-1.0.2r; ./config; make; make install
export LDFLAGS=-L/usr/pgsql-11/lib # 指定 pgsql lib 路径(可用 pg_config --libdir 查询 postgresql 的 lib 目录)
./configure --prefix=/usr/local/bind_9.14.1 --with-dlz-postgres=yes --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r
make; make install
ln -s /usr/local/bind_9.14.1 /usr/local/bind
groupadd -g 25 named
useradd named -M -u 25 -g 25 -s /sbin/nologin
chown -R named:named /usr/local/bind/var
mkdir -p /var/log/named /etc/named/conf.d; chown -R named:named /var/log/named
systemctl 启动脚本
cat /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/bind/var/named.pid
ExecStart=/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf
ExecReload=/bin/sh -c '/usr/local/bind/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/local/bind/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
注意: /usr/local/bind/sbin/named -n 1 中的 -n 指定线程数
经测试,bind-9.14 + postgresql 或mysql已经与线程数量无关,均为单线程了。设置-n 4与-n 1性能都一样
systemctl enable named;
cd /usr/local/bind/etc/
/usr/local/bind/sbin/rndc-confgen > rndc.conf
ln -s /usr/local/bind/etc /etc/named   # 注意:若前面 mkdir 已把 /etc/named 建成真实目录,ln -s 会在该目录内创建名为 etc 的链接而不是替换它,需先删除该目录再建链接
tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf #内容类似下面这样:
key "rndc-key" {
    algorithm hmac-sha256;
    secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
cat /etc/named/named.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { any; }; # 开启侦听53端口,any表示接受任意ip连接
    directory "/usr/local/bind/var";
    pid-file "named.pid"; # 文件内容就是named进程的id
    allow-query{ any; }; # 允许任意ip查询
    allow-query-cache { any; }; # 允许任意ip查询缓存
    # 注意:对任意来源开放查询且未限制递归,相当于一个开放递归解析器,容易被用于放大攻击;
    # 建议增加 allow-recursion { 内网地址段或上面定义的acl; }; 只对可信来源开放递归
    recursive-clients 60000;
    forwarders{ # 设置转发的公网ip
        202.96.128.86;
        223.5.5.5;
    };
    forward only; # 置只使用forwarders DNS服务器做域名解析,如果查询不到则返回DNS客户端查询失败。
    # forward first; 设置优先使用forwarders DNS服务器做域名解析,如果查询不到再使用本地DNS服务器做域名解析。
    max-cache-size 4g;
    dnssec-enable no; # 9.13、9.14版本的bind做转发时需要设置关闭DNS安全设置,否则转发失败,报broken trust chain/broken trust chain错
    dnssec-validation no; # 9.13、9.14版本的bind做转发时需要设置关闭DNS安全验证设置
};
logging {
    channel query_log { # 查询日志
        file "/var/log/named/query.log" versions 20 size 300m;
        severity info;
        print-time yes;
        print-category yes;
    };
    channel error_log { # 报错日志
        file "/var/log/named/error.log" versions 3 size 10m;
        severity notice;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries { query_log; };
    category default { error_log; };
};
# acl
include "/etc/named/conf.d/cn_dx.acl";
include "/etc/named/conf.d/cn_lt.acl";
include "/etc/named/conf.d/cn_yd.acl";
include "/etc/named/conf.d/cn_jy.acl";
include "/etc/named/conf.d/cn.acl";
# view
include "/etc/named/conf.d/cn_dx.conf";
include "/etc/named/conf.d/cn_lt.conf";
include "/etc/named/conf.d/cn_yd.conf";
include "/etc/named/conf.d/cn_jy.conf";
include "/etc/named/conf.d/cn.conf";
include "/etc/named/conf.d/default.conf"; # default view 放最后
日志级别:
在定义通道的语句中,severity是指定记录消息的级别。在bind中主要有以下几个级别(按照严重性递减的顺序):
critical
error
warning
notice
info
debug [ level ]
dynamic
versions 20:保留20个文件
acl配置:
ip列表:https://ip.cn/chnroutes.html
示例:
cat cn_yd.acl
# 中国移动
# 2017101711, 74 routes
acl cn_yd {
    36.128.0.0/10;
    39.128.0.0/10;
    42.83.200.0/23;
    43.239.172.0/22;
    43.241.112.0/22;
    43.251.244.0/22;
    45.121.68.0/22;
    45.121.72.0/22;
    45.121.172.0/22;
    45.121.176.0/22;
    45.122.96.0/21;
    45.123.152.0/22;
    45.124.36.0/22;
    45.125.24.0/22;
    58.83.240.0/21;
    59.153.68.0/22;
    61.14.244.0/22;
    103.20.112.0/22;
    103.21.176.0/22;
    103.35.104.0/22;
    103.37.176.0/23;
    103.40.12.0/22;
    103.43.124.0/22;
    103.45.160.0/22;
    103.61.156.0/22;
    103.61.160.0/22;
    103.62.24.0/22;
    103.62.204.0/22;
    103.62.208.0/22;
    103.83.72.0/22;
    103.192.0.0/22;
    103.192.144.0/22;
    103.193.140.0/22;
    103.205.116.0/22;
    103.227.48.0/22;
    111.0.0.0/10;
    111.235.182.0/24;
    112.0.0.0/10;
    114.66.68.0/22;
    117.128.0.0/10;
    118.187.40.0/21;
    118.191.248.0/21;
    118.194.165.0/24;
    120.192.0.0/10;
    121.255.0.0/16;
    131.228.96.0/24;
    163.53.56.0/22;
    183.192.0.0/10;
    202.141.176.0/20;
    211.103.0.0/17;
    211.136.0.0/13;
    211.148.224.0/19;
    211.155.236.0/24;
    218.200.0.0/13;
    221.130.0.0/15;
    221.176.0.0/19;
    221.176.32.0/20;
    221.176.48.0/21;
    221.176.56.0/24;
    221.176.58.0/23;
    221.176.60.0/22;
    221.176.64.0/18;
    221.176.128.0/17;
    221.177.0.0/16;
    221.178.0.0/15;
    221.180.0.0/14;
    223.64.0.0/11;
    223.96.0.0/12;
    223.112.0.0/14;
    223.116.0.0/15;
    223.118.2.0/24;
    223.118.10.0/24;
    223.118.18.0/24;
    223.120.0.0/13;
};
其他类似
view配置:
cat cn_yd.conf # match-clients要与定义的acl匹配
view "cn_yd" {
    match-clients { cn_yd; };
    dlz "Postgres zone" {
        database "postgres 2
        {host=127.0.0.1 dbname=bind_ui port=5432 user=bind_wr password=ww123456}
        {select zone_name from \"DnsRecord_zonetag\" where zone_name = '$zone$'}
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end from \"DnsRecord_zonetag\" inner join \"DnsRecord_record\" on \"DnsRecord_record\".zone_tag_id = \"DnsRecord_zonetag\".id and \"DnsRecord_zonetag\".zone_name = '$zone$' and \"DnsRecord_record\".host = '$record$' where \"DnsRecord_zonetag\".status = 'on' and \"DnsRecord_record\".status = 'on' and (\"DnsRecord_record\".resolution_line = '103' or \"DnsRecord_record\".resolution_line = '0') }
        ";
    };
};
注意:这里
DnsRecord_record.resolution_line 的值要与 bindUI 定义的值相同,以区别不同的解析线路。
另外,database 连接串中写的是 user=bind_wr,而前面创建的数据库用户是 bindui_wr,两处需保持一致;连接串明文包含数据库口令,conf.d 下的配置文件应只允许 named 用户读取(例如 root:named 权限 0640)。
其他类似
cat default.conf # 默认view。any 是内置 acl,表示所有地址,不需要自行定义;view 按书写顺序匹配客户端,所以默认 view 必须放在配置中所有 view 的最后
view "default" {
    match-clients { any; };
    dlz "Postgres zone" {
        database "postgres 2
        {host=127.0.0.1 dbname=bind_ui port=5432 user=bind_wr password=ww123456}
        {select zone_name from \"DnsRecord_zonetag\" where zone_name = '$zone$'}
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') when lower(type) = 'soa' then concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum) else data end from \"DnsRecord_zonetag\" inner join \"DnsRecord_record\" on \"DnsRecord_record\".zone_tag_id = \"DnsRecord_zonetag\".id and \"DnsRecord_zonetag\".zone_name = '$zone$' and \"DnsRecord_record\".host = '$record$' where \"DnsRecord_zonetag\".status = 'on' and \"DnsRecord_record\".status = 'on' and \"DnsRecord_record\".resolution_line = '0' }
        ";
    };
};
