在centos平台搭建 智能DNS
作者:leftleg
一、应用背景
某网络广告公司,总部设在中国上海,是一个具有多项全球顶尖互联网专利技术的专业广告集团,主营在线网络广告,业务量庞大,广告主及联盟网站众多且遍布不同区域。由于南北互通问题,严重制约了市场的拓展和业务的进一步发展,影响了工作效率。目前有CDN(内容分布网络),BGP(边际网关协议)等技术可以解决南北互通问题,但是高投资、高使用费以及高维护费成为该公司的首要难题。为打破困局,该公司决定对症下药,寻找更经济的解决办法,消除南北间不可逾越的"鸿沟",降低网络费用。
二、解决方案
采用双线机房,Bind9作为智能DNS,通过DNS View配置,自动根据客户端IP来判断,网通的用户解析出网通的IP,电信的解析出电信IP,使用户能够访问到临近的同网的服务器,避免跨网访问,从而提高访问速度,解决南北互访问题。
三、实施步骤
操作系统:
CentOS 4.4
http://www.centos.org
软件列表:
BIND9
http://www.isc.org
Ripe-dbase-client-v3
http://www.apnic.net
例子域名:
Entage.net
步骤一、安装操作系统
推荐使用CentOS 4.4,基于RedHat Enterprise AS 4.4安全加强的免费可升级独立分发版本Linux操作系统,安装过程不再详述。
步骤二、安装Bind9
(1)RPM包方式安装
1.手动下载软件包安装
下载RPM软件包:
wget
http://isoredirect.centos.org/ce ... 2.4-16.EL4.i386.rpm
wget
http://isoredirect.centos.org/ce ... 2.4-16.EL4.i386.rpm
wget
http://isoredirect.centos.org/ce ... 2.4-16.EL4.i386.rpm
wget
http://isoredirect.centos.org/ce ... 2.4-16.EL4.i386.rpm
安装软件包:
rpm -iUvh bind*.rpm
2.yum自动安装
yum install bind bind-libs bind-utils bind-devel
3.up2date自动安装
up2date bind bind-libs bind-utils bind-devel
以上三种方式任选一种安装,安装后执行以下命令配置DNS服务开机自启动
chkconfig named on
(2)源码包方式安装
下载源码包:
wget
http://ftp.isc.org/isc/bind9/9.3.3/bind-9.3.3.tar.gz
解压源码包:
tar zxvf bind-9.3.3.tar.gz
配置:
cd bind-9.3.3
./configure --prefix=/usr
编译:
make
安装:
make install
添加用户和组:
groupadd -g 25 named
useradd -u 25 -g 25 -d /var/named -s /sbin/nologin named
建立启动脚本:
vi /etc/init.d/named
==========named begin==========
#!/bin/bash
#
# named This shell scrīpt takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: - 13 87
# descrīption: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in
start)
if [ -x /usr/sbin/named ]
then
/usr/sbin/named -u named -c /etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;
stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;
esac
==========named end===========
更改启动脚本权限:
chmod 755 /etc/init.d/named
添加启动脚本为系统服务:
chkconfig --add named
配置DNS服务开机自启动:
chkconfig named on
步骤三、安装IP地址段查询工具Ripe-dbase-client-v3:
下载软件包:
wget
http://ftp.apnic.net/apnic/dbase ... se-client-v3.tar.gz
解压软件包:
tar zxvf ripe-dbase-client-v3.tar.gz
配置:
cd whois-3.1
./configure --prefix=/usr
编译:
make
安装
make install
步骤四、建立相关目录及文件
mkdir -p /var/named/data
mkdir -p /var/named/master/any
mkdir -p /var/named/master/cnc
mkdir -p /var/named/master/telecom
mkdir -p /var/named/slaves
mkdir -p /var/log/named
mkdir -p /var/run/named
touch /var/named/cnc_acl.conf
touch /var/named/telecom_acl.conf
touch /var/log/named/dns_warning
touch /var/log/named/dns_log
touch /var/named/master/any.def
touch /var/named/master/cnc.def
touch /var/named/master/telecom.def
wget
ftp://ftp.internic.org/domain/named.root -O /var/named/named.ca
chown -R named.named /var/named /var/log/named /var/run/named
chmod -R 770 /var/named /var/log/named /var/run/named
步骤五、配置rndc
设置rndc.conf:
vi /etc/rndc.conf
==========rndc.conf begin==========
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
include "/etc/rndc.key";
==========rndc.conf end============
生成/etc/rndc.key:
/usr/sbin/rndc-confgen –a
步骤六、配置ACL文件
设置网通IP列表ACL文件cnc_acl.conf:
/usr/bin/whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP | grep "descr" | grep "Reverse" | awk -F "for" '{if ($2!="") print $2}'| sort -n | awk 'BEGIN{print "acl \"CNC\" '{'"}{print $1";"}END{print "'}';"}' > /var/named/cnc_acl.conf
设置电信IP列表ACL文件telecom_acl.conf:
/usr/bin/whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET | grep "descr" | grep "Reverse" | awk -F "for" '{if ($2!="") print $2}'| sort -n | awk 'BEGIN{print "acl \"TELECOM\" '{'"}{print $1";"}END{print "'}';"}' > /var/named/telecom_acl.conf
步骤七、配置named.conf
vi /etc/named.conf
==========named.conf begin==========
acl "trusted-lan" {
127.0.0.1/8;
192.168.0.0/24;
};
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
version "";
datasize 40M;
allow-transfer {
"trusted-lan";
};
recursion yes;
allow-notify {
"trusted-lan";
};
allow-recursion {
"trusted-lan";
};
auth-nxdomain no;
forwarders {
202.96.209.5;
210.22.70.3;
};
};
logging {
channel warning {
file "/var/log/named/dns_warning" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/var/log/named/dns_log" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
category queries {
general_dns;
};
};
include "cnc_acl.conf";
include "telecom_acl.conf";
view "view_cnc" {
match-clients {
CNC;
};
zone "." {
type hint;
file "named.ca";
};
include "master/cnc.def";
};
view "view_telecom" {
match-clients {
TELECOM;
};
zone "." {
type hint;
file "named.ca";
};
include "master/telecom.def";
};
view "view_any" {
match-clients {
any;
};
zone "." {
type hint;
file "named.ca";
};
include "master/any.def";
};
include "/etc/rndc.key";
==========named.conf end===========
步骤八、增加域名解析配置文件
设置网通解析配置文件:
vi /var/named/master/cnc.def
==========cnc.def begin==========
zone "entage.net"{
type master;
file "master/cnc/entage.net";
};
==========cnc.def end===========
设置电信解析配置文件:
vi /var/named/master/telecom.def
==========telecom.def begin==========
zone "entage.net"{
type master;
file "master/telecom/entage.net";
};
==========telecom.def end===========
设置网通电信以外解析配置文件:
vi /var/named/master/any.def
==========any.def begin==========
zone "entage.net"{
type master;
file "master/any/entage.net";
};
==========any.def end===========
步骤九、增加域名定义文件
设置网通域名定义文件:
vi /var/named/master/cnc/entage.net
==========cnc/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 218.108.238.221
ns IN A 218.108.238.221
www IN A 218.108.238.221
;
;end
==========cnc/entage.net end===========
设置电信域名定义文件:
vi /var/named/master/telecom/entage.net
==========telecom/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 61.152.241.97
ns IN A 61.152.241.97
www IN A 61.152.241.97
;
;end
==========telecom/entage.net end===========
设置其它区域域名定义文件:
vi /var/named/master/any/entage.net
==========any/entage.net begin==========
$TTL 3600
$ORIGIN entage.net.
@ IN SOA ns.entage.net. root.entage.net. (
2007011701 ;Serial
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds )
15 ;Minimum TTL for Zone ( seconds )
)
@ IN NS ns.entage.net.
@ IN A 61.152.241.97
ns IN A 61.152.241.97
www IN A 61.152.241.97
;
;end
==========any/entage.net end===========
四、结束语
此方案有如下优点:
1.低成本-无需添加任何专用设备,只需通过简单配置即可;
2.灵活性强-可随时增加/删除解析规则;
3.有一定的可扩展能力-如果搭配Round Robin DNS可无缝快速的配置简单的负载均衡;
