blank
blank

CentOS7 安装 Bind + Nginx 配置私有网络的 DNS

192.168.2.11 为内网中准备安装 DNS 和 Nginx 服务的机器(下文的配置均以该地址为例)

安装 Bind

# Install BIND (the "named" daemon) plus bind-utils, which provides the
# dig/host/nslookup client tools used for testing later.
yum -y install bind bind-utils

# Enable the unit at boot and, if that succeeded, start it right away.
# At this point named still runs with the stock config (listening on
# 127.0.0.1 only); it is restarted after the edits below.
systemctl enable named.service && systemctl start named.service

# Confirm the daemon came up; "named" and "named.service" name the same unit.
systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: <span style="color:green">active (running)</span> since 一 2020-03-30 09:47:49 CST; 4s ago
  Process: 11893 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 11890 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 11895 (named)
    Tasks: 7
   Memory: 57.3M
   CGroup: /system.slice/named.service
           └─11895 /usr/sbin/named -u named -c /etc/named.conf

3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:9f::42#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:500:9f::42#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:2d::d#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:500:2d::d#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:dc3::35#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './NS/IN': 2001:dc3::35#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:503:c27::2:30#53
3月 30 09:47:49 node12 named[11895]: address not available resolving './DNSKEY/IN': 2001:500:a8::e#53
3月 30 09:47:50 node12 named[11895]: resolver priming query complete
3月 30 09:47:50 node12 named[11895]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted

配置 Bind

修改 named.conf 配置文件,让内网中的其他主机也能访问 DNS 服务。注意:把 allow-query 设为 any 且开启 recursion,等于运行了一个开放递归解析器;如果这台机器能从外网访问到,会被用于 DNS 放大攻击。应把 allow-query / allow-recursion 限制为内网网段(参见配置文件中保留的英文注释)。

# Open the main BIND configuration; the edited options are listed below and
# are validated later with named-checkconf.
vim /etc/named.conf

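// Clients permitted to query this server and to use it as a recursive
// resolver. The write-up places the server at 192.168.2.11, so 192.168.2.0/24
// is assumed here -- TODO confirm and list every private subnet that should
// be served. Do not replace this with "any" on a host reachable from the
// Internet: an open recursive resolver gets abused for DNS amplification
// attacks (see the stock comment on recursion below).
acl "internal" {
        127.0.0.1;
        ::1;
        192.168.2.0/24;
};

options {
        # start
        # Changed from the stock 127.0.0.1: accept queries on every IPv4
        # interface so other hosts on the private network can reach the server.
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        # Changed from the stock "localhost": answer queries and recurse only
        # for the internal ACL defined above, instead of { any; }.
        allow-query     { internal; };
        allow-recursion { internal; };
        # No secondary servers exist, so refuse zone transfers. BIND 9.11 (the
        # CentOS 7 package) allows AXFR/IXFR from anyone unless this is set.
        allow-transfer  { none; };
        # end
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        # This host is authoritative for the internal zone s.com AND resolves
        # public names for LAN clients, so recursion stays on -- limited by the
        # ACL above.
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Trust anchors (managed-keys) used for DNSSEC validation. The "DLV"
           label in the stock comment is historical; the startup log shows the
           root key (id 20326) being accepted. */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints used for recursive resolution.
zone "." IN {
        type hint;
        file "named.ca";
};

// Stock local zones plus the custom s.com zone added in the next step.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";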

修改 named.rfc1912.zones 配置文件

添加要自定义的域名,这里我添加的是 s.com。注意:s.com 是公共顶级域 .com 下的名字,在内网接管它意味着该名字在公网上的真实记录(如果有)将无法从内网解析;更稳妥的做法是使用自己拥有的域名下的子域(例如 lan.example.com)作为内网域。

# Open the stock local-zones file (included from named.conf) to add the
# custom zone next to the RFC 1912 zones.
vim /etc/named.rfc1912.zones
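// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

# start
# Added here: the private zone served by this host. "file" is relative to the
# options "directory" (/var/named); the zone data is created in the next step.
zone "s.com" IN {
        type master;
        file "s.com.zone";
        # Match the stock zones below: no dynamic updates, and -- since there
        # are no secondary servers -- no zone transfers to anyone.
        allow-update { none; };
        allow-transfer { none; };
};
# end

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};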

添加自定义的域名解析文件

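# Use the stock localhost zone as a template for s.com. --preserve=all (what
# -a implies for a single file) keeps owner root:named and mode 0640, so the
# daemon, which runs as user "named", can read it. A file created from scratch
# would need "chown root:named" and "chmod 640" (plus "restorecon" on SELinux
# hosts), otherwise named logs a permission error at load time.
cp --preserve=all /var/named/named.localhost /var/named/s.com.zone
# List the directory explicitly: "ll" is only a shell alias for "ls -l" and
# shows whatever the current directory happens to be.
ls -l /var/named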
drwxrwx--- 2 named named   23 3月  30 09:47 data
drwxrwx--- 2 named named   60 3月  30 09:48 dynamic
-rw-r----- 1 root  named 2253 4月   5 2018 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
-rw-r----- 1 root  named  152 6月  21 2007 s.com.zone

配置 s.com.zone 文件

# Replace the copied localhost records with the s.com zone data shown below.
vim /var/named/s.com.zone
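$TTL 1D
; SOA: MNAME is the primary name server of the zone (dns.s.com.), RNAME is the
; contact mailbox with "@" written as ".", i.e. hostmaster@s.com. The original
; had the bare domain "s.com." in the RNAME field, which is not a mailbox.
@       IN SOA  dns.s.com. hostmaster.s.com. (
                                        2020033001 ; serial - YYYYMMDDnn; bump on every edit
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-caching TTL)
; Apex records: the authoritative server for the zone, and an address for
; "s.com" itself. Every name below points at the single host 192.168.2.11.
@               IN NS           dns
@               IN A            192.168.2.11
dns             IN A            192.168.2.11
; Service names; the Nginx reverse proxy on 192.168.2.11 routes them by Host.
docker          IN A            192.168.2.11
jenkins         IN A            192.168.2.11
test            IN A            192.168.2.11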

检查 named 配置文件是否有错误

# Syntax-check named.conf and the files it includes; no output means OK.
named-checkconf /etc/named.conf

检查自定义域名配置文件是否有错误

# Load the zone data the way named would; the trailing dot spells the zone
# origin out explicitly. Expect "loaded serial N" followed by OK.
named-checkzone s.com. /var/named/s.com.zone
zone s.com/IN: loaded serial 0
OK

重启 named 服务

# Apply the new options and zone. A restart also empties the resolver cache;
# "rndc reload" would keep it.
# NOTE(review): the write-up never touches the firewall. If firewalld is
# active on this host, clients also need
#   firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
systemctl restart named.service

在客户端的网络设置中把 192.168.2.11 添加为 DNS 服务器

image.png

ping 自定义域名 测试内网 dns 服务是否正常

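# Ask the new server directly first, so a failure is not masked by a hosts
# file entry or by another resolver the client is also configured with.
nslookup docker.s.com 192.168.2.11
# Then confirm the client's own resolver settings pick the new server up.
ping docker.s.com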

正在 Ping docker.s.com [192.168.2.11] 具有 32 字节的数据:
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.2.11 的回复: 字节=32 时间<1ms TTL=64

配置 nginx

安装 nginx

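# nginx lives in EPEL on CentOS 7, so enable that repository first; installed
# the other way round, "yum install nginx" reports that no package is
# available and has to be re-run.
yum install -y epel-release
yum install -y nginx

# Enable the unit at boot and start it now.
systemctl enable nginx && systemctl start nginx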

为自定义的二级域名 docker.s.com 配置 Nginx 反向代理

# One server block per virtual host; conf.d/*.conf is included by nginx.conf.
vim /etc/nginx/conf.d/docker.s.com.conf
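server {
    listen 80;
    server_name docker.s.com;

    # NOTE(review): this vhost speaks plain HTTP, so Portainer logins cross the
    # LAN unencrypted. Add a TLS listener (listen 443 ssl; ssl_certificate ...)
    # once an internal certificate is available.
    location / {

        proxy_read_timeout  90;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        # Appends the client address to any X-Forwarded-For the client itself
        # sent, so only the last entry can be trusted by the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend which scheme the client used. Needed when TLS is
        # terminated here and the backend is plain HTTP, otherwise apps such as
        # Jenkins report "It appears that your reverse proxy set up is broken".
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        # Upstream: Portainer on this same host, port 9000. Point this at any
        # reachable IP:port to front a different service.
        # NOTE(review): if Portainer's web console (WebSocket) does not work
        # through the proxy, add proxy_http_version 1.1 and forward the
        # Upgrade / Connection headers.
        proxy_pass http://192.168.2.11:9000;

        # Removed: "add_header backendIP $upstream_addr;" and
        # "add_header backendCode $upstream_status;" sent the internal upstream
        # address and status to every client. Re-add only while debugging.
    }

    # Per-vhost logs; the directory must exist before nginx -t / reload.
    error_log  /var/log/nginx/docker.s.com/error.log;
    access_log /var/log/nginx/docker.s.com/access.log;
}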
# nginx opens the log files itself, so the directory has to exist before
# "nginx -t" or the reload below, or both fail with "No such file or directory".
mkdir -p -- /var/log/nginx/docker.s.com

检查 nginx 配置文件是否有错误

# Validate the whole nginx configuration (default path given explicitly).
nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

重载 nginx 服务

# Either signal the running master process to re-read its configuration ...
nginx -s reload
# ... or let systemd restart the unit.
systemctl restart nginx.service

访问 docker.s.com 测试

image.png
image.png

Done

