配置DNS服务器

oVirt虚拟化平台对DNS的可靠性要求比较高,DNS服务如果无法正常提供解析,将造成整个虚拟化平台宕机;

oVirt官方不推荐只在虚拟化平台上运行DNS服务,以免虚拟机宕机造成整个平台宕机,所以这里采用一台实体物理机运行主DNS服务(10.0.0.40),另外两台从服务器运行在虚拟化平台上,以低成本解决单点故障问题.

服务器:

  1. 主服务器: 10.0.0.40
  2. 从服务器1: 10.0.0.41
  3. 从服务器2: 10.0.0.42

其中主服务器部署在一台实体物理机上,其它两台是在oVirt平台上启动的虚拟机.

在所有服务器上执行安装:

# Run on all three servers; bind-utils supplies dig/nslookup used in the verification section below.
[root@dns00 ~]# yum install -y bind bind-utils
[root@dns01 ~]# yum install -y bind bind-utils
[root@dns02 ~]# yum install -y bind bind-utils

配置如下:

# Primary (dns00, 10.0.0.40): authoritative for talen.iot and its reverse zone, recursive for local clients.
[root@dns00 ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

// Secondaries permitted to pull zone transfers (referenced by allow-transfer
// below and by the talen.iot zones in named.rfc1912.zones).
acl iot-slaves {
10.0.0.41;
10.0.0.42;
};

// NOTE(review): this ACL is not referenced anywhere in this file. The
// allow-query / allow-recursion lists below use BIND's built-in "localnets"
// ACL (the networks of the server's own interfaces), not localnet253.
acl localnet253 {
10.0.0.0/25;
};

options {
// Listen on every interface (v4 and v6); who may ask is governed by
// allow-query / allow-recursion below, not by the listen address.
listen-on port 53 { any;};
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";

// 10.0.0.20 is the oVirt engine (engine.talen.iot in the zone file below).
allow-query { localnets;10.0.0.20; };

// Recursion only for the local networks, so the server is not an open
// resolver (see the warning block below).
recursion yes;
allow-recursion { localnets; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/

// Everything this server is not authoritative for goes to these resolvers.
// With "forward only" named does not fall back to iterative resolution from
// the root hints (zone "." below) when none of the forwarders answers.
forward only;
forwarders {
119.29.29.29;
223.5.5.5;
223.6.6.6;
8.8.8.8;
};
// Zone transfers (AXFR/IXFR) are limited to the secondaries by source address.
// NOTE(review): a source-IP ACL is the minimum; a TSIG key shared with the
// secondaries would additionally authenticate transfers and NOTIFY messages.
allow-transfer {
iot-slaves;
};

// Validation switched off as the workaround for the first troubleshooting
// case at the end of the page (the forwarders' answers failed RRSIG/DS
// validation). NOTE(review): with validation off, answers relayed from the
// forwarders are accepted unverified; the alternative is to keep validation
// enabled and use forwarders that return DNSSEC data.
dnssec-enable no;
dnssec-validation no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run" versions 30 size 10240k;
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
};

// Root hints; not consulted for recursion while "forward only" is in effect.
zone "." IN {
type hint;
file "named.ca";
};

// The talen.iot forward zone and the 253.34.10.in-addr.arpa reverse zone are
// declared in named.rfc1912.zones (listed next).
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# Zone declarations on the primary; the stock localhost/loopback zones are unchanged,
# the two talen.iot zones were appended at the bottom.
[root@dns00 ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

// Authoritative forward zone. Dynamic updates are rejected; transfers go only
// to the iot-slaves ACL defined in named.conf.
zone "talen.iot" IN {
type master;
file "named.talen.iot";
allow-update { none; };
allow-transfer { iot-slaves; };
};

// NOTE(review): this zone name covers 10.34.253.0/24, but the forward zone
// and the data file (named.10.0.0) hold 10.0.0.x addresses; one of the two
// looks like an inconsistent transcription (the nslookup at the end of the
// page shows a resolver at 10.34.253.40). Confirm the zone name matches the
// real subnet, otherwise reverse lookups for these hosts are not served here.
zone "253.34.10.in-addr.arpa" IN {
type master;
file "named.10.0.0";
allow-update { none; };
allow-transfer { iot-slaves; };
};

注意zone文件中一定要将所有NS服务器列举出来,因为named默认只向zone中NS记录所列的服务器发送notify,否则从服务器无法收到主服务器的notify.

# Forward zone data for talen.iot (primary copy; the secondaries receive it by transfer).
[root@dns00 ~]# cat /var/named/named.talen.iot
; Default TTL for records that do not carry their own (3 hours).
$TTL 3H
; SOA: MNAME is "@" (the apex, talen.iot.) rather than a nameserver host name;
; RNAME haotianfei.talen.com. is the contact mailbox (first dot read as "@").
; The serial must be raised on every edit, or the secondaries will not transfer the change.
@ IN SOA @ haotianfei.talen.com. (
2019020300 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
; All three nameservers are listed: by default named sends NOTIFY to the hosts
; in the zone's NS records, so a missing entry means that secondary never
; learns about updates (see the note above this listing).
NS ns.talen.iot.
NS ns1.talen.iot.
NS ns2.talen.iot.
; NOTE(review): an NS record at "storage" delegates storage.talen.iot to ns; the
; "storage IN A 10.0.0.20" record at the bottom then sits at a delegation point
; and is likely treated as glue rather than answered authoritatively from this
; zone. If storage is meant to be an ordinary host, this NS line should go.
storage NS ns.talen.iot.
; server and ns both resolve to the primary; ns1/ns2 are the secondaries.
server IN A 10.0.0.40
ns IN A 10.0.0.40
ns1 IN A 10.0.0.41
ns2 IN A 10.0.0.42
; engine is the oVirt engine (also listed explicitly in allow-query in named.conf).
engine IN A 10.0.0.20
vnode00 IN A 10.0.0.30
vnode01 IN A 10.0.0.31
vnode02 IN A 10.0.0.32
; Same address as engine; see the NS note above about the "storage" name.
storage IN A 10.0.0.20
# Reverse zone data file (named.10.0.0), loaded for zone 253.34.10.in-addr.arpa.
[root@dns00 ~]# cat /var/named/named.10.0.0
$TTL 3H
; NOTE(review): "ns.talen.iot" has no trailing dot, so it is relative to the
; zone origin and expands to ns.talen.iot.253.34.10.in-addr.arpa. — it should
; read "ns.talen.iot." (the forward zone avoids this by using "@").
@ IN SOA ns.talen.iot haotianfei.talen.com. (
2019012700 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.talen.iot.
NS ns1.talen.iot.
NS ns2.talen.iot.
; NOTE(review): the last octets below match the 10.0.0.x hosts of the forward
; zone, but this file is served as 253.34.10.in-addr.arpa (10.34.253.0/24);
; one of the two looks like a transcription mismatch (the nslookup at the end
; of the page shows a resolver at 10.34.253.40). There are also no PTRs for
; .41/.42 (ns1/ns2 in the forward zone).
; Two PTRs at .40 are legal; a reverse lookup of that address returns both names.
40 IN PTR ns.talen.iot.
40 IN PTR server.talen.iot.
20 IN PTR engine.talen.iot.
30 IN PTR vnode00.talen.iot.
31 IN PTR vnode01.talen.iot.
32 IN PTR vnode02.talen.iot.
; Redundant: identical to the .20 record above.
20 IN PTR engine.talen.iot.

配置两个从节点,两者配置基本一致;zone数据由主节点同步过来,无需在从节点上维护:

# Secondary (dns01, 10.0.0.41); dns02 is configured the same way.
[root@dns01 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

// NOTE(review): "trusted" is not referenced anywhere in this file; allow-query
// below lists 10.0.0.20 directly instead.
acl "trusted" {
10.0.0.20;
};

options {
// Listen everywhere; access is controlled by allow-query / allow-recursion below.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";

// NOTE(review): the "masterfile-format text;" option described in the second
// troubleshooting case at the end of the page is not present in this listing;
// it belongs inside this options block if the secondaries should keep their
// zone files as text.
// 10.0.0.20 is the oVirt engine; "localnets" is BIND's built-in ACL.
allow-query { localnets;10.0.0.20; };
recursion yes;
allow-recursion { localnets; };

// Same forwarders as the primary; "forward only" means no fallback to the
// root hints when the forwarders fail.
forward only;
forwarders {
119.29.29.29;
223.5.5.5;
223.6.6.6;
8.8.8.8;
};
// The secondaries serve no transfers to anyone; zone data is only readable by query.
allow-transfer {
none;
};

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/

// Disabled for the same reason as on the primary (forwarder answers failed
// RRSIG/DS validation, see the first troubleshooting case). NOTE(review):
// forwarded answers are accepted unverified while validation is off.
dnssec-enable no;
dnssec-validation no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run" versions 30 size 10240k;
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
};

zone "." IN {
type hint;
file "named.ca";
};

// The talen.iot secondary zones are declared in named.rfc1912.zones (listed next).
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";




# Zone declarations on the secondary; the two talen.iot zones are slaves of 10.0.0.40.
[root@dns01 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

// Secondary copy pulled from the primary, which authorizes the transfer by
// source address (its iot-slaves ACL). NOTE(review): transfers and NOTIFYs
// from 10.0.0.40 are trusted on IP alone; a TSIG key would authenticate them.
// NOTE(review): the zone-level allow-query overrides the global one in
// named.conf and omits 10.0.0.20, so the engine can query this zone only if
// it falls within "localnets".
zone "talen.iot" IN {
type slave;
file "named.talen.iot";
masters {10.0.0.40;};
allow-query { localnets; };
zone-statistics yes;
};

// Same remarks as for talen.iot above. NOTE(review): the zone name covers
// 10.34.253.0/24 while the data file holds 10.0.0.x hosts — confirm which
// subnet is real (see the primary's zone listing).
zone "253.34.10.in-addr.arpa" IN {
type slave;
file "named.10.0.0";
masters {10.0.0.40;};
allow-query { localnets; };
zone-statistics yes;
};

验证:

# External name: answered through the forwarders (flags "rd ra", no "aa"), so
# forwarding and recursion from a localnets client work.
[root@dns00 ~]# dig www.sina.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.sina.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20729
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sina.com. IN A

;; ANSWER SECTION:
www.sina.com. 24 IN CNAME us.sina.com.cn.
us.sina.com.cn. 15 IN CNAME spool.grid.sinaedge.com.
spool.grid.sinaedge.com. 28 IN A 202.102.94.124

;; Query time: 8 msec
;; SERVER: 10.0.0.40#53(10.0.0.40)
;; WHEN: Sun Jan 27 17:38:06 CST 2019
;; MSG SIZE rcvd: 119


# Local zone: authoritative answer ("aa" flag). AUTHORITY lists only
# ns.talen.iot. although the zone file above has three NS records; this
# capture (2019-01-27) presumably predates that zone version (serial
# 2019020300), so re-run it to confirm all three NS are returned.
[root@dns00 ~]# dig engine.talen.iot

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> engine.talen.iot
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63533
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;engine.talen.iot. IN A

;; ANSWER SECTION:
engine.talen.iot. 10800 IN A 10.0.0.20

;; AUTHORITY SECTION:
talen.iot. 10800 IN NS ns.talen.iot.

;; ADDITIONAL SECTION:
ns.talen.iot. 10800 IN A 10.0.0.40

;; Query time: 1 msec
;; SERVER: 10.0.0.40#53(10.0.0.40)
;; WHEN: Sun Jan 27 17:39:03 CST 2019
;; MSG SIZE rcvd: 93

故障现象一

  • bind可以解析自管理的域名,但无法解析外部域名.
  • 日志中报错:
Jan 27 17:22:31 server.talen.iot named[7460]: no valid RRSIG resolving 'net/DS/IN': 223.6.6.6#53
Jan 27 17:22:31 server.talen.iot named[7460]: no valid RRSIG resolving 'net/DS/IN': 223.5.5.5#53
Jan 27 17:22:41 server.talen.iot named[7460]: no valid DS resolving 'l.root-servers.net/AAAA/IN': 223.6.6.6#53
Jan 27 17:22:41 server.talen.iot named[7460]: no valid DS resolving 'l.root-servers.net/A/IN': 223.6.6.6#53

解决方法:

  • 关闭DNSSEC

故障现象二

  • 主服务器的zone文件是text格式,而从服务器上同步过来的zone文件却显示为data(非文本)格式
# The transferred copy on the secondary is not text: presumably BIND's raw
# binary zone-file format, which this version uses for slave zones unless
# masterfile-format is set (see the fix below).
[root@dns00 ~]# file /var/named/named.talen.iot 
/var/named/named.talen.iot: ASCII text
[root@dns01 ~]# file /var/named/named.talen.iot
/var/named/named.talen.iot: data

解决方法:
在从服务器/etc/named.conf的options段中添加 masterfile-format text; 并重新加载named,让zone重新传输一次.

# After setting masterfile-format text the secondary's copy is readable text again.
[root@dns01 ~]# file /var/named/named.talen.iot 
/var/named/named.talen.iot: ASCII text

故障现象三

# Short-name lookup fails: the host's FQDN is misspelled (talne.iot instead of
# talen.iot), so the search domain appended to "salt" does not exist in the zone.
# Note the resolver here is 10.34.253.40, not the 10.0.0.40 used elsewhere on
# this page — see the reverse-zone remarks above.
[root@saltstack bind]# nslookup salt      
Server: 10.34.253.40
Address: 10.34.253.40#53

** server can't find salt: NXDOMAIN

[root@saltstack bind]# vi /etc/resolv.conf
[root@saltstack bind]# hostname
saltstack.talne.iot

解决方法:
hostname中的域名拼写错误(talne.iot,应为talen.iot),只用主机名查询时补全出来的域名在zone里不存在,所以找不到记录.

# Fix the typo (talne -> talen) so short-name lookups append the domain the zone actually serves.
[root@saltstack bind]# hostnamectl set-hostname saltstack.talen.iot