The company currently runs a single set of F5 DNS resolvers. Management wants a second DNS setup as a cold standby, but buying another F5 DNS appliance is too expensive, so after some research the plan is to run BIND9 in a Docker container. The steps below are the consolidated procedure for BIND9 + Docker.
1. Build the bind9 image
First prepare two servers with working outbound Internet access, so that Docker can be downloaded and installed.
Docker requires a CentOS kernel newer than 3.10; check the running kernel with uname -r:
$ uname -r
Install the dependencies: yum-utils provides yum-config-manager, and the other two packages are needed by the devicemapper storage driver.
yum install -y yum-utils device-mapper-persistent-data lvm2
Set up the yum repositories.
Back up the existing repo file first:
cd /etc/yum.repos.d
cp CentOS-Base.repo CentOS-Base.repo.bak
# Replace it with the Aliyun mirror
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
Or add the Docker CE repository:
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Run yum makecache to build the cache.
Run yum update to update the system; this step is slow.
Then install Docker:
yum install -y docker
Note that yum install docker installs the Docker package shipped with CentOS. If you added the docker-ce repository above, install docker-ce instead (yum install -y docker-ce); the two packages cannot be mixed.
Start Docker:
service docker start   # or: systemctl start docker
Enable Docker at boot:
systemctl enable docker
Because the servers have public Internet access, pull the CentOS image directly:
docker pull centos
# Start a centos7 base container with systemd as PID 1; bind9 will be installed into it
docker run --name centos7 --privileged -ti -e "container=docker" -d -v /sys/fs/cgroup:/sys/fs/cgroup centos:7 /usr/sbin/init
--privileged together with the cgroup mount is what lets systemd run inside the container, but it also gives the container unrestricted access to the host kernel. Only root on the host should be able to reach the Docker socket of these servers; an image that runs named directly instead of under systemd would not need the flag at all.
IP plan
bind9 client: 172.18.0.2
bind9 server: 172.18.0.3
Create the private network on both hosts (the default driver is bridge):
docker network create --subnet=172.18.0.0/24 private
2. Container init script: update the container's CentOS packages and install bind. My machine needs a proxy to reach the Internet; adjust the proxy settings below to your own environment.
mkdir -p ~/deploy/bind9
cat > ~/deploy/bind9/init.sh <<EOF
#!/bin/bash
sed -i "/proxy=/d" /etc/yum.conf
echo "proxy=https://134.80.19.88:6001" >> /etc/yum.conf
rm -f /etc/yum.repos.d/*.repo
curl -x 134.80.19.88:6001 -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -x 134.80.19.88:6001 -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all; yum makecache fast
yum -y update
yum install -y bind which bind-utils
cp /etc/named.conf /etc/named.conf.old
cp /etc/sysconfig/named /etc/sysconfig/named.old
EOF
3. Copy the script into the container and run it to update the container's CentOS packages and install bind:
docker cp ~/deploy/bind9/init.sh centos7:/root/
docker exec -it centos7 sh -c "bash /root/init.sh"
4. Configure the DNS management tool rndc (/etc/rndc.conf)
# Generate the default rndc configuration (key, rndc server address, etc.). Run docker exec without -t when capturing output: a pseudo-terminal turns every newline into CRLF and the stray carriage returns would otherwise have to be stripped later. rndc-confgen -A hmac-sha256 generates a SHA-256 key instead of the default HMAC-MD5.
docker exec -i centos7 bash -c "rndc-confgen" > ~/deploy/bind9/init-rndc.cnf
# Move the rndc.key file out of the way; the key now lives in rndc.conf
docker exec -it centos7 bash -c "mv /etc/rndc.key /etc/rndc.key.nouse"
# Create the host directory that will be bind-mounted as the bind9 configuration
mkdir -p ~/deploy/bind9/conf
# Extract the rndc key and the options block into rndc.conf
cat ~/deploy/bind9/init-rndc.cnf | grep -Pzo '^key "rndc-key" {\s*\n *.*;\s*\n *.*;\s*\n};' > ~/deploy/bind9/conf/rndc.conf
echo >> ~/deploy/bind9/conf/rndc.conf
cat ~/deploy/bind9/init-rndc.cnf | grep -Pzo '^options {\s*\n *.*;\s*\n *.*;\s*\n *.*;\s*\n};' >> ~/deploy/bind9/conf/rndc.conf
# Point the default rndc server address at the bind9 server container
perl -p -i -e 's/default-server .*/default-server 172.18.0.3;/g' ~/deploy/bind9/conf/rndc.conf
rndc.conf now contains the shared secret: anyone who can read it and reach port 953 can reload, add or delete zones on the server, so keep the file at mode 600 on the host rather than world-readable.
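The two grep -Pzo commands above depend on the exact number of lines in each block of the rndc-confgen output, and they break again if the output was captured through a tty. The following is an added example, not code from the original article: it splits the same rndc-confgen output by its marker comments into the client's rndc.conf and the key/controls snippet for the server's named.conf, strips carriage returns, and restricts the control channel to the server's own bridge address plus the client. The sample output is constructed (the secret is made up) and the 172.18.0.x addresses are the article's.

```sh
#!/bin/sh
# Added example (not part of the original article): split rndc-confgen output
# into rndc.conf (client) and a key/controls snippet for named.conf (server).
# Blocks are located by their marker comments, not by fixed line counts, and
# CRs are removed so output captured through `docker exec -t` works as well.

# Constructed sample of rndc-confgen output (BIND 9.11 layout, made-up secret).
# A real capture: docker exec -i centos7 rndc-confgen -A hmac-sha256 > init-rndc.cnf
SAMPLE_CONFGEN='# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-sha256;
#     secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf'

# split_rndc_confgen INPUT OUTDIR SERVER_IP CLIENT_IP
#   writes OUTDIR/rndc.conf           (for the bind9 client container)
#   and    OUTDIR/named-controls.conf (to append to the server's named.conf)
split_rndc_confgen() {
    src=$1 out=$2 server=$3 client=$4
    mkdir -p "$out"
    # rndc.conf: the lines between the Start/End markers, pointed at the server
    tr -d '\r' < "$src" \
      | awk '/^# Start of rndc.conf/ {on=1; next} /^# End of rndc.conf/ {on=0} on {print}' \
      | sed "s/default-server .*/default-server $server;/" > "$out/rndc.conf"
    # named.conf snippet: the commented block with its "# " prefix removed.
    # The control channel listens on the server's bridge address only (not
    # 0.0.0.0) and admits the server itself plus the client, key required.
    tr -d '\r' < "$src" \
      | awk '/^# Use with the following in named.conf/ {on=1; next} /^# End of named.conf/ {on=0} on {sub(/^# ?/, ""); print}' \
      | sed -e "s/inet .* port 953/inet $server port 953/" \
            -e "s/allow { .* } keys/allow { $server; $client; } keys/" > "$out/named-controls.conf"
    # both files hold the shared secret: whoever can read them can drive rndc
    chmod 600 "$out/rndc.conf" "$out/named-controls.conf"
}

# rndc_secret FILE -> the base64 secret in FILE (to confirm both files agree)
rndc_secret() {
    sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1" | head -n 1
}

# Demo on the constructed sample, written with CRLF endings to show that a
# tty-captured file is handled too.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONFGEN" | awk '{printf "%s\r\n", $0}' > "$demo_dir/init-rndc.cnf"
split_rndc_confgen "$demo_dir/init-rndc.cnf" "$demo_dir/conf" 172.18.0.3 172.18.0.2
cat "$demo_dir/conf/rndc.conf" "$demo_dir/conf/named-controls.conf"
```

Use it in place of the grep/perl sequence: run split_rndc_confgen on ~/deploy/bind9/init-rndc.cnf with ~/deploy/bind9/conf as the output directory, mount rndc.conf into the client container as in step 10, and append named-controls.conf to named.conf in step 5 instead of named-parts.conf. With inet bound to 172.18.0.3, rndc from inside the server container must also target that address, which the default-server line already does.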
5. Configure /etc/named.conf
# Copy the original named.conf out of the container to the host and make it mode 644, so that it can be edited on the host without entering the container
docker cp centos7:/etc/named.conf ~/deploy/bind9/conf/named.conf
chmod 644 ~/deploy/bind9/conf/named.conf
# Find the line range of the named.conf snippet in the rndc-confgen output
start_line=`grep -n 'Use with the following in named.conf' ~/deploy/bind9/init-rndc.cnf | cut -d ':' -f 1`
start_line=`expr $start_line + 1`
end_line=`grep -n 'End of named.conf' ~/deploy/bind9/init-rndc.cnf | cut -d ':' -f 1`
end_line=`expr $end_line - 1`
# Extract that range, strip the leading comment markers and write it to a temporary file (the original used a relative path here, which only works from inside ~/deploy/bind9)
sed -n "$start_line,$end_line p" ~/deploy/bind9/init-rndc.cnf | sed 's/^# //g' > ~/deploy/bind9/named-parts.conf
# Make the rndc control channel listen on 0.0.0.0 inside the container (port 953 is not published by docker run in step 9, so only the host and the private bridge can reach it)
perl -p -i -e 's/inet .* port 953/inet 0.0.0.0 port 953/g' ~/deploy/bind9/named-parts.conf
# Restrict control-channel clients to localhost and the bind9 client container, and require the key
perl -p -i -e 's/allow.*;/allow { 127.0.0.1; 172.18.0.2; } keys { "rndc-key"; };/g' ~/deploy/bind9/named-parts.conf
# Append the edited named-parts.conf to named.conf
cat ~/deploy/bind9/named-parts.conf >> ~/deploy/bind9/conf/named.conf
# Change the named.conf listen address to any (note: any, not 0.0.0.0)
perl -p -i -e 's/listen-on port 53 { .*; };/listen-on port 53 { any; };/g' ~/deploy/bind9/conf/named.conf
# Allow queries from any client
perl -p -i -e 's/allow-query *{ .*; };/allow-query { any; };/g' ~/deploy/bind9/conf/named.conf
Caution: allow-query { any; } together with recursion (on by default in the stock named.conf) and the forwarders below makes this an open recursive resolver for every network that can reach port 53. On a host with a public address, restrict allow-query and allow-recursion to the internal ranges with an acl, or publish port 53 only on the internal interface in step 9.
# Disable DNSSEC, otherwise forwarding to the other resolver fails; answers from the forwarder are then accepted without validation
perl -p -i -e 's/dnssec-enable *.*;/dnssec-enable no;/g' ~/deploy/bind9/conf/named.conf
perl -p -i -e 's/dnssec-validation *.*;/dnssec-validation no;/g' ~/deploy/bind9/conf/named.conf
# Add allow-new-zones after the allow-query line (required for rndc addzone in step 10)
sed -i '/allow-new-zones/d' ~/deploy/bind9/conf/named.conf
sed -i '/allow-query *{ any; };/a\ allow-new-zones yes;' ~/deploy/bind9/conf/named.conf
# Configure filter-aaaa-on-v4
sed -i '/filter-aaaa-on-v4/d' ~/deploy/bind9/conf/named.conf
sed -i '/allow-new-zones *.*;/a\ filter-aaaa-on-v4 yes;' ~/deploy/bind9/conf/named.conf
# Forward everything this server is not authoritative for to the upstream resolver
sed -i '/forward/d' ~/deploy/bind9/conf/named.conf
sed -i '/filter-aaaa-on-v4 *.*;/a\ forward only;' ~/deploy/bind9/conf/named.conf
sed -i '/forward only;/a\ forwarders { 10.17.253.11; };' ~/deploy/bind9/conf/named.conf
# Remove all ^M (carriage return) characters, present if the rndc-confgen output was captured through a tty
perl -p -i -e 's/\r//g' ~/deploy/bind9/conf/named.conf
# Configure logging
# Remove the existing logging block first (not idempotent: this assumes the stock CentOS block, six lines plus the blank line after it, so do not run it twice)
start_line=`grep -n 'logging {' ~/deploy/bind9/conf/named.conf | cut -d ':' -f 1 | head -1`
end_line=`expr $start_line + 6`
sed -i "$start_line,$end_line d" ~/deploy/bind9/conf/named.conf
echo >> ~/deploy/bind9/conf/named.conf
cat >> ~/deploy/bind9/conf/named.conf <<!
logging {
channel bind.log {
file "/var/lib/bind/bind.log" versions 10 size 20m;
severity debug;
print-category yes;
print-severity yes;
print-time yes;
};
category queries { bind.log; };
category default { bind.log; };
category config { bind.log; };
};
!
# Create the log file on the host. named runs as the named user inside the container, so the file must be writable by that uid; mode 646 (world-writable) is the quick way, a chown to the named uid (shown by id named inside the container) with mode 644 is the cleaner one
mkdir -p ~/deploy/bind9/logs
touch ~/deploy/bind9/logs/bind.log
chmod 646 ~/deploy/bind9/logs/bind.log
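The edits above leave named.conf with allow-query { any; }, recursion on, forwarders set and no allow-transfer, which is the open-resolver posture warned about in the caution. The following is an added example, not code from the original article: a small audit over the options block that flags those settings, run against a constructed copy of the article's resulting configuration and against a restricted variant using an acl. The acl ranges (127.0.0.0/8, 172.18.0.0/24, 10.0.0.0/8) are assumptions for this environment and must be adjusted.

```sh
#!/bin/sh
# Added example (not from the original article): audit the options block of a
# named.conf for the settings that turn a forwarding server into an open
# resolver, and show the restricted variant. ACL ranges are assumptions.

# Constructed: the options block as it looks after step 5 of the article
WEAK_CONF='options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    allow-new-zones yes;
    filter-aaaa-on-v4 yes;
    forward only;
    forwarders { 10.17.253.11; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
zone "." IN { type hint; file "named.ca"; };'

# Constructed: the same server, answering and recursing only for internal ranges
HARDENED_CONF='acl "internal" { 127.0.0.0/8; 172.18.0.0/24; 10.0.0.0/8; };
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };
    allow-new-zones yes;
    filter-aaaa-on-v4 yes;
    forward only;
    forwarders { 10.17.253.11; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
zone "." IN { type hint; file "named.ca"; };'

# named_options FILE -> only the options { ... }; block
named_options() {
    awk '/^options[[:space:]]*[{]/ {on=1} on {print} on && /^[}];/ {exit}' "$1"
}

# audit_named_conf FILE -> prints findings; exit status = number of WEAK findings
audit_named_conf() {
    opts=$(named_options "$1")
    weak=0
    has() { printf '%s\n' "$opts" | grep -Eq "$1"; }
    if has 'allow-query[[:space:]]*\{[[:space:]]*any;' && ! has 'recursion[[:space:]]+no;' && ! has 'allow-recursion'; then
        echo "WEAK: allow-query { any; } with recursion on and no allow-recursion: open resolver for every network that can reach port 53"
        weak=$((weak + 1))
    fi
    if ! has 'allow-transfer'; then
        echo "WEAK: allow-transfer not set; BIND 9.11 then allows zone transfers to any client"
        weak=$((weak + 1))
    fi
    if has 'dnssec-validation[[:space:]]+no;'; then
        echo "INFO: dnssec-validation no: answers from the forwarder are accepted unverified"
    fi
    if has 'listen-on[[:space:]]+port[[:space:]]+53[[:space:]]*\{[[:space:]]*any;'; then
        echo "INFO: listen-on any: publish port 53 only on the intended host interface (docker run -p <ip>:53:53)"
    fi
    return $weak
}

# Demo on the two constructed configurations
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$demo_dir/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$demo_dir/hardened.conf"
echo "== weak ==";     audit_named_conf "$demo_dir/weak.conf" || echo "($? weak findings)"
echo "== hardened =="; audit_named_conf "$demo_dir/hardened.conf" || echo "($? weak findings)"
```

Run audit_named_conf against ~/deploy/bind9/conf/named.conf before committing the image in step 8; a non-zero exit status means the server would answer or transfer to anyone who can reach it. The hardened block keeps the article's forwarding and DNSSEC choices unchanged and only narrows who may ask.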
6. Configure /etc/sysconfig/named
# Copy the original named sysconfig file from the container to the host
docker cp centos7:/etc/sysconfig/named ~/deploy/bind9/conf/named
# Set OPTIONS so that named listens on IPv4 only
sed -i '/^OPTIONS=/d' ~/deploy/bind9/conf/named
echo 'OPTIONS="-4"' >> ~/deploy/bind9/conf/named
7. Copy the zone directory from the container to the host; domains are served by placing their zone files here
docker cp centos7:/var/named ~/deploy/bind9/zone
# 647 leaves the zone directory world-writable on the host. It is a shortcut so that the named user inside the container can read the files and write its journals; a chown -R to the named uid with 755 directories and 644 files achieves the same without letting every local user edit the zone data
chmod -R 647 ~/deploy/bind9/zone
8. Commit the bind container
# Remove an existing image of the same name, if any (the || true keeps a script going on the first run, when there is none)
docker rmi bind:9.11 2>/dev/null || true
# Commit the container as the bind9 base image
docker commit centos7 bind:9.11
# Destroy the centos7 container
docker kill centos7; docker rm centos7
9. Start the bind9 server container
# Create the bind9 server container with a fixed IP on the private network. The original published only 53/udp; 53/tcp is added so that truncated answers and zone transfers work. To keep the resolver off the public interface, bind the port to an internal address instead (-p <internal-ip>:53:53/udp, and the same for tcp). The -v paths assume the earlier steps were run as root, so ~ is /root
docker run --name bind9-srv --net private --ip 172.18.0.3 -p 53:53/udp -p 53:53/tcp --privileged -ti -e "container=docker" -d -v /sys/fs/cgroup:/sys/fs/cgroup -v /root/deploy/bind9/conf/named.conf:/etc/named.conf -v /root/deploy/bind9/conf/rndc.conf:/etc/rndc.conf -v /root/deploy/bind9/conf/named:/etc/sysconfig/named -v /root/deploy/bind9/zone:/var/named -v /root/deploy/bind9/logs/bind.log:/var/lib/bind/bind.log bind:9.11 /usr/sbin/init
# Enable and start named in the server container, then check its status
docker exec -it bind9-srv sh -c "systemctl enable named --now"
docker exec -it bind9-srv sh -c "systemctl status named -l"
10. Start the bind9 client container
# Create the bind9 client container with a fixed IP on the private network
docker run --name bind9-clnt --net private --ip 172.18.0.2 --privileged -ti -e "container=docker" -d -v /sys/fs/cgroup:/sys/fs/cgroup -v /root/deploy/bind9/conf/rndc.conf:/etc/rndc.conf bind:9.11 /usr/sbin/init
# Test the rndc connection to confirm that the private network and the key work
docker exec -it bind9-clnt sh -c "rndc -c /etc/rndc.conf -s 172.18.0.3 -p 953 status"
# Test: create a zone file for a domain, then check that it resolves
cat > ~/deploy/bind9/zone/sword.cn.zone <<!
\$TTL 86400
@   IN SOA 123.sword.cn. root.sword.cn. (
        2015042313;Serial
        3H;Refresh
        15M;Retry
        1W;Expire
        1D;Minimum
        );
@   IN NS 123.sword.cn.
123 IN A  192.168.1.9
456 IN A  192.168.1.10
789 IN A  192.168.1.11
!
Make the zone file readable, otherwise named cannot load it (read access for the named user is all that is needed, so 644 works as well). The NS record above is written with the explicit @ owner; a line that starts in column 1 with IN would be read as a record for a host named IN:
chmod 755 ~/deploy/bind9/zone/sword.cn.zone
Add the zone to the server through rndc. This is what allow-new-zones yes in step 5 is for; the file name is relative to /var/named:
docker exec -it bind9-clnt sh -c "rndc -s 172.18.0.3 -p 953 addzone sword.cn '{ type master; file \"sword.cn.zone\"; };'"
# Test that the newly added zone resolves
docker exec -it bind9-clnt sh -c "nslookup 123.sword.cn 172.18.0.3"
# Test that a name outside the local zones is resolved through the forwarder
docker exec -it bind9-clnt sh -c "nslookup bass.sdboss.com 172.18.0.3"
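rndc addzone loads whatever is in the file, and a zone whose serial never moves is never picked up by a secondary. The following is an added example, not code from the original article: it checks a zone file for the records it must have, bumps the SOA serial in the YYYYMMDDnn style the article's serial already uses, and wraps the validate-then-addzone sequence. The sample zone is a constructed copy of the sword.cn data above; the container names and the 172.18.0.3 address are the article's, and publish_zone is only meaningful with those containers running.

```sh
#!/bin/sh
# Added example (not part of the original article): check a zone file and bump
# its SOA serial before handing it to `rndc addzone`. The YYYYMMDDnn serial
# scheme and the container names are assumptions taken from the article.

# Constructed sample, same data as the article's sword.cn zone
SAMPLE_ZONE='$TTL 86400
@   IN SOA 123.sword.cn. root.sword.cn. (
        2015042313;Serial
        3H;Refresh
        15M;Retry
        1W;Expire
        1D;Minimum
        );
@   IN NS 123.sword.cn.
123 IN A  192.168.1.9
456 IN A  192.168.1.10
789 IN A  192.168.1.11'

# soa_serial FILE -> the serial of the SOA record (comments and parentheses ignored)
soa_serial() {
    sed 's/;.*//' "$1" \
      | awk '/[[:space:]]SOA[[:space:]]/ {on=1} on {printf "%s ", $0} on && /\)/ {exit}' \
      | tr -d '()' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# next_serial CURRENT YYYYMMDD -> a serial that is larger than CURRENT
next_serial() {
    cur=$1 today=$2
    case "$cur" in
        "$today"[0-9][0-9])
            nn=${cur#"$today"}; nn=${nn#0}; [ -n "$nn" ] || nn=0
            if [ "$nn" -lt 99 ]; then printf '%s%02d\n' "$today" $((nn + 1)); return 0; fi ;;
    esac
    # different day, or slot 99 used up: a serial only has to keep increasing
    if [ "${today}00" -gt "$cur" ]; then printf '%s00\n' "$today"; else printf '%s\n' $((cur + 1)); fi
}

# bump_serial FILE YYYYMMDD -> rewrite the serial in place (first whole-number match only)
bump_serial() {
    old=$(soa_serial "$1"); new=$(next_serial "$old" "$2")
    awk -v o="$old" -v n="$new" '
        !done && match($0, "(^|[^0-9])" o "([^0-9]|$)") {
            s = RSTART; e = RSTART + RLENGTH - 1
            if (substr($0, s, 1) !~ /[0-9]/) s++
            if (substr($0, e, 1) !~ /[0-9]/) e--
            $0 = substr($0, 1, s - 1) n substr($0, e + 1); done = 1
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# zone_sanity FILE -> 0 if the file has an SOA, an NS and a YYYYMMDDnn serial
zone_sanity() {
    ok=0
    grep -Eq '[[:space:]]SOA[[:space:]]' "$1"    || { echo "no SOA record"; ok=1; }
    grep -Eq '(^|[[:space:]])NS[[:space:]]' "$1" || { echo "no NS record"; ok=1; }
    case "$(soa_serial "$1")" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial is not YYYYMMDDnn"; ok=1 ;;
    esac
    return $ok
}

# publish_zone ZONE FILE: validate inside the server container, add the zone
# through rndc from the client container, then query it. Needs the containers
# from steps 9 and 10; not executed by the demo below.
publish_zone() {
    docker exec bind9-srv named-checkzone "$1" "/var/named/$2" || return 1
    docker exec bind9-clnt rndc -s 172.18.0.3 -p 953 addzone "$1" "{ type master; file \"$2\"; };"
    docker exec bind9-clnt dig +short @172.18.0.3 "123.$1"
}

# Demo on the constructed zone
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_ZONE" > "$demo_dir/sword.cn.zone"
zone_sanity "$demo_dir/sword.cn.zone" && bump_serial "$demo_dir/sword.cn.zone" "$(date +%Y%m%d)"
grep -n 'Serial' "$demo_dir/sword.cn.zone"
```

For the article's setup the sequence is zone_sanity and bump_serial on ~/deploy/bind9/zone/sword.cn.zone, then publish_zone sword.cn sword.cn.zone; named-checkzone runs where the file is actually mounted, so a syntax error is reported before the zone is added, and a later edit followed by rndc reload sword.cn only reaches secondaries once the serial has moved.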
That completes the procedure for DNS resolution with bind9 in a Docker container.