All servers in this deployment are virtual machines running CentOS 7.3.
Server name | IP address |
---|---|
DNS clients | all private addresses |
DNS-BIND-1 | 10.20.121.179 |
DNS-BIND-2 | 10.20.121.184 |
DNS-VIP | 10.20.120.150 |
DNS-LVS-master | 10.20.121.187 |
DNS-LVS-backup | 10.20.121.157 |
The LVS here runs in DR (direct routing) mode with round-robin (RR) scheduling: when a client sends a DNS query to the VIP, the LVS director hands it to each DNS server in turn, and the chosen server resolves the query and answers the client directly, without the reply passing back through the director.
In LVS TUN mode a tunnel has to be set up between the director and each real server, which adds load on the servers. DR mode, also called direct routing mode (its architecture is shown in Figure 4), resembles TUN mode in that the director only handles inbound requests and picks a real server according to the scheduling algorithm; the real server itself sends the response back to the client. Unlike tunnel mode, DR mode requires the director and the real servers to sit on the same LAN, and the VIP must be shared between the director and every real server: when a real server answers a client it sets the source IP to the VIP and the destination IP to the client's address, so the client, which sent its request to the director's VIP, sees a reply coming from that same VIP (the copy of the VIP on the real server) and never learns that backend servers exist.

Because several machines carry the same VIP, DR mode requires that only the director's VIP is visible to the network: clients send their requests to the director host, and the VIP on every real server must be configured on a non-ARP device, one that does not announce its MAC address and the associated IP to the LAN. The real servers' copies of the VIP are invisible to the outside, yet the real servers still accept packets addressed to the VIP and use it as the source address of their replies. After the director has chosen a real server, it leaves the IP packet untouched and rewrites only the destination MAC of the frame to that real server's MAC address, then forwards the frame through the switch. Throughout the whole exchange the real servers' VIP never needs to be visible externally.
Round-robin (RR) scheduling hands requests to the servers one after another, cycling through the list; its main virtue is simplicity. It assumes every server has the same capacity, so the director spreads requests evenly across the real servers.
Copyright notice: the text above is an original article by CSDN blogger 「chenhuyang」, licensed under CC 4.0 BY-SA; reposts must include the original link and this notice.
Original link: https://blog.csdn.net/weixin_40470303/java/article/details/80541639
Building the DNS cluster
Install ntpdate on every server and keep their clocks in sync. This matters for more than log correlation: the TSIG-signed zone transfers configured later are rejected when the clocks of primary and secondary differ by more than BIND's 300-second fudge.
yum -y install ntpdate
echo "" >> /var/spool/cron/root   # make sure root has a crontab file, otherwise "crontab -l" below fails and the chain stops
crontab -l > crontabtmp && echo "0 * * * * ntpdate cn.ntp.org.cn" >> crontabtmp && crontab crontabtmp && rm -f crontabtmp   # hourly step sync
Installing BIND
Install bind-chroot with yum; as the name says, it runs named inside a chroot (/var/named/chroot), which limits what a compromised named process can reach. The package bind-mounts /etc/named.conf, /var/named and the run directories into the chroot, so the paths in named.conf are written exactly as they would be without a chroot.
yum -y install bind-chroot bind-utils net-tools initscripts
systemctl enable named-chroot
bind-utils is the set of DNS tools shipped with BIND, mainly dig, host, nslookup and nsupdate, used for resolving names and debugging DNS.
Editing the configuration file
This begins the primary DNS configuration. Below is named.conf (default path /etc/named.conf). Both allow-query and allow-recursion are limited to the trusted ACL, so the server is not an open resolver for the outside world; recursive queries for names outside its own zones are handed to the listed forwarders.
acl trusted {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
options {
listen-on port 53 { 10.20.121.179;10.20.120.150; }; // own address plus the VIP, which the lvsrs script below binds to lo:0 on every real server
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { trusted; }; // only RFC 1918 clients may query at all
allow-recursion { trusted; }; // and only they get recursion, so this is not an open resolver
forward first;
forwarders {
218.1.1.1;
218.2.2.2;
114.114.114.114;
223.5.5.5;
223.6.6.6;
8.8.8.8;
};
recursion yes;
dnssec-enable no;
dnssec-validation no; // answers from the forwarders are not DNSSEC-validated; set to auto if they should be
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "test.cn" IN {
type master;
file "/etc/named/test.cn.zone";
allow-update { none; };
allow-transfer { 10.20.121.184; }; // only the secondary may AXFR the zone; everyone else gets REFUSED
notify yes; // send NOTIFY to the zone's NS records whenever the serial changes
};
zone "test-fw.cn" IN {
type forward;
forwarders { 10.20.120.34; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Configuring the zone data file
cat /etc/named/test.cn.zone
$TTL 1D
@ IN SOA dns1.test.cn. admin.test.cn. (
2020070316 ; serial: bump it on every change so it stays above the secondary's copy; it is a 32-bit value, so use YYYYMMDDnn (a 12-digit value such as 202007031649 exceeds 4294967295 and named refuses to load the zone)
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.test.cn.
@ IN NS dns2.test.cn.
dns1 IN A 10.20.121.179
dns2 IN A 10.20.121.184
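The serial comment above says it must be increased on every change and stay above the secondary's copy; it must also fit in 32 bits, which a 12-digit timestamp does not. The script below is an added example, not part of the original article: it rewrites the serial of a zone file in the usual YYYYMMDDnn form (incrementing the counter when the file was already changed today), refuses a current value that does not fit in 32 bits or that a date-based value could not exceed, and optionally validates the result with named-checkzone. The explicit date argument and the zone-name argument are conveniences of this example; the sample zone in the test is constructed from the file above.

```shell
#!/bin/sh
# bump_serial.sh: rewrite the SOA serial of a BIND zone file as YYYYMMDDnn.
# Added example. It expects the multi-line SOA layout used in test.cn.zone,
# where the serial is the first bare number on a line after "SOA".

# next_serial CURRENT TODAY -> prints the serial to use (TODAY is YYYYMMDD)
next_serial() {
    cur=$1
    base="${2}00"
    case $cur in
        ''|*[!0-9]*) echo "current serial '$cur' is not a number" >&2; return 1 ;;
    esac
    if [ "$cur" -gt 4294967295 ]; then
        echo "current serial $cur exceeds 32 bits; named refuses to load such a zone" >&2
        return 1
    fi
    if [ "$cur" -ge "$base" ] && [ "$cur" -lt $((base + 100)) ]; then
        new=$((cur + 1))        # already bumped today: increment the counter
    else
        new=$base               # first change today
    fi
    if [ "$new" -le "$cur" ]; then
        # a serial from a future date: it needs a deliberate RFC 1982 wrap-around,
        # not a blind overwrite that the secondary would ignore as "older"
        echo "serial $new would not be greater than the current $cur" >&2
        return 1
    fi
    echo "$new"
}

# current_serial FILE -> prints the serial found in FILE
current_serial() {
    awk '/SOA/ { seen = 1; next } seen && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# bump_serial FILE [TODAY] [ZONE] -> rewrites FILE in place and prints the new serial;
# when ZONE is given and named-checkzone is installed, the result is validated
bump_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    zone=$3
    cur=$(current_serial "$file")
    [ -n "$cur" ] || { echo "no serial found in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    tmp=$(mktemp) || return 1
    # rewrite only the first line whose first token is the old serial, then copy the
    # content back with cat so the file keeps its owner and mode (named:named)
    awk -v cur="$cur" -v new="$new" \
        '!done && $1 == cur { sub(/^[0-9]+/, new); done = 1 } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
    if [ -n "$zone" ] && command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$file" >/dev/null || return 1
    fi
    echo "$new"
}

if [ $# -gt 0 ]; then
    bump_serial "$@"
    exit $?
fi
```

Run it as `sh bump_serial.sh /etc/named/test.cn.zone "" test.cn` after editing the records, then `rndc reload test.cn`; the secondary picks the change up through NOTIFY because notify yes is set on the zone.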
Setting up the secondary DNS server
The secondary is installed exactly like the primary; only named.conf differs, and no zone data file has to be written because the secondary fetches the zone from the primary by zone transfer. Change listen-on to the secondary's own address (10.20.121.184) plus the VIP, and replace the test.cn zone stanza with:
zone "test.cn" IN {
type slave; # the only type change needed on the secondary
masters { 10.20.121.179; }; # the primary it transfers from
file "slaves/test.cn.zone"; # relative to directory /var/named; /var/named/slaves is writable by named
allow-transfer{ none; }; # do not let anyone pull the zone from the secondary
};
LVS + keepalived
Load the ip_vs kernel module
modprobe ip_vs
Install ntpdate, ipvsadm and the build toolchain
yum -y install ntpdate ipvsadm wget gcc gcc-c++ make popt-devel kernel-devel openssl-devel libnl3-devel
Install keepalived
curl -O https://www.keepalived.org/software/keepalived-2.1.3.tar.gz
tar -zxf keepalived-2.1.3.tar.gz
cd keepalived-2.1.3
./configure
make && make install
Set keepalived to start at boot
cp keepalived/etc/init.d/keepalived /etc/init.d/ # the init script is generated in the source tree by configure
cp keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived
cp bin/* /usr/bin/
systemctl enable keepalived
Copy the configuration file to the default directory: configure was run with its defaults above, so the sample config was installed under /usr/local/etc/keepalived/, while keepalived looks for it in /etc/keepalived/.
mkdir /etc/keepalived/
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
Edit the configuration file. The vrrp_instance floats the VIP between the two directors; the virtual_server block is the IPVS service keepalived maintains (check it with ipvsadm -Ln once keepalived is running).
! Configuration File for keepalived
global_defs {
router_id LVS_DR01
vrrp_skip_check_adv_addr
# vrrp_strict is left out on purpose: strict mode disables accept mode for the VIP,
# so keepalived adds iptables rules that drop packets addressed to 10.20.120.150
# before IPVS sees them, and it does not permit the authentication block below
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
# the PASS password travels in clear text in every advertisement (at most 8 characters
# are used); it prevents accidental pairing on a shared VLAN, not a deliberate takeover
auth_pass 1111
}
virtual_ipaddress {
10.20.120.150
}
}
# UDP only: clients that retry over TCP (truncated answers, large responses) need a
# second "virtual_server 10.20.120.150 53" block with "protocol TCP" and the same real servers
virtual_server 10.20.120.150 53 {
delay_loop 6
lb_algo rr
lb_kind DR
protocol UDP
# TCP_CHECK connects to TCP/53 on the real server (BIND serves TCP as well); it does
# not prove that UDP queries are being answered
real_server 10.20.121.179 53 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
real_server 10.20.121.184 53 {
weight 1
TCP_CHECK {
connect_port 53
connect_timeout 3
retry 3
delay_before_retry 3
}
}
}
The backup director is installed and configured the same way; only router_id, state and priority differ.
! Configuration File for keepalived
global_defs {
router_id LVS_DR02
vrrp_skip_check_adv_addr
# vrrp_strict is left out here as well (see the master configuration)
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.20.120.150
}
}
# must be identical to the master's virtual_server block, otherwise the IPVS table
# changes when the VIP fails over
virtual_server 10.20.120.150 53 {
delay_loop 6
lb_algo rr
lb_kind DR
protocol UDP
real_server 10.20.121.179 53 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
real_server 10.20.121.184 53 {
weight 1
TCP_CHECK {
connect_port 53
connect_timeout 3
retry 3
delay_before_retry 3
}
}
}
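TCP_CHECK only proves that something accepts a TCP connection on port 53; it says nothing about whether the real server answers UDP queries for the zones it should serve. The script below is an added example, not from the original article: a keepalived MISC_CHECK health check that sends a real UDP query with dig to one real server and passes only when the reply is NOERROR, authoritative, and carries the expected A record. The name dns1.test.cn and its address come from the zone file above; the script path /etc/keepalived/check_dns.sh is an assumption, and the dig output in the test is constructed.

```shell
#!/bin/sh
# check_dns.sh RS_IP NAME EXPECTED_IP
# keepalived MISC_CHECK script: exits 0 when the real server RS_IP answers an
# authoritative UDP query for NAME with the A record EXPECTED_IP, 1 otherwise.
# Added example; the install path /etc/keepalived/check_dns.sh is an assumption.

# reply_ok NAME EXPECTED_IP < dig-output
# Parses the text dig prints and succeeds only if the header shows
# status NOERROR, the aa (authoritative answer) flag is set, and the
# ANSWER SECTION contains "NAME. <ttl> IN A EXPECTED_IP".
reply_ok() {
    name=${1%.}        # tolerate a trailing dot in NAME
    want=$2
    awk -v name="${name}." -v want="$want" '
        /^;; ->>HEADER<<-/ && /status: NOERROR/ { hdr = 1 }
        /^;; flags:/ && / aa[ ;]/              { aa = 1 }
        /^;; ANSWER SECTION:/                  { insec = 1; next }
        /^;;/                                  { insec = 0 }
        insec && $1 == name && $3 == "IN" && $4 == "A" && $5 == want { hit = 1 }
        END { exit (hdr && aa && hit) ? 0 : 1 }
    '
}

# check RS_IP NAME EXPECTED_IP -> probes one real server
check() {
    # +norecurse: the real server must answer from its own zone data, not by
    # forwarding; +tries=1 +time=2 keeps the probe well inside misc_timeout
    dig @"$1" "$2" A +norecurse +tries=1 +time=2 | reply_ok "$2" "$3"
}

if [ $# -gt 0 ]; then
    [ $# -eq 3 ] || { echo "usage: $0 RS_IP NAME EXPECTED_IP" >&2; exit 2; }
    check "$1" "$2" "$3"
    exit $?
fi
```

Replace each real_server's TCP_CHECK block with `MISC_CHECK { misc_path "/etc/keepalived/check_dns.sh 10.20.121.179 dns1.test.cn 10.20.121.179" misc_timeout 5 }` (10.20.121.184 and dns2.test.cn for the second one). keepalived pulls a real server out of the IPVS table while the script exits non-zero and puts it back when it succeeds again; the directors are in 10/8, so the trusted ACL on the DNS servers already admits the probe.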
Configuring the DNS servers as DR real servers
Create /etc/init.d/lvsrs on every DNS server. It puts the VIP on the loopback interface and stops the server from answering ARP for it, so only the director's VIP is visible on the LAN:
cat /etc/init.d/lvsrs
#!/bin/sh
# chkconfig: 2345 90 10
# description: LVS real server setup for DR mode (VIP on lo, ARP suppressed)
VIP=10.20.120.150
. /etc/rc.d/init.d/functions
case "$1" in
start)
    echo "configuring LVS real server"
    # suppress ARP for the VIP first, so it is never announced to the LAN:
    # only the director may answer ARP requests for 10.20.120.150
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    # /32 on loopback: accept frames the director redirects to our MAC and reply from the VIP
    /sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
    ;;
stop)
    /sbin/ifconfig lo:0 down
    echo "removing LVS real server configuration"
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
Make the file executable
chmod +x /etc/init.d/lvsrs
Enable the script at boot. named has to be able to bind the VIP, so lvsrs must be up before named starts; if named came up first, run rndc reconfig, which makes it rescan its interfaces (otherwise it only does so every interface-interval, 60 minutes by default).
systemctl enable lvsrs
systemctl start lvsrs
Returning different answers depending on the client's source IP (the views feature of BIND 9)
Configuring the primary/secondary pair with key (TSIG) authentication
# Generate the key with ddns-confgen, shipped with BIND (tsig-keygen, also shipped, prints only the key block). hmac-md5 is what was used here; hmac-sha256 is the algorithm to use today. Both ends must share the same algorithm and secret.
ddns-confgen -a hmac-md5
It prints a block like the following:
key "key-file" {
algorithm hmac-md5;
secret "zB3aHy***********HQQ==";
};
Generate one key per view: the secondary signs its transfer requests with a view's key to reach the matching view on the primary, so it needs all of them.
Final configuration files
Primary:
acl dnsserver {
10.20.121.184;
10.20.121.179;
};
acl lan {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
acl wan {
!"lan";
any;
};
options {
listen-on port 53 { 10.20.121.179;10.20.120.150; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-recursion { lan; };
forward first;
forwarders {
202.101.172.35;
114.114.114.114;
223.5.5.5;
223.6.6.6;
8.8.8.8;
};
recursion yes;
dnssec-enable no;
dnssec-validation no;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
key "key-lan" {
algorithm hmac-md5;
secret "zB3aHy**********rIHQQ==";
};
key "key-wan" {
algorithm hmac-md5;
secret "w1U**********FSh9SQ==";
};
key "key-none" {
algorithm hmac-md5;
secret "Whs+3iql**********wrfA==";
};
masters "dnsserver" { // named address list used by also-notify below (the acl of the same name is used by allow-notify)
10.20.121.184;
10.20.121.179;
};
view "lan" {
match-clients {
key key-lan;
"lan";
};
server 10.20.121.184 { keys key-lan; }; // messages this view sends to the secondary (NOTIFY) are signed with key-lan, so they land in the matching view there
allow-transfer { key key-lan; };
allow-notify { "dnsserver"; };
also-notify { "dnsserver"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.lan.zones";
include "/etc/named.root.key";
};
view "wan" {
match-clients {
key key-wan;
"wan";
};
server 10.20.121.184 { keys key-wan; }; // same for the wan view, signed with key-wan
allow-transfer { key key-wan; };
allow-notify { "dnsserver"; };
also-notify { "dnsserver"; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
Primary zone list for the lan view: /etc/named.rfc1912.lan.zones
cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN {
type master;
file "dns/test-1.dns"; // relative to directory /var/named: the lan view's copy of the zone
allow-update { none; };
notify yes;
};
Primary zone list for the wan view: /etc/named.rfc1912.zones (the stock file of the bind package, replaced here)
cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
type master;
file "test-1.dns"; // /var/named/test-1.dns: the wan view's copy of the same zone, with the addresses outside clients should see
allow-update { none; };
notify yes;
};
Secondary:
acl dnsserver {
10.20.121.184;
10.20.121.179;
};
acl lan {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
acl wan {
!"lan";
any;
};
options {
listen-on port 53 { 10.20.121.184;10.20.120.150; }; // the secondary's own address plus the VIP on lo:0
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-recursion { lan; };
forward first;
forwarders {
202.101.172.35;
114.114.114.114;
223.5.5.5;
223.6.6.6;
8.8.8.8;
};
recursion yes;
dnssec-enable no;
dnssec-validation no;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
max-cache-ttl 60;
max-cache-size 10240M;
max-ncache-ttl 60;
cleaning-interval 15;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel query_log {
file "/var/run/named/query.log" versions 55 size 100m;
severity dynamic;
print-time yes;
print-category yes;
};
category queries { query_log;};
category default { null;};
};
key "key-lan" {
algorithm hmac-md5;
secret "zB3aHyt6r6aOaJ/I9rIHQQ==";
};
key "key-wan" {
algorithm hmac-md5;
secret "w1UhtLdOGREhSYimFSh9SQ==";
};
key "key-none" {
algorithm hmac-md5;
secret "Whs+3iqlwShOapXRW8wrfA==";
};
view "lan" {
match-clients {
key key-lan; // a message signed with this view's key lands here whatever its source address, so signed NOTIFYs from the primary reach the right view
"lan";
};
server 10.20.121.179 { keys key-lan; }; // SOA refresh and AXFR requests to the primary are signed with key-lan, so the primary's lan view answers them
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.lan.zones";
include "/etc/named.root.key";
};
view "wan" {
match-clients {
key key-wan;
"wan";
};
server 10.20.121.179 { keys key-wan; }; // transfers of the wan copy are signed with key-wan and served by the primary's wan view
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
Secondary zone list for the lan view: /etc/named.rfc1912.lan.zones
cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN { // must be the same zone name the primary serves
type slave;
masters { 10.20.121.179; };
masterfile-format text;
file "slaves/lan_test-1.dns";
allow-transfer{ none; };
};
Secondary zone list for the wan view: /etc/named.rfc1912.zones
cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
type slave;
masters { 10.20.121.179; };
masterfile-format text;
file "slaves/test-1.dns";
allow-transfer{ none; };
};
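The key blocks above live inside named.conf on both servers, all use hmac-md5, and key-none is defined but referenced nowhere. The following is an added example, not from the original article: a small audit that extracts every key block from a named.conf, flags hmac-md5, flags secrets shorter than the digest of the algorithm they are declared with (what happens when only the algorithm line is edited instead of regenerating the key), reports keys that no server, match-clients or allow-transfer statement uses, and checks that the file is not readable by other users. It assumes key blocks are written one statement per line, as ddns-confgen prints them, and that key names contain no regex metacharacters; the config and secrets in the test are constructed.

```shell
#!/bin/sh
# tsig_audit.sh named.conf: audit the TSIG "key" blocks of a BIND configuration.
# Added example. Assumes key blocks are written one statement per line, as
# ddns-confgen prints them, and that key names contain no regex metacharacters.

# tsig_keys FILE -> one line per key block: "<name> <algorithm> <secret>"
tsig_keys() {
    awk '
        /^[[:space:]]*key[[:space:]]+"[^"]+"/ {        # key "name" {
            match($0, /"[^"]+"/)
            name = substr($0, RSTART + 1, RLENGTH - 2); inkey = 1; next
        }
        inkey && /algorithm/ { alg = $2; sub(/;.*/, "", alg) }
        inkey && /secret/    { match($0, /"[^"]+"/); sec = substr($0, RSTART + 1, RLENGTH - 2) }
        inkey && /}/         { print name, alg, sec; inkey = 0 }
    ' "$1"
}

# b64_bytes STRING -> number of bytes the base64 string decodes to
b64_bytes() {
    s=$1; pad=0
    case $s in *==) pad=2 ;; *=) pad=1 ;; esac
    echo $(( ${#s} * 3 / 4 - pad ))
}

# min_secret_bytes ALGORITHM -> digest size; a shorter secret weakens the MAC
min_secret_bytes() {
    case $1 in
        hmac-md5) echo 16 ;; hmac-sha1) echo 20 ;; hmac-sha224) echo 28 ;;
        hmac-sha256) echo 32 ;; hmac-sha384) echo 48 ;; hmac-sha512) echo 64 ;;
        *) echo 0 ;;
    esac
}

# tsig_audit FILE -> prints findings, returns 1 if there are any
tsig_audit() {
    file=$1
    findings=$(
        # named.conf holds every secret: it must not be readable by other users
        case $(ls -l "$file" | cut -c1-10) in
            ???????r??) echo "$file: readable by other users" ;;
        esac
        tsig_keys "$file" | while read -r name alg sec; do
            if [ "$alg" = hmac-md5 ]; then
                echo "$name: hmac-md5 is deprecated, regenerate with tsig-keygen -a hmac-sha256"
            fi
            min=$(min_secret_bytes "$alg")
            if [ "$min" -eq 0 ]; then echo "$name: unknown algorithm $alg"; fi
            bytes=$(b64_bytes "$sec")
            if [ "$bytes" -lt "$min" ]; then
                echo "$name: secret is $bytes bytes, shorter than the $alg digest ($min bytes)"
            fi
            # the definition line matches too, so a key in use matches at least twice
            refs=$(grep -Ec "keys?[[:space:]]+\"?$name\"?[[:space:];]" "$file" || true)
            if [ "$refs" -le 1 ]; then
                echo "$name: defined but not referenced by any server, match-clients or allow-transfer statement"
            fi
        done
        true
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ $# -eq 1 ]; then
    tsig_audit "$1"
    exit $?
fi
```

Run `sh tsig_audit.sh /etc/named.conf` on both servers; a clean run prints nothing and exits 0. Regenerating a key means changing it on the primary and the secondary in the same maintenance window, because a transfer signed with a key the other side no longer knows is refused.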
To grow the cluster, clone the secondary, change the listen-on addresses in its named.conf, and make sure lvsrs runs on it.
Once the new DNS server is up, add it as a real_server in the keepalived configuration of both directors and restart keepalived; also add its address to the dnsserver acl and masters list on the primary so it receives NOTIFY. A clone carries the TSIG secrets with it, so rotate the keys if a clone is ever decommissioned or handed elsewhere.