DNS经典玩法
https://www.cnblogs.com/cobbliu/archive/2013/03/19/2970311.html https://note.t4x.org/system/centos-bind-config/ centos 配置bind 完整版 https://linux.cn/article-3341-1.html nscd https://www.cnblogs.com/kevingrace/p/9359989.html bind 高级功能转发及参数说明
dns架构演进
- dns的作用,域名解析使用
- 本地 DNS 的作用：配置灵活、可解析内网域名；公共 DNS 异常时仍能提供仅限内部的解析兜底
dns架构
- bind 命令行
- bind+namedmanager 命令行加web管理
- 可配置多台,自动分发配置到多台dns bind
dns服务面临的问题
- 高并发问题：单台 BIND 默认配置大约 2 万 QPS 就到上限（官方给出的参考上限也只有约 2 万）
- 默认配置自带并发限制（如 recursive-clients、tcp-clients 等参数），需要按需调大
- 单点问题：只有单台 DNS 时没有冗余，需要做主备 DNS
dns架构演进
bind + namedmanager + nscd + dnsmasq
- server :
- bind + dnsmasq + namedmanager
- client:
- bind + dnsmasq + nscd
nscd 的作用：在客户端本机内存中缓存 hosts 查询结果（见下文 nscd.conf 中的 enable-cache hosts yes）
dnsmasq 的作用：轻量级 DNS 缓存/转发器（cache 约 1 万条），主要负责把本机查询转发到上游 server
- /etc/resolv-dnsmasq.conf 存放上游 nameserver 列表（dnsmasq 的 resolv-file）；dnsmasq.conf 中的 listen-address=127.0.0.1 + bind-interfaces 只绑定本机 lo 回环，不对外提供服务
/var/log/nscd.log
- all-servers：同时向全部上游 server（文中为 10 个）发送同一查询，采用最先返回的应答
- strict-order：严格按 resolv 文件中 nameserver 的先后顺序逐个尝试
- 默认策略：首次同时向全部上游发送查询，之后优先使用上次响应最快的 server。client 与 server 侧都经过 dnsmasq 本地缓存，因此真正转发到上游的请求量非常少。下面是 server 侧的配置文件：
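[root@bjdz-sa-dnssrv01-15680 ~]# cat /etc/named.conf
// Internal BIND server for the site: authoritative for the zones pulled in
// via the NamedManager include at the bottom, recursive only for the internal
// ranges below, and forwarding every cache miss to the dnsmasq instance bound
// to 127.0.0.1 (see /etc/dnsmasq.conf).
//
// Clients that may query and recurse.
acl local {
    192.168.0.0/16;
    127.0.0.1;
    172.16.0.0/12;
};
// Public uplink ranges of the sites.  Defined but not referenced anywhere in
// this file or in the NamedManager include.
acl internet {
    58.67.0.0/16;
    113.106.0.0/16;
    183.232.0.0/16;
    113.31.0.0/16;
    111.13.0.0/16;
    114.119.0.0/16;
};
// Sources that are dropped without any response (blackhole): historical bogon
// ranges, link-local, TEST-NET-1, multicast/reserved (224/3) and 10/8.
// NOTE(review): 10.0.0.0/8 is blackholed while 192.168/16 and 172.16/12 are
// trusted -- confirm no internal clients live in 10/8, or they are silently
// dropped with no log entry.
acl blacklist {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    169.254.0.0/16;
    192.0.2.0/24;
    224.0.0.0/3;
    10.0.0.0/8;
};
options {
    listen-on port 53 { 172.19.156.80; };
    pid-file "/var/run/named/named.pid";
    directory "/var/named";
    // Only internal sources may query or recurse, so this is not an open
    // resolver / amplification source even though recursion is enabled.
    allow-query { "local"; };
    allow-recursion { "local"; };
    blackhole { "blacklist"; };
    max-cache-ttl 1800;
    // 0 disables the per-(qname,qtype,qclass) limit on how many clients may
    // wait on one outstanding recursive query.  Chosen for throughput, but it
    // removes a resource-exhaustion guard -- acceptable only because the
    // server is reachable from the "local" ACL alone.
    clients-per-query 0;
    max-clients-per-query 0;
    // NOTE(review): BIND interprets these in bytes, so 2097152 is 2 MiB --
    // tiny for the query rates described in this write-up.  Confirm whether
    // a far larger value (or "unlimited") was intended.
    max-cache-size 2097152;
    max-acache-size 2097152;
    // NOTE(review): validation through a forwarder only works if the
    // forwarder (dnsmasq on 127.0.0.1) returns RRSIGs / DO-bit answers
    // unchanged; verify with `dig +dnssec @172.19.156.80 <signed name>`.
    dnssec-enable yes;
    dnssec-validation yes;
    recursion yes;
    check-names master ignore;
    // Zone transfers only with the TSIG key below; dynamic updates refused.
    allow-transfer { key "yepops-key"; };
    allow-update { none; };
    // Raised far above the defaults (1000) for the high-concurrency goal;
    // each slot costs memory, so size the host accordingly.
    recursive-clients 1000000;
    tcp-clients 1000000;
    // Cache misses go to the loopback dnsmasq, which fans out to the
    // upstream resolvers listed in /etc/dnsmasq.conf.
    forwarders { 127.0.0.1; };
};
logging {
    channel "default_syslog" {
        syslog daemon;
        severity info;
    };
    channel "resolver_log" {
        file "data/named.log";
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "default" { "default_syslog"; };
    // Full query/client/resolver/transfer logging to data/named.log is
    // valuable for incident forensics, but the channel sets no size or
    // versions limit -- at these query rates the file grows quickly and
    // records every name every client resolves, so rotate and restrict it.
    category "queries" { "resolver_log"; };
    category "client" { "resolver_log"; };
    category "resolver" { "resolver_log"; };
    category "xfer-in" { "resolver_log"; };
    category "xfer-out" { "resolver_log"; };
};
// TSIG key gating zone transfers.
// NOTE(review): this secret is reproduced in a public write-up and must be
// treated as compromised -- rotate it on the primary and every secondary.
// HMAC-MD5 is deprecated for TSIG; regenerate with
// `tsig-keygen -a hmac-sha256 yepops-key` and switch both ends together
// (changing the algorithm on one side alone breaks transfers).  Keep the key
// stanza in a separate include file readable only by root and named.
key "yepops-key" {
    algorithm HMAC-MD5;
    secret "FHhxUNIj7fU+QfQjlZ/ZSg==";
};
include "/etc/named.namedmanager.conf";
/etc/named.namedmanager.conf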
//
// NamedManager Configuration
//
// This file is automatically generated; any manual changes will be lost.
//
// NOTE(review): the three "example.com" stanzas below are redaction artifacts
// of the write-up (the real zone names were replaced).  BIND rejects a
// configuration that defines the same zone name twice, so this file as shown
// would fail named-checkconf; in production each stanza names a distinct zone.
// Every zone is a master with dynamic updates refused (allow-update { none; }),
// which is the right default for an internal authoritative server.  Transfers
// are governed by the allow-transfer / TSIG settings in the parent named.conf.
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
// Reverse zones for the 172.16.72.0/24, 172.16.81.0/24 and 172.16.82.0/24
// internal subnets (inside the "local" ACL's 172.16.0.0/12).
zone "72.16.172.in-addr.arpa" IN {
type master;
file "72.16.172.in-addr.arpa.zone";
allow-update { none; };
};
zone "81.16.172.in-addr.arpa" IN {
type master;
file "81.16.172.in-addr.arpa.zone";
allow-update { none; };
};
zone "82.16.172.in-addr.arpa" IN {
type master;
file "82.16.172.in-addr.arpa.zone";
allow-update { none; };
};
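[root@bjdz-sa-dnssrv01-15680 ~]# cat /etc/dnsmasq.conf
# Server-side dnsmasq: loopback-only forwarder that BIND reaches through
# `forwarders { 127.0.0.1; }` for cache misses.
# Read drop-ins from /etc/dnsmasq.d but skip package-manager leftovers.
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
# Send every query to all upstreams at once and keep the first answer.  This
# multiplies upstream load by the number of server= lines and means the
# fastest responder wins -- fine on a trusted internal network, but worth
# knowing when reading upstream query logs or debugging inconsistent answers.
all-servers
# Ignore /etc/resolv.conf and /etc/hosts: upstreams come only from the list
# below, so a rewritten resolv.conf cannot redirect this forwarder.
no-resolv
no-hosts
# Upstream resolvers.  1.2.3.4 is a placeholder used for every entry in this
# write-up; the real file presumably lists one distinct upstream per line.
server=1.2.3.4
server=1.2.3.4
server=1.2.3.4
server=1.2.3.4
server=1.2.3.4
server=1.2.3.4
server=1.2.3.4
# Answer on loopback only; bind-interfaces makes dnsmasq bind 127.0.0.1:53
# explicitly instead of the wildcard, so it is never reachable from the network.
listen-address=127.0.0.1
bind-interfaces
# Cache sizing and TTL caps (seconds).
# NOTE(review): older dnsmasq releases silently clamp cache-size to 10000;
# check the startup log line for the effective size before relying on 2000000.
cache-size=2000000
dns-forward-max=100000
neg-ttl=600
max-ttl=600
max-cache-ttl=600
# Per-query logging to a flat file.  Useful for incident forensics, but it
# records every name every client resolves and grows quickly at the query
# rates described above -- make sure it is rotated and access-restricted.
log-queries
log-facility=/var/log/dnsmasq.log
log-async=50
客户端使用nscd+dnsmasq 单机100W并发也是毫秒级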
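#!/bin/bash
# Host bootstrap: fetch the site "getinfo" helper, then configure DNS (IDC
# rooms get a local dnsmasq+nscd cache in front of the site resolvers), the
# timezone, and ntpdate-based time sync.
#
# Usage: <script> [no_ntp]
#   The literal argument "no_ntp" skips set_ntp.
#
# Must run as root: writes /etc/resolv.conf, /etc/resolv-dnsmasq.conf,
# /etc/nscd.conf, /etc/dnsmasq.conf, root's crontab and /etc/rc.d/rc.local.
#
# SECURITY NOTE(review): "getinfo" is downloaded over plain HTTP and executed
# as root with no integrity check.  Anyone who can MITM the network path,
# spoof DNS for the download host, or modify the file on the server gets root
# on every host that runs this.  At minimum serve it over HTTPS with a verified
# certificate, or ship a pinned checksum/signature alongside this script.
# Two fixes are applied here: the download goes into a private mktemp
# directory instead of the world-writable /tmp (the original would execute a
# pre-planted /tmp/getinfo whenever the fetch failed), and a failed download
# aborts instead of continuing with empty values.

# ------------ variables -----------------------------------------------
DOWNLOAD_URL="http://dsoft.example.com:8888/base"
GETINFO="getinfo"
DISABLE_NTP="$1"

# Private scratch directory, removed on any exit path.
EXECUTE_DIR="$(mktemp -d)" || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${EXECUTE_DIR:?}"; }
trap cleanup EXIT

if ! wget -q -T 30 -t 3 -O "${EXECUTE_DIR}/${GETINFO}" "${DOWNLOAD_URL}/${GETINFO}"; then
  echo "failed to download ${DOWNLOAD_URL}/${GETINFO}" >&2
  exit 1
fi

# Site metadata for this host, as reported by the helper.
MACHINE_ROOM="$(sh "${EXECUTE_DIR}/${GETINFO}" room)"
SYSTEM="$(sh "${EXECUTE_DIR}/${GETINFO}" ostype)"
NTPLISTS="$(sh "${EXECUTE_DIR}/${GETINFO}" ntplist)"
DNSLISTS="$(sh "${EXECUTE_DIR}/${GETINFO}" dnslist)"

# ------------ debug ---------------------------------------------------
echo "DOWNLOAD_URL: $DOWNLOAD_URL"
echo "GETINFO: $GETINFO"
echo "EXECUTE_DIR: $EXECUTE_DIR"
echo "MACHINE_ROOM: $MACHINE_ROOM"
echo "SYSTEM: ${SYSTEM}"
echo "NTPLISTS: $NTPLISTS"
echo "DNSLISTS: $DNSLISTS"

# ------------ execution -----------------------------------------------
# IDC rooms (bjdz*, bjff*) get a local dnsmasq+nscd cache that forwards to the
# site resolvers; other hosts with a DNS list get the resolvers written
# directly to /etc/resolv.conf; hosts with an empty list (cloud VMs) keep
# their defaults.
# Globals read: DNSLISTS, MACHINE_ROOM.
set_dns() {
  local dns
  if [ -z "${DNSLISTS}" ]; then
    echo "machine room is ${MACHINE_ROOM},not set dns"
  elif [[ "${MACHINE_ROOM}" =~ ^bjdz ]] || [[ "${MACHINE_ROOM}" =~ ^bjff ]]; then
    yum install -y dnsmasq nscd > /dev/null
    # Upstream list consumed by dnsmasq (resolv-file); libc itself only ever
    # talks to the loopback cache.
    rm -f /etc/resolv-dnsmasq.conf
    # shellcheck disable=SC2086 -- DNSLISTS is a whitespace-separated list
    for dns in ${DNSLISTS}; do
      echo "nameserver ${dns}" >> /etc/resolv-dnsmasq.conf
    done
    echo 'nameserver 127.0.0.1' > /etc/resolv.conf
    # nscd caches only the hosts database, with short TTLs so resolver changes
    # propagate quickly; passwd/group/services/netgroup caching stays off.
    cat > /etc/nscd.conf << __EOF__
# logfile /var/log/nscd.log
# debug-level 9
threads 12
max-threads 128
server-user nscd
paranoia no
enable-cache passwd no
enable-cache group no
enable-cache services no
enable-cache netgroup no
enable-cache hosts yes
positive-time-to-live hosts 50
negative-time-to-live hosts 50
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
__EOF__
    # dnsmasq is bound to loopback only (listen-address + bind-interfaces), so
    # the client cache is never reachable from the network.  all-servers
    # queries every upstream at once and keeps the first answer.
    grep -q 'release 6' /etc/redhat-release && (
      cat > /etc/dnsmasq.conf << __EOF__
resolv-file=/etc/resolv-dnsmasq.conf
all-servers
listen-address=127.0.0.1
bind-interfaces
cache-size=100000
dns-forward-max=100000
neg-ttl=60
__EOF__
      service nscd start; chkconfig nscd on; service dnsmasq start; chkconfig dnsmasq on
    )
    grep -q 'release 7' /etc/redhat-release && (
      cat > /etc/dnsmasq.conf << __EOF__
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig,.bak
resolv-file=/etc/resolv-dnsmasq.conf
all-servers
listen-address=127.0.0.1
bind-interfaces
cache-size=100000
dns-forward-max=100000
neg-ttl=60
max-ttl=60
max-cache-ttl=60
__EOF__
      systemctl start nscd; systemctl enable nscd; systemctl enable dnsmasq; systemctl start dnsmasq
    )
    # Invalidate anything nscd cached before the new resolver config applied.
    nscd -i hosts
  else
    rm -f /etc/resolv.conf
    # shellcheck disable=SC2086 -- DNSLISTS is a whitespace-separated list
    for dns in ${DNSLISTS}; do
      echo "nameserver ${dns}" >> /etc/resolv.conf
    done
  fi
}

# Set the system timezone to Asia/Shanghai for the detected OS release.
# Globals read: SYSTEM.
set_timezone() {
  if [ "${SYSTEM}" == "centos7" ]; then
    # The set-local-rtc 1/0 toggle is kept from the original; its purpose is
    # undocumented (presumably forces timedatectl to rewrite the RTC settings)
    # -- confirm before removing.
    timedatectl set-local-rtc 1
    timedatectl set-local-rtc 0
    timedatectl set-timezone Asia/Shanghai
  elif [ "${SYSTEM}" == "centos6" ]; then
    /bin/cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    printf 'ZONE="Asia/Shanghai"\nUTC=false\nARC=false\n' > /etc/sysconfig/clock
  fi
  echo "timezone set ok"
}

# Replace ntpd with periodic ntpdate: stop and disable ntpd, strip Tencent
# Cloud's default ntp entries on txgz hosts, install an ntpdate cron job every
# 15-30 minutes (interval randomised per host to spread load on the time
# servers), run it once at boot via rc.local, and sync once now.
# Exits 2 if the initial sync fails.
# Globals read: SYSTEM, MACHINE_ROOM, NTPLISTS.
# NOTE(review): ntpdate against NTPLISTS is unauthenticated NTP; a spoofed
# time source skews certificate, Kerberos and log timestamps.  Acceptable only
# if the listed servers are internal -- confirm.
set_ntp() {
  local interval
  if [ "${SYSTEM}" == "centos7" ]; then
    systemctl stop ntpd
    systemctl disable ntpd
  elif [ "${SYSTEM}" == "centos6" ]; then
    /etc/init.d/ntpd stop
    chkconfig ntpd off
  fi &>/dev/null
  # Tencent Cloud Guangzhou zone 3: remove the provider's default ntp job.
  if [ "${MACHINE_ROOM}" == "txgz" ]; then
    sed -i '/ntpupdate.tencentyun.com/d' /var/spool/cron/root
    sed -i '/ntpupdate.tencentyun.com/d' /etc/rc.d/rc.local
  fi
  # if ! rpm -qa | grep ntpdate &> /dev/null; then
  #   yum -y install ntpdate &> /dev/null
  # fi
  interval="$(shuf -i 15-30 -n 1)"
  # Both entries are idempotent: only added when no ntpdate line exists yet.
  crontab -l 2>/dev/null | grep -q ntpdate \
    || echo "*/${interval} * * * * /usr/sbin/ntpdate ${NTPLISTS}" >> /var/spool/cron/root
  grep -q ntpdate /etc/rc.d/rc.local 2>/dev/null \
    || echo "/usr/sbin/ntpdate ${NTPLISTS} &" >> /etc/rc.d/rc.local
  # shellcheck disable=SC2086 -- NTPLISTS is a whitespace-separated server list
  if ! /usr/sbin/ntpdate ${NTPLISTS} &>/dev/null; then
    echo "ntp set error" >&2
    exit 2
  fi
}

set_dns
set_timezone
# Written as if/fi so that skipping NTP does not leave the script with a
# non-zero exit status.
if [ X"${DISABLE_NTP}" != X"no_ntp" ]; then
  set_ntp
fi
本文由作者按照 CC BY 4.0 进行授权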