DNS：自动化配置 主/从/缓存 DNS服务器

对每个人而言，真正的职责只有一个：找到自我。然后在心中坚守其一生，全心全意，永不停息。所有其它的路都是不完整的，是人的逃避方式，是对大众理想的懦弱回归，是随波逐流，是对内心的恐惧 ——赫尔曼·黑塞《德米安》

写在前面

---

• 学习遇到 DNS 自动化部署的一个 Ansible 剧本，这里分享给小伙
• 部署使用 Bind9 ，包括主从 DNS 构建，缓存 DNS 构建，缓存使用 unbound
• 剧本相对简单
• 理解不足小伙伴帮忙指正

对每个人而言，真正的职责只有一个：找到自我。然后在心中坚守其一生，全心全意，永不停息。所有其它的路都是不完整的，是人的逃避方式，是对大众理想的懦弱回归，是随波逐流，是对内心的恐惧 ——赫尔曼·黑塞《德米安》

---

部署BIND 流程

1. 安装bind软件包
2. 创建BIND配置文件
3. 启用并启动unbound服务。
4. 配置防火墙以允许入站DNS通信.

涉及到的文件：

[student@workstation dns-auto]$ tree .
.
├── ansible.cfg
├── ansible-starter-files
│   └── configure_primary.yml.starter
├── files
│   ├── primary-192.168.0.zone
│   ├── primary-backend.lab.example.com.zone
│   ├── primary-named.backend.conf
│   ├── primary-named.conf
│   ├── secondary-named.backend.conf
│   └── secondary-named.conf
├── inventory
└── templates
    └── unbound.conf.j2

ansible 配置文件

[student@workstation dns-auto]$ cat ansible.cfg
[defaults]
inventory=./inventory
remote_user=devops

[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False

主机清单文件，可以看到，当前 DNS 部署，使用主从DNS结构，并且部署了 缓存 DNS 服务

[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com

[caching_dns]
servera.lab.example.com

[primary_dns]
serverb.lab.example.com

[secondary_dns]
serverc.lab.example.com
[student@workstation dns-auto]$

主 DNS 相关配置

• 提权为 root
• 下载 bind9
• 复制配置文件
• 复制 zone 文件
• 需要注意 配置文件和 zone 文件的 权限，root 用户，namde 组，0640
• 配置防火墙
• 设置开机自启
• 添加通知，在配置文件变更时重启服务

[student@workstation dns-auto]$ cat configure_primary.yml
---
- name: Configure primary nameserver
  hosts: primary_dns
  remote_user: devops
  become: yes

  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: present

    - name: Copy primary config file
      copy:
        src: files/primary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy forward zone file to primary
      copy:
        src: files/primary-backend.lab.example.com.zone
        dest: /var/named/backend.lab.example.com.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy reverse zone file to primary
      copy:
        src: files/primary-192.168.0.zone
        dest: /var/named/192.168.0.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy backend config file (for zones)
      copy:
        src: files/primary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes

    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: yes

  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
[student@workstation dns-auto]$

主DNS 对应的 配置：

• 监听任意 53 端口
• 允许同步的从服务器 IP 声明
• 允许进行 DSN 解析的 IP 声明
• 不允许进行 递归

[student@workstation dns-auto]$ cat files/primary-named.conf
# /etc/named.conf (primary/secondary)
#
# For this exercise, primary and secondary name.conf files are identical but
# have separate names in the project directory to avoid confusion when
# configuring playblooks.
#
# Template file for BIND labs.

options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-transfer { 192.168.0.12; };
        allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
        recursion no;

#Added the following
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

};

#Added the following
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
[student@workstation dns-auto]$

正向解析 zone 文件

[student@workstation dns-auto]$ cat files/primary-backend.lab.example.com.zone
$TTL 300
@ IN  SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
                        2020041806  ;serial number
                        1H          ;refresh secondary
                        5m          ;retry refresh
                        1w          ;expire zone
                        1m )        ;cache time-to-live for negative answers

; owner                   TTL     CL  type    RDATA
                          600     IN  NS      serverb
;                                  IN  MX 10   serverb.backend.lab.example.com.
;                                  IN  A       192.168.0.11

servera                           IN  A       192.168.0.10
serverb                           IN  A       192.168.0.11
serverc                           IN  A       192.168.0.12
serverd                           IN  A       192.168.0.13
[student@workstation dns-auto]$

反向解析 zone 文件

[student@workstation dns-auto]$ cat files/primary-192.168.0.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
                    2020041805    ;serial number
                    1H            ;refresh secondary
                    5M            ;retry refresh
                    1W            ;expire zone
                    1M )          ;cache time-to-live for negative answers

; owner                   TTL   CL  type    RDATA
                          600   IN  NS      serverb.backend.lab.example.com.

10.0.168.192.IN-ADDR.ARPA.      IN  PTR     servera.backend.lab.example.com.
11                              IN  PTR     serverb.backend.lab.example.com.
12                              IN  PTR     serverc.backend.lab.example.com.
13                              IN  PTR     serverd.backend.lab.example.com.
[student@workstation dns-auto]$

添加的 zone 对应的 配置文件

[student@workstation dns-auto]$ cat files/primary-named.backend.conf
zone "backend.lab.example.com" IN {
        type master;
        file "backend.lab.example.com.zone";
        forwarders {};
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        forwarders {};
};
[student@workstation dns-auto]$

从 DNS 相关配置

剧本步骤和主的基本一致

[student@workstation dns-auto]$ cat configure_secondary.yml
---
- name: Configure secondary nameserver
  hosts: secondary_dns
  remote_user: devops
  become: yes

  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: present

    - name: Copy secondary config file
      copy:
        src: files/secondary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Copy backend config file (for zones)
      copy:
        src: files/secondary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes

    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: yes

  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
[student@workstation dns-auto]$

对应的 zone 文件和 配置文件

[student@workstation dns-auto]$ cat files/secondary-named.backend.conf
zone "backend.lab.example.com" IN {
        type slave;
        file "slaves/backend.lab.example.com.zone";
        masters { 192.168.0.11; };
};

zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.0.zone";
        masters { 192.168.0.11; };
};
[student@workstation dns-auto]$

[student@workstation dns-auto]$ cat files/secondary-named.conf
# /etc/named.conf (primary/secondary)
#
# For this exercise, primary and secondary name.conf files are identical but
# have separate names in the project directory to avoid confusion when
# configuring playblooks.
#
# Template file for BIND labs.

options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-transfer { 192.168.0.12; };
        allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
        recursion no;

#Added the following
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

};

#Added the following
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
[student@workstation dns-auto]$

缓存 DNS 相关配置

• 涉及变量较多，所以这里我们使用了 模板文件的方法
• 装包
• 生成配置文件
• 配置防火墙
• 启动服务设置开机自启

[student@workstation dns-auto]$ cat configure_caching.yml
---
- name: Install cache only nameserver
  hosts: caching_dns
  remote_user: devops
  become: yes

  vars:
    interface: 0.0.0.0
    interface_automatic: "yes"
    access_control:
      - "172.25.250.0/24 allow"
    domain_insecure: example.com
    forward_zone_name: .
    forward_zone_addr: "172.25.250.254"

  tasks:
    - name: Install cache only nameserver
      yum:
        name: unbound
        state: present

    - name: Create configuration file on caching server host
      template:
        src: unbound.conf.j2
        dest: /etc/unbound/conf.d/unbound.conf

    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes

    - name: Ensure unbound is running and enabled
      service:
        name: unbound
        state: started
        enabled: yes

  handlers:
    - name: restart_unbound
      service:
        name: unbound
        state: restarted
[student@workstation dns-auto]$

[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
        interface: {{ interface }}
        interface-automatic: {{ interface_automatic }}
{% for acl in access_control %}
        access-control: {{ acl }}
{% endfor %}
        domain-insecure: "{{ domain_insecure }}"

forward-zone:
        name: "{{ forward_zone_name }}"
        forward-addr: {{ forward_zone_addr }}
[student@workstation dns-auto]$

整个剧本涉及下面三个剧本

[student@workstation dns-auto]$ cat playbook.yml
---
- import_playbook: configure_primary.yml
- import_playbook: configure_secondary.yml
- import_playbook: configure_caching.yml
[student@workstation dns-auto]$

博文部分内容参考

© 文中涉及参考链接内容版权归原作者所有，如有侵权请告知，这是一个开源项目，如果你认可它，不要吝啬星星哦 :)

---

https://www.isc.org/bind/

<RH358 授课课堂笔记>

---

© 2018-2023 liruilonger@gmail.com, All rights reserved. 保持署名-非商用-相同方式共享(CC BY-NC-SA 4.0)