docker使用bind9实现域名解析 - 乐码客


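# Recreate the BIND container from its compose directory. Abort if the
# directory is missing so docker-compose is not run against the wrong project
# (the original ran both compose commands even when the cd had failed).
cd /free_cicdfs0/compose/bind9 || exit 1
docker-compose down
docker-compose up -d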


修改配置文件

新版本 配置文件 大致结构发生了一些改变

cat /free_cicdfs0/data/bind9/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";



通过 forwarders 将查询转发给 114.114.114.114（上游缓存 DNS）


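# Write the resolver options. The quoted heredoc delimiter means nothing in
# the body is expanded by the shell.
cat > /free_cicdfs0/data/bind9/etc/bind/named.conf.options <<"EOF"

// rndc control channel, loopback only. No "keys" clause on purpose: per the
// BIND ARM, named then loads the key from rndc.key in its sysconfdir
// (Debian-based images: /etc/bind/rndc.key, which "docker cp bind9:/etc/bind"
// brings along). The original referenced a key named "rndckey" while the
// include that would have defined it was commented out, so named had no
// usable control key — consistent with the "couldn't add command channel
// 127.0.0.1#953" error logged afterwards.
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; };
};

options {

    // DNSSEC is switched off because the upstream (114.114.114.114) fails
    // the trust chain ("broken trust chain resolving ..."). Consequence: this
    // resolver verifies no DNSSEC signatures at all.
    // NOTE(review): dnssec-enable is obsolete in current BIND 9 and may be
    // rejected outright by newer releases — drop it if named refuses to start.
    dnssec-enable no;
    dnssec-validation no;

    listen-on port 53 { any; };

    // "any" makes this an open recursive resolver on every interface it is
    // reachable from. Publish port 53 to the LAN interface only, and narrow
    // this (plus allow-recursion) to the LAN prefix once it is known, e.g.
    // allow-query { 192.168.164.0/24; localhost; };   // <LAN_CIDR: adjust>
    allow-query { any; };

    forwarders {
        114.114.114.114;
    };

};

EOF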

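# Ownership/permissions for the bind-mounted BIND tree. root:named assumes
# the host has a "named" group whose gid matches the gid named runs with
# inside the container — TODO confirm with: docker exec bind9 id
chown -R root:named /free_cicdfs0/data/bind9/
# Config is readable by named's group and nobody else. The original
# "chmod 777 -R" made the resolver's zones and options writable by every
# local user and container that can see the mount.
chmod -R u=rwX,g=rX,o= /free_cicdfs0/data/bind9/
# named writes journals/managed keys under var/lib/bind (copied out of the
# container further down), so that subtree additionally needs group write.
[[ -d /free_cicdfs0/data/bind9/var ]] && chmod -R g+w /free_cicdfs0/data/bind9/var

docker-compose up -d
# If named cannot read its files after this, fix the gid mapping above rather
# than reverting to 777; check with: docker logs bind9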
# log error
couldn't add command channel 127.0.0.1#953: file not found


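# Seed the bind mount with the image's stock config and zone data (-a keeps
# uid/gid). docker cp refuses a destination directory that does not exist,
# so create the parents first.
mkdir -p /free_cicdfs0/data/bind9/etc /free_cicdfs0/data/bind9/var/lib
docker cp -a bind9:/etc/bind /free_cicdfs0/data/bind9/etc/
docker cp -a bind9:/var/lib/bind /free_cicdfs0/data/bind9/var/lib/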

dig 可以解析成功，但 ping 失败

broken trust chain resolving 'baidu.com/AAAA/IN': 114.114.114.114#53

解决:
由于局域网内使用的上游 DNS 无法通过 DNSSEC 信任链验证，所以关闭 DNSSEC 验证（注意：这样解析器将不再校验任何 DNSSEC 签名）。
[root@192-168-174-42 ~]# vim /etc/named.conf
将下面的两项设置为no
        dnssec-enable no;
        dnssec-validation no;

查看 已有的 区域 解析,并添加 新的 解析 项


cat /free_cicdfs0/data/bind9/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

https://nginx164190.zk.wh.com/

192.168.164.190 nginx164190.zk.wh.com

在 linux 安装 局域网 cert

# 添加 解析 条目
vi /etc/hosts
192.168.164.190  nginx164190.zk.wh.com
 
[root@node01 ~]# curl https://nginx164190.zk.wh.com/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.


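# Pull the LAN root-CA installer and run it.
# The installer arrives over plain HTTP and adds a CA to the system trust
# store, so verify its digest (obtained out-of-band) before executing
# anything from it. Also note that the web root this is served from lists
# rootCA-key.pem next to rootCA.pem: the CA private key must not be
# reachable over HTTP at all — remove it from the web root, since anyone who
# can fetch it can issue certificates every host trusts after this install.
: "${INSTALL_CERT_SHA256:?set to the sha256 of install_cert_linux.zip, obtained out-of-band}"
# -f: an HTTP error must not leave an HTML error page saved as the zip.
curl -fsS -o install_cert_linux.zip http://192.168.164.190:40080/install_cert_linux.zip || exit 1
printf '%s  install_cert_linux.zip\n' "$INSTALL_CERT_SHA256" | sha256sum -c - || exit 1
unzip -q install_cert_linux.zip || exit 1

cd install_cert_linux || exit 1
./install_cert.sh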

# 测试 效果
curl https://nginx164190.zk.wh.com/
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a>                            18-Aug-2021 08:53    1464
<a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a>                            18-Aug-2021 08:53    1464
<a href="install_cert_linux.zip">install_cert_linux.zip</a>                             19-Aug-2021 07:30      2M
<a href="rootCA-key.pem">rootCA-key.pem</a>                                     18-Aug-2021 08:53    2488
<a href="rootCA.pem">rootCA.pem</a>                                         18-Aug-2021 08:53    1635
<a href="test">test</a>                                               18-Aug-2021 08:47       7
</pre><hr></body>
</html>


1、953端口是rndc 的端口

2、rndc 用于查看 bind 的运行状态/统计数据并对其进行控制，例如在不重启 bind 的情况下重新加载某个 zone

查看 默认的 解析条目

cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

添加 自己的 解析条目


SOA 和 NS 记录用于多台 DNS 之间的协同

# A 代表 解析到 ipv4
@       IN      A       127.0.0.1

# AAAA 代表 解析到 ipv6
@       IN      AAAA    ::1

# PTR 代表 反向解析（由 IP 查域名）
1.0.0   IN      PTR     localhost.

cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// add your zones
include "/etc/bind/named.conf.my-zones";


# Model the new zone declarations on /etc/bind/named.conf.default-zones.
# NOTE(review): "192.in-addr.arpa" makes this server authoritative for the
# reverse of the whole 192.0.0.0/8 — any 192.x.x.x not listed in db.192
# (e.g. the 192.168.99.100 host used later on this page) gets NXDOMAIN
# instead of being forwarded. A /24 zone ("164.168.192.in-addr.arpa") would
# be narrower, but the owner names in db.192 must then change with it.
cat > /etc/bind/named.conf.my-zones <<"EOF"

zone "zk.wh.com" {
        type master;
        file "/etc/bind/db.zk.wh.com";
};

zone "192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

EOF

# 模仿db 文件
cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1


# Forward zone data for zk.wh.com, modelled on db.local above.
# NOTE(review): SOA MNAME/RNAME and the NS record are copied from the
# loopback template ("localhost."); workable for a lone resolver, but a real
# server name is needed before any secondary is added. Bump Serial on every
# edit so consumers keyed on the SOA serial notice the change.
cat > /etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190       IN      A       192.168.164.190
zcloud164190       IN      A       192.168.164.190


EOF


# 模仿 逆解 文件
cat /etc/bind/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.


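# Reverse zone data for 192.in-addr.arpa. The owner "190.164.168" is relative
# to the zone origin, i.e. 190.164.168.192.in-addr.arpa = 192.168.164.190.
# Fix: a PTR target ending in "." is absolute, so it must be the full host
# name — the original "nginx164190." pointed at a non-existent top-level name.
cat > /etc/bind/db.192 <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
190.164.168   IN      PTR     nginx164190.zk.wh.com.

EOF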

更新 解析记录


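# The LAN X.509 wildcard certificate cannot cover multi-level subdomains.
# Reminder: X.509 wildcards only go one level deep, so this won't match a.b.zk.wh.com ℹ️
# Updated zone file: adds hub-docker. Serial is bumped to 2 — the first
# version of this file already used 1, and a secondary (if one is ever
# added) decides whether to transfer the zone based on this number.
cat > /free_cicdfs0/data/bind9/etc/bind/db.zk.wh.com <<"EOF"
$TTL 86400
@ IN SOA localhost. root.localhost. (
        2  ; Serial
    604800  ; Refresh
    86400  ; Retry
   2419200  ; Expire
    86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx164190       IN      A       192.168.164.190
zcloud164190      IN      A       192.168.164.190
hub-docker        IN      A       192.168.99.100
EOF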


# Restart the container for the zone change to take effect.
# "[email protected]" is a mirror artifact that masked the real user@host.
# NOTE(review): this cd uses .../composes/bind9 while the first step on this
# page used .../compose/bind9 — confirm which is the real compose directory.
ssh [email protected]
cd /free_cicdfs0/composes/bind9
docker-compose restart



# test
ping hub-docker.zk.wh.com
PING hub-docker.zk.wh.com (192.168.99.100) 56(84) bytes of data.
64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms
64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms



有兴趣的同学欢迎进群交流
