Docker使用Bind9实现域名解析的思路详解

Docker/容器
405
0
0
2023-06-18
标签   Docker
目录
  • 刷新服务
  • 修改配置文件
  • 从 114 缓存 查询 数据
  • 可以 dig 无法 ping
  • 查看 已经 区域 解析,并添加 新的 解析 项
  • 在 linux 安装 局域网 cert
  • rndc
  • 查看 默认的 解析条目
  • 添加 自己的 解析条目
  • 更新 解析记录

刷新服务

cd /free_cicdfs/compose/bind9
docker-compose down; docker-compose up  -d

修改配置文件

新版本 配置文件 大致结构发生了一些改变

cat /free_cicdfs/data/bind9/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

从 114 缓存 查询 数据

cat > /free_cicdfs/data/bind9/etc/bind/named.conf.options <<"EOF"

# include "/etc/rndc.key";

controls {
    inet.0.0.1 port 953
    allow {.0.0.1; } keys { "rndckey"; };
};

options {
    
    // set no
    dnssec-enable no;
    dnssec-validation no;

    listen-on port { any; };

    allow-query { any; };

    forwarders {.114.114.114;
    };
};

EOF

chmod -R  /free_cicdfs0/data/bind9/
chown root:root -R  /free_cicdfs/data/bind9/

chown root:named -R  /free_cicdfs/data/bind9/

docker-compose up -d 
# log error
couldn't add command channel.0.0.1#953: file not found
docker cp -a bind:/etc/bind  /free_cicdfs0/data/bind9/etc/

docker cp -a bind:/var/lib/bind  /free_cicdfs0/data/bind9/var/lib/

可以 dig 无法 ping

broken trust chain resolving 'baidu.com/AAAA/IN':.114.114.114#53

解决:
由于是局域网内非法DNS,所以将DNS安全关闭.
[root@-168-174-42 ~]# vim /etc/named.conf
将下面的两项设置为no
        dnssec-enable no;
        dnssec-validation no;

查看 已经 区域 解析,并添加 新的 解析 项

cat /free_cicdfs/data/bind9/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

https://nginx164190.zk.wh.com/

192.168.164.190 nginx164190.zk.wh.com

在 linux 安装 局域网 cert

# 添加 解析 条目
vi /etc/hosts.168.164.190  nginx164190.zk.wh.com
 
[root@node ~]# curl https://nginx164190.zk.wh.com/
curl: () Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.


curl -o install_cert_linux.zip http://.168.164.190:40080/install_cert_linux.zip
unzip install_cert_linux.zip

cd install_cert_linux
./install_cert.sh

# 测试 效果
curl https://nginx.zk.wh.com/
<html>
<head><title>Index of /</title></head>
<body>
<h>Index of /</h1><hr><pre><a href="../">../</a>
<a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a>-Aug-2021 08:53    1464
<a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a>-Aug-2021 08:53    1464
<a href="install_cert_linux.zip">install_cert_linux.zip</a>-Aug-2021 07:30      2M
<a href="rootCA-key.pem">rootCA-key.pem</a>-Aug-2021 08:53    2488
<a href="rootCA.pem">rootCA.pem</a>-Aug-2021 08:53    1635
<a href="test">test</a>-Aug-2021 08:47       7
</pre><hr></body>
</html>

rndc

1、953端口是rndc 的端口

2、rndc是监控bind的统计数据用的,同时不需要为了更新某个zone而重启bind

查看 默认的 解析条目

cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

添加 自己的 解析条目

多台 dns 之间 进行 协同
SOA
NS

# A 代表 解析到 ipv
@       IN      A.0.0.1

# A 代表 解析到 ipv
@       IN      AAAA    ::

# ptr 代表 逆向解析.0.0   IN      PTR     localhost.
cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// add you zones
include "/etc/bind/named.conf.my-zones";


# 模仿 /etc/bind/named.conf.default-zones 书写 新的 解析记录
cat > /etc/bind/named.conf.my-zones <<"EOF"

zone "zk.wh.com" {
        type master;
        file "/etc/bind/db.zk.wh.com";
};

zone ".in-addr.arpa" {
        type master;
        file "/etc/bind/db.";
};

EOF

# 模仿db 文件
cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL
@       IN      SOA     localhost. root.localhost. (         ; Serial
         ; Refresh
         ; Retry
         ; Expire
 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A.0.0.1
@       IN      AAAA    ::


cat > /etc/bind/db.zk.wh.com <<"EOF"
$TTL
@ IN SOA localhost. root.localhost. (  ; Serial
  ; Refresh
  ; Retry
  ; Expire
 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx       IN      A       192.168.164.190
zcloud       IN      A       192.168.164.190


EOF


# 模仿 逆解 文件
cat /etc/bind/db.
;
; BIND reverse data file for local loopback interface
;
$TTL
@       IN      SOA     localhost. root.localhost. (         ; Serial
         ; Refresh
         ; Retry
         ; Expire
 )       ; Negative Cache TTL
;
@       IN      NS      localhost..0.0   IN      PTR     localhost.


cat > /etc/bind/db. <<"EOF"
$TTL
@ IN SOA localhost. root.localhost. (  ; Serial
  ; Refresh
  ; Retry
  ; Expire
 ) ; Negative Cache TTL
;
@ IN NS localhost..164.168   IN      PTR     nginx164190.

EOF

更新 解析记录

# 局域网 x 证书 无法 信任 多重域名
# Reminder: X. wildcards only go one level deep, so this won't match a.b.zk.wh.com ℹ️
cat > /free_cicdfs/data/bind9/etc/bind/db.zk.wh.com <<"EOF"
$TTL
@ IN SOA localhost. root.localhost. (  ; Serial
  ; Refresh
  ; Retry
  ; Expire
 ) ; Negative Cache TTL
;
@ IN NS localhost.
nginx       IN      A       192.168.164.190
zcloud      IN      A       192.168.164.190
hub-docker        IN      A.168.99.100
EOF
# 重启 容器 服务 即可生效
ssh root@.168.99.2
cd /free_cicdfs/composes/bind9
docker-compose restart
# test
ping hub-docker.zk.wh.com
PING hub-docker.zk.wh.com (.168.99.100) 56(84) bytes of data.
 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms
 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms