Setting up a DNS server with docker-bind

  • Use docker-bind to set up a private DNS server so that servers across the internal cluster can be managed, and services configured, by domain name
  • The instructions below are based on Ubuntu 20.04; to build a Docker image that runs on a Raspberry Pi, see the referenced article

Configuration and installation

Local DNS configuration

sudo nano /etc/systemd/resolved.conf

# Change the file to the following
# Assume the server running docker-bind has the IP address 192.168.3.37
[Resolve]
DNS=192.168.3.37
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no
DNSStubListener=no
#ReadEtcHosts=yes

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
  • Reference: how to free port 53 used by systemd-resolved

  • After this configuration, /etc/resolv.conf contains:

    # This file is managed by man:systemd-resolved(8). Do not edit.
    #
    # This is a dynamic resolv.conf file for connecting local clients directly to
    # all known uplink DNS servers. This file lists all configured search domains.
    #
    # Third party programs must not access this file directly, but only through the
    # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
    # replace this symlink by a static file or a different symlink.
    #
    # See man:systemd-resolved.service(8) for details about the supported modes of
    # operation for /etc/resolv.conf.
    
    nameserver 192.168.3.37
    nameserver 192.168.3.1
    • The first entry is the bind DNS server we set up
    • The second entry is the DNS server of the local subnet's gateway
    • Note that this order must not change; if the contents differ, delete /etc/resolv.conf and re-run sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
    • If /run/systemd/resolve/resolv.conf does not exist, systemctl disable systemd-resolved and service systemd-resolved stop have been run at some point; run systemctl enable systemd-resolved and service systemd-resolved start, then reboot

Installing docker-bind

On the server in the cluster chosen to host the DNS server, run the following commands

# Pull the image before shutting down the local resolver service
docker pull sameersbn/bind:9.16.1-20200524
# Deploy the bind service in a Docker container
# (no whitespace may follow the trailing backslashes, or the line continuation breaks)
docker run \
--name bind \
-d \
--restart=always \
--publish 53:53/tcp \
--publish 53:53/udp \
--publish 10000:10000/tcp \
--volume docker-bind:/data \
sameersbn/bind:9.16.1-20200524

Configuring docker-bind

  1. Servers → BIND DNS Server → Global Server Options → Access Control Lists, add:
    1. allow-query any
  2. Servers → BIND DNS Server → Global Server Options → Forwarding and Transfers → Global forwarding and zone transfer options, add the IP addresses of the forwarding DNS servers:
    1. 8.8.8.8
    2. 8.8.4.4
    3. For now only Google's DNS servers are added. Adding some of the domestic (Chinese) DNS servers (such as AliDNS) actually caused problems (NTP server access failing, and so on)
  3. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone
    1. Zone type: Forward (Names to Addresses)
    2. Domain name / Network: dev
    3. Master server: a.dev
    4. Email address: admin@dev
  4. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone
    1. Zone type: Reverse (Addresses to Names)
    2. Domain name / Network: 192.168.3
    3. Master server: a.dev
    4. Email address: admin@dev
  5. Servers → BIND DNS Server → Existing DNS Zones → dev
    1. Add DNS records under Address
      1. Name: a, Address: 192.168.3.37, click Create; the matching reverse address record is added and updated automatically
      2. Add other DNS records as needed
        1. The container may need to be restarted before newly added DNS records take effect
    2. Servers → BIND DNS Server → Existing DNS Zones → dev → Name Server: confirm that the name server address is present
      1. Zone Name: dev.
      2. Name Server: a.dev.
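The zone data that steps 3 to 5 produce through the Webmin forms, built in code so the forward/reverse relationship is visible. This is an added example, not the post's or docker-bind's own code; host b and the serial number are constructed, and the reverse zone name for the "192.168.3" entry is assumed to be the octet-aligned 3.168.192.in-addr.arpa that Webmin generates.

```python
import ipaddress

ZONE = "dev"
MASTER = "a.dev"
ADMIN_EMAIL = "admin@dev"   # from the page; becomes the SOA RNAME below
# Constructed sample records: host a is from the page, host b is assumed
RECORDS = {"a": "192.168.3.37", "b": "192.168.3.38"}
NETWORK = "192.168.3.0/24"  # the page enters "192.168.3" in Webmin


def rname(email: str) -> str:
    """SOA RNAME: the '@' becomes a dot and the name is fully qualified.
    (A dot inside the local part would need escaping; admin@dev has none.)"""
    user, domain = email.split("@", 1)
    return f"{user}.{domain}."


def reverse_zone_name(network: str) -> str:
    """3.168.192.in-addr.arpa for 192.168.3.0/24 (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def soa(origin: str, serial: int = 2020052401) -> str:
    # refresh, retry, expire and minimum TTL are constructed defaults
    return (f"{origin}. IN SOA {MASTER}. {rname(ADMIN_EMAIL)} "
            f"{serial} 3600 900 604800 86400")


def forward_zone(records: dict) -> list:
    """Zone 'dev': SOA, NS pointing at the master, then one A record per host."""
    lines = [soa(ZONE), f"{ZONE}. IN NS {MASTER}."]
    lines += [f"{name}.{ZONE}. IN A {ip}" for name, ip in records.items()]
    return lines


def reverse_zone(records: dict, network: str) -> list:
    """The PTR records Webmin adds automatically when an A record is created."""
    origin = reverse_zone_name(network)
    lines = [soa(origin), f"{origin}. IN NS {MASTER}."]
    for name, ip in records.items():
        addr = ipaddress.ip_address(ip)
        if addr not in ipaddress.ip_network(network):
            continue  # belongs to a different reverse zone, skip it here
        lines.append(f"{addr.reverse_pointer}. IN PTR {name}.{ZONE}.")
    return lines


if __name__ == "__main__":
    print("\n".join(forward_zone(RECORDS) + reverse_zone(RECORDS, NETWORK)))
```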

Testing

Update the local nameserver setting to the server's IP address and run the following commands to check that the DNS server is working correctly

nslookup www.baidu.com
nslookup a.dev
nslookup b.dev
  • If you get ;; Got recursion not available from 192.168.3.37, trying next server, do the following (a more convenient way is to make the same changes from the dashboard, following the file contents: Servers → BIND DNS Server → Global Server Options → Edit Config File)

    docker cp bind:/etc/bind/named.conf.options ./
    docker cp bind:/etc/bind/named.conf ./
    
    # Edit the two files as follows
    # named.conf
    
    acl trusted {
        192.168.0.0/16;
        10.153.154.0/24;
        localhost;
        localnets;
    };
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    
    # named.conf.options
    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            // forwarders {
            //      0.0.0.0;
            // };
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
            dnssec-validation auto;
    
            listen-on-v6 { any; };
    
            forwarders {
                    8.8.8.8;
                    8.8.4.4;
            };
            allow-query { any; };
            allow-recursion { trusted; };
            allow-query-cache { trusted; };
    };
    
    # Copy the files back into the container
    docker cp ./named.conf.options bind:/etc/bind/named.conf.options
    docker cp ./named.conf bind:/etc/bind/named.conf
    # Restart the container
    docker restart bind
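The "recursion not available" error in the testing step and the acl/allow-recursion settings above are two sides of one rule: only clients inside the trusted ACL get recursion, everyone else is answered authoritatively only. The following added example (not code from the post or from docker-bind) evaluates that ACL for a given client address; the config excerpt is a constructed copy of the two files, and localnets, which BIND derives from the server's interfaces, is assumed to be the 192.168.3.0/24 segment the docker-bind host sits on.

```python
import ipaddress
import re

# Constructed excerpt of named.conf / named.conf.options as written on the page
NAMED_CONF = """
acl trusted {
    192.168.0.0/16;
    10.153.154.0/24;
    localhost;
    localnets;
};
options {
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""
# Assumption: the server's only interface is on 192.168.3.0/24 (see lead-in)
LOCALNETS = ["192.168.3.0/24"]
BUILTIN = {"localhost": ["127.0.0.0/8", "::1/128"], "localnets": LOCALNETS,
           "any": ["0.0.0.0/0", "::/0"], "none": []}


def parse_lists(conf: str) -> dict:
    """Map every 'name { a; b; };' block (acl or option) to its list of entries.
    Nested blocks like options { ... } are skipped; their inner lists are kept."""
    lists = {}
    for m in re.finditer(r"(?:acl\s+)?([\w-]+)\s*\{([^{}]*)\}\s*;", conf):
        lists[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return lists


def expand(lists: dict, name: str, seen: tuple = ()) -> list:
    """Flatten an ACL entry into networks, following references and built-ins.
    Negated ('!') entries are not handled; the page's ACL has none."""
    if name in seen:
        raise ValueError(f"circular ACL reference: {name}")
    if name in BUILTIN:
        return [ipaddress.ip_network(n) for n in BUILTIN[name]]
    if name in lists:
        return [n for e in lists[name] for n in expand(lists, e, seen + (name,))]
    return [ipaddress.ip_network(name, strict=False)]  # bare address or CIDR


def recursion_allowed(conf: str, client_ip: str) -> bool:
    """True if the client matches allow-recursion, i.e. would not see
    'Got recursion not available' for names outside the dev zone."""
    nets = expand(parse_lists(conf), "allow-recursion")
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in nets)
```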

References

  1. sameersbn / docker-bind
  2. Setup Bind DNS Using Webmin on Debian 10
  3. Configuring a BIND DNS server with Webmin on CentOS 8
  4. DNS Forwarder and Transfer using Bind and Webmin
  5. BIND DNS Server
  6. Notes on using BIND DNS (forwarding)