BIND smart DNS + BindUI management system (MySQL + BIND DLZ)
Published: 2019-06-14

# Software environment

* CentOS 7.6

* bind-9.14.1.tar.gz

* mariadb-server-5.5.60

* python 3.7

* django 2.2.1

QPS: 2400 qps on a single node

 

# BindUI management system

https://github.com/cucker0/BindUI

For installation details see https://www.cnblogs.com/linkenpark/p/10862347.html

 

# Installing bind

```bash
cd /usr/local/src

wget http://ftp.isc.org/isc/bind9/9.14.1/bind-9.14.1.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz

yum -y install ncurses ncurses-devel zlib perl mariadb-server mariadb mariadb-devel --skip-broken

cd /usr/local/src
tar -zxvf openssl-1.0.2r.tar.gz; cd openssl-1.0.2r; ./config; make; make install

tar -zxvf bind-9.14.1.tar.gz
cd /usr/local/src/bind-9.14.1

# linker flags, e.g. -L<lib dir>: the directory that holds the mysql libraries; find it with "mysql_config --libs"
export LDFLAGS=-L/usr/lib64/mysql

./configure --prefix=/usr/local/bind_9.14.1 --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r

# configure line for bind-9.12.1, which still has the threads switch; bind-9.13 and bind-9.14 no longer accept this option
./configure --prefix=/usr/local/bind --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r
# --enable-threads=no disables multithreading

make; make install
ln -s /usr/local/bind_9.14.1 /usr/local/bind

groupadd -g 25 named
useradd named -M -u 25 -g 25 -s /sbin/nologin

chown -R named:named /usr/local/bind/var
mkdir -p /var/log/named /etc/named/conf.d; chown -R named.named /var/log/named
```

 

systemd unit file

cat /usr/lib/systemd/system/named.service

```ini
[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target

[Service]
Type=forking
PIDFile=/usr/local/bind/var/named.pid
ExecStart=/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf
ExecReload=/bin/sh -c '/usr/local/bind/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/local/bind/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

In `/usr/local/bind/sbin/named -n 1`, `-n` sets the number of worker threads (here 1).

Notes

* With bind-9.12.1 and MySQL as the backend, a single thread is faster. In our tests, starting named with 2 or 4 threads (on a 4-core server) was extremely slow: almost every query timed out.

* bind-9.12.1 dlz + mariadb-server-5.5.60 reaches about 600 qps single-threaded; a cluster of 5 bind instances reaches about 2700 qps.

* bind-9.14.1 dlz + mariadb-server-5.5.60 reaches about 2400 qps single-threaded, and configuring several threads performs the same as one thread.

* To print verbose debug output while troubleshooting, run `/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf -d 4 -g`

 

Configuring bind

```bash
cd /usr/local/bind/etc/

/usr/local/bind/sbin/rndc-confgen > rndc.conf
# cat rndc.conf > rndc.key    # (commented out) alternative: keep the key in rndc.key

ln -s /usr/local/bind/etc /etc/named

# take the sample named.conf lines that rndc-confgen appends as comments and uncomment them;
# the result looks like the block below
tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf
```

```
key "rndc-key" {
    algorithm hmac-sha256;
    secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

 

cat /etc/named/named.conf

```
key "rndc-key" {
    algorithm hmac-sha256;
    secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";
};
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { any; };    # listen on port 53; "any" accepts connections on every address
    directory "/usr/local/bind/var";
    dump-file "/usr/local/bind/var/named_dump.db"; # file written by "rndc dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]"
    pid-file "named.pid";  # holds the pid of the named process
    allow-query { any; };     # allow queries from any IP
    allow-query-cache { any; }; # allow cache queries from any IP (with recursion on and forwarders set this makes the server an open resolver; restrict it to known client ranges in production)
    recursive-clients 60000;
    forwarders {  # public DNS servers to forward to
        202.96.128.86;
        223.5.5.5;
    };
    forward only; # resolve only through the forwarders; if they cannot answer, the client gets a failure
    # forward first; try the forwarders first and fall back to local resolution if they cannot answer
    max-cache-size 4g;
    dnssec-enable no; # bind 9.13/9.14 need DNSSEC turned off when forwarding, otherwise forwarding fails with "broken trust chain"
    dnssec-validation no; # bind 9.13/9.14 need DNSSEC validation turned off when forwarding
};
logging {
    channel query_log {    # query log
        file "/var/log/named/query.log" versions 20 size 300m;
        severity info;
        print-time yes;
        print-category yes;
    };
    channel error_log {    # error log
        file "/var/log/named/error.log" versions 3 size 10m;
        severity notice;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries { query_log; };
    category default { error_log; };
};
# acl
include "/etc/named/conf.d/cn_dx.acl";
include "/etc/named/conf.d/cn_lt.acl";
include "/etc/named/conf.d/cn_yd.acl";
include "/etc/named/conf.d/cn_jy.acl";
include "/etc/named/conf.d/cn.acl";
# view
include "/etc/named/conf.d/cn_dx.conf";
include "/etc/named/conf.d/cn_lt.conf";
include "/etc/named/conf.d/cn_yd.conf";
include "/etc/named/conf.d/cn_jy.conf";
include "/etc/named/conf.d/cn.conf";
include "/etc/named/conf.d/default.conf";    # the default view goes last
```

 

 

Log levels:

In a channel definition, severity selects the lowest level of message that is recorded. BIND has the following levels, in decreasing order of severity:

* critical
* error
* warning
* notice
* info
* debug [ level ]
* dynamic

versions 20: keep 20 rotated log files

 

ACL configuration:

IP lists: https://ip.cn/chnroutes.html

Example:

cat cn_yd.acl

```
# China Mobile
# 2017101711, 74 routes
acl cn_yd {
36.128.0.0/10;
39.128.0.0/10;
42.83.200.0/23;
43.239.172.0/22;
43.241.112.0/22;
43.251.244.0/22;
45.121.68.0/22;
45.121.72.0/22;
45.121.172.0/22;
45.121.176.0/22;
45.122.96.0/21;
45.123.152.0/22;
45.124.36.0/22;
45.125.24.0/22;
58.83.240.0/21;
59.153.68.0/22;
61.14.244.0/22;
103.20.112.0/22;
103.21.176.0/22;
103.35.104.0/22;
103.37.176.0/23;
103.40.12.0/22;
103.43.124.0/22;
103.45.160.0/22;
103.61.156.0/22;
103.61.160.0/22;
103.62.24.0/22;
103.62.204.0/22;
103.62.208.0/22;
103.83.72.0/22;
103.192.0.0/22;
103.192.144.0/22;
103.193.140.0/22;
103.205.116.0/22;
103.227.48.0/22;
111.0.0.0/10;
111.235.182.0/24;
112.0.0.0/10;
114.66.68.0/22;
117.128.0.0/10;
118.187.40.0/21;
118.191.248.0/21;
118.194.165.0/24;
120.192.0.0/10;
121.255.0.0/16;
131.228.96.0/24;
163.53.56.0/22;
183.192.0.0/10;
202.141.176.0/20;
211.103.0.0/17;
211.136.0.0/13;
211.148.224.0/19;
211.155.236.0/24;
218.200.0.0/13;
221.130.0.0/15;
221.176.0.0/19;
221.176.32.0/20;
221.176.48.0/21;
221.176.56.0/24;
221.176.58.0/23;
221.176.60.0/22;
221.176.64.0/18;
221.176.128.0/17;
221.177.0.0/16;
221.178.0.0/15;
221.180.0.0/14;
223.64.0.0/11;
223.96.0.0/12;
223.112.0.0/14;
223.116.0.0/15;
223.118.2.0/24;
223.118.10.0/24;
223.118.18.0/24;
223.120.0.0/13;
};
```

The other ACL files are similar.
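As an added example (not part of the original post or of BindUI), the following Python parses an acl file in the format shown above and reproduces the first-match view selection that named applies to `match-clients`; the `cn_yd` excerpt is constructed from three of the prefixes above. Since `allow-query` is `any` in this setup, the ACLs are the only thing deciding which view, and therefore which resolution line, a client is served from, and a view matching `any` placed before the others would shadow them.

```python
import ipaddress
import re

# Constructed excerpt of an acl file in the format used on this page
# (three of the China Mobile prefixes, for illustration only).
CN_YD_ACL = """
# China Mobile
# 2017101711, 74 routes
acl cn_yd {
36.128.0.0/10;
111.0.0.0/10;
223.120.0.0/13;
};
"""

def parse_acl(text):
    """Return {acl_name: [ip_network, ...]} for each 'acl name { ...; };' block.
    '#' comment lines are dropped; strict=True rejects a prefix whose host bits
    are set (e.g. 36.129.0.0/10) so a malformed entry fails loudly instead of
    matching a range nobody intended."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    acls = {}
    for name, entries in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', body):
        acls[name] = [ipaddress.ip_network(e.strip(), strict=True)
                      for e in entries.split(";") if e.strip()]
    return acls

def select_view(client_ip, views, acls):
    """views is the ordered list of (view_name, acl_name) as the views appear in
    named.conf; the first view whose match-clients accepts the address wins,
    which is why the view using the built-in 'any' acl has to come last."""
    ip = ipaddress.ip_address(client_ip)
    for view_name, acl_name in views:
        if acl_name == "any" or any(ip in net for net in acls[acl_name]):
            return view_name
    return None  # no view matched; named would refuse the query
```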

 

View configuration:

The database account used for the connection only needs read-only privileges.

cat cn_yd.conf       # match-clients must reference the acl defined above

```
view "cn_yd" {
    match-clients { cn_yd; };
    dlz "Mysql zone" {
        database "mysql
        {host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}
        {select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}
        {select ttl, type, mx_priority,
            case when lower(type)='txt' then
                concat('\"', data, '\"')
            when lower(type) = 'soa' then
                concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
            else
                data
            end
            from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id
                and DnsRecord_zonetag.zone_name = '$zone$'
                and DnsRecord_record.host = '$record$'
            where DnsRecord_zonetag.status = 'on'
                and DnsRecord_record.status = 'on'
                and (DnsRecord_record.resolution_line = '103' or DnsRecord_record.resolution_line = '0')
        }
        ";
    };
};
```

Note: the value compared against DnsRecord_record.resolution_line here must be the same value defined in BindUI, since that is what distinguishes the resolution lines.

The other view files are similar.

 

cat default.conf    # the default view; the built-in acl "any" matches everyone and needs no definition, so the default view must be the last view in the configuration

```
view "default" {
    match-clients { any; };
    dlz "Mysql zone" {
        database "mysql
        {host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}
        {select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}
        {select ttl, type, mx_priority,
            case when lower(type)='txt' then
                concat('\"', data, '\"')
            when lower(type) = 'soa' then
                concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
            else
                data
            end
            from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id
                and DnsRecord_zonetag.zone_name = '$zone$'
                and DnsRecord_record.host = '$record$'
            where DnsRecord_zonetag.status = 'on'
                and DnsRecord_record.status = 'on'
                and DnsRecord_record.resolution_line = '0'
        }
        ";
    };
};
```
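To see what the per-view lookup queries above actually return, here is an added Python example (not BindUI's code; the table layout is assumed from the columns the query names) that loads constructed records into an in-memory SQLite copy of DnsRecord_zonetag / DnsRecord_record, emulates MySQL's concat/concat_ws, and runs the page's query with the cn_yd filter (line 103 or 0) and the default filter (line 0).

```python
import sqlite3

# The DLZ lookup query from the view configs on this page, as it reaches MySQL once
# named.conf quoting is stripped (\" becomes "). {line} takes the view's
# resolution_line filter; BIND itself substitutes $zone$ and $record$ per query.
LOOKUP_SQL = """
select ttl, type, mx_priority,
    case when lower(type)='txt' then concat('"', data, '"')
         when lower(type)='soa' then
             concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)
         else data end
from DnsRecord_zonetag inner join DnsRecord_record
    on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id
    and DnsRecord_zonetag.zone_name = '$zone$'
    and DnsRecord_record.host = '$record$'
where DnsRecord_zonetag.status = 'on' and DnsRecord_record.status = 'on'
    and ({line})
"""
CN_YD_LINE = "DnsRecord_record.resolution_line = '103' or DnsRecord_record.resolution_line = '0'"
DEFAULT_LINE = "DnsRecord_record.resolution_line = '0'"

def make_db():
    """In-memory SQLite stand-in for the two BindUI tables (schema assumed from the
    columns the query names); MySQL's concat/concat_ws are emulated for the demo."""
    db = sqlite3.connect(":memory:")
    db.create_function("concat", -1, lambda *a: "".join(map(str, a)))
    db.create_function("concat_ws", -1, lambda sep, *a: sep.join(map(str, a)))
    db.executescript("""
        create table DnsRecord_zonetag(id integer, zone_name text, status text);
        create table DnsRecord_record(zone_tag_id integer, host text, type text,
            ttl integer, mx_priority integer, data text, resp_person text, serial text,
            refresh text, retry text, expire text, minimum text,
            resolution_line text, status text);
    """)
    # Constructed sample data: a default A record, a China Mobile (line 103) A record,
    # a disabled record that must never be served, a TXT record and the zone's SOA.
    db.execute("insert into DnsRecord_zonetag values (1, 'example.com', 'on')")
    rows = [
        (1, 'www', 'A', 60, 0, '198.51.100.10', '', '', '', '', '', '', '0', 'on'),
        (1, 'www', 'A', 60, 0, '203.0.113.10', '', '', '', '', '', '', '103', 'on'),
        (1, 'www', 'A', 60, 0, '192.0.2.99', '', '', '', '', '', '', '0', 'off'),
        (1, '@', 'TXT', 300, 0, 'v=spf1 -all', '', '', '', '', '', '', '0', 'on'),
        (1, '@', 'SOA', 3600, 0, 'ns1.example.com.', 'admin.example.com.',
         '2019061401', '3600', '900', '604800', '300', '0', 'on'),
    ]
    db.executemany("insert into DnsRecord_record values (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return db

def dlz_lookup(db, line_filter, zone, record):
    """Fill in the view's line filter and the $zone$/$record$ placeholders, then run it."""
    sql = LOOKUP_SQL.format(line=line_filter).replace("$zone$", zone).replace("$record$", record)
    return db.execute(sql).fetchall()
```

The cn_yd filter returns both the line-103 and the line-0 answer for www while the default filter returns only the line-0 one; the query has no ORDER BY, so BIND receives the rows in whatever order the database produces them.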

 

# Initializing the project

```bash
# initialize the database and create the admin user
python manage.py migrate
python manage.py makemigrations
python manage.py migrate
python manage.py createsuperuser
```

To run it with Django's built-in web server: `python manage.py runserver ipaddr:port`

 

DNS stress testing:

http://www.cnblogs.com/linkenpark/p/8952350.html

DNS statistics and analysis:

Reposted from: https://www.cnblogs.com/linkenpark/p/8950183.html
