docker使用bind9实现域名解析

目录

• 刷新服务
• 修改配置文件
• 从 114 缓存 查询 数据
• 可以 dig 无法 ping
• 查看 已经 区域 解析，并添加 新的 解析 项
• 在 linux 安装 局域网 cert
• rndc
• 查看 默认的 解析条目
• 添加 自己的 解析条目
• 更新 解析记录

刷新服务

 cd /free_cicdfs0/compose/bind9  docker-compose down; docker-compose up  -d   

修改配置文件

新版本 配置文件 大致结构发生了一些改变

cat /free_cicdfs0/data/bind9/etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local  include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";    

从 114 缓存 查询 数据

 cat > /free_cicdfs0/data/bind9/etc/bind/named.conf.options <<"EOF"  # include "/etc/rndc.key";  controls {     inet 127.0.0.1 port 953     allow { 127.0.0.1; } keys { "rndckey"; }; };  options {          // set no     dnssec-enable no;     dnssec-validation no;      listen-on port 53 { any; };      allow-query { any; };      forwarders {         114.114.114.114;     };   };  EOF  chmod 777 -R  /free_cicdfs0/data/bind9/ chown root:root -R  /free_cicdfs0/data/bind9/  chown root:named -R  /free_cicdfs0/data/bind9/  docker-compose up -d  # log error couldn't add command channel 127.0.0.1#953: file not found   docker cp -a bind9:/etc/bind  /free_cicdfs0/data/bind9/etc/  docker cp -a bind9:/var/lib/bind  /free_cicdfs0/data/bind9/var/lib/  

可以 dig 无法 ping

broken trust chain resolving 'baidu.com/AAAA/IN': 114.114.114.114#53  解决: 由于是局域网内非法DNS,所以将DNS安全关闭. [root@192-168-174-42 ~]# vim /etc/named.conf 将下面的两项设置为no         dnssec-enable no;         dnssec-validation no;  

查看 已经 区域 解析，并添加 新的 解析 项

 cat /free_cicdfs0/data/bind9/etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." {         type hint;         file "/usr/share/dns/root.hints"; };  // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912  zone "localhost" {         type master;         file "/etc/bind/db.local"; };  zone "127.in-addr.arpa" {         type master;         file "/etc/bind/db.127"; };  zone "0.in-addr.arpa" {         type master;         file "/etc/bind/db.0"; };  zone "255.in-addr.arpa" {         type master;         file "/etc/bind/db.255"; };  

https://nginx164190.zk.wh.com/

192.168.164.190 nginx164190.zk.wh.com

在 linux 安装 局域网 cert

# 添加 解析 条目 vi /etc/hosts 192.168.164.190  nginx164190.zk.wh.com   [root@node01 ~]# curl https://nginx164190.zk.wh.com/ curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html  curl performs SSL certificate verification by default, using a "bundle"  of Certificate Authority (CA) public keys (CA certs). If the default  bundle file isn't adequate, you can specify an alternate file  using the --cacert option.   curl -o install_cert_linux.zip http://192.168.164.190:40080/install_cert_linux.zip unzip install_cert_linux.zip  cd install_cert_linux ./install_cert.sh  # 测试 效果 curl https://nginx164190.zk.wh.com/ <html> <head><title>Index of /</title></head> <body> <h1>Index of /</h1><hr><pre><a href="../">../</a> <a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a>                            18-Aug-2021 08:53    1464 <a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a>                            18-Aug-2021 08:53    1464 <a href="install_cert_linux.zip">install_cert_linux.zip</a>                             19-Aug-2021 07:30      2M <a href="rootCA-key.pem">rootCA-key.pem</a>                                     18-Aug-2021 08:53    2488 <a href="rootCA.pem">rootCA.pem</a>                                         18-Aug-2021 08:53    1635 <a href="test">test</a>                                               18-Aug-2021 08:47       7 </pre><hr></body> </html>   

rndc

1、953端口是rndc 的端口

2、rndc是监控bind的统计数据用的,同时不需要为了更新某个zone而重启bind

查看 默认的 解析条目

cat /etc/bind/named.conf.default-zones // prime the server with knowledge of the root servers zone "." {         type hint;         file "/usr/share/dns/root.hints"; };  // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912  zone "localhost" {         type master;         file "/etc/bind/db.local"; };  zone "127.in-addr.arpa" {         type master;         file "/etc/bind/db.127"; };  zone "0.in-addr.arpa" {         type master;         file "/etc/bind/db.0"; };  zone "255.in-addr.arpa" {         type master;         file "/etc/bind/db.255"; };  

添加 自己的 解析条目

 多台 dns 之间 进行 协同 SOA NS  # A 代表 解析到 ipv4 @       IN      A       127.0.0.1  # A 代表 解析到 ipv6 @       IN      AAAA    ::1  # ptr 代表 逆向解析 1.0.0   IN      PTR     localhost.  

cat /etc/bind/named.conf // This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local  include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";  // add you zones include "/etc/bind/named.conf.my-zones";   # 模仿 /etc/bind/named.conf.default-zones 书写 新的 解析记录 cat > /etc/bind/named.conf.my-zones <<"EOF"  zone "zk.wh.com" {         type master;         file "/etc/bind/db.zk.wh.com"; };  zone "192.in-addr.arpa" {         type master;         file "/etc/bind/db.192"; };  EOF  # 模仿db 文件 cat /etc/bind/db.local ; ; BIND data file for local loopback interface ; $TTL    604800 @       IN      SOA     localhost. root.localhost. (                               2         ; Serial                          604800         ; Refresh                           86400         ; Retry                         2419200         ; Expire                          604800 )       ; Negative Cache TTL ; @       IN      NS      localhost. @       IN      A       127.0.0.1 @       IN      AAAA    ::1   cat > /etc/bind/db.zk.wh.com <<"EOF" $TTL 86400 @ IN SOA localhost. root.localhost. (         1  ; Serial     604800  ; Refresh     86400  ; Retry    2419200  ; Expire     86400 ) ; Negative Cache TTL ; @ IN NS localhost. nginx164190       IN      A       192.168.164.190 zcloud164190       IN      A       192.168.164.190   EOF   # 模仿 逆解 文件 cat /etc/bind/db.127 ; ; BIND reverse data file for local loopback interface ; $TTL    604800 @       IN      SOA     localhost. root.localhost. (                               1         ; Serial                          604800         ; Refresh                           86400         ; Retry                         2419200         ; Expire                          604800 )       ; Negative Cache TTL ; @       IN      NS      localhost. 1.0.0   IN      PTR     localhost.   cat > /etc/bind/db.192 <<"EOF" $TTL 86400 @ IN SOA localhost. root.localhost. (         1  ; Serial     604800  ; Refresh     86400  ; Retry    2419200  ; Expire     86400 ) ; Negative Cache TTL ; @ IN NS localhost. 190.164.168   IN      PTR     nginx164190.  EOF  

更新 解析记录

 # 局域网 x509 证书 无法 信任 多重域名 # Reminder: X.509 wildcards only go one level deep, so this won't match a.b.zk.wh.com ℹ️ cat > /free_cicdfs0/data/bind9/etc/bind/db.zk.wh.com <<"EOF" $TTL 86400 @ IN SOA localhost. root.localhost. (         1  ; Serial     604800  ; Refresh     86400  ; Retry    2419200  ; Expire     86400 ) ; Negative Cache TTL ; @ IN NS localhost. nginx164190       IN      A       192.168.164.190 zcloud164190      IN      A       192.168.164.190 hub-docker        IN      A       192.168.99.100 EOF   # 重启 容器 服务 即可生效 ssh root@192.168.99.2 cd /free_cicdfs0/composes/bind9 docker-compose restart    # test ping hub-docker.zk.wh.com PING hub-docker.zk.wh.com (192.168.99.100) 56(84) bytes of data. 64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms 64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms    

有兴趣的同学欢迎进群交流