Setting up a DNS server with docker-bind

  • Use docker-bind to run a private DNS server so that the servers in the whole internal cluster can be managed, and services configured, by domain name
  • The instructions below are for Ubuntu 20.04; to build a docker image that runs on a Raspberry Pi, see the referenced article

Configuration and installation

Local DNS configuration

sudo nano /etc/systemd/resolved.conf

# Change the file to the following
# Assume the IP address of the server running docker-bind is 192.168.3.37
[Resolve]
DNS=192.168.3.37
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no
DNSStubListener=no
#ReadEtcHosts=yes

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
  • Reference: how to free port 53 used by systemd-resolved

  • After this configuration, the contents of /etc/resolv.conf are:

    # This file is managed by man:systemd-resolved(8). Do not edit.
    #
    # This is a dynamic resolv.conf file for connecting local clients directly to
    # all known uplink DNS servers. This file lists all configured search domains.
    #
    # Third party programs must not access this file directly, but only through the
    # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
    # replace this symlink by a static file or a different symlink.
    #
    # See man:systemd-resolved.service(8) for details about the supported modes of
    # operation for /etc/resolv.conf.
    
    nameserver 192.168.3.37
    nameserver 192.168.3.1
    • The first entry is the DNS server we built with bind
    • The second is the DNS server of the local subnet's gateway
    • Note that this order must not change; if the contents are not as shown, you can delete /etc/resolv.conf and re-run sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
    • If /run/systemd/resolve/resolv.conf does not exist, systemctl disable systemd-resolved and service systemd-resolved stop have been run at some point; run systemctl enable systemd-resolved and service systemd-resolved start, then reboot
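The two files above are easy to get subtly wrong (stub listener left on, nameservers in the wrong order), so here is a small check script. It is an added example, not part of the original post: it defines the checks as functions, runs them on constructed copies of resolved.conf and resolv.conf, and assumes the docker-bind host address 192.168.3.37 from the post.

```shell
#!/bin/sh
# Added example, not from the original post: check a resolved.conf and a
# resolv.conf against the layout the steps above expect. BIND_IP is the
# assumed address of the docker-bind host used throughout the post.
BIND_IP="192.168.3.37"

# Print the first "nameserver" entry of a resolv.conf-style file ($1).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed when the first nameserver in file $2 is $1. Order matters: the
# bind server must come before the gateway's resolver, or lookups for the
# private "dev" zone fall through to a server that has never heard of it.
check_resolver_order() {
    [ "$(first_nameserver "$2")" = "$1" ]
}

# Succeed when resolved.conf ($1) points DNS= at $2 and disables the stub
# listener, which is what frees port 53 on the host for the bind container.
check_resolved_conf() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^DNS=$pat([[:space:]]|\$)" "$1" && grep -q '^DNSStubListener=no' "$1"
}

# Demo on constructed copies of the two files (the real ones live in /etc).
demo() {
    dir=$(mktemp -d)
    printf 'nameserver %s\nnameserver 192.168.3.1\n' "$BIND_IP" > "$dir/resolv.conf"
    printf '[Resolve]\nDNS=%s\nDNSStubListener=no\n' "$BIND_IP" > "$dir/resolved.conf"
    if check_resolver_order "$BIND_IP" "$dir/resolv.conf"; then
        echo "resolv.conf: $BIND_IP is queried first"
    else
        echo "resolv.conf: wrong order, relink /etc/resolv.conf as described above" >&2
    fi
    if check_resolved_conf "$dir/resolved.conf" "$BIND_IP"; then
        echo "resolved.conf: DNS=$BIND_IP and stub listener off"
    else
        echo "resolved.conf: stub listener still enabled or DNS= not set" >&2
    fi
    rm -rf "$dir"
}
demo
```

To check the real files, call check_resolver_order "$BIND_IP" /etc/resolv.conf and check_resolved_conf /etc/systemd/resolved.conf "$BIND_IP" instead of the demo.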

Installing docker-bind

Choose the server in the cluster that will host the DNS server and run the following commands:

# Pull the image before the local resolver service is shut down
docker pull sameersbn/bind:9.16.1-20200524
# Deploy the bind service in a docker container
docker run \
--name bind \
-d \
--restart=always \
--publish 53:53/tcp \
--publish 53:53/udp \
--publish 10000:10000/tcp \
--volume docker-bind:/data \
sameersbn/bind:9.16.1-20200524

Configuring docker-bind

  1. Servers → BIND DNS Server → Global Server Options → Access Control Lists, add:
    1. allow-query any
  2. Servers → BIND DNS Server → Global Server Options → Forwarding and Transfers → Global forwarding and zone transfer options, add the IP addresses of the forwarding DNS servers:
    1. 8.8.8.8
    2. 8.8.4.4
    3. For now only Google's DNS has been added. Adding some of the domestic DNS servers (such as AliDNS) actually causes problems (NTP server access fails, and so on)
  3. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone
    1. Zone type: Forward (Names to Addresses)
    2. Domain name / Network: dev
    3. Master server: a.dev
    4. Email address: admin@dev
  4. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone
    1. Zone type: Reverse (Addresses to Names)
    2. Domain name / Network: 192.168.3
    3. Master server: a.dev
    4. Email address: admin@dev
  5. Servers → BIND DNS Server → Existing DNS Zones → dev
    1. Add DNS records under Address
      1. Name: a, Address: 192.168.3.37, click Create; the reverse address record is added and updated automatically
      2. Add other DNS records as needed
        1. The container may need to be restarted before newly added DNS records take effect
    2. Servers → BIND DNS Server → Existing DNS Zones → dev → Name Server, confirm that the name server address exists
      1. Zone Name: dev.
      2. Name Server: a.dev.
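What the Webmin steps above produce is two ordinary zone files, and seeing them makes the "reverse record is added automatically" step concrete. The script below is an added example, not from the original post or the sameersbn/bind image: it writes the forward zone dev and the reverse zone for 192.168.3 by hand, adds a host to both, and looks the PTR back up. The file names, SOA serial and timer values are assumptions; the zone names, name server and addresses are the post's.

```shell
#!/bin/sh
# Added example, not from the original post or the sameersbn/bind image:
# writes the forward zone "dev" and the reverse zone for 192.168.3 and adds
# a host to both, which is what Webmin does behind the "Create" button.
# File names, serial and timer values are assumptions.
ZONE="dev"                  # forward zone from the post
NET="192.168.3"             # /24 reverse zone from the post
NS="a.$ZONE."               # master name server from the post
ADMIN="admin.$ZONE."        # admin@dev written the way zone files expect

# Turn a /24 prefix such as 192.168.3 into its in-addr.arpa zone name.
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Write the SOA and NS records that every zone needs into file $1.
init_zone() {
    cat > "$1" <<EOF
\$TTL 3600
@   IN SOA  $NS $ADMIN ( 2024010101 3600 900 604800 300 )
@   IN NS   $NS
EOF
}

# Add host $1 with address $2: an A record to forward file $3 and the
# matching PTR to reverse file $4. Refuses addresses outside $NET.0/24,
# since the reverse zone cannot hold them.
add_host() {
    case "$2" in
        "$NET".*) ;;
        *) echo "add_host: $2 is not in $NET.0/24" >&2; return 1 ;;
    esac
    printf '%s   IN A    %s\n' "$1" "$2" >> "$3"
    printf '%s   IN PTR  %s.%s.\n' "${2##*.}" "$1" "$ZONE" >> "$4"
}

# Print the name that reverse file $2 maps address $1 to (empty if none).
ptr_for() {
    awk -v o="${1##*.}" '$1 == o && $3 == "PTR" { print $4 }' "$2"
}

# Demo: the two zones from the post with host "a" added to both.
demo() {
    dir=$(mktemp -d)
    fwd="$dir/$ZONE.hosts"
    rev="$dir/$(reverse_zone "$NET").hosts"
    init_zone "$fwd"
    init_zone "$rev"
    add_host a 192.168.3.37 "$fwd" "$rev"
    echo "--- $fwd"; cat "$fwd"
    echo "--- $rev"; cat "$rev"
    echo "192.168.3.37 reverses to: $(ptr_for 192.168.3.37 "$rev")"
    rm -rf "$dir"
}
demo
```

Keeping the A and PTR records in step is the whole point of the reverse zone; a host that is renamed or re-addressed in only one of the two files is exactly the kind of stale record the "restart the container" note above will not fix.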

Testing

Update the local nameserver settings to the server's IP address and run the following commands to check that the DNS server is working properly:

nslookup www.baidu.com
nslookup a.dev
nslookup b.dev
  • If you get the error ;; Got recursion not available from 192.168.3.37, trying next server, perform the steps below (a more convenient way is to make the same changes from the dashboard, following the file contents: Servers → BIND DNS Server → Global Server Options → Edit Config File)

    docker cp bind:/etc/bind/named.conf.options ./
    docker cp bind:/etc/bind/named.conf ./
    
    # Edit the two files as follows
    # named.conf
    
    acl trusted {
        192.168.0.0/16;
        10.153.154.0/24;
        localhost;
        localnets;
    };
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    
    # named.conf.options
    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            // forwarders {
            //      0.0.0.0;
            // };
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
    
            dnssec-validation auto;
    
            listen-on-v6 { any; };
    
            forwarders {
                    8.8.8.8;
                    8.8.4.4;
            };
            allow-query { any; };
            allow-recursion { trusted; };
            allow-query-cache { trusted; };
    };
    
    # Write the files back into the container
    docker cp ./named.conf.options bind:/etc/bind/named.conf.options
    docker cp ./named.conf bind:/etc/bind/named.conf
    # Restart the container
    docker restart bind
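The directive that fixes the "recursion not available" error is allow-recursion. BIND's built-in default for it is { localnets; localhost; }, and from inside the container the LAN is not a local network, so the LAN's queries get refused; the fix above grants recursion to a named ACL listing the internal networks rather than to any, which with port 53 published on all interfaces would turn the host into an open resolver the moment it is reachable from outside. The script below is an added example, not from the original post: it writes the two files the fix arrives at (only the directives the post changes) and then checks any options file for an allow-recursion block that is open to the world. The networks and forwarders are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: builds the named.conf and
# named.conf.options the fix above arrives at, then inspects an options file
# for the one directive that decides between a LAN resolver and an open
# resolver: allow-recursion. Networks and forwarders are the post's values.
TRUSTED="192.168.0.0/16; 10.153.154.0/24; localhost; localnets;"
FORWARDERS="8.8.8.8; 8.8.4.4;"

# Write a minimal named.conf ($1) carrying the trusted ACL and a matching
# named.conf.options ($2). Only the directives the post changes are emitted.
write_config() {
    cat > "$1" <<EOF
acl trusted { $TRUSTED };
include "/etc/bind/named.conf.options";
EOF
    cat > "$2" <<EOF
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        listen-on-v6 { any; };
        forwarders { $FORWARDERS };
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
};
EOF
}

# Print the entries of the allow-recursion block in options file $1, one
# per line, or nothing when the directive is absent. The file is flattened
# first so a block spread over several lines is handled too.
allow_recursion_acl() {
    tr '\n' ' ' < "$1" \
      | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | tr ';' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Succeed unless recursion is open to the world. An absent directive keeps
# BIND's restrictive default; "any" or 0.0.0.0/0 fails the check.
recursion_is_restricted() {
    allow_recursion_acl "$1" | grep -Eq '^(any|0\.0\.0\.0/0)$' && return 1
    return 0
}

# Demo: the hardened file from the post next to an "any" variant.
demo() {
    dir=$(mktemp -d)
    write_config "$dir/named.conf" "$dir/named.conf.options"
    echo "hardened options allow recursion for: $(allow_recursion_acl "$dir/named.conf.options" | tr '\n' ' ')"
    recursion_is_restricted "$dir/named.conf.options" && echo "hardened: recursion restricted"
    # The weak variant: recursion granted to every client allowed to query.
    sed 's/allow-recursion { trusted; };/allow-recursion { any; };/' \
        "$dir/named.conf.options" > "$dir/open.options"
    recursion_is_restricted "$dir/open.options" || echo "open.options: open resolver, do not deploy" >&2
    rm -rf "$dir"
}
demo
```

Run recursion_is_restricted against the named.conf.options copied out of the container (docker cp bind:/etc/bind/named.conf.options ./) before copying it back; allow-query { any; } on its own is harmless for the authoritative dev zone, it is the recursion grant that matters.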

References

  1. sameersbn / docker-bind
  2. Setup Bind DNS Using Webmin on Debian 10
  3. Configuring a BIND DNS server with Webmin on CentOS 8
  4. DNS Forwarder and Transfer using Bind and Webmin
  5. BIND DNS Server
  6. Notes on using BIND for DNS (forwarding)