Application of smart DNS (Bind dlz) in Enterprises

Source: Internet
Author: User
Tags gz file hmac dnssec nameserver

BKJIA exclusive Article] Editor's note: On the public network, intelligent DNS is used on most second-level domain names and some non-public network domain names. It has been operating quite stably for more than a year. Xiaohui summarized the operation steps and some experiences in deploying and using intelligent DNS over the past year and shared them with you.

Last year, due to the large increase in second-level domain names and the inaccessibility of Bind management, the company deployed a smart DNSBind dlz). At that time, a deployment document was written for record. However, many errors have been found during the past year. Therefore, the second version of this document is released to correct these errors. Updates include:

1. Fixed a serious bug in the web interface where the ns domain name was created.

2. Modify the line on the web interface to China Telecom Netcom MOBILE.

3. You can only add up to 10 records of A, CNAME, MX, and AAAA.

4. Update the IP address Library to the latest version.

5. Use CentOS 5.7.

Smart dns work

I. Introduction to Bind-dlz

The standard DNS server worldwide is BIND. Although it has been circulating for many years, after many modifications, the basic functions of BIND remain unchanged. Unfortunately, there are some bad defects.

  • BIND obtains data from text files, which is prone to problems due to editing errors.
  • BIND needs to load data into the memory. If there are many domains or records, it will consume a lot of memory.
  • When BIND is started, the Zone file will be resolved. For a DNS with more records, it will delay more time.
  • If you recently modified a record, you need to reload or restart the BIND to make the modification take effect, which may affect the client query.

Bind-dlz was born to solve the above defects. It stores zone records in mysql, which is much better managed than in text.

Principles of smart DNS:

When a user resolves a domain name, judge the user's IP address and match it with the IP address table in the DNS server to see whether the user is a telecom or Netcom user, then return the corresponding IP address to the user.

Applicability:

A website must have three lines of access or servers deployed in China Telecom, China Unicom, and China Mobile, so that intelligent dns can be used.

Ii. Intelligent DNS System Service Planning

1. Add the NameServer server to the xinnet or hichina backend)

ns1.zjyxh.com  192.19.13.15ns2.zjyxh.com  192.19.11.3

NS1 is the master, while NS2. The two data are synchronized through mysql.

2. test whether the NS record takes effect

#dig ns www.zjyxh.com#dig www.zjyxh.com +trace

3. Bind-View planning

Www.zjyxh.com Netcom (CNC) 124.133.11.78www.zjyxh.com TELECOM (TELECOM) 58.56.11.153 www.zjyxh.com mobile (ANY) 120.192.11.13

3. Install MySQL Replication on CentOS 5.7

Because Bind-dlz uses MySQL as the carrier of the storage zone, you can use php to operate MySQL. Note: intelligent dns can deploy at least two nameservers for master-slave relationship. Master-slave synchronization uses mysql replication to achieve master-slave synchronization.

First download the latest mysql version and decompress it:

wget http://mirrors.sohu.com/mysql/MySQL-5.1/mysql-5.1.60.tar.gztar zxf mysql-5.1.60.tar.gzcd mysql-5.1.60./configure --prefix=/usr/local/mysql --enable-assembler --with-server-suffix=-DZWWW --enable-thread-safe-client --enable-local-infile --enable-thread-safe-client  --with-big-tables --with-charset=utf8 --with-client-ldflags=-all-static  -with-collation=utf8_general_ci --with-extra-charsets=all --with-mysqld-ldflags=-all-static --with-mysqld-ldflags=-ltcmalloc  --with-mysqld-user=mysql -with-plugins=partition,myisammrg --with-pthread --with-unix-socket-path=/tmp/mysql.sock --without-ndb-debugmake && make install

Put my. cnf under/etc and install the system database.

wget http://autolemp.googlecode.com/files/my.cnfcp support-*/mysql.server /etc/init.d/mysqldcp my.cnf /etc/chmod 744 /etc/init.d/mysqldcd /usr/local/mysqlchown -R mysql:mysql .rm -rf sql-bench mysql-testmkdir -p /data0/mysql/relaylog/mkdir -p /data0/mysql/binlog/chown -R mysql.mysql /data0/mysql/usr/local/mysql/bin/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/data0/mysql/data

The default script starts MySQL. If an error is reported, an error log is displayed in the database directory.

MySQL replication Configuration

1. MySQL Security Settings

* Use the mysqladmin command to change the root user password

# mysqladmin -uroot password 51cto.com

// Set the root password of the MySQL administrator to 51cto.com.

* Use setpassword to change the password:

mysql> set password for root@localhost=password('51cto.com); 

* Directly modify the root user password of the user table

mysql> use mysql; mysql> update user set password=password('51cto.com') where user='root';mysql> flush privileges; 

2. delete default databases and users.

Our database is local, and we only need a local php script to read mysql, so many users do not need it. After mysql initialization, empty users and test Databases are automatically generated, which poses a threat to the database and we will delete all of them.

mysql> drop database test;mysql> use mysql;mysql> delete from db; 
mysql> delete from user where not(host="localhost" anduser="root"); 
mysql> flush privileges;

3. Set permissions on the Master machine, grant the Slave machine FILE and Replication Slave rights, and package the database structure to be synchronized.

Master# ./mysql -u root -p 51cto.comEnter password: Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 2 to server version: 5.1.60Type 'help;'or '\h' for help. Type '\c' to clear the buffer. mysql> GRANT FILE ON*.* TO slaverep@172.19.1.3 IDENTIFIEDBY ‘slaverep’; mysql> GRANT REPLICATION SLAVE ON *.* TO slaverep@172.19.1.3 IDENTIFIEDBY ‘51cto.com’; mysql> Flush privilege;

Grant "192.19.11.3", that is, the Server Load balancer instance has the File Permission. This version of 5.1.60 seems to have changed the replication permission. It is not enough to grant the Server Load balancer instance the File Permission, you must also grant the replication slave permission to it.

Import the Master to CDN. Create CDN data structure for SQL files

# Mysql-uroot-p 51cto.com mysql> create database cdn; mysql> \ q # mysql cdn-uroot-p 51cto.com <cdn. SQL # location of the cdn. SQL File

In this way, the master has the data structure of the CDN library.

Same as Slave. This will not be repeated.

Then, set my. cnf of the Master server to start the Mysql service.

Master# vi /etc/my.cnf 

Add or modify the following content in [mysqld:

[Mysqld] log-bin =/home/data/mysql/data/binlog # Open the logbin option to write data to the slave I/O thread; server-id = 1 # indicates that the serial number of the local machine is 1, which is generally the meaning of the master. binlog-do-db = cdn # indicates synchronizing cdn databases;

Restart the MySQL of the Master server.

Master# service mysqld restart

4. modify my. cnf of the Slave server

Slave# vi /etc/my.cnf 

Add or modify the following content in [mysqld:

[Mysqld] master-host = 192.19.13.15master-user = slaverepmaster-password = 51cto. commaster-port = 3306server-id = 10master-connect-retry = cdn [database to be updated] log-slave-updates

5. Delete master.info from the Slave database directory.

Slave# rm -f master.info 

6. Restart the MySQL service of Slave.

Slave# service mysqld restart

7. Test

First, check whether the cdn in the two MySQL databases is normal. Normally, MySQL in the Master and Slave both have the same cdn database and the data in it is the same. Then, test whether the replication function is available. Add a data entry to the reptest database in the Master:

Master# mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g.Your MySQL connection id is 12 to server version: 5.1.60Type 'help;'or '\h' for help. Type '\c' to clear the buffer. mysql> use cdn;Database changedmysql> INSERT INTO rep_table VALUES ('test1', '4321', 'T',24);Query OK, 1 row affected (0.00 sec)mysql> 

Then, view the reptest database of the Slave machine:

Slave # mysql-u root-p Enter password: Welcome to the MySQL monitor. commands end with; or \ g. your MySQL connection id is 12 to server version: 5.1.49Type 'help; 'or' \ H' for help. type '\ C' to clear the buffer. mysql> use cdn; Database changedmysql> select * from reptable; + ------ + | id | name | sex | age | + ------ + | test1 | 4321 | T | 24 | + ------ + ------ + 1 row in set (0.00 sec) mysql> source/root/etc/cdn. SQL # import cdn In the compressed package. SQL

In this case, OK. The next step is some performance tuning.

Add a TCMalloc library to MySQL to reduce system load

TCMallocThread-CachingMalloc) is a member of google-perftools, an open-source tool developed by google. Compared with the standard glibc library's malloc, TCMalloc has much higher efficiency and speed in memory allocation, which can greatly improve the performance of the MySQL server in high concurrency, reduce system load.

1. Install the libunwind library for the 64-bit operating system. Do not install the 32-bit operating system. The libunwind Library provides the basic stack trigger function for 64-bit CPU and operating system-based programs, these include the APIs used to output stack tracing, APIs used to program stack unrolling, and APIs that support the C ++ exception handling mechanism.

wget http://download.savannah.gnu.org/releases/libunwind/libunwind-0.99.tar.gztar zxvf libunwind-0.99.tar.gzcd libunwind-0.99/CFLAGS=-fPIC ./configuremake CFLAGS=-fPICmake CFLAGS=-fPIC install

2. Install google-perftools:

wget http://google-perftools.googlecode.com/files/google-perftools-1.6.tar.gztar zxvf google-perftools-1.6.tar.gzcd google-perftools-1.6/./configuremake && make installecho "/usr/local/lib" >/etc/ld.so.conf.d/usr_local_lib.conf/sbin/ldconfig

3. Modify the MySQL STARTUP script based on your MySQL installation location ):

vi /usr/local/mysql/bin/mysqld_safe

In the next line of # executingmysqld_safe, add:

export LD_PRELOAD=/usr/local/lib/libtcmalloc.so

Save and exit, and then restart the MySQL service.

4. Run the lsof command to check whether tcmalloc is effective:

lsof -n | grep tcmalloc

If the following information appears, tcmalloc has taken effect:

mysqld 10847 mysql mem REG 8,5 1203756 20484960/usr/local/lib/libtcmalloc.so.0.0.0

After completing the configuration of MySQL, you can go to the topic: install and configure Bind-dlz.

4. install and configure Bind-DLZ and related scripts

1. Install bind

#mkdir /usr/local/src/bind-dlz#cd /usr/local/src/bind-dlz #wget http://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz#tar zxvf bind-9.6.0-P1.tar.gz#cd bind-9.6.0-P1#./configure --with-dlz-mysql --enable-largefile --enable-threads=no--prefix=/usr/local/bind #make -j4 && make install

2. Create related configuration files

cd /usr/local/bind/etc../sbin/rndc-confgen >rndc.conftail -n10 rndc.conf | head -n9 | sed -e s/#\//g >named.conf# vilocalhost.zone ttl 86400@ IN SOA localhost. root.localhost. (1997022700 ; Serial28800 ; Refresh14400 ; Retry3600000 ; Expire86400 ) ; MinimumIN NS localhost.1 IN PTR localhost.# dig >named.root

Edit named. conf:

#vi named.conf

Add at the bottom:

Include "/usr/local/bind/etc/cnc_acl.conf"; // Netcom ACLinclude "/usr/local/bind/etc/telecom_acl.conf "; // Telecom ACLinclude "/usr/local/bind/etc/view. conf "; // configuration related to DLZ

3. Configure DNSTSIG

Use dnssec-keygenfunction to generate an encryption key. One is public key and the other is private key. In this article, we assume that the application server has the following keys: CNC, TELECOM, EDU, and ANY.

(1) generate an encryption key

#cd /usr/local/bind/sbin #./dnssec-keygen -a hmac-md5 -b 128 -n HOST cnc #./dnssec-keygen -a hmac-md5 -b 128 -n HOST telecom #./dnssec-keygen -a hmac-md5 -b 128 -n HOST edu #./dnssec-keygen -a hmac-md5 -b 128 -n HOST any

(2) view the generated key file

# Cat Kcnc. + 157 + 24406. private // take Netcom as an example. Private-key-format: v1.2 Algorithm: 157 (HMAC_MD5) Key: YTjTOw00PzeEaasA16/Rvw = Bits: AAA =

Add YTjTOw00PzeEaasA16/Rvw = to named. conf.

For details, refer to the named. conf configuration file.

Configure named. conf

# Vi/usr/local/bind/etc/named. conf key "rndc-key" {algorithm hmac-md5; secret "5PubnjGuAWeH9F2dIUYd6g =" ;}; controls {inet 127.0.0.1 port 953 allow {127.0.0.1 ;} keys {"rndc-key" ;};}; options {directory "/usr/local/bind/etc"; pid-file "named. pid ";};# TSIG-key" cnc "{algorithm hmac-md5; secret" YTjTOw00PzeEaasA16/Rvw = ";}; key" telecom "{algorithm hmac-md5; secret "secret =" ;}; key "edu" {algorithm hmac-md5; secret "Bzo6MTzrzbRFQbONYTS1Cw =" ;}; key "any" {algorithm hmac-md5; secret "DHpPfGJdMLv91OygBf9H6w =" ;};# acl "dns-ip-list" {172.19.3.15; # masterDNS IP 172.19.1.3; # slaveDNS IP }; # acl include "/usr/local/bind/etc/cnc_acl.conf"; // Netcom ACL include "/usr/local/bind/etc/telecom_acl.conf "; // Telecom ACLinclude "/usr/local/bind/etc/edu_acl.conf"; // Education Network ACL include "/usr/local/bind/etc/view. conf "; // bind-view Part

3. Bind Startup Script

#! /Bin/bash # chkconfig: 345 71 71 # description: bind daemondcase "$1" in start) if [-x/usr/local/bind/sbin/named]; then/usr/local/bind/sbin/named-c/usr/local/bind/etc/named. conf-u bindecho "BIND9-named server started" fi; stop) kill 'cat/usr/local/bind/etc/named. pid '& echo. & echo 'bind9 serverstopped'; restart) echo. echo "Restart BIND9 server" $0 stopsleep 10 $0 start; reload)/usr/local/bind/sbin/rndcreload; status) /usr/local/bind/sbin/rndcstatus; *) echo "$0 start | stop | restart | reload | status ";; esacchkconfig -- add bind9service bind9 start # start bindservice bind9 reload # reload bindservice bind9 restart # restart bind

For the remaining documents, see the etc.tar.gz file, which is very detailed. When the master node is deployed, use tar zxf etc.tar.gz-C/usr/local/bind/etc to overwrite it, after deploying bind, you can decompress the configuration file to/usr/local/bind/etc/and reconfigure rndc-key and dnssec!

The Web management interface can be downloaded, decompressed, and uploaded to your NameServer. This management interface was originally written by Dennis of LinuxTone. I have modified some bugs here ):

Web.zip

Notes

To deploy DNS, you need to set up the firewall and vro clearly. During the deployment, the ports tcp and udp53 are not opened to the master and slave servers, so the domain name cannot be resolved. Please remember!

Author profile: Cui Xiaohui, network name corzd, public network system administrator, proficient in website system architecture, Unix technology. Gtalk: coralzd@gmail.com

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.