DNS itself is not covered in detail here; see the earlier post, DNS Server Setup.
Master: 10.0.3.115
Slave: 10.0.3.116
Ansible is used here to deploy the DNS master/slave pair.
$ tree roles/dns-server
roles/dns-server
├── tasks
│   └── main.yml
├── templates
│   ├── backend.dns.j2
│   ├── internal.dns.j2
│   ├── named.conf.j2
│   ├── named.conf.local.j2
│   ├── named.conf.log.j2
│   └── named.conf.options.j2
└── vars
    └── main.yml
$ cat tasks/main.yml
---
- name: Install dns
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - bind9
      - bind9utils
      - bind9-doc
  become: true

# Debian ships /etc/bind as root:bind 2755, so a directory created here by root is
# not writable by the bind user. The slave named writes the transferred zone into
# this directory, so give group bind write access (same root:bind 775 as /var/cache/bind).
- name: Create zone dir
  file:
    path: "{{ dns_zone_dir }}"
    state: directory
    owner: root
    group: bind
    mode: '0775'
  become: true

- name: Copy dns configure file
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - src: named.conf.j2
      dest: /etc/bind/named.conf
    - src: named.conf.local.j2
      dest: /etc/bind/named.conf.local
    - src: named.conf.options.j2
      dest: /etc/bind/named.conf.options
    - src: named.conf.log.j2
      dest: /etc/bind/named.conf.log
    - src: backend.dns.j2
      dest: "{{ dns_zone_dir }}/backend.dns"
    - src: internal.dns.j2
      dest: "{{ dns_zone_dir }}/internal.dns"
  become: true

- name: Turn off ipv6
  lineinfile:
    path: /etc/default/bind9
    regexp: "^OPTIONS"
    line: 'OPTIONS="-u bind -4"'
  become: true

- name: Restart dns
  systemd:
    name: bind9
    state: restarted
    enabled: yes
  become: true

# Normally the replace or lineinfile module should be used to edit the file, but the
# regex did not match, so sed is used instead.
- name: Add write permission   # so the slave DNS server has write access under /etc/bind and can sync the zones
  shell: 'sed -i "s@/etc/bind/\*\* r@/etc/bind/** rw@g" /etc/apparmor.d/usr.sbin.named'
  become: true

- name: Restart apparmor
  systemd:
    name: apparmor
    state: restarted
    enabled: yes
  become: true

- name: Restart dns
  systemd:
    name: bind9
    state: restarted
    enabled: yes
  become: true
$ tree templates/
templates/
├── backend.dns.j2
├── internal.dns.j2
├── named.conf.j2
├── named.conf.local.j2
├── named.conf.log.j2
└── named.conf.options.j2
Main configuration file template
$ cat named.conf.j2
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.log";
Zones to serve (which domains this server resolves)
$ cat named.conf.local.j2
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "{{ dns_domain_backend }}" {
{% if inventory_hostname in groups.dns_master %}
    type master;
{% elif inventory_hostname in groups.dns_slave %}
    type slave;
    masters { {{ dns_master_ip }}; };
    allow-notify { {{ dns_master_ip }}; };
{% endif %}
    file "{{ dns_zone_dir }}/backend.dns";
    forwarders {};
};

zone "{{ dns_domain_internal }}" {
{% if inventory_hostname in groups.dns_master %}
    type master;
{% elif inventory_hostname in groups.dns_slave %}
    type slave;
    masters { {{ dns_master_ip }}; };
    allow-notify { {{ dns_master_ip }}; };
{% endif %}
    file "{{ dns_zone_dir }}/internal.dns";
    forwarders {};
};
Logging configuration template
$ cat named.conf.log.j2
logging {
{% for log_type in dns_log_type %}
    channel {{ log_type.name }} {
        file "{{ log_type.name }}" versions 3 size 1g;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category {{ log_type.type }} {
        {{ log_type.name }};
    };
{% endfor %}
};
Global options template
$ cat named.conf.options.j2
options {
    directory "/var/cache/bind";
    forwarders {
        114.114.114.114;
        8.8.8.8;
    };
    allow-query { any; };
    recursion yes;
    allow-transfer { any; };
    dnssec-enable no;
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
};
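Two settings in the options template above and the zone stanzas in named.conf.local deserve a second look before this role goes to production: `allow-transfer { any; };` lets any host pull the full zone over AXFR (BIND applies `allow-transfer`, not `allow-query`, to transfers), and `recursion yes;` combined with `allow-query { any; };` and no `allow-recursion` makes both servers open resolvers. The following script is an added example, not code from the original post: it audits a rendered named.conf.options for these two conditions and produces a hardened copy that allows transfers only to the slave and recursion only to the networks you name. `RENDERED_OPTIONS` is a constructed copy of what the template renders; the slave address 10.0.3.116 is the one used on this page, and the client range `10.0.0.0/8` is an assumption you would replace with your own.

```python
import re

# Constructed rendering of the named.conf.options.j2 template on this page.
RENDERED_OPTIONS = """\
options {
    directory "/var/cache/bind";
    forwarders {
        114.114.114.114;
        8.8.8.8;
    };
    allow-query { any;};
    recursion yes;
    allow-transfer { any; };
    dnssec-enable no;
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
};
"""


def _acl(text, name):
    """Return the address-match list of `name { ... };` as a list of entries, or None if absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def audit_options(text):
    """Return findings as (directive, problem) tuples; an empty list means nothing flagged."""
    findings = []
    if _acl(text, 'allow-transfer') == ['any']:
        findings.append(('allow-transfer',
                         'zone transfer (AXFR) permitted from any address'))
    recursive = re.search(r'\brecursion\s+yes\s*;', text) is not None
    if recursive and _acl(text, 'allow-query') == ['any'] and _acl(text, 'allow-recursion') is None:
        findings.append(('recursion',
                         'recursive queries answered for any client (open resolver)'))
    return findings


def harden_options(text, slave_ips, client_nets):
    """Return a copy with transfers limited to slave_ips and recursion limited to client_nets.

    allow-query stays { any; } so the authoritative zones are still answered for everyone;
    allow-recursion is what restricts who may use the server as a resolver.
    """
    transfer = ' '.join(ip + ';' for ip in slave_ips)
    clients = ' '.join(net + ';' for net in client_nets)
    out = re.sub(r'allow-transfer\s*\{[^}]*\};', 'allow-transfer { %s };' % transfer, text)
    out = re.sub(r'(recursion\s+yes\s*;)',
                 r'\1\n    allow-recursion { %s };' % clients, out)
    return out


if __name__ == "__main__":
    for directive, problem in audit_options(RENDERED_OPTIONS):
        print("%-16s %s" % (directive, problem))
    print(harden_options(RENDERED_OPTIONS, ['10.0.3.116'], ['10.0.0.0/8', '127.0.0.1']))
```

On the master, `also-notify { 10.0.3.116; };` in the zone stanzas is worth adding as well: BIND sends NOTIFY to the hosts named in the zone's NS records by default, and if the slave is not one of them it only learns of changes at the SOA refresh interval. Whatever you change, run `named-checkconf` on the rendered files before restarting bind9.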
Zone data 1
$ cat backend.dns.j2
$TTL 600
@ IN SOA ns1 root (
3 ; Serial
3600 ; Refresh
86400 ; Retry
86400 ; Expire
86400 ) ; Negative Cache TTL
;
{% for list in dns_backend_list %}
{{ list.domain }} IN {{ list.type }} {{ list.ip }}
{% endfor %}
Zone data 2
$ cat internal.dns.j2
$TTL 600
@ IN SOA ns1 root (
3 ; Serial
3600 ; Refresh
86400 ; Retry
86400 ; Expire
86400 ) ; Negative Cache TTL
;
{% for list in dns_internal_list %}
{{ list.domain }} IN {{ list.type }} {{ list.ip }}
{% endfor %}
$ cat vars/main.yml
dns_master_ip: "10.0.3.115"
dns_zone_dir: "/etc/bind/zone-tianchi"
dns_domain_backend: devilf.com
dns_domain_internal: test.com
dns_log_type:
  - name: query_log
    type: queries
  - name: update_log
    type: update
  - name: client_log
    type: client
  - name: network_log
    type: network
  - name: resolver_log
    type: resolver
  - name: lame-servers_log
    type: lame-servers
dns_backend_list:
  - domain: "@"
    type: NS
    ip: ns1          # an NS target must be a hostname with an A record, not an IP address
  - domain: ns1
    type: A
    ip: 10.0.3.93
  - domain: test
    type: A
    ip: 10.0.3.93
  - domain: www
    type: A
    ip: 10.0.3.93
dns_internal_list:
  - domain: "@"
    type: NS
    ip: ns1          # same: NS points at the ns1 host, whose A record follows
  - domain: ns1
    type: A
    ip: 10.0.3.93
  - domain: web
    type: A
    ip: 10.0.3.93
  - domain: www
    type: A
    ip: 10.0.3.93
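The two zone templates loop over these lists and emit one `name IN type value` line each, with an SOA whose serial is fixed at 3. Two things follow from that which the templates do not check: an NS record's value must be a hostname that has an address record (an IP address in that field loads with a warning and breaks NOTIFY and delegation), and a slave only re-transfers a zone when the master's serial is ahead of its own under RFC 1982 serial arithmetic, so editing a record without raising the serial leaves the slave stale. The script below is an added example, not part of the original post: it renders a zone from a record list in the shape of `dns_backend_list`, validates the records, and applies the serial comparison a slave uses. `BACKEND_LIST` is a constructed input that deliberately uses an IP address as the NS target so the check has something to catch.

```python
import ipaddress

# Same SOA layout as backend.dns.j2 / internal.dns.j2, with the serial as a parameter.
SOA_TEMPLATE = """\
$TTL 600
@ IN SOA ns1 root (
    {serial} ; Serial
    3600 ; Refresh
    86400 ; Retry
    86400 ; Expire
    86400 ) ; Negative Cache TTL
;
"""

# Constructed record list in the shape of dns_backend_list; the NS value is an
# IP address on purpose, which is the mistake check_records() flags.
BACKEND_LIST = [
    {"domain": "@",    "type": "NS", "ip": "10.0.3.93."},
    {"domain": "ns1",  "type": "A",  "ip": "10.0.3.93"},
    {"domain": "test", "type": "A",  "ip": "10.0.3.93"},
    {"domain": "www",  "type": "A",  "ip": "10.0.3.93"},
]


def _is_ip(value):
    """True when value (with or without a trailing dot) parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value.rstrip('.'))
        return True
    except ValueError:
        return False


def check_records(records):
    """Return human-readable problems a zone built from `records` would have."""
    problems = []
    addressed = {r["domain"] for r in records if r["type"] in ("A", "AAAA")}
    for r in records:
        if r["type"] == "NS":
            if _is_ip(r["ip"]):
                problems.append("NS %s points at an IP address (%s); it must be a hostname"
                                % (r["domain"], r["ip"]))
            elif not r["ip"].endswith('.') and r["ip"] not in addressed:
                # relative target: it lives in this zone and needs an address record here
                problems.append("NS target %s has no A/AAAA record in this zone" % r["ip"])
        elif r["type"] in ("A", "AAAA") and not _is_ip(r["ip"]):
            problems.append("%s record %s has a non-address value %s"
                            % (r["type"], r["domain"], r["ip"]))
    return problems


def render_zone(records, serial):
    """Render the zone text the way the Jinja template does, one record per line."""
    lines = [SOA_TEMPLATE.format(serial=serial)]
    for r in records:
        lines.append("%s IN %s %s" % (r["domain"], r["type"], r["ip"]))
    return "\n".join(lines) + "\n"


def serial_is_newer(new, old):
    """RFC 1982 comparison as a slave applies it: True when `new` is ahead of `old`.

    Serials are 32-bit and wrap, so the difference is taken modulo 2**32 and
    'ahead' means strictly between 0 and 2**31.
    """
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    for problem in check_records(BACKEND_LIST):
        print("problem:", problem)
    fixed = [dict(r, ip="ns1") if r["type"] == "NS" else r for r in BACKEND_LIST]
    print(render_zone(fixed, serial=2024010101))
    print("slave will refresh 3 -> 4:", serial_is_newer(4, 3))
    print("slave will refresh 3 -> 3:", serial_is_newer(3, 3))
```

A date-based serial such as YYYYMMDDnn, bumped on every change, is the usual way to keep the master ahead of the slave; after rendering, `named-checkzone devilf.com /etc/bind/zone-tianchi/backend.dns` on the master reports the same NS and address problems this check looks for.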
$ cat office/hosts
[dns_master]
10.0.3.115

[dns_slave]
10.0.3.116

[dns:children]
dns_master
dns_slave
$ cat setup.yml
- hosts: dns
  roles:
    - role: dns-server
$ ansible-playbook -i office setup.yml -k -K
Note:
Before deploying DNS, I replaced the package repository sources.