All servers in this deployment are virtual machines running CentOS 7.3.
| Server name | IP address |
|---|---|
| DNS client | all private addresses |
| DNS-BIND-1 | 10.20.121.179 |
| DNS-BIND-2 | 10.20.121.184 |
| DNS-VIP | 10.20.120.150 |
| DNS-LVS-master | 10.20.121.187 |
| DNS-LVS-backup | 10.20.121.157 |
The LVS in this deployment runs in DR mode with Round Robin (RR) scheduling: when a client sends a DNS request, LVS hands it to the real servers in turn, and the DNS server that resolves it returns the answer straight to the client.
In LVS TUN mode a tunnel has to be set up between the director and each real server, which adds load on the servers. DR mode, also called direct routing mode (its architecture is shown in Figure 4), is similar to TUN in that the director still only handles the inbound request and picks a suitable real server according to the scheduling algorithm, while the real server itself sends the response packet back to the client. Unlike tunnel mode, direct routing requires the director and the back-end servers to be on the same LAN, and the VIP address has to be shared between the director and all back-end servers: when a real server answers the client it sets the source IP to the VIP and the destination IP to the client's address, so the client talks to the director's VIP and the reply also comes from that VIP (the copy on the real server), and the client never notices the back-end servers. Because several machines carry the same VIP, direct routing requires that only the director's VIP be visible externally: clients send their request packets to the director host, and every real server's VIP must be configured on a non-ARP network device, one that does not announce its MAC and the corresponding IP to the network, so the real servers' VIPs are invisible to the outside while the real servers can still accept packets addressed to the VIP and use the VIP as the source address when replying. After choosing a real server, the director leaves the IP datagram unchanged, rewrites the destination MAC of the frame to the chosen real server's MAC, and the switch delivers the frame to that server. Throughout, the real servers' VIP never needs to be visible to the outside.
Figure quoted from: https://blog.csdn.net/weixin_40470303/java/article/details/80541639
Round Robin (RR) scheduling dispatches requests to the servers one after another in a cycle; its main merit is that it is simple to implement. The algorithm assumes every server has the same capacity, and the director spreads all requests evenly over the real servers.
————————————————
Copyright notice: the two passages above are from the CSDN blogger "chenhuyang", licensed under CC 4.0 BY-SA; reproductions must carry the original link and this notice.
Original link: https://blog.csdn.net/weixin_40470303/java/article/details/80541639
Building the DNS cluster
Install ntpdate on every server so the clocks stay in sync. This matters beyond logging: the TSIG-signed transfers configured later carry a timestamp, and BIND rejects signatures more than 300 seconds off (the default fudge).
yum -y install ntpdate
echo "" >> /var/spool/cron/root   # make sure root has a crontab file, otherwise "crontab -l" below fails and the chain stops
crontab -l > crontabtmp && echo "0 * * * * ntpdate cn.ntp.org.cn" >> crontabtmp && crontab crontabtmp && rm -f crontabtmp
Installing BIND
Install bind-chroot with yum. As the name says, it runs named inside a chroot, which limits what a compromised named process can reach on the host.
yum -y install bind-chroot bind-utils net-tools initscripts
systemctl enable named-chroot
bind-utils is the set of DNS tools shipped with BIND, mainly dig, host, nslookup and nsupdate; use them for resolving names and debugging the servers.
Editing the configuration file
This is where the primary (master) DNS configuration starts. Below is named.conf, installed by default at /etc/named.conf (the named-chroot service mounts it into /var/named/chroot when it starts). Three points to keep in mind while reading it: allow-recursion is limited to the trusted ACL so the server cannot be used as an open resolver; dnssec-validation is off, so answers obtained through the forwarders are accepted without verification; and named only binds addresses that exist when it starts and rescans interfaces every interface-interval (60 minutes by default), so the VIP must already be configured on lo before named starts for the 10.20.120.150 entry in listen-on to take effect.
acl trusted {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    listen-on port 53 { 10.20.121.179; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { trusted; };
    allow-recursion { trusted; };
    forward first;
    forwarders {
        218.1.1.1;
        218.2.2.2;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "test.cn" IN {
    type master;
    file "/etc/named/test.cn.zone";
    allow-update { none; };
    allow-transfer { 10.20.121.184; };
    notify yes;
};

zone "test-fw.cn" IN {
    type forward;
    forwarders { 10.20.120.34; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Zone data file
The serial is an unsigned 32-bit integer (at most 4294967295). The YYYYMMDDhhmm value 202007031649 used originally does not fit, and named refuses to load a zone whose serial is out of range, so use the YYYYMMDDnn convention instead. Bump it on every change so that it stays above the slave's copy, and run `named-checkzone test.cn /etc/named/test.cn.zone` before reloading.
cat /etc/named/test.cn.zone
$TTL 1D
@       IN SOA  dns1.test.cn. admin.test.cn. (
                2020070316  ; serial: YYYYMMDDnn, increase on every change
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum (negative-caching TTL)
        IN NS   dns1.test.cn.
        IN NS   dns2.test.cn.
dns1    IN A    10.20.121.179
dns2    IN A    10.20.121.184
Setting up and configuring the secondary (slave) DNS server
The slave is installed exactly like the master; only named.conf changes, and no zone file is written by hand because the slave obtains it from the master by zone transfer.
zone "test.cn" IN {
    type slave;                     # the only change compared with the master
    masters { 10.20.121.179; };
    file "slaves/test.cn.zone";     # where the transferred zone is stored (relative to "directory")
    allow-transfer { none; };       # do not serve transfers to any other slave
};
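The zone file above is edited by hand, which is where serial mistakes come from, and the slave only picks up a change when the serial grows. The helper below is an added example, not code from the original page: it validates a serial against the 32-bit limit, computes the next YYYYMMDDnn value, rewrites the "; serial" line of a zone file, and lists the checks to run afterwards. The zone name, file path and server addresses are the page's; bind-utils is only needed for the final checks.

```shell
#!/bin/sh
# Added example (not from the original page): SOA serial helpers for the master's
# zone file. A zone serial is an unsigned 32-bit integer (at most 4294967295);
# a YYYYMMDDhhmm value such as 202007031649 overflows it and named refuses to load
# the zone, so these helpers keep to the YYYYMMDDnn convention.

SERIAL_MAX=4294967295

# serial_in_range SERIAL -> success if SERIAL is a decimal value that fits in 32 bits
serial_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -le "$SERIAL_MAX" ]
}

# next_serial CURRENT TODAY -> the next serial in YYYYMMDDnn form (TODAY is YYYYMMDD).
# Fails with status 1 once a day's 100 edits are used up so the caller notices.
next_serial() {
    cur=$1; today=$2
    if ! serial_in_range "$cur"; then
        # an out-of-range serial never loaded, so no slave ever saw it: restart cleanly
        echo "${today}00"
        return 0
    fi
    case "$cur" in
        "$today"[0-9][0-9])
            nn=${cur#"$today"}
            nn=${nn#0}                      # "07" -> "7": avoid octal parsing in $(( ))
            nn=$((nn + 1))
            [ "$nn" -le 99 ] || return 1
            printf '%s%02d\n' "$today" "$nn"
            ;;
        *)
            cand="${today}00"
            # a serial already above today's base (e.g. a Unix-time serial) must keep increasing
            if [ "$cand" -gt "$cur" ]; then
                echo "$cand"
            else
                new=$((cur + 1))
                serial_in_range "$new" || return 1
                echo "$new"
            fi
            ;;
    esac
}

# bump_zone_serial FILE TODAY -> rewrite the "<serial> ; serial" line in FILE and print the new value
bump_zone_serial() {
    file=$1; today=$2
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$file" | head -n 1)
    [ -n "$cur" ] || { echo "no '; serial' line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    sed -i "s/^\([[:space:]]*\)${cur}\([[:space:]]*;[[:space:]]*serial\)/\1${new}\2/" "$file"
    echo "$new"
}

# zone_checks -> what to run on the master after bump_zone_serial (needs bind-utils and rndc)
zone_checks() {
    named-checkzone test.cn /etc/named/test.cn.zone || return 1
    named-checkconf -t /var/named/chroot || return 1
    rndc reload test.cn || return 1
    # both servers must now report the same serial; the slave follows the NOTIFY
    dig +short @10.20.121.179 test.cn SOA
    dig +short @10.20.121.184 test.cn SOA
}
```

Typical use on the master is `bump_zone_serial /etc/named/test.cn.zone "$(date +%Y%m%d)"` followed by `zone_checks`. If the slave's serial stays behind, `rndc retransfer test.cn` on the slave forces a transfer; a serial that is larger on the slave than on the master (after a mistaken edit) is never corrected by refresh, because slaves only accept serials that are greater in RFC 1982 arithmetic.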
LVS + keepalived
Load the ip_vs kernel module (to have it loaded again after a reboot, list it in a file under /etc/modules-load.d/ as well):
modprobe ip_vs
Install ntpdate, ipvsadm and the build toolchain:
yum -y install ntpdate ipvsadm wget gcc gcc-c++ make popt-devel kernel-devel openssl-devel libnl3-devel
Build and install keepalived from source:
curl -O https://www.keepalived.org/software/keepalived-2.1.3.tar.gz
tar -zxf keepalived-2.1.3.tar.gz
cd keepalived-2.1.3
./configure
make && make install
Set keepalived to start at boot
cp keepalived/etc/init.d/keepalived /etc/init.d/             # the init script is shipped in the source tree
cp keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived
cp bin/* /usr/bin/
systemctl enable keepalived
Copy the configuration file to the default location: configure was run with default options, so the sample config was installed under /usr/local/etc/keepalived/, while keepalived reads /etc/keepalived/keepalived.conf.
mkdir /etc/keepalived/
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
Edit the configuration file on the master director. DR mode rewrites only the destination MAC, so the director, the real servers and the VIP 10.20.120.150 must share one broadcast domain (here the 10.20.120.x/10.20.121.x hosts must sit in the same subnet, a /23 or larger). Note also that only UDP/53 is balanced below; DNS falls back to TCP/53 for truncated answers and uses it for zone transfers, and with no TCP service in IPVS such connections end at the director's own stack and are refused.
! Configuration File for keepalived

global_defs {
    router_id LVS_DR01
    vrrp_skip_check_adv_addr
    ! strict RFC 5798 mode: among other things keepalived's strict mode does not support
    ! authentication and ignores the authentication block below
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    ! PASS authentication travels in clear text on the LAN and protects nothing;
    ! it is kept here only because the original configuration had it
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    ! BIND also listens on 53/TCP, so a TCP connect is a usable health check for a UDP pool
    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
The backup director is installed and configured the same way; its configuration file differs only in router_id, state and priority.
! Configuration File for keepalived

global_defs {
    router_id LVS_DR02
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.20.120.150
    }
}

virtual_server 10.20.120.150 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 10.20.121.179 53 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }

    real_server 10.20.121.184 53 {
        weight 1
        TCP_CHECK {
            connect_port 53
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
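The two keepalived configurations above list the real servers by hand, once per director, and balance UDP only; the last step of the page (adding a new server's IP to the LVS file) repeats that by hand again. The generator below is an added example, not code from the original page or from keepalived: it renders the virtual_server blocks for the DNS VIP from one list of real servers and emits a TCP/53 pool alongside the UDP one, since answers with the TC bit set are retried over TCP and zone transfers are TCP only. The addresses are the page's; everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): render the keepalived virtual_server
# blocks for the DNS VIP from a single member list, so the UDP and TCP pools never
# drift apart and adding a BIND host is a one-line change.

VIP=10.20.120.150
DNS_REAL_SERVERS="10.20.121.179 10.20.121.184"   # space separated; add a new BIND host here

# render_vs PROTO RS... -> one virtual_server block (DR, round robin) for PROTO
render_vs() {
    proto=$1; shift
    printf 'virtual_server %s 53 {\n' "$VIP"
    printf '    delay_loop 6\n    lb_algo rr\n    lb_kind DR\n    protocol %s\n' "$proto"
    for rs in "$@"; do
        printf '    real_server %s 53 {\n        weight 1\n' "$rs"
        # BIND listens on 53/TCP as well, so a TCP connect is a usable check for both pools;
        # connect_port is written out rather than inherited from the real_server line
        printf '        TCP_CHECK {\n            connect_port 53\n            connect_timeout 3\n            retry 3\n            delay_before_retry 3\n        }\n    }\n'
    done
    printf '}\n'
}

# render_dns_pools -> the UDP and the TCP pool, always with the same members
render_dns_pools() {
    # $DNS_REAL_SERVERS is left unquoted on purpose: word splitting yields one argument per host
    render_vs UDP $DNS_REAL_SERVERS
    printf '\n'
    render_vs TCP $DNS_REAL_SERVERS
}

# pool_members PROTO -> how many real servers the PROTO pool would carry
pool_members() {
    render_vs "$1" $DNS_REAL_SERVERS | grep -c 'real_server '
}
```

Paste the output of `render_dns_pools` after the vrrp_instance block on both directors, then `systemctl reload keepalived` (keepalived re-reads its configuration on SIGHUP). `ipvsadm -Ln` must then list both `UDP 10.20.120.150:53 rr` and `TCP 10.20.120.150:53 rr` with one route per real server, and `dig +tcp @10.20.120.150 test.cn SOA` answers where it was refused before.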
Real server (DNS server) configuration for DR mode
On each DNS server create the file /etc/init.d/lvsrs with the following content. It puts the VIP on a loopback alias and suppresses ARP for it, which is the "non-ARP device" requirement of DR mode described earlier:
cat /etc/init.d/lvsrs
#!/bin/sh
# chkconfig: 2345 90 10
# description: LVS real server setup for DR mode (VIP on lo, ARP suppressed)
VIP=10.20.120.150
. /etc/rc.d/init.d/functions

case "$1" in
    start)
        echo "start LVS real server"
        # hold the VIP on a loopback alias with a /32 mask so it is never routed or announced via eth0
        /sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
        # arp_ignore=1: answer ARP only for addresses configured on the interface the request came in on
        # arp_announce=2: use the best local address as ARP source, never the VIP
        echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
        echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
        echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
        ;;
    stop)
        /sbin/ifconfig lo:0 down
        echo "stop LVS real server"
        echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
        echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
        echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
        echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
esac
exit 0
Make the file executable
chmod +x /etc/init.d/lvsrs
Enable it at boot (systemd runs chkconfig-style init scripts through its SysV compatibility layer) and start it. Because named only binds addresses that exist when it starts, run lvsrs before named, or restart named afterwards, so that the VIP entry in listen-on takes effect.
systemctl enable lvsrs
systemctl start lvsrs
Then verify the result: `ip addr show lo` must list 10.20.120.150/32, `dig @10.20.120.150 test.cn SOA` run on the real server itself must answer, and `arping -c 3 -I eth0 10.20.120.150` from a client on the same LAN must return only the active director's MAC. A real server's MAC in those replies means ARP suppression failed, and clients will then reach that server directly instead of through LVS.
Returning different answers depending on the client's source IP (BIND 9 views)
Authenticating master/slave traffic with TSIG keys
The IP-based allow-transfer used so far identifies the slave by address only; with views, the key is also what routes a transfer request into the right view, so each view gets its own key.
# Generate a key with ddns-confgen, which ships with BIND.
ddns-confgen -a hmac-md5
This prints a key stanza like the following (hmac-md5 is kept here because the rest of the page uses it; RFC 8945 makes HMAC-SHA256 mandatory and HMAC-MD5 merely optional, and both ddns-confgen and tsig-keygen accept `-a hmac-sha256`, in which case every `algorithm` line below has to change accordingly):
key "key-file" {
    algorithm hmac-md5;
    secret "zB3aHy***********HQQ==";
};
Generate one key per view. The same stanzas, with identical secrets, must be present on the master and on the slave; since they are secrets, keep them in a separate file with the same 0640 root:named permissions as named.conf and include it, rather than pasting them into configuration that gets copied around.
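The key generation step above depends on bind-utils and produces HMAC-MD5 keys. The script below is an added example, not code from the original page or from BIND: it mints HMAC-SHA256 key stanzas from /dev/urandom and base64 only, writes them to a file with restricted permissions, and includes the dig probe that shows which view a signed query lands in. The key names are the page's view keys; the output path and the use of hmac-sha256 (which requires changing the page's `algorithm` lines) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): TSIG key stanzas with HMAC-SHA256
# instead of HMAC-MD5, generated without bind-utils.

# tsig_secret -> 32 random bytes, base64 encoded (256 bits, the size tsig-keygen uses for hmac-sha256)
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# tsig_key_stanza NAME [SECRET] -> a named.conf key block; SECRET defaults to a fresh random one
tsig_key_stanza() {
    name=$1
    secret=${2:-$(tsig_secret)}
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$name" "$secret"
}

# write_keys_file FILE NAME... -> one stanza per view key in FILE, readable by root and named only;
# prints the number of keys written. Copy the same file to the slave: secrets must match on both sides.
write_keys_file() {
    file=$1; shift
    : > "$file"
    chmod 0640 "$file"
    for n in "$@"; do
        tsig_key_stanza "$n" >> "$file"
    done
    chgrp named "$file" 2>/dev/null || true    # the named group only exists on a BIND host
    echo "$#"
}

# dig_view_probe SERVER KEYNAME SECRET ZONE -> SOA of ZONE as seen through the view that owns KEYNAME
# (signed query; run from a host with dig)
dig_view_probe() {
    dig @"$1" -y "hmac-sha256:$2:$3" "$4" SOA +short
}
```

Run `write_keys_file /etc/named/tsig-keys.conf key-lan key-wan` on the master, copy the file to the slave, replace the inline key blocks in both named.conf files with `include "/etc/named/tsig-keys.conf";`, and change the `algorithm` lines of the views to hmac-sha256. `dig_view_probe 10.20.121.179 key-lan "$SECRET" test-1.com` and the same call with key-wan must then return the SOA of the lan and wan view respectively; a query signed with a key the server does not know is answered with BADKEY, which is the quickest way to spot a secret that differs between master and slave.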
Final configuration files
Master:
Two corrections compared with the configuration as first written: the `server` statements inside the views must name the slave (10.20.121.184), not the master's own address, because they decide which key signs the NOTIFY and transfer traffic sent to the slave; and each view's match-clients rejects the other view's key before falling back to addresses, otherwise a request from the slave (a LAN address) signed with key-wan would match the lan view by address and the wan slave would be filled with the lan zone.
acl dnsserver {
    10.20.121.184;
    10.20.121.179;
};

acl lan {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl wan {
    !"lan";
    any;
};

options {
    listen-on port 53 { 10.20.121.179; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };          # authoritative answers for everyone ...
    allow-recursion { lan; };      # ... but recursion only for the LAN, so this is not an open resolver
    forward first;
    forwarders {
        202.101.172.35;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

key "key-lan" {
    algorithm hmac-md5;
    secret "zB3aHy**********rIHQQ==";
};

key "key-wan" {
    algorithm hmac-md5;
    secret "w1U**********FSh9SQ==";
};

key "key-none" {
    algorithm hmac-md5;
    secret "Whs+3iql**********wrfA==";
};

masters "dnsserver" {
    10.20.121.184;
    10.20.121.179;
};

view "lan" {
    # key elements first: a signed request is routed by its key, not by its source address
    match-clients {
        key key-lan;
        !key key-wan;
        "lan";
    };
    # sign NOTIFY and transfer traffic sent to the slave with this view's key
    server 10.20.121.184 { keys key-lan; };
    allow-transfer { key key-lan; };
    allow-notify { "dnsserver"; };
    also-notify { "dnsserver"; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.lan.zones";
    include "/etc/named.root.key";
};

view "wan" {
    match-clients {
        key key-wan;
        !key key-lan;
        "wan";
    };
    server 10.20.121.184 { keys key-wan; };
    allow-transfer { key key-wan; };
    allow-notify { "dnsserver"; };
    also-notify { "dnsserver"; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};
Master zone list for the lan view: /etc/named.rfc1912.lan.zones
cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN {
    type master;
    file "dns/test-1.dns";
    allow-update { none; };
    notify yes;
};
Master zone list for the wan view: /etc/named.rfc1912.zones (the stock file of that name is replaced; the same zone name with a different data file gives the two views different answers)
cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
    type master;
    file "test-1.dns";
    allow-update { none; };
    notify yes;
};
備:
acl dnsserver {
    10.20.121.184;
    10.20.121.179;
};

acl lan {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl wan {
    !"lan";
    any;
};

options {
    listen-on port 53 { 10.20.121.184; 10.20.120.150; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-recursion { lan; };
    forward first;
    forwarders {
        202.101.172.35;
        114.114.114.114;
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    max-cache-ttl 60;
    max-cache-size 10240M;
    max-ncache-ttl 60;
    cleaning-interval 15;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel query_log {
        file "/var/run/named/query.log" versions 55 size 100m;
        severity dynamic;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
    # "default" covers every category not listed above, including security (refused
    # transfers and notifies), xfer-in and general; sending it to null discards all of them
    category default { null; };
};

key "key-lan" {
    algorithm hmac-md5;
    secret "zB3aHyt6r6aOaJ/I9rIHQQ==";
};

key "key-wan" {
    algorithm hmac-md5;
    secret "w1UhtLdOGREhSYimFSh9SQ==";
};

key "key-none" {
    algorithm hmac-md5;
    secret "Whs+3iqlwShOapXRW8wrfA==";
};

view "lan" {
    # same ordering as on the master: a NOTIFY from the master signed with key-wan must
    # skip this view, otherwise the wan zone would be refreshed into the lan view
    match-clients {
        key key-lan;
        !key key-wan;
        "lan";
    };
    # sign refresh and transfer requests to the master with this view's key
    server 10.20.121.179 { keys key-lan; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.lan.zones";
    include "/etc/named.root.key";
};

view "wan" {
    match-clients {
        key key-wan;
        !key key-lan;
        "wan";
    };
    server 10.20.121.179 { keys key-wan; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};
Slave zone list for the lan view: /etc/named.rfc1912.lan.zones (the zone name must match the master's exactly; the original files said test-1.cn here while the master serves test-1.com, and a mismatch means nothing is ever transferred)
cat /etc/named.rfc1912.lan.zones
zone "test-1.com" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/lan_test-1.dns";
    allow-transfer { none; };
};
Slave zone list for the wan view: /etc/named.rfc1912.zones
cat /etc/named.rfc1912.zones
zone "test-1.com" IN {
    type slave;
    masters { 10.20.121.179; };
    masterfile-format text;
    file "slaves/test-1.dns";
    allow-transfer { none; };
};
To grow the cluster, clone the slave and change the listen-on addresses in named.conf to the new server's own IP plus the VIP; the key file and view configuration are already in place on the clone.
Once the new DNS server is up (with lvsrs running so it answers on the VIP), add its IP as a real_server in the keepalived configuration on both directors and reload keepalived; `ipvsadm -Ln` shows the new member once its health check passes.