• Setting up a DNS server with docker-bind


    • Use docker-bind to set up a private DNS server so that servers across the whole internal cluster can be managed, and services configured, by domain name
    • The instructions below are based on Ubuntu 20.04; to build a Docker image that runs on a Raspberry Pi, see the referenced article

    Configuration and installation

    Local DNS configuration

    sudo nano /etc/systemd/resolved.conf

    # Change the file to the following
    # Assume the server running docker-bind has the IP address 192.168.3.37
    [Resolve]
    DNS=192.168.3.37
    #FallbackDNS=
    #Domains=
    #LLMNR=no
    #MulticastDNS=no
    #DNSSEC=no
    #DNSOverTLS=no
    #Cache=no
    DNSStubListener=no
    #ReadEtcHosts=yes

    sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
    • See: how to free port 53 used by systemd-resolved
    • After this configuration, /etc/resolv.conf contains:

      # This file is managed by man:systemd-resolved(8). Do not edit.
      #
      # This is a dynamic resolv.conf file for connecting local clients directly to
      # all known uplink DNS servers. This file lists all configured search domains.
      #
      # Third party programs must not access this file directly, but only through the
      # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
      # replace this symlink by a static file or a different symlink.
      #
      # See man:systemd-resolved.service(8) for details about the supported modes of
      # operation for /etc/resolv.conf.
      
      nameserver 192.168.3.37
      nameserver 192.168.3.1
      • The first entry is the DNS server we built with bind
      • The second entry is the DNS server of the local subnet's gateway
      • Note that the order must not be changed; if the contents are not as shown, delete /etc/resolv.conf and run sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf again
      • If /run/systemd/resolve/resolv.conf does not exist, then systemctl disable systemd-resolved and service systemd-resolved stop have been run; run systemctl enable systemd-resolved and service systemd-resolved start, then reboot

    Installing docker-bind

    On the server chosen from the cluster to host the DNS server, run the following commands

    # Pull the image before shutting down the local resolver
    docker pull sameersbn/bind:9.16.1-20200524
    # Deploy the bind service as a Docker container
    docker run \
    --name bind \
    -d \
    --restart=always \
    --publish 53:53/tcp \
    --publish 53:53/udp \
    --publish 10000:10000/tcp \
    --volume docker-bind:/data \
    sameersbn/bind:9.16.1-20200524

    Configuring docker-bind

    • Assume the server's IP address is 192.168.3.37 and the local root domain is dev
    • Open the Webmin admin interface at https://192.168.3.37:10000/ (default username: root, password: password) and make the following settings:
    1. Servers → BIND DNS Server → Global Server Options → Access Control Lists, add:

      1. allow-query any
    2. Servers → BIND DNS Server → Global Server Options → Forwarding and Transfers → Global forwarding and zone transfer options, add the IP addresses of the DNS servers to forward to:

      1. 8.8.8.8
      2. 8.8.4.4
      3. Only Google's DNS servers are added for now. Adding some domestic Chinese DNS servers (such as AliDNS) actually caused problems (NTP server access failing, and so on)
    3. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone

      1. Zone type: Forward (Names to Addresses)
      2. Domain name / Network: dev
      3. Master server: a.dev
      4. Email address: admin@dev
    4. Servers → BIND DNS Server → Existing DNS Zones → Create Master Zone

      1. Zone type: Reverse (Addresses to Names)
      2. Domain name / Network: 192.168.3
      3. Master server: a.dev
      4. Email address: admin@dev
    5. Servers → BIND DNS Server → Existing DNS Zones → dev

      1. Under Address, add DNS records

        1. Name: a, Address: 192.168.3.37, click Create; the reverse address record is added and updated automatically
        2. Add other DNS records as needed

          1. The container may need to be restarted before newly added DNS records take effect
      2. Servers → BIND DNS Server → Existing DNS Zones → dev → Name Server: confirm that the name server address exists

        1. Zone Name: dev.
        2. Name Server: a.dev.
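As an added example (not code from the original post or from docker-bind), the following Python generates the forward zone for dev and the reverse zone for 192.168.3 that the Webmin steps above create, including the PTR record Webmin adds automatically when the A record is created. The zone name, host a, mailbox admin@dev and the second host b are taken from the walkthrough; the SOA timer values and the serial are assumptions.

```python
import ipaddress

def reverse_zone_name(network: str) -> str:
    """'192.168.3' -> '3.168.192.in-addr.arpa', as Webmin names a /24 reverse zone."""
    return ".".join(reversed(network.split("."))) + ".in-addr.arpa"

def zone_header(zone: str, primary: str, email: str, serial: int) -> list[str]:
    """SOA plus the NS record that the 'Name Server' step above confirms.
    The Webmin mailbox 'admin@dev' is written 'admin.dev.' in SOA syntax.
    The TTL and timer values are assumed, not taken from the post."""
    mbox = email.replace("@", ".") + "."
    return [
        "$TTL 38400",
        f"{zone}.\tIN\tSOA\t{primary}. {mbox} ( {serial} 10800 3600 604800 38400 )",
        f"{zone}.\tIN\tNS\t{primary}.",
    ]

def build_zones(domain: str, network: str, primary: str, email: str,
                records: dict[str, str], serial: int = 1) -> tuple[str, str]:
    """Return (forward zone text, reverse zone text) for the given A records.
    Every address must lie inside network/24; otherwise the PTR record would
    belong to a reverse zone this server is not authoritative for."""
    rev = reverse_zone_name(network)
    subnet = ipaddress.ip_network(network + ".0/24")
    fwd_lines = zone_header(domain, primary, email, serial)
    rev_lines = zone_header(rev, primary, email, serial)
    for name, addr in sorted(records.items()):
        if ipaddress.ip_address(addr) not in subnet:
            raise ValueError(f"{name} -> {addr} is outside {subnet}")
        fwd_lines.append(f"{name}.{domain}.\tIN\tA\t{addr}")
        # Webmin's "update reverse" option adds this matching PTR automatically.
        rev_lines.append(f"{addr.rsplit('.', 1)[1]}.{rev}.\tIN\tPTR\t{name}.{domain}.")
    return "\n".join(fwd_lines) + "\n", "\n".join(rev_lines) + "\n"

if __name__ == "__main__":
    # Constructed records: host 'a' from the walkthrough plus the 'b' host used in the test step.
    fwd, rev = build_zones("dev", "192.168.3", "a.dev", "admin@dev",
                           {"a": "192.168.3.37", "b": "192.168.3.38"})
    print(fwd)
    print(rev)
```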

    Testing

    Update the local nameserver setting to the server's IP address, then run the following commands to check that the DNS server is working properly

    nslookup www.baidu.com
    nslookup a.dev
    nslookup b.dev
    • If you get ;; Got recursion not available from 192.168.3.37, trying next server, perform the steps below (it is more convenient to make the same changes from the dashboard, following the file contents shown here: Servers → BIND DNS Server → Global Server Options → Edit Config File)

       
      docker cp bind:/etc/bind/named.conf.options ./
      docker cp bind:/etc/bind/named.conf ./

      # Edit the two files as follows
      # named.conf

      acl trusted {
          192.168.0.0/16;
          10.153.154.0/24;
          localhost;
          localnets;
      };
      // This is the primary configuration file for the BIND DNS server named.
      //
      // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
      // structure of BIND configuration files in Debian, *BEFORE* you customize
      // this configuration file.
      //
      // If you are just adding zones, please do that in /etc/bind/named.conf.local

      include "/etc/bind/named.conf.options";
      include "/etc/bind/named.conf.local";
      include "/etc/bind/named.conf.default-zones";

      # named.conf.options
      options {
              directory "/var/cache/bind";

              // If there is a firewall between you and nameservers you want
              // to talk to, you may need to fix the firewall to allow multiple
              // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

              // If your ISP provided one or more IP addresses for stable
              // nameservers, you probably want to use them as forwarders.
              // Uncomment the following block, and insert the addresses replacing
              // the all-0's placeholder.

              // forwarders {
              //      0.0.0.0;
              // };

              //========================================================================
              // If BIND logs error messages about the root key being expired,
              // you will need to update your keys.  See https://www.isc.org/bind-keys
              //========================================================================
              dnssec-validation auto;

              listen-on-v6 { any; };
              forwarders {
                      8.8.8.8;
                      8.8.4.4;
              };
              allow-query { any; };
              allow-recursion { trusted; };
              allow-query-cache { trusted; };
      };

      # Copy the edited files back into the container
      docker cp ./named.conf.options bind:/etc/bind/named.conf.options
      docker cp ./named.conf bind:/etc/bind/named.conf
      # Restart the container
      docker restart bind
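The following Python checker is an added example, not code from the post or from BIND: it reads the acl from named.conf and an options block and reports who may recurse through the server, so the fix above can be verified before the files are copied back. Without an allow-recursion statement BIND 9 falls back to allow-query-cache and then to localnets/localhost, which inside the container is the Docker bridge rather than the LAN (hence the error above), while allow-recursion { any; } would make the server an open resolver usable for reflection. The sample configuration strings are constructed from the files shown on this page.

```python
from __future__ import annotations
import re

# Constructed samples: the acl from the named.conf above, and three options
# blocks (the fixed one, an open one, and one with no allow-recursion at all).
NAMED_CONF = "acl trusted { 192.168.0.0/16; 10.153.154.0/24; localhost; localnets; };"
OPTIONS_FIXED = ("options { allow-query { any; }; allow-recursion { trusted; }; "
                 "allow-query-cache { trusted; }; };")
OPTIONS_OPEN = "options { allow-query { any; }; allow-recursion { any; }; };"
OPTIONS_DEFAULT = "options { forwarders { 8.8.8.8; 8.8.4.4; }; allow-query { any; }; };"

def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments; named.conf accepts all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _items(body: str) -> list[str]:
    return [t.strip() for t in body.split(";") if t.strip()]

def match_list(text: str, name: str) -> list[str] | None:
    """Items of `name { a; b; };` (no nested braces), or None when absent."""
    m = re.search(rf"\b{name}\s*\{{([^{{}}]*)\}}\s*;", strip_comments(text))
    return None if m is None else _items(m.group(1))

def acl_definitions(conf: str) -> dict[str, list[str]]:
    """Collect `acl NAME { ...; };` blocks so names like 'trusted' can be expanded."""
    return {m.group(1): _items(m.group(2)) for m in
            re.finditer(r"\bacl\s+([\w-]+)\s*\{([^{}]*)\}\s*;", strip_comments(conf))}

def expand(items: list[str], defs: dict[str, list[str]]) -> list[str]:
    """Replace named ACLs by their members, recursively."""
    out: list[str] = []
    for item in items:
        out.extend(expand(defs[item], defs) if item in defs else [item])
    return out

def recursion_exposure(named_conf: str, options: str) -> tuple[str, list[str]]:
    """Who may use this BIND instance as a recursive resolver?"""
    flat = re.sub(r"\s+", " ", strip_comments(options))
    if "recursion no;" in flat:
        return "closed", []
    allowed = match_list(options, "allow-recursion")
    if allowed is None:
        # BIND 9 falls back to allow-query-cache, then to localnets/localhost,
        # which inside the container is only the Docker bridge, not the LAN.
        allowed = match_list(options, "allow-query-cache") or ["localnets", "localhost"]
    allowed = expand(allowed, acl_definitions(named_conf))
    return ("open" if "any" in allowed else "restricted"), allowed
```

Run recursion_exposure(NAMED_CONF, OPTIONS_FIXED) to see the trusted networks expanded; OPTIONS_DEFAULT reproduces the state that produced the "recursion not available" error.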

  • Original article: https://www.cnblogs.com/mouseleo/p/15534525.html