Preface
- While studying I came across an Ansible playbook for automated DNS deployment, and I am sharing it here
- The deployment uses Bind9, covering a primary/secondary DNS setup and a caching DNS, with unbound used for the cache
- The playbooks are fairly simple
- Corrections are welcome where my understanding falls short
Each person has only one genuine vocation: to find the way to himself. Then to hold to it in his heart for his whole life, wholeheartedly, without ceasing. All other paths are incomplete; they are a person's way of escaping, a cowardly retreat to the ideals of the masses, drifting with the current, fear of one's own inner self. (Hermann Hesse, Demian)
BIND deployment procedure
- Install the bind package
- Create the BIND configuration files
- Enable and start the unbound service.
- Configure the firewall to allow inbound DNS traffic.
Files involved:
[student@workstation dns-auto]$ tree .
.
├── ansible.cfg
├── ansible-starter-files
│ └── configure_primary.yml.starter
├── files
│ ├── primary-192.168.0.zone
│ ├── primary-backend.lab.example.com.zone
│ ├── primary-named.backend.conf
│ ├── primary-named.conf
│ ├── secondary-named.backend.conf
│ └── secondary-named.conf
├── inventory
└── templates
└── unbound.conf.j2
Ansible configuration file
[student@workstation dns-auto]$ cat ansible.cfg
[defaults]
inventory=./inventory
remote_user=devops
[privilege_escalation]
become = False
become_method = sudo
become_user = root
become_ask_pass = False
Inventory file. As it shows, this DNS deployment uses a primary/secondary structure and also deploys a caching DNS server.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
[student@workstation dns-auto]$
Primary DNS configuration
- Escalate privileges to root
- Install bind9
- Copy the configuration files
- Copy the zone files
- Note the permissions on the configuration and zone files: owner root, group named, mode 0640
- Configure the firewall
- Enable the service at boot
- Add a notification so the service is restarted when a configuration file changes
[student@workstation dns-auto]$ cat configure_primary.yml
---
- name: Configure primary nameserver
  hosts: primary_dns
  remote_user: devops
  become: yes
  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: present
    - name: Copy primary config file
      copy:
        src: files/primary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy forward zone file to primary
      copy:
        src: files/primary-backend.lab.example.com.zone
        dest: /var/named/backend.lab.example.com.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy reverse zone file to primary
      copy:
        src: files/primary-192.168.0.zone
        dest: /var/named/192.168.0.zone
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy backend config file (for zones)
      copy:
        src: files/primary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes
    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: yes
  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
[student@workstation dns-auto]$
Configuration for the primary DNS:
- Listen on port 53 on any address
- Declare the secondary server IP that is allowed to perform zone transfers
- Declare the IPs that are allowed to send DNS queries
- Recursion is not allowed
[student@workstation dns-auto]$ cat files/primary-named.conf
# /etc/named.conf (primary/secondary)
#
# For this exercise, primary and secondary named.conf files are identical but
# have separate names in the project directory to avoid confusion when
# configuring playbooks.
#
# Template file for BIND labs.
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    #Added the following
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
#Added the following
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
[student@workstation dns-auto]$
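The three settings called out above (allow-transfer, allow-query, recursion no) are the ones that decide whether an authoritative server leaks its zone or turns into an open resolver. The following Python script is an added example, not part of the post or the RH358 lab files: it parses the options block of a named.conf and reports those settings when they are weak. The first input is the primary-named.conf from the post; the second, WEAK_CONF, is a constructed counter-example. The parser only understands the flat `key value;` and `key { a; b; };` statements used in an options block, which is all this check needs.

```python
"""Audit the security-relevant statements of a BIND named.conf options block.
Added example; the two configs below are the post's primary-named.conf and a
constructed weak variant, not files shipped by the lab."""
import re

NAMED_CONF_FROM_POST = """\
# /etc/named.conf (primary/secondary)
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.backend.conf";
"""

# Constructed weak variant: recursion offered to everyone, no allow-transfer.
WEAK_CONF = """\
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_block(text, name):
    """Return the text between the braces of the top-level `name { ... }` block."""
    start = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not start:
        return None
    depth, open_idx = 0, start.end() - 1
    for j in range(open_idx, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:j]
    raise ValueError("unbalanced braces in %s block" % name)


def split_statements(body):
    """Split on ';' only at brace depth 0, so `{ a; b; }` stays one statement."""
    stmts, depth, cur = [], 0, []
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [s for s in stmts if s]


def parse_options(text):
    """Map each options statement to a string, or to a list for `{ ... }` ACLs."""
    body = extract_block(strip_comments(text), "options")
    if body is None:
        raise ValueError("no options block found")
    opts = {}
    for stmt in split_statements(body):
        if "{" in stmt:
            key, _, rest = stmt.partition("{")
            inner = rest.rsplit("}", 1)[0]
            opts[key.split()[0]] = [v.strip() for v in inner.split(";") if v.strip()]
        else:
            key, _, value = stmt.partition(" ")
            opts[key] = value.strip().strip('"')
    return opts


def audit(text):
    """Return (code, message) findings; an empty list means nothing to flag."""
    opts = parse_options(text)
    findings = []
    if opts.get("recursion", "yes") != "no":      # BIND recurses unless told not to
        findings.append(("recursion-enabled",
                         "authoritative-only server should set 'recursion no;'"))
        if "any" in opts.get("allow-recursion", []):
            findings.append(("open-resolver",
                             "recursion is offered to every client (allow-recursion { any; })"))
    transfer = opts.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append(("axfr-unrestricted",
                         "allow-transfer should list only the secondaries' addresses"))
    return findings


if __name__ == "__main__":
    for label, conf in (("post", NAMED_CONF_FROM_POST), ("weak", WEAK_CONF)):
        print(label, audit(conf) or "ok")
```

Run it before the copy task ships a named.conf, or wire the same idea into the playbook with the copy module's validate parameter and named-checkconf; the point is that a config which opens recursion or zone transfers to the world never reaches a running server.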
Forward zone file
[student@workstation dns-auto]$ cat files/primary-backend.lab.example.com.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041806 ;serial number
        1H         ;refresh secondary
        5m         ;retry refresh
        1w         ;expire zone
        1m )       ;cache time-to-live for negative answers
; owner   TTL  CL  type  RDATA
          600  IN  NS    serverb
;              IN  MX    10 serverb.backend.lab.example.com.
;              IN  A     192.168.0.11
servera        IN  A     192.168.0.10
serverb        IN  A     192.168.0.11
serverc        IN  A     192.168.0.12
serverd        IN  A     192.168.0.13
[student@workstation dns-auto]$
Reverse zone file
[student@workstation dns-auto]$ cat files/primary-192.168.0.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805 ;serial number
        1H         ;refresh secondary
        5M         ;retry refresh
        1W         ;expire zone
        1M )       ;cache time-to-live for negative answers
; owner                     TTL  CL  type  RDATA
                            600  IN  NS    serverb.backend.lab.example.com.
10.0.168.192.IN-ADDR.ARPA.       IN  PTR   servera.backend.lab.example.com.
11                               IN  PTR   serverb.backend.lab.example.com.
12                               IN  PTR   serverc.backend.lab.example.com.
13                               IN  PTR   serverd.backend.lab.example.com.
[student@workstation dns-auto]$
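The forward and reverse zones above are maintained by hand, and a secondary only notices a change when the SOA serial moves, so two things are worth checking before the playbook copies them out: that every A record has a matching PTR (and vice versa), and that each file's serial is what you think it is. The script below is an added example for both zone files, not part of the post or the lab; it embeds the two zone files exactly as shown and parses them with a small reader that copes with the forms they use: the parenthesised multi-line SOA, a blank owner that inherits the previous one (the NS line), a relative owner such as "11", and the fully qualified owner "10.0.168.192.IN-ADDR.ARPA." that the reverse zone mixes in.

```python
"""Cross-check the post's forward and reverse zone files and read their serials.
Added example; zone contents below are copied from the post, the parser is
hypothetical and covers only the record forms those files use."""
import re

ORIGIN_FWD = "backend.lab.example.com."
ORIGIN_REV = "0.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
    2020041806 ;serial number
    1H         ;refresh secondary
    5m         ;retry refresh
    1w         ;expire zone
    1m )       ;cache time-to-live for negative answers
; owner TTL CL type RDATA
    600 IN NS serverb
servera IN A 192.168.0.10
serverb IN A 192.168.0.11
serverc IN A 192.168.0.12
serverd IN A 192.168.0.13
"""

REVERSE_ZONE = """\
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
    2020041805 ;serial number
    1H         ;refresh secondary
    5M         ;retry refresh
    1W         ;expire zone
    1M )       ;cache time-to-live for negative answers
; owner TTL CL type RDATA
    600 IN NS serverb.backend.lab.example.com.
10.0.168.192.IN-ADDR.ARPA. IN PTR servera.backend.lab.example.com.
11 IN PTR serverb.backend.lab.example.com.
12 IN PTR serverc.backend.lab.example.com.
13 IN PTR serverd.backend.lab.example.com.
"""

TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")
CLASSES = ("IN", "CH", "HS")


def logical_lines(text):
    """Yield records with ';' comments dropped and '( ... )' continuations joined.
    The first physical line keeps its leading whitespace so a blank owner is
    still detectable after joining."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def qualify(name, origin):
    """Turn '@', a relative label or an absolute name into a lowercase FQDN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower()


def parse_zone(text, origin):
    """Return (soa_serial, [(owner_fqdn, rrtype, rdata_tokens), ...])."""
    owner, serial, records = origin, None, []
    for line in logical_lines(text):
        if line.startswith("$"):          # $TTL and friends are directives, not records
            continue
        tokens = line.split()
        if not line[0].isspace():         # a leading blank means "same owner as before"
            owner = qualify(tokens.pop(0), origin)
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                 # optional TTL and class, in either order
        rrtype, rdata = tokens[0].upper(), tokens[1:]
        if rrtype == "SOA":
            serial = int(rdata[2])        # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        records.append((owner, rrtype, rdata))
    return serial, records


def ptr_owner_to_ip(owner):
    """'10.0.168.192.in-addr.arpa.' -> '192.168.0.10'."""
    suffix = ".in-addr.arpa."
    if not owner.endswith(suffix):
        raise ValueError("not an IPv4 reverse name: " + owner)
    return ".".join(reversed(owner[:-len(suffix)].split(".")))


def check_consistency(forward_text, reverse_text):
    """List every A record without a matching PTR and every PTR without a matching A."""
    _, fwd = parse_zone(forward_text, ORIGIN_FWD)
    _, rev = parse_zone(reverse_text, ORIGIN_REV)
    a_records = {o: r[0] for o, t, r in fwd if t == "A"}
    # PTR targets in the post are absolute; a relative one would be relative to the reverse origin
    ptr_records = {ptr_owner_to_ip(o): qualify(r[0], ORIGIN_REV) for o, t, r in rev if t == "PTR"}
    problems = []
    for name, ip in sorted(a_records.items()):
        if ptr_records.get(ip) != name:
            problems.append("no matching PTR for %s -> %s" % (name, ip))
    for ip, name in sorted(ptr_records.items()):
        if a_records.get(name) != ip:
            problems.append("no matching A for %s -> %s" % (ip, name))
    return problems


if __name__ == "__main__":
    print("forward serial", parse_zone(FORWARD_ZONE, ORIGIN_FWD)[0])
    print("reverse serial", parse_zone(REVERSE_ZONE, ORIGIN_REV)[0])
    for msg in check_consistency(FORWARD_ZONE, REVERSE_ZONE) or ["forward and reverse zones agree"]:
        print(msg)
```

The serial is returned rather than only printed so a pre-deploy step can compare it against the value the secondary currently serves; if the file changed but the serial did not, the secondary will keep answering with stale data until the zone expires.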
Configuration file for the added zones
[student@workstation dns-auto]$ cat files/primary-named.backend.conf
zone "backend.lab.example.com" IN {
    type master;
    file "backend.lab.example.com.zone";
    forwarders {};
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    forwarders {};
};
[student@workstation dns-auto]$
Secondary DNS configuration
The playbook steps are essentially the same as for the primary
[student@workstation dns-auto]$ cat configure_secondary.yml
---
- name: Configure secondary nameserver
  hosts: secondary_dns
  remote_user: devops
  become: yes
  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: present
    - name: Copy secondary config file
      copy:
        src: files/secondary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy backend config file (for zones)
      copy:
        src: files/secondary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes
    - name: Ensure named is running and enabled
      service:
        name: named
        state: started
        enabled: yes
  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
[student@workstation dns-auto]$
The corresponding zone and configuration files
[student@workstation dns-auto]$ cat files/secondary-named.backend.conf
zone "backend.lab.example.com" IN {
    type slave;
    file "slaves/backend.lab.example.com.zone";
    masters { 192.168.0.11; };
};
zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/192.168.0.zone";
    masters { 192.168.0.11; };
};
[student@workstation dns-auto]$
[student@workstation dns-auto]$ cat files/secondary-named.conf
# /etc/named.conf (primary/secondary)
#
# For this exercise, primary and secondary named.conf files are identical but
# have separate names in the project directory to avoid confusion when
# configuring playbooks.
#
# Template file for BIND labs.
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    #Added the following
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
#Added the following
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
[student@workstation dns-auto]$
Caching DNS configuration
- Many variables are involved, so here a template file is used
- Install the package
- Generate the configuration file
- Configure the firewall
- Start the service and enable it at boot
[student@workstation dns-auto]$ cat configure_caching.yml
---
- name: Install cache only nameserver
  hosts: caching_dns
  remote_user: devops
  become: yes
  vars:
    interface: 0.0.0.0
    interface_automatic: "yes"
    access_control:
      - "172.25.250.0/24 allow"
    domain_insecure: example.com
    forward_zone_name: .
    forward_zone_addr: "172.25.250.254"
  tasks:
    - name: Install cache only nameserver
      yum:
        name: unbound
        state: present
    - name: Create configuration file on caching server host
      template:
        src: unbound.conf.j2
        dest: /etc/unbound/conf.d/unbound.conf
      # without this notify the restart_unbound handler below would never run
      notify:
        - restart_unbound
    - name: Allow dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes
    - name: Ensure unbound is running and enabled
      service:
        name: unbound
        state: started
        enabled: yes
  handlers:
    - name: restart_unbound
      service:
        name: unbound
        state: restarted
[student@workstation dns-auto]$
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
    interface: {{ interface }}
    interface-automatic: {{ interface_automatic }}
{% for acl in access_control %}
    access-control: {{ acl }}
{% endfor %}
    domain-insecure: "{{ domain_insecure }}"
forward-zone:
    name: "{{ forward_zone_name }}"
    forward-addr: {{ forward_zone_addr }}
[student@workstation dns-auto]$
The whole deployment ties the three playbooks together as follows
[student@workstation dns-auto]$ cat playbook.yml
---
- import_playbook: configure_primary.yml
- import_playbook: configure_secondary.yml
- import_playbook: configure_caching.yml
[student@workstation dns-auto]$
Parts of this post reference:
RH358 course lecture notes