# 软件环境

* Centos 7.6

* bind-9.14.1.tar.gz

* mariadb-server-5.5.60

* python 3.7

* django 2.2.1

QPS:单节点2400 qps

# bind UI 管理系统

https://github.com/cucker0/BindUI

具体安装可参考https://www.cnblogs.com/linkenpark/p/10862347.html

# bind安装

cd /usr/local/src

wget http://ftp.isc.org/isc/bind9/9.14.1/bind-9.14.1.tar.gz

wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz

yum -y install ncurses ncurses-devel zlib perl mariadb-server mariadb mariadb-devel --skip-broken

cd /usr/local/src

tar -zxvf openssl-1.0.2r.tar.gz; cd openssl-1.0.2r; ./config; make; make install

tar -zxvf bind-9.14.1.tar.gz

cd /usr/local/src/bind-9.14.1

export LDFLAGS=-L/usr/lib64/mysql  # 链接器参数(-L):指定mysql lib所在目录;该目录可用 mysql_config --libs 查到

./configure --prefix=/usr/local/bind_9.14.1 --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r

# 下面是bind-9.12.1的配置方法,带多线程参数 --enable-threads;bind-9.13、bind-9.14版本已经没有此参数,因此上面9.14.1的configure命令里的 --enable-threads 不起作用,可以去掉。两条configure命令按所装版本二选一执行

./configure --prefix=/usr/local/bind --with-dlz-mysql=yes --enable-threads --enable-epoll --enable-largefile --with-openssl=/usr/local/src/openssl-1.0.2r

# --enable-threads=no表示关闭多线程

make; make install

ln -s /usr/local/bind_9.14.1 /usr/local/bind

groupadd -g 25 named

useradd named -M -u 25 -g 25 -s /sbin/nologin

chown -R named:named /usr/local/bind/var

mkdir -p /var/log/named /etc/named/conf.d; chown -R named.named /var/log/named

systemctl 启动脚本

cat /usr/lib/systemd/system/named.service

[Unit]

Description=Berkeley Internet Name Domain (DNS)

After=network.target

[Service]

Type=forking

PIDFile=/usr/local/bind/var/named.pid

ExecStart=/usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf

ExecReload=/bin/sh -c '/usr/local/bind/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'

ExecStop=/bin/sh -c '/usr/local/bind/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

PrivateTmp=true

Restart=always

RestartSec=10

[Install]

WantedBy=multi-user.target

# ExecStart 中 /usr/local/bind/sbin/named 的 -n 1 参数用于指定线程数(这里为1)

注意

* bind-9.12.1 版本使用mysql作数据库时,使用单线程更快。有实验过启动2线程或4线程并发时相当慢(服务器CPU4核心),几乎全部超时。

* bind-9.12.1 dlz + mariadb-server-5.5.60单线程查询达600 qps左右,5个bind实例的集群查询达2700 qps左右

* bind-9.14.1 dlz + mariadb-server-5.5.60单线程查询达 2400 qps左右,且设置多个线程与1个线程的性能一样

* 如果需要调试时打印详细日志时,运行 /usr/local/bind/sbin/named -n 1 -u named -c /usr/local/bind/etc/named.conf -d 4 -g

配置bind

cd /usr/local/bind/etc/

/usr/local/bind/sbin/rndc-confgen > rndc.conf

// cat rndc.conf >rndc.key

ln -s /usr/local/bind/etc /etc/named

tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf    #内容类似下面这样(secret 由 rndc-confgen 随机生成,下面的值仅为示例,请使用自己生成的密钥,不要照抄):

key "rndc-key" {

algorithm hmac-sha256;

secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { "rndc-key"; };

};

cat /etc/named/named.conf

key "rndc-key" {

algorithm hmac-sha256;

secret "vCQLvxUeXxvcdKkt8JSNI9p6eB+/ZE9DKg6Wyq1g7Uo=";

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { "rndc-key"; };

};

options {

listen-on port 53 { any; }; # 开启侦听53端口,any表示接受任意ip连接

directory "/usr/local/bind/var";

dump-file "/usr/local/bind/var/named_dump.db"; # 执行rndc dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]时保存数据的导出文件

pid-file "named.pid"; # 文件内容就是named进程的id

allow-query{ any; }; # 允许任意ip查询

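allow-query-cache { any; }; # 允许任意ip查询缓存;与上面的 listen-on any、allow-query any 以及 forwarders 一起使用时,本机会对任意来源提供递归/缓存解析(开放解析器),可被用于DNS放大攻击,面向公网部署时应改为受信任的客户端网段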

recursive-clients 60000;

forwarders{ # 设置转发的公网ip

202.96.128.86;

223.5.5.5;

};

forward only; # 设置只使用forwarders DNS服务器做域名解析,如果查询不到则返回DNS客户端查询失败。

# forward first; 设置优先使用forwarders DNS服务器做域名解析,如果查询不到再使用本地DNS服务器做域名解析。

max-cache-size 4g;

dnssec-enable no; # 9.13、9.14版本的bind做转发时需要设置关闭DNS安全设置,否则转发失败,报 broken trust chain 错

dnssec-validation no; # 9.13、9.14版本的bind做转发时需要设置关闭DNS安全验证设置;关闭后named不再校验应答的DNSSEC签名,无法识别转发器返回的伪造应答。该报错通常说明转发器没有返回可验证的DNSSEC数据,条件允许时应换用支持DNSSEC的转发器并保持校验开启

};

logging {

channel query_log { # 查询日志

file "/var/log/named/query.log" versions 20 size 300m;

severity info;

print-time yes;

print-category yes;

};

channel error_log { # 报错日志

file "/var/log/named/error.log" versions 3 size 10m;

severity notice;

print-time yes;

print-severity yes;

print-category yes;

};

category queries { query_log; };

category default { error_log; };

};

# acl

include "/etc/named/conf.d/cn_dx.acl";

include "/etc/named/conf.d/cn_lt.acl";

include "/etc/named/conf.d/cn_yd.acl";

include "/etc/named/conf.d/cn_jy.acl";

include "/etc/named/conf.d/cn.acl";

# view

include "/etc/named/conf.d/cn_dx.conf";

include "/etc/named/conf.d/cn_lt.conf";

include "/etc/named/conf.d/cn_yd.conf";

include "/etc/named/conf.d/cn_jy.conf";

include "/etc/named/conf.d/cn.conf";

include "/etc/named/conf.d/default.conf"; # default view 放最后

日志级别:

在定义通道的语句中,severity是指定记录消息的级别。在bind中主要有以下几个级别(按照严重性递减的顺序):

critical

error

warning

notice

info

debug [ level ]

dynamic

versions 20:保留20个文件

acl配置:

ip列表:https://ip.cn/chnroutes.html

示例:

cat cn_yd.acl

# 中国移动

# 2017101711, 74 routes

acl cn_yd {

36.128.0.0/10;

39.128.0.0/10;

42.83.200.0/23;

43.239.172.0/22;

43.241.112.0/22;

43.251.244.0/22;

45.121.68.0/22;

45.121.72.0/22;

45.121.172.0/22;

45.121.176.0/22;

45.122.96.0/21;

45.123.152.0/22;

45.124.36.0/22;

45.125.24.0/22;

58.83.240.0/21;

59.153.68.0/22;

61.14.244.0/22;

103.20.112.0/22;

103.21.176.0/22;

103.35.104.0/22;

103.37.176.0/23;

103.40.12.0/22;

103.43.124.0/22;

103.45.160.0/22;

103.61.156.0/22;

103.61.160.0/22;

103.62.24.0/22;

103.62.204.0/22;

103.62.208.0/22;

103.83.72.0/22;

103.192.0.0/22;

103.192.144.0/22;

103.193.140.0/22;

103.205.116.0/22;

103.227.48.0/22;

111.0.0.0/10;

111.235.182.0/24;

112.0.0.0/10;

114.66.68.0/22;

117.128.0.0/10;

118.187.40.0/21;

118.191.248.0/21;

118.194.165.0/24;

120.192.0.0/10;

121.255.0.0/16;

131.228.96.0/24;

163.53.56.0/22;

183.192.0.0/10;

202.141.176.0/20;

211.103.0.0/17;

211.136.0.0/13;

211.148.224.0/19;

211.155.236.0/24;

218.200.0.0/13;

221.130.0.0/15;

221.176.0.0/19;

221.176.32.0/20;

221.176.48.0/21;

221.176.56.0/24;

221.176.58.0/23;

221.176.60.0/22;

221.176.64.0/18;

221.176.128.0/17;

221.177.0.0/16;

221.178.0.0/15;

221.180.0.0/14;

223.64.0.0/11;

223.96.0.0/12;

223.112.0.0/14;

223.116.0.0/15;

223.118.2.0/24;

223.118.10.0/24;

223.118.18.0/24;

223.120.0.0/13;

};

其他类似

view配置:

连接数据库的帐号只需要只读(SELECT)权限即可。下面的配置中数据库密码以明文写在view配置文件里,且 ssl=false 表示与数据库的连接不加密,因此这些配置文件应限制为仅named用户可读。

cat cn_yd.conf       # match-clients要与定义的acl匹配

view "cn_yd" {

match-clients { cn_yd; };

dlz "Mysql zone" {

database "mysql

{host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}

{select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}

{select ttl, type, mx_priority,

case when lower(type)='txt' then

concat('\"', data, '\"')

when lower(type) = 'soa' then

concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)

else

data

end

from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id

and DnsRecord_zonetag.zone_name = '$zone$'

and DnsRecord_record.host = '$record$'

where DnsRecord_zonetag.status = 'on'

and DnsRecord_record.status = 'on'

and (DnsRecord_record.resolution_line = '103' or DnsRecord_record.resolution_line = '0')

}

";

};

};

注意:这里 DnsRecord_record.resolution_line 的值要与 bindUI 中定义的值相同,用来区分不同的解析线路。

其他类似

cat default.conf    # 默认view;any 是内置acl,表示所有客户端,不需要定义。view按配置中的顺序匹配,any会匹配所有客户端,所以默认view一定要放在配置中所有view的最后

view "default" {

match-clients { any; };

dlz "Mysql zone" {

database "mysql

{host=db_ip dbname=db_name ssl=false port=db_port user=bind_ui_r pass=db_pass}

{select zone_name from DnsRecord_zonetag where zone_name = '$zone$'}

{select ttl, type, mx_priority,

case when lower(type)='txt' then

concat('\"', data, '\"')

when lower(type) = 'soa' then

concat_ws(' ', data, resp_person, serial, refresh, retry, expire, minimum)

else

data

end

from DnsRecord_zonetag inner join DnsRecord_record on DnsRecord_record.zone_tag_id = DnsRecord_zonetag.id

and DnsRecord_zonetag.zone_name = '$zone$'

and DnsRecord_record.host = '$record$'

where DnsRecord_zonetag.status = 'on'

and DnsRecord_record.status = 'on'

and DnsRecord_record.resolution_line = '0'

}

";

};

};

# 初始化项目

# 初始化

python manage.py migrate

python manage.py makemigrations

python manage.py migrate

python manage.py createsuperuser

用django自带web运行(仅适用于开发/测试,Django官方不建议在生产环境使用自带服务器):python manage.py runserver ipaddr:port

DNS压力测试:

http://www.cnblogs.com/linkenpark/p/8952350.html

DNS统计分析:
