OpenShift: self-hosted DDNS (dynamic DNS)
<p>In some situations, such as an OpenStack or OpenShift/Kubernetes deployment, the installation process requires the Dynamic Update feature of standard DNS (DNS UPDATE, RFC 2136). Neither Alibaba Cloud nor Huawei Cloud offers this, mostly citing security reasons.</p><p>In that case you need to run your own DDNS to solve the problem.</p>
<h2 id="id-自建DDNS动态域名-前提条件">Prerequisites</h2>
<p>You need your own DNS server; refer to the DNS server configuration script. The operating system is CentOS 7.5.</p>
<p>Create two records on the Alibaba Cloud (Wanwang) DNS servers:</p>
<p>ns.ddns.xxxxx.com -- A record -- IPv4 pointing at the IP of the DNS server you are going to install</p>
<p>ddns.xxxxx.com -- NS record -- <span class="nolink">http://ns.ddns.xxxxx.com</span></p>
<p>From then on, all resolution under the ddns subdomain is delegated to this DNS server.</p>
<h2 id="id-自建DDNS动态域名-配置已有的named服务">Configuring the existing named service</h2>
<h3 id="id-自建DDNS动态域名-创建一个安全key">Create a security key</h3>
<p>First we need to generate a key that authorizes record updates. Here the HMAC-MD5 algorithm is used to generate it. Run:</p>
<pre><code>dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddnsxxxxx</code></pre>
<p>When it finishes, two files are generated in the current directory, with names roughly like:</p>
<pre><code>Kddnsxxxxx.+157+43433.key Kddnsxxxxx.+157+43433.private</code></pre>
<p>Open the .private file and copy the key out of it.</p>
<pre><code>more Kddnsxxxxx.+157+43433.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: MjR1T1Bdwi9NaxiT+5yIYA==
Bits: AAA=
Created: 20181207022257
Publish: 20181207022257
Activate: 20181207022257</code></pre>
<h3 id="id-自建DDNS动态域名-修改已有named配置">Modify the existing named configuration</h3>
<p>In /etc/named.conf, add the following before the zone "ddns.xxxxxx.com" definition; the secret is the key value you just copied.</p>
<pre><code>key "ddnskey" {
    algorithm hmac-md5;
    secret "MjR1T1Bdwi9NaxiT+5yIYA==";
};</code></pre>
<p>Then modify the zone definition at the end of the file:</p>
<pre><code>zone "ddns.xxxxx.com" IN {
    type master;
    file "ddns.xxxxx.com.zone";
    allow-update { key ddnskey; };
};</code></pre>
<p>SELinux may also block named from writing the zone file, so that restriction needs to be turned off:</p>
<pre><code>setsebool named_write_master_zones true</code></pre>
<p>Once that is done, restart named:</p>
<pre><code>systemctl restart named</code></pre>
<h2 id="id-自建DDNS动态域名-尝试dnsupdate功能">Trying the DNS update feature</h2>
<p>Use the nsupdate command to update the DNS:</p>
<pre><code># nsupdate
&gt; server 127.0.0.1 53
&gt; zone ddns.xxxxx.com
&gt; key ddnskey MjR1T1Bdwi9NaxiT+5yIYA==
&gt; update add abcdefg.ddns.xxxxx.com 200 A 2.2.2.2
&gt; send</code></pre>
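<p>On the wire, the nsupdate session above is an RFC 2136 UPDATE message carrying a TSIG signature (RFC 2845) computed with the secret from the key stanza in named.conf, which is why anyone holding that secret can change the zone. The following is an added example, not code from the original post, that builds and verifies such a message with the Python standard library only; it reuses the key name ddnskey and the secret shown above purely as a throwaway sample, and it also accepts hmac-sha256, which is what you should generate today instead of HMAC-MD5.</p>

```python
import base64, hashlib, hmac, struct, time

# Key value copied from the post above; a throwaway sample here, never reuse it in production.
SAMPLE_SECRET = "MjR1T1Bdwi9NaxiT+5yIYA=="
MD5_ALG = "hmac-md5.sig-alg.reg.int"   # TSIG name for hmac-md5; "hmac-sha256" is the stronger choice

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(zone, name, ttl, ipv4, msg_id=0x1234):
    """Unsigned UPDATE (RFC 2136): header with opcode 5, zone section (SOA),
    one 'add A record' RR in the update section, no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)        # ZO=1 PR=0 UP=1 AD=0
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)               # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # type A, class IN
    return header + zone_sec + rr

def _digest(algorithm):
    return hashlib.md5 if algorithm.startswith("hmac-md5") else hashlib.sha256

def _tsig_vars(key_name, algorithm, time_signed, fudge):
    """TSIG variables covered by the MAC (RFC 2845 3.4.2): key name, class ANY,
    TTL 0, algorithm name, time signed (48 bit), fudge, error 0, other-len 0."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(msg, key_name, secret_b64, algorithm=MD5_ALG, now=None, fudge=300):
    """Append a TSIG RR (type 250) to msg and bump ADCOUNT; this is what nsupdate sends."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + _tsig_vars(key_name, algorithm, now, fudge), _digest(algorithm)).digest()
    rdata = (encode_name(algorithm) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))               # original ID, error, other-len
    rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + rr

def tsig_verify(signed, key_name, secret_b64, algorithm=MD5_ALG, now=None):
    """Server-side check before the update is honoured: peel off the TSIG RR, restore
    ADCOUNT, recompute the MAC, compare in constant time and enforce the fudge window.
    Assumes the TSIG RR is the last RR and was laid out as tsig_sign above does."""
    now = int(time.time()) if now is None else now
    key_wire, alg_wire = encode_name(key_name), encode_name(algorithm)
    mac_len = _digest(algorithm)().digest_size
    rr_len = len(key_wire) + 10 + len(alg_wire) + mac_len + 16
    msg, rr = signed[:-rr_len], signed[-rr_len:]
    off = len(key_wire) + 10 + len(alg_wire)
    time_signed = int.from_bytes(rr[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rr[off + 6:off + 10])
    mac = rr[off + 10:off + 10 + mac_size]
    original = msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] - 1) + msg[12:]
    expected = hmac.new(base64.b64decode(secret_b64),
                        original + _tsig_vars(key_name, algorithm, time_signed, fudge),
                        _digest(algorithm)).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

<p>A message signed with the wrong secret, altered in transit, or replayed outside the 300-second fudge window fails tsig_verify, which is exactly the property that makes the key stanza, not the firewall, the real access control for the zone.</p>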
<p>Test the result of the update:</p>
<pre><code># dig abcdefg.ddns.xxxxx.com @localhost

; &lt;&lt;&gt;&gt; DiG 9.9.4-RedHat-9.9.4-72.el7 &lt;&lt;&gt;&gt; vpn.ddns.xxxxx.com @localhost
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 28156
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;abcdefg.ddns.xxxxx.com. IN A

;; ANSWER SECTION:
abcdefg.ddns.xxxxx.com. 200 IN A 13.37.27.291

;; AUTHORITY SECTION:
ddns.xxxxx.com. 120 IN NS ns.ddns.xxxxx.com.

;; ADDITIONAL SECTION:
ns.ddns.xxxxx.com. 120 IN A 39.106.92.7

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 07 10:41:49 CST 2018
;; MSG SIZE rcvd: 97</code></pre>
<h2 id="id-自建DDNS动态域名-最后收尾">Final steps</h2>
<p>Don't forget to open the firewall: port 53 udp/tcp on the host itself, and udp/tcp 53 on the cloud host as well.</p>
<p>Also run a test from a machine in another location to check whether the records have propagated to other DNS servers; use nslookup to check the TTL value and that the NS name is correct.</p>
<h2 id="id-自建DDNS动态域名-补充在routerOS的脚本参考">Appendix: reference script for RouterOS</h2>
<pre><code>/tool dns-update dns-server=39.108.90.77 key-name="ddnskey" key="MjR1T1Bdwi9NaxiT+5yIYA==" name=abcdefg address="3.4.5.6" zone="ddns.xxxxx.com" ttl=200</code></pre>
<p class="auto-cursor-target">A more detailed RouterOS script is here, ddnsscript.txt:</p>
<pre><code># :log info "DDNS: Begin"
:local ddnsuser "ddns-key"
:local ddnspass "q1B3kUxxWioLEVh74h8g=="
:local ddnshost "vpn"
:local ddnszone "ddns.iqyuan.com"
:local ddnsinterface "pppoe-2F"
:local ddnns "vpn.ddns.iqyuan.com"
:global ddnslastip
# :global ddnslastip [:resolve $ddnns]
# Current address of the WAN interface, in "a.b.c.d/prefix" form. The inner lookup is
# truncated in the source and has been reconstructed from how $ddnsinterface is used below.
:global ddnsip [/ip address get [/ip address find interface=$ddnsinterface] address]
# log info $ddnslastip
# log info ([:pick $ddnsip 0 [:find $ddnsip "/"]])
:if ([:typeof [:global ddnslastip]] = nil) do={ :global ddnslastip 0.0.0.0/0 } else={ :set ddnslastip $ddnslastip }
:if ([:typeof [:global ddnsip]] = nil) do={
    :log info (" DDNS: No ip address present on $ddnsinterface, please check ")
} else={
    :if ($ddnsip != $ddnslastip) do={
        # :log info "DDNS: DDNS!"
        # Only the address part is sent; the "/prefix" suffix is stripped before the update.
        /tool dns-update dns-server=39.108.90.77 key-name=$ddnsuser key=$ddnspass name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"]] ttl=200 zone=$ddnszone
        :log info ("shuaxin DDNS" . $ddnsip)
        :global ddnslastip $ddnsip
    } else={
        # :log info "DDNS: IP"
    }
}
# :log info "DDNS: End"</code></pre>
</div>
<div id="MySignature" role="contentinfo">
<h3>
<fieldset>
<legend>Copyright notice</legend>
This article was originally published on 博客园 (cnblogs) by 阿K.
Reposting is welcome, but unless the author agrees otherwise this notice must be kept and a link to the original given in a prominent place on the page; otherwise it is treated as infringement.
</fieldset>
</h3>
Source: https://www.cnblogs.com/FlyAway2013/p/11038540.html