Episode 314 DNS Resolution Architecture in Practice: static hosts configuration, internal-network resolution and local domain binding, system-level solutions | Word count: 4.4k | Reading time: 21 min
DNS Resolution Architecture in Practice: static hosts configuration, internal-network resolution and local domain binding

1. DNS Resolution Overview

1.1 What DNS does

DNS (Domain Name System) is one of the core pieces of Internet infrastructure:
- Name resolution: translates memorable domain names into IP addresses
- Load balancing: distributes traffic through the answers DNS returns
- Failover: steers clients away from failed nodes
- Service discovery: service registration and lookup in microservice environments
- Internal-network isolation: keeps an organization's internal names resolvable only inside the network
1.2 Resolution order

DNS lookup order, highest priority first:

1. hosts file (highest priority)
   - static configuration
   - consulted first on the local machine
2. Local DNS cache
   - system-level cache
   - application-level cache
3. Internal DNS server
   - enterprise-internal resolution
   - private domains
4. Public external DNS
   - ISP DNS
   - public resolvers (8.8.8.8)

This is the typical order, not a guarantee. On Linux it is set by the hosts: line in /etc/nsswitch.conf (normally "files dns"), and it only applies to programs that resolve through the system resolver. dig and nslookup send their queries straight to a DNS server and never read the hosts file, and a browser with DNS-over-HTTPS enabled bypasses both the hosts file and the internal DNS server.
1.3 DNS record types

```
DNS record types:
  A      IPv4 address       e.g. www.example.com -> 192.168.1.100
  AAAA   IPv6 address       e.g. www.example.com -> 2001:db8::1
  CNAME  alias              e.g. www -> example.com
  MX     mail exchanger     e.g. mail.example.com
  TXT    free-form text     e.g. SPF / DKIM records
  SRV    service locator    e.g. Kubernetes service discovery
```
2. hosts File Configuration

2.1 hosts file location

The hosts file lives in a different place on each operating system:

Linux/macOS

```bash
# hosts file path
/etc/hosts

# view / edit (editing requires root)
cat /etc/hosts
sudo vim /etc/hosts
sudo nano /etc/hosts
```

Windows

```powershell
# hosts file path
C:\Windows\System32\drivers\etc\hosts

# open it in Notepad (run Notepad as Administrator)
notepad C:\Windows\System32\drivers\etc\hosts
```
2.2 hosts file format

Standard hosts file layout:

```
# Format:
# <IP address>   <hostname>   [aliases...]
# Lines starting with # are comments

# loopback
127.0.0.1 localhost
::1       localhost

# several names on the same IP
192.168.1.100 www.example.com
192.168.1.100 api.example.com
192.168.1.100 static.example.com

# internal services
192.168.1.10 mysql.internal.example.com
192.168.1.11 redis.internal.example.com
192.168.1.12 kafka.internal.example.com

# local development
127.0.0.1 dev.example.com
127.0.0.1 test.example.com
127.0.0.1 local.example.com

# custom single-label names
192.168.1.200 nacos-server
192.168.1.200 consul-server
192.168.1.200 etcd-server
```
2.3 hosts file best practices

A commonly used hosts template:

```
# loopback
127.0.0.1 localhost
::1       localhost

# local development aliases
127.0.0.1 dev.example.com
127.0.0.1 test.example.com
127.0.0.1 local.example.com
127.0.0.1 localhost.example.com

# local middleware
127.0.0.1 mysql.local
127.0.0.1 redis.local
127.0.0.1 mongodb.local
127.0.0.1 elasticsearch.local

# web tier
192.168.1.100 www.example.com
192.168.1.101 api.example.com
192.168.1.102 admin.example.com

# databases
192.168.1.10 mysql-master.internal
192.168.1.11 mysql-slave.internal
192.168.1.20 redis-master.internal
192.168.1.21 redis-slave.internal
192.168.1.30 mongodb.internal

# message queue / coordination
192.168.1.40 kafka-1.internal
192.168.1.41 kafka-2.internal
192.168.1.42 kafka-3.internal
192.168.1.50 zookeeper-1.internal
192.168.1.51 zookeeper-2.internal

# service registries
192.168.1.60 nacos.internal
192.168.1.61 consul.internal
192.168.1.62 eureka.internal

# observability
192.168.1.70 elasticsearch.internal
192.168.1.71 kibana.internal
192.168.1.72 prometheus.internal
192.168.1.73 grafana.internal

# load balancers
192.168.1.80 nginx-lb.internal
192.168.1.81 haproxy-lb.internal

# CI/CD and platform
192.168.1.90 docker-registry.internal
192.168.1.91 harbor.internal
192.168.1.92 jenkins.internal
192.168.1.93 kubernetes-api.internal
```

Three rules are worth keeping to. One name, one address per address family: the hosts file does no round-robin, so listing the same name on two lines (as two zookeeper nodes might tempt you to) yields one usable entry and one dead line; give each node its own name. Avoid inventing names under .local, which is reserved for multicast DNS (RFC 6762) and is handled specially by macOS and by avahi/nss-mdns on Linux. And keep the file under change control: it is consulted before DNS by every program that uses the system resolver, so an unexpected line is a silent redirect of that program's traffic.
2.4 Managing hosts entries in bulk

Shell script for hosts management:

```bash
#!/bin/bash
# Manage /etc/hosts entries: add, remove, query, and flush resolver caches.
# Every change is preceded by a timestamped backup.
HOSTS_FILE="/etc/hosts"
BACKUP_DIR="/backup/hosts"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# GNU sed and BSD (macOS) sed spell in-place editing differently
if [[ "$OSTYPE" == darwin* ]]; then SED_INPLACE=(sed -i ''); else SED_INPLACE=(sed -i); fi

# escape dots so that 192.168.1.1 does not also match 192.168.101
escape_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

backup_hosts() {
    sudo mkdir -p "${BACKUP_DIR}"
    echo "Backing up hosts file to: ${BACKUP_DIR}/hosts.${TIMESTAMP}"
    sudo cp "${HOSTS_FILE}" "${BACKUP_DIR}/hosts.${TIMESTAMP}"
}

add_domain() {
    local ip=$1 domain=$2
    if grep -qE "^$(escape_re "$ip")[[:space:]]+$(escape_re "$domain")([[:space:]]|$)" "${HOSTS_FILE}"; then
        echo "Entry already exists: ${ip} -> ${domain}"
    else
        echo "Adding entry: ${ip} -> ${domain}"
        printf '%s\t%s\n' "${ip}" "${domain}" | sudo tee -a "${HOSTS_FILE}" > /dev/null
    fi
}

remove_domain() {
    local domain=$1
    echo "Removing entry: ${domain}"
    # delete lines whose last field is exactly this domain
    sudo "${SED_INPLACE[@]}" -E "/[[:space:]]$(escape_re "$domain")[[:space:]]*$/d" "${HOSTS_FILE}"
}

query_domain() {
    grep -- "$1" "${HOSTS_FILE}"
}

refresh_dns() {
    if command -v resolvectl &> /dev/null; then
        sudo resolvectl flush-caches   # systemd-resolved; older systems: systemd-resolve --flush-caches
    fi
    if [[ "$OSTYPE" == darwin* ]]; then
        sudo dscacheutil -flushcache
        sudo killall -HUP mDNSResponder
    fi
}

main() {
    case $1 in
        add)     backup_hosts; add_domain "$2" "$3"; refresh_dns ;;
        remove)  backup_hosts; remove_domain "$2"; refresh_dns ;;
        query)   query_domain "$2" ;;
        refresh) refresh_dns ;;
        *)
            echo "Usage: $0 {add|remove|query|refresh} [args...]"
            echo "Examples:"
            echo "  $0 add 192.168.1.100 www.example.com"
            echo "  $0 remove www.example.com"
            echo "  $0 query example.com"
            echo "  $0 refresh"
            ;;
    esac
}

main "$@"
```
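A complementary check to the management script above, as an added example in Python (not code from the original article): it parses a hosts file in the format shown in 2.2, reports entries the resolver will never use (a name listed twice with different addresses in the same address family: only the first match wins), rejects malformed lines, and flags vendor or update domains pinned to anything other than loopback or a 0.0.0.0 sinkhole, which is how malware and cracked software abuse the hosts file. The sample file, the sensitive-suffix list and the hostname rule are constructed for the example.

```python
import ipaddress
import re

# Constructed sample hosts file for this example (not from the original page).
# It mixes valid entries with the mistakes and tampering an audit should catch.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.100   www.example.com api.example.com
192.168.1.10    mysql.internal.example.com
192.168.1.50    zookeeper.internal
192.168.1.51    zookeeper.internal
999.1.1.1       broken.internal
203.0.113.7     update.microsoft.com     # vendor name redirected to a foreign address
0.0.0.0         telemetry.microsoft.com  # sinkhole: harmless, not a redirect
"""

# Assumed policy list; extend for your environment.
SENSITIVE_SUFFIXES = (".microsoft.com", ".apple.com", ".google.com", ".mozilla.org")
# RFC 1123-style labels: letters, digits, hyphens, no leading/trailing hyphen
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_hosts(text):
    """Return (entries, findings). entries: (lineno, ip, [names]);
    findings: (lineno, code, message) for lines that cannot be used."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # strip trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, "invalid-ip", f"{ip!r} is not an IP address"))
            continue
        if not names:
            findings.append((lineno, "no-name", f"{ip} has no hostname"))
            continue
        bad = [n for n in names if not HOSTNAME_RE.match(n)]
        if bad:
            findings.append((lineno, "bad-hostname", f"invalid hostname(s): {bad}"))
            continue
        entries.append((lineno, ip, names))
    return entries, findings


def audit_hosts(text):
    """Parse a hosts file and flag dead duplicates and suspicious redirects."""
    entries, findings = parse_hosts(text)
    first = {}   # (name, ip version) -> (ip, lineno): resolvers use the first match
    for lineno, ip, names in entries:
        addr = ipaddress.ip_address(ip)
        for name in names:
            key = (name.lower(), addr.version)
            if key in first and first[key][0] != ip:
                findings.append((lineno, "duplicate-name",
                                 f"{name} already mapped to {first[key][0]} on line "
                                 f"{first[key][1]}; this line is never used"))
            first.setdefault(key, (ip, lineno))
            # A vendor/update domain pinned to anything but loopback or a 0.0.0.0 sinkhole
            # is the classic hosts-file hijack.
            if name.lower().endswith(SENSITIVE_SUFFIXES) and not (addr.is_loopback or addr.is_unspecified):
                findings.append((lineno, "possible-hijack", f"{name} pinned to {ip}"))
    findings.sort(key=lambda f: f[0])
    return entries, findings


def lookup(entries, name, version=4):
    """First-match lookup, the way the system resolver reads /etc/hosts."""
    for _, ip, names in entries:
        if ipaddress.ip_address(ip).version == version and name.lower() in (n.lower() for n in names):
            return ip
    return None


if __name__ == "__main__":
    entries, findings = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} usable entries, {len(findings)} findings")
    for lineno, code, msg in findings:
        print(f"line {lineno}: {code}: {msg}")
```

Run it against the real file with audit_hosts(open("/etc/hosts").read()); on a clean workstation the findings list is empty, and anything that appears there deserves a look before the next user complains that "updates stopped working".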
3. Internal DNS Resolution Architecture

3.1 Internal DNS architecture design

Components of an internal DNS architecture:

Client layer:
  - application servers
  - developer workstations
  - office network
DNS server layer:
  - primary DNS server (192.168.1.10)
  - secondary DNS server (192.168.1.11)
  - load balancer
Storage layer:
  - configuration files
  - etcd cluster
  - MySQL database
Monitoring layer:
  - DNS monitoring
  - log aggregation
  - configuration management
3.2 CoreDNS as the internal DNS

About CoreDNS: CoreDNS is a CNCF graduated project, a high-performance, extensible DNS server.

Advantages:
- cloud-native design
- plugin architecture
- Kubernetes support
- easy to deploy and operate
CoreDNS configuration (Corefile)

```
# Catch-all server block: anything not matched by a more specific zone below is forwarded upstream
.:53 {
    forward . 8.8.8.8 223.5.5.5
    cache 3600
    log
    errors
}

# Internal zone: dynamic records from etcd (SkyDNS key layout) first, then the static hosts file
internal.example.com:53 {
    etcd {
        path /skydns
        endpoint http://192.168.1.50:2379
        fallthrough
    }
    hosts /etc/coredns/hosts.internal {
        fallthrough
    }
    log
    errors
}

# Development zone: static hosts file, unknown names forwarded
dev.example.com:53 {
    hosts /etc/coredns/hosts.dev {
        fallthrough
    }
    forward . 8.8.8.8
    log
    errors
}

# Kubernetes cluster zone
cluster.local:53 {
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    prometheus :9153
    cache 30
    loop
    reload
    loadbalance
}
```

Four points to check before running this as-is. The forward lines send queries in cleartext; the forward plugin can speak DNS over TLS instead (forward . tls://8.8.8.8 { tls_servername dns.google }) so that internal query names are not readable on the path to the upstream. In the dev.example.com block, fallthrough followed by forward means any dev.example.com name missing from hosts.dev is sent to Google; if those names must never leave the network, drop the forward line so the block answers NXDOMAIN. The etcd endpoint is plain HTTP with no credentials: whoever can write to that etcd cluster controls internal name resolution, so protect it with the plugin's tls and credentials options, or at least with network ACLs. In the Kubernetes block, pods insecure answers pod-IP names without checking that the pod exists; pods verified is the safer setting.
CoreDNS deployment (docker-compose)

```yaml
version: '3.8'

services:
  coredns:
    # Pin a version tag (or an @sha256 digest) in production instead of :latest,
    # otherwise every pull can silently change the resolver code you run
    image: coredns/coredns:latest
    container_name: coredns
    ports:
      # On hosts running systemd-resolved, 127.0.0.53:53 is already taken; bind the
      # server's own address (e.g. "192.168.1.10:53:53/udp") rather than all interfaces
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - ./Corefile:/etc/coredns/Corefile:ro
      - ./hosts.internal:/etc/coredns/hosts.internal:ro
      - ./hosts.dev:/etc/coredns/hosts.dev:ro
    command: -conf /etc/coredns/Corefile
    networks:
      - dns-network
    restart: unless-stopped

networks:
  dns-network:
    driver: bridge
```
hosts.internal

```
# internal production names
192.168.1.100 www.internal.example.com
192.168.1.101 api.internal.example.com
192.168.1.102 admin.internal.example.com

# databases
192.168.1.10 mysql-master
192.168.1.10 mysql.internal.example.com
192.168.1.11 mysql-slave
192.168.1.11 mysql-slave.internal.example.com

# Redis
192.168.1.20 redis-master
192.168.1.21 redis-slave

# Kafka cluster
192.168.1.40 kafka-1
192.168.1.40 kafka.internal.example.com
192.168.1.41 kafka-2
192.168.1.42 kafka-3

# other middleware
192.168.1.50 zookeeper
192.168.1.60 nacos
192.168.1.70 elasticsearch
192.168.1.71 kibana
192.168.1.72 prometheus
192.168.1.73 grafana
```
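The etcd block in the Corefile above expects records in the SkyDNS key layout: each name becomes a path of its labels in reverse order under the configured path, with a small JSON value per record. This added example (Python, not part of the original page or of CoreDNS) builds those keys and values for a desired set of A records, derives names back from keys when auditing what is actually in etcd, and prints shell-safe etcdctl commands. The prefix, the endpoint and the sample names are assumptions taken from the configuration above. A name with several addresses is stored as one sub-key per address, which the plugin returns together for the parent name, as its README shows with /skydns/local/skydns/x1, x2.

```python
import ipaddress
import json
import shlex

# Assumed to match the Corefile's `etcd { path /skydns endpoint http://192.168.1.50:2379 }`
ETCD_PREFIX = "/skydns"
ETCD_ENDPOINT = "http://192.168.1.50:2379"


def skydns_key(fqdn, prefix=ETCD_PREFIX):
    """www.internal.example.com -> /skydns/com/example/internal/www
    The etcd plugin stores each name as a path of its labels in reverse order."""
    labels = fqdn.lower().rstrip(".").split(".")
    if any(not label or not label.replace("-", "").isalnum() for label in labels):
        raise ValueError(f"bad name: {fqdn!r}")
    return prefix + "/" + "/".join(reversed(labels))


def fqdn_from_key(key, prefix=ETCD_PREFIX):
    """Inverse of skydns_key; useful when auditing what is actually stored in etcd."""
    if not key.startswith(prefix + "/"):
        raise ValueError(f"key {key!r} is outside {prefix}")
    return ".".join(reversed(key[len(prefix) + 1:].split("/")))


def skydns_record(host, ttl=60):
    """JSON value for an address record; the plugin derives A vs AAAA from the address family."""
    ipaddress.ip_address(host)          # refuse anything that is not an IP address
    return json.dumps({"host": host, "ttl": int(ttl)}, separators=(",", ":"))


def plan_records(desired):
    """desired: {fqdn: [ip, ...]} -> {etcd_key: json_value}.
    Several addresses for one name become sub-keys x1, x2, ... under that name's path."""
    plan = {}
    for fqdn, ips in desired.items():
        base = skydns_key(fqdn)
        if len(ips) == 1:
            plan[base] = skydns_record(ips[0])
        else:
            for i, ip in enumerate(ips, 1):
                plan[f"{base}/x{i}"] = skydns_record(ip)
    return plan


def etcdctl_commands(plan, endpoint=ETCD_ENDPOINT):
    """Render shell-safe etcdctl commands for the plan (review before running)."""
    return [
        f"etcdctl --endpoints={shlex.quote(endpoint)} put {shlex.quote(key)} {shlex.quote(value)}"
        for key, value in sorted(plan.items())
    ]


if __name__ == "__main__":
    # Constructed sample, mirroring names from hosts.internal above
    desired = {
        "www.internal.example.com": ["192.168.1.100"],
        "kafka.internal.example.com": ["192.168.1.40", "192.168.1.41", "192.168.1.42"],
    }
    for cmd in etcdctl_commands(plan_records(desired)):
        print(cmd)
```

Generating the commands rather than writing to etcd directly keeps the change reviewable: a diff of the rendered commands is a diff of your internal DNS.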
3.3 BIND as the internal DNS

About BIND: BIND is the most widely deployed DNS server software; it is feature-rich and suited to large networks.

Advantages:
BIND configuration file (named.conf)

```
options {
    // add the Keepalived VIP from section 4.2 here as well, or named never answers on it
    listen-on port 53 { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // who may query, and who may ask for recursion (never the whole Internet)
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    recursion yes;

    // zone transfers only to the secondary; set this explicitly rather than trusting the default
    allow-transfer { 192.168.1.11; };

    // dnssec-enable is obsolete since BIND 9.16 and is omitted; validation is what matters
    dnssec-validation yes;

    forwarders { 223.5.5.5; 8.8.8.8; };
    forward first;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "internal.example.com" IN {
    type master;
    file "named.internal.example.com";
    allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "named.1.168.192";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
BIND zone file (named.internal.example.com)

```
$TTL 3600
@   IN  SOA ns1.internal.example.com. admin.internal.example.com. (
        2024111201  ; serial (YYYYMMDDnn; bump it on every change or secondaries will not transfer)
        1h          ; refresh
        15m         ; retry
        1w          ; expire
        1h          ; minimum (negative-caching TTL)
)

; name servers
@       IN  NS  ns1.internal.example.com.
@       IN  NS  ns2.internal.example.com.

; name server addresses
ns1     IN  A   192.168.1.10
ns2     IN  A   192.168.1.11

; web services
www     IN  A   192.168.1.100
api     IN  A   192.168.1.101
admin   IN  A   192.168.1.102

; databases
mysql           IN  A   192.168.1.10
mysql-master    IN  A   192.168.1.10
mysql-slave     IN  A   192.168.1.11

; Redis
redis           IN  A   192.168.1.20
redis-master    IN  A   192.168.1.20
redis-slave     IN  A   192.168.1.21

; Kafka cluster
kafka           IN  A   192.168.1.40
kafka-1         IN  A   192.168.1.40
kafka-2         IN  A   192.168.1.41
kafka-3         IN  A   192.168.1.42

; other services
elasticsearch   IN  A   192.168.1.70
kibana          IN  A   192.168.1.71
prometheus      IN  A   192.168.1.72
grafana         IN  A   192.168.1.73
```
BIND deployment script

```bash
#!/bin/bash
# Install BIND, drop in the config and zone files, validate them, then start the service.
set -e

if [ -f /etc/redhat-release ]; then
    sudo yum install -y bind bind-utils
    CONF=/etc/named.conf; ZONEDIR=/var/named; GROUP=named; SVC=named
elif [ -f /etc/debian_version ]; then
    sudo apt-get update
    sudo apt-get install -y bind9 bind9utils bind9-doc
    # Debian keeps the config under /etc/bind and zones under /var/cache/bind; the
    # named.conf shown above uses RHEL paths, so adjust "directory" and the includes for Debian
    CONF=/etc/bind/named.conf; ZONEDIR=/var/cache/bind; GROUP=bind; SVC=named   # "bind9" on older Debian
else
    echo "unsupported distribution" >&2; exit 1
fi

sudo cp named.conf "$CONF"
sudo cp named.internal.example.com named.1.168.192 "$ZONEDIR"/
sudo chown root:"$GROUP" "$CONF"
sudo chmod 640 "$CONF"
sudo chown "$GROUP":"$GROUP" "$ZONEDIR"/named.internal.example.com "$ZONEDIR"/named.1.168.192
sudo chmod 640 "$ZONEDIR"/named.internal.example.com "$ZONEDIR"/named.1.168.192

# Validate before (re)starting: a syntax error would otherwise take DNS down for the whole network
sudo named-checkconf "$CONF"
sudo named-checkzone internal.example.com "$ZONEDIR/named.internal.example.com"
sudo named-checkzone 1.168.192.in-addr.arpa "$ZONEDIR/named.1.168.192"

if command -v firewall-cmd > /dev/null; then
    sudo firewall-cmd --permanent --add-service=dns
    sudo firewall-cmd --reload
elif command -v ufw > /dev/null; then
    sudo ufw allow 53
fi

sudo systemctl enable --now "$SVC"
sudo systemctl status "$SVC" --no-pager

# smoke test against the new server
dig @127.0.0.1 www.internal.example.com
```
4. High-Availability DNS Architecture

4.1 High-availability design

High-availability DNS layout:

Primary DNS server:
  - IP: 192.168.1.10
  - priority: high
  - failover: automatic
Secondary DNS server:
  - IP: 192.168.1.11
  - priority: medium
  - data sync: real-time (zone transfer)
Load balancer:
  - DNS-based load balancing
  - health checks
  - failover
Data store:
  - etcd cluster
  - configuration file sync
  - dynamic updates
4.2 DNS high availability with Keepalived

Keepalived configuration

```
# /etc/keepalived/keepalived.conf on the primary
# (assumed: the secondary uses state BACKUP and priority 90)
global_defs {
    router_id dns-master
}

# Define the check script before the instance that tracks it.
# The weight must exceed the priority gap to the backup: with weight -10 a failed
# primary (100-10=90) ties with a priority-90 backup instead of yielding to it.
vrrp_script check_dns {
    script "/etc/keepalived/scripts/check_dns.sh"
    interval 3
    weight -20
    fall 3
    rise 2
}

vrrp_instance VI_DNS {
    state MASTER
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    # VRRP password auth is not a security control: the password travels in cleartext
    # and RFC 3768 dropped authentication from the protocol. Filter VRRP (IP protocol 112)
    # at the host firewall, or use unicast_peer so only the two DNS servers talk.
    authentication {
        auth_type PASS
        auth_pass dns-secret
    }
    virtual_ipaddress {
        192.168.1.53    # the VIP clients point at; must not be assigned to any host
    }
    track_script {
        check_dns
    }
    notify_master /etc/keepalived/scripts/notify_master.sh
    notify_backup /etc/keepalived/scripts/notify_backup.sh
}
```

The VIP is 192.168.1.53 here (an assumed free address) because 192.168.1.50 is already used on this page for etcd and zookeeper; a VIP that collides with a real host takes that host off the network. The VIP must also appear in named's listen-on list. On Linux named picks the address up when it arrives (automatic-interface-scan is on by default); on builds where it does not, have notify_master.sh run rndc reconfig, which rescans the interfaces.
DNS health check script (check_dns.sh)

```bash
#!/bin/bash
# Keepalived health check: exit 0 only if named is running, listening, and answering for its own zone.

if ! pgrep -x named > /dev/null; then
    echo "DNS service not running"
    exit 1
fi

if ! ss -tuln | grep -q ':53 '; then
    echo "DNS port not listening"
    exit 1
fi

# dig exits 0 on NXDOMAIN and SERVFAIL too, so check that an answer actually came back,
# and ask for a name this server is authoritative for so the test does not depend on upstreams
answer=$(dig @127.0.0.1 www.internal.example.com A +short +timeout=2 +tries=1 2>/dev/null)
if [ -z "$answer" ]; then
    echo "DNS query timed out or returned no answer"
    exit 1
fi

exit 0
```
4.3 DNS monitoring and operations

DNS monitoring script

```bash
#!/bin/bash
# Poll every DNS server for every test name once a minute and alert on misses.
DNS_SERVERS=("192.168.1.10" "192.168.1.11")
TEST_DOMAINS=(
    "www.internal.example.com"
    "api.internal.example.com"
    "mysql.internal.example.com"
)

send_alert() {
    # hook your paging/chat integration here; syslog is the minimum so that alerts are not lost
    logger -p daemon.err -t dns-monitor "$1"
    echo "ALERT: $1" >&2
}

monitor_dns() {
    local server=$1 domain answer
    for domain in "${TEST_DOMAINS[@]}"; do
        # dig exits 0 even for NXDOMAIN/SERVFAIL, so test for an actual answer
        answer=$(dig @"${server}" "${domain}" A +short +timeout=2 +tries=1 2>/dev/null)
        if [ -n "$answer" ]; then
            echo "OK: ${server} -> ${domain} (${answer})"
        else
            echo "FAIL: ${server} -> ${domain}"
            send_alert "DNS server ${server} failed to resolve ${domain}"
        fi
    done
}

while true; do
    for server in "${DNS_SERVERS[@]}"; do
        monitor_dns "${server}"
    done
    sleep 60
done
```
5. Local Domain Binding in Practice

5.1 Development environment setup

Where local domain binding is used:

1. Local development
   - http://localhost:8080
   - http://dev.example.com (friendlier, and behaves like a real host name)
2. Front-end debugging
   - mimic the production domain
   - test cookies and CORS, which are scoped by host name
3. Microservice development
   - local service-to-service calls
   - no hard-coded IPs
Full-stack development setup

hosts entries:

```
127.0.0.1 local-api.example.com
127.0.0.1 local-frontend.example.com
127.0.0.1 local-admin.example.com
127.0.0.1 local-mobile.example.com
```

Nginx reverse proxy in front of the local services:

```nginx
upstream local-api {
    server 127.0.0.1:8080;
}

upstream local-frontend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name local-api.example.com;
    location / {
        proxy_pass http://local-api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name local-frontend.example.com;
    location / {
        proxy_pass http://local-frontend;
        proxy_set_header Host $host;
    }
}
```
5.2 HTTPS for local domains

Generating a local certificate with mkcert

```bash
# install
brew install mkcert          # macOS
sudo apt install mkcert      # Debian/Ubuntu

# create a local CA and add it to the system and browser trust stores
mkcert -install

# issue one certificate covering the three local names
mkcert local-api.example.com local-frontend.example.com local-admin.example.com
# -> local-api.example.com+2.pem and local-api.example.com+2-key.pem
```

mkcert -install makes every browser on the machine trust the new CA. Keep its private key (rootCA-key.pem in the directory printed by mkcert -CAROOT) to yourself: anyone who obtains it can issue certificates your machine accepts for any name, not just the local ones.
Nginx HTTPS configuration

```nginx
server {
    listen 443 ssl;
    http2 on;                      # nginx >= 1.25.1; older releases use "listen 443 ssl http2;"
    server_name local-api.example.com;

    # files produced by the mkcert command above
    ssl_certificate     /path/to/local-api.example.com+2.pem;
    ssl_certificate_key /path/to/local-api.example.com+2-key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name local-api.example.com;
    return 301 https://$server_name$request_uri;
}
```
6. DNS Performance Optimization

6.1 DNS cache tuning

Client-side DNS caching

DNS caching layers:
  System-level cache:
    - systemd-resolved (Linux)
    - dscacheutil / mDNSResponder (macOS)
    - DNS Client service (Windows)
  Application-level cache:
    - Java: the InetAddress cache (networkaddress.cache.ttl), or dnsjava's SimpleResolver with a Cache
    - Python: dns.resolver with a cache
    - Node.js: dns-cache
  Cache lifetime:
    - taken from the record TTL served by the DNS server
    - defaults used here: 5 minutes, capped at 24 hours (platform defaults differ; the JVM, for instance, caches positive answers for 30 seconds)
Java DNS cache configuration

```java
import java.net.InetAddress;
import java.security.Security;

/**
 * Sets the JVM-wide InetAddress cache TTLs (seconds). The values are read once,
 * at the first lookup, so they must be set before any InetAddress call, or be
 * passed on the command line (-Dsun.net.inetaddr.ttl / -Dsun.net.inetaddr.negative.ttl)
 * or edited in the JDK's java.security file.
 *
 * Defaults without a SecurityManager: 30 s positive, 10 s negative. A value of -1
 * caches forever, which was the old SecurityManager default as an anti-spoofing
 * measure; it silently defeats DNS-based failover, so avoid it.
 *
 * sun.net.InetAddressCachePolicy is an internal API that java.base does not export
 * on current JDKs; the Security properties are the supported way to set this.
 */
public class DNSCacheConfig {
    static {
        Security.setProperty("networkaddress.cache.ttl", "3600");
        Security.setProperty("networkaddress.cache.negative.ttl", "60");
    }

    public static void main(String[] args) throws Exception {
        // first lookup after the static initializer: the TTLs above are now in effect
        System.out.println(InetAddress.getByName("localhost"));
    }
}
```
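The TTL policy of 6.1 (honour the server's TTL, clamp very short and very long values, remember misses briefly) and the failover hazard of an infinite TTL are easier to see in code. This added example in Python (not from the original page; the names, TTLs and addresses are constructed) implements an application-side cache with an injectable clock and a fake resolver whose answer changes after a failover, so the difference between TTL-bounded and forever caching is visible without waiting.

```python
import time


class NxDomain(Exception):
    """Raised by the resolver callback for a negative answer."""


class TtlCache:
    """Application-side DNS cache that honours record TTLs instead of a fixed timer.

    resolve(name) must return (ip, ttl) or raise NxDomain. The clock is injectable so
    the behaviour can be tested. Bounds are assumptions for the demo: min_ttl floors
    absurdly short TTLs, max_ttl caps very long ones (24 h here), negative_ttl bounds
    how long a miss is remembered, forever=True models the JVM's -1 setting."""

    def __init__(self, resolve, clock=time.monotonic, min_ttl=1, max_ttl=86400,
                 negative_ttl=60, forever=False):
        self._resolve, self._clock = resolve, clock
        self._min, self._max, self._neg, self._forever = min_ttl, max_ttl, negative_ttl, forever
        self._entries = {}          # name -> (ip or None for a cached miss, expires_at)
        self.resolver_calls = 0

    def lookup(self, name):
        now = self._clock()
        hit = self._entries.get(name)
        if hit and (self._forever or hit[1] > now):
            if hit[0] is None:
                raise NxDomain(name)
            return hit[0]
        self.resolver_calls += 1
        try:
            ip, ttl = self._resolve(name)
        except NxDomain:
            self._entries[name] = (None, now + self._neg)
            raise
        ttl = max(self._min, min(int(ttl), self._max))
        self._entries[name] = (ip, now + ttl)
        return ip


class FakeClock:
    """Deterministic stand-in for time.monotonic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_failover_resolver(records):
    """records: name -> list of (ip, ttl) answers returned in order, last one repeating.
    Models a name whose address changes after a failover (constructed sample)."""
    state = {name: 0 for name in records}

    def resolve(name):
        if name not in records:
            raise NxDomain(name)
        answers = records[name]
        answer = answers[min(state[name], len(answers) - 1)]
        state[name] += 1
        return answer
    return resolve


def failover_demo(forever):
    """Addresses seen for mysql-master at t=0, 20, 40 s with TTL 30 s and a failover after the first answer."""
    clock = FakeClock()
    resolve = make_failover_resolver({"mysql-master.internal": [("192.168.1.10", 30), ("192.168.1.11", 30)]})
    cache = TtlCache(resolve, clock=clock, forever=forever)
    seen = [cache.lookup("mysql-master.internal")]
    clock.advance(20)
    seen.append(cache.lookup("mysql-master.internal"))   # still within TTL
    clock.advance(20)
    seen.append(cache.lookup("mysql-master.internal"))   # TTL expired at t=30: re-resolve
    return seen


def negative_cache_demo():
    """Resolver calls after two misses within negative_ttl, then one more after it expired."""
    clock = FakeClock()
    cache = TtlCache(make_failover_resolver({}), clock=clock, negative_ttl=60)
    counts = []
    for delay in (0, 10, 61):
        clock.advance(delay)
        try:
            cache.lookup("missing.internal")
        except NxDomain:
            pass
        counts.append(cache.resolver_calls)
    return counts


if __name__ == "__main__":
    print("TTL-bounded:", failover_demo(False))
    print("forever:    ", failover_demo(True))
    print("negative cache resolver calls:", negative_cache_demo())
```

With TTL-bounded caching the third lookup lands on the new primary; with forever caching the client keeps using the dead address until restart, which is exactly the outage a long positive TTL hides.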
6.2 Resolution optimization

Best practices for resolution:

1. Prefer the internal DNS server
   - fewer queries leave the network
   - lower latency
2. Enable DNS caching
   - avoids repeated queries
   - faster responses
3. Configure multiple DNS servers
   - primary/secondary failover
   - load balancing
4. Use DNS prefetching in web pages
   - <link rel="dns-prefetch">
   - resolves names before they are needed
5. Use a CDN
   - serve static assets from the CDN
   - clients reach the nearest edge
7. DNS Security Practice

7.1 DNS threats

1. DNS hijacking
   - rogue DNS servers (for example pushed by a compromised router or DHCP server)
   - man-in-the-middle attacks
2. DNS spoofing
   - forged DNS responses
   - phishing
3. DNS cache poisoning
   - injecting false records into a resolver's cache
   - malicious redirection of every client behind that resolver
4. DDoS
   - DNS amplification (small spoofed queries, large responses aimed at the victim)
   - denial of service
7.2 DNS hardening

BIND hardening options

```
options {
    // keep loopback so local health checks (dig @127.0.0.1) still work
    listen-on { 127.0.0.1; 192.168.1.10; };
    listen-on-v6 { none; };

    // recursion only for the internal network: an open resolver is an amplification source
    recursion yes;
    allow-recursion { 192.168.1.0/24; localhost; };
    allow-query { localhost; 192.168.1.0/24; };

    // zone transfers only to the secondary, never to the whole subnet
    // (AXFR hands out the complete zone, i.e. an inventory of the network);
    // a TSIG key (allow-transfer { key xfer-key; };) is stronger than an IP ACL
    allow-transfer { 192.168.1.11; };

    // hide the software version from CHAOS-class queries (version.bind / id.server)
    version "Not Available";
    server-id "Not Available";

    // validate upstream answers; dnssec-enable is obsolete since BIND 9.16 and is omitted
    dnssec-validation yes;

    // response rate limiting blunts reflection/amplification abuse
    rate-limit {
        responses-per-second 10;
    };
    minimal-responses yes;
};

// logging is a top-level statement, not part of options
logging {
    channel security_log {
        file "/var/log/named/security.log" versions 10 size 10m;
        severity dynamic;
        print-time yes;
    };
    category security { security_log; };
};
```
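The server-side options above limit what the resolver exposes; the spoofing and cache-poisoning threats of 7.1 are defeated on the receiving side by checks that any stub resolver or cache must make before trusting a reply. The following added example (Python, not from the original page) implements enough of the DNS wire format to build a query with a CSPRNG transaction ID, construct replies (a legitimate one, a forged one with a guessed ID, and one carrying an out-of-bailiwick glue record), and apply the acceptance rules: matching ID, QR bit set, identical question, a cacheable rcode, and dropping records the queried server has no authority over. The names, addresses and the bailiwick zone are constructed for the demo. The same validate_response check can back the health checks of section 4, which only test that some answer came back.

```python
import ipaddress
import secrets
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080     # header flag bits
A, IN = 1, 1                            # record type / class used in the demo


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off, depth=0):
    """Decode a name, following compression pointers; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if depth > 16:
                raise ValueError("compression loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, depth + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qname, qtype=A, txid=None):
    """Stub-resolver query. The ID comes from a CSPRNG: predictable IDs (plus a fixed
    source port) are what made blind response forgery practical."""
    txid = secrets.randbelow(65536) if txid is None else txid
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, IN)


def build_response(txid, qname, qtype=A, answers=(), authority=(), additional=(), rcode=0):
    """Server (or forger) side. Each RR is (owner, type, ttl, ip_string); constructed for the demo."""
    def rr(owner, rtype, ttl, ip):
        rdata = ipaddress.ip_address(ip).packed
        return encode_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata
    body = encode_name(qname) + struct.pack("!HH", qtype, IN)
    for section in (answers, authority, additional):
        body += b"".join(rr(*r) for r in section)
    header = struct.pack("!HHHHHH", txid, QR | RD | RA | rcode, 1, len(answers), len(authority), len(additional))
    return header + body


def parse_message(msg):
    """Parse header, question and the three RR sections of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner.lower(), rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"txid": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def in_bailiwick(owner, zone):
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def validate_response(query, response, bailiwick):
    """Acceptance checks a cache must make before storing anything from `response`.
    Returns (accepted_rrs, dropped_rrs, reason); reason is None when the reply is usable.
    `bailiwick` is the zone the queried server is authoritative for (known to the caller)."""
    q = parse_message(query)
    try:
        r = parse_message(response)
    except (struct.error, IndexError, ValueError, UnicodeDecodeError) as exc:
        return [], [], f"malformed: {exc}"
    if r["txid"] != q["txid"]:
        return [], [], "txid-mismatch"              # blind forgery guess, or a stale reply
    if not r["flags"] & QR:
        return [], [], "not-a-response"
    if r["questions"] != q["questions"]:
        return [], [], "question-mismatch"          # an answer to something we never asked
    if r["rcode"] not in (0, 3):                    # only NOERROR and NXDOMAIN are cacheable here
        return [], [], f"rcode-{r['rcode']}"
    accepted, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for rr in r[section]:
            # Kaminsky-style poisoning rides on extra records for names outside the server's authority
            (accepted if in_bailiwick(rr[0], bailiwick) else dropped).append(rr)
    return accepted, dropped, None


if __name__ == "__main__":
    qname, zone = "www.internal.example.com", "internal.example.com"
    query = build_query(qname, txid=0x1234)
    cases = {
        "legit": build_response(0x1234, qname, answers=[(qname, A, 300, "192.168.1.100")]),
        "forged": build_response(0x4321, qname, answers=[(qname, A, 300, "203.0.113.9")]),
        "poison": build_response(0x1234, qname, answers=[(qname, A, 300, "192.168.1.100")],
                                 additional=[("www.example.com", A, 86400, "203.0.113.9")]),
    }
    for label, resp in cases.items():
        accepted, dropped, reason = validate_response(query, resp, zone)
        print(f"{label}: reason={reason} accepted={len(accepted)} dropped={[d[0] for d in dropped]}")
```

A real resolver adds source-port randomization and, with DNSSEC, signature validation on top of these checks; the point of the example is that a 16-bit ID alone is only a 1-in-65536 guess per packet, which is why the bailiwick rule and the question check are not optional.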
8. DNS Operations Case Studies

8.1 DNS for microservices

DNS in a microservice architecture:

Service registration:
  - etcd as the service registry
  - CoreDNS discovers services from it automatically
  - DNS records update dynamically
Service discovery:
  - Kubernetes DNS
  - SRV records per Service
  - Endpoints updated automatically
Load balancing:
  - DNS round-robin
  - health checks
  - failover
8.2 Containerized DNS stack

```yaml
version: '3.8'

services:
  coredns:
    image: coredns/coredns:latest      # pin a version tag or digest in production
    container_name: coredns
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - ./Corefile:/etc/coredns/Corefile:ro
    command: -conf /etc/coredns/Corefile
    networks:
      - internal
    depends_on:
      - etcd

  etcd:
    image: quay.io/coreos/etcd:v3.5.0
    container_name: etcd
    # The image listens on localhost only by default, which the coredns container cannot
    # reach; listen on all container interfaces and advertise the service name (the
    # Corefile's etcd endpoint is then http://etcd:2379 inside this network).
    command: >
      etcd --name dns-etcd --data-dir /etcd-data
      --listen-client-urls http://0.0.0.0:2379
      --advertise-client-urls http://etcd:2379
    # Do not publish 2379/2380 on the host: anyone who can write to etcd rewrites your
    # internal DNS. Keep it on the private network, or enable etcd auth and TLS first.
    expose:
      - "2379"
    volumes:
      - etcd_data:/etcd-data
    networks:
      - internal

networks:
  internal:
    driver: bridge

volumes:
  etcd_data:
```
9. Summary

DNS resolution is a fundamental part of network infrastructure. This article covered:

Key points
- Static hosts configuration: local name mappings and development-environment setup
- Internal DNS resolution: CoreDNS and BIND as enterprise-grade options
- High-availability architecture: primary/secondary failover, load balancing, health checks
- Security practice: DNS threats and the configuration that mitigates them

Technology stack
- DNS servers: CoreDNS, BIND
- High availability: Keepalived
- Containerized deployment: Docker, Kubernetes
- Monitoring: Prometheus, Grafana

Recommendations
- Use the hosts file for local development shortcuts
- Run dedicated DNS servers for the internal network
- Configure high availability to avoid a single point of failure
- Monitor DNS performance and security regularly

With a sound DNS architecture an organization gains both stability and performance in name resolution.