
Docker使用Bind9实现域名解析的思路详解

2024年05月19日 云虚拟主机 我要评论

刷新服务

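# Recreate the bind9 compose stack so edited config and zone files are picked up.
# Abort if the compose directory is missing: without the guard, docker-compose
# would run against whatever project happens to be in the current directory.
cd /free_cicdfs0/compose/bind9 || exit 1
docker-compose down
docker-compose up -d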

修改配置文件

新版本 配置文件 大致结构发生了一些改变

cat /free_cicdfs0/data/bind9/etc/bind/named.conf
// this is the primary configuration file for the bind dns server named.
//
// please read /usr/share/doc/bind9/readme.debian.gz for information on the
// structure of bind configuration files in debian, *before* you customize
// this configuration file.
//
// if you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

从 114 缓存 查询 数据

# Write named.conf.options on the host-side volume: every query is forwarded
# to 114.114.114.114, DNSSEC is switched off, and an rndc control channel is
# declared on 127.0.0.1:953.
# NOTE(review): `controls` references the key "rndckey", but the only line that
#   could define it (the include of /etc/rndc.key) is commented out inside the
#   heredoc. Presumably this is why named later fails to open the 127.0.0.1#953
#   command channel — either include the key file (Debian-based images usually
#   ship it as /etc/bind/rndc.key) or drop the `keys { ... }` clause. Confirm
#   against the container log.
# NOTE(review): `dnssec-validation no` means every answer the forwarder returns
#   is accepted unverified. Tolerable only on an isolated LAN; hosts that reach
#   the Internet through this resolver lose all protection against forged
#   upstream answers.
# NOTE(review): `dnssec-enable` has been deprecated and later removed in newer
#   BIND 9 releases; depending on the image version it may log a warning or be
#   rejected outright — verify.
# NOTE(review): `listen-on { any; }` plus `allow-query { any; }` with forwarders
#   makes this a recursive resolver for anyone who can reach port 53; consider
#   `allow-recursion { localnets; };` or a tighter allow-query list.
cat > /free_cicdfs0/data/bind9/etc/bind/named.conf.options <<"eof"

# include "/etc/rndc.key";

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndckey"; };
};

options {
    
    // set no
    dnssec-enable no;
    dnssec-validation no;

    listen-on port 53 { any; };

    allow-query { any; };

    forwarders {
        114.114.114.114;
    };
};

eof

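# Fix ownership/permissions of the bind9 data tree that the container mounts.
# GNU chmod and chown recurse with -R: chmod parses a leading `-r` as the
# symbolic mode "remove read" and chown has no `-r` option at all, so the
# original lowercase flags did not do what was intended.
# NOTE(review): 777 makes every config and zone file world-writable, so any
#   local user could rewrite named.conf or a zone. Tighten to e.g. 750/640 once
#   the uid/gid that named runs as inside the container is known — TODO confirm.
chmod -R 777 /free_cicdfs0/data/bind9/
# The root:root step is immediately superseded by root:named; kept to match the
# original procedure.
chown -R root:root /free_cicdfs0/data/bind9/

chown -R root:named /free_cicdfs0/data/bind9/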

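# Start the stack. The first start logged the error quoted below — presumably
# because the host directory mounted over /etc/bind did not yet contain the
# container's default files (rndc key, db.* zones); the two `docker cp` lines
# seed the host-side volume from the container's own copies. TODO confirm this
# is the sequence that cleared the error.
docker-compose up -d
# log error (pasted output, not a command):
# couldn't add command channel 127.0.0.1#953: file not found
# -a keeps ownership/permissions of the copied files.
docker cp -a bind9:/etc/bind /free_cicdfs0/data/bind9/etc/

docker cp -a bind9:/var/lib/bind /free_cicdfs0/data/bind9/var/lib/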

可以用 dig 解析成功,但无法 ping 通

broken trust chain resolving 'baidu.com/aaaa/in': 114.114.114.114#53

解决:
由于局域网内使用的是非法 dns,所以关闭 dnssec 校验.
[root@192-168-174-42 ~]# vim /etc/named.conf
将下面的两项设置为no
        dnssec-enable no;
        dnssec-validation no;

查看 已有的 区域 解析,并添加 新的 解析 项

cat /free_cicdfs0/data/bind9/etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per rfc 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

https://nginx164190.zk.wh.com/

192.168.164.190 nginx164190.zk.wh.com

在 linux 安装 局域网 cert

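# Add a static hosts entry so the name resolves even before this machine's
# resolver points at the bind9 server. The original opened an interactive `vi`
# session, which cannot be replayed from a script; append the line instead, and
# only once so repeated runs do not duplicate it.
grep -qF 'nginx164190.zk.wh.com' /etc/hosts \
  || printf '%s\n' '192.168.164.190  nginx164190.zk.wh.com' >> /etc/hosts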
 
[root@node01 ~]# curl https://nginx164190.zk.wh.com/
curl: (60) peer's certificate issuer is not recognized.
more details here: http://curl.haxx.se/docs/sslcerts.html

curl performs ssl certificate verification by default, using a "bundle"
 of certificate authority (ca) public keys (ca certs). if the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.


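# Fetch and run the LAN root-CA installer so curl trusts the internal
# certificate chain.
# -f: fail on an HTTP error instead of saving the error page as the zip;
# -L: follow redirects; -sS: quiet except for real errors. Every step aborts
# on failure so a half-extracted bundle is never executed.
# NOTE(review): the bundle is fetched over plain http and then executed as a
#   script that installs a trust root — anything able to tamper with that
#   transfer can plant its own CA on every host that runs this. Compare the
#   fingerprint of rootca.pem with one obtained out of band before running
#   install_cert.sh.
# NOTE(review): the directory index returned by the test request at the end
#   lists rootca-key.pem beside rootca.pem, i.e. the CA's private key is being
#   served. Whoever downloads it can issue certificates that every host that
#   ran this installer will accept; remove it from the web root and re-issue
#   the root CA.
curl -fsSL -o install_cert_linux.zip \
  http://192.168.164.190:40080/install_cert_linux.zip || exit 1
# -o: overwrite without prompting, so a re-run does not block on a question.
unzip -o install_cert_linux.zip || exit 1

cd install_cert_linux || exit 1
./install_cert.sh || exit 1

# test: should now return the directory index instead of curl error 60
curl https://nginx164190.zk.wh.com/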
<html>
<head><title>index of /</title></head>
<body>
<h1>index of /</h1><hr><pre><a href="../">../</a>
<a href="_wildcard.zk.wh.com.crt">_wildcard.zk.wh.com.crt</a>                            18-aug-2021 08:53    1464
<a href="_wildcard.zk.wh.com.pem">_wildcard.zk.wh.com.pem</a>                            18-aug-2021 08:53    1464
<a href="install_cert_linux.zip">install_cert_linux.zip</a>                             19-aug-2021 07:30      2m
<a href="rootca-key.pem">rootca-key.pem</a>                                     18-aug-2021 08:53    2488
<a href="rootca.pem">rootca.pem</a>                                         18-aug-2021 08:53    1635
<a href="test">test</a>                                               18-aug-2021 08:47       7
</pre><hr></body>
</html>

rndc

1、953端口是rndc 的端口

2、rndc 用于查看 bind 的统计数据并对其进行管理,更新某个 zone 后无需重启 bind 即可让其重新加载

查看 默认的 解析条目

cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per rfc 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

添加 自己的 解析条目

多台 dns 之间 进行 协同
soa
ns

# a 代表 解析到 ipv4
@       in      a       127.0.0.1

# aaaa 代表 解析到 ipv6
@       in      aaaa    ::1

# ptr 代表 逆向解析
1.0.0   in      ptr     localhost.
cat /etc/bind/named.conf
// this is the primary configuration file for the bind dns server named.
//
// please read /usr/share/doc/bind9/readme.debian.gz for information on the
// structure of bind configuration files in debian, *before* you customize
// this configuration file.
//
// if you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

// add your zones
include "/etc/bind/named.conf.my-zones";


# Write the new zone declarations, modelled on /etc/bind/named.conf.default-zones:
# a forward zone for zk.wh.com and a reverse zone. Note that "192.in-addr.arpa"
# claims the whole 192.x.x.x reverse tree, so this server will answer (with
# NXDOMAIN for anything not listed in db.192) for every 192.* PTR query.
# NOTE(review): this writes to /etc/bind, while the options file earlier went to
#   the host-side /free_cicdfs0/data/bind9/etc/bind tree — presumably this is
#   run inside the container, or the volume is mounted at /etc/bind; verify.
cat > /etc/bind/named.conf.my-zones <<"eof"

zone "zk.wh.com" {
        type master;
        file "/etc/bind/db.zk.wh.com";
};

zone "192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

eof

# 模仿db 文件
cat /etc/bind/db.local
;
; bind data file for local loopback interface
;
$ttl    604800
@       in      soa     localhost. root.localhost. (
                              2         ; serial
                         604800         ; refresh
                          86400         ; retry
                        2419200         ; expire
                         604800 )       ; negative cache ttl
;
@       in      ns      localhost.
@       in      a       127.0.0.1
@       in      aaaa    ::1


# Forward zone for zk.wh.com, modelled on db.local above: two A records that
# both point at 192.168.164.190.
# NOTE(review): the SOA mname and the NS record both name `localhost.`, copied
#   from db.local. That works while clients query this server directly, but the
#   conventional form is the server's own resolvable hostname — confirm that
#   nothing will ever be referred to this zone via its NS record.
# NOTE(review): written to /etc/bind, whereas the options file earlier went to
#   the host-side /free_cicdfs0/data/bind9/etc/bind tree — presumably run inside
#   the container or with the volume mounted there; verify.
cat > /etc/bind/db.zk.wh.com <<"eof"
$ttl 86400
@ in soa localhost. root.localhost. (
        1  ; serial
    604800  ; refresh
    86400  ; retry
   2419200  ; expire
    86400 ) ; negative cache ttl
;
@ in ns localhost.
nginx164190       in      a       192.168.164.190
zcloud164190       in      a       192.168.164.190


eof


# 模仿 逆解 文件
cat /etc/bind/db.127
;
; bind reverse data file for local loopback interface
;
$ttl    604800
@       in      soa     localhost. root.localhost. (
                              1         ; serial
                         604800         ; refresh
                          86400         ; retry
                        2419200         ; expire
                         604800 )       ; negative cache ttl
;
@       in      ns      localhost.
1.0.0   in      ptr     localhost.


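# Reverse zone for 192.in-addr.arpa, modelled on db.127 above.
# The owner name `190.164.168` is relative, so the zone origin is appended and
# it matches 192.168.164.190. The PTR target, however, must be the full forward
# name: the original `nginx164190.` already ends in a dot (absolute), so it
# named a non-existent top-level host instead of nginx164190.zk.wh.com.
cat > /etc/bind/db.192 <<"eof"
$ttl 86400
@ in soa localhost. root.localhost. (
        1  ; serial
    604800  ; refresh
    86400  ; retry
   2419200  ; expire
    86400 ) ; negative cache ttl
;
@ in ns localhost.
190.164.168   in      ptr     nginx164190.zk.wh.com.

eof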

更新 解析记录

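# The LAN x.509 certificate cannot be trusted for multi-level names
# reminder: x.509 wildcards only go one level deep, so this won't match a.b.zk.wh.com
# Rewrite the forward zone on the host-side volume with the hub-docker record
# added. The SOA serial is raised from 1 to 2: every edit to a zone must
# increase the serial, otherwise secondaries (and anything else comparing
# serials) will not notice that the zone changed.
# NOTE(review): the earlier version of this file was written to
#   /etc/bind/db.zk.wh.com; this one goes to the host tree that is presumably
#   mounted over it — confirm which copy named actually loads.
cat > /free_cicdfs0/data/bind9/etc/bind/db.zk.wh.com <<"eof"
$ttl 86400
@ in soa localhost. root.localhost. (
        2  ; serial
    604800  ; refresh
    86400  ; retry
   2419200  ; expire
    86400 ) ; negative cache ttl
;
@ in ns localhost.
nginx164190       in      a       192.168.164.190
zcloud164190      in      a       192.168.164.190
hub-docker        in      a       192.168.99.100
eof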
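# Restart the container so named re-reads the rewritten zone file.
# The original put `ssh` on its own line followed by `cd` and `docker-compose`;
# in a script those two run locally after the ssh session ends, so the commands
# are passed to ssh explicitly here. (`rndc reload` would avoid a restart, but
# the rndc channel failed to start earlier in this write-up.)
# NOTE(review): the compose directory is /free_cicdfs0/composes/bind9 here and
#   /free_cicdfs0/compose/bind9 at the top of the page — presumably one is a
#   typo; check which path exists on 192.168.99.2.
ssh root@192.168.99.2 'cd /free_cicdfs0/composes/bind9 && docker-compose restart'
# test: hub-docker.zk.wh.com should resolve to 192.168.99.100 (the machine
# running ping must use this bind9 instance as its resolver). -c 2 bounds the
# test so a scripted run terminates.
ping -c 2 hub-docker.zk.wh.com
# expected output (pasted, not commands):
# ping hub-docker.zk.wh.com (192.168.99.100) 56(84) bytes of data.
# 64 bytes from 192.168.99.100: icmp_seq=1 ttl=64 time=0.172 ms
# 64 bytes from 192.168.99.100: icmp_seq=2 ttl=64 time=0.152 ms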

到此这篇关于docker使用bind9实现域名解析的文章就介绍到这了,更多相关docker使用bind9实现域名解析内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
