The cloud platform does not allow running your own public-facing DNS, so once you set up a DNS service you must make sure port 53 cannot be reached from the public internet. It is therefore necessary to block port 53 from the public internet in the security group from the very start and allow port 53 only from the intranet; see the security group settings in the figure below.
# yum install bind-utils dnsmasq -y
# dnsmasq -v
# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
daily
copytruncate
missingok
rotate 30
compress
notifempty
dateext
size 200M
}
# cat /etc/resolv.conf
nameserver 127.0.0.1
# cat /etc/resolv.dnsmasq.conf
nameserver 180.76.76.76
nameserver 119.29.29.29
nameserver 114.114.114.114
nameserver 9.9.9.9
nameserver 8.8.8.8
# egrep -v "^ *#|^$" /etc/dnsmasq.conf
user=dnsmasq
group=dnsmasq
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
resolv-file=/etc/resolv.dnsmasq.conf
strict-order
addn-hosts=/etc/dnsmasq.hosts
cache-size=100
server=/google.com/9.9.9.9
server=/google.com/8.8.8.8
server=/tencentyun.com/100.121.190.140
server=/yd.zijiebao.com/100.121.190.140
server=/tencentyun.com/100.121.190.141
server=/yd.zijiebao.com/100.121.190.141
log-queries
log-facility=/var/log/dnsmasq.log
For the internal DNS addresses (shown in red above), use the values given on this page:
https://cloud.tencent.com/document/product/213/5225
Most CVM instances today are VPC machines; the default internal DNS servers of a VPC are
183.60.83.19
183.60.82.98
Changing the default internal DNS breaks resolution of internal domain names, which disrupts the cloud monitoring and cloud security agents and also affects services that depend on internal domains, such as Windows activation. This setup resolves *.tencentyun.com and *.yd.zijiebao.com through the internal DNS and sends every other domain to the public DNS servers, which accommodates users who want to change the default DNS.
https://cloud.tencent.com/document/product/296/12236
# dnsmasq --test
# service dnsmasq start
# systemctl enable dnsmasq
# netstat -tunlp|grep 53
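Once the service is running, the query log enabled by log-queries above can confirm the two things this setup relies on: that only intranet clients reach port 53, and that internal names really go to the intranet DNS. This is an added example, not part of the original post: the log lines are constructed in dnsmasq's log-queries format, the intranet DNS addresses and domain suffixes are taken from the dnsmasq.conf shown above, and the private address ranges are an assumption about where VPC clients live.

```shell
# Added example: audit dnsmasq's log-queries output for two conditions this
# setup depends on. Log lines below are constructed; the intranet DNS
# addresses and internal domain suffixes mirror the dnsmasq.conf above.

# Queries whose source address is outside private ranges (RFC 1918,
# loopback, 100.64/10) mean port 53 is reachable from the public internet,
# i.e. the security group rule is missing or too broad.
external_clients() {
  awk '
    /query\[/ && / from / {
      ip = $NF
      split(ip, o, ".")
      priv = (o[1] == 10) || (o[1] == 127) ||
             (o[1] == 192 && o[2] == 168) ||
             (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
             (o[1] == 100 && o[2] >= 64 && o[2] <= 127)
      if (!priv && !seen[ip]++) print ip
    }' "$1"
}

# Internal-domain queries that dnsmasq forwarded to anything other than the
# intranet DNS servers mean the server=/domain/ lines are not matching.
misrouted_internal() {
  awk '
    / forwarded / {
      name = $(NF - 2); upstream = $NF
      if (name ~ /(^|\.)(tencentyun\.com|yd\.zijiebao\.com)$/ &&
          upstream != "100.121.190.140" && upstream != "100.121.190.141")
        print name
    }' "$1"
}

# Constructed sample in dnsmasq log-queries format (one good client, one
# public client, one internal name that escaped to a public resolver).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 dnsmasq[2101]: query[A] cvm.tencentyun.com from 10.0.0.12
Mar  3 10:00:01 dnsmasq[2101]: forwarded cvm.tencentyun.com to 100.121.190.140
Mar  3 10:00:02 dnsmasq[2101]: query[A] www.baidu.com from 10.0.0.12
Mar  3 10:00:02 dnsmasq[2101]: forwarded www.baidu.com to 180.76.76.76
Mar  3 10:00:09 dnsmasq[2101]: query[A] example.com from 203.0.113.45
Mar  3 10:00:09 dnsmasq[2101]: forwarded example.com to 8.8.8.8
Mar  3 10:00:10 dnsmasq[2101]: query[A] mirrors.tencentyun.com from 172.16.4.9
Mar  3 10:00:10 dnsmasq[2101]: forwarded mirrors.tencentyun.com to 8.8.8.8
EOF

echo "clients outside private ranges: $(external_clients "$SAMPLE_LOG")"
echo "internal names sent to public DNS: $(misrouted_internal "$SAMPLE_LOG")"
```

Run the two functions against /var/log/dnsmasq.log on the real host; any output from either one is a finding to act on.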