Web-based DNS management with NamedManager
I. Download the NamedManager RPM packages
[root@dns ~]# hostname
dns.test.cn
[root@dns named]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.206 dns.test.cn
[root@dns ~]# ifconfig |grep 192.168
inet addr:192.168.10.206 Bcast:192.168.10.255 Mask:255.255.255.0
[root@dns named]# ping dns.test.cn
PING dns.test.cn (192.168.10.206) 56(84) bytes of data.
64 bytes from dns.test.cn (192.168.10.206): icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from dns.test.cn (192.168.10.206): icmp_seq=2 ttl=64 time=0.043 ms
......
[root@dns ~]# cd /usr/local/src/
[root@dns src]# wget http://repos.jethrocarr.com/pub/amberdms/linux/centos/6/amberdms-custom/i386/namedmanager-bind-1.8.0-1.el6.noarch.rpm
[root@dns src]# wget http://repos.jethrocarr.com/pub/amberdms/linux/centos/6/amberdms-custom/i386/namedmanager-www-1.8.0-1.el6.noarch.rpm
[root@dns src]# ll
total 1352
-rw-r--r--. 1 root root 109584 Dec 22 2013 namedmanager-bind-1.8.0-1.el6.noarch.rpm
-rw-r--r--. 1 root root 1270108 Dec 22 2013 namedmanager-www-1.8.0-1.el6.noarch.rpm
II. Install NamedManager
[root@dns src]# yum install perl httpd mod_ssl mysql-server php php-intl php-ldap php-mysql php-soap php-xml
Edit /etc/httpd/conf/httpd.conf:
[root@dns src]# vim /etc/httpd/conf/httpd.conf
......
ServerName dns.test.cn:80
[root@dns src]# service mysqld start
[root@dns src]# service httpd start
[root@dns src]# lsof -i:3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 16589 mysql 10u IPv4 77732 0t0 TCP *:mysql (LISTEN)
[root@dns src]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 16621 root 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16623 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16624 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16625 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16626 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16627 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16628 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16629 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
httpd 16630 apache 4u IPv6 77759 0t0 TCP *:http (LISTEN)
[root@dns src]# chkconfig mysqld on
[root@dns src]# chkconfig httpd on
[root@dns src]# mysqladmin -u root password 123456
[root@dns src]# rpm -Uvh namedmanager-www-1.8.0-1.el6.noarch.rpm
[root@dns src]# cd /usr/share/namedmanager/resources/
[root@dns resources]# ./autoinstall.pl
autoinstall.pl
This script setups the NamedManager database components:
* NamedManager MySQL user
* NamedManager database
* NamedManager configuration files
THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER.
DO NOT RUN FOR ANY OTHER REASON
Please enter MySQL root password (if any): 123456 // enter the MySQL root password
Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!
You can now login with the default username/password of setup/setup123 at
http://localhost/namedmanager
[root@dns resources]# cd /usr/local/src/
[root@dns src]# yum install bind php-process
[root@dns src]# rpm -Uvh namedmanager-bind-1.8.0-1.el6.noarch.rpm
Edit /etc/named.conf:
[root@dns src]# cp /etc/named.conf /etc/named.conf.bak
[root@dns src]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { any; }; // Caching of DNS query answers. It is actually not recommended to enable this, i.e. delete this line: if it is enabled, a change to a DNS record takes a while to take effect because of the cache.
    recursion yes;
    forward first;
    forwarders {
        223.5.5.5;
        223.6.6.6;
        8.8.8.8;
        8.8.4.4;
    };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";
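The options block above combines recursion yes with allow-query { any; } and allow-query-cache { any; }, which makes named a recursive resolver for any client that can reach port 53. As an added check (not part of the article or of NamedManager), the following Python snippet reads such an options block, applies BIND's documented default chain for allow-recursion, and flags that combination; the hardened variant assumes 192.168.10.0/24, the article's LAN, is the only network that should get recursive and cached answers.

```python
import re

# Constructed copy of the relevant lines from the article's options block:
# recursion is on and both queries and the cache are open to any client.
ARTICLE_OPTIONS = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-query-cache { any; };  // the article notes this line is optional
    recursion yes;
    forwarders { 223.5.5.5; 223.6.6.6; 8.8.8.8; 8.8.4.4; };
};
"""

# Hardened variant (assumption: 192.168.10.0/24 is the only network that
# should get recursive and cached answers; authoritative data stays public).
HARDENED_OPTIONS = """
acl "lan" { 127.0.0.0/8; 192.168.10.0/24; };
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { lan; };
    allow-query-cache { lan; };
    recursion yes;
    forwarders { 223.5.5.5; 223.6.6.6; 8.8.8.8; 8.8.4.4; };
};
"""

def directive(conf, name):
    """Value of a named.conf option ('yes', 'any', 'lan', ...) or None if unset.
    Strips // and # comments; /* */ comments are not handled here."""
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(rf"^\s*{re.escape(name)}\s+(\{{[^}}]*\}}|[^;{{]+);", conf, re.M)
    return m.group(1).strip("{} ").rstrip(";").strip() if m else None

def open_resolver_findings(conf):
    """Flag settings that let any client use the recursive resolver or its cache.
    allow-recursion defaults, per BIND, to allow-query-cache, then allow-query,
    then 'localnets; localhost'."""
    findings = []
    if directive(conf, "recursion") == "yes":
        who = (directive(conf, "allow-recursion") or directive(conf, "allow-query-cache")
               or directive(conf, "allow-query") or "localnets; localhost")
        if who == "any":
            findings.append("recursion is open to any client; add an allow-recursion ACL")
    if directive(conf, "allow-query-cache") == "any":
        findings.append("allow-query-cache { any; } serves cached answers to any client")
    return findings
```

Running open_resolver_findings on the article's block reports both findings, while the hardened block reports none; named-checkconf should still be run on the real file after editing.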
If you want BIND to run in chroot mode:
[root@dns src]# yum install bind-chroot
Create a hard link for the /etc/named.namedmanager.conf file:
[root@dns src]# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf
Without the hard link, named reports that it cannot find /etc/named.namedmanager.conf when it starts.
The reason is:
bind-chroot is a BIND feature that lets BIND run in chroot mode. That is, the / (root) directory BIND sees while running is not the system's real / (root) directory, but only a subdirectory of the system.
The purpose is to improve security: in chroot mode, what BIND can access is limited to that subdirectory, and it cannot move further up into other directories of the system.
chroot changes the root directory (/) a program refers to while running, making a specific subdirectory the program's virtual root directory, and strictly limits the system resources, user permissions and directories the program can use at runtime: the program only has permissions under this virtual root, and none at all once outside it. For example, on CentOS /var/named/chroot is the virtual root (/), so the /etc directory inside the virtual root is actually /var/named/chroot/etc, and /var/named is actually /var/named/chroot/var/named. The advantage of chroot is that if an attacker breaks into the system through BIND, they are confined to the chroot directory and its subdirectories, and the damage is limited to that virtual directory rather than threatening the security of the whole server.
III. Start the named service
[root@dns src]# service named start
[root@dns src]# chkconfig named on
[root@dns src]# lsof -i:53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 16864 named 20u IPv4 81946 0t0 TCP localhost:domain (LISTEN)
named 16864 named 21u IPv4 81948 0t0 TCP 192.168.10.206:domain (LISTEN)
named 16864 named 512u IPv4 81945 0t0 UDP localhost:domain
named 16864 named 513u IPv4 81947 0t0 UDP 192.168.10.206:domain
Edit /etc/namedmanager/config-bind.php:
[root@dns src]# cp /etc/namedmanager/config-bind.php /etc/namedmanager/config-bind.php.bak
[root@dns src]# vim /etc/namedmanager/config-bind.php
.......
$config["api_url"] = "http://192.168.10.206/namedmanager"; // where the application is installed
$config["api_server_name"] = "dns.test.cn"; // must match the ServerName set in the httpd configuration
$config["api_auth_key"] = "Dns";
......
IV. Firewall settings
On the host where NamedManager is deployed, either turn off iptables or configure it as follows:
[root@dns src]# setenforce 0
[root@dns src]# getenforce
[root@dns src]# vim /etc/sysconfig/selinux
.......
SELINUX=disabled
[root@dns src]# iptables -F
[root@dns src]# iptables -P INPUT DROP
[root@dns src]# iptables -P FORWARD DROP
[root@dns src]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@dns src]# iptables -A INPUT -i lo -p all -j ACCEPT
[root@dns src]# iptables -A INPUT -p icmp -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
[root@dns src]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Disable IPv6, add the domain records (forward and reverse resolution), set the services to start on boot, and reboot the server.
[root@dns src]# vim /etc/modprobe.d/dist.conf // append the following at the end of the file:
......
alias net-pf-10 off
alias ipv6 off
[root@dns src]# chkconfig ip6tables off
[root@dns src]# chkconfig httpd on
[root@dns src]# chkconfig mysqld on
[root@dns src]# chkconfig named on
[root@dns src]# init 6 // or run "reboot"
V. Web-side settings
Visit http://192.168.10.206/namedmanager and log in with the default username and password (setup, setup123).
Do not forget to change the username and password under user management.
1. Set the API key (Configuration)
2. Add the Name Servers
3. Add the forward records
4. Add the reverse records
Verification:
[root@dns ~]# cd /var/named/
[root@dns named]# ll
total 40
-rw-r--r--. 1 root root 490 Apr 7 14:48 10.168.192.in-addr.arpa.zone
drwxr-x---. 7 root named 4096 Apr 7 13:37 chroot
drwxrwx---. 2 named named 4096 Apr 7 13:39 data
drwxrwx---. 2 named named 4096 Apr 7 14:40 dynamic
-rw-r--r--. 1 root root 455 Apr 7 14:45 test.cn.zone
-rw-r-----. 1 root named 3289 Apr 11 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 22 20:57 slaves
The forward zone with the A records is:
[root@dns named]# cat test.cn.zone
$ORIGIN test.cn.
$TTL 120
@ IN SOA dns.test.cn. admin.kevin.com. (
2018040703 ; serial
21600 ; refresh
3600 ; retry
604800 ; expiry
120 ; minimum ttl
)
; Nameservers
test.cn. 86400 IN NS dns.test.cn.
; Mailservers
; Reverse DNS Records (PTR)
; CNAME
; HOST RECORDS
db01 120 IN A 192.168.10.205
db02 120 IN A 192.168.10.209
dns 120 IN A 192.168.10.206
web01 120 IN A 192.168.10.202
web02 120 IN A 192.168.10.203
The reverse zone with the PTR records is:
[root@dns named]# cat 10.168.192.in-addr.arpa.zone
$ORIGIN 10.168.192.in-addr.arpa.
$TTL 120
@ IN SOA dns.test.cn. admin.kevin.com. (
2018040704 ; serial
21600 ; refresh
3600 ; retry
604800 ; expiry
120 ; minimum ttl
)
; Nameservers
10.168.192.in-addr.arpa. 86400 IN NS dns.test.cn.
; Mailservers
; Reverse DNS Records (PTR)
202 120 IN PTR web01.test.cn.
203 120 IN PTR web02.test.cn.
205 120 IN PTR db01.test.cn.
206 120 IN PTR dns.test.cn.
209 120 IN PTR db02.test.cn.
; CNAME
; HOST RECORDS
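A forward and a reverse zone drift apart easily when records are edited in the web UI one at a time. As an added check (not part of the article or of NamedManager), the following Python snippet parses zone files in the format shown above and verifies that every A record has a matching PTR and every PTR a matching A record; the embedded zone data is a constructed, abridged copy of the article's two files.

```python
import ipaddress

# Constructed, abridged copies of the article's test.cn forward zone and
# 10.168.192.in-addr.arpa reverse zone (same owners and addresses).
FORWARD_ZONE = """$ORIGIN test.cn.
@ IN SOA dns.test.cn. admin.kevin.com. (
    2018040703 21600 3600 604800 120 )  ; serial refresh retry expiry minimum
db01 120 IN A 192.168.10.205
dns 120 IN A 192.168.10.206
web01 120 IN A 192.168.10.202
"""
REVERSE_ZONE = """$ORIGIN 10.168.192.in-addr.arpa.
@ IN SOA dns.test.cn. admin.kevin.com. (
    2018040704 21600 3600 604800 120 )
202 120 IN PTR web01.test.cn.
205 120 IN PTR db01.test.cn.
206 120 IN PTR dns.test.cn.
"""

def parse_zone(text):
    """Return [(owner_fqdn, type, rdata)]; handles $ORIGIN, $TTL, ';' comments,
    '@' and relative owner names, and the parenthesised multi-line SOA."""
    origin, records, in_parens = "", [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if in_parens or not line or line.startswith("$TTL"):
            in_parens = in_parens and ")" not in line  # still inside SOA ( ... )
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner = origin if fields[0] == "@" else fields[0]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"              # qualify relative names
        i = fields.index("IN") + 1
        records.append((owner, fields[i], " ".join(fields[i + 1:])))
        in_parens = "(" in line and ")" not in line
    return records

def check_consistency(forward_text, reverse_text):
    """Cross-check every A record against the PTR zone and back; return problems."""
    a_map = {ipaddress.ip_address(r).reverse_pointer + ".": o
             for o, t, r in parse_zone(forward_text) if t == "A"}
    ptr_map = {o: r for o, t, r in parse_zone(reverse_text) if t == "PTR"}
    problems = [f"{host}: expected PTR {rname} -> {host}, found {ptr_map.get(rname)}"
                for rname, host in a_map.items() if ptr_map.get(rname) != host]
    problems += [f"PTR {rname} -> {host} has no matching A record"
                 for rname, host in ptr_map.items() if rname not in a_map]
    return problems
```

An empty list from check_consistency means the two zones agree; it complements, but does not replace, a syntax check with named-checkzone on the generated files.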
VI. Client DNS settings
Set the DNS address of the NamedManager host itself and of all client machines to 192.168.10.206 (the IP address of the NamedManager host).
[root@web01 ~]# ifconfig|grep 192
inet addr:192.168.10.202 Bcast:192.168.10.255 Mask:255.255.255.0
[root@web01 ~]# cat /etc/resolv.conf
domain test.cn
search test.cn
nameserver 192.168.10.206
[root@web01 ~]# ping www.baidu.com // this is resolved through the forwarders configured in the DNS server
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38: icmp_seq=1 ttl=49 time=37.6 ms
64 bytes from 14.215.177.38: icmp_seq=2 ttl=49 time=37.5 ms
64 bytes from 14.215.177.38: icmp_seq=3 ttl=49 time=37.4 ms
.....
[root@web01 ~]# ping web02.test.cn
PING web02.test.cn (192.168.10.203) 56(84) bytes of data.
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=2 ttl=64 time=0.212 ms
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=3 ttl=64 time=0.132 ms
.....
Check on the client that forward and reverse resolution both work:
[root@web01 ~]# host 192.168.10.209
209.10.168.192.in-addr.arpa domain name pointer db02.test.cn.
[root@web01 ~]# host db01.test.cn
db01.test.cn has address 192.168.10.205
It is recommended to deploy several NamedManager instances for high availability.