
Installing NamedManager: web management for BIND9 DNS servers

I. Introduction to NamedManager

    NamedManager is an AGPL web-based DNS management system designed to make the adding, adjusting and removal of zones/records easy and reliable.

    This also ensures that an outage of the management server web interface or SQL database will not result in any impact to DNS servers.

Key Features

  • Allows adding, adjusting and deleting DNS zones.
  • Supports Bind 9 and pushes Bind compatible configuration and zone files to configured servers.
  • Supports Amazon Route53
  • Ability to import existing Bind zonefiles.
  • Includes a log tailer that runs on the name servers and sends back logs that are rendered in the web interface.
  • SOAP API to allow other tools to hook into the interface.
  • Written in PHP and uses a MySQL database backend.
  • Supports IPv4 and IPv6 users of the management interface.
  • Supports IPv4 and IPv6 forward and reverse records zones.
  • Supports internationalized domain names.

Using NamedManager

NamedManager is split into two parts:

  1. The web interface and MySQL DB that stores and provides configuration for the DNS zones.
  2. A component for bind which runs frequently and applies any configuration on the Bind name servers, reloads them and sends logs back to the web interface.

    You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.

  With NamedManager, the usual Bind slave replication isn't used for zones, instead all the servers run as independents and NamedManager handles the replication of configuration between them.

For more information see the official wiki: https://github.com/jethrocarr/namedmanager/wiki

II. Installing NamedManager

Installation

NamedManager is split into two key components:

  • Management web interface
  • Bind server integration component

These packages have a documented installation process, however it presumes a level of understanding and familiarity with Bind name servers and Linux administration.

The easiest way to install is to use RHEL (or a clone such as CentOS, Scientific Linux, Oracle Enterprise Linux, etc) and use the RPM package process as it saves considerable steps.

Requirements

NamedManager's web interface requires:

  • PHP 5.3+ (php, php-soap, php-mysql, php-intl, php-xml)
  • MySQL Server

The NamedManager Bind integration requires:

  • Bind 9
  • PHP 5.3+ (php-cli, php-soap, php-intl).

1. Preparation

Before installing NamedManager, make sure you have:

a) A functional Apache server setup with PHP 5 installed and SSL enabled.

b) A MySQL database server for storing the application's settings and cache DB.

c) One or more functional bind name servers (can be same or different hosts to the web interface). It is recommended that you use the "bind-chroot" package on RHEL systems.

d) Check the PHP version shipped with your distribution - RHEL 5 ships with PHP 5.1.x by default, ensure that this is upgraded to 5.3 by using the newer PHP packages from amberdms-upgrades OR by installing php53 packages provided by the distribution.

# cd /etc/yum.repos.d/
# wget http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
# yum makecache

# yum -y install namedmanager-www      

2. Install the MySQL database

When you install the RPM as per the steps above, it will advise you on the command to run to install the database.

This will execute a script that allows you to specify your MySQL root password (if any) and then sets up a new DB and user for NamedManager.

3. Write the configuration file

The configuration file will be automatically generated with all the options needed to get up and running by the installer. Note that the installer only contains the minimal key values, most of the options for configuration are exposed via the web interface.

All configuration is in the /etc/namedmanager/config.php file.

By default internal application authentication is used, optionally it can be switched to use LDAP - refer to Installation-Integration-LDAP for instructions on how to do this.

4. Login and setup the name servers.

Before you can configure any domain names and records, it's necessary to login to the web interface and configure your name servers.

NamedManager requires all the name servers to have an entry in NamedManager - this information is used to generate NS records for all the domains, as well as being where the API keys are set to allow the name servers to connect to NamedManager for pulling configuration.

The default login is username "setup", password "setup123". The application installs default Apache configuration to run at https://localhost/namedmanager.

5. (optional) Install the Bind integration modules

For each Bind nameserver being used, the namedmanager-bind RPM package needs to be installed. This step is optional and only needed if you want to use Bind with NamedManager.

This package provides two components:

  • Configuration generation script which connects to the NamedManager web interface via SOAP and downloads the latest configuration and writes to Bind zonefiles and config files.
  • The log feeder script which installs a bootscript that monitors logs and pushes them back into NamedManager.

6. (optional) Configure the Bind Integration Component

Read and perform the steps in Installation-Integration-Bind for details on configuring NamedManager to hook into the existing Bind environment.

Pre-requisites

  • You must have completed the installation steps as detailed in the Installation guides.
  • Configure all your name servers via the NamedManager web interface including setting an API key for them.
  • Ensure the web interface is reachable from the name servers, as they need to connect to the API at http://example.com/namedmanager to fetch DNS zone and record information, as well as to send logs back.

1. Configuration of Bind configuration writer

All configuration for the bind integration will be in: /etc/namedmanager/config-bind.php

It is important to review and adjust all paths and variables to match your particular environment, however the following are particularly key:

1.1. API Credentials

Set the path of the API for the NamedManager web interface to query for zonefile information, along with the nameserver name and key.

$config["api_url"]      = "http://example.com/namedmanager";
$config["api_server_name"]  = "ns1.example.com";
$config["api_auth_key"]     = "AAAAABBBBBCCCCDDDD111222333";      

1.2. Bind paths & locations

Configure bind locations - typically the only option that needs changing is bind/config and bind/zonefiledir if your Bind process is using a different filesystem path (such as a chroot location).

Note that "named.namedmanager.conf" is intentional: this is the file that NamedManager generates, and it is then included by your existing config rather than being a full configuration replacement.

Example when using non-chrooted bind:

$config["bind"]["config"]   = "/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/";      

Example when using bind-chroot:

$config["bind"]["config"]   = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/chroot/var/named/";      

The bind config writer generates a configuration file for bind, that should be included from within the main configuration for bind (either /var/named/chroot/etc/named.conf or /etc/named.conf).

This file only defines the configured DNS zones, not any other Bind configuration. It can even be included in an existing configuration of zones, as long as none of the zones in NamedManager clash with the manually configured ones.

Note: this file path is the same both for bind-chroot and non-chroot, as it is relative to within the chroot jail:

The following line must be included in your Bind configuration to pull in the NamedManager zones - note that you can include it inside multiple views if your name server is configured that way.

include "/etc/named.namedmanager.conf";      

1.3. Cronjob frequency

By default the Bind configuration is checked for new versions every minute. If you're running a large deployment with many domains, you may wish to reduce the frequency of this check by editing /etc/cron.d/namedmanager-bind.

1.4. Test and verify correct operation

Verify the configuration for each name server is correct, by executing the configuration writer process:

php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php      

This will check for configuration and if found apply it - if there are any API connection issues, it will provide details.

If you have any configured DNS zones, they will be written to the named.namedmanager.conf file and an associated zonefile will be generated.

Any errors will normally be recorded in /var/log/namedmanager_bind_configwriter.

2. Configuration of Bind log integration

If you wish to aggregate all the Bind logs from all the name servers into the web interface, you need to configure and start the Bind logpush process.

2.1. Configure the logpush collector

As long as the API has been correctly configured as per step 1, the only adjustment needed to /etc/namedmanager/config-bind.php is to set the path to the NamedManager log:

$config["log_file"]     = "/var/log/messages";      

On RHEL NamedManager logs to /var/log/messages; other platforms may have NamedManager logging to /var/log/syslog or elsewhere.

2.2. Start the logpush daemon

Execute the following to (re)start the logpush daemon:

/etc/init.d/namedmanager_logpush restart      

You may need to enable the bootscript for startup on your platform - on RHEL, this is:

chkconfig --level 345 namedmanager_logpush on      

Logs should start appearing in the web interface within a few seconds (5-10) after they are generated on the nameserver.

Any errors will be recorded in /var/log/namedmanager_logpush.

3. Complete

The configuration of the name server is now complete - you will need to repeat the above process for any name server you deploy to.

I. System initialization

Disable SELinux

[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

[root@localhost ~]# service iptables stop
[root@localhost ~]# ntpdate time.nist.gov      

II. Install namedmanager

  • namedmanager-www :  web interface 
  • namedmanager-bind : bind integration module
[root@localhost ~]# wget -O /etc/yum.repos.d/amberdms-c6-public.repo http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
[root@localhost ~]# yum -y install namedmanager-www namedmanager-bind

## Note the installation messages
#################################
BIND/NAMED CONFIGURATION

NamedManager BIND components have been installed, you will need to install
and configure bind/named to use the configuration file by adding the
following to /etc/named.conf:

#
# Include NamedManager Configuration
#

include "/etc/named.namedmanager.conf";


NAMEDMANAGER BIND CONFIGURATION

You need to set the application configuration in /etc/namedmanager/config-bind.php      

Note: named.conf must now be edited to add include "/etc/named.namedmanager.conf";

In addition, /etc/namedmanager/config-bind.php must be configured for the PHP integration component.

###################################

## The cron job under cron.d: every minute the DNS data from MySQL is refreshed and the result logged
[root@localhost ~]# vi /etc/cron.d/namedmanager-bind
#
# NAMEDMANAGER INTEGRATION
# Cron Jobs
#

# check for new configuration every minute
*/1 * * * * root php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php >> /var/log/namedmanager_bind_configwriter &> /dev/null

# PHP slowly leaks memory, restart the process weekly to prevent it getting too large over months
01 01 * * 0 root /etc/init.d/namedmanager_logpush restart >> /dev/null 2>&1


[root@localhost ~]# chkconfig --level 35 namedmanager_logpush on 
[root@localhost ~]# /etc/init.d/namedmanager_logpush start 

## Verify that the namedmanager configuration file is correct (it is not configured yet at this point, so this reports an error)
[root@localhost ~]# /usr/bin/php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php      

III. Install the LAMP stack

# install the LAMP stack
[root@localhost ~]# yum -y install mysql mysql-server mysql-devel httpd php php-mysql 

[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on

[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation

## change the MySQL root password
[root@localhost ~]# mysqladmin -u root password 123456

## set the system hostname and the httpd ServerName, something like ns1.example.com
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
ServerName dns.test.com:80

[root@localhost ~]# service httpd start


## initialise the data: load the namedmanager tables into the MySQL database
[root@localhost ~]# cd /usr/share/namedmanager/resources/
[root@localhost ~]# ./autoinstall.pl      # enter the MySQL root user's password

[root@localhost resources]# ./autoinstall.pl 
autoinstall.pl

This script setups the NamedManager database components:
 * NamedManager MySQL user
 * NamedManager database
 * NamedManager co 

THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER.
DO NOT RUN FOR ANY OTHER REASON

Please enter MySQL root password (if any): 123456
Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!

You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager      

IV. Install and configure named

[root@localhost ~]# yum install -y bind-*
[root@localhost ~]# chkconfig named on

## edit the named configuration files
[root@localhost  ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc/
[root@localhost  ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/var/* /var/named/chroot/var/
## create the required files inside the bind chroot directory
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind

## make the Bind lock files writable
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic

[root@localhost ~]# cp /var/named/chroot/etc/named.conf  /var/named/chroot/etc/named.conf.bak
[root@localhost ~]# echo > /var/named/chroot/etc/named.conf
[root@localhost ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        allow-query     { 192.168.0.0/16; localhost; };
        recursion yes;
        allow-recursion { 192.168.0.0/16; localhost; };

        forward first;
        forwarders {
                61.128.128.68;
        };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// This is the root servers zone file, already present on this system.
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

//  End of the named.conf


## start the bind service
[root@localhost ~]# service named configtest
[root@localhost ~]# service named start

## test that name resolution works
[root@localhost ~]#  dig www.baidu.com @localhost      

Modify /etc/named.conf

*******************************************************************************************************************

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-query-cache { any; };
        recursion yes;
        forward first;
        forwarders { 180.76.76.76; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";

****************************************************************************************************************** 
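The file above grants allow-query and allow-query-cache to { any; } with recursion on, whereas the chroot file in section IV limits allow-recursion to 192.168.0.0/16; the former pattern turns a public-facing name server into an open resolver. The following shell audit is an added example (not from the page or from NamedManager) that reduces both files to constructed snippets and flags the open one; it assumes a single options block with no views.

```shell
#!/bin/sh
# Added example, not part of the page or of NamedManager.  Audits a named.conf for
# the open-resolver pattern: recursion on, and the effective recursion ACL
# (allow-recursion, falling back to allow-query-cache, then allow-query, as BIND
# does) containing "any".  Assumes one options {} block and no views.

# drop // comments, collapse whitespace runs and prefix one space, so every
# statement can be matched as " name ..." regardless of indentation
named_conf_norm() {
    sed -e 's#//.*$##' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^/ /' "$1"
}

# named_opt NAME FILE -> body of " NAME { ... }", e.g. "any;" or "192.168.0.0/16; localhost;"
named_opt() {
    named_conf_norm "$2" | sed -n "s/.* $1 {\([^}]*\)}.*/\1/p" | head -n 1 |
        sed -e 's/^ *//' -e 's/ *$//'
}

# named_recursion FILE -> "yes" or "no" (BIND defaults to yes when the option is absent)
named_recursion() {
    r=$(named_conf_norm "$1" | sed -n 's/.* recursion \([a-z]*\);.*/\1/p' | head -n 1)
    echo "${r:-yes}"
}

# named_audit_recursion FILE -> 0 when recursion is off or limited to an explicit ACL,
#                              1 when the effective recursion ACL contains "any"
named_audit_recursion() {
    [ "$(named_recursion "$1")" = "yes" ] || return 0
    acl=$(named_opt allow-recursion "$1")
    [ -n "$acl" ] || acl=$(named_opt allow-query-cache "$1")
    [ -n "$acl" ] || acl=$(named_opt allow-query "$1")
    case " $acl " in
        *" any; "*) return 1 ;;   # anyone on the internet may recurse through this server
    esac
    return 0                      # explicit ACL, or BIND's default of localnets/localhost
}

# --- constructed samples, reduced from the two named.conf files on the page ---
NM_TMP=$(mktemp -d)
NM_OPEN_CONF="$NM_TMP/open.conf"
NM_RESTRICTED_CONF="$NM_TMP/restricted.conf"
cat > "$NM_OPEN_CONF" <<'EOF'
options {
        allow-query     { any; };
        allow-query-cache     { any; };
        recursion yes;
};
EOF
cat > "$NM_RESTRICTED_CONF" <<'EOF'
options {
//      allow-query     { localhost; };
        allow-query     { 192.168.0.0/16; localhost; };
        recursion yes;
        allow-recursion { 192.168.0.0/16; localhost; };
};
EOF

for f in "$NM_OPEN_CONF" "$NM_RESTRICTED_CONF"; do
    if named_audit_recursion "$f"; then
        echo "$f: recursion limited to { $(named_opt allow-recursion "$f") }"
    else
        echo "$f: OPEN RESOLVER - recursion allowed for { $(named_opt allow-query "$f") }"
    fi
done
```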

If you want bind to run in chroot mode:

# yum install bind-chroot

Create a hard link of the /etc/named.namedmanager.conf file:

#  ln /etc/named.namedmanager.conf   /var/named/chroot/etc/named.namedmanager.conf

Without the hard link, named complains on startup that "/etc/named.namedmanager.conf" cannot be found.

This is because:

bind-chroot is a feature of bind that lets bind run in chroot mode. That is, the / (root) directory bind sees while running is not the system's real / (root) directory, but merely a subdirectory of the system. The purpose is to improve security: in chroot mode, what bind can access is limited to that subdirectory, and it cannot climb further into the other directories of the system.

chroot changes the root directory (/) a program refers to while running, i.e. it makes a particular subdirectory the program's virtual root directory, and strictly controls the system resources, user permissions and directories the program may use while running; the program only has permissions under this virtual root directory and has none once outside it. For example, on CentOS, /var/named/chroot is in fact the virtual root (/) directory, so the /etc directory inside the virtual root is really /var/named/chroot/etc, and the /var/named directory is really /var/named/chroot/var/named. The advantage of chroot is that if an attacker breaks into the system through Bind, they are confined to the chroot directory and its subdirectories, so the damage stays within that virtual directory and does not threaten the security of the whole server.

************************************************************************************************************

V. Configure named && namedmanager

[root@localhost ~]# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf
[root@localhost ~]# chown named:named /var/named/chroot/etc/named.namedmanager.conf

[root@localhost ~]# vi /var/named/chroot/etc/named.conf
include "/etc/named.namedmanager.conf";
# Note: named.conf must be edited to add include "/etc/named.namedmanager.conf";
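To confirm the three things this section sets up (the include line, the file in named's chroot view, and the hard link) before restarting named, here is an added shell check that is not part of the page or of NamedManager; it takes the real paths as parameters and its demo runs against constructed directory trees under mktemp.

```shell
#!/bin/sh
# Added example, not part of the page or of NamedManager.  Checks the layout section V
# builds: named.conf carries the include line, the generated file exists where named
# (inside its chroot) looks for it, and the chroot copy is a hard link of the /etc file
# the RPM installed, since a plain copy would silently go stale.

NM_CONF_NAME="named.namedmanager.conf"

# named_has_include NAMED_CONF -> 0 if an uncommented include of the NamedManager file is present
named_has_include() {
    sed 's#//.*$##' "$1" | grep -q "include[[:space:]]*\"/etc/$NM_CONF_NAME\"[[:space:]]*;"
}

# same_file A B -> 0 when both are regular files sharing one inode (hard link, or the same path)
same_file() {
    [ -f "$1" ] && [ -f "$2" ] &&
        [ "$(ls -i "$1" | awk '{print $1}')" = "$(ls -i "$2" | awk '{print $1}')" ]
}

# check_namedmanager_layout NAMED_CONF RPM_FILE NAMED_VIEW_FILE
#   NAMED_CONF      the named.conf that named actually reads
#   RPM_FILE        the named.namedmanager.conf the RPM put under the real /etc
#   NAMED_VIEW_FILE what "/etc/named.namedmanager.conf" resolves to for named: RPM_FILE
#                   itself without a chroot, CHROOT/etc/named.namedmanager.conf with bind-chroot
# returns 0 ok, 1 include missing, 2 file missing in named's view, 3 chroot copy not a hard link
check_namedmanager_layout() {
    named_has_include "$1" || return 1
    [ -f "$3" ] || return 2
    same_file "$2" "$3" || return 3
    return 0
}

# build_tree DIR MODE: constructed fixture in the page's chroot layout
#   MODE = link (the page's ln), copy (cp instead of ln), missing (no chroot copy), noinclude
build_tree() {
    mkdir -p "$1/etc" "$1/chroot/etc"
    echo '// constructed stand-in for the generated zone list' > "$1/etc/$NM_CONF_NAME"
    echo 'include "/etc/named.rfc1912.zones";' > "$1/chroot/etc/named.conf"
    if [ "$2" != noinclude ]; then
        echo "include \"/etc/$NM_CONF_NAME\";" >> "$1/chroot/etc/named.conf"
    fi
    if [ "$2" = link ]; then ln "$1/etc/$NM_CONF_NAME" "$1/chroot/etc/$NM_CONF_NAME"; fi
    if [ "$2" = copy ]; then cp "$1/etc/$NM_CONF_NAME" "$1/chroot/etc/$NM_CONF_NAME"; fi
}

# check_tree DIR -> check_namedmanager_layout applied to a tree from build_tree
check_tree() {
    check_namedmanager_layout "$1/chroot/etc/named.conf" "$1/etc/$NM_CONF_NAME" \
        "$1/chroot/etc/$NM_CONF_NAME"
}

NM_TMP=$(mktemp -d)
for mode in link copy missing noinclude; do
    build_tree "$NM_TMP/$mode" "$mode"
    if check_tree "$NM_TMP/$mode"; then
        echo "$mode: layout ok"
    else
        echo "$mode: problem code $? (1 no include, 2 file missing, 3 not a hard link)"
    fi
done
```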

Configure namedmanager

Modify /etc/namedmanager/config-bind.php:

[root@localhost ~]# vi /etc/namedmanager/config-bind.php

$config["api_url"] = "https://192.168.32.131/namedmanager";     // where the application is installed
$config["api_server_name"] = "dns.test.com";                     // must match the ServerName in the httpd configuration
$config["api_auth_key"] = "Dns";                                 // [this key can be chosen freely]

/* when using bind-chroot */
$config["bind"]["config"]   = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/chroot/var/named/";

## restart apache
[root@localhost ~]# service httpd restart

## restart named
[root@localhost ~]# service named restart      

VI. Using namedmanager

Log in through a browser at http://192.168.32.131/namedmanager with the default username and password (setup / setup123). Do not forget to change the username and password under user management.

1. Select Configuration,

fill in the administrator email ([email protected]),

then set the API key:

fill in ADMIN_API_KEY (the key defined earlier in /etc/namedmanager/config-bind.php)


2. Select Domains/zones -> View Domains and add a new domain with Add New Domain


3. Add the server. The Name Server FQDN must match the ServerName in httpd.

  • Name Server FQDN * : set the DNS FQDN to the hostname of the DNS server in the current domain
  • Select the server type: [API]
  • Enter the ADMIN_API_KEY again
  • Define this host as the primary (master) DNS server

Make sure the last column turns green, meaning the configuration file is being synchronised (this takes a little while); if it is not green, further troubleshooting is needed.


I have 2 CentOS, both with namedmanager and they are syncing each other.

I took some time to understand that the $config['api_url'] in config-bind.php must be the same for each server of the pool, and I put the url of the first server for each namedmanager.

api_server_name should contain the name of the server you are configuring.

And api_auth_key, obviously the same key.

Add an A record for the NameServer (a very important step)


Importing a domain: the zone file should preferably not exceed 50 lines of records, otherwise an error is reported.


Add a forward zone


Add a reverse zone


Once the above steps are complete, the result is equivalent to having added the zone entries to named.namedmanager.conf by hand and created the corresponding zone files under the var/named directory.

Recommendation

Do not edit the zone files or named.namedmanager.conf by hand.

// This file is automatically generated any manual changes will be lost.

// If you edit a zone file directly, the change will be lost: the web interface does not pick it up, and the file is then overwritten from the web data.

VII. namedmanager master/slave

 You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.

With NamedManager, master/slave replication is not done through zone files (the zone transfer feature); NamedManager handles it instead.

NamedManager provides a single web interface for managing all the NS servers and distributes the zone files to them, so editing the zone files on individual NS servers by hand is not recommended, as it leaves the zone data inconsistent between the NS servers.

The web interface pushes to the NS servers; the NS servers do not synchronise among themselves.


The following config-bind.php settings are copied from the official wiki:

$config['api_url']  :  must be the same for each server of the pool, i.e. set it to the same value as on the master.

$config['api_server_name'] :   must match the ServerName in each NS's own httpd.conf.

$config['api_auth_key']  :        chosen freely on each NS; it only needs to be sufficiently complex.
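The three keys listed above have to agree with other files on each NS, so here is an added shell check (not from the page or from NamedManager) that compares api_server_name with the httpd ServerName and checks api_url and api_auth_key against the page's advice; the 16-character minimum key length is an assumed policy, and the sample files are constructed from the page's own values.

```shell
#!/bin/sh
# Added example, not part of the page or of NamedManager.  Reads the config-bind.php keys
# and checks: api_server_name equals the httpd ServerName (without :port), api_url uses
# https as the page's own configuration does (the auth key is sent with every API call),
# and api_auth_key is not short.  NM_MIN_KEY_LEN is an assumed policy, not from the page.
NM_MIN_KEY_LEN=16

# php_config_value KEY FILE -> value of the first  $config["KEY"] = "value";  line
# (single or double quotes accepted, since the page uses both styles)
php_config_value() {
    awk -v key="$1" -v q="'" '
        $0 ~ ("^[[:space:]]*\\$config\\[[\"" q "]" key "[\"" q "]\\]") {
            sub(("^[^=]*=[[:space:]]*[\"" q "]"), "")   # drop up to and including the opening quote
            sub(("[\"" q "].*$"), "")                   # drop the closing quote and anything after it
            print; exit
        }' "$2"
}

# httpd_server_name HTTPD_CONF -> ServerName without any :port suffix
httpd_server_name() {
    sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^:[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_config_bind CONFIG_BIND HTTPD_CONF -> 0 ok; 1 server name mismatch; 2 api_url not https; 3 weak key
check_config_bind() {
    name=$(php_config_value api_server_name "$1")
    url=$(php_config_value api_url "$1")
    key=$(php_config_value api_auth_key "$1")
    [ -n "$name" ] && [ "$name" = "$(httpd_server_name "$2")" ] || return 1
    case "$url" in https://*) ;; *) return 2 ;; esac
    [ "${#key}" -ge "$NM_MIN_KEY_LEN" ] || return 3
    return 0
}

# --- constructed samples built from the values the page uses ---
NM_TMP=$(mktemp -d)
cat > "$NM_TMP/httpd.conf" <<'EOF'
ServerName dns.test.com:80
EOF
cat > "$NM_TMP/page.php" <<'EOF'
<?php
$config["api_url"] = "https://192.168.32.131/namedmanager";     // where the application is installed
$config["api_server_name"]    = "dns.test.com";
$config["api_auth_key"]    = "Dns";
EOF
cat > "$NM_TMP/good.php" <<'EOF'
<?php
$config['api_url']         = 'https://192.168.32.131/namedmanager';
$config['api_server_name'] = "dns.test.com";
$config['api_auth_key']    = "AAAAABBBBBCCCCDDDD111222333";   // the wiki's sample key length
EOF

for f in page good; do
    if check_config_bind "$NM_TMP/$f.php" "$NM_TMP/httpd.conf"; then
        echo "$f.php: ok"
    else
        echo "$f.php: problem code $? (1 name mismatch, 2 not https, 3 weak key)"
    fi
done
```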

Then log in to the master's web management page (it is the same for the whole DNS server pool) and add the Name Server:

Next, in the Domain Records of the master's domain, add for the slave DNS:

  • the NS record
  • the A record

Add the NS record

Add the A record

master :     tail -f /var/log/messages

slave :     tail -f /var/log/messages

As you can see, the logs contain no messages about zone synchronisation or transfer (unlike a zone transfer).

Configure the server firewall

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
