Web-based DNS management with NamedManager

Published: 2023-09-06 01:51  Editor: 郭大石
1. Download the NamedManager RPM packages

[root@dns ~]# hostname
dns.test.cn
[root@dns named]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.206 dns.test.cn
[root@dns ~]# ifconfig |grep 192.168
          inet addr:192.168.10.206  Bcast:192.168.10.255  Mask:255.255.255.0
[root@dns named]# ping dns.test.cn
PING dns.test.cn (192.168.10.206) 56(84) bytes of data.
64 bytes from dns.test.cn (192.168.10.206): icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from dns.test.cn (192.168.10.206): icmp_seq=2 ttl=64 time=0.043 ms
......
[root@dns ~]# cd /usr/local/src/
[root@dns src]# wget http://repos.jethrocarr.com/pub/amberdms/linux/centos/6/amberdms-custom/i386/namedmanager-bind-1.8.0-1.el6.noarch.rpm
[root@dns src]# wget http://repos.jethrocarr.com/pub/amberdms/linux/centos/6/amberdms-custom/i386/namedmanager-www-1.8.0-1.el6.noarch.rpm
[root@dns src]# ll
total 1352
-rw-r--r--. 1 root root  109584 Dec 22  2013 namedmanager-bind-1.8.0-1.el6.noarch.rpm
-rw-r--r--. 1 root root 1270108 Dec 22  2013 namedmanager-www-1.8.0-1.el6.noarch.rpm

2. Install NamedManager

[root@dns src]# yum install perl httpd mod_ssl mysql-server php php-intl php-ldap php-mysql php-soap php-xml

Edit /etc/httpd/conf/httpd.conf:

[root@dns src]# vim /etc/httpd/conf/httpd.conf
......
ServerName dns.test.cn:80
[root@dns src]# service mysqld start
[root@dns src]# service httpd start
[root@dns src]# lsof -i:3306
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  16589 mysql   10u  IPv4  77732      0t0  TCP *:mysql (LISTEN)
[root@dns src]# lsof -i:80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   16621   root    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16623 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16624 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16625 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16626 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16627 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16628 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16629 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
httpd   16630 apache    4u  IPv6  77759      0t0  TCP *:http (LISTEN)
[root@dns src]# chkconfig mysqld on
[root@dns src]# chkconfig httpd on
[root@dns src]# mysqladmin -u root password 123456
[root@dns src]# rpm -Uvh namedmanager-www-1.8.0-1.el6.noarch.rpm
[root@dns src]# cd /usr/share/namedmanager/resources/
[root@dns resources]# ./autoinstall.pl
autoinstall.pl
This script setups the NamedManager database components:
 * NamedManager MySQL user
 * NamedManager database
 * NamedManager configuration files
THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER.
DO NOT RUN FOR ANY OTHER REASON
Please enter MySQL root password (if any): 123456        // enter the MySQL root password
Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!
You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager
[root@dns resources]# cd /usr/local/src/
[root@dns src]# yum install bind php-process
[root@dns src]# rpm -Uvh namedmanager-bind-1.8.0-1.el6.noarch.rpm

Edit /etc/named.conf:

[root@dns src]# cp /etc/named.conf /etc/named.conf.bak
[root@dns src]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-query-cache     { any; };         // DNS query cache. It is actually not recommended to enable this, i.e. delete this line. If it is enabled, after a DNS record is modified you have to wait a while for the change to take effect because of caching.
        recursion yes;
        forward first;
        forwarders {
            223.5.5.5;
            223.6.6.6;
            8.8.8.8;
            8.8.4.4;
          };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        };
logging {
        channel default_debug {
        file "data/named.run";
        severity dynamic;
        };
};
zone "." {
        type hint;
        file "named.ca";
        };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";

If you want BIND to run in chroot mode:

[root@dns src]# yum install bind-chroot

Create a hard link for the "/etc/named.namedmanager.conf" file:

[root@dns src]# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf

If the hard link is not created, named will complain on startup that it cannot find "/etc/named.namedmanager.conf".
This is because:
bind-chroot is a BIND feature that lets BIND run in chroot mode. That is, the / (root) directory BIND sees while running is not the system's real / (root) directory, but only a subdirectory of it.
The purpose is to improve security: in chroot mode, what BIND can access is limited to that subdirectory, and it cannot escalate further into other directories on the system.

chroot changes the root directory (/) that a program refers to while running, i.e. a specific subdirectory becomes the program's virtual root, and the system resources, user privileges and directories available to the program are strictly controlled: the program only has privileges under this virtual root and has none at all once it leaves that directory. For example, on CentOS, /var/named/chroot is actually the virtual root (/), so the /etc directory in the virtual root is really /var/named/chroot/etc, and /var/named is really /var/named/chroot/var/named. The advantage of chroot is that if an attacker breaks into the system through BIND, they are confined to the chroot directory and its subdirectories; the damage is limited to that virtual directory and does not threaten the security of the whole server.

3. Start the named service

[root@dns src]# service named start
[root@dns src]# chkconfig named on
[root@dns src]# lsof -i:53
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named   16864 named   20u  IPv4  81946      0t0  TCP localhost:domain (LISTEN)
named   16864 named   21u  IPv4  81948      0t0  TCP 192.168.10.206:domain (LISTEN)
named   16864 named  512u  IPv4  81945      0t0  UDP localhost:domain
named   16864 named  513u  IPv4  81947      0t0  UDP 192.168.10.206:domain

Edit /etc/namedmanager/config-bind.php:

[root@dns src]# cp /etc/namedmanager/config-bind.php /etc/namedmanager/config-bind.php.bak
[root@dns src]# vim /etc/namedmanager/config-bind.php
......
$config["api_url"]      = "http://192.168.10.206/namedmanager";         // where the application is installed
$config["api_server_name"]  = "dns.test.cn";                            // must match the Name Server name in the httpd configuration
$config["api_auth_key"]     = "Dns";
......

4. Configure the firewall

On the machine where NamedManager is deployed, either turn off iptables or configure it as follows:

[root@dns src]# setenforce 0
[root@dns src]# getenforce
[root@dns src]# vim /etc/sysconfig/selinux
......
SELINUX=disabled
[root@dns src]# iptables -F
[root@dns src]# iptables -P INPUT DROP
[root@dns src]# iptables -P FORWARD DROP
[root@dns src]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@dns src]# iptables -A INPUT -i lo -p all -j ACCEPT
[root@dns src]# iptables -A INPUT -p icmp -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
[root@dns src]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@dns src]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Disable IPv6. Add the domain records (forward and reverse). Set the services to start at boot, then reboot the server.

[root@dns src]# vim /etc/modprobe.d/dist.conf         // append the following at the end of the file:
......
alias net-pf-10 off
alias ipv6 off
[root@dns src]# chkconfig ip6tables off
[root@dns src]# chkconfig httpd on
[root@dns src]# chkconfig mysqld on
[root@dns src]# chkconfig named on
[root@dns src]# init 6      // or run "reboot"

5. Web UI setup

Open http://192.168.10.206/namedmanager and log in with the default username and password (setup, setup123). Do not forget to change the username and password under user management.
1. Set the API KEY (Configuration)
2. Add Name Servers
3. Add forward records
4. Add reverse records

Verify:

[root@dns ~]# cd /var/named/
[root@dns named]# ll
total 40
-rw-r--r--. 1 root  root   490 Apr  7 14:48 10.168.192.in-addr.arpa.zone
drwxr-x---. 7 root  named 4096 Apr  7 13:37 chroot
drwxrwx---. 2 named named 4096 Apr  7 13:39 data
drwxrwx---. 2 named named 4096 Apr  7 14:40 dynamic
-rw-r--r--. 1 root  root   455 Apr  7 14:45 test.cn.zone
-rw-r-----. 1 root  named 3289 Apr 11  2017 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 22 20:57 slaves

The forward zone (A records) is configured as:

[root@dns named]# cat test.cn.zone
$ORIGIN test.cn.
$TTL 120
@       IN SOA dns.test.cn.  admin.kevin.com. (
            2018040703 ; serial
            21600 ; refresh
            3600 ; retry
            604800 ; expiry
            120 ; minimum ttl
        )
; Nameservers
test.cn.   86400 IN NS dns.test.cn.
; Mailservers
; Reverse DNS Records (PTR)
; CNAME
; HOST RECORDS
db01      120 IN A 192.168.10.205
db02      120 IN A 192.168.10.209
dns       120 IN A 192.168.10.206
web01     120 IN A 192.168.10.202
web02     120 IN A 192.168.10.203

The reverse zone (PTR records) is configured as:

[root@dns named]# cat 10.168.192.in-addr.arpa.zone
$ORIGIN 10.168.192.in-addr.arpa.
$TTL 120
@       IN SOA dns.test.cn. admin.kevin.com. (
            2018040704 ; serial
            21600 ; refresh
            3600 ; retry
            604800 ; expiry
            120 ; minimum ttl
        )
; Nameservers
10.168.192.in-addr.arpa.    86400 IN NS dns.test.cn.
; Mailservers
; Reverse DNS Records (PTR)
202 120 IN PTR web01.test.cn.
203 120 IN PTR web02.test.cn.
205 120 IN PTR db01.test.cn.
206 120 IN PTR dns.test.cn.
209 120 IN PTR db02.test.cn.
; CNAME
; HOST RECORDS
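Forward and reverse zones drift apart easily once records are edited through the web UI (a host is removed but its PTR stays behind). The following is an added example, not NamedManager's code or part of the original post: it parses zone text in the layout shown above and reports A records without a matching PTR and PTRs without a matching A record. The sample zones are constructed from the page's test.cn.zone and 10.168.192.in-addr.arpa.zone, with one stale PTR for .210 added to show a finding.

```python
# Added example (not NamedManager's code): cross-check the forward (A) zone against
# the reverse (PTR) zone. Sample input is constructed from the page's two zone files.
FORWARD_ZONE = """\
$ORIGIN test.cn.
@       IN SOA dns.test.cn. admin.kevin.com. ( 2018040703 21600 3600 604800 120 )
test.cn.   86400 IN NS dns.test.cn.
db01      120 IN A 192.168.10.205
db02      120 IN A 192.168.10.209
dns       120 IN A 192.168.10.206
web01     120 IN A 192.168.10.202
web02     120 IN A 192.168.10.203
"""
REVERSE_ZONE = """\
$ORIGIN 10.168.192.in-addr.arpa.
@       IN SOA dns.test.cn. admin.kevin.com. ( 2018040704 21600 3600 604800 120 )
202 120 IN PTR web01.test.cn.
203 120 IN PTR web02.test.cn.
205 120 IN PTR db01.test.cn.
206 120 IN PTR dns.test.cn.
209 120 IN PTR db02.test.cn.
210 120 IN PTR old01.test.cn.   ; constructed: host removed, PTR left behind
"""

def parse_zone(text):
    """Return (owner, rtype, rdata) triples with owners qualified by $ORIGIN."""
    origin, records = "", []
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()           # strip ';' comments
        if not f or f[0] == "$TTL" or "SOA" in f:   # ignore $TTL and the SOA record
            continue
        if f[0] == "$ORIGIN":
            origin = f[1]
            continue
        # '@' means the origin; a name without a trailing dot is relative to it
        owner = origin if f[0] == "@" else f[0] if f[0].endswith(".") else f"{f[0]}.{origin}"
        i = f.index("IN")                           # layout: owner [ttl] IN type rdata
        records.append((owner.lower(), f[i + 1], f[i + 2].lower()))
    return records

def ptr_to_ip(owner):
    # "202.10.168.192.in-addr.arpa." -> "192.168.10.202"
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def check_consistency(forward_text, reverse_text):
    """List every A record without a matching PTR and every PTR without a matching A."""
    a = {o: r for o, t, r in parse_zone(forward_text) if t == "A"}
    ptr = {ptr_to_ip(o): r for o, t, r in parse_zone(reverse_text) if t == "PTR"}
    findings = [f"missing PTR for {n} ({ip})" for n, ip in a.items() if ip not in ptr]
    findings += [f"PTR {ip} -> {n} has no matching A record" for ip, n in ptr.items() if a.get(n) != ip]
    return sorted(findings)
```

Run it against the real files with `check_consistency(open("/var/named/test.cn.zone").read(), open("/var/named/10.168.192.in-addr.arpa.zone").read())`; an empty list means the two zones agree.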

6. Client DNS settings

Set the DNS address of the NamedManager host itself and of every client machine to 192.168.10.206 (the IP address of the NamedManager host).

[root@storage01 ~]# ifconfig|grep 192
          inet addr:192.168.10.202  Bcast:192.168.10.255  Mask:255.255.255.0
[root@storage01 ~]# cat /etc/resolv.conf
domain test.cn
search test.cn
nameserver 192.168.10.206
[root@storage01 ~]# ping www.baidu.com                        // this lookup is forwarded through the forwarders in the DNS config
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38: icmp_seq=1 ttl=49 time=37.6 ms
64 bytes from 14.215.177.38: icmp_seq=2 ttl=49 time=37.5 ms
64 bytes from 14.215.177.38: icmp_seq=3 ttl=49 time=37.4 ms
.....
[root@storage01 ~]# ping web02.test.cn
PING web02.test.cn (192.168.10.203) 56(84) bytes of data.
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=2 ttl=64 time=0.212 ms
64 bytes from web02.test.cn (192.168.10.203): icmp_seq=3 ttl=64 time=0.132 ms
.....

Check on the client that forward and reverse resolution both succeed:

[root@storage01 ~]# host 192.168.10.209
209.10.168.192.in-addr.arpa domain name pointer db02.test.cn.
[root@storage01 ~]# host db01.test.cn
db01.test.cn has address 192.168.10.205

It is recommended to deploy several NamedManager instances for high availability.

Original article: http://blog.51cto.com/gdutcxh/2109195
