1. Introduction to NamedManager
NamedManager is an AGPL web-based DNS management system designed to make the adding, adjusting and removal of zones/records easy and reliable.
This also ensures that an outage of the management server web interface or SQL database will not result in any impact to DNS servers.
Allows addition, adjustment and deletion of DNS zones.
Supports Bind 9 and pushes Bind compatible configuration and zone files to configured servers.
Supports Amazon Route53
Ability to import from Bind zonefiles.
Includes a log tailer that runs on the name servers and sends back logs that are rendered in the web interface.
SOAP API to allow other tools to hook into the interface.
Written in PHP and uses a MySQL database backend.
Supports IPv4 and IPv6 users of the management interface.
Supports IPv4 and IPv6 forward and reverse records zones.
Supports internationalized domain names.
NamedManager is split into two parts:
The web interface and MySQL DB that stores and provides configuration for the DNS zones.
A component for Bind which runs frequently and applies any configuration on the Bind name servers, reloads them and sends logs back to the web interface.
You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.
With NamedManager, the usual Bind slave replication isn't used for zones, instead all the servers run as independents and NamedManager handles the replication of configuration between them.
For more information, see the official wiki: https://github.com/jethrocarr/namedmanager/wiki
2. Installing NamedManager
NamedManager is split into two key components:
Management web interface
Bind server integration component
These packages have a documented installation process, however it presumes a level of understanding and familiarity with Bind name servers and Linux administration.
The easiest way to install is to use RHEL (or a clone such as CentOS, Scientific Linux, Oracle Enterprise Linux, etc) and use the RPM package process as it saves considerable steps.
Requirements
NamedManager's web interface requires:
PHP 5.3+ (php, php-soap, php-mysql, php-intl, php-xml)
MySQL Server
The NamedManager Bind integration requires:
Bind 9
PHP 5.3+ (php-cli, php-soap, php-intl).
Before installing NamedManager, make sure you have:
a) A functional Apache server setup with PHP 5 installed and SSL enabled.
b) A MySQL database server for storing the application's settings and cache DB.
c) One or more functional bind name servers (can be same or different hosts to the web interface). It is recommended that you use the "bind-chroot" package on RHEL systems.
d) Check the PHP version shipped with your distribution - RHEL 5 ships with PHP 5.1.x by default; ensure that this is upgraded to 5.3 by using the newer PHP packages from amberdms-upgrades OR by installing the php53 packages provided by the distribution.
# cd /etc/yum.repos.d/
# wget http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
# yum makecache
# yum -y install namedmanager-www
When you install the RPM as per the steps above, it will advise you on the command to run to install the database.
This will execute a script that allows you to specify your MySQL root password (if any) and then sets up a new DB and user for NamedManager.
The configuration file will be automatically generated with all the options needed to get up and running by the installer. Note that the installer only contains the minimal key values, most of the options for configuration are exposed via the web interface.
All configuration is in the /etc/namedmanager/config.php file.
By default internal application authentication is used, optionally it can be switched to use LDAP - refer to Installation-Integration-LDAP for instructions on how to do this.
Before you can configure any domain names and records, it's necessary to login to the web interface and configure your name servers.
NamedManager requires all the name servers to have an entry in NamedManager - this information is used to generate NS records for all the domains, as well as being where the API keys are set to allow the name servers to connect to NamedManager for pulling configuration.
The default login is username "setup", password "setup123". The application installs default Apache configuration to run at https://localhost/namedmanager.
For each Bind nameserver being used, the namedmanager-bind RPM package needs to be installed. This step is optional and only needed if you want to use Bind with NamedManager.
This package provides two components:
Configuration generation script which connects to the NamedManager web interface via SOAP and downloads the latest configuration and writes to Bind zonefiles and config files.
The log feeder script which installs a bootscript that monitors logs and pushes them back into NamedManager.
Read and perform the steps in Installation-Integration-Bind for details on configuring NamedManager to hook into the existing Bind environment.
You must have completed the installation steps as detailed in the Installation guides.
Configure all your name servers via the NamedManager web interface including setting an API key for them.
Ensure the web interface is reachable from the name servers, as they need to connect to the API at http://example.com/namedmanager to fetch DNS zone and record information, as well as to send logs back.
All configuration for the bind integration will be in: /etc/namedmanager/config-bind.php
It is important to review and adjust all paths and variables to match your particular environment, however the following are particularly key:
Set the path of the API for the NamedManager web interface to query for zonefile information, along with the nameserver name and key.
$config["api_url"] = "http://example.com/namedmanager";
$config["api_server_name"] = "ns1.example.com";
$config["api_auth_key"] = "AAAAABBBBBCCCCDDDD111222333";
Configure bind locations - typically the only option that needs changing is bind/config and bind/zonefiledir if your Bind process is using a different filesystem path (such as a chroot location).
Note that "named.namedmanager.conf" is intentional: this is the file that NamedManager generates, which is then included by your existing config, rather than being a full configuration replacement.
Example when using non-chrooted bind:
$config["bind"]["config"] = "/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"] = "/var/named/";
Example when using bind-chroot:
$config["bind"]["config"] = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"] = "/var/named/chroot/var/named/";
The bind config writer generates a configuration file for bind, that should be included from within the main configuration for bind (either /var/named/chroot/etc/named.conf or /etc/named.conf).
This file only defines the configured DNS zones, not any other Bind configuration. It can even be included in an existing configuration of zones, as long as none of the zones in NamedManager clash with the manually configured ones.
Note: this file path is the same both for bind-chroot and non-chroot, as it is relative to within the chroot jail:
The following line is required to include the NamedManager zones - note you can include it inside multiple views if you have your name server configured that way.
include "/etc/named.namedmanager.conf";
By default the Bind configuration is checked for new versions every minute. If you're running a large deployment with many domains, you may wish to reduce the frequency of this check, by editing /etc/cron.d/namedmanager-bind
Verify the configuration for each name server is correct, by executing the configuration writer process:
php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
This will check for configuration and if found apply it - if there are any API connection issues, it will provide details.
If you have any configured DNS zones, they will be written to the named.namedmanager.conf file and an associated zonefile will be generated.
Any errors will normally be recorded in /var/log/namedmanager_bind_configwriter
If you wish to aggregate all the Bind logs from all the name servers into the web interface, you need to configure and start the Bind logpush process.
As long as the API has been correctly configured as per step 1, the only adjustment needed to /etc/namedmanager/config-bind.php is to set the path to the NamedManager log:
$config["log_file"] = "/var/log/messages";
On RHEL, NamedManager logs to /var/log/messages; other platforms may have NamedManager logging to /var/log/syslog or elsewhere.
Execute the following to (re)start the logpush daemon:
/etc/init.d/namedmanager_logpush restart
You may need to enable the bootscript for startup on your platform - on RHEL, this is:
chkconfig --level 345 namedmanager_logpush on
Logs should start appearing in the web interface within a few seconds (5-10) after they are generated on the nameserver.
Any errors will be recorded in /var/log/namedmanager_logpush
The configuration of the name server is now complete - you will need to repeat the above process for any name server you deploy to.
Disable SELinux
[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# service iptables stop
[root@localhost ~]# ntpdate time.nist.gov
namedmanager-www : web interface
namedmanager-bind : bind integration module
[root@localhost ~]# wget -O /etc/yum.repos.d/amberdms-c6-public.repo http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
[root@localhost ~]# yum -y install namedmanager-www namedmanager-bind
## Note the installation message
#################################
BIND/NAMED CONFIGURATION
NamedManager BIND components have been installed, you will need to install and configure bind/named to use the configuration file by adding the following to /etc/named.conf:
#
# Include NamedManager Configuration
#
include "/etc/named.namedmanager.conf";
NAMEDMANAGER BIND CONFIGURATION
You need to set the application configuration in /etc/namedmanager/config-bind.php
Note: named.conf now needs to be edited to add include "/etc/named.namedmanager.conf";
In addition, the /etc/namedmanager/config-bind.php file needs to be configured for the PHP management interface.
###################################
## The scheduled job under cron.d: every minute it refreshes the DNS data from MySQL and records the result in the log
[root@localhost ~]# vi /etc/cron.d/namedmanager-bind
#
# NAMEDMANAGER INTEGRATION
# Cron Jobs
#
# check for new configuration every minute
*/1 * * * * root php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php >> /var/log/namedmanager_bind_configwriter &> /dev/null
# PHP slowly leaks memory, restart the process weekly to prevent it getting too large over months
01 01 * * 0 root /etc/init.d/namedmanager_logpush restart >> /dev/null 2>&1
[root@localhost ~]# chkconfig --level 35 namedmanager_logpush on
[root@localhost ~]# /etc/init.d/namedmanager_logpush start
## Verify that the namedmanager configuration file is correct (it has not been configured yet at this point, so this reports an error)
[root@localhost ~]# /usr/bin/php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
# Install the LAMP environment
[root@localhost ~]# yum -y install mysql mysql-server mysql-devel httpd php php-mysql
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation
## Change the MySQL administrator password
[root@localhost ~]# mysqladmin -u root password 123456
## Configure the system hostname and the httpd ServerName, e.g. ns1.example.com
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
ServerName dns.test.com:80
[root@localhost ~]# service httpd start
## Initialize the data: load the namedmanager tables into the MySQL database
[root@localhost ~]# cd /usr/share/namedmanager/resources/
[root@localhost resources]# ./autoinstall.pl   # enter the MySQL root user's password
autoinstall.pl
This script setups the NamedManager database components:
* NamedManager MySQL user
* NamedManager database
* NamedManager co
THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER. DO NOT RUN FOR ANY OTHER REASON
Please enter MySQL root password (if any): 123456
Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!
You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager
[root@localhost ~]# yum install -y bind-*
[root@localhost ~]# chkconfig named on
## Edit the named configuration file
[root@localhost ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc/
[root@localhost ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/var/* /var/named/chroot/var/
## Create the required files in the bind chroot directory
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
## Make the Bind lock files writable
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
[root@localhost ~]# cp /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.conf.bak
[root@localhost ~]# echo > /var/named/chroot/etc/named.conf
[root@localhost ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
allow-query { 192.168.0.0/16; localhost; };
recursion yes;
allow-recursion { 192.168.0.0/16; localhost; };
forward first;
forwarders { 61.128.128.68; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// This is the root servers zone file, already present on this system.
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// End of the named.conf
## Start the bind service
[root@localhost ~]# service named configtest
[root@localhost ~]# service named start
## Test that name resolution works
[root@localhost ~]# dig www.baidu.com @localhost
Edit /etc/named.conf
*******************************************************************************************************************
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
recursion yes;
forward first;
forwarders { 180.76.76.76; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";
******************************************************************************************************************
If you want bind to run in chroot mode:
# yum install bind-chroot
Create a hard link for the /etc/named.namedmanager.conf file:
# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf
Without the hard link, named reports at startup that /etc/named.namedmanager.conf cannot be found.
This is because:
bind-chroot is a feature of bind that lets bind run in chroot mode. That is, the / (root) directory bind sees while running is not the system's real / (root) directory, but merely a subdirectory of the system. The purpose is to improve security: in chroot mode, what bind can access is limited to that subdirectory, and it cannot climb further into the system's other directories.
chroot changes the root directory (/) that a program refers to at runtime, making a particular subdirectory the program's virtual root directory, and strictly controls the system resources, user permissions and directories the program may use while running; the program has permissions only under this virtual root and none once it leaves that directory. For example, on CentOS, /var/named/chroot is in effect the virtual root directory (/), so the /etc directory inside the virtual root is really /var/named/chroot/etc, and the /var/named directory is really /var/named/chroot/var/named. The advantage of chroot is that if an attacker breaks into the system through Bind, they are confined to the chroot directory and its subdirectories, so the damage is limited to that virtual directory and does not threaten the security of the whole server.
************************************************************************************************************
[root@localhost ~]# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf
[root@localhost ~]# chown named:named /var/named/chroot/etc/named.namedmanager.conf
[root@localhost ~]# vi /var/named/chroot/etc/named.conf
include "/etc/named.namedmanager.conf";
# Note: named.conf now needs to be edited to add include "/etc/named.namedmanager.conf";
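Before restarting named it is worth confirming that the jail really sees the generated file the way this section sets it up. The following check script is an added example, not part of NamedManager or of this post: it verifies that the copy inside the jail is a hard link to /etc/named.namedmanager.conf (a symlink is rejected, because once named has chrooted an absolute symlink target resolves against the jail root and would point at itself) and that the jail's named.conf has an uncommented include of it. The paths are the ones used on this page; the function names, the OUTSIDE_ROOT/JAIL parameters and the temporary demo layout are my own assumptions.

```shell
#!/bin/sh
# Added example, not NamedManager's own code: verify that the generated
# named.namedmanager.conf is visible inside the bind-chroot jail the way this
# page sets it up (a hard link), and that named.conf inside the jail includes it.
# Assumed layout (from this page): /etc/named.namedmanager.conf outside the jail,
# the jail at /var/named/chroot. The demo below builds a constructed copy of that
# layout under a temporary directory instead of touching the real system.

# same_file_via_hardlink OUTSIDE INSIDE
# Succeeds only if INSIDE is a hard link to OUTSIDE. A symlink is rejected on
# purpose: an absolute symlink target is resolved against the jail root once
# named has chrooted, so /etc/named.namedmanager.conf would point at itself.
same_file_via_hardlink() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ ! -L "$2" ] || { echo "symlink, not a hard link: $2"; return 1; }
    [ -f "$2" ] || { echo "missing inside the jail: $2"; return 1; }
    ino_out=$(ls -di "$1" | awk '{ print $1 }')
    ino_in=$(ls -di "$2" | awk '{ print $1 }')
    [ "$ino_out" = "$ino_in" ] || { echo "different inodes: $1 ($ino_out) vs $2 ($ino_in)"; return 1; }
}

# conf_includes NAMED_CONF PATH
# Succeeds if NAMED_CONF has an uncommented  include "PATH";  statement
# (a line starting with // or # has a different first field, so it is ignored).
conf_includes() {
    awk -v inc="$2" '
        $1 == "include" && $2 == "\"" inc "\";" { found = 1 }
        END { exit !found }' "$1"
}

# check_namedmanager_chroot OUTSIDE_ROOT JAIL
# OUTSIDE_ROOT is "" on a real host (the filesystem root); JAIL is e.g. /var/named/chroot.
check_namedmanager_chroot() {
    outside=$1; jail=$2
    same_file_via_hardlink "$outside/etc/named.namedmanager.conf" \
                           "$jail/etc/named.namedmanager.conf" || return 1
    conf_includes "$jail/etc/named.conf" /etc/named.namedmanager.conf ||
        { echo "$jail/etc/named.conf does not include /etc/named.namedmanager.conf"; return 1; }
    echo "ok: $jail sees the generated file and includes it"
}

# make_demo_layout BASE hardlink|symlink
# Builds a constructed layout: BASE/etc (stands in for the real /etc) and BASE/jail.
make_demo_layout() {
    base=$1; mode=$2
    mkdir -p "$base/etc" "$base/jail/etc"
    printf '%s\n' '// This file is automatically generated any manual changes will be lost.' \
        > "$base/etc/named.namedmanager.conf"
    printf '%s\n' 'options { directory "/var/named"; };' \
        'include "/etc/named.rfc1912.zones";' \
        'include "/etc/named.namedmanager.conf";' > "$base/jail/etc/named.conf"
    if [ "$mode" = hardlink ]; then
        ln "$base/etc/named.namedmanager.conf" "$base/jail/etc/named.namedmanager.conf"
    else
        ln -s /etc/named.namedmanager.conf "$base/jail/etc/named.namedmanager.conf"
    fi
}

# Demo: the hard-linked layout passes, the symlinked one is rejected.
demo=${TMPDIR:-/tmp}/nm-chroot-demo.$$
make_demo_layout "$demo/good" hardlink
make_demo_layout "$demo/bad" symlink
check_namedmanager_chroot "$demo/good" "$demo/good/jail"
check_namedmanager_chroot "$demo/bad" "$demo/bad/jail" || echo "rejected as expected"
rm -rf "$demo"
# On a real host: check_namedmanager_chroot "" /var/named/chroot
```

On a real name server run check_namedmanager_chroot "" /var/named/chroot after the ln step; the inode comparison is what catches the case where someone re-created the file instead of linking it, which would leave named reading a stale copy inside the jail while the configwriter keeps updating the outside one.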
Configure namedmanager
Edit /etc/namedmanager/config-bind.php
$config["api_url"] = "https://192.168.32.131/namedmanager"; // the location where the application is installed
$config["api_server_name"] = "dns.test.com"; // must match the ServerName in the httpd configuration
$config["api_auth_key"] = "Dns";
# Configure namedmanager
[root@localhost ~]# vi /etc/namedmanager/config-bind.php
# Edit /etc/namedmanager/config-bind.php
$config["api_url"] = "https://192.168.32.131/namedmanager"; # the location where the application is installed
$config["api_server_name"] = "dns.test.com"; # must match the ServerName in the httpd configuration
$config["api_auth_key"] = "Dns"; # [this key can be chosen arbitrarily]
/* when using bind-chroot */
$config["bind"]["config"] = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"] = "/var/named/chroot/var/named/";
## Restart apache
[root@localhost ~]# service httpd restart
## Restart named
[root@localhost ~]# service named restart
Log in via a browser at http://192.168.32.131/namedmanager with the default username and password (setup, setup123). Do not forget to change the username and password under user management.
1) Select Configuration,
fill in the administrator email (test@sina.com)
then set the API key:
fill in ADMIN_API_KEY (the key defined earlier in /etc/namedmanager/config-bind.php)
2) Select Domains/zones -> View Domains and add a new domain via Add New Domain
3) Add the server. The Name Server FQDN must match the ServerName in httpd.
Name Server FQDN * : set the DNS FQDN to the hostname of the DNS server in the current domain
Select the server type: [API]
Enter the ADMIN_API_KEY again
Define the current host as the DNS master server
Make sure that the last, green part shows the configuration file synchronizing (this takes a little while); if it is not shown in green, further troubleshooting is needed
I have 2 CentOS, both with namedmanager and they are syncing each other.
I took some time to understand that the $config['api_url'] in config-bind.php must be the same for each server of the pool, and I put the url of the first server for each namedmanager.
api_server_name should contain the name of the server you are configuring.
And api_auth_key, obviously the same key.
Add an A record for the NameServer (a very important step)
When importing a domain, the zone file should preferably not exceed 50 records, otherwise an error is reported.
Add a forward zone
Add a reverse zone
Once the above steps are complete, it is equivalent to having manually added the zone entries to named.namedmanager.conf and created the corresponding zone files under /var/named.
Recommendations
Direct [manual] modification of the zone files and of named.namedmanager.conf is not recommended
// This file is automatically generated any manual changes will be lost.
// If you edit a zone file directly, the change will be lost: the web interface does not pick it up, and it then writes back over the zone file
You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.
With NamedManager, the usual Bind slave replication isn't used for zones, instead all the servers run as independents and NamedManager handles the replication of configuration between them.
With NamedManager, master/slave replication is not done through zone files (the zone transfer function); NamedManager handles it instead.
NamedManager provides a single web interface that manages all the NS servers and distributes zone files to multiple servers, so manually editing the zone files on individual NS servers is not recommended, since that leads to inconsistent zone data between the NS servers.
The web interface pushes to multiple NS servers; the NS servers do not synchronize with each other.
The following config-bind.php settings are copied from the official wiki:
$config['api_url'] : must be the same for each server of the pool, i.e. set it to match the master.
$config['api_server_name'] : must match the ServerName in each NS's own httpd.conf.
$config['api_auth_key'] : chosen freely on each NS; it just needs to be complex enough.
Then log in to the master's web management page (it is the same for the whole DNS server pool) and add the Name Server:
Next, in the master domain's Domain Records, add the slave DNS's
NS record
A record
Add the NS record
Add the A record
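As an added example (my own script, not from the NamedManager wiki or from this post), the three rules above can be checked mechanically on each name server before it is added to the pool. It assumes the $config["key"] = "value"; form of config-bind.php shown on this page; the function names, the 20-character minimum key length and the requirement that api_url use https (the key travels in every SOAP call the configwriter and logpush make) are my own choices, and the two sample files it creates are constructed: weak.php mirrors the values used on this page, including the "Dns" key, and good.php is a corrected version of the same host.

```shell
#!/bin/sh
# Added example, not NamedManager's own code: audit a config-bind.php against the
# three rules quoted from the wiki (same api_url across the pool, api_server_name
# equal to this host's ServerName, a non-trivial api_auth_key) plus one of my own:
# api_url should be https, since the key is sent on every SOAP call.
# Assumes the  $config["key"] = "value";  form used on this page.

# cfg_get FILE KEY: print the value of $config["KEY"] (first match), or nothing.
cfg_get() {
    awk -v key="$2" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, "$config[\"" key "\"]") == 1 {
            sub(/^[^=]*=[ \t]*"/, "", l)   # drop everything up to the opening quote
            sub(/".*$/, "", l)             # drop the closing quote and any trailing comment
            print l; exit
        }' "$1"
}

# audit_config_bind FILE EXPECTED_FQDN POOL_URL
# Prints one line per problem; returns 0 only when every check passes.
audit_config_bind() {
    file=$1; expected_fqdn=$2; pool_url=$3; rc=0
    url=$(cfg_get "$file" api_url)
    name=$(cfg_get "$file" api_server_name)
    key=$(cfg_get "$file" api_auth_key)

    [ "$url" = "$pool_url" ] || { echo "api_url '$url' differs from the pool URL '$pool_url'"; rc=1; }
    case $url in
        https://*) ;;
        *) echo "api_url is not https: '$url'"; rc=1 ;;
    esac
    [ "$name" = "$expected_fqdn" ] || { echo "api_server_name '$name' is not '$expected_fqdn'"; rc=1; }
    [ "$key" != "AAAAABBBBBCCCCDDDD111222333" ] || { echo "api_auth_key is still the wiki placeholder"; rc=1; }
    [ "${#key}" -ge 20 ] || { echo "api_auth_key is only ${#key} characters long"; rc=1; }
    return $rc
}

# write_sample_configs DIR: constructed samples. weak.php mirrors the values used
# on this page; good.php is the same host with a random-looking key over https.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/weak.php" <<'EOF'
<?php
$config["api_url"] = "http://192.168.32.131/namedmanager"; // application location
$config["api_server_name"] = "dns.test.com";
$config["api_auth_key"] = "Dns";
EOF
    cat > "$1/good.php" <<'EOF'
<?php
$config["api_url"] = "https://192.168.32.131/namedmanager";
$config["api_server_name"] = "dns.test.com";
$config["api_auth_key"] = "xK9v2mQ7pL4sW8nR1tY6bZ3cF5hJ0dA";
EOF
}

# Demo run against the constructed samples.
demo=${TMPDIR:-/tmp}/nm-audit-demo.$$
write_sample_configs "$demo"
for f in weak good; do
    echo "== $f.php"
    audit_config_bind "$demo/$f.php" dns.test.com https://192.168.32.131/namedmanager \
        && echo "pass" || echo "FAIL"
done
rm -rf "$demo"
# On a real host: audit_config_bind /etc/namedmanager/config-bind.php "$(hostname -f)" https://<master>/namedmanager
```

Run it on each NS with its own FQDN and the master's URL; every line it prints is one setting that would either stop the name server from authenticating to the API or, in the case of the key and the scheme, make that authentication easy to capture on the wire.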
master : tail -f /var/log/messages
slave : tail -f /var/log/messages
We can see that the logs contain no zone synchronization or transfer messages at all (unlike zone transfers).
Configure the server firewall
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
http://www.bkjia.com/xtzh/729566.html
http://blog.sina.com.cn/s/blog_4085c8c70102vmco.html