NamedManager: installing a web-managed bind9 DNS server

I. Introduction to NamedManager

NamedManager is an AGPL web-based DNS management system designed to make the adding, adjusting and removal of zones/records easy and reliable.

This also ensures that an outage of the management server web interface or SQL database will not result in any impact to DNS servers.

Key Features

  • Allows addition, adjustment and deletion of DNS zones.

  • Supports Bind 9 and pushes Bind compatible configuration and zone files to configured servers.

  • Supports Amazon Route53

  • Ability to import from Bind zonefiles.

  • Includes a log tailer that runs on the name servers and sends back logs that are rendered in the web interface.

  • SOAP API to allow other tools to hook into the interface.

  • Written in PHP and uses a MySQL database backend.

  • Supports IPv4 and IPv6 users of the management interface.

  • Supports IPv4 and IPv6 forward and reverse records zones.

  • Supports internationalized domain names.

Using NamedManager

NamedManager is split into two parts:

  1. The web interface and MySQL DB that stores and provides configuration for the DNS zones.

  2. A component for bind which runs frequently and applies any configuration on the Bind name servers, reloads them and sends logs back to the web interface.

You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.

With NamedManager, the usual Bind slave replication isn't used for zones, instead all the servers run as independents and NamedManager handles the replication of configuration between them.

For more information see the official wiki: https://github.com/jethrocarr/namedmanager/wiki



II. Installing NamedManager

Installation

NamedManager is split into two key components:

  • Management web interface

  • Bind server integration component

These packages have a documented installation process, however it presumes a level of understanding and familiarity with Bind name servers and Linux administration.

The easiest way to install is to use RHEL (or a clone such as CentOS, Scientific Linux, Oracle Enterprise Linux, etc) and use the RPM package process as it saves considerable steps.

Requirements

NamedManager's web interface requires:

  • PHP 5.3+ (php, php-soap, php-mysql, php-intl, php-xml)

  • MySQL Server

The NamedManager Bind integration requires:

  • Bind 9

  • PHP 5.3+ (php-cli, php-soap, php-intl).

1. Preparation

Before installing NamedManager, make sure you have:

a) A functional Apache server setup with PHP 5 installed and SSL enabled.

b) A MySQL database server for storing the application's settings and cache DB.

c) One or more functional bind name servers (can be same or different hosts to the web interface). It is recommended that you use the "bind-chroot" package on RHEL systems.

d) Check the PHP version shipped with your distribution - RHEL 5 ships with PHP 5.1.x by default, ensure that this is upgraded to 5.3 by using the newer PHP packages from amberdms-upgrades OR by installing php53 packages provided by the distribution.

# cd /etc/yum.repos.d/
# wget http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
# yum makecache

# yum -y install namedmanager-www

2. Install the MySQL database

When you install the RPM as per the steps above, it will advise you on the command to run to install the database.

This will execute a script that allows you to specify your MySQL root password (if any) and then sets up a new DB and user for NamedManager.

3. Write the configuration file

The configuration file will be automatically generated with all the options needed to get up and running by the installer. Note that the installer only contains the minimal key values, most of the options for configuration are exposed via the web interface.

All configuration is in the /etc/namedmanager/config.php file.

By default internal application authentication is used, optionally it can be switched to use LDAP - refer to Installation-Integration-LDAP for instructions on how to do this.

4. Login and setup the name servers.

Before you can configure any domain names and records, it's necessary to login to the web interface and configure your name servers.

NamedManager requires all the name servers to have an entry in NamedManager - this information is used to generate NS records for all the domains, as well as being where the API keys are set to allow the name servers to connect to NamedManager for pulling configuration.

The default login is username "setup", password "setup123". The application installs default Apache configuration to run at https://localhost/namedmanager.

5. (optional) Install the Bind integration modules

For each Bind nameserver being used, the namedmanager-bind RPM package needs to be installed. This step is optional and only needed if you want to use Bind with NamedManager.

This package provides two components:

  • Configuration generation script which connects to the NamedManager web interface via SOAP and downloads the latest configuration and writes to Bind zonefiles and config files.

  • The log feeder script which installs a bootscript that monitors logs and pushes them back into NamedManager.

6. (optional) Configure the Bind Integration Component

Read and perform the steps in Installation-Integration-Bind for details on configuring NamedManager to hook into the existing Bind environment.

Pre-requisites

  • You must have completed the installation steps as detailed in the Installation guides.

  • Configure all your name servers via the NamedManager web interface including setting an API key for them.

  • Ensure the web interface is reachable from the name servers, as they need to connect to the API at http://example.com/namedmanager to fetch DNS zone and record information, as well as to send logs back.


1. Configuration of Bind configuration writer

All configuration for the bind integration will be in: /etc/namedmanager/config-bind.php

It is important to review and adjust all paths and variables to match your particular environment, however the following are particularly key:

1.1. API Credentials

Set the path of the API for the NamedManager web interface to query for zonefile information, along with the nameserver name and key.

$config["api_url"]      = "http://example.com/namedmanager";
$config["api_server_name"]  = "ns1.example.com";
$config["api_auth_key"]     = "AAAAABBBBBCCCCDDDD111222333";

1.2. Bind paths & locations

Configure bind locations - typically the only option that needs changing is bind/config and bind/zonefiledir if your Bind process is using a different filesystem path (such as a chroot location).

Note that "named.namedmanager.conf" is intentional: this is the file that NamedManager generates, and it is then included by your existing config, rather than being a full configuration replacement.

Example when using non-chrooted bind:

$config["bind"]["config"]   = "/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/";

Example when using bind-chroot:

$config["bind"]["config"]   = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/chroot/var/named/";

The bind config writer generates a configuration file for bind, that should be included from within the main configuration for bind (either /var/named/chroot/etc/named.conf or /etc/named.conf).

This file only defines the configured DNS zones, not any other Bind configuration. It can even be included in an existing configuration of zones, as long as none of the zones in NamedManager clash with the manually configured ones.

Note: this file path is the same both for bind-chroot and non-chroot, as it is relative to within the chroot jail:

The following line is required to be included so that the NamedManager zones are loaded - note you can include this inside multiple views if you have your name server configured in such a way.

include "/etc/named.namedmanager.conf";

1.3. Cronjob frequency

By default the Bind configuration is checked for new versions every minute. If you're running a large deployment with many domains, you may wish to reduce the frequency of this check, by editing /etc/cron.d/namedmanager-bind

1.4. Test and verify correct operation

Verify the configuration for each name server is correct, by executing the configuration writer process:

php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php

This will check for configuration and if found apply it - if there are any API connection issues, it will provide details.

If you have any configured DNS zones, they will be written to the named.namedmanager.conf file and an associated zonefile will be generated.

Any errors will normally be recorded in /var/log/namedmanager_bind_configwriter

2. Configuration of Bind log integration

If you wish to aggregate all the Bind logs from all the name servers into the web interface, you need to configure and start the Bind logpush process.

2.1. Configure the logpush collector

As long as the API has been correctly configured as per step 1, the only adjustment needed to /etc/namedmanager/config-bind.php is to set the path to the NamedManager log:

$config["log_file"]     = "/var/log/messages";

On RHEL Namedmanager logs to /var/log/messages, other platforms may have NamedManager logging to /var/log/syslog or elsewhere.

2.2. Start the logpush daemon

Execute the following to (re)start the logpush daemon:

/etc/init.d/namedmanager_logpush restart

You may need to enable the bootscript for startup on your platform - on RHEL, this is:

chkconfig --level 345 namedmanager_logpush on

Logs should start appearing in the web interface within a few seconds (5-10) after they are generated on the nameserver.

Any errors will be recorded in /var/log/namedmanager_logpush

3. Complete

The configuration of the name server is now complete - you will need to repeat the above process for any name server you deploy to.


I. System initialization

Disable SELinux

[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

[root@localhost ~]# service iptables stop
[root@localhost ~]# ntpdate time.nist.gov

II. Install namedmanager

  • namedmanager-www :  web interface 

  • namedmanager-bind : bind integration module

[root@localhost ~]# wget -O /etc/yum.repos.d/amberdms-c6-public.repo http://repos.amberdms.com/config/centos/6/amberdms-c6-public.repo
[root@localhost ~]# yum -y install namedmanager-www namedmanager-bind

## Note the installation messages
#################################
BIND/NAMED CONFIGURATION

NamedManager BIND components have been installed, you will need to install
and configure bind/named to use the configuration file by adding the
following to /etc/named.conf:

#
# Include NamedManager Configuration
#

include "/etc/named.namedmanager.conf";


NAMEDMANAGER BIND CONFIGURATION

You need to set the application configuration in /etc/namedmanager/config-bind.php


Hint: you now need to edit named.conf and add include "/etc/named.namedmanager.conf";

In addition, the PHP management page requires the /etc/namedmanager/config-bind.php file to be configured.

###################################

## Description of the cron jobs under cron.d: every minute the DNS data in MySQL is refreshed and the result recorded in the log
[root@localhost ~]# vi /etc/cron.d/namedmanager-bind
#
# NAMEDMANAGER INTEGRATION
# Cron Jobs
#

# check for new configuration every minute
*/1 * * * * root php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php >> /var/log/namedmanager_bind_configwriter &> /dev/null

# PHP slowly leaks memory, restart the process weekly to prevent it getting too large over months
01 01 * * 0 root /etc/init.d/namedmanager_logpush restart >> /dev/null 2>&1


[root@localhost ~]# chkconfig --level 35 namedmanager_logpush on 
[root@localhost ~]# /etc/init.d/namedmanager_logpush start 

## Verify whether the namedmanager configuration file is correct (it has not been configured yet at this point, so an error will be reported)
[root@localhost ~]# /usr/bin/php -q /usr/share/namedmanager/bind/namedmanager_bind_configwriter.php


III. Install the LAMP environment

# install the LAMP environment
[root@localhost ~]# yum -y install mysql mysql-server mysql-devel httpd php php-mysql 

[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on

[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation

## Change the MySQL administrator password
[root@localhost ~]# mysqladmin -u root password 123456

## Configure the system hostname and the httpd ServerName, something like ns1.example.com
[root@localhost ~]# vi /etc/httpd/conf/httpd.conf
ServerName dns.test.com:80

[root@localhost ~]# service httpd start


## Initialize the data: load the namedmanager tables into the MySQL database
[root@localhost ~]# cd /usr/share/namedmanager/resources/
[root@localhost ~]# ./autoinstall.pl      # enter the MySQL root user's password

[root@localhost resources]# ./autoinstall.pl 
autoinstall.pl

This script setups the NamedManager database components:
 * NamedManager MySQL user
 * NamedManager database
 * NamedManager co 

THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER.
DO NOT RUN FOR ANY OTHER REASON

Please enter MySQL root password (if any): 123456
Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!

You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager


IV. Install and configure named

[root@localhost ~]# yum install -y bind-*
[root@localhost ~]# chkconfig named on

## Edit the named configuration files
[root@localhost ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc/
[root@localhost ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/var/* /var/named/chroot/var/
## Create the relevant files in the bind chroot directory
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind

## Make the Bind lock files writable
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic

[root@localhost ~]# cp /var/named/chroot/etc/named.conf  /var/named/chroot/etc/named.conf.bak
[root@localhost ~]# echo > /var/named/chroot/etc/named.conf
[root@localhost ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by RedHat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        allow-query     { 192.168.0.0/16; localhost; };
        recursion yes;
        allow-recursion { 192.168.0.0/16; localhost; };

        forward first;
        forwarders {
                61.128.128.68;
        };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// This is the root servers zone file, already present on this system.
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

//  End of the named.conf


## Start the bind service
[root@localhost ~]# service named configtest
[root@localhost ~]# service named start

## Test whether name resolution works
[root@localhost ~]#  dig www.baidu.com @localhost

Modify /etc/named.conf

*******************************************************************************************************************

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-query-cache     { any; };
        recursion yes;

        forward first;
        forwarders { 180.76.76.76; };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";

****************************************************************************************************************** 
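The two named.conf versions above differ in one security-relevant way: the first restricts recursion to 192.168.0.0/16 and localhost, while the second combines `recursion yes` with `allow-query { any; }` and `allow-query-cache { any; }`, which makes the server an open recursive resolver. The script below is an added example (not from the original post or the NamedManager project) that flags this pattern in a named.conf. It follows BIND's fallback chain: `allow-recursion` defaults to `allow-query-cache`, which defaults to `allow-query`, which defaults to localnets and localhost. The two sample configurations embedded in it are constructed to mirror the options blocks shown above.

```shell
#!/bin/sh
# Added example: detect a named.conf that would act as an open recursive resolver.
# Samples are constructed; they reproduce the two options{} blocks from the post.

SAMPLE_RESTRICTED='options {
        listen-on port 53 { any; };
        allow-query     { 192.168.0.0/16; localhost; };
        recursion yes;
        allow-recursion { 192.168.0.0/16; localhost; };
};'

SAMPLE_OPEN='options {
        listen-on port 53 { any; };
        allow-query     { any; };
        allow-query-cache     { any; };   // cached answers served to the world
        recursion yes;
};'

# acl_body CONFIG CLAUSE -> prints the address list of the first "CLAUSE { ... }"
acl_body() {
    printf '%s' "$1" | grep -o "$2[[:space:]]*{[^}]*}" | head -n 1 | sed 's/^[^{]*{//; s/}$//'
}

# check_open_resolver FILE -> exit 0 if FILE describes an open resolver, 1 otherwise
check_open_resolver() {
    # strip // and # comments, then flatten so multi-line clauses match in one go
    cfg=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ')
    printf '%s' "$cfg" | grep -q 'recursion[[:space:]]*yes' || return 1
    for clause in allow-recursion allow-query-cache allow-query; do
        body=$(acl_body "$cfg" "$clause")
        if [ -n "$body" ]; then
            # the first clause present in the chain decides; "any" means open
            printf '%s' "$body" | grep -qw any && return 0
            return 1
        fi
    done
    return 1   # nothing set: BIND falls back to localnets/localhost
}

# write_sample NAME DIR -> writes the named sample to DIR/NAME.conf and prints the path
write_sample() {
    case $1 in
        restricted) text=$SAMPLE_RESTRICTED ;;
        open)       text=$SAMPLE_OPEN ;;
    esac
    printf '%s\n' "$text" > "$2/$1.conf"
    printf '%s\n' "$2/$1.conf"
}

main() {
    dir=$(mktemp -d)
    for name in restricted open; do
        f=$(write_sample "$name" "$dir")
        if check_open_resolver "$f"; then
            echo "$f: OPEN RESOLVER (recursion reachable from any)"
        else
            echo "$f: recursion restricted or disabled"
        fi
    done
    rm -rf "$dir"
}

main "$@"
```

Run it against a real file with `check_open_resolver /var/named/chroot/etc/named.conf`; the fix for the flagged case is an explicit `allow-recursion { <your networks>; localhost; };`, which is what the first configuration already does.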

If you want bind to run in chroot mode:

# yum install bind-chroot

Create a hard link to the "/etc/named.namedmanager.conf" file

#  ln /etc/named.namedmanager.conf   /var/named/chroot/etc/named.namedmanager.conf

Without the hard link, named reports at startup that "/etc/named.namedmanager.conf" cannot be found.

This is because:

bind-chroot is a feature of bind that lets bind run in chroot mode. That is, the / (root) directory that bind sees at runtime is not the system's real / (root) directory, but only a subdirectory of the system. The purpose is to improve security: in chroot mode, what bind can access is limited to that subdirectory, and it cannot climb out into other directories of the system.

chroot changes the root directory (/) that a program refers to at runtime, making a particular subdirectory the program's virtual root directory, and strictly controls the system resources, user permissions and directories the program may use: the program only has permissions under this virtual root and has none once it leaves it. For example, on CentOS /var/named/chroot is actually a virtual directory for the root (/), so the /etc directory inside the virtual directory is really /var/named/chroot/etc, and the /var/named directory is really /var/named/chroot/var/named. The advantage of chroot is that if an attacker breaks into the system through Bind, they are confined to the chroot directory and its subdirectories; the damage is limited to that virtual directory and does not threaten the security of the whole server.

************************************************************************************************************
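A hard link (rather than a copy) is what keeps the file inside the chroot identical to the one the configwriter rewrites outside it; a copy would let named start, but it would silently keep serving old zones. The following added example (not part of the original post) checks that the two paths really share one inode and replaces a stray copy with a link. Paths are parameters so it can be exercised on a scratch directory; the demo constructs one.

```shell
#!/bin/sh
# Added example: verify that the NamedManager config outside the chroot and the
# one inside it are the same inode (a hard link), not a separate stale copy.

inode_of() {   # prints the inode number of a path (-d so a directory is not listed)
    ls -di "$1" | awk '{print $1}'
}

# check_linked OUTSIDE INSIDE
#   0  both exist and share an inode: the hard link is in place
#   1  a path is missing: named will fail with "file not found"
#   2  INSIDE exists but is a separate copy: named starts, but stays on old zones
check_linked() {
    outside=$1 inside=$2
    [ -e "$outside" ] || { echo "missing: $outside" >&2; return 1; }
    [ -e "$inside" ]  || { echo "missing inside chroot: $inside" >&2; return 1; }
    if [ "$(inode_of "$outside")" = "$(inode_of "$inside")" ]; then
        echo "ok: $inside is a hard link of $outside"
        return 0
    fi
    echo "separate copy: $inside will not follow updates to $outside" >&2
    return 2
}

# make_link OUTSIDE INSIDE -> replaces whatever is at INSIDE with a hard link
make_link() {
    rm -f "$2"
    ln "$1" "$2"
}

demo() {   # constructed scratch layout standing in for / and /var/named/chroot
    base=$(mktemp -d)
    mkdir -p "$base/etc" "$base/chroot/etc"
    out="$base/etc/named.namedmanager.conf"
    in="$base/chroot/etc/named.namedmanager.conf"
    printf 'zone "example.test" IN { type master; file "example.test.zone"; };\n' > "$out"
    cp "$out" "$in"                 # the mistake: a copy instead of a link
    check_linked "$out" "$in" || true   # reports "separate copy"
    make_link "$out" "$in"
    check_linked "$out" "$in"           # reports "ok"
    rm -rf "$base"
}

demo
```

On a live host the call is `check_linked /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf`; both paths must be on the same filesystem, since hard links cannot cross mount points.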


V. Configure named && namedmanager

[root@localhost ~]# ln /etc/named.namedmanager.conf /var/named/chroot/etc/named.namedmanager.conf
[root@localhost ~]# chown named:named /var/named/chroot/etc/named.namedmanager.conf

[root@localhost ~]# vi /var/named/chroot/etc/named.conf
include "/etc/named.namedmanager.conf";
# Hint: named.conf must now be edited to add include "/etc/named.namedmanager.conf";

Configure namedmanager


Edit /etc/namedmanager/config-bind.php

# configure namedmanager
[root@localhost ~]# vi /etc/namedmanager/config-bind.php

$config["api_url"] = "https://192.168.32.131/namedmanager";     // where the application is installed
$config["api_server_name"] = "dns.test.com";                   // must match the ServerName in the httpd configuration
$config["api_auth_key"] = "Dns";                               // [this key can be anything you choose]

/* when using bind-chroot */
$config["bind"]["config"]   = "/var/named/chroot/etc/named.namedmanager.conf";
$config["bind"]["zonefiledir"]  = "/var/named/chroot/var/named/";

## Restart apache
[root@localhost ~]# service httpd restart

## Restart named
[root@localhost ~]# service named restart


VI. Using namedmanager

Log in through a browser at http://192.168.32.131/namedmanager with the default username and password (setup, setup123). Do not forget to change the username and password under user management.


1. Select Configuration and fill in the administrator email ([email protected])

Then set the API key:

Fill in ADMIN_API_KEY (the key defined earlier in /etc/namedmanager/config-bind.php)


2. Select Domains/zones -> View Domains and add a new domain via Add New Domain



3. Add the server. The Name Server FQDN must match the ServerName in httpd.

  • Name Server FQDN *: set the DNS FQDN to the hostname of the DNS server in the current domain

  • Select the server type: [API]

  • Enter the ADMIN_API_KEY key again

  • Define the current host as the DNS master server

Make sure the status at the end turns green, showing the configuration file is being synced (this takes a little while); if it is not shown in green, further troubleshooting is needed.


I have 2 CentOS, both with namedmanager and they are syncing each other.
I took some time to understand that the $config['api_url'] in config-bind.php must be the same for each server of the pool, and I put the url of the first server for each namedmanager.
api_server_name should contain the name of the server you are configuring.

 And api_auth_key, obviously the same key.


Add an A record for the NameServer (a very important step)



Importing a domain: the zone file should preferably not exceed 50 lines of records, otherwise an error is reported.



Add a forward zone


Add a reverse zone


Once the above steps are complete, the effect is the same as having manually added the zone entries to named.namedmanager.conf and created the corresponding zone files under var/named.


Recommendation

It is not recommended to edit the zone files or the named.namedmanager.conf file [manually]:

// This file is automatically generated any manual changes will be lost.

// If you edit a zone file directly, the change will be lost: the web interface is not updated to match, and it writes back over the zone file.


VI. namedmanager master/slave

You should (really should!) have at least two name servers, one model that works well is to have a master name server that runs the NamedManager interface and two slave servers that are public facing.

With NamedManager, the usual Bind slave replication isn't used for zones, instead all the servers run as independents and NamedManager handles the replication of configuration between them.

With NamedManager, master/slave replication is not done through the zone files (the zone transfer feature); NamedManager handles it instead.

NamedManager provides a single web interface that manages all the NS servers and distributes the zone files to multiple servers, so manually editing the zone files on individual NS servers is discouraged: it leads to inconsistent zone data between the NS servers.

The web interface distributes to multiple NS servers; the NS servers do not synchronize among themselves.





The config-bind.php settings, transcribed from the official wiki:

$config['api_url']: must be the same for each server of the pool; set it to match the master

$config['api_server_name']: matches the ServerName in each NS server's own httpd.conf.

$config['api_auth_key']: chosen freely for each NS server, as long as it is sufficiently complex
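The three rules above, together with the bind paths from the config-bind.php section in part V, are easy to get wrong by hand across a pool. The script below is an added example (not from the original post or the NamedManager project) that renders the relevant config-bind.php lines for every server in a pool: one shared api_url (the master's), a per-host api_server_name, and a per-host api_auth_key drawn from /dev/urandom instead of a short fixed string like "Dns". The hostnames and URL are constructed; the output is the fragment to merge into each host's /etc/namedmanager/config-bind.php, not a complete file.

```shell
#!/bin/sh
# Added example: render per-host config-bind.php settings for a NamedManager pool.
# Hostnames and the URL below are constructed.

# gen_api_key -> 48 hex characters (192 bits of entropy) from /dev/urandom
gen_api_key() {
    od -An -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# render_config_bind API_URL SERVER_NAME API_KEY CHROOT_DIR
#   CHROOT_DIR is "" for a non-chroot bind, "/var/named/chroot" for bind-chroot
render_config_bind() {
    cat <<EOF
\$config["api_url"] = "$1";
\$config["api_server_name"] = "$2";
\$config["api_auth_key"] = "$3";
\$config["bind"]["config"] = "$4/etc/named.namedmanager.conf";
\$config["bind"]["zonefiledir"] = "$4/var/named/";
\$config["log_file"] = "/var/log/messages";
EOF
}

# render_pool API_URL CHROOT_DIR HOST... -> one fragment per host, each with its own
# freshly generated key, separated by a "# ---- host" marker line
render_pool() {
    api_url=$1; chroot=$2; shift 2
    for host in "$@"; do
        echo "# ---- $host"
        render_config_bind "$api_url" "$host" "$(gen_api_key)" "$chroot"
    done
}

# the same api_url on every host: the master's web interface
render_pool "https://ns1.example.test/namedmanager" "/var/named/chroot" ns1.example.test ns2.example.test
```

The key printed for each host is the value to paste into that server's entry in the web interface (the ADMIN_API_KEY field of step 3 above); since the key travels with every SOAP call, the api_url should stay on https as in the post's own configuration.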


Then log in to the master's web management page (the same one for the whole DNS server pool) and add the Name Server:


Next, in the Domain Records of the master's domain, add the slave DNS server's

  • NS record

  • A record

Add the NS record


Add the A record


master :     tail -f /var/log/messages


slave :     tail -f /var/log/messages  


As we can see, the logs contain no zone synchronization or transfer messages (unlike a zone transfer).


Configure the service firewall

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
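The rules above open SSH and the NamedManager web interface (80/443) to every source, although only administrators and the other name servers in the pool ever need to reach them, while DNS on port 53 is the one service a public name server must expose. The following added example (not part of the original post) emits the same policy in iptables-restore format with 22, 80 and 443 limited to a management network and the pool members. The addresses are constructed; apply the output with `iptables-restore < rules.v4`.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a NamedManager name server with the
# web/API interface and SSH restricted to management sources. Addresses constructed.

# build_ruleset MGMT_CIDR POOL_IP... -> prints the ruleset on stdout
build_ruleset() {
    mgmt=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # DNS is the public service: open to all sources on both transports
    printf '%s\n' '-A INPUT -p tcp --dport 53 -j ACCEPT'
    printf '%s\n' '-A INPUT -p udp --dport 53 -j ACCEPT'
    # SSH only from the management network
    printf '%s\n' "-A INPUT -s $mgmt -p tcp --dport 22 -j ACCEPT"
    # NamedManager web interface and SOAP API: management network plus pool members,
    # since each name server's configwriter and logpush connect to the api_url
    for src in "$mgmt" "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_web_sources RULESET -> number of sources allowed to reach 80/443
count_web_sources() {
    printf '%s\n' "$1" | grep -c -- '--dports 80,443'
}

# management network plus two constructed pool members
build_ruleset 10.0.0.0/24 192.168.32.132 192.168.32.133
```

Slave servers that only run the bind integration component need no web rule at all, since nothing connects to them on 80/443; pass the pool list only on the host that serves the NamedManager interface.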



http://www.bkjia.com/xtzh/729566.html

http://blog.sina.com.cn/s/blog_4085c8c70102vmco.html
