企业级Web DNS实战

系统环境

1
2
3
4
5
#cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core)

#uname -a
Linux node 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

安装部署namedmanager

准备rpm包

https://repos.jethrocarr.com/pub/jethrocarr/linux/centos/7/jethrocarr-custom/x86_64/

下载最新版

1
2
3
4
[root@hdss7-11 opt]# ll
total 62244
-rw-r--r-- 1 root root 102136 Feb 1 18:17 namedmanager-bind-1.9.0-2.el7.centos.noarch.rpm
-rw-r--r-- 1 root root 1084340 Feb 1 18:17 namedmanager-www-1.9.0-2.el7.centos.noarch.rpm

安装

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@hdss7-11 opt]# yum localinstall namedmanager-* -y
...
Installed:
namedmanager-bind.noarch 0:1.9.0-2.el7.centos namedmanager-www.noarch 0:1.9.0-2.el7.centos

Dependency Installed:
apr.x86_64 0:1.4.8-3.el7_4.1 apr-util.x86_64 0:1.5.2-6.el7 bind.x86_64 32:9.9.4-73.el7_6
httpd.x86_64 0:2.4.6-88.el7.centos httpd-tools.x86_64 0:2.4.6-88.el7.centos libzip.x86_64 0:0.10.1-8.el7
mailcap.noarch 0:2.1.41-2.el7 mariadb.x86_64 1:5.5.60-1.el7_5 mariadb-libs.x86_64 1:5.5.60-1.el7_5
mariadb-server.x86_64 1:5.5.60-1.el7_5 mod_ssl.x86_64 1:2.4.6-88.el7.centos perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-MySQL.x86_64 0:4.023-6.el7 perl-DBI.x86_64 0:1.627-4.el7
perl-IO-Compress.noarch 0:2.061-2.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7
php.x86_64 0:5.4.16-46.el7 php-cli.x86_64 0:5.4.16-46.el7 php-common.x86_64 0:5.4.16-46.el7
php-intl.x86_64 0:5.4.16-46.el7 php-ldap.x86_64 0:5.4.16-46.el7 php-mysqlnd.x86_64 0:5.4.16-46.el7
php-pdo.x86_64 0:5.4.16-46.el7 php-process.x86_64 0:5.4.16-46.el7 php-soap.x86_64 0:5.4.16-46.el7
php-xml.x86_64 0:5.4.16-46.el7

Dependency Updated:
bind-libs.x86_64 32:9.9.4-73.el7_6 bind-libs-lite.x86_64 32:9.9.4-73.el7_6 bind-license.noarch 32:9.9.4-73.el7_6 bind-utils.x86_64 32:9.9.4-73.el7_6

Complete!

先配mysql

启动mysql

1
[root@hdss7-11 mysql]# systemctl start mariadb.service

开机自启动

1
2
[root@hdss7-11 ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

配mysql的root密码

1
[root@hdss7-11 mysql]# mysqladmin -uroot password 123456

导入namedmanager的数据库脚本

/usr/share/namedmanager/resources/autoinstall.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[root@hdss7-11 ~]# cd /usr/share/namedmanager/resources/
[root@hdss7-11 resources]# ./autoinstall.pl
autoinstall.pl

This script setups the NamedManager database components:
* NamedManager MySQL user
* NamedManager database
* NamedManager configuration files

THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER.
DO NOT RUN FOR ANY OTHER REASON

Please enter MySQL root password (if any): 123456

输入123456

Searching ../sql/ for latest install schema...
../sql//version_20131222_install.sql is the latest file and will be used for the install.
Importing file ../sql//version_20131222_install.sql
Creating user...
Updating configuration file...
DB installation complete!

You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager

配置namedmanager

config.php,增加一条配置

/etc/namedmanager/config.php
1
$_SERVER['HTTPS'] = "TRUE";

config-bind.php,修改以下三条配置

/etc/namedmanager/config-bind.php
1
2
3
4
$config["api_url"]              = "http://dns-manager.od.com/namedmanager";     // Application Install Location
$config["api_server_name"] = "dns-manager.od.com"; // Name of the DNS server (important: part of the authentication process)
$config["api_auth_key"] = "verycloud"; // API authentication key
$config["log_file"] = "/var/log/namedmanager_bind_configwriter";

php.ini,修改一条配置

/etc/php.ini
1
2
; How many GET/POST/COOKIE input variables may be accepted
max_input_vars = 10000

绑host(临时)

/etc/hosts
1
10.4.7.11   dns-manager.od.com

配apache

/etc/httpd/conf/httpd.conf
1
2
3
4
5
6
7
Listen 10.4.7.11:8080
ServerName dns-manager.od.com
<Directory />
AllowOverride none
allow from all
#Require all denied
</Directory>

配nginx

/etc/nginx/conf.d/dns-manager.od.com.conf
1
2
3
4
5
6
7
8
9
10
11
12
server {
server_name dns-manager.od.com;

location =/ {
rewrite ^/(.*) http://dns-manager.od.com/namedmanager permanent;
}
location / {
proxy_pass http://10.4.7.11:8080;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}

启动apache和nginx

  • 启动apache

    1
    2
    3
    [root@hdss7-11 ~]# systemctl start httpd
    [root@hdss7-11 ~]# systemctl enable httpd
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
  • 启动nginx

    1
    2
    3
    4
    [root@hdss7-11 ~]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@hdss7-11 ~]# nginx

访问http://dns-manager.od.com,看看页面是否正常

继续改namedmanager的配置

改namedmanager_bind_configwriter.php

/usr/share/namedmanager/bind/namedmanager_bind_configwriter.php
1
2
3
4
if (flock($fh_lock, LOCK_EX ))
{
log_write("debug", "script", "Obtained filelock");
}

启动namedmanager_logpush.rcsysinit

加执行权限

/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit
1
[root@hdss7-11 resources]# chmod u+x namedmanager_logpush.rcsysinit

启动该脚本

/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit
1
2
3
[root@hdss7-11 resources]# sh namedmanager_logpush.rcsysinit start
Starting namedmanager_logpush service:
[root@hdss7-11 resources]# nohup: redirecting stderr to stdout

检查是否启动

1
2
[root@hdss7-11 resources]# ps -ef|grep php|egrep -v grep
root 10738 1 0 10:49 pts/1 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php

用supervisor管理起来

这个脚本非常重要,是整个namedmanager软件的核心,所以要保证它一直在后台启动,这里我们用supervisor这个软件把它管理起来

先安装supervisor软件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
[root@hdss7-11 resources]# yum install supervisor -y
ependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
supervisor noarch 3.1.4-1.el7 epel 446 k
Installing for dependencies:
python-meld3 x86_64 0.6.10-1.el7 epel 73 k
python-setuptools noarch 0.9.8-7.el7 base 397 k

Transaction Summary
=============================================================================================================================================================
Install 1 Package (+2 Dependent packages)

Total download size: 916 k
Installed size: 4.4 M
...
Installed:
supervisor.noarch 0:3.1.4-1.el7

Dependency Installed:
python-meld3.x86_64 0:0.6.10-1.el7 python-setuptools.noarch 0:0.9.8-7.el7

Complete!
创建脚本启动的配置文件
/etc/supervisord.d/namedmanager_logpush.ini
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[program:namedmanager_logpush]
command=php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush
numprocs=1
directory=/usr/share/namedmanager/resources
autostart=true
autorestart=true
startsecs=22
startretries=4
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=false
stdout_logfile=/var/log/namedmanager_logpush.out
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
stderr_logfile=/var/log/namedmanager_logpush.err
stderr_logfile_maxbytes=64MB
stderr_logfile_backups=4
stderr_capture_maxbytes=1MB
stderr_events_enabled=false
启动supservisord服务
1
[root@hdss7-11 resources]# systemctl start supervisord
开机自启
1
2
[root@hdss7-11 resources]# systemctl enable supervisord
Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.

查看脚本启动情况

1
2
3
4
[root@hdss7-11 resources]# supervisorctl status
namedmanager_logpush RUNNING pid 9194, uptime 0:01:44
[root@hdss7-11 resources]# ps -ef|grep -v grep|grep php
root 9194 8979 0 11:14 ? 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush

这样脚本就可以保证高可用性了

检查日志

/var/log/namedmanager_logpush
1
2
[root@hdss7-11 resources]# tail -fn 200 /var/log/namedmanager_logpush
Error: Unable to authenticate with NamedManager API - check that auth API key and server name are valid

有报错,所以需要继续配置

改inc_soap_api.php

/usr/share/namedmanager/bind/include/application/inc_soap_api.php
1
preg_match("/^http:\/\/(\S*?)[:0-9]*\//", $GLOBALS["config"]["api_url"], $matches);

重启namedmanager_logpush.rcsysinit

如果已经用supervisor软件管理起来了,只需要kill掉脚本进程即可

1
2
3
4
5
[root@hdss7-11 resources]# ps -ef|grep -v grep|grep php|awk '{print $2}'|xargs kill -9
[root@hdss7-11 resources]# ps -ef|grep -v grep|grep php
root 9295 8979 1 11:18 ? 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush
[root@hdss7-11 resources]# supervisorctl
namedmanager_logpush RUNNING pid 9295, uptime 0:00:23

否则需要手动重启脚本

/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit
1
2
3
4
[root@hdss7-11 resources]# sh namedmanager_logpush.rcsysinit restart
Stopping namedmanager_logpush services:
Starting namedmanager_logpush service:
nohup: redirecting stderr to stdout

配置BIND9

先配rndc

rndc.key

1
2
3
4
5
[root@hdss7-11 ~]# cat /etc/rndc.key 
key "rndc-key" {
algorithm hmac-sha256;
secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4=";
};

如果没有,使用如下命令生成rndc.key

1
[root@hdss7-11 ~]# rndc-confgen -r /dev/urandom

配rndc.conf

/etc/rndc.conf
1
2
3
4
5
6
7
8
9
10
key "rndc-key" {
algorithm hmac-sha256;
secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4=";
};

options {
default-key "rndc-key";
default-server 10.4.7.11;
default-port 953;
};

删除rndc.key

1
[root@hdss7-11 ~]# rm -f /etc/rndc.key

BIND9主配置文件

/etc/named.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
options {
listen-on port 53 { 10.4.7.11; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 10.4.7.12; };
also-notify { 10.4.7.12; };

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable no;
dnssec-validation no;


/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

key "rndc-key" {
algorithm hmac-sha256;
secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4=";
};

controls {
inet 10.4.7.11 port 953
allow { 10.4.7.11; } keys { "rndc-key"; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.namedmanager.conf";

改named.namedmanager.conf文件属性

/etc/named.namedmanager.conf
1
2
3
[root@hdss7-11 named]# chown apache.apache /etc/named.namedmanager.conf
[root@hdss7-11 named]# ls -l /etc/named.namedmanager.conf
-rw-r--r-- 1 apache named 112 Dec 16 11:19 /etc/named.namedmanager.conf

检查配置并启动BIND9

检查配置

1
[root@hdss7-11 ~]# named-checkconf

启动BIND9

1
[root@hdss7-11 ~]# systemctl start named

开机自启动

1
[root@hdss7-11 ~]# systemctl enable named

检查启动情况

1
2
3
4
[root@hdss7-11 ~]# netstat -luntp|grep 53
tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 10922/named
tcp 0 0 10.4.7.11:953 0.0.0.0:* LISTEN 10922/named
udp 0 0 10.4.7.11:53 0.0.0.0:* 10922/named

配置NamedManager页面

浏览器打开http://dns-manager.od.com(提前绑好host),用户名/密码:setup/setup123

配置Configuration选项卡

Zone Configuration Defaults

  • DEFAULT_HOSTMASTER

    87527941@qq.com

  • DEFAULT_TTL_SOA

    86400

  • DEFAULT_TTL_NS

    120

  • DEFAULT_TTL_MX

    60

  • DEFAULT_TTL_OTHER

    60

API Configuration

  • ADMIN_API_KEY

    verycloud

Date and Time Configuration

  • DATEFORMAT

    yyyy-mm-dd

  • TIMEZONE_DEFAULT

    Asia/Shanghai

Save Changes

配置New Servers选项卡

Add NewServer

Server Details

  • Name Server FQDN *

    dns-manager.od.com
    注意:这里一定要填config-bind.php里对应$config["api_server_name"]项配置的值

  • Description

    dns server for od.com

    Server Type

  • Server Type

    API (supports Bind)

  • API Authentication Key *

    verycloud

    Server Domain Settings

    必须勾选以下三项
  • Nameserver Group *

    default – Default Nameserver Group

  • Primary Nameserver *

    Make this server the primary one used for DNS SOA records.

  • Use as NS Record *

    Adds this name server to all domains as a public NS record.

Save Changes

保存后View Name Servers选项卡下,Logging Status应变绿且成为status_synced,如一直不变绿,需要进行排错,不要继续往下做了。

配置Domain/Zones选项卡

添加Domain/Zone

两种方式

  • 手动添加域
  • 自动导入域

Add Domain(手动添加)

Domain Details
  • Domain Type *

    Standard Domain
    Reverse Domain (IPv4)
    Reverse Domain (IPv6)
    根据实际情况选择,这里选择Standard Domain(正解域)

  • Domain Name *

    od.com

  • Description

    od.com domain

Domain Server Groups

注意:一定要勾选域服务器组

default – Default Nameserver Group

Start of Authority Record
  • Email Administrator Address *

    Email Administrator Address *

  • Domain Serial *

    2018121601

  • Refresh Timer *

    21600

  • Refresh Retry Timeout *

    3600

  • Expiry Timer *

    604800

  • Default Record TTL *

    60
    注意:这里配置SOA记录最后一个参数值没有按套路出牌,配置的并不是否定应答超时时间(NegativeAnswerTTL),而是默认资源记录的过期时间

Save Changes

Import Domain(自动导入)

  • Import Source

    Bind 8/9 Compatible Zonefile

  • Zone File

    选择文件host.com.txt

导入一个正解域
upload,选择文件

附1:host.com.txt

host.com.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
$ORIGIN .
$TTL 600 ; 10 minutes
host.com IN SOA dns-manager.od.com. 87527941.qq.com. (
2019013106 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
$ORIGIN host.com.
$TTL 60 ; 1 minute
HDSS7-11 A 10.4.7.11
HDSS7-12 A 10.4.7.12

注意:这里可以不用给NS记录和对应的A记录了,会默认生成

Save Changes

点保存进入下一个配置页面

Domain Details

这里可以配置域的信息和描述,我们这里先配一个Standard Domain(正解域)

Start of Authority Record

这里注意SOA记录的最后一个选项Default Record TTL *

Domain Records

检查一下和导入文件里的记录是否一致

Save Changes

先点一次保存

Domain Details

检查一遍域信息和描述

Domain Server Groups

注意:这里一定要勾选服务器组(上个页面没有,这里新出来的选项)

Start of Authority Record

检查一遍SOA记录

Save Changes

最后点一下保存,导入成功

导入一个反解域
upload,选择文件

附2:7.4.10.in-addr.arpa.txt

7.4.10.in-addr.arpa.txt
1
2
3
4
5
6
7
8
9
10
11
12
$TTL 600	; 10 minutes
@ IN SOA dns-manager.od.com. 87527941.qq.com. (
2018121603 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
$ORIGIN 7.4.10.in-addr.arpa.
$TTL 60 ; 1 minute
11 PTR HDSS7-11.host.com.
12 PTR HDSS7-12.host.com.

注意:这里可以不用给NS记录和对应的A记录了,会默认生成

Save Changes

点保存进入下一个配置页面

Domain Details

注意:

  • Domain Type *应为Reverse Domain (IPv4)
  • IPv4 Network Address *应为10.4.7.0/24
Start of Authority Record

配置SOA记录

Domain Records

检查一下和导入文件里的记录是否一致

Save Changes

先点一次保存

Domain Details

检查一遍域信息和描述

Domain Server Groups

注意:这里一定要勾选服务器组(上个页面没有,这里新出来的选项)

Start of Authority Record

检查一遍SOA记录

Save Changes

最后点一下保存,导入成功

在对应的Zone里操作资源记录(增、删、改)

View Domains选项卡

details 按钮

维护domain的基本配置,略

delete 按钮

删除domain,略

domain record(od.com)
配置页面
  • Domain Details

    Domain od.com selected for adjustment

  • Nameserver Configuration

    这里是配置NS记录的配置区,默认会生成一条

TypeTTLName/OriginContent-
NS 120 od.com dns-manager.od.com -
  • Mailserver Configuration

    略,暂不配置MX记录

  • Host Records Configuration

    这里是配置重点,A记录、CNAME记录、TXT记录等都在这个里配置
    这里增加两条A记录解析,增加一条CNAME解析

TypeTTLNameContentReversePTR-
A 60 dns-manager 10.4.7.11 no delete
A 60 www 10.4.7.11 no delete
CNAME 60 eshop www.od.com no delete
Save Changes
domain record(host.com)
配置页面
  • Domain Details

    Domain host.com selected for adjustment

  • Nameserver Configuration

    这里是配置NS记录的配置区,默认会生成一条

TypeTTLName/OriginContent-
NS 120 host.com dns-manager.od.com -
  • Mailserver Configuration

    略,暂不配置MX记录

  • Host Records Configuration

    这里是配置重点,A记录、CNAME记录、TXT记录等都在这个里配置
    因为是从文件导入的域,默认会有记录

TypeTTLNameContentReversePTR-
A 60 HDSS7-11 10.4.7.11 delete
A 60 HDSS7-12 10.4.7.12 delete
Save Changes
domain record(7.4.10.in-addr.arpa)
配置页面
  • Domain Details

    Domain 7.4.10.in-addr.arpa selected for adjustment

  • Nameserver Configuration

    这里是配置NS记录的配置区,默认会生成一条

TypeTTLName/OriginContent-
NS 120 7.4.10.in-addr.arpa dns-manager.od.com -
  • Mailserver Configuration

    略,暂不配置MX记录

  • Host Records Configuration

    这里是配置重点,A记录、CNAME记录、TXT记录等都在这个里配置
    因为是从文件导入的域,默认会有记录

TypeTTLNameContent-
PTR 60 11 HDSS7-11.host.com delete
PTR 60 12 HDSS7-12.host.com delete
Save Changes

返回Name Servers选项卡

查看页面DNS服务器状态

  • Logging Status
    status_synced
  • Zonefile Status
    status_synced

全部变绿且为status_synced即为正常

查看服务器上配置文件(都是由namedmanager服务自动生成的)

named.namedmanager.conf

/etc/named.namedmanager.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
//
// NamedManager Configuration
//
// This file is automatically generated any manual changes will be lost.
//
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { none; };
};
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { none; };
};
zone "7.4.10.in-addr.arpa" IN {
type master;
file "7.4.10.in-addr.arpa.zone";
allow-update { none; };
};

这里生成了三个zone,两个正解域,一个反解域,依次检查三个域的区域数据库文件:

od.com.zone

/var/named/od.com.zone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ORIGIN od.com.
$TTL 60
@ IN SOA dns-manager.od.com. 87527941.qq.com. (
2018121610 ; serial
21600 ; refresh
3600 ; retry
604800 ; expiry
60 ; minimum ttl
)

; Nameservers

od.com. 120 IN NS dns-manager.od.com.

; Mailservers


; Reverse DNS Records (PTR)


; CNAME


; HOST RECORDS

dns-manager 60 IN A 10.4.7.11
www 60 IN A 10.4.7.11
eshop 60 IN CNAME www.od.com.

host.com.zone

/var/named/host.com.zone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ORIGIN host.com.
$TTL 60
@ IN SOA dns-manager.od.com. 87527941.qq.com. (
2018121604 ; serial
10800 ; refresh
900 ; retry
604800 ; expiry
60 ; minimum ttl
)

; Nameservers

host.com. 120 IN NS dns-manager.od.com.

; Mailservers


; Reverse DNS Records (PTR)


; CNAME


; HOST RECORDS

HDSS7-11 60 IN A 10.4.7.11
HDSS7-12 60 IN A 10.4.7.12

7.4.10.in-addr.arpa.zone

/var/named/7.4.10.in-addr.arpa.zone
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ORIGIN 7.4.10.in-addr.arpa.
$TTL 60
@ IN SOA dns-manager.od.com. 87527941.qq.com. (
2018121603 ; serial
10800 ; refresh
900 ; retry
604800 ; expiry
60 ; minimum ttl
)

; Nameservers

7.4.10.in-addr.arpa. 120 IN NS dns-manager.od.com.

; Mailservers


; Reverse DNS Records (PTR)

11 60 IN PTR HDSS7-11.host.com.
12 60 IN PTR HDSS7-12.host.com.

; CNAME


; HOST RECORDS

检查资源记录解析是否生效

1
2
3
4
5
6
7
8
# dig -t A www.od.com @10.4.7.11 +short
10.4.7.11

#dig -t A HDSS7-12.host.com @10.4.7.11 +short
10.4.7.12

#dig -x 10.4.7.11 @10.4.7.11 +short
HDSS7-11.host.com.

验证页面增、删、改是否均生效

注意:

  • 增、删、改资源记录时,对应域的SOA记录的serial序列号会自动滚动,非常方便
  • 这里在页面上操作资源记录,会先写mysql,再由php脚本定期刷到磁盘文件上,所以大概需要1分钟的时间生效
  • 在维护主机域时,添加正解记录,并勾选后面的reverse选项,将同时生成一条反解记录,简化了操作
  • 由于服务器上的区域数据库文件是由php进程定期更新的(根据mysql数据库里的数据),所以手动在服务器上修改资源记录是无法生效的,应该严格禁止

配置DNS主辅同步

配置客户端的DNS服务器

/etc/resolv.conf
1
2
3
4
# Generated by NetworkManager
search od.com host.com
nameserver 10.4.7.11
nameserver 10.4.7.12

把所有客户端绑定的临时hosts删除

/etc/hosts
1
#10.4.7.11   dns-manager.od.com

配置客户端DNS服务器的小技巧

用户系统及操作审计功能

用户系统

可以创建不同的管理员用户

User Management选项卡

该页面下可以查看所有的系统用户,并可以进行用户管理

Create a new User Account 增加用户

User Details

User Password

  • password *

    123456

  • password_confirm *

    123456

Save Changes

User Permissions 用户权限

  • disabled

    勾上,用户不生效
    不勾,用户生效
    这里不勾

  • admin(超级管理员)

    勾上,可以创建用户管理用户权限
    不勾,不可以创建用户管理用户权限
    这里不勾

  • namedadmins(管理员)

    勾上,dns管理员,可以管理zone和资源记录
    不勾,不可以管理zone和资源记录
    这里勾选

Save Changes

delete

删除用户,略

details

这里可以配置用户的基本信息

User Password

超级管理员可以帮助用户修改密码

User Options

  • option_shrink_tableoptions

    Automatically hide the options table when using defaults
    默认勾选,高级查询框显示与否

  • option_debug

    Enable debug logging - this will impact performance a bit but will show a full trail of all functions and SQL queries made
    默认不勾,勾选上可以在页面显示debug日志,建议部署时使用,投产后关闭

  • option_concurrent_logins

    Permit this user to make multiple simultaneous logins
    默认不勾,允许该用户在多点同时登录,应该严格禁止(审计)

使用wangdao用户登录

可以进行DNS服务管理,但无法管理用户

审计

使用wangdao用户在页面增加一条资源记录

操作过程略

Changelog选项卡

可以看到所有用户的操作记录,实现审计功能,做到操作可溯

Tips

    • 生产上强烈建议新生成一个超级管理员用户并将setup用户删除!
    • 超级管理员用户应只有一个且不要轻易外泄,可以创建多个管理员账户。(一般根据业务而定,每个管理员负责一个子域)
    • 管理员账户创建好后,应由各人自行登录修改密码。
    • 超级管理员用户密码的复杂度要足够高,定期更换超级管理员用户密码。

 

 

原文地址:https://blog.stanley.wang/page/2/

 

posted @ 2021-01-20 18:29  听&夏  阅读(345)  评论(0编辑  收藏  举报