企业级Web DNS实战

系统环境

复制

1 2 3 4 5

#cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) #uname -a Linux node 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

安装部署namedmanager

准备rpm包

https://repos.jethrocarr.com/pub/jethrocarr/linux/centos/7/jethrocarr-custom/x86_64/

下载最新版

复制

1 2 3 4

[root@hdss7-11 opt]# ll total 62244 -rw-r--r-- 1 root root 102136 Feb 1 18:17 namedmanager-bind-1.9.0-2.el7.centos.noarch.rpm -rw-r--r-- 1 root root 1084340 Feb 1 18:17 namedmanager-www-1.9.0-2.el7.centos.noarch.rpm

安装

复制

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

[root@hdss7-11 opt]# yum localinstall namedmanager-* -y ... Installed: namedmanager-bind.noarch 0:1.9.0-2.el7.centos namedmanager-www.noarch 0:1.9.0-2.el7.centos Dependency Installed: apr.x86_64 0:1.4.8-3.el7_4.1 apr-util.x86_64 0:1.5.2-6.el7 bind.x86_64 32:9.9.4-73.el7_6 httpd.x86_64 0:2.4.6-88.el7.centos httpd-tools.x86_64 0:2.4.6-88.el7.centos libzip.x86_64 0:0.10.1-8.el7 mailcap.noarch 0:2.1.41-2.el7 mariadb.x86_64 1:5.5.60-1.el7_5 mariadb-libs.x86_64 1:5.5.60-1.el7_5 mariadb-server.x86_64 1:5.5.60-1.el7_5 mod_ssl.x86_64 1:2.4.6-88.el7.centos perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-MySQL.x86_64 0:4.023-6.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-IO-Compress.noarch 0:2.061-2.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7 php.x86_64 0:5.4.16-46.el7 php-cli.x86_64 0:5.4.16-46.el7 php-common.x86_64 0:5.4.16-46.el7 php-intl.x86_64 0:5.4.16-46.el7 php-ldap.x86_64 0:5.4.16-46.el7 php-mysqlnd.x86_64 0:5.4.16-46.el7 php-pdo.x86_64 0:5.4.16-46.el7 php-process.x86_64 0:5.4.16-46.el7 php-soap.x86_64 0:5.4.16-46.el7 php-xml.x86_64 0:5.4.16-46.el7 Dependency Updated: bind-libs.x86_64 32:9.9.4-73.el7_6 bind-libs-lite.x86_64 32:9.9.4-73.el7_6 bind-license.noarch 32:9.9.4-73.el7_6 bind-utils.x86_64 32:9.9.4-73.el7_6 Complete!

先配mysql

启动mysql

复制

1	[root@hdss7-11 mysql]# systemctl start mariadb.service

开机自启动

复制

1 2	[root@hdss7-11 ~]# systemctl enable mariadb Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

配mysql的root密码

复制

1	[root@hdss7-11 mysql]# mysqladmin -uroot password 123456

导入namedmanager的数据库脚本

复制/usr/share/namedmanager/resources/autoinstall.pl

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

[root@hdss7-11 ~]# cd /usr/share/namedmanager/resources/ [root@hdss7-11 resources]# ./autoinstall.pl autoinstall.pl This script setups the NamedManager database components: * NamedManager MySQL user * NamedManager database * NamedManager configuration files THIS SCRIPT ONLY NEEDS TO BE RUN FOR THE VERY FIRST INSTALL OF NAMEDMANAGER. DO NOT RUN FOR ANY OTHER REASON Please enter MySQL root password (if any): 123456 输入123456 Searching ../sql/ for latest install schema... ../sql//version_20131222_install.sql is the latest file and will be used for the install. Importing file ../sql//version_20131222_install.sql Creating user... Updating configuration file... DB installation complete! You can now login with the default username/password of setup/setup123 at http://localhost/namedmanager

配置namedmanager

config.php，增加一条配置

复制/etc/namedmanager/config.php

1	$_SERVER['HTTPS'] = "TRUE";

config-bind.php，修改以下三条配置

复制/etc/namedmanager/config-bind.php

1 2 3 4

$config["api_url"] = "http://dns-manager.od.com/namedmanager"; // Application Install Location $config["api_server_name"] = "dns-manager.od.com"; // Name of the DNS server (important: part of the authentication process) $config["api_auth_key"] = "verycloud"; // API authentication key $config["log_file"] = "/var/log/namedmanager_bind_configwriter";

php.ini，修改一条配置

复制/etc/php.ini

1 2	; How many GET/POST/COOKIE input variables may be accepted max_input_vars = 10000

绑host（临时）

复制/etc/hosts

1	10.4.7.11 dns-manager.od.com

配apache

复制/etc/httpd/conf/httpd.conf

1 2 3 4 5 6 7

Listen 10.4.7.11:8080 ServerName dns-manager.od.com <Directory /> AllowOverride none allow from all #Require all denied </Directory>

配nginx

复制/etc/nginx/conf.d/dns-manager.od.com.conf

1 2 3 4 5 6 7 8 9 10 11 12

server { server_name dns-manager.od.com; location =/ { rewrite ^/(.*) http://dns-manager.od.com/namedmanager permanent; } location / { proxy_pass http://10.4.7.11:8080; proxy_set_header Host $http_host; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; } }

启动apache和nginx

• 启动apache

  复制

  1 2 3

  [root@hdss7-11 ~]# systemctl start httpd [root@hdss7-11 ~]# systemctl enable httpd Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

• 启动nginx

  复制

  1 2 3 4

  [root@hdss7-11 ~]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@hdss7-11 ~]# nginx

访问http://dns-manager.od.com，看看页面是否正常

继续改namedmanager的配置

改namedmanager_bind_configwriter.php

复制/usr/share/namedmanager/bind/namedmanager_bind_configwriter.php

1 2 3 4

if (flock($fh_lock, LOCK_EX )) { log_write("debug", "script", "Obtained filelock"); }

启动namedmanager_logpush.rcsysinit

加执行权限

复制/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit

1	[root@hdss7-11 resources]# chmod u+x namedmanager_logpush.rcsysinit

启动该脚本

复制/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit

1 2 3

[root@hdss7-11 resources]# sh namedmanager_logpush.rcsysinit start Starting namedmanager_logpush service: [root@hdss7-11 resources]# nohup: redirecting stderr to stdout

检查是否启动

复制

1 2	[root@hdss7-11 resources]# ps -ef|grep php|egrep -v grep root 10738 1 0 10:49 pts/1 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php

用supervisor管理起来

这个脚本非常重要，是整个namedmanager软件的核心，所以要保证它一直在后台启动，这里我们用supervisor这个软件把它管理起来

先安装supervisor软件

复制

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

[root@hdss7-11 resources]# yum install supervisor -y ependencies Resolved ============================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================= Installing: supervisor noarch 3.1.4-1.el7 epel 446 k Installing for dependencies: python-meld3 x86_64 0.6.10-1.el7 epel 73 k python-setuptools noarch 0.9.8-7.el7 base 397 k Transaction Summary ============================================================================================================================================================= Install 1 Package (+2 Dependent packages) Total download size: 916 k Installed size: 4.4 M ... Installed: supervisor.noarch 0:3.1.4-1.el7 Dependency Installed: python-meld3.x86_64 0:0.6.10-1.el7 python-setuptools.noarch 0:0.9.8-7.el7 Complete!

创建脚本启动的配置文件

复制/etc/supervisord.d/namedmanager_logpush.ini

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

[program:namedmanager_logpush] command=php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush numprocs=1 directory=/usr/share/namedmanager/resources autostart=true autorestart=true startsecs=22 startretries=4 exitcodes=0,2 stopsignal=QUIT stopwaitsecs=10 user=root redirect_stderr=false stdout_logfile=/var/log/namedmanager_logpush.out stdout_logfile_maxbytes=64MB stdout_logfile_backups=4 stdout_capture_maxbytes=1MB stdout_events_enabled=false stderr_logfile=/var/log/namedmanager_logpush.err stderr_logfile_maxbytes=64MB stderr_logfile_backups=4 stderr_capture_maxbytes=1MB stderr_events_enabled=false

启动supservisord服务

复制

1	[root@hdss7-11 resources]# systemctl start supervisord

开机自启

复制

1 2	[root@hdss7-11 resources]# systemctl enable supervisord Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.

查看脚本启动情况

复制

1 2 3 4

[root@hdss7-11 resources]# supervisorctl status namedmanager_logpush RUNNING pid 9194, uptime 0:01:44 [root@hdss7-11 resources]# ps -ef|grep -v grep|grep php root 9194 8979 0 11:14 ? 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush

这样脚本就可以保证高可用性了

检查日志

复制/var/log/namedmanager_logpush

1 2	[root@hdss7-11 resources]# tail -fn 200 /var/log/namedmanager_logpush Error: Unable to authenticate with NamedManager API - check that auth API key and server name are valid

有报错，所以需要继续配置

改inc_soap_api.php

复制/usr/share/namedmanager/bind/include/application/inc_soap_api.php

1	preg_match("/^http:\/\/(\S*?)[:0-9]*\//", $GLOBALS["config"]["api_url"], $matches);

重启namedmanager_logpush.rcsysinit

如果已经用supervisor软件管理起来了，只需要kill掉脚本进程即可

复制

1 2 3 4 5

[root@hdss7-11 resources]# ps -ef|grep -v grep|grep php|awk '{print $2}'|xargs kill -9 [root@hdss7-11 resources]# ps -ef|grep -v grep|grep php root 9295 8979 1 11:18 ? 00:00:00 php -q /usr/share/namedmanager/bind/namedmanager_logpush.php 2>&1 > /var/log/namedmanager_logpush [root@hdss7-11 resources]# supervisorctl namedmanager_logpush RUNNING pid 9295, uptime 0:00:23

否则需要手动重启脚本

复制/usr/share/namedmanager/resources/namedmanager_logpush.rcsysinit

1 2 3 4

[root@hdss7-11 resources]# sh namedmanager_logpush.rcsysinit restart Stopping namedmanager_logpush services: Starting namedmanager_logpush service: nohup: redirecting stderr to stdout

配置BIND9

先配rndc

rndc.key

复制

1 2 3 4 5

[root@hdss7-11 ~]# cat /etc/rndc.key key "rndc-key" { algorithm hmac-sha256; secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4="; };

如果没有，使用如下命令生成rndc.key

复制

1	[root@hdss7-11 ~]# rndc-confgen -r /dev/urandom

配rndc.conf

复制/etc/rndc.conf

1 2 3 4 5 6 7 8 9 10

key "rndc-key" { algorithm hmac-sha256; secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4="; }; options { default-key "rndc-key"; default-server 10.4.7.11; default-port 953; };

删除rndc.key

复制

1	[root@hdss7-11 ~]# rm -f /etc/rndc.key

BIND9主配置文件

复制/etc/named.conf

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

options { listen-on port 53 { 10.4.7.11; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-transfer { 10.4.7.12; }; also-notify { 10.4.7.12; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; key "rndc-key" { algorithm hmac-sha256; secret "CD/4vqb9l0WiMy5TXjfeu1cMhyRerQ9kL2jwdBFWwa4="; }; controls { inet 10.4.7.11 port 953 allow { 10.4.7.11; } keys { "rndc-key"; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; include "/etc/named.namedmanager.conf";

改named.namedmanager.conf文件属性

复制/etc/named.namedmanager.conf

1 2 3

[root@hdss7-11 named]# chown apache.apache /etc/named.namedmanager.conf [root@hdss7-11 named]# ls -l /etc/named.namedmanager.conf -rw-r--r-- 1 apache named 112 Dec 16 11:19 /etc/named.namedmanager.conf

检查配置并启动BIND9

检查配置

复制

1	[root@hdss7-11 ~]# named-checkconf

启动BIND9

复制

1	[root@hdss7-11 ~]# systemctl start named

开机自启动

复制

1	[root@hdss7-11 ~]# systemctl enable named

检查启动情况

复制

1 2 3 4

[root@hdss7-11 ~]# netstat -luntp|grep 53 tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 10922/named tcp 0 0 10.4.7.11:953 0.0.0.0:* LISTEN 10922/named udp 0 0 10.4.7.11:53 0.0.0.0:* 10922/named

配置NamedManager页面

浏览器打开http://dns-manager.od.com（提前绑好host），用户名/密码：setup/setup123

配置Configuration选项卡

Zone Configuration Defaults

• DEFAULT_HOSTMASTER

  87527941@qq.com

• DEFAULT_TTL_SOA

  86400

• DEFAULT_TTL_NS

  120

• DEFAULT_TTL_MX

  60

• DEFAULT_TTL_OTHER

  60

API Configuration

• ADMIN_API_KEY

  verycloud

Date and Time Configuration

• DATEFORMAT

  yyyy-mm-dd

• TIMEZONE_DEFAULT

  Asia/Shanghai

Save Changes

配置New Servers选项卡

Add NewServer

Server Details

• Name Server FQDN *

  dns-manager.od.com
  注意：这里一定要填config-bind.php里对应$config["api_server_name"]项配置的值

• Description

  dns server for od.com

  Server Type

• Server Type

  API (supports Bind)

• API Authentication Key *

  verycloud

  Server Domain Settings

  必须勾选以下三项
• Nameserver Group *

  default – Default Nameserver Group

• Primary Nameserver *

  Make this server the primary one used for DNS SOA records.

• Use as NS Record *

  Adds this name server to all domains as a public NS record.

Save Changes

保存后View Name Servers选项卡下，Logging Status应变绿且成为status_synced，如一直不变绿，需要进行排错，不要继续往下做了。

配置Domain/Zones选项卡

添加Domain/Zone

两种方式

• 手动添加域
• 自动导入域

Add Domain（手动添加）

Domain Details

• Domain Type *

  Standard Domain
  Reverse Domain (IPv4)
  Reverse Domain (IPv6)
  根据实际情况选择，这里选择Standard Domain（正解域）

• Domain Name *

  od.com

• Description

  od.com domain

Domain Server Groups

注意：一定要勾选域服务器组

default – Default Nameserver Group

Start of Authority Record

• Email Administrator Address *

  Email Administrator Address *

• Domain Serial *

  2018121601

• Refresh Timer *

  21600

• Refresh Retry Timeout *

  3600

• Expiry Timer *

  604800

• Default Record TTL *

  60
  注意：这里配置SOA记录最后一个参数值没有按套路出牌，配置的并不是否定应答超时时间（NegativeAnswerTTL），而是默认资源记录的过期时间

Save Changes

Import Domain（自动导入）

• Import Source

  Bind 8/9 Compatible Zonefile

• Zone File

  选择文件host.com.txt

导入一个正解域

upload，选择文件

附1：host.com.txt

复制host.com.txt

1 2 3 4 5 6 7 8 9 10 11 12 13

$ORIGIN . $TTL 600 ; 10 minutes host.com IN SOA dns-manager.od.com. 87527941.qq.com. ( 2019013106 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) $ORIGIN host.com. $TTL 60 ; 1 minute HDSS7-11 A 10.4.7.11 HDSS7-12 A 10.4.7.12

注意：这里可以不用给NS记录和对应的A记录了，会默认生成

Save Changes

点保存进入下一个配置页面

Domain Details

这里可以配置域的信息和描述，我们这里先配一个Standard Domain（正解域）

Start of Authority Record

这里注意SOA记录的最后一个选项Default Record TTL *

Domain Records

检查一下和导入文件里的记录是否一致

Save Changes

先点一次保存

Domain Details

检查一遍域信息和描述

Domain Server Groups

注意：这里一定要勾选服务器组（上个页面没有，这里新出来的选项）

Start of Authority Record

检查一遍SOA记录

Save Changes

最后点一下保存，导入成功

导入一个反解域

upload，选择文件

附2：7.4.10.in-addr.arpa.txt

复制7.4.10.in-addr.arpa.txt

1 2 3 4 5 6 7 8 9 10 11 12

$TTL 600 ; 10 minutes @ IN SOA dns-manager.od.com. 87527941.qq.com. ( 2018121603 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) $ORIGIN 7.4.10.in-addr.arpa. $TTL 60 ; 1 minute 11 PTR HDSS7-11.host.com. 12 PTR HDSS7-12.host.com.

注意：这里可以不用给NS记录和对应的A记录了，会默认生成

Save Changes

点保存进入下一个配置页面

Domain Details

注意：

• Domain Type *应为Reverse Domain (IPv4)
• IPv4 Network Address *应为10.4.7.0/24

Start of Authority Record

配置SOA记录

Domain Records

检查一下和导入文件里的记录是否一致

Save Changes

先点一次保存

Domain Details

检查一遍域信息和描述

Domain Server Groups

注意：这里一定要勾选服务器组（上个页面没有，这里新出来的选项）

Start of Authority Record

检查一遍SOA记录

Save Changes

最后点一下保存，导入成功

在对应的Zone里操作资源记录（增、删、改）

View Domains选项卡

details 按钮

维护domain的基本配置，略

delete 按钮

删除domain，略

domain record(od.com)

配置页面

• Domain Details

  Domain od.com selected for adjustment

• Nameserver Configuration

  这里是配置NS记录的配置区，默认会生成一条

Type	TTL	Name/Origin	Content	-
NS	120	od.com	dns-manager.od.com	-

• Mailserver Configuration

  略，暂不配置MX记录

• Host Records Configuration

  这里是配置重点，A记录、CNAME记录、TXT记录等都在这个里配置
  这里增加两条A记录解析，增加一条CNAME解析

Type	TTL	Name	Content	ReversePTR	-
A	60	dns-manager	10.4.7.11	no	delete
A	60	www	10.4.7.11	no	delete
CNAME	60	eshop	www.od.com	no	delete

Save Changes

domain record(host.com)

配置页面

• Domain Details

  Domain host.com selected for adjustment

• Nameserver Configuration

  这里是配置NS记录的配置区，默认会生成一条

Type	TTL	Name/Origin	Content	-
NS	120	host.com	dns-manager.od.com	-

• Mailserver Configuration

  略，暂不配置MX记录

• Host Records Configuration

  这里是配置重点，A记录、CNAME记录、TXT记录等都在这个里配置
  因为是从文件导入的域，默认会有记录

Type	TTL	Name	Content	ReversePTR	-
A	60	HDSS7-11	10.4.7.11	√	delete
A	60	HDSS7-12	10.4.7.12	√	delete

Save Changes

domain record(7.4.10.in-addr.arpa)

配置页面

• Domain Details

  Domain 7.4.10.in-addr.arpa selected for adjustment

• Nameserver Configuration

  这里是配置NS记录的配置区，默认会生成一条

Type	TTL	Name/Origin	Content	-
NS	120	7.4.10.in-addr.arpa	dns-manager.od.com	-

• Mailserver Configuration

  略，暂不配置MX记录

• Host Records Configuration

  这里是配置重点，A记录、CNAME记录、TXT记录等都在这个里配置
  因为是从文件导入的域，默认会有记录

Type	TTL	Name	Content	-
PTR	60	11	HDSS7-11.host.com	delete
PTR	60	12	HDSS7-12.host.com	delete

Save Changes

返回Name Servers选项卡

查看页面DNS服务器状态

• Logging Status

  status_synced

• Zonefile Status

  status_synced

全部变绿且为status_synced即为正常

查看服务器上配置文件（都是由namedmanager服务自动生成的）

named.namedmanager.conf

复制/etc/named.namedmanager.conf

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

// // NamedManager Configuration // // This file is automatically generated any manual changes will be lost. // zone "od.com" IN { type master; file "od.com.zone"; allow-update { none; }; }; zone "host.com" IN { type master; file "host.com.zone"; allow-update { none; }; }; zone "7.4.10.in-addr.arpa" IN { type master; file "7.4.10.in-addr.arpa.zone"; allow-update { none; }; };

这里生成了三个zone，两个正解域，一个反解域，依次检查三个域的区域数据库文件：

od.com.zone

复制/var/named/od.com.zone

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

$ORIGIN od.com. $TTL 60 @ IN SOA dns-manager.od.com. 87527941.qq.com. ( 2018121610 ; serial 21600 ; refresh 3600 ; retry 604800 ; expiry 60 ; minimum ttl ) ; Nameservers od.com. 120 IN NS dns-manager.od.com. ; Mailservers ; Reverse DNS Records (PTR) ; CNAME ; HOST RECORDS dns-manager 60 IN A 10.4.7.11 www 60 IN A 10.4.7.11 eshop 60 IN CNAME www.od.com.

host.com.zone

复制/var/named/host.com.zone

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

$ORIGIN host.com. $TTL 60 @ IN SOA dns-manager.od.com. 87527941.qq.com. ( 2018121604 ; serial 10800 ; refresh 900 ; retry 604800 ; expiry 60 ; minimum ttl ) ; Nameservers host.com. 120 IN NS dns-manager.od.com. ; Mailservers ; Reverse DNS Records (PTR) ; CNAME ; HOST RECORDS HDSS7-11 60 IN A 10.4.7.11 HDSS7-12 60 IN A 10.4.7.12

7.4.10.in-addr.arpa.zone

复制/var/named/7.4.10.in-addr.arpa.zone

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

$ORIGIN 7.4.10.in-addr.arpa. $TTL 60 @ IN SOA dns-manager.od.com. 87527941.qq.com. ( 2018121603 ; serial 10800 ; refresh 900 ; retry 604800 ; expiry 60 ; minimum ttl ) ; Nameservers 7.4.10.in-addr.arpa. 120 IN NS dns-manager.od.com. ; Mailservers ; Reverse DNS Records (PTR) 11 60 IN PTR HDSS7-11.host.com. 12 60 IN PTR HDSS7-12.host.com. ; CNAME ; HOST RECORDS

检查资源记录解析是否生效

复制

1 2 3 4 5 6 7 8

# dig -t A www.od.com @10.4.7.11 +short 10.4.7.11 #dig -t A HDSS7-12.host.com @10.4.7.11 +short 10.4.7.12 #dig -x 10.4.7.11 @10.4.7.11 +short HDSS7-11.host.com.

验证页面增、删、改是否均生效

注意：

• 增、删、改资源记录时，对应域的SOA记录的serial序列号会自动滚动，非常方便
• 这里在页面上操作资源记录，会先写mysql，再由php脚本定期刷到磁盘文件上，所以大概需要1分钟的时间生效
• 在维护主机域时，添加正解记录，并勾选后面的reverse选项，将同时生成一条反解记录，简化了操作
• 由于服务器上的区域数据库文件是由php进程定期更新的（根据mysql数据库里的数据），所以手动在服务器上修改资源记录是无法生效的，应该严格禁止

配置DNS主辅同步

略

配置客户端的DNS服务器

复制/etc/resolv.conf

1 2 3 4

# Generated by NetworkManager search od.com host.com nameserver 10.4.7.11 nameserver 10.4.7.12

把所有客户端绑定的临时hosts删除

复制/etc/hosts

1	#10.4.7.11 dns-manager.od.com

配置客户端DNS服务器的小技巧

用户系统及操作审计功能

用户系统

可以创建不同的管理员用户

User Management选项卡

该页面下可以查看所有的系统用户，并可以进行用户管理

Create a new User Account 增加用户

User Details

• Username *

  wangdao

• Real Name *

  StanleyWang

• Contact Email *

  stanley.wang.m@qq.com

User Password

• password *

  123456

• password_confirm *

  123456

Save Changes

User Permissions 用户权限

• disabled

  勾上，用户不生效
  不勾，用户生效
  这里不勾

• admin（超级管理员）

  勾上，可以创建用户管理用户权限
  不勾，不可以创建用户管理用户权限
  这里不勾

• namedadmins（管理员）

  勾上，dns管理员，可以管理zone和资源记录
  不勾，不可以管理zone和资源记录
  这里勾选

Save Changes

delete

删除用户，略

details

这里可以配置用户的基本信息

User Password

超级管理员可以帮助用户修改密码

User Options

• option_shrink_tableoptions

  Automatically hide the options table when using defaults
  默认勾选，高级查询框显示与否

• option_debug

  Enable debug logging - this will impact performance a bit but will show a full trail of all functions and SQL queries made
  默认不勾，勾选上可以在页面显示debug日志，建议部署时使用，投产后关闭

• option_concurrent_logins

  Permit this user to make multiple simultaneous logins
  默认不勾，允许该用户在多点同时登录，应该严格禁止（审计）

使用wangdao用户登录

可以进行DNS服务管理，但无法管理用户

审计

使用wangdao用户在页面增加一条资源记录

操作过程略

Changelog选项卡

可以看到所有用户的操作记录，实现审计功能，做到操作可溯

Tips

• 生产上强烈建议新生成一个超级管理员用户并将setup用户删除！
• 超级管理员用户应只有一个且不要轻易外泄，可以创建多个管理员账户。（一般根据业务而定，每个管理员负责一个子域）
• 管理员账户创建好后，应由各人自行登录修改密码。
• 超级管理员用户密码的复杂度要足够高，定期更换超级管理员用户密码。

原文地址：https://blog.stanley.wang/page/2/