码蚁

Coding changes lives

Installing and configuring PowerDNS and PowerAdmin on CentOS 7, integrated with Windows Active Directory

Posted at — Dec 1, 2017

PowerDNS is a DNS server that runs on many Linux/Unix derivatives. It can be configured with different backends, including BIND-style zone files, relational databases, or load-balancing/failover algorithms. It can also be deployed as a DNS recursor that runs as a separate process on the server.

This article shows how to install and configure PowerDNS with MariaDB as its backend on CentOS 7, together with PowerAdmin, its user-friendly web management tool. The latest stable release in the official PowerDNS Authoritative Server repository is 4.0.5, and that is the version installed here.

Part 1: Install the PowerDNS Authoritative Server with the MariaDB backend

  1. Enable the EPEL repository

    $ yum install epel-release.noarch

  2. Install the MariaDB server

    $ yum install mariadb-server mariadb

  3. Enable MariaDB so it starts at boot, then start it

    $ systemctl enable mariadb.service

    $ systemctl start mariadb.service

  4. Harden MariaDB by setting the root password

    $ mysql_secure_installation
  1. Install PowerDNS

    $ yum install yum-plugin-priorities &&
      curl -o /etc/yum.repos.d/powerdns-auth-40.repo https://repo.powerdns.com/repo-files/centos-auth-40.repo &&
      yum install pdns pdns-backend-mysql
    
  2. Create the PowerDNS database and user

    The password in the original post did not survive extraction; '<powerdns-db-password>' below is a placeholder. Choose a strong password and use the same value for gmysql-password in pdns.conf. Since the backend connects to 127.0.0.1, granting to 'powerdns'@'localhost' instead of '%' would limit where this account can log in from.

    $ mysql -u root -p
    MariaDB [(none)]> CREATE DATABASE powerdns;
    
    MariaDB [(none)]> GRANT ALL ON powerdns.* TO 'powerdns'@'%' IDENTIFIED BY '<powerdns-db-password>';
    
    MariaDB [(none)]> FLUSH PRIVILEGES;
    
    MariaDB [(none)]> USE powerdns;
    
    CREATE TABLE domains (
      id                    INT AUTO_INCREMENT,
      name                  VARCHAR(255) NOT NULL,
      master                VARCHAR(128) DEFAULT NULL,
      last_check            INT DEFAULT NULL,
      type                  VARCHAR(6) NOT NULL,
      notified_serial       INT DEFAULT NULL,
      account               VARCHAR(40) DEFAULT NULL,
      PRIMARY KEY (id)
    ) Engine=InnoDB;
    
    CREATE UNIQUE INDEX name_index ON domains(name);
    
    CREATE TABLE records (
      id                    BIGINT AUTO_INCREMENT,
      domain_id             INT DEFAULT NULL,
      name                  VARCHAR(255) DEFAULT NULL,
      type                  VARCHAR(10) DEFAULT NULL,
      content               VARCHAR(64000) DEFAULT NULL,
      ttl                   INT DEFAULT NULL,
      prio                  INT DEFAULT NULL,
      change_date           INT DEFAULT NULL,
      disabled              TINYINT(1) DEFAULT 0,
      ordername             VARCHAR(255) BINARY DEFAULT NULL,
      auth                  TINYINT(1) DEFAULT 1,
      PRIMARY KEY (id)
    ) Engine=InnoDB;
    
    CREATE INDEX nametype_index ON records(name,type);
    CREATE INDEX domain_id ON records(domain_id);
    CREATE INDEX recordorder ON records (domain_id, ordername);
    
    CREATE TABLE supermasters (
      ip                    VARCHAR(64) NOT NULL,
      nameserver            VARCHAR(255) NOT NULL,
      account               VARCHAR(40) NOT NULL,
      PRIMARY KEY (ip, nameserver)
    ) Engine=InnoDB;
    
    CREATE TABLE comments (
      id                    INT AUTO_INCREMENT,
      domain_id             INT NOT NULL,
      name                  VARCHAR(255) NOT NULL,
      type                  VARCHAR(10) NOT NULL,
      modified_at           INT NOT NULL,
      account               VARCHAR(40) NOT NULL,
      comment               VARCHAR(64000) NOT NULL,
      PRIMARY KEY (id)
    ) Engine=InnoDB;
    
    CREATE INDEX comments_domain_id_idx ON comments (domain_id);
    CREATE INDEX comments_name_type_idx ON comments (name, type);
    CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
    
    CREATE TABLE domainmetadata (
      id                    INT AUTO_INCREMENT,
      domain_id             INT NOT NULL,
      kind                  VARCHAR(32),
      content               TEXT,
      PRIMARY KEY (id)
    ) Engine=InnoDB;
    
    CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);
    
    CREATE TABLE cryptokeys (
      id                    INT AUTO_INCREMENT,
      domain_id             INT NOT NULL,
      flags                 INT NOT NULL,
      active                BOOL,
      content               TEXT,
      PRIMARY KEY(id)
    ) Engine=InnoDB;
    
    CREATE INDEX domainidindex ON cryptokeys(domain_id);
    
    CREATE TABLE tsigkeys (
      id                    INT AUTO_INCREMENT,
      name                  VARCHAR(255),
      algorithm             VARCHAR(50),
      secret                VARCHAR(255),
      PRIMARY KEY (id)
    ) Engine=InnoDB;
    
    CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
    
    MariaDB [powerdns]> quit;
    
  3. Configure PowerDNS to use MariaDB as its backend

    Open the PowerDNS configuration file

    $ vim /etc/pdns/pdns.conf

    Find the launch= setting and set the following (the password is shown as a placeholder; use the one given to the powerdns user when the database was created):

    launch=gmysql
    gmysql-host=127.0.0.1
    gmysql-user=powerdns
    gmysql-dbname=powerdns
    gmysql-password=<powerdns-db-password>
    

    If this server also has to resolve public domain names, the following lines could be added to the configuration file. This is not recommended: recursion inside the authoritative server suffers from a known timeout bug, and the recursor setting was removed from the authoritative server in later 4.x releases anyway. Run a dedicated recursor, pdns-recursor, instead; see Part 3.

    recursor=119.29.29.29
    recursive-cache-ttl=3600
    
  4. Start PowerDNS and add it to the services started at boot

    First run it in the foreground to check that it starts without errors

    [root@host ~]# /usr/sbin/pdns_server --daemon=no --guardian=no --loglevel=9
    Nov 27 11:26:59 Reading random entropy from '/dev/urandom'
    Nov 27 11:26:59 Loading '/usr/lib64/pdns/libgmysqlbackend.so'
    Nov 27 11:26:59 [gmysqlbackend] This is the gmysql backend version 4.0.4 (Jun 22 2017 20:10:46) reporting
    Nov 27 11:26:59 This is a standalone pdns
    Nov 27 11:26:59 Listening on controlsocket in '/var/run/pdns.controlsocket'
    Nov 27 11:26:59 UDP server bound to 0.0.0.0:53
    Nov 27 11:26:59 UDPv6 server bound to [::]:53
    Nov 27 11:26:59 TCP server bound to 0.0.0.0:53
    Nov 27 11:26:59 TCPv6 server bound to [::]:53
    Nov 27 11:26:59 PowerDNS Authoritative Server 4.0.4 (C) 2001-2016 PowerDNS.COM BV
    Nov 27 11:26:59 Using 64-bits mode. Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-11) on Jun 22 2017 20:33:52 by [email protected]
    Nov 27 11:26:59 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
    Nov 27 11:26:59 Set effective group id to 995
    Nov 27 11:26:59 Set effective user id to 997
    Nov 27 11:26:59 Doing stub resolving, using resolvers: 119.29.29.29
    Nov 27 11:27:00 Question got answered by 119.29.29.29
    Nov 27 11:27:00 Polled security status of version 4.0.4 at startup, no known issues reported: OK
    Nov 27 11:27:00 Creating backend connection for TCP
    Nov 27 11:27:00 gmysql Connection successful. Connected to database 'powerdns' on '127.0.0.1'.
    Nov 27 11:27:00 About to create 3 backend threads for UDP
    Nov 27 11:27:00 gmysql Connection successful. Connected to database 'powerdns' on '127.0.0.1'.
    Nov 27 11:27:00 gmysql Connection successful. Connected to database 'powerdns' on '127.0.0.1'.
    Nov 27 11:27:00 gmysql Connection successful. Connected to database 'powerdns' on '127.0.0.1'.
    Nov 27 11:27:00 Done launching threads, ready to distribute questions
    

    For more information about PowerDNS, see the official manual.

    Start PowerDNS and enable it at boot

    $ systemctl start pdns
    $ systemctl enable pdns
    

Part 2: Install PowerAdmin to manage PowerDNS

  1. Enable the PowerDNS API

    Edit the PowerDNS configuration file /etc/pdns/pdns.conf

    PowerDNS 4.0.0 and later:

    api=yes
    api-key=your-powerdns-api-key
    webserver=yes
    

    Versions before PowerDNS 4.0.0:

    experimental-json-interface=yes
    experimental-api-key=your-powerdns-api-key
    webserver=yes
    
  2. Create the database PowerDNS-Admin needs

    The password in the original post did not survive extraction; '<powerdnsadmin-db-password>' is a placeholder for it and must match SQLA_DB_PASSWORD in config.py.

    $ mysql -u root -p
    MariaDB [(none)]> CREATE DATABASE powerdnsadmin;
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON powerdnsadmin.* TO 'powerdnsadmin'@'%' IDENTIFIED BY '<powerdnsadmin-db-password>';
    
  3. Install the dependencies

    Install pip

    curl https://bootstrap.pypa.io/get-pip.py | python

    Install the Python build environment

    yum install python-devel mysql-devel gcc

    Install the OpenLDAP libraries

    yum install openldap openldap-devel

    Install virtualenv and create a virtual environment

    pip install virtualenv

    virtualenv PowerDNS-Admin

  4. Download and configure PowerDNS-Admin

    Activate the virtual environment

    source ./PowerDNS-Admin/bin/activate

    Download the project files

    wget https://github.com/ngoduykhanh/PowerDNS-Admin/archive/master.zip && unzip master

    Enter the project directory and install the third-party Python dependencies

    cd PowerDNS-Admin-master && pip install -r requirements.txt

    Install the MySQL-python library

    pip install MySQL-python

    Edit the configuration file

    $ cp config_template.py config.py
    $ vi config.py
    
    # Listen address and port
    BIND_ADDRESS = '0.0.0.0'
    PORT = 9393
    
    # MySQL settings (you'll need MySQL-python)
    SQLA_DB_USER = 'powerdnsadmin'
    SQLA_DB_PASSWORD = '<powerdnsadmin-db-password>'   # placeholder: the password granted to powerdnsadmin in MariaDB
    SQLA_DB_HOST = '127.0.0.1'
    SQLA_DB_NAME = 'powerdnsadmin'
    
    # POWERDNS CONFIG
    PDNS_STATS_URL = 'http://127.0.0.1:8081/'
    PDNS_API_KEY = 'your-powerdns-api-key'   # must equal api-key in /etc/pdns/pdns.conf
    PDNS_VERSION = '4.0.4'
    

    Create the database tables

    ./create_db.py

    Create a systemd service

    $ vi /etc/systemd/system/powerdns-admin.service 
    [Unit]
    Description=PowerDNS-Admin
    After=network-online.target
    
    [Service]
    Type=simple
    ExecStart=/app/python/PowerDNS-Admin/bin/python /app/python/PowerDNS-Admin/PowerDNS-Admin-master/run.py --serve-in-foreground
    
    [Install]
    WantedBy=multi-user.target
    
    systemctl daemon-reload
    systemctl start powerdns-admin.service 
    systemctl enable powerdns-admin.service 
    

Part 3: Install a recursor to resolve public names and forward the private zone to the authoritative server

  1. Change the PowerDNS authoritative server's listening port to 54

    $ vim /etc/pdns/pdns.conf
    local-port=54
    
  2. Install pdns-recursor

    $ yum install epel-release yum-plugin-priorities && curl -o /etc/yum.repos.d/powerdns-rec-40.repo https://repo.powerdns.com/repo-files/centos-rec-40.repo && yum install pdns-recursor
    
  3. Forward the private zone to the authoritative server

    $ vi /etc/pdns-recursor/recursor.conf
    forward-zones=xueanquan.cc=127.0.0.1:54
    
  4. Start the recursor and enable it at boot

    $ systemctl start pdns-recursor
    $ systemctl enable pdns-recursor
    

Part 4: Adjust the components to support Active Directory Domain Services

  1. Allow dynamic DNS updates in the PowerDNS configuration

    allow-dnsupdate-from=172.16.0.0/16
    dnsupdate=yes
    
  2. Add or modify the DNS records (as shown in the PowerDNS-Admin record table: name, type, status, TTL, data)

    @	SOA	Active	3600	ns.adtest.com. ns.adtest.com. 2017112802 10800 3600 604800 3600
    _kerberos._tcp	SRV	Active	3600	0 0 88 ad.adtest.com.
    _kerberos._tcp.dc._msdcs	SRV	Active	3600	0 0 88 ad.adtest.com.
    _ldap._tcp	SRV	Active	3600	0 0 389 ad.adtest.com.
    _ldap._tcp.dc._msdcs	SRV	Active	3600	0 0 389 ad.adtest.com.
    ad	A	Active	3600	192.168.50.207
    ns	A	Active	3600	192.168.50.237
    
  3. Let PowerDNS-Admin create records on demand via DynDNS updates

    In the domain panel, open the Admin settings of the domain concerned and, under DynDNS 2 Settings, tick "Allow on-demand creation of records via DynDNS updates?"
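As an added example that is not part of the original post, this Python check takes the rows of the record table above and verifies what a domain join would trip over: each SRV locator record the guide lists is present with the expected port, and every in-zone SRV target and the SOA primary have an A record. The rows are constructed from the table (status column omitted).

```python
# Constructed sample: the record rows from the table above in PowerDNS-Admin's
# (name, type, TTL, data) columns; '@' is the zone apex, status column dropped.
ZONE = "adtest.com"
ROWS = [
    ("@", "SOA", 3600, "ns.adtest.com. ns.adtest.com. 2017112802 10800 3600 604800 3600"),
    ("_kerberos._tcp", "SRV", 3600, "0 0 88 ad.adtest.com."),
    ("_kerberos._tcp.dc._msdcs", "SRV", 3600, "0 0 88 ad.adtest.com."),
    ("_ldap._tcp", "SRV", 3600, "0 0 389 ad.adtest.com."),
    ("_ldap._tcp.dc._msdcs", "SRV", 3600, "0 0 389 ad.adtest.com."),
    ("ad", "A", 3600, "192.168.50.207"),
    ("ns", "A", 3600, "192.168.50.237"),
]
# The locator SRV records the guide adds, with the port each must advertise.
REQUIRED_SRV = {"_kerberos._tcp": 88, "_kerberos._tcp.dc._msdcs": 88,
                "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389}

def normalize(name, zone):
    """Absolute name without the trailing dot; relative labels get the zone appended."""
    if name == "@":
        return zone
    return name[:-1] if name.endswith(".") else f"{name}.{zone}"

def check_ad_zone(zone, rows):
    """Return the problems that would stop clients from locating the domain controller."""
    problems = []
    a_names = {normalize(n, zone) for n, t, _, _ in rows if t == "A"}
    soa = [d for n, t, _, d in rows if t == "SOA" and n == "@"]
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA at the apex")
    else:
        primary = normalize(soa[0].split()[0], zone)
        if primary.endswith(zone) and primary not in a_names:
            problems.append(f"SOA primary {primary} has no A record in the zone")
    srv = {n: d for n, t, _, d in rows if t == "SRV"}
    for label, port in REQUIRED_SRV.items():
        if label not in srv:
            problems.append(f"missing SRV {label}")
            continue
        _prio, _weight, srv_port, target = srv[label].split()
        target = normalize(target, zone)
        if int(srv_port) != port:
            problems.append(f"{label} advertises port {srv_port}, expected {port}")
        if target.endswith(zone) and target not in a_names:  # in-zone target needs an A record
            problems.append(f"{label} target {target} has no A record in the zone")
    return problems
```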
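The settings from Parts 1 to 4 interact: the API key from Part 2, the dynamic-update source range from Part 4, and the port the Part 3 recursor forwards to must match the authoritative local-port. As an added example that is not part of the original post, this Python audit parses both files in PowerDNS's key=value format and flags the combinations a reviewer would question; both sample configs are constructed from the guide's values.

```python
import ipaddress

# Constructed sample of /etc/pdns/pdns.conf with the settings this guide adds in Parts 1 to 4.
PDNS_CONF = """
launch=gmysql
local-port=54
api=yes
api-key=your-powerdns-api-key
webserver=yes
dnsupdate=yes
allow-dnsupdate-from=172.16.0.0/16
"""
# Constructed sample of /etc/pdns-recursor/recursor.conf from Part 3.
RECURSOR_CONF = "forward-zones=xueanquan.cc=127.0.0.1:54\n"

def parse_conf(text):
    """PowerDNS config files are key=value lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def target_port(target, default="53"):
    """Port of a forward-zones target such as '127.0.0.1:54' or '[::1]:54'."""
    if target.startswith("["):
        _, _, rest = target.partition("]")
        return rest[1:] if rest.startswith(":") else default
    return target.rsplit(":", 1)[1] if target.count(":") == 1 else default

def audit(pdns_text, recursor_text):
    """Return the findings a reviewer would raise on these two files."""
    pdns, rec = parse_conf(pdns_text), parse_conf(recursor_text)
    findings = []
    if pdns.get("api") == "yes" and pdns.get("api-key", "") in {"", "your-powerdns-api-key"}:
        findings.append("api=yes with a placeholder api-key")
    if "recursor" in pdns:  # Part 1 advises against recursing in the authoritative server
        findings.append("recursor= set: use pdns-recursor instead")
    if pdns.get("dnsupdate") == "yes":
        for net in filter(None, pdns.get("allow-dnsupdate-from", "").split(",")):
            if ipaddress.ip_network(net.strip().lstrip("!"), strict=False).prefixlen == 0:  # /0 = anyone
                findings.append(f"allow-dnsupdate-from allows every source: {net}")
    local_port = pdns.get("local-port", "53")  # Part 3: forwarded zones must reach this port
    for spec in filter(None, rec.get("forward-zones", "").split(",")):
        zone, target = spec.split("=", 1)
        if target_port(target) != local_port:
            findings.append(f"forward-zones {zone} -> port {target_port(target)}, local-port is {local_port}")
    return findings
```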

Part 5: Install an Active Directory domain controller on Windows Server

  1. Add the Active Directory role by ticking Active Directory Domain Services

  2. Tick the .NET Framework 3.5 feature

  3. Specify an alternate source path, enter X:\sources\sxs, then start the installation

  4. When the installation finishes, deploy Active Directory: choose "Add a new forest" and enter the desired domain name, ending in .com

  5. If a third-party DNS server is used, untick the "Domain Name System (DNS) server" option, then enter the Directory Services Restore Mode password

  6. Run the prerequisites check; if there are no warnings other than the first one shown in the screenshot, click Install. After the reboot the primary domain controller is deployed

Part 6: Install an additional Active Directory domain controller on Windows Server

  1. Install the role exactly as for the first controller, then deploy the additional controller: choose "Add a domain controller to an existing domain", enter the domain and supply a domain account with administrator rights

  2. Accept the defaults until Additional Options, where you choose to replicate from the primary domain controller

  3. Run the prerequisites check; if there are no warnings other than the first one shown in the screenshot, click Install. After the reboot the additional domain controller is deployed
