Open-source DNS service: PowerDNS

PowerDNS

Introduction

PowerDNS is an open-source DNS product from the Dutch company of the same name. It ships as three separate services: PowerDNS Authoritative Server, PowerDNS Recursor, and dnsdist.
The Authoritative Server (pdns) only answers for the zones it hosts and does no recursion or forwarding; if clients need names outside those zones resolved, or queries forwarded to an upstream resolver, deploy the Recursor (pdns-recursor) in front of it. dnsdist is a DNS load balancer that splits and distributes traffic across backends.

Official site: https://www.powerdns.com/

Versions

Latest releases as of 5 May 2020:
Release of PowerDNS Authoritative Server 4.3.0
Release of PowerDNS Recursor 4.3.0
Release of dnsdist 1.4.0

# PowerDNS Authoritative Server - version 4.3.X
$ yum -y install epel-release yum-plugin-priorities
$ curl -o /etc/yum.repos.d/powerdns-auth-43.repo https://repo.powerdns.com/repo-files/centos-auth-43.repo
$ yum install pdns pdns-backend-mysql

# PowerDNS Recursor - version 4.3.X
$ yum -y install epel-release yum-plugin-priorities
$ curl -o /etc/yum.repos.d/powerdns-rec-43.repo https://repo.powerdns.com/repo-files/centos-rec-43.repo
$ yum install pdns-recursor

# dnsdist - version 1.4.X
$ yum -y install epel-release yum-plugin-priorities
$ curl -o /etc/yum.repos.d/powerdns-dnsdist-14.repo https://repo.powerdns.com/repo-files/centos-dnsdist-14.repo
$ yum install dnsdist

The installation below uses the default version in the EPEL repository, pdns 4.1, as its example.

Install the pdns components

Initial preparation (configuring yum repositories, firewall and SELinux handling, etc.) is omitted. The original setup disabled firewalld and SELinux; on anything other than a lab host, keep both enabled and open only 53/udp and 53/tcp to clients, leaving the API and web ports used below (5353, 8081, 8082, 9191) reachable from administrative hosts only.

$ yum -y install pdns pdns-recursor pdns-tools pdns-backend-mysql dnsdist mariadb-server
$ systemctl enable mariadb
$ systemctl start mariadb
$ mysql_secure_installation
$ mysql -uroot -p
create database pdns;
grant all on pdns.* to pdns@'localhost' identified by 'redhat';
flush privileges;
select User,Password,Host from mysql.user;

Initialize the SQL schema

Download the schema SQL file that matches your version:
https://doc.powerdns.com/authoritative/guides/basic-database.html
https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql
https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/gmysqlbackend/schema.mysql.sql

Import the SQL file into MariaDB

mysql -updns -p pdns < schema.mysql.sql

Then run the following SQL statements to add foreign-key constraints, so that deleting a domain cascades to its records, comments, metadata and DNSSEC keys instead of leaving orphaned rows:

ALTER TABLE records ADD CONSTRAINT `records_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
ALTER TABLE comments ADD CONSTRAINT `comments_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
ALTER TABLE domainmetadata ADD CONSTRAINT `domainmetadata_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
ALTER TABLE cryptokeys ADD CONSTRAINT `cryptokeys_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;

Edit the configuration files

Configure pdns (settings reference: https://doc.powerdns.com/authoritative/settings.html)

Two caveats on the file below. First, api-key=redhat together with webserver-address=0.0.0.0 and webserver-allow-from=0.0.0.0/0 lets any host that can reach port 8081 read and rewrite every zone through the REST API; outside a lab, use a long random key and restrict the address and allow-from to the host running PowerDNS-Admin. Second, when pdns is started through systemd, the packaged unit passes --daemon=no --guardian=no on the command line, which overrides daemon=yes and guardian=yes in the file.

$ cp /etc/pdns/pdns.conf{,.bak}
$ vim /etc/pdns/pdns.conf
api=yes
api-key=redhat
api-logfile=/var/log/pdns.log
config-dir=/etc/pdns
daemon=yes
guardian=yes
default-ttl=300
launch=gmysql
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=pdns
gmysql-password=redhat
local-address=0.0.0.0
local-port=5353
log-timestamp=yes
loglevel=4
setgid=pdns
setuid=pdns
version-string=anonymous
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-port=8081
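Since both the pdns.conf above and the recursor.conf that follows ship with api-key=redhat and webserver-allow-from=0.0.0.0/0, here is an added example (not from the original article or from the PowerDNS project) that audits a pdns.conf or recursor.conf for those settings and rewrites them to a safer default. It assumes the plain name=value layout shown in this article; the 20-character minimum for the key is this example's own threshold, not a PowerDNS rule, and the sample configuration it audits is constructed from the settings above.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the PowerDNS project):
# audit a pdns.conf / recursor.conf for settings that expose the REST API,
# then rewrite them. Assumes "name=value" lines with '#' comments; the
# 20-character api-key minimum is this example's own threshold.

# pdns_setting FILE NAME: value of the last active NAME=value line ('' if unset)
pdns_setting() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
        | grep "^$2[[:space:]]*=" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# audit_pdns_conf FILE: print one finding per line; exit 0 only if none
audit_pdns_conf() {
    local conf="$1" n=0 api key webserver allow addr
    api=$(pdns_setting "$conf" api)
    key=$(pdns_setting "$conf" api-key)
    webserver=$(pdns_setting "$conf" webserver)
    allow=$(pdns_setting "$conf" webserver-allow-from | tr -d '[:space:]')
    addr=$(pdns_setting "$conf" webserver-address)

    if [ "$api" = "yes" ] && [ -z "$key" ]; then
        echo "api=yes but no api-key is set"; n=$((n + 1))
    fi
    if [ -n "$key" ] && [ "${#key}" -lt 20 ]; then
        echo "api-key is only ${#key} characters long"; n=$((n + 1))
    fi
    # On the Authoritative Server api=yes also starts the HTTP listener,
    # so check the listener settings whenever either switch is on.
    if [ "$webserver" = "yes" ] || [ "$api" = "yes" ]; then
        case ",$allow," in
            *,0.0.0.0/0,*|*,::/0,*)
                echo "webserver-allow-from=$allow permits any source"; n=$((n + 1)) ;;
        esac
        case "$addr" in
            0.0.0.0|::)
                echo "webserver-address=$addr listens on every interface"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# harden_pdns_conf FILE: replace api-key with a random 48-hex-char key and pin
# the webserver to loopback; prints the new key so it can be pasted into
# PowerDNS-Admin. Settings that are absent from the file are not added.
harden_pdns_conf() {
    local conf="$1" newkey
    newkey=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    sed -e "s|^[[:space:]]*api-key[[:space:]]*=.*|api-key=$newkey|" \
        -e 's|^[[:space:]]*webserver-address[[:space:]]*=.*|webserver-address=127.0.0.1|' \
        -e 's|^[[:space:]]*webserver-allow-from[[:space:]]*=.*|webserver-allow-from=127.0.0.1/32,::1/128|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$newkey"
}

# Demo on a constructed copy of the article's pdns.conf API settings
demo=$(mktemp)
cat > "$demo" <<'EOF'
api=yes
api-key=redhat
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-port=8081
EOF
echo "before:"; audit_pdns_conf "$demo" || true
echo "new api-key: $(harden_pdns_conf "$demo")"
echo "after:"; if audit_pdns_conf "$demo"; then echo "no findings"; fi
rm -f "$demo"
```

Run it as `bash audit.sh` for the built-in demo, or call `audit_pdns_conf /etc/pdns/pdns.conf` and `audit_pdns_conf /etc/pdns-recursor/recursor.conf` after sourcing it. After `harden_pdns_conf` the key has to be updated in PowerDNS-Admin as well, and a PowerDNS-Admin host other than the DNS server needs its own address in webserver-allow-from instead of loopback.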

Configure pdns-recursor (settings reference: https://doc.powerdns.com/recursor/settings.html)

Notes on the file below: allow-from limits recursion to private address ranges, which is what you want for an internal resolver. forward-zones-recurse=.=223.5.5.5 forwards everything not listed in zone.conf to the public resolver 223.5.5.5 instead of recursing from the root servers, so the recursor acts as a forwarder. security-poll-suffix= (empty) turns off the periodic security-status poll, so the recursor will no longer warn in its log when its own version has a published advisory. The zone.conf entries carry no leading +, which makes them non-recursive forwards to the authoritative server on port 5353, as intended. As with pdns, api-key=redhat together with webserver-allow-from=0.0.0.0/0 exposes the recursor API on port 8082 to any host that can reach it.

$ cp /etc/pdns-recursor/recursor.conf{,.bak}
$ vim /etc/pdns-recursor/recursor.conf
allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
api-key=redhat
api-logfile=/var/log/pdns-recursor.log
config-dir=/etc/pdns-recursor
daemon=yes
forward-zones-file=/etc/pdns-recursor/zone.conf
forward-zones-recurse=.=223.5.5.5
local-address=0.0.0.0
local-port=53
log-timestamp=yes
loglevel=6
security-poll-suffix=
setgid=pdns-recursor
setuid=pdns-recursor
version-string=
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=0.0.0.0/0
webserver-port=8082

$ vim /etc/pdns-recursor/zone.conf
abc.com=127.0.0.1:5353
pda.abc=127.0.0.1:5353
pdb.abc=127.0.0.1:5353
pre.abc=127.0.0.1:5353
rec.abc=127.0.0.1:5353
uat.abc=127.0.0.1:5353
dev.abc=127.0.0.1:5353

Start the pdns services

$ systemctl enable pdns pdns-recursor
$ systemctl start pdns pdns-recursor

Set up PowerDNS-Admin

The version used below is PowerDNS-Admin-0.2.2.tar.gz

https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/Running-PowerDNS-Admin-on-Centos-7

Install Python 3 and Node.js. Note that the nodesource line below pipes a script fetched over the network straight into a root shell; download it to a file and read it first rather than trusting whatever the URL serves at install time.

$ yum -y install python3 python3-devel gcc mariadb-devel openldap-devel libxml2-devel xmlsec1-devel xmlsec1-openssl-devel libtool-ltdl-devel
$ curl -sL https://rpm.nodesource.com/setup_10.x | bash -
$ curl -sL https://dl.yarnpkg.com/rpm/yarn.repo -o /etc/yum.repos.d/yarn.repo
$ yum -y install nodejs yarn

Configure a PyPI mirror (the TUNA mirror; optional, useful from China)

$ mkdir ~/.pip
$ vim ~/.pip/pip.conf
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple
[install]
trusted-host=pypi.tuna.tsinghua.edu.cn
$ pip3 install --upgrade pip setuptools
$ pip3 list

Install the Python packages into a virtualenv

$ cd /data
$ git clone https://github.com/ngoduykhanh/PowerDNS-Admin.git /data/pdns-admin
$ python3 -m venv py3
$ source /data/py3/bin/activate
$ pip list
$ pip install --upgrade pip setuptools
$ cd /data/pdns-admin
$ pip install python-dotenv
$ pip install -r requirements.txt

Create the database

CREATE DATABASE pdnsadmin CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON pdnsadmin.* TO 'pdnsadmin'@'localhost' IDENTIFIED BY 'redhat';
FLUSH PRIVILEGES;

Update the database settings in the config file

$ cd /data/pdns-admin
$ vim powerdnsadmin/default_config.py
...
SQLA_DB_USER = 'pdnsadmin'
SQLA_DB_PASSWORD = 'redhat'
SQLA_DB_HOST = 'localhost'
SQLA_DB_NAME = 'pdnsadmin'
SQLALCHEMY_TRACK_MODIFICATIONS = True
...

Generate the database tables

export FLASK_APP=powerdnsadmin/__init__.py
flask db upgrade

Install all packages listed in package.json and build the static assets

yarn install --pure-lockfile
flask assets build

Start pdns-admin (quick test only; see the recommended method below)

source /data/py3/bin/activate
nohup python run.py &>/dev/null &

Recommended way to run it:
Running PowerDNS Admin with Systemd, Gunicorn and Nginx
https://github.com/ngoduykhanh/PowerDNS-Admin/wiki/Running-PowerDNS-Admin-with-Systemd,-Gunicorn--and--Nginx

Configure PowerDNS-Admin to manage pdns

Open the web UI in a browser on port 9191.
First create an admin user; the first account created gets administrator rights, and the OTP Token field can be left empty.
After logging in, configure the pdns API first (see the pdns configuration above):
PDNS API URL: http://127.0.0.1:8081/
PDNS API KEY: redhat
PDNS VERSION: 4.1.11
Then create an Account, which works like a user group and makes it easier to assign permissions.
After editing anything, click Apply Changes at the top right; no change takes effect until it is saved.
Create domains and host records.

Verify resolution

dig @127.0.0.1 -p 5353 www.abc.com  # query the authoritative pdns service directly
dig @127.0.0.1 www.abc.com  # query through pdns-recursor, which forwards abc.com to port 5353
dig @192.168.80.12 www.abc.com  # verify from another host (192.168.80.12 is the DNS server here)
dig @127.0.0.1 -p 5353 CHAOS TXT version.bind  # DNS version; returns "anonymous" because of version-string=anonymous
dig @127.0.0.1 CHAOS TXT version.bind  # the recursor's version-string is empty

You can also query the REST APIs to check service status: port 8081 is the pdns API and 8082 the pdns-recursor API. Both require the X-API-Key header set to the api-key from the respective configuration file.
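As an added example (not from the original article, PowerDNS or PowerDNS-Admin), the zone and host record created through the admin UI above can also be created directly against the Authoritative REST API on port 8081, which is the same API PowerDNS-Admin calls with the URL and key entered in its settings page. The server id localhost is the API default; abc.com, ns1.abc.com, www.abc.com and 192.168.80.20 are made-up sample values, and the script only contacts a live server when PDNS_API_RUN=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original article, PowerDNS or PowerDNS-Admin):
# create a zone and an A record through the Authoritative Server REST API,
# using the api-key and port 8081 from pdns.conf above. Assumptions: server
# id "localhost" (the API default); zone/host names and 192.168.80.20 are
# constructed sample data.

PDNS_API_URL="${PDNS_API_URL:-http://127.0.0.1:8081}"
PDNS_API_KEY="${PDNS_API_KEY:-redhat}"   # the weak key from pdns.conf; change it

# fqdn NAME: the API wants every name absolute, i.e. with a trailing dot
fqdn() { case "$1" in *.) printf '%s' "$1" ;; *) printf '%s.' "$1" ;; esac; }

# zone_payload ZONE NS: body for POST /api/v1/servers/localhost/zones.
# With "nameservers" given, the server generates the SOA and NS records itself.
zone_payload() {
    printf '{"name":"%s","kind":"Native","masters":[],"nameservers":["%s"]}' \
        "$(fqdn "$1")" "$(fqdn "$2")"
}

# rrset_payload NAME TYPE TTL CONTENT...: body for PATCH .../zones/ZONE.
# changetype REPLACE overwrites the whole RRset, so pass every content value.
rrset_payload() {
    local name type ttl records="" c
    name=$(fqdn "$1"); type="$2"; ttl="$3"; shift 3
    for c in "$@"; do
        records="${records:+$records,}{\"content\":\"$c\",\"disabled\":false}"
    done
    printf '{"rrsets":[{"name":"%s","type":"%s","ttl":%s,"changetype":"REPLACE","records":[%s]}]}' \
        "$name" "$type" "$ttl" "$records"
}

# pdns_api METHOD PATH [BODY]: one authenticated call; prints the HTTP status
pdns_api() {
    local method="$1" path="$2" body="${3:-}"
    if [ -n "$body" ]; then set -- --data "$body"; else set --; fi
    curl -s -o /dev/null -w '%{http_code}' -X "$method" \
        -H "X-API-Key: $PDNS_API_KEY" -H 'Content-Type: application/json' \
        "$@" "$PDNS_API_URL/api/v1/servers/localhost$path"
}

# create_zone ZONE NS HOST IP: expect HTTP 201 for the zone, 204 for the record
create_zone() {
    local zone="$1" ns="$2" host="$3" ip="$4"
    echo "POST zone $(fqdn "$zone"): HTTP $(pdns_api POST /zones "$(zone_payload "$zone" "$ns")")"
    echo "PATCH $host A $ip: HTTP $(pdns_api PATCH "/zones/$(fqdn "$zone")" "$(rrset_payload "$host" A 300 "$ip")")"
}

# The request bodies can be inspected offline; a live server is only
# contacted when PDNS_API_RUN=1 is set.
zone_payload abc.com ns1.abc.com; echo
rrset_payload www.abc.com A 300 192.168.80.20; echo
if [ "${PDNS_API_RUN:-0}" = "1" ]; then
    create_zone abc.com ns1.abc.com www.abc.com 192.168.80.20
    dig @127.0.0.1 -p 5353 www.abc.com +short   # should print 192.168.80.20
fi
```

After a successful run, `dig @127.0.0.1 www.abc.com` through the recursor also answers, because zone.conf forwards abc.com to port 5353. Zones created this way appear in PowerDNS-Admin after its next sync with the API.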