DNS Configuration
You must configure access to DNS server by Sudo (the DNS server is on the same server as the Web server) or by SSH (for local or remote access to DNS server). Both can be used on differents servers.
To modify the zones files and reload the server, DomDNS can use sudo. You must configure the /etc/sudoers.d/domdns file with the parameters:
# Allow the user 'www-data' to reload bind and to write in the zones dir
# Don't forget to change the www-data user if your Web server don't work with it
www-data ALL = (domdns) NOPASSWD: /usr/sbin/rndc reload*
www-data ALL = (domdns) NOPASSWD: /usr/sbin/rndc reconfig
www-data ALL = (domdns) NOPASSWD: /bin/cp /tmp/[A-Za-z0-9-]* /etc/bind/zones/[A-Za-z0-9.-]*The configuration file of DomDNS will contain :
$conf = array (
"servers"=>array (
"127.0.0.1"=>array (
"type"=>"bind", // Actually, only bind is allowed
"methodCLI"=>"sudo", // Can be ssh or sudo
"methodFILE"=>"sudo", // Can be scp or sudo
"username"=>"domdns", // The login used to connect by SSH or sudo
"password"=>"", // The password used to connect by SSH
"fingerprint"=>FALSE, // The SSH fingerprint
"publickeyfile"=>FALSE, // The public key used to connect by SSH
"privatekeyfile"=>FALSE, // The private key used to connect by SSH
"passphrase"=>FALSE, // The passphrase used to open the private key
"zonepath"=>"/etc/bind/zones", // The path of the zones
),
),
...You must create the user domdns, with main group bind :
adduser --system --home /var/cache/bind --gecos "DomDNS user" \
--ingroup bind --no-create-home \
--disabled-password --quiet --shell /bin/sh domdnsDouble check that /etc/bind/zones is writeable for group bind, or force it :
chmod 775 /etc/bind/zonesIf the DNS server is distant, it must accept SSH connections to domdns user. This user is used to modify the DNS zones and reload the DNS server.
You must configure the server to allow domdns connections on SSH server. The PHP must have the SSH support installed with : apt-get install php-ssh2
The configuration file of DomDNS will contain :
<?php
$conf = array (
"servers"=>array (
"192.168.56.110" => array ( // IP of DNS server
"type"=>"bind", // Actually, only bind is allowed
"methodCLI"=>"ssh", // Can be ssh or sudo
"methodFILE"=>"scp", // Can be scp or sudo
"username"=>"domdns", // The login used to connect by SSH or sudo
"password"=>"Secret 1", // The password used to connect by SSH
"fingerprint"=>FALSE, // The SSH fingerprint
"publickeyfile"=>FALSE, // The public key used to connect by SSH
"privatekeyfile"=>FALSE, // The private key used to connect by SSH
"passphrase"=>FALSE, // The passphrase used to open the private key
"zonepath"=>"/etc/bind/zones", // The path of the zones
),
),
...adduser --system --home /var/cache/bind --gecos "DomDNS user" \
--ingroup bind --no-create-home \
--disabled-password --quiet --shell /bin/sh domdnsDouble check that /etc/bind/zones is writeable for group bind, or force it :
chmod 775 /etc/bind/zonesEdit the /etc/bind/named.conf.local file and just add
//include "/etc/bind/zones/named.conf.local.withView";
//include "/etc/bind/zones/named.conf.local.withoutView";Uncomment the line you want : with or without views support
If the Apparmor is active, edit the /etc/apparmor.d/local/usr.sbin.named file and add in it :
/etc/bind/zones/** rw,Then reload to apply :
service apparmor reload