一、简述常见加密算法及常见加密算法原理,最好使用图例解说
常见的加密方式有四种:对称加密、密钥加密、单向加密和密钥交换。
对称加密
特性:
1、加密、解密使用同一个密钥;
2、将源时数据分割成为固定大小的块,逐个进行加密;
常见算法:
DES:Data Encryption Standard,加密端64位明文产生64位密文,解密端使用64位密文还原64位明文;64位为一个块即8个字节,加密和解密使用56位的密钥,DES使用16个迭代块。
3DES:Triple DES,是DES的三个数量级。
AES:Advanced Encryption Standard,加密长度有128bits、192bits、256bits、384bits。
Blowfish:一个64位分组及可变密钥长度的对称密钥分组密码算法,可用来加密64比特长度的字符串。
Twofish:Blowfish算法的加密算法。
IDEA:International Data Encryption Algorithm,这种算法是在DES算法的基础上发展出来的,类似于三重DES。
密钥加密
特性:
1、公钥加密、私钥解密;
2、私钥加密、公钥解密;
常见算法:
RSA
DSA
ELGamal
单向加密
特性:
1、定长输出:无论数据是多大级别,其加密结果长度一样;
2、雪崩效应:数据发生微小变化,其加密结果完全不同;
常见用途:数据完整性校验
常见算法:
MD5
sha1
sha224,sha256,sha384,sha512
密钥交换
常见用途:IPsec VPN
常见算法:
RSA
DH
ECDH
ECDHE
数据加密通信的整个过程:
加密过程:
第一步:发送方使用单向加密算法,算出数据的特征码;
第二步:发送方使用自己的私钥加密特征码附加在数据后面;
第三步:发送方生成临时的对称密钥,并使用对称密钥加密整段数据;
第四步:发送方使用接收方的公钥加密上一步生成的对称密钥,并附加在数据后面;
解密过程:
第一步:接收方使用自己的私钥解密
第二步:接收方使用对称密钥解密
第三步:接收方使用发送方公钥解密,确认身份
SSL会话主要三步:
1、客户端向服务器端索要并验证证书;
2、双方协商生成“会话密钥”;
3、双方采用“会话密钥”进行加密通信;
直至断开
SSL Handshake Protocol:
第一阶段:ClientHello:
支持的协议版本,比如:tls 1.2;
客户端生成一个随机数,稍后用于生成“会话密钥”;
支持的加密算法,比如AES、RSA;
支持的压缩算法;
第二阶段:ServerHello
确认使用的加密通信协议版本,比如tls 1.2;
服务器端生成一个随机数,稍后用于生成“会话密钥”;
确认使用的加密方法;
服务器证书;
第三阶段:
验证服务器证书,在确认无误后取出公钥;(发证机构、证书完整性、证书持有者、证书有效期、吊销列表)
发送一下信息给服务器端:
一个随机数;
编码变更通知,表示随后的信息都将用双发商定的加密方法和密钥发送;
客户端握手结束通知;
第四阶段:
收到客户端发来的第三个随机数pre-master-key后,计算生成本次会话所用到的“会话密钥”;
收到客户端发送如下信息:
编码变更通知,表示随后的信息都将用双发商定的加密方法和密钥发送;
服务端握手结束通知
二、搭建apache或者nginx并使用自签证书实现https访问,自签名证书的域名自拟
第一步:利用Apache搭建一个简单的http服务
[root@webserver ~]# yum install -y -q httpd
[root@webserver ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 19 2015 21:43:13
[root@webserver ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@webserver ~]# echo 'Welcome to www.bitemecake.biz!' > /var/www/html/index.html
[root@webserver ~]# systemctl start httpd
[root@webserver ~]# firewall-cmd --permanent --add-service=http
success
[root@webserver ~]# firewall-cmd --reload
success
[root@webserver ~]# ss -tan | grep 80
LISTEN 0 128 :::80 :::*
确认http服务正常:
image.png
第二步:构建私有CA
1、生成私钥:
[root@webserver ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................++
...........++
e is 65537 (0x10001)
2、生成自签证书:
[root@webserver ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake
Organizational Unit Name (eg, section) []:manager
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:27****324@qq.com
[root@webserver ~]#
-new:生成新证书签署请求;
-x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
-days:证书的有效时长,单位是day;
3、为CA提供所需的目录及文件:
[root@webserver ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@webserver ~]# touch /etc/pki/CA/{serial,index.txt}
[root@webserver ~]# echo 01 > /etc/pki/CA/serial
第三步:要用到证书进行安全通信的服务器,需要向CA请求签署证书:
1、用到证书的主机生成私钥:
[root@webserver ~]# mkdir /etc/httpd/ssl
[root@webserver ~]# cd /etc/httpd/ssl
[root@webserver ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2、生成证书签署请求:
[root@webserver ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:76*****37@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:biteme
3、将请求用可靠的方式发送给CA主机;
[root@webserver ssl]# cp /etc/httpd/ssl/httpd.csr /tmp/httpd.csr
4、在CA主机上签署证书:
[root@webserver ssl]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 4 04:01:29 2018 GMT
Not After : Nov 4 04:01:29 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Sichuan
organizationName = bitemecake
organizationalUnitName = ops
commonName = webserver
emailAddress = 764****37@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B0:DA:40:C4:47:B0:8C:15:70:B0:06:BB:1D:6A:D2:CF:90:CE:01:9E
X509v3 Authority Key Identifier:
keyid:40:83:81:56:94:75:7A:1A:3E:B5:05:91:0D:F4:BD:67:FF:4D:9C:63
Certificate is to be certified until Nov 4 04:01:29 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
后续步骤:为Apache添加SSL模块,并配置SSL证书相关配置参数;此为web服务相关课程内容,后面再行补充。
三、简述DNS服务器原理,并搭建主-辅服务器
DNS(Domain Name Service)域名解析服务,用于实现域名与IP地址之间对应关系转换的服务。
DNS名称解析方式:
域名 --> IP:正向解析
IP --> 域名:反向解析
DNS服务器类型:
负责解析至少一个域:
主名称服务器
辅助名称服务器
不负责解析:
缓存名称服务器
DNS服务流程
DNS的查询请求经过的流程:hosts文件 --> DNS Local Cache --> DNS Server -->Server Cache --> Iteration
说明:
第一步:本地查询——查询本机hosts文件,有记录则返回肯定答案给主机,无则查询本地DNS缓存(DNS Local Cache),若还无则进行下一步;
第二步:服务器查询——将请求发送给本机网络配置中指定的DNS服务器(DNS Server),DNS服务器查询自身缓存的资源记录和自己负责解析的资源记录,有记录则返回,若无记录,则有两种处理:
1、该DNS服务器未配置递归查询功能,则返回否定答案给主机;
2、该DNS服务器配置有递归查询功能,则该DNS服务器将作为客户端,继续向其上级DNS服务器发送查询请求,直到得到肯定答案或否定答案,最后再返回给主机。
DNS递归查询与迭代查询的区别
(1)递归查询
递归查询是一种DNS 服务器的查询模式,在该模式下DNS 服务器接收到客户机请求,必须使用一个准确的查询结果回复客户机。如果DNS 服务器本地没有存储查询DNS 信息,那么该服务器会询问其他服务器,并将返回的查询结果提交给客户机。
(2)迭代查询
DNS 服务器另外一种查询方式为迭代查询,DNS 服务器会向客户机提供其他能够解析查询请求的DNS 服务器地址,当客户机发送查询请求时,DNS 服务器并不直接回复查询结果,而是告诉客户机另一台DNS 服务器地址,客户机再向这台DNS 服务器提交请求,依次循环直到返回查询的结果
为止。
两种过程的示意图:
image.png
搭建主-辅DNS服务器
第一步:搭建主DNS服务器
1、使用yum安装bind包和bind-utils包:
[root@dns-master ~]# yum install -y -q bind bind-utils
[root@dns-master ~]# echo $?
0
2、配置named服务开机启动,以及DNS服务全局配置:
[root@dns-master ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@dns-master ~]# vi /etc/named.conf
[root@dns-master ~]# cat /etc/named.conf
修改部分:
...
options {
listen-on port 53 { 127.0.0.1;192.168.0.132; };
//allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
...
3、检查配置文件语法,然后启动服务,并配置防火墙放通DNS服务端口(TCP/53和UDP/53),此时该主机可作为缓存DNS服务器使用:
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# systemctl start named
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@dns-master ~]# firewall-cmd --reload
success
[root@dns-master ~]# ss -tunlp | grep 53
udp UNCONN 0 0 192.168.0.132:53 *:* users:(("named",pid=11109,fd=515),("named",pid=11109,fd=514))
udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",pid=11109,fd=513),("named",pid=11109,fd=512))
udp UNCONN 0 0 ::1:53 :::* users:(("named",pid=11109,fd=517),("named",pid=11109,fd=516))
tcp LISTEN 0 10 192.168.0.132:53 *:* users:(("named",pid=11109,fd=21))
tcp LISTEN 0 10 127.0.0.1:53 *:* users:(("named",pid=11109,fd=20))
tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",pid=11109,fd=23))
tcp LISTEN 0 10 ::1:53 :::* users:(("named",pid=11109,fd=22))
tcp LISTEN 0 128 ::1:953 :::* users:(("named",pid=11109,fd=24))
4、测试服务是否正常:
1)本地解析功能测试:
[root@dns-master ~]# dig -t SOA www.baidu.com @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.baidu.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52822
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN SOA
;; ANSWER SECTION:
www.baidu.com. 1173 IN CNAME www.a.shifen.com.
;; AUTHORITY SECTION:
a.shifen.com. 600 IN SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 1811040050 5 5 2592000 3600
;; Query time: 57 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:28:10 EST 2018
;; MSG SIZE rcvd: 126
2)对外解析功能:(使用另外一台主机测试)
[root@dns-slave ~]# dig -t SOA www.163.com @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.163.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.163.com. IN SOA
;; ANSWER SECTION:
www.163.com. 600 IN CNAME www.163.com.lxdns.com.
;; AUTHORITY SECTION:
lxdns.com. 60 IN SOA dns1.lxdns.org. webmaster.glb0.lxdns.com. 1422577239 10800 3600 604800 60
;; Query time: 1257 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:31:25 EST 2018
;; MSG SIZE rcvd: 137
5、配置一个正向区域
1)定义区域文件(/etc/named.rfc1913.zones):
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones
zone "bitemecake.biz" IN {
type master;
file "bitemecake.biz.zone"
};
2)建立区域数据文件(/var/named/bitemecake.zone):
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@ IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz.(
2018110401
1H
10M
3D
1D )
IN NS ns1
IN MX 10 mx1
mx1 IN A 192.168.0.132
ns1 IN A 192.168.0.132
www IN A 192.168.0.132
web IN CNAME www
3)修改配置文件权限,检查配置文件语法:
[root@dns-master ~]# chown :named /var/named/bitemecake.biz.zone
[root@dns-master ~]# chmod o= /var/named/bitemecake.biz.zone
[root@dns-master ~]# named-checkzone bitemecake.biz. /var/named/bitemecake.biz.zone
zone bitemecake.biz/IN: loaded serial 2018110401
OK
4)让服务器重载配置文件和区域数据文件:
[root@dns-master ~]# systemctl reload named
5)测试解析功能:
[root@dns-master ~]# dig -t A www.bitemecake.biz @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53376
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz. IN A
;; ANSWER SECTION:
www.bitemecake.biz. 3600 IN A 192.168.0.132
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:00:43 EST 2018
;; MSG SIZE rcvd: 97
6、配置一个反向区域
1)定义区域文件(/etc/named.rfc1913.zones):
[root@dns-master ~]# vi /etc/named.rfc1912.zones
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones
zone "0.168.192.in-addr-arp." IN {
type master;
file "192.168.0.zone";
};
2)定义区域解析库文件(主要记录为PTR)
[root@dns-master ~]# vi /var/named/192.168.0.zone
[root@dns-master ~]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2018110401
OK
3)修改配置文件权限,检查配置文件语法:
[root@dns-master ~]# chown :named /var/named/192.168.0.zone
[root@dns-master ~]# chmod o= /var/named/192.168.0.zone
4)让服务器重载配置文件和区域数据文件:
[root@dns-master ~]# systemctl reload named
5)测试解析功能:
[root@dns-master ~]# dig -x 192.168.0.132 @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.0.132 @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;132.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
132.0.168.192.in-addr.arpa. 3600 IN PTR ns1.bitemecake.biz.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:24:39 EST 2018
;; MSG SIZE rcvd: 117
至此,主DNS服务器搭建完成。
第二步:搭建辅DNS服务器
1、辅DNS服务器的服务配置和全局配置同主DNS服务器配置前两步,此处省略;
2、辅DNS服务器配置:
1)定义从区域:
[root@dns-slave ~]# vi /etc/named.rfc1912.zones
[root@dns-slave ~]# tail -12 /etc/named.rfc1912.zones
zone "bitemecake.biz" IN {
type slave;
file "slaves/bitemecake.biz.zone";
masters { 192.168.0.132; };
};
zone "0.168.192.in-addr.arpa." IN {
type slave;
file "slaves/192.168.0.zone";
masters { 192.168.0.132; };
};
[root@dns-slave ~]# named-checkconf
2)重载配置
[root@dns-slave ~]# systemctl reload named
3、主DNS服务器配置:
1)将辅DNS服务器的NS记录添加到主DNS服务器的各区域数据文件中,且保证各区域数据文件中有辅DNS服务器的一个A记录:
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@ IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz.(
2018110401
1H
10M
3D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
mx1 IN A 192.168.0.132
ns1 IN A 192.168.0.132
ns2 IN A 192.168.0.133
www IN A 192.168.0.132
web IN CNAME www
第三步:测试
1、辅DNS服务器解析功能测试:
[root@dns-slave ~]# dig -t A www.bitemecake.biz @192.168.0.133
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 232
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz. IN A
;; ANSWER SECTION:
www.bitemecake.biz. 3600 IN A 192.168.0.132
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:37:48 EST 2018
;; MSG SIZE rcvd: 97
2、辅DNS服务器同步记录测试:
1)主DNS服务器区域数据文件新增一条A记录,并且将Serial号加1
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@ IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz.(
2018110402
1H
10M
3D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
mx1 IN A 192.168.0.132
ns1 IN A 192.168.0.132
ns2 IN A 192.168.0.133
www IN A 192.168.0.132
web IN CNAME www
bbs IN A 192.168.0.134
2)主-辅DNS服务器DNS服务状态均有同步记录:
[root@dns-master ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-11-04 07:09:54 EST; 33min ago
Process: 3281 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 3001 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2021 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 3049 (named)
CGroup: /system.slice/named.service
└─3049 /usr/sbin/named -u named
Nov 04 07:42:55 dns-master named[3049]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 04 07:42:55 dns-master named[3049]: reloading configuration succeeded
Nov 04 07:42:55 dns-master named[3049]: reloading zones succeeded
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: loaded serial 2018110402
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Nov 04 07:42:55 dns-master named[3049]: all zones loaded
Nov 04 07:42:55 dns-master named[3049]: running
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/...tarted
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/... ended
Nov 04 07:42:55 dns-master systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-11-04 07:33:38 EST; 9min ago
Process: 3590 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 3603 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3600 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 3606 (named)
CGroup: /system.slice/named.service
└─3606 /usr/sbin/named -u named
Nov 04 07:33:38 dns-slave named[3606]: running
Nov 04 07:33:38 dns-slave systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 04 07:42:25 dns-slave named[3606]: client 192.168.0.132#46166: received notify for zone 'bitemecake.biz'
Nov 04 07:42:25 dns-slave named[3606]: zone bitemecake.biz/IN: notify from 192.168.0.132#46166: zone is up to date
Nov 04 07:42:56 dns-slave named[3606]: client 192.168.0.132#42389: received notify for zone 'bitemecake.biz'
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: Transfer started.
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: connected using 192...#34791
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: transferred serial 2018110402
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: Transfer completed:...s/sec)
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Hint: Some lines were ellipsized, use -l to show in full.
3)辅DNS服务器解析功能测试:
[root@dns-slave ~]# dig -t A bbs.bitemecake.biz @192.168.0.133
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A bbs.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40767
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.bitemecake.biz. IN A
;; ANSWER SECTION:
bbs.bitemecake.biz. 3600 IN A 192.168.0.134
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
bitemecake.biz. 3600 IN NS ns2.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
ns2.bitemecake.biz. 3600 IN A 192.168.0.133
;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:48:46 EST 2018
;; MSG SIZE rcvd: 131
四、搭建并实现智能DNS
实现智能DNS的三种方式:
1)定义转发
2)访问控制
3)定义视图
方法示例:
1)制定转发策略:
注意:被转发的服务器必须允许当前服务做递归;
(1)区域转发:仅转发对某特定区域的解析请求;
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { SERVER_IP; };
};
first:首先转发;转发器不响应时,自行去迭代查询;
only:只转发;
(2)全局转发:针对凡本地没有通过zone定义的区域查询请求,通通转发给某转发器;
options{
... ...
forward {only|first};
forwarders { SERVER_IP; };
... ...
}
2)访问控制:
acl:访问控制列表;把一个或多个地址归并一个命名的集合,随后通过此名称即可对此集合内的所有主机实现统一调用;
acl acl_name {
ip;
net/prelen;
};
示例:
acl mynet{
172.16.0.0/16;
127.0.0.0/8;
};
bind有四个内置的acl
none:没有一个主机;
any:任意主机;
local:本机;
localnet:本机所在的IP所属的网络;
访问控制指令:
allow-query {}; 允许查询的主机;白名单;
allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器;
allow-recursion {}; 允许哪些主机向当前DNS服务器发起递归查询请求;
allow-update {}; DDNS,允许动态更新区域数据库文件中的内容;
3)定义视图:
方法:
view VIEW_NAME {
zone
zone
zone
}
示例:
view internal {
match-clients { 172.16.0.0/8; };
zone "magedu.com" IN {
type master;
file "magedu.com/internal";
};
};
view external {
match-clients { any; };
zone "magedu.com" IN {
type master;
file "magedu.com/external";
};
};
智能DNS示例
需求:
1、凡本地没有通过zone定义的区域查询请求,通通转发给转发器;转发器不响应时,可自行会去迭代查询;
2、仅允许向辅DNS服务器做区域传送;
3、仅允许192.168.0.0/16网段内主机向当前DNS服务器发起递归查询请求;
4、192.168.0.0/16内网段内的主机访问域名www.bitemecake.biz解析为内网口地址192.168.0.132,外网主机访问域名解析为外网口地址172.16.25.132;
配置:
1、全局配置:/etc/named.conf中加上以下字段:
[root@dns-master ~]# vi /etc/named.conf
options{
...
forward first;
forwarders { 61.139.2.69;119.6.6.6; };
allow-transfer { 192.168.0.133;};
allow-recursion { 192.168.0.0/16; };
...
};
[root@dns-master ~]# named-checkconf
2、区域文件参数配置:/etc/named.rfc1912.zones中配置:
[root@dns-master ~]# vi /etc/named.rfc1912.zones
[root@dns-master ~]# tail -26 /etc/named.rfc1912.zones
view internal {
match-clients { 192.168.0.0/16; };
zone "bitemecake.biz" IN {
type master;
file "bitemecake.biz.zone/internal";
};
zone "0.168.192.in-addr.arpa." IN {
type master;
file "192.168.0.zone/internal";
};
};
view external {
match-clients { any; };
zone "bitemecake.biz" IN {
type master;
file "bitemecake.biz.zone/external";
};
zone "0.168.192.in-addr.arpa." IN {
type master;
file "192.168.0.zone/external";
};
};
