简述常见加密算法及常见加密算法原理,最好使用图例解说
在网络通信过程中不管是通过tcp还是udp协议进行互联网中主机之间的通信时,数据都是通过明文进行传输的,容易使传输的数据被人劫持,篡改等等,为了保护传输数据,传输数据加密就应运而生了,加密数据有单向加密,对称加密,非对称加密等,下面介绍常见的几种加密方式及其原理.
对称加密:加密和解密使用同一个密钥并将将原始数据分割成为固定大小的块,逐个进行加密.其安全性依赖于密钥而不是算法,其缺陷是密钥太多,密钥分发困难的情况,主要的加密方式有如下几种.
DES, 3DES, DES, Blowfish, IDEA
DES:算法为密码体制中的对称密码体制,又被称为美国数据加密标准是1972年美国IBM公司研制的对称密码体制加密算法。 明文按64位进行分组,密钥长64位,分组后的明文组和56位的密钥按位替代或交换的方法形成密文组的加密方法。
把输入的64位数据块按位重新组合,并把输出分为L0、R0两部分,每部分各长32位,其置换规则见下
非对称加密:密钥分为公钥与私钥,用公钥加密的数据,只能使用与之配对的私钥解密,用私钥加密的数据只能用对应的公钥进行解密.
私钥通过工具创建,使用者自己留存,必须保证其私密性.
公钥从私钥中提取产生,可公开给所有人
主要用途有:
数字签名:主要在于让接收方确认发送方的身份
密钥交换:发送方用对方公钥加密一个对称密钥,并发送给对方
对进行数据加密等等,主要的加密方式有以下几种:
RSA,DSA,DSS, DSA
RSA:第一个既能用于数据加密也能用于数字签名的算法.它易于理解和操作,也很流行.算法的名字以发明者的名字命名,RSA加密是对明文的E次方后除以N后求余数的过程,可以使用一个通式来表达:
只要知道E和N任何人都可以进行RSA加密了,所以说E、N是RSA加密的密钥,也就是说E和N的组合就是公钥,我们用(E,N)来表示公钥
公钥=(E,N)
RSA的解密同样可以使用一个通式来表达
对密文进行D次方后除以N的余数就是明文,这就是RSA解密过程。知道D和N就能进行解密密文了,所以D和N的组合就是私钥
私钥=(D,N)
要生成密钥就要知道E,D,N,L(中间过程的中间数),其中各个数要满足如下要求
N= p * q ;p,q为质数
L=lcm(p-1,q-1) ;L为p-1、q-1的最小公倍数
1 < E < L,gcd(E,L)=1;E,L最大公约数为1(E和L互质)
1 < D < L,E*D mod L = 1
求N
我们准备两个很小对质数, p = 17 q = 19
N = p * q = 323
求L
L = lcm(p-1, q-1)= lcm(16,18) = 144 (144为16和18对最小公倍数)
求E
求E必须要满足2个条件:1 < E < L ,gcd(E,L)=1
即1 < E < 144,gcd(E,144) = 1
E和144互为质数,5显然满足上述2个条件
故E = 5
此时公钥=(E,N)= (5,323)
求D
求D也必须满足2个条件:1 < D < L,E*D mod L = 1
即1 < D < 144,5 * D mod 144 = 1
显然当D= 29 时满足上述两个条件
1 < 29 < 144
5*29 mod 144 = 145 mod 144 = 1
此时私钥=(D,N)=(29,323)
根据上述结果,假设明文=123,带入公式则密文=255,解密过程带入解密公式即可.
单向加密:即提出数据指纹;只能加密,不能解密,主要用于验证数据的完整性(提取数据的特征码)
其特性:
定长输出:无论原来的数据输是多大的级别,输出的加密结果长度都是一样的.
雪崩效应: 任何输入信息的变化,哪怕仅一位,都将导致散列结果的明显变化.
主要的加密方式有:
md5,sha1,sha224, sha256, sha384, sha512
md5:消息摘要算法第五版,为计算机安全领域广泛使用的一种散列函数,用以提供消息的完整性保护的一种加密技术.
MD5算法具有以下特点:
1、压缩性:任意长度的数据,算出的MD5值长度都是固定的。
2、容易计算:从原数据计算出MD5值很容易。
3、抗修改性:对原数据进行任何改动,哪怕只修改1个字节,所得到的MD5值都有很大区别。
4、强抗碰撞:已知原数据和其MD5值,想找到一个具有相同MD5值的数据(即伪造数据)是非常困难的。
MD5的加密流程图如下:
更为具体的算法计算流程详见百科:
https://baike.baidu.com/item/MD5?fr=aladdin
搭建apache或者nginx并使用自签证书实现https访问,自签名证书的域名自拟
在实验环境中为apache或者nginx做CA证书自签可以使用openssl命令来实现,具体步骤如下:
构建私有CA:
- 生成私钥
- 生成自签证书
- 为CA提供所需的目录及文件
1. 生成私钥
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)Generating RSA private key, 4096 bit long modulus
...................++
....................................................................................................................................................++
e is 65537 (0x10001)
#()括号起来的命令表示在子shell中运行,而不改变当前shell的umask值.
-----------------分割线-----------------
[root@localhost ~]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA0GbTtPftdGDJFnA8x/ZOqIrL7YBtkBNc7od0O9+ZdJ87Ip5c
HqklKINaubzxR74hEYptPv4wsS9AmgYPOMEepLwSPeKE8EbQbypnQW/L7RSo+SYT
x6YK594YmyYxZJJ48xNA8OsPy+C63mqKEF/Hv34D4cCdjj7/ZE/xlrQuxR2pey5u
hYvODajc7fitDZ9M4dgYeyPuJDr2JmFT+ApoOD3aimoelf74mnJ62CvW/CakRp7C
9+Lcae5nQCTeuUuD6ictTEBxXKGyDrIrSB0HuA9POhPfISumDlcnz5SQkJvFc0ud
zdw8nJvAXvA+5ro4Lqw2szrmsv7x72/cyb0VHaei3ayupDB0pePOYykby/VsuUrR
Z9TEZB+x7Gt6LwZSVMdOXFap/wjczUfaT1pc1uV3D6g4+Vd2VjjrEq7emjDjfdOZ
GmZE2pb6Rif62nDh2SB/R8HFJu5JwIx4SIO7jGzQ5lBfF2JfWD4B+bwA41yx2YQS
GU3b9XL2D8whPWqbYyM8YXqyPN5guJ5J/1RRv6FhDZcWqYO0J02zm9PYrbZ+Gf+V
Grh8Oxoj1CCe3MLEVyfdo/RuZ56SF6fAKjSuMEViEx5fZK2l8NufIOhTWEHon2jC
F0bN5niJIzqP7/0RFL2lmkM8SjzpOGul6/0sUbJRNNaqv/7SnNxFu51Hsz8CAwEA
AQKCAgBCB+KaW1fcYPI17tgDT5J6qoeUt/V/CfOPDFISynUX03/sJxrvCA7i+EOd
yDT201Is+ZxFskqBSYSBiNv30pDAB2sMOqJ+cyGFp3zR6fdGJh6n2p23y293KhLH
zeEmiZZTBk20R/ZYVds/r6gRKhfjH61hMSN6t5E6Gm5knrCW+iACDKMuIy7lexSN
Phau00OL52lSUv8YcaoeXQY6+CkvcMG2y4rnYcMpRI6Rwco7WI8CZTlHS5Uk50nF
tCjxsvCYF1Ot7lk8zWraZy95iOEyO3+R2kv/eZICxzCw/9SSTRjRwCq+2EJIKL1a
F2sGtggpGZ23Sjlgi5DimaHuNb/jc4Xj1PTrcE5p+LkE4OmsX+BcBt5dUt1txRYn
2uVnh8x8qbKpjk1Gn7A6TSfX1YV9ALihTypFGdSc1M1SYfIbmoHdzflycym1Kuyv
/TYF0uuYO9Fj6MpRiEaQEJKjFrwIy3XfJ9l6rRKPCWOrowjmvgxywmcwgFORmUC+
XbH2ZjKHBRWPlIn1PYAoq5Vln4FuiepofXNQvPAwWG54mY5knSwzGBmyo1tj+XiJ
zI1DXdJ3hQPyqB95Z3E9LZwk7balOx0cXyLlYQNjIvma6iHKLmxdjQz3WDhqXbFx
2uVx30Kr3KHiamYn9kjP+IaJcn/T/qdNNQp7mZOTkotCaCxSwQKCAQEA/Tda+2XE
sUFDzhchUyhcIwa8TJDv3cI/8U8gU3yIrimztTj6iJRfC5g6K1yG0aaUuKJ7Tf1q
izqOV1uhxYGhWyHXajojmBXzPmyrq0Eq4ZEBPrKcq0EM6zvkYCw8g9k/9aZ0m9KQ
aHzYtgaLmEchKTXEzTtCir2fE5nhmmG/+W/WfwRfCtRlhQWukhxFDUUJgBgPz4Tb
OL+ycYkIR5UaOgzHGkQqx/4ppA5AXHN8xZe7r+3Nic+lXvE9NvuZm+DN9+jGb7Id
P9SoE3CU4MNZwLGUs47lY/fJGj0Fc2OsZmOqBcAz1dWzFdadIZADiV0SIvV8TeoE
GprTMY1q7ESMXwKCAQEA0rFYw/DOXrFD8KtEOnIPAx+n3MzJ3B+DHbsrDxx0CrYU
eZB9nlBYof1tZ/0pLzppso+8tLqDRPtU9m4ziY2G5nr3nvjOMCF2LOZhsPxFb/Wc
Z5FSlHK9O61vZcah+Gx7S41JNbTF6xZ2EEbRfFkeZM70fVC7Ofa6H8QKNuwBv7cq
j6wlxOB4Sogr6r46CdBKCtXv9gzXYC909pzyZw6MpjBmIwKeMFp4z/CgJJbhQ48x
j7Ag1H7CjssrTfkW9DXnuVTDr4lcJFF5Om7BPgh9CowL9c6T3sVdj6moYedG5W/l
flZ2r2AgOiKeO1J6W+a9fTHhPQw5s9OeDCEIluRFIQKCAQApLPQ1hzH55PQCsk4v
+JMq+vBpvvPSasD9G3HVQZ30PEHFyVMsHHxsJT/oRy6BLwZmE73bS8ckhswYtoTS
2iaD7DfcRUH+fCtGzmMIARvY/DxolqDVVEmmguG7JdZdVlmJN50krZPf+dU/nEbc
50wkKGMtQGKsrvMMO+ysrxKJnD8T/oD6ANnVTLw7dC9iXgSSeNcxVphTXRDGV5Mq
GLvgDq3dvpH6XYEl9U9P+VOjye2ySQgwTbzFeJMMutMavu6fTpHeHeeVtp3yM09y
UTHqHLZikG0K2YMxKhUV03J4X+KI9t02+34YogKBL6rzjlfhqWuiO9iY/u4y0508
eFUfAoIBAGfyQRXiXx5OnHNHO9EN5qQm4P1JN6nXDiwD5Hl/Ey0Zqb5T7/XENAYv
buOn/cKkMfN7gKE1h3/n84Hk2p5ZaZ2aO0J+A9OxHomGW9oii+txpGlgQ/qjJQMl
TNlMhyp18tpSaTUK675RBYyAM+gCW8FmbS7KPqSZOjhj0ppIE5DPQDtDthqMmCxF
RE167k1bKrxv0gR1T2jP4QeuZNU9U1zGcg2BxCOc7w+/6nJC0f4vzkbSoU/U/g3O
5J2Cb7WqRpmj3StkPEZav9F5RPNi4rXqZBgwg7mba85t6HnszYhyjSmoZMOfTCcC
X0hrJ5zhmMkEa9hfiLRUihv3zDINiqECggEBANHpYXv7fjLrtfQXlAqr8z4d12cA
YGR0wahMkE9ohyjbn4P4ybl70OVqjF0eInXtZoI70VwDRJO4yHT7fOFZrgo096AR
lKZh3epdHsgmVMBPA6/5zfOTg1uUgI6UlMf9LY6Hn2wTb4rZORjKqoEDc8Isy3y4
ilzxdOLLltaiOxpIPBBZJS29PIVQIAxfzYSWsUVAc9eTGJEbqjqcKl9zfkBSki8G
wa1nXUS25gLmrF5IEdSnQsI2GwCUwhR/T34/oQZrzv0kjdxJj9LCa5xJZuSQgAHZ
WjRjWLdaeTdwP+jugvrqCP/19wXlCa2xp5xHT36O1oCYiZTrk8zD0tsy++c=
-----END RSA PRIVATE KEY-----
2. 生成自签证书
用生成的私钥制作证书时,会自动从私钥里提取公钥来进行加密.命令格式如下
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
-new:生成新证书签署请求
-x509:生成自签格式证书(专用于创建私有CA时)
-key:生成请求时用到的私钥文件路径
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书
-days:证书的有效时长,单位是day
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家名(简写)
State or Province Name (full name) []:guangxi #所在的省会城市(全名)
Locality Name (eg, city) [Default City]:nanning # 所在的本地城市
Organization Name (eg, company) [Default Company Ltd]:maedu #公司或者组织的名字
Organizational Unit Name (eg, section) []:ops #所在的部门
Common Name (eg, your name or your server's hostname) []:www.maedu.com #服务器主机名或个人申请的名称
Email Address []:abd@maedu.com #邮件地址
-----------------分割线-----------------
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl newcerts private
3. 为CA提供所需的目录及文件
要在/etc/pki/CA/目录下创建certs,crl,newcerts(默认可能不存在)三个目录和serial,index.txt(序列号和数据库文件)两个文件
[root@localhost ~]# mkdir -v /etc/pki/CA/{certs,newcerts,crl}
mkdir: cannot create directory ‘/etc/pki/CA/certs’: File exists
mkdir: cannot create directory ‘/etc/pki/CA/newcerts’: File exists
mkdir: cannot create directory ‘/etc/pki/CA/crl’: File exists
-----------------分割线-----------------
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl index.txt newcerts private serial
[root@localhost ~]# echo 01 > /etc/pki/CA/serial #给定第一个证书的编号
需要向CA请求签署证书:
- 安装apache或者nginx(如果试验环境中没有)
- 用到证书的主机生成私钥
- 生成证书签署请求
- 将请求通过可靠方式发送给CA主机
- 在CA主机上签署证书
- 发送证书到需要签证的主机中
1. 安装apache或者nginx(如果试验环境中没有)
[root@localhost ~]# yum -y install httpd
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: mirrors.aliyun.com
* updates: centos.ustc.edu.cn
Package httpd-2.4.6-67.el7.centos.6.x86_64 already installed and latest version
Nothing to do
2. 用到证书的主机生成私钥
创建生成私钥的目录及生成私钥
[root@localhost ~]# mkdir -v /etc/httpd/ssl
mkdir: cannot create directory ‘/etc/httpd/ssl’: File exists
[root@localhost ~]# cd /etc/httpd/ssl/
[root@localhost ssl]#
-----------------分割线-----------------
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.....+++
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
#在当前目录下生成私钥,
3. 生成证书签署请求
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangxi
Locality Name (eg, city) [Default City]:nanning
Organization Name (eg, company) [Default Company Ltd]:maedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.maedu.com
Email Address []:adc@maedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#因为是自建CA,所以填写的信息,国家,地区,公司这些信息最好保持一致
-----------------分割线-----------------
[root@localhost ssl]# ls
httpd.csr httpd.key
4. 将请求通过可靠方式发送给CA主机
可以通过scp,等文件传输工具发送到CA主机上,这里是模拟环境可以用网络传输,实际环境中不应该用网络传输这种不安全的方式
[root@localhost ssl]# scp httpd.csr root@192.168.109.129:/tmp/
The authenticity of host '192.168.109.129 (192.168.109.129)' can't be established.
ECDSA key fingerprint is SHA256:Yrud4cR2ciZ9YozYfnmrDIF7Gw2Z5QQYdvijKEd6ol4.
ECDSA key fingerprint is MD5:f0:c1:27:00:b9:89:9e:67:1f:65:79:7a:d4:91:cd:63.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.109.129' (ECDSA) to the list of known hosts.
root@192.168.109.129's password: #输入root密码
httpd.csr 100% 1045 450.3KB/s 00:00
5. 在CA主机上签署证书
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 6 11:08:31 2018 GMT
Not After : Apr 6 11:08:31 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = guangxi
organizationName = maedu
organizationalUnitName = ops
commonName = www.maedu.com
emailAddress = adc@maedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:36:D6:04:3A:7F:C6:F5:EC:CD:1D:C7:79:84:D3:BF:0D:D4:9F:6F
X509v3 Authority Key Identifier:
keyid:9E:8B:94:0E:BA:C9:37:DC:3F:65:3D:49:B6:BE:68:88:22:8E:4E:78
Certificate is to be certified until Apr 6 11:08:31 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-----------------分割线-----------------
[root@localhost ~]# cat /etc/pki/CA/index.txt
V 190406110831Z 01 unknown /C=CN/ST=guangxi/O=maedu/OU=ops/CN=www.maedu.com/emailAddress=adc@maedu.com
# 出现这些信息说明签证成功了
6. 发送证书到需要签证的主机中
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.109.135:/etc/httpd/ssl/
The authenticity of host '192.168.109.135 (192.168.109.135)' can't be established.
ECDSA key fingerprint is SHA256:yeVsgGHQc5FmnbvOBAG4AH6NS0lCS9ahCB1uA4+UVfw.
ECDSA key fingerprint is MD5:c9:39:9d:51:c6:72:23:9b:e6:64:c9:85:0f:fb:05:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.109.135' (ECDSA) to the list of known hosts.
root@192.168.109.135's password:
httpd.crt 100% 5844 4.4MB/s 00:00
-----------------分割线-----------------
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
#在签证主机上查看文件
简述DNS服务器原理,并搭建主-辅服务器
DNS是域名解析服务,是一种应用层的协议.互联网中主机之间的通信都是靠IP地址进行的,但是成千上万的IP地址繁杂又不方便人类记忆,DNS就是将主机的IP与对应的服务器名称对应起来,可以让主机在互联网中通过www.maedu.com这样的域名访问互联网中与之对应IP的主机而不用一个一个IP的输入.域名服务器可以分为:
- 顶级域名(一级域名): .com .cn .net .org .gov .edu等等由全球13个根服务器来维护
- 二级域名: baidu.com maedu.com等等
- 三级域名:bbs.maedu.com等等二级域名对应的主机名称解析
主机与域名服务器之间的域名解析查询是递归查询,域名服务器之间的查询是迭代查询.根据DNS名称解析方式不同可以分为:
正向解析: 通过域名查询对应主机的IP地址.
反向解析: 通过已知的IP地址查询对应的域名.
根据DNS服务器用途不同类型可以划分如下:
主名称服务器: 负责解析至少一个域
辅助名称服务器: 从主服务器里同步数据,辅DNS服务器只能查询不能修改
缓存名称服务器: 不负责解析域名,只是从指定的服务器缓存数据.
一些DNS服务配置文件的说明及测试工具:
区域数据库文件:
资源记录:Resource Record, 简称RR;
RR_TYPE 常见类型:A, AAAA, PTR, SOA, NS, CNAME, MX
SOA:起始授权记录; 一个区域解析库有且只能有一个SOA记录,而且必须放在第一条
NS:域名服务记录;一个区域解析库可以有多个NS记录;其中一个为主
A: Address, IPv4地址记录,FQDN --> IPv4;(一个A是32位)
AAAA:IPv6地址记录, FQDN --> IPv6
CNAME:别名记录
PTR:IP --> FQDN 反向解析
MX:邮件交换器(优先级:0-99,数字越小优先级越高)
FQDN:完整主机名
资源记录的定义格式:
语法: name [TTL] IN RR_TYPE value
SOA:
name: 当前区域的名字;例如”mageud.com.(正向解析)”,或者“2.3.4.in-addr.arpa.(反向解析)”
value:有多部分组成
(1) 当前区域的区域名称(也可以使用主DNS服务器名称)
(2) 当前区域管理员的邮箱地址;但地址中不能使用@符号,一般使用点号(.)来替代
(3) 主从服务协调属性的定义以及否定答案的TTL
例如:
magedu.com. 86400(TTL值) IN SOA magedu.com. admin.magedu.com. (
2017010801 ; serial,序列号,主服务器数据库内容发生变化时,其版本号递增(这样从服务器摘能更新数据库)
2H(小时) ; refresh,刷新时间,从服务器间隔多久到主服务器检查序列号更新状况
10M(分钟) ; retry,重试时间,主从服务器同步解析库失败时,再次发起尝试请求的时间间隔
1W(周) ; expire,过期时间,一直同步失败多久之后停止从主服务器同步数据的时间
1D(天) ; negative answer ttl ,否定答案的时长(一直查询不到答案返回结果的最长时间)
)
NS:(一个区域可以有多个ns记录)
name: 当前区域的区域名称
value:当前区域的某DNS服务器的名字,例如ns.magedu.com.
例如:
magedu.com. 86400 IN NS ns1.magedu.com.
MX:(MX记录可以有多个;但每个记录的value之前应该有一个数字表示其优先级)
name: 当前区域的区域名称
value:当前区域某邮件交换器的主机名
magedu.com. IN MX 5 mx1.magedu.com.
magedu.com. IN MX 10 mx1.magedu.com.
A(AAAA):
name:某FQDN,例如www.magedu.com.
value:某IPv4地址(IPv6地址)
www.magedu.com. IN A 192.168.2.1
PTR:
name:IP地址,有特定格式,IP反过来写,而且加特定后缀
value:FQND(完整主机名)
1.2.168.192.in-addr.arpa. IN PTR www.magedu.com.
CNAME:
name:FQDN格式的别名
value:FQDN格式的正式名字
bbs.magedu.com. IN CNAME www.magedu.com.
对于上面的配置格式有以下几点注意的地方:
- TTL可以从全局继承
- @表示当前区域的名称
- 相邻的两条记录其name相同时,后面的可省略
- 对于正向解析区域来说,各MX,NS等类型的记录的value为FQDN,这个FQDN应该有一个A地址(IPv4地址)记录
DNS是一种协议,在服务器中实现这种协议的程序是bind,而bind程序的运行的进程名为:named,bind的主要配置文件有:
主配置文件:/etc/named.conf
主配置文件格式:
全局配置段:
options { ... }
日志配置段:
logging { ... }
区域配置段:
zone { ... }
[root@localhost ~]# vim /etc/named.conf
//
// named.conf
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; }; #监听的端口,哪些主机可以访问解析,
listen-on-v6 port 53 { ::1; };#后面一定要有分号(;)结束,花括号里面有空格
directory "/var/named";#对应数据库文件的目录位置
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; }; #运行哪些主机请求查询
/*
recursion.
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;#将自身主机作为客户端的一种查询方式
dnssec-enable yes; #sec功能,初学者不熟建议关闭
dnssec-validation yes;#同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;#区域类型{master(主)|slave(从)|hint(根)|forward(转发)}
file "named.ca";#要解析的域名,正向:域名本身(maedu.com).反向:IP反向.in-addr.arpa(1.2.168.192.in-addr.arpa)
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#注意事项: 每个配置语句必须以分号结尾, 花括号前后有空格(否则语法错误)
解析库文件:/var/named/ZONE_NAME.zone
[root@localhost ~]# ls /var/named/
data/ named.ca named.localhost slaves/
dynamic/ named.empty named.loopback
----------------分割线----------------
[root@localhost ~]# vim /var/named/named.ca
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE rcvd: 811
~
说明了DNS配置格式及相关知识之后在配置DNS服务之前,在介绍一下测试工具和配置文件语法检查命令.
检查配置文件语法错误:
named-checkconf [/etc/named.conf] (配置文件的路径,默认在/etc/named.conf不给路径则默认是当前目录下找配置文件)
named-checkzone ZONE_NAME ZONE_FILE 区域配置文件语法检查
[root@localhost ~]# named-checkconf /etc/named.conf
[root@localhost ~]#
#没有错误,所以没有提示信息
测试工具:常用的测试工具有dig, host, nslookup等,主要讲解dig命令,另外两个命令功能没有dig强大不做详解.
dig命令:dig用于测试dns系统,因此不会查询hosts文件内容.
dig [-t RR_TYPE] name [@SERVER] [query options]
查询选项:
+[no]trace:跟踪解析过程;
+[no]recurse:进行递归解析;
反向解析测试
dig -x IP
模拟完全区域传送:
dig -t axfr DOMAIN [@server]
[root@localhost ~]# dig -t A www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8176
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 183.232.231.173
www.a.shifen.com. 5 IN A 183.232.231.172
;; Query time: 4 msec
;; SERVER: 192.168.109.2#53(192.168.109.2)
;; WHEN: Sat Apr 07 18:31:07 CST 2018
;; MSG SIZE rcvd: 90
搭建主-辅服务器
为了保证DNS服务能够稳定的服务,不至于单个DNS服务出现故障是无法使用DNS服务的情况,因此配置主辅服务器是必须的.
主DNS服务器:维护所负责解析的域数据库的那台服务器;可以进行读写操作
辅DNS服务器:从主DNS服务器那里或其它的从DNS服务器那里“复制”一份解析库;辅DNS服务器只能查询不能修改
1. 在主服务器中进行配置:
配置/etc/named.conf 文件
[root@localhost slaves]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; }; #监听主机改为any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #允许查询改为any,任何主机
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #改为no
dnssec-enable no; #同上
dnssec-validation no; #同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
在/etc/named.rfc1912.zones文件中加入对应的zone
[root@localhost ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" { #添加正向解析域,
type master; #zone的类型是主服务器类型
file "magedu.com"; #文件名称,这个名声要和/var/named/目录下的文件名一致
allow-query { any; }; #允许查询的主机
allow-transfer { slaves; }; #只允许向从服务器区域传送
allow-update { none; }; #不允许动态更新区域数据库文件中内容
};
zone "1.168.192.in-addr.arpa" IN { #添加反向解析域
type master;
file "192.168.1.zone";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
view external { #这里定义了一个view模版,在智能DNS中会用到的
match-clients { slaves; };
zone "magedu.com" IN {
type master;
file "magedu.com.external";
allow-update { none; };
};
};
在/var/named目录下创建magedu.com文件并输入对应信息
$TTL 3600 #全局TTL否定时间
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
2018040806 #序列号,每次修改文件都要更新
1H #刷新时间
10M #刷新失败后重试间隔时间
5D #过期时间
500 ) #否定应答的TTL值
IN NS ns1.magedu.com. #每个NS都必须有个A记录,
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 192.168.1.105
web IN CNAME www
~
~
~
~
~
~
"/var/named/magedu.com" 14L, 254C
# @表示当前的区域名称(zone_name),相邻的两条记录其name相同时,后面的可省略不写的.
配置好主服务器的文件要检查配置文件是否出错
[root@localhost slaves]# named-checkconf /etc/named.conf
[root@localhost slaves]# named-checkzone magedu.com /var/named/magedu.com
zone magedu.com/IN: magedu.com/MX 'mail.magedu.com' has no address records (A or AAAA)
zone magedu.com/IN: loaded serial 2018040703
OK
之后要改用户改权限,最后重启服务.
[root@localhost ~]# chown named:named /var/named/magedu.com
[root@localhost ~]# chmod o= /var/named/magedu.com
[root@localhost ~]# ll /var/named/magedu.com
-rw-r-----. 1 named named 238 Apr 7 20:17 /var/named/magedu.com
[root@localhost ~]# rndc reload #也可以使用systemctl来重启named
server reload successful
2. 配置辅服务器:
辅服务器是要从主服务器那里同步数据的,所以只要配置好主配置文件,并在/etc/named.rfc1912.zones文件从加入对应的从服务器zone就行了
[root@localhost slaves]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; }; #监听主机改为any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #允许查询改为any,任何主机
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #改为no
dnssec-enable no; #同上
dnssec-validation no; #同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
在/etc/named.rfc1912.zones文件从加入对应的从服务器zone
[root@localhost slaves]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" IN { #正向解析zone
type slave; #从服务器
file "slaves/magedu.com "; #从服务器同步文件存放地址(/var/named/slaves/magedu.com)
masters { 192.168.1.105; }; #主服务器IP地址,注意格式
};
zone "1.168.192.zone" IN { #反向解析
type slave; #从服务器
file "slaves/1.168.192.zone";
masters { 192.168.1.105; }; #主服务器IP地址,注意格式是masters,前后有空格,结尾有分号.
};
要检查配置文件是否有语法错误
[root@localhost slaves]# named-checkconf /etc/named.conf
[root@localhost slaves]# rndc reload #重启成功说明没问题
server reload successful
最后在主从服务器同步之前为保证实验正常,先主从服务器上都关掉selinux和iptables
[root@localhost slaves]# iptables -F #清空防火墙
[root@localhost slaves]# setenforce 0
[root@localhost slaves]# getenforce
Permissive
现在就可以重启named,(先重启主服务器在重启从服务器,命令都一样只是要在两个服务器都执行一遍)
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl restart named
作为验证可以在从服务器上dig一下域名看是否能找到对应的IP地址
[root@localhost slaves]# dig -t A www.magedu.com @192.168.1.106
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.106
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62422
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 192.168.1.105
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 0 msec
;; SERVER: 192.168.1.106#53(192.168.1.106)
;; WHEN: Sun Apr 08 21:42:11 CST 2018
;; MSG SIZE rcvd: 93
#看到解析成功证明同步成功了
搭建并实现智能DNS
智能DNS就是可以根据不同客户端的用户在访问同一域名时能返回不一样的IP地址,比如电信的用户访问某网站时返回电信的IP地址,网通的用户访问同一网址时返回网通的IP地址,以加速网站的访问速度.下面简单介绍acl访问控制列表和view视图功能并演示一下智能DNS.
acl的格式
acl acl_name {
ip;
网络/子网掩码;
};
例子:
acl mynet {
192.168.0.0/24;
127.0.0.0/8;
};
#可以将一个网段的IP定义在一个acl里面,比如电信的做一个acl,网通的做一个acl,然后再view中调用不同的acl,做不同的处理.
bind有四个内置的acl
none:没有一个主机
any:任意主机
local:本机
localnet:本机所在的IP所属的网络
访问控制指令:
allow-query {}; 允许查询的主机
allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器
allow-recursion {}; 允许哪此主机向当前DNS服务器发起递归查询请求
allow-update {}; DDNS,允许动态更新区域数据库文件中内容,这个一般每个定义的zone都要禁止掉的,
view:视图
view VIEW_NAME {
zone
zone
zone
}
#每个view都要包含所有的zone,如果有一个zone在view的花括号外面则会报错,
view internal {
match-clients { 192.169.0.0/24; }; #匹配的IP地址,也可以写acl_name如:match-clients { "mynet"; any: }; 注意格式
zone "magedu.com" IN {
type master;
file "magedu.com/internal";
};
};
1. 修改/etc/named.conf配置文件
[root@localhost named]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl slaves { #定义不同的两个acl,当这两个不同的acl访问同一个智能DNS服务时可以做不同的处理
192.168.1.106;
192.168.1.108;
127.0.0.1;
};
acl mynet {
192.168.1.105;
127.0.0.1/8;
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*zone "." IN {
type hint;
file "named.ca";
};
*/ #因为view要包含所有的zone,所以这个zone移动到/etc/named.rfc1912.zones中
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2.修改/etc/named.rfc1912.zones配置文件添加不同的view
[root@localhost ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
view internal { #定义一个内部的view
match-clients { "mynet";}; #匹配mynet这个acl控制列表里的IP
zone "." IN { #对匹配的acl所支持的zone区域
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" { #内部的mynet所支持的zone,
type master;
file "magedu.com";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
};
view external { #定义一个外部的view,
match-clients { slaves; }; #只匹配slaves这个acl控制列表里对应的IP
zone "magedu.com" IN { #slaves所对应的zone区域
type master;
file "magedu.com.external";
allow-update { none; };
};
};
3. 在/var/named目录下编辑不同zone的配置文件
mynet这个acl控制列表的zone,当访问的IP在mynet这个acl控制列表的IP范围内时,所返回的结果如下配置:
$TTL 86440
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.magedu.com.
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 192.168.1.105
web IN CNAME www
~
~
~
~
~
~
~
~
~
"/var/named/magedu.com" 14L, 230C
slavest这个acl控制列表的zone,当访问的IP在slaves这个acl控制列表的IP范围内时,所返回的结果如下配置:
$TTL 86440
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.magedu.com.
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 2.2.2.1
web IN CNAME www
~
~
~
~
~
~
~
~
~
"magedu.com.external" 14L, 224C
4. 检查语法,并重启服务
[root@localhost named]# named-checkconf #默认可以不指定文件路径
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl restart named
[root@localhost named]#
5. 验证结果
访问同一个DNS服务器,在mynet这个acl控制列表里的IP访问结果
[root@localhost named]# dig -t A www.magedu.com @192.168.1.105
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31636
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 192.168.1.105
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 0 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Mon Apr 09 22:41:14 CST 2018
;; MSG SIZE rcvd: 93
#这里返回的是/var/named/magedu.com里面定义的结果
访问同一个DNS服务器,在slaves这个acl控制列表里的IP访问结果
[root@localhost ~]# dig -t A www.magedu.com @192.168.1.105
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64278
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 2.2.2.1 #这个位置显示就不一样了
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 1 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Mon Apr 09 22:38:55 CST 2018
;; MSG SIZE rcvd: 93
#这里返回的是/var/named/magedu.com.external里面定义的结果