1). Briefly describe the common encryption algorithms and how they work, preferably with diagrams.
Types of encryption algorithms:
symmetric encryption, public-key encryption, one-way encryption (hashing)
Characteristics of each type:
(1) Symmetric encryption: encryption and decryption use the same key
Commonly used ciphers:
DES: Data Encryption Standard
3DES: Triple DES
AES: Advanced Encryption Standard (128bits, 192bits, 256bits, 384bits)
Blowfish
Twofish
IDEA
RC6
CAST5
Properties:
1. Encryption and decryption use the same key;
2. The source data is split into fixed-size blocks, which are encrypted one by one
Drawbacks:
1. Too many keys to manage;
2. Key distribution is difficult;
(2) Public-key encryption: the key is split into a public key and a private key
Public key: derived from the private key; published to everyone; pubkey
Private key: created with a tool and kept by its owner, who must keep it secret; secret key
Property: data encrypted with the public key can only be decrypted with the matching private key, and vice versa
Uses:
Digital signatures: mainly let the receiver confirm the sender's identity
Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them;
Data encryption
Algorithms: RSA, DSA, ElGamal
DSS: Digital Signature Standard
DSA: Digital Signature Algorithm
(3) One-way encryption: extracts a fingerprint of the data; it can only be computed in one direction and cannot be reversed
Features: fixed-length output, avalanche effect;
Purpose: integrity verification
Algorithms:
md5: Message Digest 5, 128 bits
sha1: Secure Hash Algorithm 1, 160 bits
sha224, sha256, sha384, sha512
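An added example (not part of the original notes) that checks the three properties claimed above for the listed hash algorithms: fixed-length output, the avalanche effect (about half the digest bits change when one input bit flips), and integrity verification of a message against its fingerprint. Only the standard library is used; the sample message is constructed.

```python
# Added example (not from the original notes): checks the three stated
# properties of one-way hashes, using the algorithms listed above:
# fixed-length output, avalanche effect, integrity verification. Stdlib only.
import hashlib
import hmac

# Digest sizes in bits, as given in the notes above.
STATED_BITS = {"md5": 128, "sha1": 160, "sha224": 224,
               "sha256": 256, "sha384": 384, "sha512": 512}


def fingerprint(data: bytes, name: str = "sha256") -> str:
    """Hex digest of `data` under algorithm `name`."""
    return hashlib.new(name, data).hexdigest()


def fixed_length_holds(name: str) -> bool:
    """Fixed-length output: a 1-byte input and a 1 MiB input give digests
    of the same size, and that size is the one stated in the notes."""
    small = hashlib.new(name, b"a").digest_size * 8
    large = hashlib.new(name, b"a" * (1 << 20)).digest_size * 8
    return small == large == STATED_BITS[name]


def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the first byte: the smallest possible change."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def avalanche_ratio(name: str, data: bytes) -> float:
    """Fraction of digest bits that change when one input bit is flipped.
    For a sound hash this is close to 0.5: the avalanche effect."""
    h1 = int.from_bytes(hashlib.new(name, data).digest(), "big")
    h2 = int.from_bytes(hashlib.new(name, flip_one_bit(data)).digest(), "big")
    changed = bin(h1 ^ h2).count("1")
    return changed / STATED_BITS[name]


def integrity_ok(data: bytes, expected_hex: str, name: str = "sha256") -> bool:
    """Integrity verification: recompute the fingerprint and compare it in
    constant time, the way a download or package checker does."""
    return hmac.compare_digest(fingerprint(data, name), expected_hex)


if __name__ == "__main__":
    msg = b"constructed sample message for the hash demo"  # constructed input
    for alg in STATED_BITS:
        print(f"{alg:7s} fixed-length={fixed_length_holds(alg)} "
              f"avalanche={avalanche_ratio(alg, msg):.2f}")
    fp = fingerprint(msg)
    print("untampered:", integrity_ok(msg, fp))
    print("tampered:  ", integrity_ok(msg + b"!", fp))
```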
2). Set up Apache or Nginx and provide HTTPS access with a self-signed certificate; choose your own domain name for the certificate.
Step 1: generate the CA private key (the path must match the default openssl.cnf configuration):
[root@cherry ~]#(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Note: check that the generated private key is readable only by its owner (very important!)
[root@cherry ~]#ls /etc/pki/CA/private -l
-rw------- 1 root root 3243 Oct 7 08:35 cakey.pem
Step 2: generate the self-signed CA certificate (-x509 makes the output a self-signed certificate; without it the command only produces a certificate request; -new means create a new request)
[root@cherry ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
Step 3: create the directories and files the CA needs (three directories, two files)
[root@cherry ~]#mkdir -pv /etc/pki/CA/certs
[root@cherry ~]#mkdir -pv /etc/pki/CA/newcerts
[root@cherry ~]#mkdir -pv /etc/pki/CA/crl
[root@cherry ~]#touch /etc/pki/CA/serial
[root@cherry ~]#touch /etc/pki/CA/index.txt
[root@cherry ~]#ls /etc/pki/CA
cacert.pem certs crl index.txt newcerts private serial
Last step: write the starting serial number "01" to the serial file
[root@cherry ~]#echo "01" > /etc/pki/CA/serial
A server that needs a certificate for secure communication must ask the CA to sign one
- Steps (using httpd as the example):
- (1) The host that will use the certificate generates a private key and a certificate signing request;
- ~]#mkdir /etc/httpd/ssl
- ~]#cd /etc/httpd/ssl
- ~]#(umask 077; openssl genrsa -out httpd.key 2048)
- Actual session for step (1) on the httpd host:
[root@localhost ~]# yum -y install httpd
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: mirrors.aliyun.com
* updates: centos.ustc.edu.cn
Package httpd-2.4.6-67.el7.centos.6.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl/
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
[root@localhost ssl]# ls
httpd.key
- (2) Generate the certificate signing request
- ~]#openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:admin@magedu.com
[root@localhost ssl]# ls
httpd.csr httpd.key
- (3) Send the request to the CA host through a trusted channel (when scp asks to confirm an unknown host key, compare the fingerprint with the CA host's own before answering yes)
- scp <source file> root@<CA ip>:<destination>
[root@localhost ssl]# scp httpd.csr root@192.168.60.44:/tmp/
The authenticity of host '192.168.60.44 (192.168.60.44)' can't be established.
ECDSA key fingerprint is SHA256:Yrud4cR2ciZ9YozYfnmrDIF7Gw2Z5QQYdvijKEd6ol4.
ECDSA key fingerprint is MD5:f0:c1:27:00:b9:89:9e:67:1f:65:79:7a:d4:91:cd:63.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.60.44' (ECDSA) to the list of known hosts.
root@192.168.60.44's password: # enter the root password
httpd.csr
- (4) Sign the certificate on the CA host;
- ~]#openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 6 14:34:56 2018 GMT
Not After : Apr 6 14:34:56 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = ops
commonName = www.magedu.com
emailAddress = admin@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:36:D6:04:3A:7F:C6:F5:EC:CD:1D:C7:79:84:D3:BF:0D:D4:9F:6F
X509v3 Authority Key Identifier:
keyid:9E:8B:94:0E:BA:C9:37:DC:3F:65:3D:49:B6:BE:68:88:22:8E:4E:78
Certificate is to be certified until Apr 6 14:34:56 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# cat /etc/pki/CA/index.txt
V 190406110831Z 01 unknown /C=CN/ST=guangxi/O=maedu/OU=ops/CN=www.maedu.com/emailAddress=adc@maedu.com
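An added example (not part of the original notes) that parses the CA database /etc/pki/CA/index.txt which `openssl ca` updated above, and reports which issued certificates are still valid or due for renewal. In the real file the fields are tab-separated: status, expiry, revocation date, serial, file name, subject DN. The first sample line repeats the entry shown above; the second, a revoked certificate, is constructed.

```python
# Added example (not from the original notes): parses the OpenSSL CA database
# index.txt (status, expiry, revocation date, serial, file name, subject DN,
# tab-separated) and checks validity and upcoming expiry of issued certs.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SAMPLE_INDEX = (
    "V\t190406110831Z\t\t01\tunknown\t"
    "/C=CN/ST=guangxi/O=maedu/OU=ops/CN=www.maedu.com/emailAddress=adc@maedu.com\n"
    "R\t200101000000Z\t190501120000Z\t02\tunknown\t"
    "/C=CN/O=example/CN=old.example.test\n"   # constructed revoked entry
)


@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired
    expires: datetime
    revoked: Optional[datetime]  # empty in the file unless status is R
    serial: str
    subject: str

    @property
    def common_name(self) -> str:
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return ""


def parse_time(stamp: str) -> datetime:
    """index.txt stores UTCTime: YYMMDDHHMMSSZ (two-digit year)."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building a UTC 'now' for the checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, exp, rev, serial, _fname, subject = fields
        entries.append(IndexEntry(status, parse_time(exp),
                                  parse_time(rev) if rev else None, serial, subject))
    return entries


def still_valid(entry: IndexEntry, now: datetime) -> bool:
    return entry.status == "V" and entry.revoked is None and entry.expires > now


def expiring_within(entries: List[IndexEntry], now: datetime, days: int = 30) -> List[str]:
    """Serials of valid certificates that expire within `days`: a renewal check."""
    limit = now + timedelta(days=days)
    return [e.serial for e in entries if still_valid(e, now) and e.expires <= limit]
```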
3). Briefly describe how DNS servers work, and set up a master and a slave server.
DNS basics
1. What is DNS:
DNS: Domain Name System
2. Types of DNS servers:
- Master DNS server: maintains the database of the zone(s) it is responsible for; both read and write operations are possible.
- Slave DNS server: "copies" the zone database from the master or from another slave; only read operations are possible.
- Caching server: obtains name-to-IP mappings by querying other name servers and keeps frequently queried names locally to speed up lookups.
Hands-on configuration
(1) Server environment
Item | Configuration
---|---
Master server address | ip: 192.168.60.42
Slave server address | ip: 192.168.60.44
OS version | CentOS Linux release 7.5.1804
bind version | bind-9.9.4-61.el7_5.1.x86_64
(2) Setting up the master DNS server
1. Install the bind package
[root@CentOS7 ~]#rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf ## main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones ## zone configuration file
/etc/named.root.key
/etc/rndc.conf
....
[root@CentOS7 ~]#yum install bind -y
2. Edit the main configuration file
[root@CentOS7 ~]#vim /etc/named.conf
options {
listen-on port 53 { any; }; *** changed
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; }; *** changed (commented out)
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no; *** changed
dnssec-validation no; *** changed
3. Check the syntax of the main configuration file and start the bind service
[root@CentOS7 ~]#named-checkconf
[root@CentOS7 ~]#systemctl start named.service
[root@CentOS7 ~]#systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-10-09 12:21:37 CST; 8s ago
Process: 2839 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
4. Configure the zone definitions
[root@CentOS7 ~]#vim /etc/named.rfc1912.zones
// add the following zone definitions to the file:
zone "magedu.com" IN { ** forward zone
type master;
file "magedu.com.zone";
allow-update { none; };
};
zone "60.168.192.in-addr.arpa" IN { ** reverse zone
type master;
file "192.168.60.in-addr.zone";
};
5. Create the corresponding zone files
[root@CentOS7 ~]#cd /var/named
[root@CentOS7 named]#cp -a named.localhost magedu.com.zone
[root@CentOS7 named]#cp -a named.loopback 192.168.60.in-addr.zone
[root@CentOS7 named]#ll
total 24
-rw-r----- 1 root named 168 Dec 15 2009 192.168.60.in-addr.zone ** note the permissions
drwxrwx--- 2 named named 23 Oct 9 12:21 data
drwxrwx--- 2 named named 60 Oct 9 12:22 dynamic
-rw-r----- 1 root named 365 Oct 9 12:32 magedu.com.zone ** note the permissions
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Aug 27 23:40 slaves
6. Edit the zone data files
[root@CentOS7 named]#vim magedu.com.zone
$TTL 1D
@ IN SOA magedu.com. admin.magedu.com. (
2018101001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
IN MX 10 mail1.mageedu.com.
IN MX 20 mail2.mageedu.com.
ns IN A 192.168.60.42
mail1 IN A 192.168.60.42
mail2 IN A 192.168.60.50
www IN A 192.168.60.42
bbs IN CNAME www
ftp IN A 192.168.60.50
[root@CentOS7 named]#vim 192.168.60.in-addr.zone
$TTL 1D
@ IN SOA magedu.com. rname.invalid. (
2018101001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
42 IN PTR ns.magedu.com.
42 IN PTR mail1.magedu.com.
50 IN PTR mail2.magedu.com.
42 IN PTR www.magedu.com.
50 IN PTR ftp.magedu.com.
7. Check the syntax again and reload the service
[root@CentOS7 named]#named-checkconf
[root@CentOS7 named]#named-checkzone magedu.com /var/named/magedu.com.zone
[root@CentOS7 named]#named-checkzone 60.168.192.in-addr.arpa /var/named/192.168.60.in-addr.zone
zone 60.168.192.in-addr.arpa/IN: loaded serial 2018101001
OK
[root@CentOS7 named]#rndc reload
server reload successful
[root@CentOS7 named]#systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-10-09 12:21:37 CST; 18min ago
Process: 2839 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
8. Point the local resolver at this DNS server and test forward and reverse resolution
[root@CentOS7 named]#vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.60.42
[root@CentOS7 named]#dig -t axfr magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr magedu.com
;; global options: +cmd
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. 2018101001 86400 3600 604800 10800
magedu.com. 86400 IN NS ns.magedu.com.
magedu.com. 86400 IN MX 10 mail1.mageedu.com.
magedu.com. 86400 IN MX 20 mail2.mageedu.com.
bbs.magedu.com. 86400 IN CNAME www.magedu.com.
ftp.magedu.com. 86400 IN A 192.168.60.50
mail1.magedu.com. 86400 IN A 192.168.60.42
mail2.magedu.com. 86400 IN A 192.168.60.50
ns.magedu.com. 86400 IN A 192.168.60.42
www.magedu.com. 86400 IN A 192.168.60.42
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. 2018101001 86400 3600 604800 10800
;; Query time: 2 msec
;; SERVER: 192.168.60.42#53(192.168.60.42)
;; WHEN: Tue Oct 09 12:45:25 CST 2018
;; XFR size: 11 records (messages 1, bytes 293)
[root@CentOS7 named]#dig -t A www.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33893
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.168.60.42
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns.magedu.com.
;; ADDITIONAL SECTION:
ns.magedu.com. 86400 IN A 192.168.60.42
;; Query time: 0 msec
;; SERVER: 192.168.60.42#53(192.168.60.42)
;; WHEN: Tue Oct 09 12:40:55 CST 2018
;; MSG SIZE rcvd: 92
[root@CentOS7 named]#dig -x 192.168.60.42
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.60.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36597
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.60.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
42.60.168.192.in-addr.arpa. 86400 IN PTR ns.magedu.com.
42.60.168.192.in-addr.arpa. 86400 IN PTR mail1.magedu.com.
42.60.168.192.in-addr.arpa. 86400 IN PTR www.magedu.com.
;; AUTHORITY SECTION:
60.168.192.in-addr.arpa. 86400 IN NS ns.magedu.com.
;; ADDITIONAL SECTION:
ns.magedu.com. 86400 IN A 192.168.60.42
;; Query time: 0 msec
;; SERVER: 192.168.60.42#53(192.168.60.42)
;; WHEN: Tue Oct 09 13:02:34 CST 2018
;; MSG SIZE rcvd: 150
(3) Setting up the slave DNS server
1. Install the bind package and configure it as described for the master server above
[root@localhost ~]#yum install bind -y
[root@localhost ~]#vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1;192.168.60.44; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
2. Start bind and configure the corresponding zone definitions on the slave
[root@localhost ~]#systemctl start named.service
[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type slave;
file "slaves/magedu.com.zone";
masters { 192.168.60.42; }; *** the master server's IP must be added here
};
zone "60.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.60.in-addr.zone";
masters { 192.168.60.42; }; *** the master server's IP must be added here
};
[root@localhost ~]#named-checkconf
3. Switch back to the master DNS server and allow the slave's IP in the master's zone definitions
[root@CentOS7 named]#vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
allow-transfer { 192.168.60.44; }; *** the slave's IP; zone transfers are governed by allow-transfer, not allow-update
};
zone "60.168.192.in-addr.arpa" IN {
type master;
file "192.168.60.in-addr.zone";
allow-transfer { 192.168.60.44; }; *** the slave's IP; zone transfers are governed by allow-transfer, not allow-update
};
4. On the master DNS server, add the slave's IP and name to the zone data files
[root@CentOS7 named]#vim /var/named/magedu.com.zone
$TTL 1D
@ IN SOA magedu.com. admin.magedu.com. (
2018101001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
IN NS ns1.magedu.com.
IN MX 10 mail1.mageedu.com.
IN MX 20 mail2.mageedu.com.
ns IN A 192.168.60.42
ns1 IN A 192.168.60.44
mail1 IN A 192.168.60.42
mail2 IN A 192.168.60.50
www IN A 192.168.60.42
bbs IN CNAME www
ftp IN A 192.168.60.50
[root@CentOS7 named]#vim /var/named/192.168.60.in-addr.zone
$TTL 1D
@ IN SOA magedu.com. rname.invalid. (
2018101002 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
42 IN PTR ns.magedu.com.
44 IN PTR ns1.magedu.com.
42 IN PTR mail1.magedu.com.
50 IN PTR mail2.magedu.com.
42 IN PTR www.magedu.com.
50 IN PTR ftp.magedu.com.
[root@CentOS7 named]#named-checkconf
[root@CentOS7 named]#named-checkzone magedu.com /var/named/magedu.com.zone
[root@CentOS7 named]#named-checkzone 60.168.192.in-addr.arpa /var/named/192.168.60.in-addr.zone
5. Reload bind on the master server first, then switch to the slave and reload it, and wait for the transfer to complete. A slave only pulls a zone whose serial on the master is higher than the copy it already holds, so every edit to a master zone file must be accompanied by an incremented serial; the slave's AXFR output in step 6 below still shows serial 2018101001 and no ns1 record, which is what happens when the serial is not bumped.
[root@CentOS7 named]#rndc reload ** the master must be reloaded first, then the slave
6. Test forward and reverse resolution on the slave server
[root@localhost ~]#dig -t axfr magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr magedu.com
;; global options: +cmd
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. 2018101001 86400 3600 604800 10800
magedu.com. 86400 IN MX 10 mail1.mageedu.com.
magedu.com. 86400 IN MX 20 mail2.mageedu.com.
magedu.com. 86400 IN NS ns.magedu.com.
bbs.magedu.com. 86400 IN CNAME www.magedu.com.
ftp.magedu.com. 86400 IN A 192.168.60.50
mail1.magedu.com. 86400 IN A 192.168.60.42
mail2.magedu.com. 86400 IN A 192.168.60.50
ns.magedu.com. 86400 IN A 192.168.60.42
www.magedu.com. 86400 IN A 192.168.60.42
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. 2018101001 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 192.168.60.44#53(192.168.60.44)
;; WHEN: Tue Oct 09 13:26:48 CST 2018
;; XFR size: 11 records (messages 1, bytes 293)
[root@localhost ~]#dig -t A www.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19535
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.168.60.42
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns.magedu.com.
;; ADDITIONAL SECTION:
ns.magedu.com. 86400 IN A 192.168.60.42
;; Query time: 0 msec
;; SERVER: 192.168.60.44#53(192.168.60.44)
;; WHEN: Tue Oct 09 13:26:24 CST 2018
;; MSG SIZE rcvd: 92
[root@localhost ~]#dig -x 192.168.60.42
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.60.42
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56987
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;42.60.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
42.60.168.192.in-addr.arpa. 86400 IN PTR mail1.magedu.com.
42.60.168.192.in-addr.arpa. 86400 IN PTR ns.magedu.com.
42.60.168.192.in-addr.arpa. 86400 IN PTR www.magedu.com.
;; AUTHORITY SECTION:
60.168.192.in-addr.arpa. 86400 IN NS ns.magedu.com.
;; ADDITIONAL SECTION:
ns.magedu.com. 86400 IN A 192.168.60.42
;; Query time: 0 msec
;; SERVER: 192.168.60.44#53(192.168.60.44)
;; WHEN: Tue Oct 09 13:27:42 CST 2018
;; MSG SIZE rcvd: 150
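An added example (not part of the original notes) for the master/slave procedure above: it reads the SOA serial out of a zone file like /var/named/magedu.com.zone, computes the next serial in the YYYYMMDDnn scheme the notes use, and checks whether a slave holding a given serial would transfer. The zone text is constructed after the notes' file; the helper names are this example's own.

```python
# Added example (not from the original notes): reads the SOA serial from a
# BIND zone file and computes the next YYYYMMDDnn serial. A slave only
# transfers a zone whose master serial is higher than its own copy, so editing
# a zone without bumping the serial leaves the slave stale.
import re
from datetime import date

SAMPLE_ZONE = """\
$TTL 1D
@       IN SOA  magedu.com. admin.magedu.com. (
                2018101001      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        IN NS   ns.magedu.com.
        IN NS   ns1.magedu.com.
ns      IN A    192.168.60.42
ns1     IN A    192.168.60.44
"""


def _strip_comments(text: str) -> str:
    # Zone-file comments run from ';' to end of line.
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def soa_serial(zone_text: str) -> int:
    """Return the SOA serial, handling the multi-line parenthesised form."""
    flat = _strip_comments(zone_text)
    # Join "( ... )" onto one line so the SOA fields can be read in order.
    flat = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", flat)
    for line in flat.splitlines():
        tokens = line.split()
        if "SOA" in tokens:
            i = tokens.index("SOA")
            # after SOA: mname, rname, serial, refresh, retry, expire, minimum
            return int(tokens[i + 3])
    raise ValueError("no SOA record found")


def today_key() -> int:
    """Today's date as a YYYYMMDD integer (the prefix of a date-based serial)."""
    return int(date.today().strftime("%Y%m%d"))


def next_serial(current: int, today_yyyymmdd: int) -> int:
    """Next YYYYMMDDnn serial: today's date with nn=01, or current+1 when the
    current serial was already issued today (or is ahead of today's date)."""
    todays_first = today_yyyymmdd * 100 + 1
    return todays_first if current < todays_first else current + 1


def slave_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """DNS compares serials with RFC 1982 serial arithmetic; for increasing
    date-based serials that reduces to a plain integer comparison."""
    return master_serial > slave_serial


def set_serial(zone_text: str, new_serial: int) -> str:
    """Return the zone text with the SOA serial replaced (first occurrence)."""
    return zone_text.replace(str(soa_serial(zone_text)), str(new_serial), 1)
```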
4). Set up split-horizon ("smart") DNS
Item | Configuration
---|---
Beijing DNS server address | ip: 192.168.60.42
Shanghai DNS server address | ip: 192.168.6.128
OS version | CentOS Linux release 7.5.1804
bind version | bind-9.9.4-61.el7_5.1.x86_64
1. Install the bind package
[root@localhost ~]#yum install bind -y
2. Edit the main configuration file
[root@localhost named]#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl "beijing" { 192.168.60.0/24; }; *** defines which clients match
acl "shanghai" { 192.168.6.0/24; }; *** defines which clients match
options {
listen-on port 53 { any; }; *** changed
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; *** changed
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no; *** changed
dnssec-validation no; *** changed
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view bj {
match-clients { beijing; };
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.com" IN {
type master;
file "magedu.com.zone.bj";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view sh {
match-clients { shanghai; };
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.com" IN {
type master;
file "magedu.com.zone.sh";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view default {
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
//zone "." IN {
// type hint;
// file "named.ca";
//};
3. Create the corresponding zone files
[root@localhost ~]#cd /var/named
[root@localhost named]#cp -a named.localhost magedu.com.zone.bj
[root@localhost named]#cp -a named.localhost magedu.com.zone.sh
[root@localhost named]#ll
total 28
drwxrwx--- 2 named named 23 Oct 9 16:18 data
drwxrwx--- 2 named named 4096 Oct 9 16:19 dynamic
-rw-r----- 1 root named 213 Oct 9 16:14 magedu.com.zone.bj
-rw-r----- 1 root named 214 Oct 9 16:16 magedu.com.zone.sh
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Aug 27 23:40 slaves
4. Edit the zone data files
[root@localhost named]#vim /var/named/magedu.com.zone.bj
$TTL 1D
@ IN SOA magedu.com. admin.magedu.com. (
2018101001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
ns IN A 192.168.60.42
www IN A 192.168.60.100
[root@localhost named]#vim /var/named/magedu.com.zone.sh
$TTL 1D
@ IN SOA magedu.com. admin.magedu.com. (
2018101001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.magedu.com.
ns IN A 192.168.6.128
www IN A 192.168.6.100
5. Check the configuration syntax and reload
[root@localhost named]#named-checkconf
[root@localhost named]#named-checkzone magedu.com /var/named/magedu.com.zone.bj
zone magedu.com/IN: loaded serial 2018101001
OK
[root@localhost named]#named-checkzone magedu.com /var/named/magedu.com.zone.sh
zone magedu.com/IN: loaded serial 2018101001
OK
[root@localhost named]#rndc reload
6. Test resolution from the different regions
[root@localhost named]#nslookup
> server 192.168.60.42
Default server: 192.168.60.42
Address: 192.168.60.42#53
> set q=A
> www.magedu.com
Server: 192.168.60.42
Address: 192.168.60.42#53
Name: www.magedu.com
Address: 192.168.60.100
> exit
[root@localhost named]#nslookup
> server 192.168.6.128
Default server: 192.168.6.128
Address: 192.168.6.128#53
> www.magedu.com
Server: 192.168.6.128
Address: 192.168.6.128#53
Name: www.magedu.com
Address: 192.168.6.100
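An added example (not part of the original notes) that models how BIND chooses a view for a client: views are tried in the order they appear in named.conf and the first view whose match-clients ACL contains the source address answers, so the catch-all "default" view has to come last. The ACLs and A records mirror the named.conf and zone files above; the client addresses are constructed and the function names are this example's own.

```python
# Added example (not from the original notes): first-match view selection by
# client source address, with the ACLs and zone data from the named.conf above.
import ipaddress
from typing import Dict, List, Optional, Tuple

# acl "beijing" / acl "shanghai" from named.conf; "any" is BIND's built-in ACL
ACLS: Dict[str, List[str]] = {
    "beijing": ["192.168.60.0/24"],
    "shanghai": ["192.168.6.0/24"],
    "any": ["0.0.0.0/0"],        # IPv4 only in this model
}

# (view name, match-clients ACL, {zone: {host: A record}}), in named.conf order
VIEWS: List[Tuple[str, str, Dict[str, Dict[str, str]]]] = [
    ("bj", "beijing", {"magedu.com": {"ns": "192.168.60.42", "www": "192.168.60.100"}}),
    ("sh", "shanghai", {"magedu.com": {"ns": "192.168.6.128", "www": "192.168.6.100"}}),
    ("default", "any", {}),   # no magedu.com zone here: other clients get no answer
]


def acl_matches(acl: str, client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in ACLS[acl])


def select_view(client_ip: str) -> Optional[str]:
    """First-match semantics, as in BIND: order in named.conf decides."""
    for name, acl, _zones in VIEWS:
        if acl_matches(acl, client_ip):
            return name
    return None   # no view matched: BIND would refuse the query


def resolve_a(client_ip: str, fqdn: str) -> Optional[str]:
    """Answer an A query for host.zone from the selected view's zone data."""
    view = select_view(client_ip)
    if view is None:
        return None
    zones = next(z for n, _a, z in VIEWS if n == view)
    host, _, zone = fqdn.rstrip(".").partition(".")   # one-label hosts only
    records = zones.get(zone)
    return records.get(host) if records else None


def view_order_is_safe() -> bool:
    """A view matching 'any' must be last; views after it can never be chosen."""
    for i, (_name, acl, _zones) in enumerate(VIEWS):
        if acl == "any" and i != len(VIEWS) - 1:
            return False
    return True
```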