1、简述常见加密算法及常见加密算法原理,最好使用图例解说
在网络通信过程中不管是通过TCP还是UDP协议进行互联网中主机之间的通信时,数据都是通过明文进行传输的,容易使传输的数据被人劫持、篡改等,为了保护传输数据,传输数据加密就应运而生了,加密数据有单向加密、对称加密、非对称加密等,下面介绍常见的几种加密方式及原理。
对称加密:加密和解密使用同一个密钥并将原始数据分割成为固定大小的块,逐个进行加密,其安全性依赖于密钥而不是算法,其缺陷是密钥太多,密钥分发困难的情况,主要的加密方式有如下几种。
DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5
DES:算法为密码体制中的对称密码体制,又被称为美国数据加密标准是1972年美国IBM公司研制的对称密码体制加密算法。明文按64位进行分组,密钥长64位,分组后的明文组和56位的密钥按位替代或交换的方法形成密文组的加密方法。
DES算法结构.png
把输入的64位数据块按位重新组合,并把输出分为Lo、Ro两部分,每部分各长32位,其置换规则见下
DES算法流程.png
非对称加密:密钥分为公钥与私钥,用公钥加密的数据,只能使用与之配对的私钥解密,用私钥加密的数据只能用对应的公钥进行解密。
私钥通过工具创建,使用者自己留在,必须保证其私密性。
公钥从私钥中提取产生,可公开给所有人
主要用途有:
数字签名:主要在于让接收方确认发送方的身份
密钥交换:发送方用对方公钥加密一个对称密钥,并发送给对方
对进行数据加密等等,主要的加密方式有以下几种:
RSA, DSA, DSS
RSA:第一个既能用于数据加密也能用于数字签名的算法,它易于理解和操作,也很流行。算法的名字以发明者的名字命名,RSA加密是对明文的E次方后除以N后求余数的过程,可以使用一个通式来表达:
RSA加密.png
只要知道E和N任何人都可以进行RSA加密了,所以说E、N是RSA加密的密钥,也就是说E和N的组合就是公钥,我们用(E,N)来表示公钥
公钥=(E,N)
RSA的解密同样可以使用一个通式来表达
RSA解密.png
对密文进行D次方后除以N的余数就是明文,这就是RSA解密过程。知道D和N就能进行解密密文了,所以D和N的组合就是私钥
私钥=(D,N)
要生成密钥就要知道E,D,N,L(中间过程的中间数),其中各个数要满足如下要求:
N=p*q ;p,q为质数
L=lcm (p-1,q-1);L为p-1、q-1的最小公倍数
1<E<L,gcd(E,L)=1;E, L最大公约数为1(E和L互质)
1<D<L, E*D mod L = 1
求N
我们准备两个很小对质数, p = 17 q = 19
N = p * q = 323
求L
L = lcm(p-1, q-1)= lcm(16,18) = 144 (144为16和18对最小公倍数)
求E
求E必须要满足2个条件:1 < E < L ,gcd(E,L)=1
即1 < E < 144,gcd(E,144) = 1
E和144互为质数,5显然满足上述2个条件
故E = 5
此时公钥=(E,N)= (5,323)
求D
求D也必须满足2个条件:1 < D < L,E*D mod L = 1
即1 < D < 144,5 * D mod 144 = 1
显然当D= 29 时满足上述两个条件
1 < 29 < 144
5*29 mod 144 = 145 mod 144 = 1
此时私钥=(D,N)=(29,323)
根据上述结果,假设明文=123,带入公式则密文=255,解密过程带入解密公式即可.
单向加密:即提出数据指纹; 只能加密,不能解密,主要用于验证数据的完整性(提取数据的特征码)
其特性:
定长输出:无论原来的数据输出是多大的级别,输出的加密结果长度都是一样的.
雪崩效应:任何输入信息的变化,哪怕仅一位,都将导致散列结果的明显变化.
主要的加密方式有:
md5, sha1, sha224, sha256, sha384, sha512
md5:消息摘要算法第五版,为计算机安全领域广泛使用的一种散列函数,用以提供消息的完整性保护的一种加密技术.
MD5算法具有以下特点:
1、压缩性:任意长度的数据,算出的MD5值长度都是固定的。
2、容易计算:从原数据计算MD5值很容易。
3、抗修改性:对原数据进行任何改动,哪怕只修改1个字节,所得到的MD5值都有很大区别。
4、强抗碰撞:已知原数据和其MD5值,想找到一个具有相同MD5值的数据(即伪造数据)是非常困难。
MD5的加密流程图如下:
MD5算法流程图.png
更为具体的算法计算流程详见百科:
https://baike.baidu.com/item/MD5?fr=aladdin
2、搭建apache或者nginx并使用自签证书实现https访问,自签名证书的域名自拟
在实验环境中为apache或者nginx做CA证书自签可以使用openssl命令来实现,具体步骤如下:
构建私有CA:
- 生成私钥
- 生成自签证书
- 为CA提供所需的目录及文件
1.生成私钥
[root@zcy520ooooo ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...........................................................++
.................................................................................++
e is 65537 (0x10001)
#()括号起来的命令表示在子shell中运行,而不改变当前shell的umask的值.
-------------------------------------分割线-------------------------------------
[root@zcy520ooooo ~]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEA726LZmFnQCWihsvlNwhPV0REMLTOTzOq7NmAjEC2kco5a1AU
RyNY+uU5Mzc0C75CwfrMSBaq4KfXtcPeU6FU/DVjhxC03Y6oFLDejqH/ogfVaVAm
ArVceh44LNpbTHppIbbSmoRR90XUHW740HR8UK8wvG1grH9lhNErIeTGLRjJIUaa
8ZmYBtfGh1rzKGVn+IS+ZWXlTX3XyYXoVlCsoU2+sFnopX8oa0O6hI/KOcd4tFRM
jWaNEM2ATZNyJJdSLPi1+m96RRdeeOX6aPPd+UuxljkdfHRcRwjRTe6IIOkcuuVo
XLE/iM8HEquxIBYsIGlZ6oqi/4DwGaEhoIb+0G9V2UAfkxl/Va0D4WX1U3adhKum
zlV+1QSYlNgk8Xp6KBBu2xPXXvMhLhkykYDWWwWzTRllY47yn7Vt6ZCgTOHHVsHq
jbKjpqsk/6qohGgsea3UdxSU+OW2qCj7WFyhBkDbMz6cmUjoVA1av1TJnFgEpDv9
uz1tMP+1iBcVdw16GQZsPuMpL4LoR5PVXfkgDq6JYiCGPxAHp42ARuAh2kdLNZLv
eh++4MGrbd0C5IvZv9uIhSYBiZjNprz7YK6iCHrMaeUw1+sUyS7vppR+P9ndU18V
9irLostmEm2aqweMTPxRPGJ9T6USFokktNBeJO7A/6UFpR2dRc6TZQWp5z8CAwEA
AQKCAgAYlHirIgS/iR2OSRBW/ftnMhLuDSHA78T0W7/epiYYAXKzmZz7UJ2p5C5j
G5+0NOwVjfG61NjmB1UVy+3fGAjpe3GkRArNU//dX+r5KZhcwgEetqOwU34S61dJ
A4Gr8EUquOIWCs9/WyPTgbj5bXv1rIaMUY5DJzD82Zxb9miB6LF9QQpXEzWQPkab
TrL3yrFJyhbhwfwwYGLuxVh8w/t0885HvHMtykgT+vgC8+AG3nt9x8m0GnsQ5oft
bt2g9AfzpfTIqPkcbrG8J5/1dlOrbCHnEiX8yNVQVY9nOL2w4z2X0kVMfsXO/bH0
MLwWVzBgg3A/q8vf/xSnDOuu1y0BdhRP+g+zbLTjhAqoGyykHCRlnCqBQd3pC1Kt
1DvHg9OPAJYt+C2puRcwR48sdyy1O9sWOD6cUKMALZBa999rLv5GtvXCsQmogcmM
Wozceu39e/XIytG2I5JIjS9yGe8fU3yznnWw3M7ivTR2/VnDvu+NRfQhkdx7/Kcg
H2OQIJBCKwjMTKORDfqkXKXAQE9r5v1ZvBhktC/pxonxPY86xB8c0kKV5ZOwI8Fh
cNPBhXQ2J3v+l8+KRHjGNDtWMKjQQf/OfFHGNZ8d5vrYmkDS7t8EaBLH/cvPKrKp
6RLraZSfWDjV26CpWgFNlrGWEstPYag3jKGtNXDIUM1+upk8QQKCAQEA/O1bPD2m
zf+zHUNSperqhrR9TS4m2OUDUat3uZpat7e9lMXM4XI6E/RiBaibTlBLmKGgZ+Ny
CVhYUnXK1/uRi/VTRR9knoATwtoVwDattaIByjKfAhSL8/fQF7GJ4ZN4TEAomDCu
lIoeqyU/TbWG7O7tF037oc8sjzFtNH8cdVQ7hrO8MTbDt8l6g9LHg1A8O24Er7r8
SCDH0b25JwhGx7+ZSuW1aRSVLn2ucoiegSdKyAufxNv0YXeRM/TsYbPF1dsT3Thl
OdIAxqx3mrwcxFJ7KgNzBzeYEZ4Iyg5XqZ1SSjQk/8AbVf0Kv7wVVwe8tPF6RWVA
CeqYFq+vWiEcRQKCAQEA8lc3JuaVrYDYGbb2ogdkpVAnTz84hNnvyZ1RNocZDwv5
FrT7YvX3Ql/iWFqga2bYAP65DAjsYDADLfvApzOu6k/RXeEDrumt3itTsN3v+HVy
8dCKbWv+jPkhwJ9etqsvfgp8YA4wAzeRKBlV85F0XULpKOUJWVULF9E9pKdrLeXW
X1dus8dIuorGFqBie02u5TWEC1kUpGpzuwJ8ZCeQ734uV0fcJWgF43t57cfOXeJq
SBE2NHia2NtPLkFqaF1UzR76P/haDx4e7d2Hqo9ozaE+0xYpn6DxNoP7MJsSDeAH
S9QbyCkTov7XIDGmTvktl5S52aTkC448a993Q7xHswKCAQAqEQAfoNFhaanMsCnK
1qtzBAnjEE39vPk0WCRthjKYY8LwP4W36Vunffnfnw9Vkx0/oYIgRT/uNfdan6TB
D2JBuOfEk1gU1JB00/jSI0X4850AmDLCEdDFHu5JQooALprPc8xMo6wloGNBa8x/
jDWIqqRcP+geHWr31eyn0oxVJ1FPMg2W0djzdFsgGap9OJcL+1xkLeFPzcPuKnPk
/gdnqYJBZrspYvb86IJfIkHakUJqyyQjhcG7hDtuPMoj5dZ9nxZKsNqFJ1xhrsWl
wqu2K1G4xyIWjTSJmZM0p/YEi9nn5YxRzQ2+23syMIIMG4lTPuZrLE/eVlo9S7MK
dn9RAoIBAQC3SY12B4oHOt62vDHXJF5TxcalYjx+BlMcmrZU1mL2hWi0ateC5mNH
OTv49TpFYPhX8E/GsW0N5uJQwgrYqvdNUmcYaNofTa/py701lPYtZa81AzPfRIG2
36pOhHrfD6QQ4R9mivR3Smyn9lmSqV1oN/YervOeM/r63Y+Q2+rtQNsdKwSYRk5U
gCcH7+/sMDnqM8qVxp8dJ0I2m8+29FHjQP0NmFUBmaZyge4bEDadvWQC87maf+kl
wOEnK+St4IEFzrsY7N44duCPqTA1qNdsRts8TZPXnqMxRysRfQdvpRP/nwIQJjkq
2zGbsNGHA2EfNyZFXTf5IW/DarVKbrmPAoIBAQCZh2cX9zk0Svtt3UZIJmoDIeaK
/CBQ+4FFcO3n12ivTPnwVRCF8jFUUXcIYgEHd7xn1T6iyt81ftTZXpgp9BNCYUOs
IkOzyf97DYLTq24ik7GFN0Xumw3XZHSBvr48/B0kTGXIVeYIkqU3tRGQOIKtR+PY
1+QcveNoR/juItIYUhfsKfEH/zWwjM6mHX3+O1VnvnDAiotJNVOBQmq9GXxIqou3
6Tus72d1EmyoH6yu621QaDVdfmguVMq7peHwQxJfvmYt0qWNN7UtGThYfKTN7tGV
8oUVwhWsHKuIZW6dHV9R8EJZNbZ0SZ+JA7LSLG4YvjwtmnnAw53T2OC+ctTl
-----END RSA PRIVATE KEY-----
2.生成自签证书
用生成的私钥制作证书时,会自动从私钥里提取公钥来进行加密,命令格式如下:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
new:生成新证书签署请求;
x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
days:证书的有效时长,单位是day
[root@zcy520ooooo ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家名(简写)
State or Province Name (full name) []:Shanghai #所在的省会城市(全名)
Locality Name (eg, city) [Default City]:Shanghai #所在的本地城市
Organization Name (eg, company) [Default Company Ltd]:zcy520 #公司或者组织的名字
Organizational Unit Name (eg, section) []:ops #所在的部门(ops表示运维)
Common Name (eg, your name or your server's hostname) []:www.zcy520.com #服务器主机名或者个人申请的名称
Email Address []:307784305@qq.com #邮件地址
[root@zcy520ooooo ~]# ls
--------------------------分割线---------------------------
/etc/pki/CA/
cacert.pem crl/ newcerts/ serial
certs/ private/
3.为CA提供所需的目录及文件
要在/etc/pki/CA/目录下创建certs,crl,newcerts(默认可能不存在)三个目录和serial,index.txt(序列号和数据库文件)两个文件
[root@zcy520ooooo ~]# mkdir -v /etc/pki/CA/{certs,newcerts,crl}
mkdir: 无法创建目录"/etc/pki/CA/certs": 文件已存在
mkdir: 无法创建目录"/etc/pki/CA/newcerts": 文件已存在
mkdir: 无法创建目录"/etc/pki/CA/crl": 文件已存在
[root@zcy520ooooo ~]# touch /etc/pki/CA/{serial,index.txt}
[root@zcy520ooooo ~]# ls /etc/pki/CA
cacert.pem certs crl index.txt newcerts private serial
[root@zcy520ooooo ~]# echo 01 > /etc/pki/CA/serial #给定第一个证书的编号
需要向CA请求签署证书:
1.安装apache或者nginx(如果试验环境中没有)
2.用到证书的主机生成私钥
3.生成证书签署请求
4.将请求通过可靠方式发送给CA主机
5.在CA主机上签署证书
6.发送证书到需要签证的主机中
1. 安装apache或者nginx(如果试验环境中没有)
[root@zcy520ooooo ~]# rpm -q httpd
httpd-2.4.6-80.el7.centos.1.x86_64
#如果没有请使用yum install httpd -y安装即可
2. 用到证书的主机生成私钥
创建生成私钥的目录及生成私钥
[root@zcy520ooooo ~]# mkdir /etc/httpd/ssl
[root@zcy520ooooo ~]# cd /etc/httpd/ssl
[root@zcy520ooooo ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
............+++
e is 65537 (0x10001)
[root@zcy520ooooo ssl]# ls
httpd.key
#在当前目录下生成私钥
3. 生成证书签署请求
[root@zcy520ooooo ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:zcy520
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.zcy520.com
Email Address []:307784305@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#因为是自建CA,所以填写的信息,国家,地区,公司这些信息最好保持一臻
--------------------------------分割线-----------------------------
[root@zcy520ooooo ssl]# ls
httpd.csr httpd.key
4. 将请求通过可靠方式发送给CA主机
可以通过scp,等文件传输工具发送到CA主机上,这里是模拟环境可以用网络传输,实际环境中不应该用网络传输这种不安全的方式
[root@zcy520ooooo ssl]# scp httpd.csr root@192.168.80.30:/tmp/
The authenticity of host '192.168.80.30 (192.168.80.30)' can't be established.
ECDSA key fingerprint is SHA256:t37lf7ApkIkXlOgKy2DtpkNIwIRetIF72492IDdvp+U.
ECDSA key fingerprint is MD5:73:aa:fa:71:7c:90:00:5b:02:83:31:ee:84:ac:d4:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.30' (ECDSA) to the list of known hosts.
root@192.168.80.30's password: #输入root密码
httpd.csr 100% 1054 324.7KB/s 00:00
5. 在CA主机上签署证书
[root@zcy520ooooo ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 29 06:10:51 2018 GMT
Not After : Oct 29 06:10:51 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = zcy520
organizationalUnitName = ops
commonName = www.zcy520.com
emailAddress = 307784305@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5A:57:65:DF:20:D7:53:5D:11:53:00:AF:03:32:19:5A:CE:27:FD:42
X509v3 Authority Key Identifier:
keyid:E7:5D:D3:00:81:2B:F2:C5:65:90:6E:18:E1:F8:F4:DA:8E:FC:6F:56
Certificate is to be certified until Oct 29 06:10:51 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-------------------------------分割线--------------------------
[root@zcy520ooooo ~]# cat /etc/pki/CA/index.txt
V 191029061051Z 01 unknown /C=CN/ST=Shanghai/O=zcy520/OU=ops/CN=www.zcy520.com/emailAddress=307784305@qq.com
#出现这些信息说明签证成功了
6. 发送证书到需要签证的主机中
[root@zcy520ooooo ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.80.99:/etc/httpd/ssl/
The authenticity of host '192.168.80.99 (192.168.80.99)' can't be established.
ECDSA key fingerprint is SHA256:YcRd1YQjOtXBQUGnRo/xDj9Hm40UL3Fq7SWPvI5BYFU.
ECDSA key fingerprint is MD5:c1:16:8b:0d:04:d5:72:9c:9d:8f:0c:98:8e:cb:42:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.99' (ECDSA) to the list of known hosts.
root@192.168.80.99's password:
httpd.crt 100% 5873 491.4KB/s 00:00
---------------------------------分割线-----------------------------
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
#在签证主机上查看文件
3、简述DNS服务器原理,并搭建主-辅服务器
DNS是域名解析服务,是一种应用层的协议,互联网中主机之间的通信都是靠IP地址进行的,但是成千上万的IP地址繁杂又不方便人类记忆,DNS就是将主机的IP与对应的服务器名称对应起来,可以让主机在互联网中通过www.zcy520.com这样的域名访问互联网中与之对应IP的主机而不用一个一个IP的输入.域名服务器可以分为:
1.顶级域名(一级域名): .com .cn .net .org .gov .edu等等由全球13个根服务器来维护
2.二级域名:baidu.com magedu.com等等
3.三级域名:bbs.magedu.com等等二级域名对应的主机名称解析
主机与域名服务器之间的域名解析查询是递归查询,域名服务器之间的查询是迭代查询.根据DNS名称解析方式不同可以分:
正向解析:通过域名查询对应主机的IP地址.
反向解析:通过已知的IP地址查询对应的域名.
根据DNS服务器用途不同类型可以划分如下:
主名称服务器:负责解析至少一个域
辅助名称服务器:从主服务器里同步数据,输DNS服务器只能查询不能修改
缓存名称服务器:不负责解析域名,只是从指定的服务器缓存数据.
一些DNS服务配置文件的说明及测试工具:
区域数据库文件:
资源记录:Resource Record, 简称rr;
RR_TYPE 常见记录有类型:A, AAAA, PTR, SOA, NS, CNAME, MX
SOA:Start Of Authority,起始授权记录; 一个区域解析库有且只能有一个SOA记录,而且必须放在第一条;
NS:Name Service,域名服务记录;一个区域解析库可以有多个NS记录;其中一个为主的;
A: Address, 地址记录,FQDN --> IPv4;(一个A是32位)
AAAA:地址记录, FQDN --> IPv6;
CNAME:Canonical Name,别名记录;
PTR:Pointer,IP --> FQDN
MX:Mail eXchanger,邮件交换器;
优先级:0-99,数字越小优先级越高
FQDND: 完整主机名
资源记录的定义格式:
语法: name [TTL] IN RR_TYPE value
SOA:
name: 当前区域的名字;例如”mageud.com.”,或者“2.3.4.in-addr.arpa.”;
value:有多部分组成
(1) 当前区域的区域名称(也可以使用主DNS服务器名称);
(2) 当前区域管理员的邮箱地址;但地址中不能使用@符号,一般使用点号来替代;
(3) (主从服务协调属性的定义以及否定答案的TTL)
例如:
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. (
2017010801 ; serial,序列号,主服务器数据库内容发生变化时,其版本号递增(这样从服务器摘能更新数据库)
2H(小时) ; refresh,刷新时间,从服务器间隔多久到主服务器检查序列号更新状况
10M(分钟) ; retry,重试时间,主从服务器同步解析库失败时,再次发起尝试请求的时间间隔
1W(周) ; expire,过期时间,一直同步失败多久之后停止从服务器同步数据的时间
1D(天) ; negative answer ttl,否定答案的时间(一直查询不到答案返回结果的最长时间)
)
NS:
name: 当前区域的区域名称
value:当前区域的某DNS服务器的名字,例如ns.magedu.com.;
注意:一个区域可以有多个ns记录;
例如:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.
MX:
name: 当前区域的区域名称
value:当前区域某邮件交换器的主机名;
注意:MX记录可以有多个;但每个记录的value之前应该有一个数字表示其优先级;
例如:
magedu.com. IN MX 10 mx1.magedu.com.
magedu.com. IN MX 20 mx2.magedu.com.
A:
name:某FQDN,例如www.magedu.com.
value:某IPv4地址;
例如:
www.magedu.com. IN A 1.1.1.1
www.magedu.com. IN A 1.1.1.2
bbs.magedu.com. IN A 1.1.1.1
AAAA:
name:FQDN
value: IPv6
PTR:
name:IP地址,有特定格式,IP反过来写,而且加特定后缀;例如1.2.3.4的记录应该写为4.3.2.1.in-addr.arpa.;
value:FQND
例如:
4.3.2.1.in-addr.arpa. IN PTR www.magedu.com.
CNAME:
name:FQDN格式的别名;
value:FQDN格式的正式名字;
例如:
web.magedu.com. IN CNAME www.magedu.com.
对于上面的配置格式有以下几点注意的地方:
1.TTL可以从全局继承
2.@表示当前区域的名称;
3.相邻的两条记录其name相同时,后面的可省略;
4.对于正向区域来说,各MX,NS等类型的记录的value为FQDN,此FQDN应该有一个A地址(IPv4地址)记录
DNS是一种协议,在服务器中实现这种协议的程序是bind,而bind程序的运行的进程名为:named,bind的主要配置有:
主配置文件: /etc/name.conf
没有name.conf的话说明没有安装bind,请先使用yum install -y bind 安装后即会在/etc/下生成name.conf
主配置文件格式:
全局配置段:
option { ... }
日志配置段:
logging { ... }
区域配置段:
zone { ... }
注意:花括号前后必须要有一个空格,并且每个配置语句必须以分号结尾
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; }; #监听的端口,哪些主机可以访问解析
listen-on-v6 port 53 { ::1; }; #后面一定要有分号(;)结束,花括号前后有空格
directory "/var/named"; #对应数据库文件的目录位置
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; }; #运行哪些主机请求查询
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes; #将自身主机作为客户端的一种查询方式
dnssec-enable no; #sec功能,初学者建议关闭
dnssec-validation no; #同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint; #区域类型{master(主)|slave(从)|hindt(根)|forward(转发)}
file "named.ca"; #要解析的域名,正向:域名本身(zcy520.com).反向:IP反向.in-addr.arpa(1.2.168.192.in-addr.arpa)
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#注意事项:每个配置语句必须以分号结尾,花括号前后有空格(否则语法错误)
解析库文件:/var/named/ZONE_NAME.zone
[root@zcy520ooooo ~]# ls /var/named/
data dynamic named.ca named.empty named.localhost named.loopback slaves
-------------------------------分割线------------------------------
[root@zcy520ooooo ~]# vim /var/named/named.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17380
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN A 192.228.79.201
b.root-servers.net. 3600000 IN AAAA 2001:500:84::b
c.root-servers.net. 3600000 IN A 192.33.4.12
c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
d.root-servers.net. 3600000 IN A 199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
e.root-servers.net. 3600000 IN A 192.203.230.10
e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A 192.112.36.4
g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d
h.root-servers.net. 3600000 IN A 198.97.190.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE rcvd: 811
说明了DNS配置格式及相关知识之后在配置DNS服务之前,在介绍一下测试工具和配置文件语法检查命令.
检查配置文件语法错误:
named-chechkconf/etc/named.conf
named-checkzone ZONE_NAME ZONE_FILE区域配置文件语法检查
[root@zcy520ooooo ~]# named-checkconf /etc/named.conf
[root@zcy520ooooo ~]#
#没有错误,所以没有提示信息
测试工具:常用的测试工具有dig, host, nslookup 等,主要讲解dig命令,另外两个命令功能没有dig强大不做详解.
dig命令:
dig [-t RR_TYPE] name [@SERVER] [query options]
用于测试dns系统,因此其不会查询hosts文件;
查询选项:
+[no]trace:跟踪解析过程;
+[no]recurse:进行递归解析;
注意:反向解析测试
dig -x IP
模拟完全区域传送:
dig -t axfr DOMAIN [@server]
[root@zcy520ooooo ~]# dig -t A www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11730
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 300 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 115.239.210.27
www.a.shifen.com. 300 IN A 115.239.211.112
;; Query time: 2 msec
;; SERVER: 202.96.209.5#53(202.96.209.5)
;; WHEN: 一 10月 29 17:23:48 CST 2018
;; MSG SIZE rcvd: 90
搭建主-从服务器
为了保证DNS服务能够稳定的服务,不至于单个DNS服务出现故障是无法使用DNS服务的情况,因此配置主辅服务器是必须的.
主DNS服务:维护所负责解析的域数据库的那台服务器;可以进行读写操作
辅DNS服务器:从主DNS服务器那里或其它的从DNS服务器那里"复制"一份解析库;辅DNS服务器只能查询不能修改
1.在主服务器中进行配置
配置/etc/named.conf文件
[root@zcy520ooooo ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.177.133; }; #监听主机加入主机IP,或改为{ any; }都可以
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #允许查询改为any,任何主机
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #改为no
dnssec-enable no; #同上
dnssec-validation no; #同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
在/etc/named.rfc1912.zones文件中加入对应的zone
[root@localhost named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "zcy520.com" IN { #添加正向解析域
type master; #zone的类型是主服务器类型
file "zcy520.com.zone"; #文件名称,这个名称要和/var/named/目录下的文件名一致
allow-query { any; }; #允许查询的主机
allow-update { none; }; #不允许动态更新区域数据库文件中内容
};
zone "177.168.192.in-addr.arpa" IN { #添加反向解析域
type master;
file "192.168.177.zone";
allow-query { any; };
allow-update { none; };
};
#访问控制指令:
#allow-query {}; 允许查询的主机;白名单;
#allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器;
#allow-recursion {}; 允许哪此主机向当前DNS服务器发起递归查询请求;
#allow-update {}; DDNS,允许动态更新区域数据库文件中内容;
在/var/named目录下创建zcy520.com.zone和192.168.177.zone文件并输入对应信息
[root@localhost named]# vim /var/named/zcy520.com.zone
$TTL 3600 #全局TTL否定时间,以秒为单位
$ORIGIN zcy520.com. #后面的小数点不能漏,否则会语法错误
@ IN SOA ns1.zcy520.com. dnsadmin.zcy520.com. (
2018103001 #序列号,每次修改此文件都要更新
1H #刷新时间
10M #刷新失败后的重试间隔时间
3D #过期时间
1D ) #否定应答的TTL值
IN NS ns1 #每个NS都必须有A记录
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.177.133
mx1 IN A 192.168.177.134
mx2 IN A 192.168.177.135
www IN A 192.168.177.133
web IN CNAME www
# @表示当前的区域名称(zone_name),相邻的两条记录其name相同时,后面的可省略不写的
--------------------------------------------------------------------------------------------
[root@localhost named]# vim /var/named/192.168.177.zone
$TTL 3600
$ORIGIN 177.168.192.in-addr.arpa.
@ IN SOA ns1.zcy520.com. nsadmin.zcy520.com. (
2018103001
1H
10M
3D
12H )
IN NS ns1.zcy520.com.
133 IN PTR ns1.zcy520.com.
134 IN PTR mx1.zcy520.com.
135 IN PTR mx2.zcy520.com.
133 IN PTR www.zcy520.com.
配好主服务器的文件要检查配置文件是否出错
[root@localhost named]# named-checkconf /etc/named.conf
[root@localhost named]# named-checkzone zcy520.com /var/named/zcy520.com.zone
zone zcy520.com/IN: loaded serial 2018103001
OK
[root@localhost named]# named-checkzone 177.168.192.in-addr.arpa. /var/named/192.168.177.zone
zone 177.168.192.in-addr.arpa/IN: loaded serial 2018103001
OK
#提示OK就说明成功
之后更改用户权限和属组,最后重启服务
[root@localhost named]# chgrp named /var/named/zcy520.com.zone
[root@localhost named]# chmod o= /var/named/zcy520.com.zone
[root@localhost named]# chgrp named /var/named/192.168.177.zone
[root@localhost named]# chmod o= /var/named/192.168.177.zone
[root@localhost named]# ll zcy520.com.zone 192.168.177.zone
-rw-r-----. 1 root named 374 10月 30 14:38 192.168.177.zone
-rw-r-----. 1 root named 266 10月 30 13:03 zcy520.com.zone
[root@localhost named]# rndc reload #也可以用systemctl 来重启named
server reload successful
2.配置从服务器:
从服务器是要从主服务器那里同步数据的,所以只要配置好主配置文件,并在/etc/name.rfc1912.zones文件中加入对应的从服务器zone就行了
[root@localhost ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.177.134; }; #监听主机改为本机IP,或改为{ any; } 都可以
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #允许查询改为any,任何主机
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #改为no
dnssec-enable no; #同上
dnssec-validation no; #同上
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
在/etc/named.rfc1912.zones文件中加入对应的从服务器zone
[root@localhost ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "zcy520.com" IN { #添加正向解析域
type slave; #从服务器
file "slaves/zcy520.com.zone"; #从服务器同步文件存放地址/var/named/slaves/目录下的一个文件
masters { 192.168.177.133; }; #主服务器IP地址,注意格式
};
zone "177.168.192.zone" IN { #添加反向解析域
type slave; #从服务器
file "slaves/192.168.177.zone";
masters { 192.168.177.133; }; #主服务器IP地址,注意格式是masters,前后有空格,结尾有分号
};
更改本地DNS服务器并测试正反向解析
[root@localhost named]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.177.133
[root@localhost named]# dig -t axfr zcy520.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr zcy520.com
;; global options: +cmd
zcy520.com. 3600 IN SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400
zcy520.com. 3600 IN NS ns1.zcy520.com.
zcy520.com. 3600 IN MX 10 mx1.zcy520.com.
zcy520.com. 3600 IN MX 20 mx2.zcy520.com.
mx1.zcy520.com. 3600 IN A 192.168.177.134
mx2.zcy520.com. 3600 IN A 192.168.177.135
ns1.zcy520.com. 3600 IN A 192.168.177.133
web.zcy520.com. 3600 IN CNAME www.zcy520.com.
www.zcy520.com. 3600 IN A 192.168.177.133
zcy520.com. 3600 IN SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400
;; Query time: 1 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 14:55:39 CST 2018
;; XFR size: 10 records (messages 1, bytes 253)
[root@localhost named]# dig -t A www.zcy520.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24968
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy520.com. IN A
;; ANSWER SECTION:
www.zcy520.com. 3600 IN A 192.168.177.133
;; AUTHORITY SECTION:
zcy520.com. 3600 IN NS ns1.zcy520.com.
;; ADDITIONAL SECTION:
ns1.zcy520.com. 3600 IN A 192.168.177.133
;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 14:57:38 CST 2018
;; MSG SIZE rcvd: 93
[root@localhost named]# dig -x 192.168.177.133
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57526
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;133.177.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
133.177.168.192.in-addr.arpa. 3600 IN PTR www.zcy520.com.
133.177.168.192.in-addr.arpa. 3600 IN PTR ns1.zcy520.com.
;; AUTHORITY SECTION:
177.168.192.in-addr.arpa. 3600 IN NS ns1.zcy520.com.
;; ADDITIONAL SECTION:
ns1.zcy520.com. 3600 IN A 192.168.177.133
;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 15:08:53 CST 2018
;; MSG SIZE rcvd: 133
4、搭建并实现智能DNS
智能DNS是可以根据不同客户端的用户在访问同一域名时能返回不一样的IP地址,比如电信的用户访问某网站时返回电信的IP地址,网通的用户访问同一网址时返回网通的IP地址,以加速网站的访问速度.下面简单介绍acl访问控制列表和view视图功能并演示一下智能DNS.
acl:访问控制列表;把一个或多个地址归并一个命名的集合,随后通过此名称即可对此集全内的所有主机实现统一调用;
acl acl_name {
ip;
net/prelen;
};
示例:
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
bind有四个内置的acl
none:没有一个主机;
any:任意主机;
local:本机;
localnet:本机所在的IP所属的网络;
访问控制指令:
allow-query {}; 允许查询的主机;白名单;
allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器;
allow-recursion {}; 允许哪此主机向当前DNS服务器发起递归查询请求;
allow-update {}; DDNS,允许动态更新区域数据库文件中内容;
bind view:
视图:
view VIEW_NAME {
zone
zone
zone
}
#每个view都要包含所有的zone,如果有一个zone在view的花括号外面则会报错
view internal {
match-clients { 192.168.0.0/24; }; #匹配的IP地址,也可以写acl_name如:match-clients { "mynet"; any: }; 注意格式
zone "zcy520.com" IN {
type master;
file "zcy520.com/internal";
};
};
1.修改/etc/named.conf配置文件
[root@localhost named]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl slaves { #定义不同的两个acl,当这两个不同的acl访问同一个智能DNS服务时可以做不同的处理
192.168.177.134;
192.168.177.135;
127.0.0.1;
};
acl mynet {
192.168.177.133;
127.0.0.1/8;
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*zone "." IN {
type hint;
file "named.ca";
};
*/ #因为view要包含所有的zone,所以这个zone移动到/etc/named.rfc1912.zones中
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2.修改/etc/named.rfc1912.zones配置文件添加不同的view
[root@localhost ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
view internal { #定义一个内部的view
match-clients { "mynet";}; #匹配mynet这个acl控制列表里的IP
zone "." IN { #对匹配的acl所支持的zone区域
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "zcy520.com" { #内部的mynet所支持的zone,
type master;
file "zcy520.com";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
zone "177.168.192.in-addr.arpa" IN {
type master;
file "192.168.177.zone";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
};
view external { #定义一个外部的view,
match-clients { slaves; }; #只匹配slaves这个acl控制列表里对应的IP
zone "zcy520.com" IN { #slaves所对应的zone区域
type master;
file "zcy520.com.external";
allow-update { none; };
};
};
3.在/var/named目录下编辑不同zone的配置文件
mynet这个acl控制列表的zone,当访问的IP在mynet这个acl控制列表的IP范围内时,所返回的结果如下配置:
$TTL 86440
@ IN SOA ns1.zcy520.com. dnsadmin.zcy520.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.zcy520.com.
IN MX 10 mx1.zcy520.com.
ns1 IN A 192.168.177.133
mx1 IN A 192.168.177.133
www IN A 192.168.177.133
web IN CNAME www
slavest这个acl控制列表的zone,当访问的IP在slaves这个acl控制列表的IP范围内时,所返回的结果如下配置:
$TTL 86440
@ IN SOA ns1.zcy520.com. dnsadmin.zcy520.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.zcy520.com.
IN MX 10 mx1.zcy520.com.
ns1 IN A 192.168.177.133
mx1 IN A 192.168.177.133
www IN A 2.2.2.1
web IN CNAME www
4.检查语法,并重启服务
[root@localhost named]# named-checkconf #默认可以不指定文件路径
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl restart named
[root@localhost named]#
5.验证结果
访问同一个DNS服务器,在mynet这个acl控制列表里的IP访问结果
[root@localhost named]# dig -t A www.zcy520.com @192.168.177.133
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com @192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25423
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy52.com. IN A
;; ANSWER SECTION:
www.zcy520.com. 86440 IN A 192.168.177.133
;; AUTHORITY SECTION:
zcy520.com. 86440 IN NS ns1.zcy520.com.
;; ADDITIONAL SECTION:
ns1.zcy520.com. 86440 IN A 192.168.177.133
;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 16:44:04 CST 2018
;; MSG SIZE rcvd: 93
#这里返回的是/var/named/zcy520.com里面定义的结果
访问同一个DNS服务器,在slaves这个acl控制列表里的IP访问结果
[root@localhost ~]# dig -t A www.zcy520.com @192.168.177.133
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com @192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64278
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy520.com. IN A
;; ANSWER SECTION:
www.zcy520.com. 86440 IN A 2.2.2.1 #这个位置显示就不一样了
;; AUTHORITY SECTION:
zcy520.com. 86440 IN NS ns1.zcy520.com.
;; ADDITIONAL SECTION:
ns1.zcy520.com. 86440 IN A 192.168.177.133
;; Query time: 1 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 16:49:02 CST 2018
;; MSG SIZE rcvd: 93
#这里返回的是/var/named/zcy520.com.external里面定义的结果
