I. Briefly describe the common encryption algorithms and how they work, preferably with diagrams
There are four common kinds of cryptographic primitive: symmetric encryption, public-key (asymmetric) encryption, one-way encryption (hashing) and key exchange.
Symmetric encryption
Characteristics:
1. Encryption and decryption use the same key;
2. The source data is split into fixed-size blocks, which are encrypted one after another;
Common algorithms:
DES: Data Encryption Standard. The encrypting side turns 64 bits of plaintext into 64 bits of ciphertext, and the decrypting side turns the 64-bit ciphertext back into the 64-bit plaintext; one block is 64 bits (8 bytes), encryption and decryption use a 56-bit key, and DES runs 16 rounds.
3DES: Triple DES, DES applied three times in succession.
AES: Advanced Encryption Standard, supporting lengths of 128, 192, 256 and 384 bits.
Blowfish: a symmetric block cipher with a 64-bit block and a variable-length key, used to encrypt data in 64-bit blocks.
Twofish: the successor cipher to Blowfish.
IDEA: International Data Encryption Algorithm, developed from DES and similar to triple DES.
Public-key (asymmetric) encryption
Characteristics:
1. Encrypt with the public key, decrypt with the private key;
2. Encrypt with the private key, decrypt with the public key;
Common algorithms:
RSA
DSA
ElGamal
One-way encryption (hashing)
Characteristics:
1. Fixed-length output: however large the input data, the result always has the same length;
2. Avalanche effect: a tiny change in the data produces a completely different result;
Common use: data integrity verification
Common algorithms:
MD5
SHA-1
SHA-224, SHA-256, SHA-384, SHA-512
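The two properties above (fixed-length output and the avalanche effect), and the integrity check they are used for, written out in Python as an added example that is not part of the original post. The sample input is constructed; everything else is the Python standard library (hashlib, hmac).

```python
"""Added example: fixed-length output, avalanche effect and an integrity check
for one-way hashes, using only the Python standard library."""
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "sha256") -> bytes:
    """Raw digest of data under the named algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).digest()


def output_sizes(algorithm: str, inputs) -> set:
    """Fixed-length output: the set of digest sizes seen across inputs of very
    different lengths. For a hash function this set always has exactly one member."""
    return {len(digest(d, algorithm)) for d in inputs}


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(algorithm: str, data: bytes, bit_index: int = 0) -> float:
    """Avalanche effect: fraction of digest bits that change when a single input
    bit flips. For a sound hash this is close to 0.5 whichever bit is flipped."""
    h1 = digest(data, algorithm)
    h2 = digest(flip_bit(data, bit_index), algorithm)
    return hamming_distance(h1, h2) / (8 * len(h1))


def verify_integrity(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest of the received data and compare it
    with the published value (e.g. from a download page) in constant time."""
    return hmac.compare_digest(digest(data, algorithm).hex(), published_hex.lower())


if __name__ == "__main__":
    sample = b"Welcome to www.bitemecake.biz!\n"  # constructed sample input
    for alg in ("md5", "sha1", "sha256", "sha512"):
        sizes = output_sizes(alg, [b"", sample, sample * 10000])
        print(f"{alg:7s} digest sizes={sizes} avalanche={avalanche_ratio(alg, sample):.3f}")
```

Running it prints, for each algorithm, the single digest size observed across an empty input, a short string and a 300 KB input, and the fraction of digest bits that change when one input bit flips, which sits near 0.5 for every listed algorithm. MD5 and SHA-1 still show both properties but are no longer collision-resistant, so an integrity check that must hold up against a deliberate substitution, rather than against transmission errors, should use the SHA-2 family.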
Key exchange
Common use: IPsec VPN
Common algorithms:
RSA
DH
ECDH
ECDHE
The complete process of encrypted data communication:
Encryption:
Step 1: the sender computes a fingerprint (digest) of the data with a one-way hash algorithm;
Step 2: the sender encrypts the fingerprint with its own private key and appends the result to the data;
Step 3: the sender generates a temporary symmetric key and encrypts the whole message with it;
Step 4: the sender encrypts the symmetric key from the previous step with the receiver's public key and appends it to the message;
Decryption:
Step 1: the receiver decrypts the symmetric key with its own private key
Step 2: the receiver decrypts the message with the symmetric key
Step 3: the receiver decrypts the fingerprint with the sender's public key and confirms the sender's identity
An SSL session consists of three main steps:
1. The client requests the server's certificate and verifies it;
2. The two sides negotiate a "session key";
3. The two sides communicate encrypted with the "session key";
until the connection is closed.
SSL Handshake Protocol:
Phase 1: ClientHello:
supported protocol versions, e.g. TLS 1.2;
a random number generated by the client, used later to derive the "session key";
supported cipher algorithms, e.g. AES, RSA;
supported compression algorithms;
Phase 2: ServerHello
the protocol version chosen for the encrypted connection, e.g. TLS 1.2;
a random number generated by the server, used later to derive the "session key";
the chosen cipher;
the server certificate;
Phase 3:
the client verifies the server certificate and, once it checks out, extracts the public key (checks: issuing CA, certificate integrity, certificate holder, validity period, revocation list);
the client then sends the server:
a random number;
a change-cipher-spec notice, indicating that all subsequent messages will be sent with the cipher and key the two sides agreed on;
a client handshake-finished notice;
Phase 4:
after receiving the client's third random number, the pre-master key, the server computes the "session key" used for this session;
the server then sends the client:
a change-cipher-spec notice, indicating that all subsequent messages will be sent with the cipher and key the two sides agreed on;
a server handshake-finished notice
II. Set up Apache or nginx and use a self-signed certificate to provide HTTPS access; choose your own domain name for the self-signed certificate
Step 1: set up a simple HTTP service with Apache
[root@webserver ~]# yum install -y -q httpd
[root@webserver ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 19 2015 21:43:13
[root@webserver ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@webserver ~]# echo 'Welcome to www.bitemecake.biz!' > /var/www/html/index.html
[root@webserver ~]# systemctl start httpd
[root@webserver ~]# firewall-cmd --permanent --add-service=http
success
[root@webserver ~]# firewall-cmd --reload
success
[root@webserver ~]# ss -tan | grep 80
LISTEN 0 128 :::80 :::*
Confirm that the HTTP service is working:
Step 2: build a private CA
1. Generate the CA private key:
[root@webserver ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................++
...........++
e is 65537 (0x10001)
2. Generate the self-signed CA certificate:
[root@webserver ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake
Organizational Unit Name (eg, section) []:manager
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:27****324@qq.com
[root@webserver ~]#
-new: generate a new certificate signing request;
-x509: generate a self-signed certificate; used only when creating a private CA;
-key: path to the private key file used to generate the request;
-out: path of the generated request file; for a self-signing operation the signed certificate is written there directly;
-days: validity period of the certificate, in days;
3. Provide the directories and files the CA needs:
[root@webserver ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@webserver ~]# touch /etc/pki/CA/{serial,index.txt}
[root@webserver ~]# echo 01 > /etc/pki/CA/serial
Step 3: a server that needs a certificate for secure communication requests a signed certificate from the CA:
1. The host that will use the certificate generates a private key:
[root@webserver ~]# mkdir /etc/httpd/ssl
[root@webserver ~]# cd /etc/httpd/ssl
[root@webserver ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2. Generate the certificate signing request:
[root@webserver ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:76*****37@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:biteme
3. Send the request to the CA host by a trustworthy means;
[root@webserver ssl]# cp /etc/httpd/ssl/httpd.csr /tmp/httpd.csr
4. Sign the certificate on the CA host:
[root@webserver ssl]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 4 04:01:29 2018 GMT
Not After : Nov 4 04:01:29 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Sichuan
organizationName = bitemecake
organizationalUnitName = ops
commonName = webserver
emailAddress = 764****37@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B0:DA:40:C4:47:B0:8C:15:70:B0:06:BB:1D:6A:D2:CF:90:CE:01:9E
X509v3 Authority Key Identifier:
keyid:40:83:81:56:94:75:7A:1A:3E:B5:05:91:0D:F4:BD:67:FF:4D:9C:63
Certificate is to be certified until Nov 4 04:01:29 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Follow-up steps: add the SSL module to Apache and configure the SSL certificate parameters; this belongs to the web-service part of the course and will be added later.
III. Briefly describe how a DNS server works, and set up a primary/secondary server pair
DNS (Domain Name Service) is the name-resolution service that maps between domain names and IP addresses.
DNS resolution directions:
domain name --> IP: forward resolution
IP --> domain name: reverse resolution
DNS server types:
responsible for resolving at least one zone:
primary (master) name server
secondary (slave) name server
not responsible for any zone:
caching name server
DNS resolution flow
The path a DNS query takes: hosts file --> DNS local cache --> DNS server --> server cache --> iteration
Explanation:
Step 1: local lookup: the host checks its hosts file; if a record exists, a positive answer is returned to the host, otherwise the local DNS cache (DNS Local Cache) is checked; if that also has nothing, go to the next step;
Step 2: server lookup: the request is sent to the DNS server configured in the host's network settings (DNS Server); that server checks its cached resource records and the records of the zones it is authoritative for; if a record exists it is returned, otherwise one of two things happens:
1. the DNS server has recursion disabled, so it returns a negative answer to the host;
2. the DNS server has recursion enabled, so it acts as a client itself and sends the query on to upstream DNS servers until it receives a positive or negative answer, which it finally returns to the host.
The difference between recursive and iterative DNS queries
(1) Recursive query
A recursive query is a DNS server query mode in which the server, having received a client's request, must reply to the client with a definitive result. If the server does not hold the requested DNS information locally, it asks other servers and hands the result it receives back to the client.
(2) Iterative query
The DNS server's other query mode is the iterative query, in which the server gives the client the address of another DNS server able to resolve the request: when the client sends a query, the server does not reply with the result itself but tells the client the address of another DNS server; the client then sends its request to that server, and so on until the result is returned.
Diagrams of the two processes:
Setting up primary and secondary DNS servers
Step 1: set up the primary DNS server
1. Install the bind and bind-utils packages with yum:
[root@dns-master ~]# yum install -y -q bind bind-utils
[root@dns-master ~]# echo $?
0
2. Enable the named service at boot and set the global DNS options:
[root@dns-master ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@dns-master ~]# vi /etc/named.conf
[root@dns-master ~]# cat /etc/named.conf
Modified section:
...
options {
    listen-on port 53 { 127.0.0.1; 192.168.0.132; };
    //allow-query { localhost; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
...
3. Check the configuration syntax, start the service, and open the DNS ports (TCP/53 and UDP/53) in the firewall; at this point the host can already be used as a caching DNS server:
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# systemctl start named
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@dns-master ~]# firewall-cmd --reload
success
[root@dns-master ~]# ss -tunlp | grep 53
udp UNCONN 0 0 192.168.0.132:53 *:* users:(("named",pid=11109,fd=515),("named",pid=11109,fd=514))
udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",pid=11109,fd=513),("named",pid=11109,fd=512))
udp UNCONN 0 0 ::1:53 :::* users:(("named",pid=11109,fd=517),("named",pid=11109,fd=516))
tcp LISTEN 0 10 192.168.0.132:53 *:* users:(("named",pid=11109,fd=21))
tcp LISTEN 0 10 127.0.0.1:53 *:* users:(("named",pid=11109,fd=20))
tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",pid=11109,fd=23))
tcp LISTEN 0 10 ::1:53 :::* users:(("named",pid=11109,fd=22))
tcp LISTEN 0 128 ::1:953 :::* users:(("named",pid=11109,fd=24))
4. Test that the service works:
1) Local resolution test:
[root@dns-master ~]# dig -t SOA www.baidu.com @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.baidu.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52822
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN SOA
;; ANSWER SECTION:
www.baidu.com. 1173 IN CNAME www.a.shifen.com.
;; AUTHORITY SECTION:
a.shifen.com. 600 IN SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 1811040050 5 5 2592000 3600
;; Query time: 57 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:28:10 EST 2018
;; MSG SIZE rcvd: 126
2) Resolution for other hosts (tested from a second host):
[root@dns-slave ~]# dig -t SOA www.163.com @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.163.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.163.com. IN SOA
;; ANSWER SECTION:
www.163.com. 600 IN CNAME www.163.com.lxdns.com.
;; AUTHORITY SECTION:
lxdns.com. 60 IN SOA dns1.lxdns.org. webmaster.glb0.lxdns.com. 1422577239 10800 3600 604800 60
;; Query time: 1257 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:31:25 EST 2018
;; MSG SIZE rcvd: 137
5. Configure a forward zone
1) Define the zone (/etc/named.rfc1912.zones):
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones
zone "bitemecake.biz" IN {
    type master;
    file "bitemecake.biz.zone";
};
2) Create the zone data file (/var/named/bitemecake.biz.zone):
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@       IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz. (
                2018110401
                1H
                10M
                3D
                1D )
        IN NS  ns1
        IN MX  10 mx1
mx1     IN A   192.168.0.132
ns1     IN A   192.168.0.132
www     IN A   192.168.0.132
web     IN CNAME www
3) Fix the zone file's ownership and permissions, and check its syntax:
[root@dns-master ~]# chown :named /var/named/bitemecake.biz.zone
[root@dns-master ~]# chmod o= /var/named/bitemecake.biz.zone
[root@dns-master ~]# named-checkzone bitemecake.biz. /var/named/bitemecake.biz.zone
zone bitemecake.biz/IN: loaded serial 2018110401
OK
4) Have the server reload its configuration and zone data:
[root@dns-master ~]# systemctl reload named
5) Test resolution:
[root@dns-master ~]# dig -t A www.bitemecake.biz @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53376
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz. IN A
;; ANSWER SECTION:
www.bitemecake.biz. 3600 IN A 192.168.0.132
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:00:43 EST 2018
;; MSG SIZE rcvd: 97
6. Configure a reverse zone
1) Define the zone (/etc/named.rfc1912.zones):
[root@dns-master ~]# vi /etc/named.rfc1912.zones
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa." IN {
    type master;
    file "192.168.0.zone";
};
2) Define the zone data file (mainly PTR records)
[root@dns-master ~]# vi /var/named/192.168.0.zone
[root@dns-master ~]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2018110401
OK
3) Fix the zone file's ownership and permissions, and check its syntax:
[root@dns-master ~]# chown :named /var/named/192.168.0.zone
[root@dns-master ~]# chmod o= /var/named/192.168.0.zone
4) Have the server reload its configuration and zone data:
[root@dns-master ~]# systemctl reload named
5) Test resolution:
[root@dns-master ~]# dig -x 192.168.0.132 @192.168.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.0.132 @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;132.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
132.0.168.192.in-addr.arpa. 3600 IN PTR ns1.bitemecake.biz.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:24:39 EST 2018
;; MSG SIZE rcvd: 117
The primary DNS server is now complete.
Step 2: set up the secondary DNS server
1. The service setup and global configuration of the secondary are the same as the first two steps for the primary and are omitted here;
2. Secondary DNS server configuration:
1) Define the slave zones:
[root@dns-slave ~]# vi /etc/named.rfc1912.zones
[root@dns-slave ~]# tail -12 /etc/named.rfc1912.zones
zone "bitemecake.biz" IN {
    type slave;
    file "slaves/bitemecake.biz.zone";
    masters { 192.168.0.132; };
};
zone "0.168.192.in-addr.arpa." IN {
    type slave;
    file "slaves/192.168.0.zone";
    masters { 192.168.0.132; };
};
[root@dns-slave ~]# named-checkconf
2) Reload the configuration
[root@dns-slave ~]# systemctl reload named
3. Primary DNS server configuration:
1) Add an NS record for the secondary to each zone data file on the primary, and make sure each zone data file also contains an A record for the secondary:
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@       IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz. (
                2018110401
                1H
                10M
                3D
                1D )
        IN NS  ns1
        IN NS  ns2
        IN MX  10 mx1
mx1     IN A   192.168.0.132
ns1     IN A   192.168.0.132
ns2     IN A   192.168.0.133
www     IN A   192.168.0.132
web     IN CNAME www
Step 3: testing
1. Resolution test against the secondary:
[root@dns-slave ~]# dig -t A www.bitemecake.biz @192.168.0.133
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 232
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz. IN A
;; ANSWER SECTION:
www.bitemecake.biz. 3600 IN A 192.168.0.132
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:37:48 EST 2018
;; MSG SIZE rcvd: 97
2. Synchronisation test for the secondary:
1) Add an A record to the zone data file on the primary and increment the serial by 1
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@       IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz. (
                2018110402
                1H
                10M
                3D
                1D )
        IN NS  ns1
        IN NS  ns2
        IN MX  10 mx1
mx1     IN A   192.168.0.132
ns1     IN A   192.168.0.132
ns2     IN A   192.168.0.133
www     IN A   192.168.0.132
web     IN CNAME www
bbs     IN A   192.168.0.134
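The zone files above are small enough to parse by hand, and doing so shows why the serial matters: a secondary only pulls a new copy of the zone when the primary's SOA serial is greater than the one it already holds, which is why the step above increments it. The following Python is an added example, not part of the original post or of BIND; it parses the page's zone file (embedded here as ZONE_V1, with the edited version built from it as ZONE_V2), qualifies relative names against $ORIGIN, handles the ownerless records that inherit the previous owner and the multi-line SOA, and compares the two serials.

```python
"""Added example: a minimal parser for the BIND zone files shown on this page,
used to check the SOA serial that drives primary-to-secondary transfers."""

# Which RDATA field of each record type holds a name that may be relative to $ORIGIN
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}

# The zone file from the page, as the primary first published it
ZONE_V1 = """\
$TTL 3600
$ORIGIN bitemecake.biz.
@       IN SOA ns1.bitemecake.biz. dnsadmin.bitemecake.biz. (
                2018110401
                1H
                10M
                3D
                1D )
        IN NS  ns1
        IN MX  10 mx1
mx1     IN A   192.168.0.132
ns1     IN A   192.168.0.132
www     IN A   192.168.0.132
web     IN CNAME www
"""

# The same zone after the edit on the primary: serial bumped, ns2 and bbs added
ZONE_V2 = ZONE_V1.replace("2018110401", "2018110402") + (
    "@       IN NS  ns2\n"
    "ns2     IN A   192.168.0.133\n"
    "bbs     IN A   192.168.0.134\n"
)


def _logical_lines(text):
    """Strip ';' comments and fold '( ... )' groups spanning several lines into one."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        depth += code.count("(") - code.count(")")
        buf.append(code)
        if depth == 0:
            lines.append(" ".join(buf))
            buf = []
    return lines


def _fqdn(name, origin):
    """Qualify a relative name against $ORIGIN; '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata) tuples with all names fully qualified."""
    default_ttl, origin, owner, records = None, "", None, []
    for line in _logical_lines(text):
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0].isspace():           # no owner field: inherit the previous owner
            fields = tokens
        else:
            owner, fields = tokens[0], tokens[1:]
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        if fields[0] == "IN":           # class is optional in the file
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in NAME_FIELD:
            i = NAME_FIELD[rtype]
            rdata[i] = _fqdn(rdata[i], origin)
        records.append((_fqdn(owner, origin), ttl, rtype, rdata))
    return records


def lookup(records, name, rtype):
    """All RDATA (as strings) for an owner/type pair, e.g. the NS set of the apex."""
    return [" ".join(r[3]) for r in records if r[0] == name and r[2] == rtype]


def soa_serial(records):
    """SOA RDATA is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM; return SERIAL."""
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[2])
    raise ValueError("zone has no SOA record")


def secondary_will_transfer(old_zone, new_zone):
    """A secondary only transfers when the primary's serial is greater than the one
    it holds; plain integer comparison is adequate for date-based serials."""
    return soa_serial(parse_zone(new_zone)) > soa_serial(parse_zone(old_zone))


if __name__ == "__main__":
    print("serial v1:", soa_serial(parse_zone(ZONE_V1)), "v2:", soa_serial(parse_zone(ZONE_V2)))
    print("transfer triggered:", secondary_will_transfer(ZONE_V1, ZONE_V2))
    print("apex NS in v2:", lookup(parse_zone(ZONE_V2), "bitemecake.biz.", "NS"))
```

The serial comparison is plain integer comparison, which is adequate for date-based serials like 2018110401; BIND itself uses RFC 1982 serial arithmetic. Either way, a serial that is accidentally left unchanged or set lower than the secondary's (a typo in the date, for instance) does not trigger a transfer, and the secondary keeps serving the old data, which is the first thing to check when a change appears on the primary but not on the secondary.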
2) Both the primary and the secondary record the synchronisation in their service status:
[root@dns-master ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-11-04 07:09:54 EST; 33min ago
Process: 3281 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 3001 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2021 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 3049 (named)
CGroup: /system.slice/named.service
└─3049 /usr/sbin/named -u named
Nov 04 07:42:55 dns-master named[3049]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 04 07:42:55 dns-master named[3049]: reloading configuration succeeded
Nov 04 07:42:55 dns-master named[3049]: reloading zones succeeded
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: loaded serial 2018110402
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Nov 04 07:42:55 dns-master named[3049]: all zones loaded
Nov 04 07:42:55 dns-master named[3049]: running
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/...tarted
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/... ended
Nov 04 07:42:55 dns-master systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2018-11-04 07:33:38 EST; 9min ago
Process: 3590 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 3603 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3600 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 3606 (named)
CGroup: /system.slice/named.service
└─3606 /usr/sbin/named -u named
Nov 04 07:33:38 dns-slave named[3606]: running
Nov 04 07:33:38 dns-slave systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 04 07:42:25 dns-slave named[3606]: client 192.168.0.132#46166: received notify for zone 'bitemecake.biz'
Nov 04 07:42:25 dns-slave named[3606]: zone bitemecake.biz/IN: notify from 192.168.0.132#46166: zone is up to date
Nov 04 07:42:56 dns-slave named[3606]: client 192.168.0.132#42389: received notify for zone 'bitemecake.biz'
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: Transfer started.
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: connected using 192...#34791
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: transferred serial 2018110402
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: Transfer completed:...s/sec)
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Hint: Some lines were ellipsized, use -l to show in full.
3) Resolution test against the secondary:
[root@dns-slave ~]# dig -t A bbs.bitemecake.biz @192.168.0.133
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A bbs.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40767
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.bitemecake.biz. IN A
;; ANSWER SECTION:
bbs.bitemecake.biz. 3600 IN A 192.168.0.134
;; AUTHORITY SECTION:
bitemecake.biz. 3600 IN NS ns1.bitemecake.biz.
bitemecake.biz. 3600 IN NS ns2.bitemecake.biz.
;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600 IN A 192.168.0.132
ns2.bitemecake.biz. 3600 IN A 192.168.0.133
;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:48:46 EST 2018
;; MSG SIZE rcvd: 131
IV. Set up and implement intelligent DNS
Three ways of implementing intelligent DNS:
1) Defining forwarding
2) Access control
3) Defining views
Examples of each method:
1) Setting a forwarding policy:
Note: the server being forwarded to must allow recursion for the current server;
(1) Zone forwarding: forwards only the queries for one specific zone;
zone "ZONE_NAME" IN {
    type forward;
    forward {first|only};
    forwarders { SERVER_IP; };
};
first: forward first; if the forwarder does not respond, perform the iterative query itself;
only: forward only;
(2) Global forwarding: every query for a zone not defined locally with a zone statement is forwarded to the forwarder;
options {
    ... ...
    forward {only|first};
    forwarders { SERVER_IP; };
    ... ...
};
2) Access control:
acl: access control list; groups one or more addresses into a named set, after which all hosts in the set can be referred to together by that name;
acl acl_name {
    ip;
    net/prelen;
};
Example:
acl mynet {
    172.16.0.0/16;
    127.0.0.0/8;
};
bind has four built-in acls:
none: no host;
any: any host;
localhost: the local machine;
localnets: the networks that the local machine's IP addresses belong to;
Access control directives:
allow-query {}; hosts allowed to query; a whitelist;
allow-transfer {}; hosts to which zone transfers are allowed; the default is all hosts, so it should be restricted to the secondary servers only;
allow-recursion {}; hosts allowed to send recursive queries to this DNS server;
allow-update {}; DDNS, allows dynamic updates to the contents of the zone database file;
3) Defining views:
Syntax:
view VIEW_NAME {
    zone
    zone
    zone
};
Example:
view internal {
    match-clients { 172.16.0.0/8; };
    zone "magedu.com" IN {
        type master;
        file "magedu.com/internal";
    };
};
view external {
    match-clients { any; };
    zone "magedu.com" IN {
        type master;
        file "magedu.com/external";
    };
};
Intelligent DNS example
Requirements:
1. Every query for a zone not defined locally with a zone statement is forwarded to the forwarders; if the forwarders do not respond, the server performs the iterative query itself;
2. Zone transfers are allowed only to the secondary DNS server;
3. Only hosts in 192.168.0.0/16 may send recursive queries to this DNS server;
4. Hosts in the internal 192.168.0.0/16 range resolve www.bitemecake.biz to the internal interface address 192.168.0.132, while external hosts resolve it to the external interface address 172.16.25.132;
Configuration:
1. Global configuration: add the following to /etc/named.conf:
[root@dns-master ~]# vi /etc/named.conf
options {
    ...
    forward first;
    forwarders { 61.139.2.69; 119.6.6.6; };
    allow-transfer { 192.168.0.133; };
    allow-recursion { 192.168.0.0/16; };
    ...
};
[root@dns-master ~]# named-checkconf
2. Zone configuration, in /etc/named.rfc1912.zones:
[root@dns-master ~]# vi /etc/named.rfc1912.zones
[root@dns-master ~]# tail -26 /etc/named.rfc1912.zones
view internal {
    match-clients { 192.168.0.0/16; };
    zone "bitemecake.biz" IN {
        type master;
        file "bitemecake.biz.zone/internal";
    };
    zone "0.168.192.in-addr.arpa." IN {
        type master;
        file "192.168.0.zone/internal";
    };
};
view external {
    match-clients { any; };
    zone "bitemecake.biz" IN {
        type master;
        file "bitemecake.biz.zone/external";
    };
    zone "0.168.192.in-addr.arpa." IN {
        type master;
        file "192.168.0.zone/external";
    };
};
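A quick way to confirm that the configuration above meets requirements 2 to 4 is to model BIND's address-match-list and view-selection rules and run the addresses from the requirements through them. The Python below is an added example, not BIND's code and not part of the original post; it implements the rules BIND documents (a view is chosen by the first match-clients list that matches, in configuration order; inside a list, the first element that matches decides, and a matching negated element rejects) and embeds a constructed model of the two views, with the localnets built-in approximated by a constructed subnet and 203.0.113.10 standing in for an Internet client.

```python
"""Added example: simulate BIND's address-match-list and view selection rules
and check them against the intelligent-DNS requirements on this page."""
import ipaddress

# Built-in ACL names. 'localhost' and 'localnets' really depend on the server's
# interfaces; the values here are constructed for the lab setup on this page.
BUILTIN_ACLS = {
    "any": None,                              # matches everything
    "none": [],                               # matches nothing
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["192.168.0.0/24"],          # constructed: the lab server's subnet
}


def _element_matches(element, addr):
    """One list element: a built-in name, a CIDR prefix or a single address."""
    if element in BUILTIN_ACLS:
        nets = BUILTIN_ACLS[element]
        return True if nets is None else any(addr in ipaddress.ip_network(n) for n in nets)
    return addr in ipaddress.ip_network(element, strict=False)


def address_list_matches(match_list, client_ip):
    """BIND semantics: the first element that matches decides; a matching negated
    element ('!...') rejects the client; if nothing matches, the client is rejected."""
    addr = ipaddress.ip_address(client_ip)
    for element in match_list:
        negated = element.startswith("!")
        if _element_matches(element.lstrip("!"), addr):
            return not negated
    return False


def select_view(client_ip, views):
    """Views are tried in configuration order; the first matching match-clients wins."""
    for view in views:
        if address_list_matches(view["match-clients"], client_ip):
            return view["name"]
    return None


def resolve(client_ip, name, views):
    """Answer a query from the record set of the view the client lands in."""
    view_name = select_view(client_ip, views)
    if view_name is None:
        return None
    view = next(v for v in views if v["name"] == view_name)
    return view["records"].get(name)


# Constructed model of the views above: internal first, the catch-all external last.
# Only the record that requirement 4 talks about is modelled.
VIEWS = [
    {"name": "internal", "match-clients": ["192.168.0.0/16"],
     "records": {"www.bitemecake.biz.": "192.168.0.132"}},
    {"name": "external", "match-clients": ["any"],
     "records": {"www.bitemecake.biz.": "172.16.25.132"}},
]

# The options-level lists from the same configuration (requirements 2 and 3).
ALLOW_TRANSFER = ["192.168.0.133"]
ALLOW_RECURSION = ["192.168.0.0/16"]


if __name__ == "__main__":
    for client in ("192.168.0.50", "192.168.7.9", "203.0.113.10"):
        print(client, select_view(client, VIEWS),
              resolve(client, "www.bitemecake.biz.", VIEWS),
              "transfer" if address_list_matches(ALLOW_TRANSFER, client) else "no-transfer",
              "recursion" if address_list_matches(ALLOW_RECURSION, client) else "no-recursion")
```

Because views are tried in order, swapping the two view blocks would send every client, including those in 192.168.0.0/16, to the external view, so the catch-all `any` view must stay last; the same ordering rule applies inside an address list, where a negated element only has an effect if it appears before the broader prefix it is meant to exclude.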