Common encryption algorithms and their principles; DNS service principles and configuration

1. Describe the common encryption algorithms and how they work, ideally with diagrams

When hosts on the Internet communicate, whether over TCP or UDP, the data travels in plaintext, which makes it easy for the transmitted data to be intercepted and tampered with. Encryption of data in transit came into being to protect it. Encryption is divided into one-way (hash) encryption, symmetric encryption and asymmetric encryption; the common methods and their principles are introduced below.

Symmetric encryption: encryption and decryption use the same key. The original data is split into fixed-size blocks that are encrypted one by one. Its security depends on the key, not on the algorithm. Its drawbacks are that there are too many keys to manage and that key distribution is difficult. The main algorithms are:
DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5

DES: a symmetric-key cipher, also known as the US Data Encryption Standard, developed by IBM in the USA in 1972. The plaintext is divided into 64-bit blocks and the key is 64 bits long; each plaintext block is combined with the 56-bit key through bitwise substitution and permutation to produce a ciphertext block.


[Figure: DES algorithm structure]

The 64-bit input block is permuted bit by bit and the output is split into two halves, L0 and R0, each 32 bits long; the permutation rule is shown below.


[Figure: DES algorithm flow]

Asymmetric encryption: the key is split into a public key and a private key. Data encrypted with the public key can only be decrypted with the matching private key, and data encrypted with the private key can only be decrypted with the corresponding public key.
The private key is created with a tool and kept by its owner; its secrecy must be guaranteed.
The public key is derived from the private key and may be published to everyone.
Main uses:
Digital signature: lets the receiver confirm the sender's identity
Key exchange: the sender encrypts a symmetric key with the peer's public key and sends it to the peer
Data encryption, and so on. The main algorithms are:
RSA, DSA, DSS

RSA: the first algorithm usable for both data encryption and digital signatures; it is easy to understand and use, and very popular. The algorithm is named after its inventors. RSA encryption raises the plaintext to the E-th power and takes the remainder modulo N, which can be expressed by a general formula:


[Figure: RSA encryption formula, ciphertext = plaintext^E mod N]

Anyone who knows E and N can perform RSA encryption, so E and N are the RSA encryption key; in other words the pair E and N is the public key, written (E,N)

Public key = (E,N)

RSA decryption can likewise be expressed by a general formula


[Figure: RSA decryption formula, plaintext = ciphertext^D mod N]

Raising the ciphertext to the D-th power and taking the remainder modulo N gives back the plaintext; that is RSA decryption. Anyone who knows D and N can decrypt the ciphertext, so D and N together are the private key

Private key = (D,N)
To generate the keys you need E, D, N and L (an intermediate value); they must satisfy:
N = p*q; p, q are primes
L = lcm(p-1, q-1); L is the least common multiple of p-1 and q-1
1 < E < L, gcd(E,L) = 1; the greatest common divisor of E and L is 1 (E and L are coprime)
1 < D < L, E*D mod L = 1

Finding N
Take two small primes,  p = 17  q = 19
N = p * q = 323

Finding L
L = lcm(p-1, q-1) = lcm(16, 18) = 144 (144 is the least common multiple of 16 and 18)

Finding E
E must satisfy two conditions: 1 < E < L, gcd(E,L) = 1
i.e. 1 < E < 144, gcd(E, 144) = 1
E and 144 must be coprime; 5 clearly satisfies both conditions
so E = 5

Public key = (E, N) = (5, 323)

Finding D
D must also satisfy two conditions: 1 < D < L, E*D mod L = 1
i.e. 1 < D < 144, 5 * D mod 144 = 1
D = 29 clearly satisfies both conditions:
1 < 29 < 144
5*29 mod 144 = 145 mod 144 = 1

Private key = (D, N) = (29, 323)

With these values, suppose the plaintext = 123; substituting into the formula gives the ciphertext = 255, and decryption is done by substituting into the decryption formula.
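The key-generation, encryption and decryption steps above, carried out in code. This is an added example, not part of the original post: it uses only the Python standard library, takes the post's toy values p = 17, q = 19 and E = 5, derives D with a modular inverse instead of searching for it by hand, and evaluates both formulas for the plaintext 123 so that the ciphertext quoted above can be checked. A 9-bit modulus such as 323 is only for following the arithmetic; real RSA keys use moduli of 2048 bits or more and padding (OAEP or PSS) before the exponentiation.

```python
from math import gcd

# Added example, not from the original post. Toy parameters are those of the
# post's walkthrough (p = 17, q = 19, E = 5); the modulus is far too small for
# real use and serves only to make the arithmetic visible.


def lcm(a, b):
    return a * b // gcd(a, b)


def make_keypair(p, q, e):
    """Return ((E, N), (D, N)) under the four conditions stated in the post:
    N = p*q, L = lcm(p-1, q-1), 1 < E < L with gcd(E, L) = 1, and E*D mod L = 1."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    if not (1 < e < lam and gcd(e, lam) == 1):
        raise ValueError(f"E={e} must lie in (1, {lam}) and be coprime with L={lam}")
    d = pow(e, -1, lam)        # modular inverse (Python 3.8+) instead of searching D by hand
    return (e, n), (d, n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer smaller than N")
    return pow(m, e, n)        # ciphertext = plaintext^E mod N


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)        # plaintext = ciphertext^D mod N


def worked_example(p=17, q=19, e=5, plaintext=123):
    """The post's numbers end to end: keys, ciphertext and the recovered plaintext."""
    public_key, private_key = make_keypair(p, q, e)
    ciphertext = encrypt(plaintext, public_key)
    return {"L": lcm(p - 1, q - 1), "public_key": public_key, "private_key": private_key,
            "ciphertext": ciphertext, "recovered": decrypt(ciphertext, private_key)}


if __name__ == "__main__":
    print(worked_example())
```

`pow(e, -1, lam)` raises ValueError if E and L are not coprime, which is exactly the condition the text imposes; the explicit check before it just gives a clearer message.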

One-way encryption: that is, extracting a data fingerprint. It can only encrypt and never decrypt, and is mainly used to verify data integrity (extracting a digest of the data)
Its properties:
Fixed-length output: no matter how large the input data is, the output length is always the same.
Avalanche effect: any change to the input, even a single bit, causes an obvious change in the hash result.
The main algorithms are:
md5, sha1, sha224, sha256, sha384, sha512

md5: Message Digest algorithm 5, a hash function widely used in computer security to protect message integrity.

MD5 has the following properties:
1. Compression: for data of any length, the computed MD5 value has a fixed length.
2. Easy to compute: computing the MD5 value from the original data is easy.
3. Tamper resistance: any change to the original data, even a single byte, produces a very different MD5 value.
4. Strong collision resistance: given the original data and its MD5 value, it is very hard to find another input with the same MD5 value (i.e. forged data).

The MD5 processing flow is shown below:

[Figure: MD5 algorithm flowchart]

For the detailed computation see the encyclopedia entry:
https://baike.baidu.com/item/MD5?fr=aladdin
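The fixed-length output and avalanche properties listed above, measured rather than stated. This is an added example, not code from the original post: it hashes inputs of different sizes with hashlib, flips a single input bit and counts how many digest bits change, and shows the constant-time comparison a defender should use when checking a digest against a published value. One caveat to point 4 above: MD5 collisions are practical today, so for integrity checks prefer SHA-256 or stronger.

```python
import hashlib
import hmac

# Added example, not from the original post. All sample inputs are constructed.
ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def digest_lengths(data):
    """Hex-digest length per algorithm; the result does not depend on len(data)."""
    return {name: len(hashlib.new(name, data).hexdigest()) for name in ALGORITHMS}


def flip_bit(data, bit_index):
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm, data, bit_index=0):
    """Flip one input bit and count how many digest bits change (about half, for a good hash)."""
    before = hashlib.new(algorithm, data).digest()
    after = hashlib.new(algorithm, flip_bit(data, bit_index)).digest()
    changed = hamming_distance(before, after)
    return {"digest_bits": len(before) * 8, "changed_bits": changed,
            "fraction": changed / (len(before) * 8)}


def integrity_ok(data, expected_hex, algorithm="sha256"):
    """Compare a computed digest with a published one without leaking timing."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    print(digest_lengths(b"short"))
    print(digest_lengths(b"x" * 1_000_000))
    print(avalanche("sha256", b"The quick brown fox"))
```

`hmac.compare_digest` matters when the comparison happens on a server: a plain `==` returns as soon as the first differing character is found, which leaks how many leading characters of a secret digest an attacker got right.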

2. Set up Apache or Nginx with a self-signed certificate for HTTPS access; the domain name in the certificate is your choice

In a lab environment, a self-signed CA certificate for Apache or Nginx can be produced with the openssl command; the steps are:

Build the private CA:

  1. Generate the private key
  2. Generate the self-signed certificate
  3. Provide the directories and files the CA needs

1. Generate the private key

[root@zcy520ooooo ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...........................................................++
.................................................................................++
e is 65537 (0x10001)
# A command in parentheses runs in a subshell, so the umask of the current shell is left unchanged.
----------------------------------------
[root@zcy520ooooo ~]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----

2. Generate the self-signed certificate
When a certificate is made from the generated private key, the public key is extracted from the private key automatically and placed in the certificate; the command format is:

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
    -new: generate a new certificate signing request;
    -x509: produce a self-signed certificate instead of a request; used when creating a private CA;
    -key: path of the private key used for the request;
    -out: path of the generated request file; with -x509 the signed certificate is written here directly;
    -days: validity period of the certificate, in days
[root@zcy520ooooo ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country code (two letters)
State or Province Name (full name) []:Shanghai    # province (full name)
Locality Name (eg, city) [Default City]:Shanghai    # city
Organization Name (eg, company) [Default Company Ltd]:zcy520    # company or organisation
Organizational Unit Name (eg, section) []:ops    # department (ops = operations)
Common Name (eg, your name or your server's hostname) []:www.zcy520.com    # server hostname or the applicant's name
Email Address []:307784305@qq.com    # e-mail address
[root@zcy520ooooo ~]# ls /etc/pki/CA/
cacert.pem      crl/         newcerts/       serial          
certs/          private/           

3. Provide the directories and files the CA needs
Under /etc/pki/CA/ create the three directories certs, crl and newcerts (they may not exist by default) and the two files serial and index.txt (the serial-number file and the database file)

[root@zcy520ooooo ~]# mkdir -v /etc/pki/CA/{certs,newcerts,crl}
mkdir: 無法創(chuàng)建目錄"/etc/pki/CA/certs": 文件已存在
mkdir: 無法創(chuàng)建目錄"/etc/pki/CA/newcerts": 文件已存在
mkdir: 無法創(chuàng)建目錄"/etc/pki/CA/crl": 文件已存在
[root@zcy520ooooo ~]# touch /etc/pki/CA/{serial,index.txt}
[root@zcy520ooooo ~]# ls /etc/pki/CA
cacert.pem  certs  crl  index.txt  newcerts  private  serial

[root@zcy520ooooo ~]# echo 01 > /etc/pki/CA/serial    # serial number of the first certificate

Requesting a signed certificate from the CA:

1. Install Apache or Nginx (if not already present in the lab)
2. Generate a private key on the host that will use the certificate
3. Generate a certificate signing request
4. Send the request to the CA host through a trusted channel
5. Sign the certificate on the CA host
6. Send the certificate back to the requesting host

1. Install Apache or Nginx (if not already present in the lab)

[root@zcy520ooooo ~]# rpm -q httpd
httpd-2.4.6-80.el7.centos.1.x86_64
# If it is not installed, yum install httpd -y installs it

2. Generate a private key on the host that will use the certificate
Create a directory for the key and generate the key

[root@zcy520ooooo ~]# mkdir /etc/httpd/ssl
[root@zcy520ooooo ~]# cd /etc/httpd/ssl
[root@zcy520ooooo ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
............+++
e is 65537 (0x10001)
[root@zcy520ooooo ssl]# ls
httpd.key
# The private key is created in the current directory

3. Generate the certificate signing request

[root@zcy520ooooo ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:zcy520
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.zcy520.com
Email Address []:307784305@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


# Because this is a self-built CA, the country, province and organisation fields should match those of the CA certificate (the default policy of openssl ca requires them to match)
----------------------------------------

[root@zcy520ooooo ssl]# ls
httpd.csr  httpd.key

4. Send the request to the CA host through a trusted channel
A file-transfer tool such as scp can be used. This is a simulated environment, so transferring over the network is acceptable; in a production environment an unprotected network transfer like this should not be used

[root@zcy520ooooo ssl]# scp httpd.csr root@192.168.80.30:/tmp/
The authenticity of host '192.168.80.30 (192.168.80.30)' can't be established.
ECDSA key fingerprint is SHA256:t37lf7ApkIkXlOgKy2DtpkNIwIRetIF72492IDdvp+U.
ECDSA key fingerprint is MD5:73:aa:fa:71:7c:90:00:5b:02:83:31:ee:84:ac:d4:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.30' (ECDSA) to the list of known hosts.
root@192.168.80.30's password:     # enter the root password
httpd.csr                                                                   100% 1054   324.7KB/s   00:00

5. Sign the certificate on the CA host

[root@zcy520ooooo ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 29 06:10:51 2018 GMT
            Not After : Oct 29 06:10:51 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = zcy520
            organizationalUnitName    = ops
            commonName                = www.zcy520.com
            emailAddress              = 307784305@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5A:57:65:DF:20:D7:53:5D:11:53:00:AF:03:32:19:5A:CE:27:FD:42
            X509v3 Authority Key Identifier: 
                keyid:E7:5D:D3:00:81:2B:F2:C5:65:90:6E:18:E1:F8:F4:DA:8E:FC:6F:56

Certificate is to be certified until Oct 29 06:10:51 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

----------------------------------------

[root@zcy520ooooo ~]# cat /etc/pki/CA/index.txt
V   191029061051Z       01  unknown /C=CN/ST=Shanghai/O=zcy520/OU=ops/CN=www.zcy520.com/emailAddress=307784305@qq.com

# These entries show that the certificate was signed successfully

6. Send the certificate back to the requesting host

[root@zcy520ooooo ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.80.99:/etc/httpd/ssl/
The authenticity of host '192.168.80.99 (192.168.80.99)' can't be established.
ECDSA key fingerprint is SHA256:YcRd1YQjOtXBQUGnRo/xDj9Hm40UL3Fq7SWPvI5BYFU.
ECDSA key fingerprint is MD5:c1:16:8b:0d:04:d5:72:9c:9d:8f:0c:98:8e:cb:42:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.99' (ECDSA) to the list of known hosts.
root@192.168.80.99's password: 
httpd.crt                                                                   100% 5873   491.4KB/s   00:00

----------------------------------------

[root@localhost ssl]# ls
httpd.crt  httpd.csr  httpd.key
# Files as seen on the requesting host
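The whole procedure of this section, from CA key to verified server certificate, as a non-interactive script. This is an added example and not the post's own commands: it drives the openssl CLI from Python, passes the Distinguished Name with -subj instead of answering the prompts, and signs with `openssl x509 -req` (which needs no /etc/pki/CA directory layout, serial file or index.txt) in place of the post's `openssl ca`. It also adds a subjectAltName, which browsers require today and which a Common Name alone does not provide, and finishes with `openssl verify` to confirm the chain the way a client would. The subject values mirror the post's; the working directory, the hostname parameter and the 2048-bit CA key (the post uses 4096) are this example's own choices. If openssl is not on PATH the function returns None.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Added example, not the post's own commands. Subject fields mirror the post;
# the hostname, working directory and key sizes are this example's choices.
CA_SUBJECT = "/C=CN/ST=Shanghai/L=Shanghai/O=zcy520/OU=ops/CN=zcy520 private CA"
SERVER_SUBJECT = "/C=CN/ST=Shanghai/L=Shanghai/O=zcy520/OU=ops/CN={hostname}"


def openssl(workdir, *args):
    """Run one openssl command inside workdir; raise on a non-zero exit status."""
    return subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)


def build_private_ca_and_sign(workdir, hostname="www.zcy520.com", days=365, ca_bits=2048):
    """Create a private CA, a server key and CSR, sign the CSR and verify the result."""
    if shutil.which("openssl") is None:
        return None
    w = Path(workdir)
    # 1. CA private key; chmod 600 replaces the post's (umask 077; ...) subshell trick
    openssl(w, "genrsa", "-out", "cakey.pem", str(ca_bits))
    (w / "cakey.pem").chmod(0o600)
    # 2. self-signed CA certificate; -subj supplies the DN so nothing is prompted
    openssl(w, "req", "-new", "-x509", "-key", "cakey.pem", "-out", "cacert.pem",
            "-days", str(days), "-subj", CA_SUBJECT)
    # 3. server private key and certificate signing request (same C/ST/O as the CA)
    openssl(w, "genrsa", "-out", "httpd.key", "2048")
    (w / "httpd.key").chmod(0o600)
    openssl(w, "req", "-new", "-key", "httpd.key", "-out", "httpd.csr",
            "-subj", SERVER_SUBJECT.format(hostname=hostname))
    # 4. sign with the CA; the extension file marks an end-entity cert and adds the SAN
    (w / "httpd.ext").write_text(f"basicConstraints=CA:FALSE\nsubjectAltName=DNS:{hostname}\n")
    openssl(w, "x509", "-req", "-in", "httpd.csr", "-CA", "cacert.pem", "-CAkey", "cakey.pem",
            "-CAcreateserial", "-out", "httpd.crt", "-days", str(days), "-extfile", "httpd.ext")
    # 5. verify the issued certificate against the CA, as a client would
    verify = openssl(w, "verify", "-CAfile", "cacert.pem", "httpd.crt")
    details = openssl(w, "x509", "-in", "httpd.crt", "-noout", "-text").stdout
    subject_line = details.split("Subject:", 1)[1].split("\n", 1)[0]
    return {"verified": verify.stdout.strip().endswith("OK"),
            "subject_has_hostname": hostname in subject_line,
            "san_present": f"DNS:{hostname}" in details,
            "files": sorted(p.name for p in w.iterdir())}


def demo():
    """Run the whole procedure in a throw-away directory and return the summary."""
    with tempfile.TemporaryDirectory() as d:
        return build_private_ca_and_sign(d)


if __name__ == "__main__":
    print(demo())
```

To use the result with the post's Apache layout, copy httpd.key and httpd.crt to /etc/httpd/ssl/ and point SSLCertificateKeyFile and SSLCertificateFile at them; clients then need cacert.pem in their trust store, since nothing outside the lab trusts this CA.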

3. Describe how DNS servers work, and set up a master/slave pair

DNS, the Domain Name System, is an application-layer protocol. Hosts on the Internet communicate by IP address, but the countless IP addresses are hard for people to remember; DNS maps server names to their IP addresses so that a host can reach another host through a domain name such as www.zcy520.com instead of typing IP addresses one by one. Name servers are divided into:

1. Top-level domains (first-level domains): .com .cn .net .org .gov .edu and so on, maintained by the 13 global root servers
2. Second-level domains: baidu.com, magedu.com and so on
3. Third-level domains: bbs.magedu.com and so on, the hostnames resolved under a second-level domain

A host's query to its name server is a recursive query; queries between name servers are iterative. By the direction of resolution, DNS lookups are divided into:

Forward resolution: look up the IP address for a domain name.
Reverse resolution: look up the domain name for a known IP address.

By role, DNS servers are classified as follows:

Master name server: authoritative for at least one zone
Slave name server: synchronises its data from the master; this server can only be queried, not modified
Caching name server: not authoritative for any zone; it only caches data obtained from the specified servers.

Notes on the DNS configuration files and test tools:
Zone database files:

Resource Record, abbreviated RR;
    RR_TYPE  common record types: A, AAAA, PTR, SOA, NS, CNAME, MX
        SOA: Start Of Authority; a zone file has exactly one SOA record and it must be the first record;
        NS: Name Server record; a zone file may have several NS records, one of which is the master;
        A: Address record, FQDN --> IPv4 (an IPv4 address is 32 bits)
        AAAA: address record, FQDN --> IPv6;
        CNAME: Canonical Name, alias record;
        PTR: Pointer, IP --> FQDN
        MX: Mail eXchanger;
            priority: 0-99, the lower the number the higher the priority
        FQDN: fully qualified domain name

Resource record definition format:
    syntax: name    [TTL]   IN  RR_TYPE         value
SOA:
    name: the current zone's name, e.g. "magedu.com." or "2.3.4.in-addr.arpa.";
    value: made up of several parts
        (1) the zone's name (the master DNS server's name may also be used);
        (2) the zone administrator's mailbox; the @ sign cannot be used in it and is replaced by a dot;
        (3) (the master/slave coordination parameters and the negative-answer TTL)

For example:
    magedu.com.     86400   IN      SOA     magedu.com.     admin.magedu.com.  (
                                    2017010801  ; serial: incremented whenever the master's zone data changes, so that slaves know to update
                                    2H          ; refresh (hours): how often a slave checks the master for a newer serial
                                    10M         ; retry (minutes): how long to wait before retrying after a failed zone transfer
                                    1W          ; expire (week): after this long without a successful refresh the slave stops serving the zone
                                    1D          ; negative answer TTL (day): how long a "no such record" answer may be cached
                        )   

NS:
    name: the zone's name
    value: the name of one of the zone's DNS servers, e.g. ns.magedu.com.;
        note: a zone may have several NS records;
    for example:
            magedu.com.     86400   IN  NS      ns1.magedu.com.
            magedu.com.     86400   IN  NS      ns2.magedu.com.
                    
MX:
    name: the zone's name
    value: the hostname of one of the zone's mail exchangers;
        note: there may be several MX records, but each value must be preceded by a number giving its priority;
    for example:
        magedu.com.         IN  MX  10      mx1.magedu.com.
        magedu.com.         IN  MX  20      mx2.magedu.com.
                    
A:
    name: an FQDN, e.g. www.magedu.com.
    value: an IPv4 address;
    for example:
        www.magedu.com.     IN  A   1.1.1.1
        www.magedu.com.     IN  A   1.1.1.2
        bbs.magedu.com.     IN  A   1.1.1.1
        
AAAA:
    name: FQDN
    value: IPv6 address
            
PTR:
    name: the IP address in a special format: the octets reversed, with a fixed suffix; e.g. the record for 1.2.3.4 is written 4.3.2.1.in-addr.arpa.;
    value: FQDN
    for example:
        4.3.2.1.in-addr.arpa.   IN  PTR www.magedu.com.
                    
CNAME:
    name: the alias, as an FQDN;
    value: the canonical name, as an FQDN;
    for example:
        web.magedu.com.     IN      CNAME  www.magedu.com.

Notes on the record formats above:

1. The TTL may be inherited from the global $TTL
2. @ stands for the current zone's name;
3. When two adjacent records share the same name, the second may omit it;
4. In a forward zone, the value of an MX or NS record is an FQDN, and that FQDN should have an A (IPv4 address) record

DNS is a protocol; the program that implements it on a server is bind, and bind's running process is called named. bind's main configuration consists of:
Main configuration file: /etc/named.conf
If /etc/named.conf does not exist, bind is not installed; install it with yum install -y bind and named.conf will be created under /etc/

Main configuration file format:
Global options section:
options { ... }
Logging section:
logging { ... }
Zone sections:
zone { ... }
Note: there must be a space before and after each brace, and every statement must end with a semicolon

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; };  # port and addresses to listen on, i.e. which hosts can reach the resolver
    listen-on-v6 port 53 { ::1; };  # every statement ends with a semicolon (;), with spaces around the braces
    directory   "/var/named";  # directory holding the zone database files
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; };  # which hosts are allowed to send queries

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;  # the server resolves on the client's behalf, acting as a client itself

    dnssec-enable no;  # DNSSEC; beginners are advised to turn it off
    dnssec-validation no;  # as above

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;  # zone type {master|slave|hint (root hints)|forward}
    file "named.ca";  # zone file; the zone name is the domain itself for a forward zone (zcy520.com) and the reversed network plus .in-addr.arpa for a reverse zone (1.2.168.192.in-addr.arpa)
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# Note: every statement must end with a semicolon and there must be spaces around the braces (otherwise a syntax error)

Zone files: /var/named/ZONE_NAME.zone

[root@zcy520ooooo ~]# ls /var/named/
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

----------------------------------------

[root@zcy520ooooo ~]# vim /var/named/named.ca 
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17380
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.              IN  NS

;; ANSWER SECTION:
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN  A   198.41.0.4
a.root-servers.net. 3600000 IN  AAAA    2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN  A   192.228.79.201
b.root-servers.net. 3600000 IN  AAAA    2001:500:84::b
c.root-servers.net. 3600000 IN  A   192.33.4.12
c.root-servers.net. 3600000 IN  AAAA    2001:500:2::c
d.root-servers.net. 3600000 IN  A   199.7.91.13
d.root-servers.net. 3600000 IN  AAAA    2001:500:2d::d
e.root-servers.net. 3600000 IN  A   192.203.230.10
e.root-servers.net. 3600000 IN  AAAA    2001:500:a8::e
f.root-servers.net. 3600000 IN  A   192.5.5.241
f.root-servers.net. 3600000 IN  AAAA    2001:500:2f::f
g.root-servers.net. 3600000 IN  A   192.112.36.4
g.root-servers.net. 3600000 IN  AAAA    2001:500:12::d0d
h.root-servers.net. 3600000 IN  A   198.97.190.53
h.root-servers.net. 3600000 IN  AAAA    2001:500:1::53
i.root-servers.net. 3600000 IN  A   192.36.148.17
i.root-servers.net. 3600000 IN  AAAA    2001:7fe::53
j.root-servers.net. 3600000 IN  A   192.58.128.30
j.root-servers.net. 3600000 IN  AAAA    2001:503:c27::2:30
k.root-servers.net. 3600000 IN  A   193.0.14.129
k.root-servers.net. 3600000 IN  AAAA    2001:7fd::1
l.root-servers.net. 3600000 IN  A   199.7.83.42
l.root-servers.net. 3600000 IN  AAAA    2001:500:9f::42
m.root-servers.net. 3600000 IN  A   202.12.27.33
m.root-servers.net. 3600000 IN  AAAA    2001:dc3::35

;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE  rcvd: 811


Having covered the configuration format and related background, before configuring the DNS service here are the test tools and the syntax-checking commands.
Check the configuration files for syntax errors:

named-checkconf /etc/named.conf    main configuration syntax check
named-checkzone ZONE_NAME ZONE_FILE    zone file syntax check

[root@zcy520ooooo ~]# named-checkconf /etc/named.conf 
[root@zcy520ooooo ~]# 
# No errors, so nothing is printed

Test tools: the common ones are dig, host and nslookup. dig is covered here; the other two are less capable than dig and are not detailed.

dig command:
    dig  [-t RR_TYPE]  name  [@SERVER]  [query options]
    used to test the DNS system, so it never consults the hosts file;

Query options:
    +[no]trace: trace the resolution path;
    +[no]recurse: request recursive resolution;

Note: reverse lookup test
    dig  -x  IP
                                
Simulate a full zone transfer:
    dig  -t  axfr  DOMAIN  [@server]
[root@zcy520ooooo ~]# dig -t A www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11730
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.baidu.com.         IN  A

;; ANSWER SECTION:
www.baidu.com.      300 IN  CNAME   www.a.shifen.com.
www.a.shifen.com.   300 IN  A   115.239.210.27
www.a.shifen.com.   300 IN  A   115.239.211.112

;; Query time: 2 msec
;; SERVER: 202.96.209.5#53(202.96.209.5)
;; WHEN: 一 10月 29 17:23:48 CST 2018
;; MSG SIZE  rcvd: 90

Setting up a master/slave pair
To keep the DNS service reliable, so that the failure of a single DNS server does not make the service unavailable, a master and a slave must be configured.

Master DNS server: the server that maintains the zone database it is authoritative for; it can be read and written
Slave DNS server: "copies" the zone data from the master or from another slave; the slave can only be queried, not modified

1. Configure the master server
Edit /etc/named.conf

[root@zcy520ooooo ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; 192.168.177.133; };  # add the host's own IP to the listen list, or use { any; }
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };  # allow queries from any host

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion no;  # changed to no

    dnssec-enable no;  # as above
    dnssec-validation no;  # as above

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Add the corresponding zones to /etc/named.rfc1912.zones

[root@localhost named]# vim /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "zcy520.com" IN {    # add the forward zone
    type master;    # this zone is of master type
    file "zcy520.com.zone";    # file name; it must match the file under /var/named/
    allow-query { any; };    # hosts allowed to query
    allow-update { none; };    # do not allow dynamic updates to the zone data
};

zone "177.168.192.in-addr.arpa" IN {    # add the reverse zone
    type master;
    file "192.168.177.zone";
    allow-query { any; };
    allow-update { none; };
};

# Access control directives:
    # allow-query {};  hosts allowed to query; a whitelist;
    # allow-transfer {};  hosts allowed to perform zone transfers; the default is all hosts, so it should be restricted to the slave servers only;
    # allow-recursion {};  hosts allowed to send recursive queries to this server;
    # allow-update {};  DDNS, allow dynamic updates to the zone file;
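The note on allow-transfer above is the access-control setting most often left at its default, and the post's own `dig -t axfr zcy520.com` later in this section shows what an unrestricted default looks like from a client: the entire zone is handed over. The following added example (not from the original post) parses zone stanzas written in named.conf style and reports master zones that either have no allow-transfer or allow it from any host. Both configuration snippets are constructed for this example, modelled on the post's zones; the corrected one restricts transfers to the slave at 192.168.177.134, the slave address used in the post.

```python
import re

# Added example, not from the original post. Both snippets are constructed for
# this example, modelled on the zone stanzas in the post.
WEAK_ZONES = """\
zone "zcy520.com" IN {
    type master;
    file "zcy520.com.zone";
    allow-query { any; };
    allow-update { none; };
};

zone "177.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.177.zone";
    allow-query { any; };
    allow-transfer { any; };
    allow-update { none; };
};
"""

FIXED_ZONES = """\
zone "zcy520.com" IN {
    type master;
    file "zcy520.com.zone";
    allow-query { any; };
    allow-transfer { 192.168.177.134; };   # the slave only
    allow-update { none; };
};

zone "177.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.177.zone";
    allow-query { any; };
    allow-transfer { 192.168.177.134; };
    allow-update { none; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)


def strip_comments(line):
    """named.conf accepts '#', '//' and '/* */' comments; the line forms are handled here."""
    for marker in ("#", "//"):
        line = line.split(marker, 1)[0]
    return line.strip()


def parse_zones(text):
    """Map zone name -> {option: value} for every zone stanza in the text."""
    zones = {}
    for name, body in ZONE_RE.findall(text):
        options = {}
        for raw in body.splitlines():
            line = strip_comments(raw).rstrip(";").strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            options[key] = value.strip()
        zones[name] = options
    return zones


def acl_members(value):
    """Members of an address-match list such as '{ 192.168.177.134; any; }'."""
    return re.findall(r"[^\s{};]+", value)


def transfer_findings(text):
    """Report master zones whose zone transfers are not restricted to known slaves."""
    findings = []
    for name, options in parse_zones(text).items():
        if options.get("type") != "master":
            continue
        acl = options.get("allow-transfer")
        if acl is None:
            findings.append((name, "no allow-transfer: the default allows AXFR from any host"))
        elif "any" in acl_members(acl):
            findings.append((name, "allow-transfer { any; } lets anyone dump the zone"))
    return findings


if __name__ == "__main__":
    for zone, why in transfer_findings(WEAK_ZONES):
        print(f"{zone}: {why}")
```

The same check is cheap to run from a configuration-management hook before `rndc reload`, so that a zone added without allow-transfer never reaches a running server.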

Create zcy520.com.zone and 192.168.177.zone under /var/named and enter the corresponding records

[root@localhost named]# vim /var/named/zcy520.com.zone 
$TTL 3600    ; global TTL, in seconds
$ORIGIN zcy520.com.  ; the trailing dot must not be omitted, otherwise a syntax error
@   IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. (
    2018103001    ; serial; update it every time this file is changed
    1H    ; refresh interval
    10M    ; retry interval after a failed refresh
    3D     ; expire time
    1D )    ; negative-answer TTL
    IN  NS  ns1    ; every NS must have an A record
    IN  MX  10 mx1
    IN  MX  20 mx2
ns1 IN  A   192.168.177.133
mx1 IN  A   192.168.177.134
mx2 IN  A   192.168.177.135
www IN  A   192.168.177.133
web IN  CNAME   www

# @ stands for the current zone name (zone_name); when two adjacent records have the same name, the second may omit it
--------------------------------------------------------------------------------------------
[root@localhost named]# vim /var/named/192.168.177.zone 
$TTL 3600
$ORIGIN 177.168.192.in-addr.arpa.
@       IN      SOA     ns1.zcy520.com. nsadmin.zcy520.com. (
        2018103001
        1H
        10M
        3D
        12H )
        IN      NS      ns1.zcy520.com.
133     IN      PTR     ns1.zcy520.com.
134     IN      PTR     mx1.zcy520.com.
135     IN      PTR     mx2.zcy520.com.
133     IN      PTR     www.zcy520.com.

After configuring the master, check the configuration files for errors

[root@localhost named]# named-checkconf /etc/named.conf 
[root@localhost named]# named-checkzone zcy520.com /var/named/zcy520.com.zone 
zone zcy520.com/IN: loaded serial 2018103001
OK
[root@localhost named]# named-checkzone 177.168.192.in-addr.arpa. /var/named/192.168.177.zone 
zone 177.168.192.in-addr.arpa/IN: loaded serial 2018103001
OK

# OK means the check passed
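named-checkzone checks syntax; it will not tell you that an NS or MX target lacks an address record (rule 4 in the notes on record format earlier in this section). This added example, not part of the original post, parses a zone file in the format described above (handling $TTL, $ORIGIN, @, omitted names and the parenthesised SOA) and applies the post's own rules: exactly one SOA as the first record, and an A/AAAA record for every in-zone NS and MX target. It also converts the SOA timers (1H, 10M, 3D, 1D) to seconds, which is the form `dig -t axfr` prints back later in the section. The zone text is a constructed copy of the post's zcy520.com.zone, using the `;` comments that zone files accept.

```python
import re

# Added example, not from the original post. Constructed copy of the post's
# forward zone; zone files accept only ';' comments, not '#'.
ZONE_TEXT = """\
$TTL 3600
$ORIGIN zcy520.com.
@   IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. (
    2018103001  ; serial
    1H          ; refresh
    10M         ; retry
    3D          ; expire
    1D )        ; negative-answer TTL
    IN  NS  ns1
    IN  MX  10 mx1
    IN  MX  20 mx2
ns1 IN  A   192.168.177.133
mx1 IN  A   192.168.177.134
mx2 IN  A   192.168.177.135
www IN  A   192.168.177.133
web IN  CNAME   www
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def to_seconds(token):
    """Convert a BIND time value such as 1H, 10M, 3D, 1W or plain 3600 to seconds."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", token.upper())
    if not m:
        raise ValueError(f"bad time value: {token}")
    return int(m.group(1)) * UNITS[m.group(2) or "S"]


def fqdn(name, origin):
    """Expand '@' and relative names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is a dict with name, ttl, type and rdata."""
    origin, default_ttl, records, last_name = None, None, [], None
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop ';' comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                            # join the parenthesised SOA continuation lines
            logical.append(" ".join(buf))
            buf = []
    for line in logical:
        if line.startswith("$TTL"):
            default_ttl = to_seconds(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():                 # a name is present; otherwise the previous one is reused
            last_name = fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0] != "IN":                     # optional per-record TTL before the class
            ttl = to_seconds(tokens.pop(0))
        tokens.pop(0)                             # class IN
        records.append({"name": last_name, "ttl": ttl, "type": tokens[0], "rdata": tokens[1:]})
    return origin, records


def soa_timers(records):
    """serial/refresh/retry/expire/minimum of the SOA record, times in seconds."""
    soa = next(r for r in records if r["type"] == "SOA")
    serial, refresh, retry, expire, minimum = soa["rdata"][2:7]
    return {"serial": int(serial), "refresh": to_seconds(refresh), "retry": to_seconds(retry),
            "expire": to_seconds(expire), "minimum": to_seconds(minimum)}


def lint(text):
    """Apply the post's consistency rules; an empty list means the zone is clean."""
    origin, records = parse_zone(text)
    problems = []
    soas = [r for r in records if r["type"] == "SOA"]
    if len(soas) != 1 or records[0]["type"] != "SOA":
        problems.append("exactly one SOA record is required and it must come first")
    addressed = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    for r in records:
        if r["type"] == "NS":
            target = fqdn(r["rdata"][0], origin)
        elif r["type"] == "MX":
            target = fqdn(r["rdata"][1], origin)    # rdata is [priority, host]
        else:
            continue
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addressed:
            problems.append(f"{r['type']} target {target} has no A/AAAA record")
    return problems


if __name__ == "__main__":
    print(soa_timers(parse_zone(ZONE_TEXT)[1]))
    print(lint(ZONE_TEXT) or "zone is consistent")
```

Targets outside the zone (an MX pointing at a mail provider's hostname, say) are deliberately skipped, since their address records live in someone else's zone.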

Then change the group and permissions of the files, and finally reload the service

[root@localhost named]# chgrp named /var/named/zcy520.com.zone 
[root@localhost named]# chmod o= /var/named/zcy520.com.zone 
[root@localhost named]# chgrp named /var/named/192.168.177.zone 
[root@localhost named]# chmod o= /var/named/192.168.177.zone
[root@localhost named]# ll zcy520.com.zone 192.168.177.zone 
-rw-r-----. 1 root named 374 10月 30 14:38 192.168.177.zone
-rw-r-----. 1 root named 266 10月 30 13:03 zcy520.com.zone
[root@localhost named]# rndc reload    # restarting named with systemctl also works
server reload successful

2. Configure the slave server:
The slave synchronises its data from the master, so only the main configuration file needs to be set up, with the corresponding slave zones added to /etc/named.rfc1912.zones

[root@localhost ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; 192.168.177.134; };    # listen on the host's own IP as well, or use { any; }
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };    # allow queries from any host

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion no;    # changed to no

    dnssec-enable no;    # as above
    dnssec-validation no;    # as above

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Add the slave zones to /etc/named.rfc1912.zones

[root@localhost ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "zcy520.com" IN {    # add the forward zone
    type slave;    # slave server
    file "slaves/zcy520.com.zone";    # where the transferred zone is stored: a file under /var/named/slaves/
    masters { 192.168.177.133; };    # master server IP address; note the format
};

zone "177.168.192.in-addr.arpa" IN {    # add the reverse zone
    type slave;    # slave server
    file "slaves/192.168.177.zone";
    masters { 192.168.177.133; };    # master server IP address; the keyword is masters, with spaces around the braces and a semicolon at the end
};


Point the local resolver at the DNS server and test forward and reverse resolution

[root@localhost named]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.177.133
[root@localhost named]# dig -t axfr zcy520.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr zcy520.com
;; global options: +cmd
zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400
zcy520.com.     3600    IN  NS  ns1.zcy520.com.
zcy520.com.     3600    IN  MX  10 mx1.zcy520.com.
zcy520.com.     3600    IN  MX  20 mx2.zcy520.com.
mx1.zcy520.com.     3600    IN  A   192.168.177.134
mx2.zcy520.com.     3600    IN  A   192.168.177.135
ns1.zcy520.com.     3600    IN  A   192.168.177.133
web.zcy520.com.     3600    IN  CNAME   www.zcy520.com.
www.zcy520.com.     3600    IN  A   192.168.177.133
zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400
;; Query time: 1 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 14:55:39 CST 2018
;; XFR size: 10 records (messages 1, bytes 253)

[root@localhost named]# dig -t A www.zcy520.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24968
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy520.com.            IN  A

;; ANSWER SECTION:
www.zcy520.com.     3600    IN  A   192.168.177.133

;; AUTHORITY SECTION:
zcy520.com.     3600    IN  NS  ns1.zcy520.com.

;; ADDITIONAL SECTION:
ns1.zcy520.com.     3600    IN  A   192.168.177.133

;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 14:57:38 CST 2018
;; MSG SIZE  rcvd: 93

[root@localhost named]# dig -x 192.168.177.133

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57526
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;133.177.168.192.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
133.177.168.192.in-addr.arpa. 3600 IN   PTR www.zcy520.com.
133.177.168.192.in-addr.arpa. 3600 IN   PTR ns1.zcy520.com.

;; AUTHORITY SECTION:
177.168.192.in-addr.arpa. 3600  IN  NS  ns1.zcy520.com.

;; ADDITIONAL SECTION:
ns1.zcy520.com.     3600    IN  A   192.168.177.133

;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 15:08:53 CST 2018
;; MSG SIZE  rcvd: 133
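The transfer test above shows two things a practitioner will want to re-check after every change: that the slave is actually carrying the same zone version as the master (the SOA serial, 2018103001 here), and that a full zone transfer is not being handed to arbitrary clients, since allow-transfer defaults to every host. The helpers below are an added example, not code from the original post: soa_serial and serials_match compare SOA serials from dig output, axfr_allowed reports whether a server answered an AXFR with records or with "Transfer failed.", and live_check (assumed names, needs network access) runs the comparison against real servers. The dig outputs embedded at the top are constructed samples in the format shown above.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the master/slave setup.
# The dig outputs below are constructed samples in the same format dig prints.

MASTER_SOA='zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400'
STALE_SLAVE_SOA='zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018102901 3600 600 259200 86400'

AXFR_OPEN='; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr zcy520.com
;; global options: +cmd
zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400
zcy520.com.     3600    IN  NS  ns1.zcy520.com.
www.zcy520.com.     3600    IN  A   192.168.177.133
zcy520.com.     3600    IN  SOA ns1.zcy520.com. dnsadmin.zcy520.com. 2018103001 3600 600 259200 86400'

AXFR_DENIED='; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t axfr zcy520.com
;; global options: +cmd
; Transfer failed.'

soa_serial() {
    # soa_serial "DIG_OUTPUT" -> prints the serial (7th field) of the first SOA record line
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

serials_match() {
    # serials_match MASTER_OUTPUT SLAVE_OUTPUT -> 0 when both SOA serials are present and equal
    local m s
    m=$(soa_serial "$1")
    s=$(soa_serial "$2")
    [ -n "$m" ] && [ "$m" = "$s" ]
}

axfr_allowed() {
    # axfr_allowed "DIG_AXFR_OUTPUT" -> 0 if the server handed out the zone
    # (SOA records present, no "Transfer failed."), 1 if the transfer was refused
    if printf '%s\n' "$1" | grep -q 'Transfer failed'; then
        return 1
    fi
    printf '%s\n' "$1" | awk '$4 == "SOA" { found = 1 } END { exit !found }'
}

live_check() {
    # live_check ZONE MASTER_IP SLAVE_IP -> query both servers and compare serials;
    # this needs network access and is not run by the offline demonstration below
    local zone="$1" master="$2" slave="$3" m s
    m=$(dig @"$master" "$zone" SOA +noall +answer)
    s=$(dig @"$slave" "$zone" SOA +noall +answer)
    if serials_match "$m" "$s"; then
        echo "OK: $zone serial $(soa_serial "$m") on both $master and $slave"
    else
        echo "MISMATCH: $zone master serial '$(soa_serial "$m")' vs slave serial '$(soa_serial "$s")'"
        return 1
    fi
}

# Offline demonstration on the constructed samples
echo "master serial: $(soa_serial "$MASTER_SOA")"
if serials_match "$MASTER_SOA" "$STALE_SLAVE_SOA"; then echo "slave in sync"; else echo "slave is behind"; fi
if axfr_allowed "$AXFR_OPEN"; then echo "zone transfer is open to this client: restrict allow-transfer to the slaves"; fi
if axfr_allowed "$AXFR_DENIED"; then :; else echo "zone transfer refused, as expected from a non-slave"; fi
# Against the real servers: live_check zcy520.com 192.168.177.133 192.168.177.134
```

Run the AXFR check from a host that is not in the slaves list; once allow-transfer is limited to the slaves, dig reports "Transfer failed." there while live_check still succeeds from the slave itself.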

4. Building and implementing intelligent DNS (split-horizon DNS)

Intelligent DNS returns different IP addresses for the same domain name depending on which client is asking: for example, a China Telecom user looking up a site gets the Telecom-side IP address, while a China Netcom user looking up the same site gets the Netcom-side IP address, which speeds up access to the site. Below is a brief introduction to acl access control lists and the view feature, followed by a demonstration of intelligent DNS.

acl: access control list; groups one or more addresses into a named set, so that the name can then be used to refer to every host in the set at once.

    acl  acl_name  {
        ip;
        net/prelen;
    };

    Example:
        acl  mynet {
            172.16.0.0/16;
            127.0.0.0/8;
        };

bind has four built-in acls:
    none: no host;
    any: any host;
    localhost: this machine (all of its own addresses);
    localnets: the networks that this machine's IP addresses belong to;

Access control directives:
    allow-query  {};  hosts allowed to query; a whitelist;
    allow-transfer {};  hosts allowed to request a zone transfer; the default allows every host, so it should be restricted to the slave servers only;
    allow-recursion {}; hosts allowed to send recursive queries to this DNS server;
    allow-update {}; DDNS; hosts allowed to dynamically update the contents of the zone database file;

bind view:
    view:
        view  VIEW_NAME {
            zone
            zone
            zone
        };
# once views are used, every zone statement must sit inside a view; a zone left outside a view's braces causes a configuration error

view internal  {
    match-clients { 192.168.0.0/24; };    # client addresses this view serves; an acl name can be used instead, e.g. match-clients { "mynet"; any; }; mind the syntax
    zone "zcy520.com"  IN {
        type master;
        file  "zcy520.com/internal";
    };
};

1. Edit the /etc/named.conf configuration file

[root@localhost named]# vim /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

acl slaves {  # define two different acls; clients from these two groups querying the same intelligent DNS service are handled differently
        192.168.177.134;
        192.168.177.135;
        127.0.0.1;
};

acl mynet {
        192.168.177.133;
        127.0.0.0/8;   # the loopback network, written with its network address as in the mynet example above
};
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion no;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

/*zone "." IN {
        type hint;
        file "named.ca";
};
*/   # because every zone must live inside a view, this zone was moved into /etc/named.rfc1912.zones


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2. Edit the /etc/named.rfc1912.zones configuration file to add the different views

[root@localhost ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

view internal {   # define an internal view
        match-clients { "mynet";};  # matches the IPs listed in the mynet acl

zone "." IN {  # the zones served to clients matching this acl
        type hint;
        file "named.ca";
};

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "zcy520.com" {   # zone served to the internal mynet clients
        type master;
        file "zcy520.com";
        allow-query { any; };
        allow-transfer { slaves; };
        allow-update { none; };
};

zone "177.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.177.zone";
        allow-query { any; };
        allow-transfer { slaves; };
        allow-update { none; };
};
};

view external {   # define an external view
        match-clients { slaves; };  # matches only the IPs listed in the slaves acl

        zone "zcy520.com" IN {  # the zone served to the slaves
                type master;
                file "zcy520.com.external";
                allow-update { none; };
};
};
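To see how named picks a view for a given client, here is a small simulation, added as an example and not part of the original post, of the match-clients evaluation for the two acls and two views configured above. It models only match-clients (real BIND also evaluates match-destinations, match-recursive-only and TSIG keys); the ACL_* and VIEW_* variables are assumptions mirroring the page's named.conf, and the function names are mine. The point it demonstrates is that views are tried in file order and the first match wins: 127.0.0.1 appears in both acls, so a localhost query always lands in the internal view, and a client in neither acl is refused.

```shell
#!/bin/sh
# Added example (not part of the original post): simulate BIND view selection
# with match-clients. Assumed definitions mirror the page's named.conf.

ACL_slaves="192.168.177.134 192.168.177.135 127.0.0.1"
ACL_mynet="192.168.177.133 127.0.0.0/8"

VIEW_ORDER="internal external"      # views are tried in the order they appear in the file
VIEW_internal="mynet"               # match-clients { "mynet"; };
VIEW_external="slaves"              # match-clients { slaves; };

ip2int() {
    # ip2int A.B.C.D -> prints the address as a 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP CIDR -> 0 if IP lies inside CIDR; a bare address means /32
    local net plen mask
    case $2 in
        */*) net=${2%/*}; plen=${2#*/} ;;
        *)   net=$2;      plen=32 ;;
    esac
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

match_list() {
    # match_list IP "elements..." -> 0 on the first element that matches:
    # an address, a CIDR, the built-ins any/none, or the name of another acl
    local ip="$1" el sub
    for el in $2; do
        case $el in
            any)    return 0 ;;
            none)   return 1 ;;
            [0-9]*) in_cidr "$ip" "$el" && return 0 ;;
            *)      eval "sub=\$ACL_$el"
                    match_list "$ip" "$sub" && return 0 ;;
        esac
    done
    return 1
}

select_view() {
    # select_view IP -> prints the first view whose match-clients accepts IP,
    # or REFUSED when no view matches (named answers such queries with REFUSED)
    local ip="$1" v clients
    for v in $VIEW_ORDER; do
        eval "clients=\$VIEW_$v"
        if match_list "$ip" "$clients"; then
            echo "$v"
            return 0
        fi
    done
    echo REFUSED
    return 1
}

# Demonstration: 127.0.0.1 is in both acls, so the first view (internal) wins;
# a slave address reaches the external view; an unknown client gets nothing.
for c in 127.0.0.1 192.168.177.133 192.168.177.134 10.0.0.5; do
    echo "$c -> $(select_view "$c")"
done
```

Because of this ordering, a test run on the server itself (as in step 5 below) exercises the internal view; to confirm the external view you have to query from one of the slave addresses.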

3. Edit the zone files for the different zones under /var/named
The zone for the mynet acl: when the querying IP falls within the address range of the mynet acl, the answers come from this configuration:

$TTL 86440
@       IN      SOA     ns1.zcy520.com. dnsadmin.zcy520.com. (
                2018040806
                1H
                10M
                3D
                1D
)
        IN      NS      ns1.zcy520.com.
        IN      MX      10 mx1.zcy520.com.
ns1     IN      A       192.168.177.133
mx1     IN      A       192.168.177.133
www     IN      A       192.168.177.133
web     IN      CNAME   www

The zone for the slaves acl: when the querying IP falls within the address range of the slaves acl, the answers come from this configuration:

$TTL 86440
@       IN      SOA     ns1.zcy520.com. dnsadmin.zcy520.com. (
                2018040806
                1H
                10M
                3D
                1D
)
        IN      NS      ns1.zcy520.com.
        IN      MX      10 mx1.zcy520.com.
ns1     IN      A       192.168.177.133
mx1     IN      A       192.168.177.133
www     IN      A       2.2.2.1
web     IN      CNAME   www

4. Check the syntax and restart the service

[root@localhost named]# named-checkconf    # the file path can be omitted; it defaults to /etc/named.conf
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl restart named
[root@localhost named]#

5. Verify the results
Querying the same DNS server from an IP in the mynet acl:

[root@localhost named]# dig -t A www.zcy520.com @192.168.177.133

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com @192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25423
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy520.com.            IN  A

;; ANSWER SECTION:
www.zcy520.com.     86440   IN  A   192.168.177.133

;; AUTHORITY SECTION:
zcy520.com.     86440   IN  NS  ns1.zcy520.com.

;; ADDITIONAL SECTION:
ns1.zcy520.com.     86440   IN  A   192.168.177.133

;; Query time: 0 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 16:44:04 CST 2018
;; MSG SIZE  rcvd: 93


# the answer here is the one defined in /var/named/zcy520.com

Querying the same DNS server from an IP in the slaves acl:

[root@localhost ~]# dig -t A www.zcy520.com @192.168.177.133

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.zcy520.com @192.168.177.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64278
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zcy520.com.            IN  A

;; ANSWER SECTION:
www.zcy520.com.     86440   IN  A   2.2.2.1   # this is where the answer differs

;; AUTHORITY SECTION:
zcy520.com.     86440   IN  NS  ns1.zcy520.com.

;; ADDITIONAL SECTION:
ns1.zcy520.com.     86440   IN  A   192.168.177.133

;; Query time: 1 msec
;; SERVER: 192.168.177.133#53(192.168.177.133)
;; WHEN: 二 10月 30 16:49:02 CST 2018
;; MSG SIZE  rcvd: 93

# the answer here is the one defined in /var/named/zcy520.com.external
