DNS Encryption and DDNS

This continues the DNS resolution experiment from the previous post: http://blog.csdn.net/dream_ya/article/details/79326054

Secondary (slave) DNS


On the client, IP 172.25.254.225 (a freshly reset machine):

 yum install bind.x86_64 -y
 vim /etc/named.conf
 listen-on port 53 { any; };
 listen-on-v6 port 53 { any; };
 allow-query     { any; };
 dnssec-validation no;
 (or comment the original lines out with //)

Listening on every address and answering every client is fine on an isolated lab network. On a host reachable from elsewhere, restrict allow-query or turn recursion off, otherwise the machine becomes an open resolver.

 vim /etc/named.rfc1912.zones
 zone "localhost" IN {
         type master;
         file "named.localhost";
         allow-update { none; };
 };

 zone "dream.com" IN {
         type slave;
         masters { 172.25.254.125; };
         file "slaves/dream.com.zone";          ### the bind package ships /var/named/slaves/ for this; whatever directory is used must exist and be writable by the named user, otherwise the transferred zone is held only in memory and is lost on restart
         allow-update { none; };
 };

 vim /etc/resolv.conf
 nameserver 172.25.254.225

 systemctl start named
 systemctl stop firewalld.service          ### lab shortcut; opening only DNS is preferable: firewall-cmd --permanent --add-service=dns && firewall-cmd --reload

On the virtual machine with IP 172.25.254.125 (the master server):

 vim /etc/named.rfc1912.zones
 zone "dream.com" IN {
           type master;
           file "dream.com.zone";
           allow-update { none; };
           also-notify { 172.25.254.225; };                 ### when the master zone changes, send a NOTIFY to the secondary 172.25.254.225 so it transfers the new copy (needed because 225 is not listed in an NS record). BIND's default allow-transfer is { any; }; outside the lab, restrict it to the secondary so the zone cannot be dumped by anyone with AXFR
 };

  vim /var/named/dream.com.zone
  $TTL 1D
  @       IN SOA  dns.dream.com. root.dream.com. (
                                          0       ; serial
                                          1D      ; refresh
                                          1H      ; retry
                                          1W      ; expire
                                          3H )    ; minimum
          NS      dns.dream.com.
  dns     A       172.25.254.125
  www     CNAME   login.dream.com.
  login   A       172.25.254.225

 systemctl restart named

Test

On the master, 172.25.254.125:

 vim /var/named/dream.com.zone
  $TTL 1D
  @       IN SOA  dns.dream.com. root.dream.com. (
                                          1       ; serial       ### raise this every time the zone changes: the secondary only transfers when it sees a serial higher than the one it holds
                                          1D      ; refresh
                                          1H      ; retry
                                          1W      ; expire
                                          3H )    ; minimum
          NS      dns.dream.com.
  dns     A       172.25.254.125
  www     CNAME   login.dream.com.
  login   A       172.25.254.225
  login   A       172.25.254.222                                 ### a second A record for login; dig now returns both addresses (edit the existing line instead if the address is meant to be replaced)

 systemctl restart named

On 172.25.254.225:

 dig www.dream.com                                                 ### the new address appears on the secondary as well; if it does not, compare the serials with dig SOA dream.com @172.25.254.125 and @172.25.254.225 and look at journalctl -u named on the secondary for the zone transfer

Only the master has to be edited; the secondary follows on its own.
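Bumping the serial is the step most often forgotten, so here is a small helper, added for this post (it is not the author's code), that raises the serial in a zone file, refuses to overflow the 32-bit range, and runs named-checkzone when it is installed. The file layout follows the post's zone; the record data in demo() is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): bump the SOA serial of a zone
# file and sanity-check it before restarting named. A secondary only pulls a
# new copy when the serial it sees in a NOTIFY/SOA query is higher than the
# one it holds, so forgetting this is the usual reason "dig on the slave
# still shows the old IP". The zone data written by demo() is constructed.

# Print the current serial: the first number on the line tagged "; serial".
get_serial() {                 # $1 = zone file
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# Increment the serial in place. Serials are 32-bit (RFC 1982); refuse to
# go past 4294967295 rather than silently wrapping.
bump_serial() {                # $1 = zone file
    cur=$(get_serial "$1")
    [ -n "$cur" ] || { echo "no serial line in $1" >&2; return 1; }
    [ "$cur" -lt 4294967295 ] || { echo "serial would overflow" >&2; return 1; }
    tmp="$1.tmp.$$"
    awk '/;[[:space:]]*serial/ && !done { sub(/[0-9]+/, $1 + 1); done = 1 } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Run BIND's syntax checker when it is present (it ships with the bind package).
check_zone() {                 # $1 = zone origin, $2 = zone file
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

demo() {
    z=$(mktemp)
    # Constructed copy of the post's zone, serial 0.
    cat > "$z" <<'EOF'
$TTL 1D
@       IN SOA  dns.dream.com. root.dream.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.dream.com.
dns     A       172.25.254.125
www     CNAME   login.dream.com.
login   A       172.25.254.225
EOF
    bump_serial "$z"
    echo "serial is now $(get_serial "$z")"
    check_zone dream.com "$z"
    rm -f "$z"
}
demo
```

Run it as `bump_serial /var/named/dream.com.zone && check_zone dream.com /var/named/dream.com.zone` before `systemctl restart named` (or `rndc reload dream.com`). A date-based serial such as 2018021901 works with the same helper, since it only adds one.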

[Image 1]

Remote control of DNS (dynamic updates)


 cp -p /var/named/dream.com.zone /mnt                        ### back up the zone; the TSIG experiment below restores it
 vim /etc/named.conf
 zone "." IN {
         type hint;
         file "named.ca";
 };

 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
 ##### comment out all of the view blocks below (once views are defined, BIND refuses zones that are not inside a view) #####
 /*view localnet {
         match-clients { 172.25.254.125; };
         zone "." IN {
         type hint;
         file "named.ca";
         };
 include "/etc/named.rfc1912.zones.inter";
 };
 view internet {
         match-clients { any; };
         zone "." IN {
         type hint;
         file "named.ca";
         };
 include "/etc/named.rfc1912.zones";
 };*/

 vim /etc/named.rfc1912.zones 
 zone "dream.com" IN {
           type master;
           file "dream.com.zone";
           allow-update { 172.25.254.225; };                ### accept dynamic updates from 172.25.254.225. This trusts nothing but the packet's source address: a UDP update with a forged source passes the check, which is why the next section switches to a TSIG key
           also-notify { 172.25.254.225; };
 };

 systemctl restart named
 chmod g+w /var/named/                     ### named must be able to create the journal dream.com.zone.jnl next to the zone file; it shows up in ls /var/named after the first accepted update. With SELinux enforcing, also run setsebool -P named_write_master_zones on (or keep the dynamic zone under /var/named/dynamic)
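Added for this post (not from the original): a quick audit over a named.rfc1912.zones-style file that lists every zone whose allow-update trusts a source address (or any) rather than a TSIG key. The config written by demo() is constructed from the stanzas above; zone names other than dream.com are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): flag zones whose allow-update
# ACL trusts a source address instead of a TSIG key. A UDP update's source IP
# is trivially forged, so "allow-update { 172.25.254.225; };" lets anyone on
# the path rewrite dream.com, while "allow-update { key dream; };" does not.
# The config text in demo() is constructed from the post's stanzas.

# Print "zone: acl" for every zone whose allow-update is neither "none" nor
# key-based. Assumes one-line ACLs, as written in the post; // and # comment
# lines are skipped.
audit_allow_update() {         # $1 = named.rfc1912.zones (or any named.conf fragment)
    awk '
        /^[[:space:]]*(\/\/|#)/ { next }
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /allow-update[[:space:]]*[{]/ {
            acl = $0
            sub(/.*allow-update[[:space:]]*[{]/, "", acl)
            sub(/[}].*/, "", acl)
            sub(/^[[:space:]]+/, "", acl)
            sub(/[[:space:]]+$/, "", acl)
            if (acl == "none;") next
            if (acl ~ /(^|[[:space:]])key[[:space:]]/) next
            print zone ": " acl
        }
    ' "$1"
}

demo() {
    f=$(mktemp)
    # Constructed: the post's two zones plus one key-protected zone.
    cat > "$f" <<'EOF'
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "dream.com" IN {
        type master;
        file "dream.com.zone";
        allow-update { 172.25.254.225; };
        also-notify { 172.25.254.225; };
};

zone "example.test" IN {
        type master;
        file "example.test.zone";
        allow-update { key dream; };
};
EOF
    audit_allow_update "$f"     # prints only: dream.com: 172.25.254.225;
    rm -f "$f"
}
demo
```

Point it at the real file with `audit_allow_update /etc/named.rfc1912.zones`; an empty result means every updatable zone requires a key.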

Test

On 172.25.254.225:

 [root@server ~]# nsupdate
 > server 172.25.254.125
 >  update add hello.dream.com 86400 A 172.25.254.111
 > send
 > quit

On the master, 172.25.254.125:

 systemctl restart named                   ### the update is already being served (dig hello.dream.com @172.25.254.125) but lives in the .jnl journal; restarting, or rndc sync -clean dream.com without a restart, writes it into the zone file
 cat /var/named/dream.com.zone

[Image 2]

DNS encryption (TSIG-signed updates)


Strictly speaking this is authentication rather than encryption: the update request carries an HMAC computed over the message with a shared secret (a TSIG key), so the server can verify who sent it and that it was not altered in transit, but the request itself still travels in the clear. It replaces the spoofable source-address check used above.

Restore the environment on the master, 172.25.254.125:

 cd /var/named/
 rm -f dream.com.zone.jnl dream.com.zone
 cp -p /mnt/dream.com.zone /var/named/
 cd /mnt
 dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dream                     ### -a: HMAC-MD5 algorithm, -b: key length in bits (up to 512 for this algorithm), -n HOST: a host key; /etc/rndc.key is a key of the same kind. If the command hangs it is waiting for entropy: type on the keyboard. HMAC-MD5 is deprecated, and BIND 9.13+ no longer generates HMAC keys with dnssec-keygen; there, tsig-keygen -a hmac-sha256 dream prints a ready-to-include key stanza
 [root@desktop mnt]# ls
 dream.com.zone  Kdream.+157+12690.key  Kdream.+157+12690.private
 [root@desktop mnt]# cat  Kdream.+157+12690.key
 dream. IN KEY 512 3 157 1avTZv1Lrb3YVOat2tQ+AQ==                   ### 1avTZv1Lrb3YVOat2tQ+AQ== is the base64 shared secret; anyone holding it can rewrite the zone, so treat the key files like passwords
 vim /etc/dream.key
 key "dream" {
         algorithm hmac-md5;
         secret "1avTZv1Lrb3YVOat2tQ+AQ==";
 };
 vim /etc/named.conf
 include "/etc/dream.key";                                       ### anywhere in the file; chgrp named /etc/dream.key and chmod 640 /etc/dream.key keep the secret away from other local users

 vim /etc/named.rfc1912.zones
 zone "dream.com" IN {
           type master;
           file "dream.com.zone";
           allow-update { key dream; };                     ### only updates signed with key "dream" are accepted, whatever their source address
           also-notify { 172.25.254.225; };
 };

 systemctl restart named
 scp /mnt/Kdream.* root@172.25.254.225:/mnt          ### only the .private file is needed on the client; nsupdate -k reads the secret from it

Test

On 172.25.254.225:

 [root@server mnt]# nsupdate -k Kdream.+157+12690.private
 > update add hello.dream.com 86400 A 172.25.254.123
 > send
 > quit

On the master, 172.25.254.125:

 systemctl restart named                   ### or rndc sync -clean dream.com, which flushes the journal without a restart
 cat /var/named/dream.com.zone

[Image 3]

DDNS = DHCP + DNS


DHCP reference post: http://mp.blog.csdn.net/mdeditor/79245704
On the master, 172.25.254.125:

 rm -f /var/named/dream.com.zone*
 cp /mnt/dream.com.zone /var/named -p
 yum install dhcp -y

 [root@desktop mnt]# cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
 cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y

 vim /etc/dhcp/dhcpd.conf
 # option definitions common to all supported networks...
 option domain-name "dream.com";                    ### also the suffix dhcpd appends to the names it registers (ddns-domainname defaults to it)
 option domain-name-servers 172.25.254.125;
 # Use this to enable / disable dynamic dns updates globally.
 ddns-update-style interim;                         ### turn on dynamic DNS updates
 #subnet 10.152.187.0 netmask 255.255.255.0 {
 #}
 subnet 172.25.254.0 netmask 255.255.255.0 {
   range 172.25.254.100 172.25.254.105;
   option routers 172.25.254.125;
 }
 key dream {
    algorithm hmac-md5;
    secret 1avTZv1Lrb3YVOat2tQ+AQ==;                 ### must be byte-for-byte the same secret as in /etc/dream.key on the DNS server, or every update is rejected
 };
 zone dream.com. {
    primary 172.25.254.125;                          ### dhcpd sends its updates here, signed with key dream, and the zone's allow-update { key dream; } from the previous section admits them. Only forward (A) records are created; PTR records need a matching reverse zone stanza here and a reverse zone in BIND
    key dream;
 }

 systemctl start dhcpd                               ### start dhcpd only now: with the stock or untouched example config it has no subnet for this network and refuses to start
 systemctl stop firewalld
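The same shared secret has to appear, character for character, in /etc/dream.key on the DNS server and in dhcpd.conf, and the post's HMAC-MD5 key is a deprecated algorithm. Added here (not the author's code) to serve both the TSIG section above and this DHCP configuration: a shell helper that generates a 256-bit hmac-sha256 secret, renders the matching key stanzas for named.conf and dhcpd.conf, and builds an nsupdate batch that replaces an A record instead of piling a second one next to it. dream.com, 172.25.254.125 and the key name dream come from the post; hello.dream.com and 172.25.254.123 are illustrative inputs.

```shell
#!/bin/sh
# Added example (not from the original post): TSIG key material and dynamic
# updates with a current algorithm. Zone dream.com, master 172.25.254.125 and
# key name "dream" are the post's; the host name and address passed to the
# functions in the demo at the bottom are illustrative.

# 32 random bytes, base64-encoded: a 256-bit secret for hmac-sha256.
# `tsig-keygen -a hmac-sha256 dream` produces the same kind of key and prints
# a named.conf stanza; doing it here keeps the example independent of BIND.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Stanza for named.conf (name and secret are quoted there).
bind_key_stanza() {            # $1 = key name, $2 = base64 secret
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# The same key in the syntax dhcpd.conf documents (unquoted name and secret).
# The secret must be identical in both files or every update fails with
# BADKEY/BADSIG on the server side.
dhcpd_key_stanza() {           # $1 = key name, $2 = base64 secret
    printf 'key %s {\n    algorithm hmac-sha256;\n    secret %s;\n};\n' "$1" "$2"
}

# Build an nsupdate batch that *replaces* a host's A record. A bare
# "update add" accumulates addresses (the post's zone ends up with two A
# records for "login"); deleting first gives a clean swap in one signed
# transaction. Printed to stdout so it can be reviewed before sending.
ddns_replace_a() {             # $1 = server, $2 = zone, $3 = fqdn, $4 = ttl, $5 = ip
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# Sign and send the batch when nsupdate and the key file are available;
# otherwise just show what would be sent.
run_update() {                 # $1 = TSIG key file (.private or key stanza), rest as ddns_replace_a
    keyfile=$1; shift
    if command -v nsupdate >/dev/null 2>&1 && [ -r "$keyfile" ]; then
        ddns_replace_a "$@" | nsupdate -k "$keyfile"
    else
        ddns_replace_a "$@"
    fi
}

# Demo: one secret, both config fragments, one replacement batch.
secret=$(gen_tsig_secret)
bind_key_stanza dream "$secret"
dhcpd_key_stanza dream "$secret"
run_update /etc/dream.key 172.25.254.125 dream.com hello.dream.com 86400 172.25.254.123
```

Write the first stanza to /etc/dream.key (and keep the include in named.conf), paste the second into dhcpd.conf in place of the hmac-md5 block, then restart both daemons. A stanza file in named.conf syntax is itself accepted by `nsupdate -k`, so the same file serves for manual updates from the client.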

Test

On another virtual machine, set the network interface to DHCP:

 vim /etc/hostname
 hello.dream.com                           ### or hostnamectl set-hostname hello.dream.com; the client sends its host name in the DHCP request and dhcpd registers it in dream.com
 dig hello.dream.com

Each time the client receives a different lease, the address hello.dream.com resolves to follows it; on the server, journalctl -u dhcpd shows the update being sent.
