Chapter 9: Communication Encryption/Decryption Techniques and the DNS Service

I. Briefly describe the common encryption algorithms and how they work, preferably with diagrams

There are four common kinds of cryptographic technique: symmetric encryption, public-key encryption, one-way encryption (hashing), and key exchange.

Symmetric encryption

Characteristics:
1. Encryption and decryption use the same key;
2. The source data is split into fixed-size blocks, which are encrypted one by one;

Common algorithms:
DES: Data Encryption Standard. The encrypting side turns 64 bits of plaintext into 64 bits of ciphertext, and the decrypting side turns the 64-bit ciphertext back into 64 bits of plaintext; one block is 64 bits, i.e. 8 bytes. Encryption and decryption use a 56-bit key, and DES runs 16 rounds.
3DES: Triple DES, DES applied three times over.
AES: Advanced Encryption Standard, with key lengths of 128 bits, 192 bits, 256 bits and 384 bits.
Blowfish: a symmetric block cipher with a 64-bit block and a variable key length, usable to encrypt 64-bit strings.
Twofish: a cipher derived from Blowfish.
IDEA: International Data Encryption Algorithm, developed on the basis of DES and similar to Triple DES.

Public-key encryption

Characteristics:
1. Encrypt with the public key, decrypt with the private key;
2. Encrypt with the private key, decrypt with the public key;

Common algorithms:
RSA
DSA
ElGamal

One-way encryption (hashing)

Characteristics:
1. Fixed-length output: however large the input, the digest is always the same length;
2. Avalanche effect: a tiny change in the data produces a completely different digest;
Common use: data integrity verification

Common algorithms:
MD5
SHA-1
SHA-224, SHA-256, SHA-384, SHA-512

Key exchange

Common use: IPsec VPN
Common algorithms:
RSA
DH
ECDH
ECDHE

The complete flow of encrypted data communication:

Encryption:
    Step 1: the sender computes a digest (feature code) of the data with a one-way hash algorithm;
    Step 2: the sender encrypts the digest with its own private key and appends the result to the data;
    Step 3: the sender generates a temporary symmetric key and encrypts the whole message with it;
    Step 4: the sender encrypts the symmetric key from the previous step with the receiver's public key and appends it to the message;
Decryption:
    Step 1: the receiver decrypts the symmetric key with its own private key;
    Step 2: the receiver decrypts the message with the symmetric key;
    Step 3: the receiver decrypts the digest with the sender's public key, confirming the sender's identity.
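The signed-then-encrypted flow above, implemented end to end in Go as an added example (not code from the original write-up). The four sealing steps and three opening steps follow the text; the choice of primitives is mine: SHA-256 for the digest, RSA-PSS for the signature, AES-256-GCM as the temporary symmetric cipher and RSA-OAEP to wrap the symmetric key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the wire: data||signature sealed under a one-time AES-GCM key, plus that key wrapped for the receiver.
type Envelope struct {
	Ciphertext []byte // nonce || AES-GCM(data || signature)
	WrappedKey []byte // RSA-OAEP(symmetric key) under the receiver's public key
}

// NewKey generates a 2048-bit RSA key pair; each party owns one.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Seal runs the four encryption steps from the write-up.
func Seal(data []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	// Step 1: digest ("feature code") of the data.
	digest := sha256.Sum256(data)
	// Step 2: sign the digest with the sender's private key and append it to the data.
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	payload := append(append([]byte{}, data...), sig...)
	// Step 3: one-time 256-bit symmetric key; AES-GCM encrypts and authenticates the payload.
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	block, _ := aes.NewCipher(key) // key length is fixed above, so no error possible
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nonce, nonce, payload, nil) // nonce is prepended to the ciphertext
	// Step 4: wrap the symmetric key with the receiver's public key (RSA-OAEP, never raw RSA).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil { return nil, err }
	return &Envelope{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Open runs the three decryption steps; data is returned only if the ciphertext is intact and the signature verifies.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	// Step 1: recover the symmetric key with the receiver's private key.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, env.WrappedKey, nil)
	if err != nil { return nil, err }
	// Step 2: decrypt with the symmetric key; GCM rejects any modified ciphertext here.
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ns := gcm.NonceSize()
	if len(env.Ciphertext) < ns { return nil, fmt.Errorf("ciphertext too short") }
	payload, err := gcm.Open(nil, env.Ciphertext[:ns], env.Ciphertext[ns:], nil)
	if err != nil { return nil, err }
	// Step 3: split off the signature and verify it with the sender's public key (identity check).
	sigLen := sender.Size() // a PSS signature is exactly one modulus in length
	if len(payload) < sigLen { return nil, fmt.Errorf("payload too short") }
	data, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender identity check failed: %w", err)
	}
	return data, nil
}

func main() {
	sender, receiver := NewKey(), NewKey()
	env, _ := Seal([]byte("constructed demo message"), sender, &receiver.PublicKey)
	out, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("%q %v\n", out, err)
}
```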

An SSL session has three main steps:

1. The client requests the server's certificate and verifies it;
2. The two sides negotiate and generate a "session key";
3. The two sides communicate under encryption with the "session key";
until the connection is closed.

SSL Handshake Protocol:

Phase 1: ClientHello:
    supported protocol versions, e.g. TLS 1.2;
    a random number generated by the client, used later to derive the "session key";
    supported cipher algorithms, e.g. AES, RSA;
    supported compression algorithms;
Phase 2: ServerHello
    the protocol version chosen for the encrypted connection, e.g. TLS 1.2;
    a random number generated by the server, used later to derive the "session key";
    the cipher chosen;
    the server certificate;
Phase 3:
    the client verifies the server certificate and, once it checks out, extracts the public key (issuing CA, certificate integrity, certificate holder, validity period, revocation list);
    the client then sends the following to the server:
        a random number;
        a Change Cipher Spec notice, meaning that everything that follows will be sent with the cipher and key agreed by both sides;
        a client Finished notice;
Phase 4:
    having received the client's third random number, the pre-master key, the server computes the "session key" used for this session;
    the server then sends the following to the client:
        a Change Cipher Spec notice, meaning that everything that follows will be sent with the cipher and key agreed by both sides;
        a server Finished notice

II. Set up Apache or Nginx and use a self-signed certificate to provide HTTPS access; choose your own domain name for the certificate

Step 1: set up a simple HTTP service with Apache
[root@webserver ~]# yum install -y -q httpd
[root@webserver ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13
[root@webserver ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@webserver ~]# echo 'Welcome to www.bitemecake.biz!' > /var/www/html/index.html
[root@webserver ~]# systemctl start httpd
[root@webserver ~]# firewall-cmd --permanent --add-service=http
success
[root@webserver ~]# firewall-cmd --reload
success
[root@webserver ~]# ss -tan | grep 80
LISTEN     0      128         :::80                      :::*

Confirm that the HTTP service responds normally:

[screenshot of the browser test, image not reproduced]
Step 2: build a private CA
1. Generate the private key:
[root@webserver ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................++
...........++
e is 65537 (0x10001)
2. Generate the self-signed certificate:
[root@webserver ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake  
Organizational Unit Name (eg, section) []:manager
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:27****[email protected]
[root@webserver ~]# 
                        -new: generate a new certificate signing request;
                        -x509: output a self-signed certificate instead of a request; used when creating a private CA;
                        -key: path of the private key file used to generate the request;
                        -out: path of the output request file; for a self-signed operation this is the signed certificate itself;
                        -days: validity period of the certificate, in days;
3. Provide the directories and files the CA needs:
[root@webserver ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@webserver ~]# touch /etc/pki/CA/{serial,index.txt}
[root@webserver ~]# echo 01 > /etc/pki/CA/serial
Step 3: a server that needs a certificate for secure communication requests one from the CA:
1. The host that needs the certificate generates its private key:
[root@webserver ~]# mkdir /etc/httpd/ssl
[root@webserver ~]# cd /etc/httpd/ssl
[root@webserver ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2. Generate the certificate signing request:
[root@webserver ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:bitemecake
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:webserver
Email Address []:76*****[email protected]                                                                                
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:biteme
3. Send the request to the CA host over a trustworthy channel;
[root@webserver ssl]# cp /etc/httpd/ssl/httpd.csr /tmp/httpd.csr
4. Sign the certificate on the CA host:
[root@webserver ssl]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  4 04:01:29 2018 GMT
            Not After : Nov  4 04:01:29 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Sichuan
            organizationName          = bitemecake
            organizationalUnitName    = ops
            commonName                = webserver
            emailAddress              = 764****[email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B0:DA:40:C4:47:B0:8C:15:70:B0:06:BB:1D:6A:D2:CF:90:CE:01:9E
            X509v3 Authority Key Identifier: 
                keyid:40:83:81:56:94:75:7A:1A:3E:B5:05:91:0D:F4:BD:67:FF:4D:9C:63

Certificate is to be certified until Nov  4 04:01:29 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Follow-up: add the SSL module to Apache and configure the certificate-related SSL parameters. That belongs to the web-service course and will be added later.
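The same build-CA, request, sign and trust steps carried out with Go's crypto/x509, as an added example (not the write-up's openssl session). It also performs the check the write-up leaves to the browser: verifying the issued server certificate against the CA, and rejecting it under a different root or for a different host name. The subject fields, a 2048-bit CA key (the write-up uses 4096) and the SAN for the host are my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewServerKey is `(umask 077; openssl genrsa -out httpd.key 2048)`: the key stays on the server.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// BuildCA is `openssl genrsa` + `openssl req -new -x509 -days 3655`: a self-signed CA:TRUE certificate.
func BuildCA(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the write-up uses 4096 bits for the CA key
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"CN"}, Organization: []string{"bitemecake"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, 3655),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == self
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MakeCSR is `openssl req -new -key httpd.key -out httpd.csr`; only the request is sent to the CA.
func MakeCSR(host string, key *rsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{Country: []string{"CN"}, Organization: []string{"bitemecake"}, CommonName: host},
		DNSNames: []string{host}, // clients match the SAN, not the CN
	}, key)
}

// SignCSR is `openssl ca -in httpd.csr -days 365`: check the request's own signature, then issue a CA:FALSE cert.
func SignCSR(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // "Check that the request matches the signature"
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // openssl tracks this in /etc/pki/CA/serial
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 0, 365),
		BasicConstraintsValid: true, // IsCA is false, so the extension reads CA:FALSE as in the openssl output
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Verify is handshake phase three on the client: chain the server certificate to a trusted root and check the host name.
func Verify(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, _ := BuildCA("bitemecake-CA")
	key, _ := NewServerKey()
	csr, _ := MakeCSR("www.bitemecake.biz", key)
	leaf, _ := SignCSR(csr, ca, caKey, 1)
	fmt.Println("chain check:", Verify(leaf, ca, "www.bitemecake.biz"))
}
```

A browser that has not imported cacert.pem is in the position of the second root below: the chain does not terminate in anything it trusts, which is exactly the warning a self-signed deployment produces.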

III. Briefly describe how a DNS server works, and set up a master-slave pair

DNS (Domain Name Service) is the name-resolution service that converts between domain names and IP addresses.

DNS name-resolution directions:

Domain name --> IP: forward resolution
IP --> domain name: reverse resolution

DNS server types:

Responsible for resolving at least one zone:
Master (primary) name server
Slave (secondary) name server
Not responsible for any zone:
Caching name server

DNS resolution flow

The path a DNS query takes: hosts file --> DNS Local Cache --> DNS Server --> Server Cache --> Iteration
Explanation:
Step 1: local lookup. The host consults its own hosts file; if there is a record it returns a positive answer, otherwise it checks the local DNS cache (DNS Local Cache); if that also misses, it proceeds to the next step;
Step 2: server lookup. The request is sent to the DNS server configured in the host's network settings (DNS Server). That server looks in its own cache and in the resource records of the zones it is authoritative for; if it has a record it returns it, otherwise one of two things happens:
1. The DNS server is not configured for recursion, so it returns a negative answer to the host;
2. The DNS server is configured for recursion, so it acts as a client itself and keeps sending queries to upstream DNS servers until it gets a positive or negative answer, which it finally returns to the host.

The difference between recursive and iterative DNS queries

(1) Recursive query
A recursive query is a DNS server query mode in which, on receiving a client request, the server must reply to the client with a definitive result. If the server has no stored DNS information for the query, it asks other servers and hands the result they return to the client.
(2) Iterative query
The other query mode of a DNS server is the iterative query: the server provides the client with the address of another DNS server able to resolve the request. When the client sends a query, the server does not return the result directly but tells the client the address of another DNS server; the client then submits the request to that server, and so on until the result is returned.
Schematic of the two processes:

[figure: recursive and iterative query diagrams, image not reproduced]

Setting up a master-slave DNS pair

Step 1: set up the master DNS server
1. Install the bind and bind-utils packages with yum:
[root@dns-master ~]# yum install -y -q bind bind-utils 
[root@dns-master ~]# echo $?
0

2. Enable named at boot and set the global DNS service options:
[root@dns-master ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@dns-master ~]# vi /etc/named.conf
[root@dns-master ~]# cat /etc/named.conf
Modified part:
...
options {
    listen-on port 53 { 127.0.0.1;192.168.0.132; };
    //allow-query     { localhost; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
...

3. Check the configuration syntax, start the service, and open the DNS ports (TCP/53 and UDP/53) in the firewall. At this point the host can already be used as a caching DNS server:
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# systemctl start named
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@dns-master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@dns-master ~]# firewall-cmd --reload
success
[root@dns-master ~]# ss -tunlp | grep 53
udp    UNCONN     0      0      192.168.0.132:53                    *:*                   users:(("named",pid=11109,fd=515),("named",pid=11109,fd=514))
udp    UNCONN     0      0      127.0.0.1:53                    *:*                   users:(("named",pid=11109,fd=513),("named",pid=11109,fd=512))
udp    UNCONN     0      0       ::1:53                   :::*                   users:(("named",pid=11109,fd=517),("named",pid=11109,fd=516))
tcp    LISTEN     0      10     192.168.0.132:53                    *:*                   users:(("named",pid=11109,fd=21))
tcp    LISTEN     0      10     127.0.0.1:53                    *:*                   users:(("named",pid=11109,fd=20))
tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=11109,fd=23))
tcp    LISTEN     0      10      ::1:53                   :::*                   users:(("named",pid=11109,fd=22))
tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=11109,fd=24))

4. Test that the service works:
1) Resolution test from the local host:
[root@dns-master ~]# dig -t SOA www.baidu.com @192.168.0.132

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.baidu.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52822
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.         IN  SOA

;; ANSWER SECTION:
www.baidu.com.      1173    IN  CNAME   www.a.shifen.com.

;; AUTHORITY SECTION:
a.shifen.com.       600 IN  SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 1811040050 5 5 2592000 3600

;; Query time: 57 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:28:10 EST 2018
;; MSG SIZE  rcvd: 126
2) Resolution for external clients (tested from another host):
[root@dns-slave ~]# dig -t SOA www.163.com @192.168.0.132

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t SOA www.163.com @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.163.com.           IN  SOA

;; ANSWER SECTION:
www.163.com.        600 IN  CNAME   www.163.com.lxdns.com.

;; AUTHORITY SECTION:
lxdns.com.      60  IN  SOA dns1.lxdns.org. webmaster.glb0.lxdns.com. 1422577239 10800 3600 604800 60

;; Query time: 1257 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 03:31:25 EST 2018
;; MSG SIZE  rcvd: 137

5. Configure a forward zone
1) Define the zone (/etc/named.rfc1912.zones):
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones

zone "bitemecake.biz" IN {
    type master;
    file "bitemecake.biz.zone";
};
2) Create the zone data file (/var/named/bitemecake.biz.zone):
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@   IN  SOA     ns1.bitemecake.biz.     dnsadmin.bitemecake.biz.(
        2018110401
        1H
        10M
        3D
        1D )
    IN  NS      ns1
    IN  MX  10  mx1
mx1     IN      A       192.168.0.132
ns1     IN      A       192.168.0.132
www     IN      A       192.168.0.132
web     IN      CNAME       www
3) Fix the file ownership and permissions, then check the zone file syntax:
[root@dns-master ~]# chown :named /var/named/bitemecake.biz.zone
[root@dns-master ~]# chmod o= /var/named/bitemecake.biz.zone
[root@dns-master ~]# named-checkzone bitemecake.biz. /var/named/bitemecake.biz.zone
zone bitemecake.biz/IN: loaded serial 2018110401
OK
4) Have the server reload its configuration and zone data:
[root@dns-master ~]# systemctl reload named
5) Test resolution:
[root@dns-master ~]# dig -t A www.bitemecake.biz @192.168.0.132

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53376
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz.        IN  A

;; ANSWER SECTION:
www.bitemecake.biz. 3600    IN  A   192.168.0.132

;; AUTHORITY SECTION:
bitemecake.biz.     3600    IN  NS  ns1.bitemecake.biz.

;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600    IN  A   192.168.0.132

;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:00:43 EST 2018
;; MSG SIZE  rcvd: 97

6. Configure a reverse zone
1) Define the zone (/etc/named.rfc1912.zones):
[root@dns-master ~]# vi /etc/named.rfc1912.zones 
[root@dns-master ~]# named-checkconf
[root@dns-master ~]# tail -5 /etc/named.rfc1912.zones 

zone "0.168.192.in-addr.arpa." IN {
    type master;
    file "192.168.0.zone";
};
2) Define the zone data file (mainly PTR records):
[root@dns-master ~]# vi /var/named/192.168.0.zone
[root@dns-master ~]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2018110401
OK
3) Fix the file ownership and permissions, then check the zone file syntax:
[root@dns-master ~]# chown :named /var/named/192.168.0.zone
[root@dns-master ~]# chmod o= /var/named/192.168.0.zone
4) Have the server reload its configuration and zone data:
[root@dns-master ~]# systemctl reload named
5) Test resolution:
[root@dns-master ~]# dig -x 192.168.0.132 @192.168.0.132

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.0.132 @192.168.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;132.0.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
132.0.168.192.in-addr.arpa. 3600 IN PTR ns1.bitemecake.biz.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600    IN  NS  ns1.bitemecake.biz.

;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600    IN  A   192.168.0.132

;; Query time: 0 msec
;; SERVER: 192.168.0.132#53(192.168.0.132)
;; WHEN: Sun Nov 04 04:24:39 EST 2018
;; MSG SIZE  rcvd: 117

The master DNS server is now complete.

Step 2: set up the slave DNS server

1. Service setup and global configuration on the slave are the same as the first two steps for the master and are omitted here;

2. Slave DNS server configuration:

1) Define the slave zones:
[root@dns-slave ~]# vi /etc/named.rfc1912.zones
[root@dns-slave ~]# tail -12 /etc/named.rfc1912.zones

zone "bitemecake.biz" IN {
    type slave;
    file "slaves/bitemecake.biz.zone";
    masters { 192.168.0.132; };
};

zone "0.168.192.in-addr.arpa." IN {
    type slave;
    file "slaves/192.168.0.zone";
    masters { 192.168.0.132; };
};
[root@dns-slave ~]# named-checkconf
2) Reload the configuration
[root@dns-slave ~]# systemctl reload named

3. Master DNS server configuration:
1) Add an NS record for the slave to every zone data file on the master, and make sure each zone file also has an A record for the slave:
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone
$TTL 3600
$ORIGIN bitemecake.biz.
@   IN  SOA     ns1.bitemecake.biz.     dnsadmin.bitemecake.biz.(
        2018110401
        1H
        10M
        3D
        1D )
    IN  NS      ns1
    IN  NS      ns2
    IN  MX  10  mx1
mx1     IN      A       192.168.0.132
ns1     IN      A       192.168.0.132
ns2     IN      A       192.168.0.133
www     IN      A       192.168.0.132
web     IN      CNAME       www
Step 3: testing

1. Resolution test against the slave DNS server:

[root@dns-slave ~]# dig -t A www.bitemecake.biz @192.168.0.133

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 232
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.bitemecake.biz.        IN  A

;; ANSWER SECTION:
www.bitemecake.biz. 3600    IN  A   192.168.0.132

;; AUTHORITY SECTION:
bitemecake.biz.     3600    IN  NS  ns1.bitemecake.biz.

;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600    IN  A   192.168.0.132

;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:37:48 EST 2018
;; MSG SIZE  rcvd: 97

2. Slave DNS server replication test:

1) Add an A record to the master's zone data file and increment the serial number by 1
[root@dns-master ~]# vi /var/named/bitemecake.biz.zone 
[root@dns-master ~]# cat /var/named/bitemecake.biz.zone 
$TTL 3600
$ORIGIN bitemecake.biz.
@   IN  SOA     ns1.bitemecake.biz.     dnsadmin.bitemecake.biz.(
        2018110402
        1H
        10M
        3D
        1D )
    IN  NS      ns1
    IN  NS      ns2
    IN  MX  10  mx1
mx1     IN      A       192.168.0.132
ns1     IN      A       192.168.0.132
ns2     IN      A       192.168.0.133
www     IN      A       192.168.0.132
web     IN      CNAME       www
bbs     IN      A       192.168.0.134
2) The named service status on both master and slave shows the synchronisation:
[root@dns-master ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-11-04 07:09:54 EST; 33min ago
  Process: 3281 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 3001 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2021 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 3049 (named)
   CGroup: /system.slice/named.service
           └─3049 /usr/sbin/named -u named

Nov 04 07:42:55 dns-master named[3049]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 04 07:42:55 dns-master named[3049]: reloading configuration succeeded
Nov 04 07:42:55 dns-master named[3049]: reloading zones succeeded
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: loaded serial 2018110402
Nov 04 07:42:55 dns-master named[3049]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Nov 04 07:42:55 dns-master named[3049]: all zones loaded
Nov 04 07:42:55 dns-master named[3049]: running
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/...tarted
Nov 04 07:42:55 dns-master named[3049]: client 192.168.0.133#34791 (bitemecake.biz): transfer of 'bitemecake.biz/... ended
Nov 04 07:42:55 dns-master systemd[1]: Reloaded Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.

[root@dns-slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-11-04 07:33:38 EST; 9min ago
  Process: 3590 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 3603 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 3600 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 3606 (named)
   CGroup: /system.slice/named.service
           └─3606 /usr/sbin/named -u named

Nov 04 07:33:38 dns-slave named[3606]: running
Nov 04 07:33:38 dns-slave systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 04 07:42:25 dns-slave named[3606]: client 192.168.0.132#46166: received notify for zone 'bitemecake.biz'
Nov 04 07:42:25 dns-slave named[3606]: zone bitemecake.biz/IN: notify from 192.168.0.132#46166: zone is up to date
Nov 04 07:42:56 dns-slave named[3606]: client 192.168.0.132#42389: received notify for zone 'bitemecake.biz'
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: Transfer started.
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: connected using 192...#34791
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: transferred serial 2018110402
Nov 04 07:42:56 dns-slave named[3606]: transfer of 'bitemecake.biz/IN' from 192.168.0.132#53: Transfer completed:...s/sec)
Nov 04 07:42:56 dns-slave named[3606]: zone bitemecake.biz/IN: sending notifies (serial 2018110402)
Hint: Some lines were ellipsized, use -l to show in full.
3) Resolution test against the slave DNS server:
[root@dns-slave ~]# dig -t A bbs.bitemecake.biz @192.168.0.133

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A bbs.bitemecake.biz @192.168.0.133
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40767
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.bitemecake.biz.        IN  A

;; ANSWER SECTION:
bbs.bitemecake.biz. 3600    IN  A   192.168.0.134

;; AUTHORITY SECTION:
bitemecake.biz.     3600    IN  NS  ns1.bitemecake.biz.
bitemecake.biz.     3600    IN  NS  ns2.bitemecake.biz.

;; ADDITIONAL SECTION:
ns1.bitemecake.biz. 3600    IN  A   192.168.0.132
ns2.bitemecake.biz. 3600    IN  A   192.168.0.133

;; Query time: 0 msec
;; SERVER: 192.168.0.133#53(192.168.0.133)
;; WHEN: Sun Nov 04 07:48:46 EST 2018
;; MSG SIZE  rcvd: 131
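The replication test above hinges on the serial number: a secondary compares the serial it holds with the one the master offers in a NOTIFY or SOA refresh and transfers only if the offered one is newer. This added Go example (not part of the write-up) reads the SOA serial out of a trimmed, constructed copy of the zone file shown here and applies the RFC 1982 serial-number comparison that a secondary uses; the zone text and the one `;` comment in it are mine.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ZoneBefore is a trimmed, constructed copy of the write-up's master zone (one ';' comment added) before the edit.
const ZoneBefore = `$TTL 3600
$ORIGIN bitemecake.biz.
@   IN  SOA     ns1.bitemecake.biz.     dnsadmin.bitemecake.biz.(
        2018110401  ; serial: bump it on every edit, or secondaries never transfer
        1H
        10M
        3D
        1D )
    IN  NS      ns1
    IN  NS      ns2
ns1     IN      A       192.168.0.132
ns2     IN      A       192.168.0.133
www     IN      A       192.168.0.132
`

// ZoneAfter is the same zone with the serial bumped and the bbs record appended, as in the write-up.
var ZoneAfter = strings.Replace(ZoneBefore, "2018110401", "2018110402", 1) +
	"bbs     IN      A       192.168.0.134\n"

// SOASerial pulls the serial out of a zone file: strip ';' comments, flatten the parenthesised
// SOA record into one token stream, and take the third token after "SOA" (MNAME, RNAME, serial).
func SOASerial(zone string) (uint32, error) {
	var tokens []string
	for _, line := range strings.Split(zone, "\n") {
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i]
		}
		line = strings.NewReplacer("(", " ", ")", " ").Replace(line)
		tokens = append(tokens, strings.Fields(line)...)
	}
	for i, tok := range tokens {
		if tok == "SOA" && i+3 < len(tokens) {
			n, err := strconv.ParseUint(tokens[i+3], 10, 32)
			if err != nil {
				return 0, fmt.Errorf("bad SOA serial %q: %w", tokens[i+3], err)
			}
			return uint32(n), nil
		}
	}
	return 0, fmt.Errorf("no SOA record found")
}

// SerialNewer is RFC 1982 serial-number arithmetic (modulo 2^32): an equal serial means
// "zone is up to date"; a difference of exactly 2^31 is undefined and treated here as not newer.
func SerialNewer(current, candidate uint32) bool {
	if current == candidate {
		return false // the secondary logs "zone is up to date" and does nothing
	}
	return candidate-current < 1<<31 // unsigned wrap-around performs the mod 2^32
}

// NeedsTransfer compares the serial a secondary holds with the one the master now serves;
// records edited without a serial bump therefore never reach the secondary.
func NeedsTransfer(secondaryZone, masterZone string) (bool, error) {
	have, err := SOASerial(secondaryZone)
	if err != nil { return false, err }
	offered, err := SOASerial(masterZone)
	if err != nil { return false, err }
	return SerialNewer(have, offered), nil
}

func main() {
	ok, err := NeedsTransfer(ZoneBefore, ZoneAfter)
	fmt.Println(ok, err)
}
```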

IV. Set up and implement intelligent DNS

Three mechanisms for implementing intelligent DNS:
1) Forwarding definitions
2) Access control
3) View definitions
Examples of each:

1) Forwarding policies:
    Note: the server being forwarded to must allow recursion for the current server;

    (1) Zone forwarding: forwards only the resolution requests for one specific zone;
        zone "ZONE_NAME" IN {
            type forward;
            forward {first|only};
            forwarders { SERVER_IP; };
        };

        first: forward first; if the forwarder does not respond, resolve iteratively yourself;
        only: forward only;

    (2) Global forwarding: every query for a zone not defined locally with a zone statement is forwarded to the forwarder;
        options{
            ... ...
            forward {only|first};
            forwarders { SERVER_IP; };
            ... ...
        };

2) Access control:
    acl: access control list; groups one or more addresses into a named set, so that the name can then be used to refer to every host in the set at once;

        acl acl_name {
            ip;
            net/prelen;
        };

        Example:
            acl mynet{
                172.16.0.0/16;
                127.0.0.0/8;
            };

        bind has four built-in acls:
            none: no host;
            any: any host;
            localhost: the local machine;
            localnets: the networks the local machine's addresses belong to;

    Access-control directives:
        allow-query {}; hosts allowed to query; a whitelist;
        allow-transfer {}; hosts allowed to receive zone transfers; the default is all hosts, so it should be restricted to the slave servers only;
        allow-recursion {}; hosts allowed to send recursive queries to this DNS server;
        allow-update {}; DDNS: hosts allowed to dynamically update the zone database file;

3) View definitions:
    Syntax:
        view VIEW_NAME {
            zone
            zone
            zone
        };

        Example:
        view internal {
            match-clients { 172.16.0.0/8; };
            zone "magedu.com" IN {
                type master;
                file "magedu.com/internal";
            };
        };

        view external {
            match-clients { any; };
            zone "magedu.com" IN {
                type master;
                file "magedu.com/external";
            };
        };

Intelligent DNS example

Requirements:
1. Every query for a zone not defined locally with a zone statement is forwarded to the forwarders; if a forwarder does not respond, the server may resolve iteratively on its own;
2. Zone transfers are allowed only to the slave DNS server;
3. Only hosts in 192.168.0.0/16 may send recursive queries to this DNS server;
4. Hosts inside 192.168.0.0/16 resolving www.bitemecake.biz get the internal interface address 192.168.0.132; hosts outside get the external interface address 172.16.25.132;

Configuration:

1. Global configuration: add the following to /etc/named.conf:
[root@dns-master ~]# vi /etc/named.conf 
options{
...
        forward first;
        forwarders { 61.139.2.69;119.6.6.6; };
        allow-transfer { 192.168.0.133;};
        allow-recursion { 192.168.0.0/16; };
...
};
[root@dns-master ~]# named-checkconf
2. Zone configuration, in /etc/named.rfc1912.zones:
[root@dns-master ~]# vi /etc/named.rfc1912.zones
[root@dns-master ~]# tail -26 /etc/named.rfc1912.zones

view internal {
    match-clients { 192.168.0.0/16; };
    zone "bitemecake.biz" IN {
        type master;
        file "bitemecake.biz.zone/internal";
    };

    zone "0.168.192.in-addr.arpa." IN {
        type master;
        file "192.168.0.zone/internal";
    };
};

view external {
    match-clients { any; };
    zone "bitemecake.biz" IN {
        type master;
        file "bitemecake.biz.zone/external";
    };

    zone "0.168.192.in-addr.arpa." IN {
        type master;
        file "192.168.0.zone/external";
    };
};
