亲手架设Master/Slave智能DNS的流程

[背景]这是老早我做的一个案例,今天拿出来供大家参考!
所需资料
:M/S DNS 架设流程
:TSIG 技术用与不同 view 区域传输
: 获取电信与网通 IP shell 脚本
: 服务器端修改路由表 bat
: 服务器安全
:
DNS 架设流程
配置步骤:

1
  软件列表

BIND  9.3.2(该版本早已停止维护,实际部署请改用当前受支持的 BIND 9 版本并及时更新)
[url]ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz[/url]

2
  安装 BIND 9

安装 BIND9

# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure --prefix=/usr/local/named --disable-ipv6
# make && make install

建立 BIND 用户:

# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind

创建配置文件目录:

# mkdir -p /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc

创建主要的配置文件:

# vi /usr/local/named/etc/named.conf
===========================named.conf=======================
// Control-channel key for rndc (see the controls statement below).
// The secret printed here is the one from the original post and is therefore
// public: generate a fresh one with rndc-confgen and never reuse this value.
key "rndc-key" {
       algorithm hmac-md5;
       secret "7cMD1EIkZIVVcdO52D24Aw==";
 };
 
// TSIG key shared with the slave for the CNC view (zone transfers and NOTIFY
// are signed with it; view_cnc matches clients presenting it). hmac-md5 is the
// only algorithm this BIND release accepts (see the TSIG notes later on).
// Like rndc-key, this secret is published with the post -- generate your own.
key "hahazhu"{
        algorithm hmac-md5;
        secret "cnXsAYNrypKcTdhfy3FABA==";
};
// rndc control channel: loopback only, and every command must be signed
// with rndc-key. Keep the allow list at 127.0.0.1 unless remote rndc is needed.
controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
 
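// Local host only; used to confine recursion, transfers and notifies below.
// Written as 127.0.0.0/8: the original "127.0.0.1/8" has host bits set inside
// the prefix, which BIND reports as an address/prefix length mismatch.
acl "trust-lan" { 127.0.0.0/8; };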
 
options {
    // Working directory; the relative file names used below (named.root,
    // master/...) resolve against it.
    directory "/usr/local/named/etc/";
    // The init script's stop action must read this same path.
    pid-file "/var/run/named/named.pid";
    // Hide the real release from version.bind queries.
    version " 0.0.0 ";
    datasize 40M;

    // Global defaults; the views below override transfer and recursion.
    allow-transfer { "trust-lan"; };
    allow-notify { "trust-lan"; };
    recursion yes;
    allow-recursion { "trust-lan"; };
    auth-nxdomain yes;
    forwarders { 202.102.192.68; 202.102.200.101; };
};
logging {
    // Warnings and above from every category, rotated at ~1.2 MB, 3 generations.
    channel warning {
        file "/var/log/named/dns_warnings" versions 3 size 1240k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    // Query log (category queries below); grows fast on a busy server.
    channel general_dns {
        file "/var/log/named/dns_logs" versions 3 size 1240k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};
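// With view statements present, BIND refuses zones declared outside a view
// ("when using 'view' statements, all zones must be in views"). Both views
// below already carry their own root hint zone, so this top-level copy is
// disabled instead of duplicated.
// zone "." {
// type hint;
// file "named.root";
// };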
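// Source addresses treated as CNC (China Netcom) clients; queries from them
// are answered from view_cnc. Presumably compiled from APNIC data (see the
// whois script later on) -- expect it to drift and refresh it periodically.
// Some entries are subsumed by a wider one (e.g. 58.242.161.0/29 inside
// 58.242.0.0/15); harmless. A duplicated 219.159.0.0/18 line was dropped.
// The final entry is a bare host address, i.e. a single /32.
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.242.161.0/29;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.158.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.180.128.0/17;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.16.128.0/18;
210.21.0.0/16;
210.51.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
211.152.0.0/13;
218.7.0.0/16;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.28.0.0/15;
218.56.0.0/14;
218.60.0.0/15;
218.62.0.0/17;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
218.106.81.0/29;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.7.128.0/17;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.214.0.0/16;
221.215.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
219.235.56.194;
};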
view "view_cnc" {
    // CNC address space, plus any request signed with the hahazhu key
    // (the slave presents that key when pulling these zones).
    match-clients { key hahazhu; CNC; };
    // Authoritative only.
    recursion no;
    // Transfers require the TSIG key; no address-based transfer at all.
    allow-transfer { key hahazhu; };
    // Sign NOTIFY and other traffic to the slave with the same key.
    server 218.22.93.237 { keys hahazhu; };
    zone "." { type hint; file "named.root"; };
    // NOTE(review): localhost.rev is never created in this walkthrough; the
    // zone will fail to load until the file exists.
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    // The CNC-side zone list lives in its own file.
    include "master/cnc.def";
};
view "view_any" {
    // Everyone not matched by view_cnc, plus requests signed with rndc-key.
    // NOTE(review): rndc-key is also the control-channel key; handing it to
    // the slave for transfers means the slave holds a key that rndc accepts
    // (the controls statement limits that to 127.0.0.1, which contains the
    // exposure). A dedicated TSIG key for this view would be cleaner.
    match-clients { key rndc-key; any; };
    recursion no;
    allow-transfer { key rndc-key; };
    server 218.22.93.237 { keys rndc-key; };
    zone "." { type hint; file "named.root"; };
    // NOTE(review): localhost.rev is never created in this walkthrough.
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    // Telecom-side zone list.
    include "master/telecom.def";
};
添加完成后,保存。

更新根区文件:

# cd /usr/local/named/etc/
# wget ftp://ftp.internic.org/domain/named.root

创建 PID 和日志文件(named 以 -u bind 运行,目录属主改为 bind 之后 755 权限即可,不必用 777):

# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/

# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*

# mkdir master
# touch master/cnc.def
# touch master/telecom.def

生成 rndc-key

# cd /usr/local/named/etc/
# ../sbin/rndc-confgen > rndc.conf

rndc.conf 中:
# Use with the following in named.conf, adjusting the allow list as needed:
后面的部分加到 /usr/local/named/etc/named.conf 中并去掉注释

运行测试:

# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &

状态检查:

# /usr/local/named/sbin/rndc status

建立启动脚本:

# vi /etc/init.d/named
============================== named.sh============================
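#!/bin/bash
#
# named        a network name service.
#
# chkconfig: 545 35 75
# description: a name server
#
# Init script for the BIND 9 build installed under /usr/local/named.
# NOTE(review): the chkconfig run-level field reads "545" as written;
# "345" is the customary value -- confirm before relying on chkconfig --add.

NAMED=/usr/local/named/sbin/named
NAMED_CONF=/usr/local/named/etc/named.conf
# Must match the pid-file directive in named.conf. The original script read
# /var/run/named/pid, a file named.conf never writes, so "stop" could not work.
PIDFILE=/var/run/named/named.pid

# Binding port 53 needs root; named itself drops to the bind user via -u.
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR:For bind to port 53,must run as root."
    exit 1
fi

case "$1" in
start)
    if [ -x "$NAMED" ]; then
        "$NAMED" -u bind -c "$NAMED_CONF" && echo . && echo 'BIND9 server started.'
    fi
    ;;
stop)
    if [ -r "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" && echo . && echo 'BIND9 server stopped.'
    else
        echo "ERROR: $PIDFILE not found; is named running?"
        exit 1
    fi
    ;;
restart)
    echo .
    echo "Restart BIND9 server"
    "$0" stop
    sleep 10
    "$0" start
    ;;
*)
    echo "$0 start | stop | restart"
    ;;
esac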
===============================named.sh============================

# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on


到这里 bind 已经安装完毕  . 下面是解析部分 .
3   添加一个 NS
注册两个 dns
Ns2.yyyy.com
4   添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
添加
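// Zones answered in view_cnc; data files live under master/cnc/, relative to
// the options directory. The page printed the first zone as "18l .net" with
// a stray space; a zone name is a single label here.
zone "18l.net" {
    type master;
    file "master/cnc/18l.net";
};
zone "bbtsd.com" {
    type master;
    file "master/cnc/bbtsd.com";
};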
# vi telecom.def
添加
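// Zones answered in view_any (telecom-side addresses); data files live under
// master/telecom/. The page printed the first zone as "18l .net" with a stray
// space; a zone name is a single label here.
zone "18l.net" {
    type master;
    file "master/telecom/18l.net";
};
zone "bbtsd.com" {
    type master;
    file "master/telecom/bbtsd.com";
};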
添加网通的解析
# vi cnc/18l.net
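$TTL 3600
$ORIGIN 18l.net.
; CNC-facing data for 18l.net, served from view_cnc (answers point at the
; CNC-side addresses). The page printed the name as "18l .net"; it is one label.
; MNAME was truncated to "ns2.yyyy." in the original; it must be the full
; name of the primary server.
@       IN      SOA     ns2.yyyy.com. root.yyyy.com. (
                2007070901      ; serial, YYYYMMDDnn -- bump on every change
                3600            ; refresh
                900             ; retry
                68400           ; expire: under 19 h as written -- a slave stops
                                ; answering that soon after losing the master;
                                ; RFC 1912 suggests weeks, confirm the intent
                15 )            ; negative-cache TTL
@       IN      NS      ns2.yyyy.com.
; ns2.yyyy.com lies outside this zone, so an A record for it here would be
; out-of-zone data; it stays commented out as in the original.
;ns2.yyyy.com. IN A    218.22.93.242
@       IN      A       218.106.81.34
www     IN      A       58.242.161.2
mail    IN      A       218.106.81.34
; The original wrote the MX with a blank owner, which repeats the previous
; owner ("mail"), so the apex had no MX at all. Mail for the domain needs it on @.
@       IN      MX      10      mail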
# vi cnc/bbtsd.com
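$TTL 3600
$ORIGIN bbtsd.com.
; CNC-facing data for bbtsd.com, served from view_cnc.
@       IN      SOA     ns2.yyyy.com. root.yyyy.com. (
                2007070901      ; serial, YYYYMMDDnn -- bump on every change
                3600            ; refresh
                900             ; retry
                68400           ; expire: under 19 h as written; RFC 1912
                                ; suggests weeks -- confirm the intent
                15 )            ; negative-cache TTL
@       IN      NS      ns2.yyyy.com.
; ns2.yyyy.com is outside this zone; an A record here would be out-of-zone
; data, so it stays commented out as in the original.
;ns2.yyyy.com. IN A    218.22.93.242
@       IN      A       58.242.161.4
www     IN      A       58.242.161.4
mail    IN      A       218.106.81.34
; The original's blank-owner MX attached to "mail", not the apex; put it on @.
@       IN      MX      10      mail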
添加电信的解析
# vi telecom/18l.net
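$TTL 3600
$ORIGIN 18l.net.
; Telecom-facing data for 18l.net, served from view_any. The page printed the
; name as "18l .net"; it is one label.
@       IN      SOA     ns2.yyyy.com. root.yyyy.com. (
                2007070901      ; serial, YYYYMMDDnn -- bump on every change
                3600            ; refresh
                900             ; retry
                68400           ; expire: under 19 h as written; RFC 1912
                                ; suggests weeks -- confirm the intent
                15 )            ; negative-cache TTL

@       IN      NS      ns2.yyyy.com.
; The original line had no trailing dot, so under this $ORIGIN it would have
; defined ns2.yyyy.com.18l.net. -- and with the dot it is out-of-zone data
; that BIND ignores. Disabled, as in the CNC copy of this zone.
;ns2.yyyy.com.   IN      A       218.22.93.242
@       IN      A       218.22.93.244
www     IN      A       218.22.93.244
mail    IN      A       218.106.81.34
; The original's blank-owner MX attached to "mail", not the apex; put it on @.
@       IN      MX      10      mail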
#vi telecom/bbtsd.com
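$TTL 3600
$ORIGIN bbtsd.com.
; Telecom-facing data for bbtsd.com, served from view_any.
@       IN      SOA     ns2.yyyy.com. root.yyyy.com. (
                2007070901      ; serial, YYYYMMDDnn -- bump on every change
                3600            ; refresh
                900             ; retry
                68400           ; expire: under 19 h as written; RFC 1912
                                ; suggests weeks -- confirm the intent
                15 )            ; negative-cache TTL

@       IN      NS      ns2.yyyy.com.
; The original line had no trailing dot (would define ns2.yyyy.com.bbtsd.com.);
; with the dot it is out-of-zone data BIND ignores. Disabled, as in the CNC copy.
;ns2.yyyy.com.   IN      A       218.22.93.242
@       IN      A       218.22.93.253
www     IN      A       218.22.93.253
mail    IN      A       218.106.81.34
; The original's blank-owner MX attached to "mail", not the apex; put it on @.
@       IN      MX      10      mail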
#/usr/local/named/sbin/rndc reload
OK ,到此你的主 DNS 服务器配置就算是搞起来了。
DNS 架设流程
配置步骤:

1
  软件列表

BIND  9.3.2(该版本早已停止维护,实际部署请改用当前受支持的 BIND 9 版本并及时更新)
[url]ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz[/url]

2
  安装 BIND 9

安装 BIND9

# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure --prefix=/usr/local/named --disable-ipv6
# make && make install

建立 BIND 用户:

# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind

创建配置文件目录:

# mkdir -p /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc

创建主要的配置文件:

# vi /usr/local/named/etc/named.conf
===========================named.conf=======================
// Control-channel key for rndc; it must be identical on master and slave
// because view_any uses it as the transfer key. The value is the one from
// the original post and is public -- generate your own pair of secrets.
key "rndc-key" {
       algorithm hmac-md5;
        secret "7cMD1EIkZIVVcdO52D24Aw==";
 };
 // TSIG key for the CNC view; must match the master's copy byte for byte.
 // (BIND's lexer accepts the missing space after "key"; "key "hahazhu" {" is
 // the conventional spelling.) Published secret -- generate your own.
 key"hahazhu"{
        algorithm hmac-md5;
        secret "cnXsAYNrypKcTdhfy3FABA==";
 };
 // rndc control channel: loopback only, every command signed with rndc-key.
 controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
 
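// Local host only. Written as 127.0.0.0/8: the original "127.0.0.1/8" has
// host bits set inside the prefix, which BIND reports as an address/prefix
// length mismatch.
acl "trust-lan" { 127.0.0.0/8; };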
 
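options {
    // Working directory; relative file names below resolve against it.
    directory "/usr/local/named/etc/";
    // The init script's stop action must read this same path.
    pid-file "/var/run/named/named.pid";
    // Hide the real release from version.bind queries.
    version " 0.0.0 ";
    datasize 40M;

    // Secondary server: the views already refuse transfers; this global
    // default covers anything they do not set.
    allow-transfer { none; };

    // The original enabled recursion but left the allow-recursion that would
    // confine it inside a /* */ comment, so the server recursed for any
    // source address (an open resolver, usable for reflection traffic).
    // Recursion stays on for the local host only.
    recursion yes;
    allow-recursion { "trust-lan"; };
    forwarders { 202.102.192.68; 202.102.200.101; };
};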
logging {
    // Warnings and above from every category; 3 rotated files of ~1.2 MB.
    channel warning {
        file "/var/log/named/dns_warnings" versions 3 size 1240k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    // Query log (category queries below).
    channel general_dns {
        file "/var/log/named/dns_logs" versions 3 size 1240k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { general_dns; };
};
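// With view statements present, BIND refuses zones declared outside a view
// ("when using 'view' statements, all zones must be in views"). Both views
// below carry their own root hint zone, so this top-level copy is disabled.
// zone "." {
// type hint;
// file "named.root";
// };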
// Source addresses treated as CNC (China Netcom) clients, answered from
// view_cnc. Keep this list identical to the master's copy, or the two servers
// will classify the same client differently. Presumably derived from APNIC
// data (see the whois script later on); refresh it periodically. Some
// entries are subsumed by a wider one (harmless); the final entry is a bare
// host address, i.e. a single /32.
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.242.161.0/29;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.158.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.180.128.0/17;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.16.128.0/18;
210.21.0.0/16;
210.51.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
211.152.0.0/13;
218.7.0.0/16;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.28.0.0/15;
218.56.0.0/14;
218.60.0.0/15;
218.62.0.0/17;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
218.106.81.0/29;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.7.128.0/17;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.214.0.0/16;
221.215.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
219.235.56.194;
};
view "view_cnc" {
    // CNC address space, plus anything signed with the hahazhu key (NOTIFYs
    // from the master arrive signed with it and land here).
    match-clients { key hahazhu; CNC; };
    recursion no;
    // A secondary never hands its zones on.
    allow-transfer { none; };
    // Sign transfer requests to the master with the view's key.
    server 218.22.93.242 { keys hahazhu; };
    zone "." { type hint; file "named.root"; };
    // NOTE(review): localhost.rev is never created in this walkthrough.
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    // Slave zone definitions for the CNC side.
    include "master/cnc.def";
};
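view "view_any" {
    // Everyone not matched by view_cnc, plus requests signed with rndc-key
    // (the master's NOTIFYs for the telecom zones).
    match-clients { key rndc-key; any; };
    // The original had recursion yes with no allow-recursion in effect (the
    // options-level one was commented out), which made this view an open
    // recursive resolver for the whole Internet. Keep it for the local host.
    recursion yes;
    allow-recursion { "trust-lan"; };
    allow-transfer { none; };
    // Sign transfer requests to the master with this view's key.
    server 218.22.93.242 { keys rndc-key; };
    zone "." { type hint; file "named.root"; };
    // NOTE(review): localhost.rev is never created in this walkthrough.
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
    // Slave zone definitions for the telecom side.
    include "master/telecom.def";
};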
添加完成后,保存。

更新根区文件:

# cd /usr/local/named/etc/
# wget ftp://ftp.internic.org/domain/named.root

创建 PID 和日志文件(named 以 -u bind 运行,目录属主改为 bind 之后 755 权限即可,不必用 777):

# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/

# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*

# mkdir master
# touch master/cnc.def
# touch master/telecom.def

生成 rndc-key
从主 DNS 中把 key 复制过来(用 ssh/scp 等安全通道传输),主从两边的 key 内容必须完全一样。
rndc.conf 中:
# Use with the following in named.conf, adjusting the allow list as needed:
后面的部分加到 /usr/local/named/etc/named.conf 中并去掉注释

运行测试:

# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &

状态检查:

# /usr/local/named/sbin/rndc status

建立启动脚本:

# vi /etc/init.d/named
============================== named.sh============================
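#!/bin/bash
#
# named        a network name service.
#
# chkconfig: 545 35 75
# description: a name server
#
# Init script for the BIND 9 build installed under /usr/local/named.
# NOTE(review): the chkconfig run-level field reads "545" as written;
# "345" is the customary value -- confirm before relying on chkconfig --add.

NAMED=/usr/local/named/sbin/named
NAMED_CONF=/usr/local/named/etc/named.conf
# Must match the pid-file directive in named.conf. The original script read
# /var/run/named/pid, a file named.conf never writes, so "stop" could not work.
PIDFILE=/var/run/named/named.pid

# Binding port 53 needs root; named itself drops to the bind user via -u.
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR:For bind to port 53,must run as root."
    exit 1
fi

case "$1" in
start)
    if [ -x "$NAMED" ]; then
        "$NAMED" -u bind -c "$NAMED_CONF" && echo . && echo 'BIND9 server started.'
    fi
    ;;
stop)
    if [ -r "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" && echo . && echo 'BIND9 server stopped.'
    else
        echo "ERROR: $PIDFILE not found; is named running?"
        exit 1
    fi
    ;;
restart)
    echo .
    echo "Restart BIND9 server"
    "$0" stop
    sleep 10
    "$0" start
    ;;
*)
    echo "$0 start | stop | restart"
    ;;
esac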
===============================named.sh============================

# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on


到这里 bind 已经安装完毕  . 下面是解析部分 .


3
  添加一个 NS
Ns.xxxx.net
4   添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
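// Slave copies of the CNC-view zones, pulled from the master at 218.22.93.242
// (the view's server statement signs those requests with the hahazhu key).
// The transferred zone is written to the file named here, so master/cnc/ must
// be writable by the "bind" user. The page printed the first zone as
// "18l .net" with a stray space; a zone name is a single label here.
zone "18l.net" {
    type slave;
    masters { 218.22.93.242; };
    file "master/cnc/18l.net";
};
zone "bbtsd.com" {
    type slave;
    masters { 218.22.93.242; };
    file "master/cnc/bbtsd.com";
};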
# vi telecom.def
添加
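// Slave copies of the telecom-view zones, pulled from the master at
// 218.22.93.242 (signed with rndc-key per the view's server statement).
// master/telecom/ must be writable by the "bind" user. The page printed the
// first zone as "18l .net" with a stray space; it is a single label here.
zone "18l.net" {
    type slave;
    masters { 218.22.93.242; };
    file "master/telecom/18l.net";
};
zone "bbtsd.com" {
    type slave;
    masters { 218.22.93.242; };
    file "master/telecom/bbtsd.com";
};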
OK, 到这里 , DNS 就算架设成功了 . 至于出现错误 , 请检查日志 /var/log/messages 还有定义的日志 .
记住 , 架设容易 , 维护难 . 以后 , 还需要好好看管 , 才行噢 !!!
至于这一部分 , 已经在配置文件中体现了 . 我只需要将在 bind9 管理手册中的资料复制来来 , 看下如何操作就成了 .
5.4 TSIG (信号安全处理)
这是一个基于 BIND 中的安全处理的 Transaction SIGnature (TSIG) 。它描述了配置文件
的更新和在不同情况下的更新要求,包括产生处理密匙和使用 BIND TSIG 的过程。
BIND 主要支持服务器对服务器之间通讯的 TSIG 。包括域传送( zone transfer ),通报
notify )和递归查询信息。基于 BIND8 的新版本对 TSIG 的支持较为有限。
TSIG 可能对动态更新最有用了,一个动态域的主 DNS 服务器使用访问控制来控制更
新,而基于 IP 的访问控制是不够的。基于密匙的访问控制要高级的多了,参看推荐标准。
nsupdate 程序通过 -k 或 -y 命令行选项支持 TSIG。
5.4.1 为每对主机产生共享密匙
产生一个共享的加密方式就是在 host1 host2 之间共享使用。可选择任意的密
匙: “host1-host 2” 。但密匙必须在两个主机上是一样的。
5.4.1 .1 自动产生
下列命令将会产生一个如上所述 128 位( 16 字节) HMAC-MD5 的密匙。越长的键越
好,但是较短的键比较容易读取。注意键的最大长度是 512 比特;更长的键将会被 MD5
化以产生 128 位的密匙。
dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
密匙存在于 Khost1-host2.+157+00000.private 文件中。文件不直接被调用,但是在 ”Key:”
之后的 base-64 编码字符串可以直接拷贝出作为共享密匙:
Key: La/E5CjG9O+os1jq0a2jdA==
字符串 "La/E5CjG9O+os1jq0a2jdA==" 可以作为共享密匙使用
5.4.1 .2 手工生成
共享密匙仅仅是使用 base-64 编码的随机序列结果。大多数 ASCII 字符串是有效的
base-64 字符串(假设长度是 4 的倍数,只有有效的字符被使用),所以共享密匙可以被手工
生成。
而且,一个熟知的字符串可以通过 mmencode 或者一个相似的程序以产生 base-64 编码
数据。
5.4.2 把共享密匙拷到两台机器中
这超过了 DNS 的范围。使用一种安全传输机制,例如可以是安全 FTP ssh 、电话等。
5.4.3 通知服务器密匙的存在
设想 host1 host2 是这 2 台服务器。下列语句将会加到每个服务器中的 named.conf file
中:
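key host1-host2. {
    algorithm hmac-md5;
    // Shared secret exactly as dnssec-keygen printed it (the page's copy had
    // stray spaces inside the base-64 string). Keep the file holding this
    // statement unreadable to other users, as the text below recommends.
    secret "La/E5CjG9O+os1jq0a2jdA==";
};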
BIND 只支持 hmac-md5 算法。密匙就是在上面产生的这个。既然这是一个密匙,建议
named.conf 设为不可读,或者在 named.conf 中调用一个包含了密匙的不可读的文件。
这样, key 就被认可了。这意味着如果服务器受到一则被这个 key 标记的消息,它可以
对这个签字进行校验。如果校验成功,应答就会被同一个 key 所标记。
5.4.4 通知服务器使用密匙
既然密匙只在两个主机之间共享,服务器就必须被告知什么时候使用 key 。下列是加入
host1 的 named.conf 文件中的配置,如果 host2 的 IP 地址是 10.1.2.3:
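server 10.1.2.3 {
    // Sign every message sent to host2 with the shared key; host2 carries
    // the mirror statement naming host1's address.
    keys { host1-host2. ; };
};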
多个 key 可能同时被使用,但是只有第一个有效。这个指示不包括任何加密,所以它
可能是一个普遍可读文件。
如果 host1 向那个地址发送一个消息,此消息将会被特殊的 key 标记。 host1 则会等待
任何使用了相同 key 标记的回复信息。
一个相似的语句也会存在于 host2 的配置文件中(使用 host1 的地址),这样 host2 就会
在回复 host1 的消息中标记相同的 key
5.4.5 基于TSIG 密匙的访问控制
BIND 承认在 ACL 定义中使用 IP 地址和地址段和 allow-{ query | transfer | update } 。这
也拓展到允许使用 TSIG 密匙。上述 key 可以表示为 key host1-host2
一个 allow-update 的例子是:
allow-update { key host1-host2. ;};
它只允许那些带有 ”host1-host 2” 标记的动态更新请求被接受。后面的 update-policy 还有
更加强大的功能。
5.4.6 错误(原文此处标题缺失)
在处理用 TSIG 标记信息时会发生一些错误。如果一个标记信息被发送到一个不兼容
TSIG 的服务器中,服务器不能识别记录,就会返回一个 FORMERR 。这是配置错误的结果,
服务器应该配置清楚要发送到的特定的 server
如果识别 TSIG 的服务器收到一则由未知 key 标志的信息,响应时就不会用 TSIG 标记,
且会带有错误编码 BADKEY 。如果一个识别 TSIG 服务器收到一个带着无效标记的信息,
回应就不会用 TSIG 标记,且会带有错误编码 BADSIG 。如果一台识别 TSIG 服务器接收到
一个超过规定时限的信息,响应时就会带有 TSIG 标记的错误代码 BADTIME ,且时间值将
会被重新调整,使得响应可以被成功验证。在所有这些情况中,消息的错误代码都被设置
NOTAUTH
* 记住,主辅DNS时间差不能大于5分钟,最好做个网络同步时间服务.不过,我没做.嘿嘿~~
(1)
以下方法可以查询到 3 个服务商大致的地址范围,不过是否完整还需要大家验证。

下载并编译最新的 ripe-dbase-client
# wget http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client-v3.tar.gz

#tar zxvf ripe-dbase*.gz
#cd whois-3.1
#./configure;make
执行查询并输出结果
#./whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP >/tmp/cnc
#./whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET >/tmp/chinanet
#./whois3 -h whois.apnic.net -l -i mb MAINT-CN-CRTC > /tmp/crtc

如果想得到具体的服务商比如江苏省电信的 IP 池,就把 mb 的值改为 MAINT-CHINANET-JS ,或者是辽宁网通,那就改为 MAINT-CNCGROUP-LN

然后用 grep 和 sed 去掉多余的文字就可以得到了。
(2)
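#!/bin/sh
# Fetch the current APNIC delegation list, extract the CN IPv4 blocks and sort
# them by the NETNAME their whois record reports (CHINANET / CNCGROUP).
# Output: cn.net gets every CN prefix; one file per NETNAME gets its prefixes.
# Needs wget, whois, grep, cut and sed, plus network access to apnic.net.
# Fixes against the page's copy: "Esac" -> "esac", the "read ip" / "cnt" split
# across two lines, a here-document whose terminator shared a line with ")",
# and a whois invocation the page had mangled into "[email protected]".

FILE=/root/study/apnic/ip_apnic
APNIC_URL=http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest

# prefix_len COUNT: address count -> CIDR prefix length (256 -> 24, 65536 -> 16).
# Same integer halving the original bc log2() did, so a count that is not a
# power of two rounds the same way (e.g. 768 -> 23).
prefix_len() {
    x=$1
    pow=32
    while [ "$x" -gt 1 ]; do
        pow=$((pow - 1))
        x=$((x / 2))
    done
    echo "$pow"
}

rm -f "$FILE"
wget "$APNIC_URL" -O "$FILE" || exit 1

grep 'apnic|CN|ipv4|' "$FILE" | cut -f 4,5 -d'|' | sed -e 's/|/ /g' | while read ip cnt
do
    echo "$ip:$cnt"
    mask=$(prefix_len "$cnt")
    echo "$ip/$mask" >> cn.net
    # Ask APNIC whois for the block's record and keep the netname, trimmed at
    # the first "-" (e.g. CHINANET-JS -> CHINANET).
    NETNAME=$(whois -h whois.apnic.net "$ip" | sed -e '/./{H;$!d;}' -e 'x;/netnum/!d' | grep '^netname' | sed -e 's/.*:      \(.*\)/\1/g' | sed -e 's/-.*//g')
    case $NETNAME in
    CHINANET|CNCGROUP)
        echo "$ip/$mask" >> "$NETNAME"
        ;;
    # To file other ISPs as well, add their NETNAME here; the apnic whois
    # output shows it.
    OTHER_NETNAME_here)
        ;;
    esac
done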
以前写的 , 用于放在服务器端判定的 . 不过 , 比这复杂 , 考略系统资源 , 就不用这么复杂了 . 只需要一条 Bat, 就可以了 .
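@echo off
REM Version 20060830,Copyright Netbank Co.LTD
REM cncstart.bat: send traffic for CNC / HZCNC / CRC / UNICOM prefixes out
REM through the CNC link's gateway. All routes are persistent (-p), so run
REM this once from an administrator prompt; cncstop.bat removes them.
REM The gateway is set once here so it can be changed in one place.
REM Fix against the page's copy: the last UNICOM line had a mangled "-p".
set GATEWAY=58.242.161.1
echo 正在启动网通链路,请稍候 ...
 
REM CNC
route add 58.16.0.0 mask 255.248.0.0 %GATEWAY% -p
route add 58.240.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 60.0.0.0 mask 255.224.0.0 %GATEWAY% -p
route add 60.55.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 60.208.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 60.255.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.48.0.0 mask 255.248.0.0 %GATEWAY% -p
route add 61.133.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.134.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 61.136.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.137.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.138.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.138.128.0 mask 255.255.192.0 %GATEWAY% -p
route add 61.139.128.0 mask 255.255.192.0 %GATEWAY% -p
route add 61.148.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 61.156.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.158.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.159.0.0 mask 255.255.192.0 %GATEWAY% -p
route add 61.161.0.0 mask 255.255.192.0 %GATEWAY% -p
route add 61.161.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.162.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 61.167.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.168.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.176.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.179.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.180.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 61.181.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.182.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 61.189.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 121.16.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 121.89.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 124.64.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 124.66.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 124.67.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 124.88.0.0 mask 255.248.0.0 %GATEWAY% -p
route add 124.128.0.0 mask 255.248.0.0 %GATEWAY% -p
route add 124.160.0.0 mask 255.248.0.0 %GATEWAY% -p
route add 125.32.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 202.38.143.0 mask 255.255.255.0 %GATEWAY% -p
route add 202.74.8.0 mask 255.255.248.0 %GATEWAY% -p
route add 202.75.208.0 mask 255.255.240.0 %GATEWAY% -p
route add 202.90.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 202.96.0.0 mask 255.255.192.0 %GATEWAY% -p
route add 202.96.64.0 mask 255.255.224.0 %GATEWAY% -p
route add 202.97.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 202.98.0.0 mask 255.255.224.0 %GATEWAY% -p
route add 202.99.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 202.102.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 202.106.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 202.107.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 202.108.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 202.110.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 202.111.128.0 mask 255.255.192.0 %GATEWAY% -p
route add 202.130.224.0 mask 255.255.224.0 %GATEWAY% -p
route add 203.93.8.0 mask 255.255.255.0 %GATEWAY% -p
route add 203.93.192.0 mask 255.255.192.0 %GATEWAY% -p
route add 203.175.192.0 mask 255.255.192.0 %GATEWAY% -p
route add 210.13.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 210.14.160.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.14.192.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.15.32.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.15.96.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.15.128.0 mask 255.255.192.0 %GATEWAY% -p
route add 210.21.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 210.22.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 210.51.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 210.52.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 210.74.96.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.74.128.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.78.0.0 mask 255.255.224.0 %GATEWAY% -p
route add 210.82.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 211.144.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 211.152.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 218.7.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 218.8.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 218.12.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 218.21.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 218.24.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 218.28.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 218.56.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 218.60.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 218.62.0.0 mask 255.255.128.0 %GATEWAY% -p
route add 218.67.128.0 mask 255.255.128.0 %GATEWAY% -p
route add 218.68.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 218.104.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 218.244.32.0 mask 255.255.224.0 %GATEWAY% -p
route add 218.247.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 219.154.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 219.156.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 219.158.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 219.159.0.0 mask 255.255.192.0 %GATEWAY% -p
route add 219.232.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 220.248.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 220.252.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 221.0.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 221.136.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 221.192.0.0 mask 255.224.0.0 %GATEWAY% -p
route add 222.128.0.0 mask 255.240.0.0 %GATEWAY% -p
route add 222.160.0.0 mask 255.252.0.0 %GATEWAY% -p
 
REM HZCNC
route add 58.100.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 125.210.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 211.155.224.0 mask 255.255.240.0 %GATEWAY% -p
route add 218.108.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 219.82.0.0 mask 255.255.0.0 %GATEWAY% -p
 
REM CRC
route add 61.232.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 61.236.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 211.98.0.0 mask 255.255.0.0 %GATEWAY% -p
route add 221.172.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 222.32.0.0 mask 255.224.0.0 %GATEWAY% -p
route add 58.82.176.0 mask 255.255.240.0 %GATEWAY% -p
route add 58.82.224.0 mask 255.255.240.0 %GATEWAY% -p
route add 61.29.240.0 mask 255.255.240.0 %GATEWAY% -p
route add 121.46.0.0 mask 255.255.192.0 %GATEWAY% -p
route add 121.46.192.0 mask 255.255.224.0 %GATEWAY% -p
route add 122.198.32.0 mask 255.255.224.0 %GATEWAY% -p
route add 124.156.112.0 mask 255.255.240.0 %GATEWAY% -p
route add 124.156.128.0 mask 255.255.240.0 %GATEWAY% -p
route add 124.249.224.0 mask 255.255.240.0 %GATEWAY% -p
 
REM UNICOM
route add 61.240.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 211.90.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 211.92.0.0 mask 255.252.0.0 %GATEWAY% -p
route add 211.96.0.0 mask 255.254.0.0 %GATEWAY% -p
route add 220.192.0.0 mask 255.240.0.0 %GATEWAY% -p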
保存为 cncstart.bat
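@echo off
REM Version 20060830,Copyright Netbank Co.LTD
REM cncstop.bat: remove every route cncstart.bat added. Each destination/mask
REM pair must match the add exactly or the route stays behind; the CRC entry
REM for 61.232.0.0 was deleted with mask 255.248.0.0 while cncstart.bat adds
REM it with 255.252.0.0 -- corrected below. Run from an administrator prompt.
echo 正在关闭网通链路,请稍候 ...
 
REM CNC
route delete 58.16.0.0 mask 255.248.0.0
route delete 58.240.0.0 mask 255.240.0.0
route delete 60.0.0.0 mask 255.224.0.0
route delete 60.55.0.0 mask 255.255.0.0
route delete 60.208.0.0 mask 255.240.0.0
route delete 60.255.0.0 mask 255.255.0.0
route delete 61.48.0.0 mask 255.248.0.0
route delete 61.133.0.0 mask 255.255.128.0
route delete 61.134.0.0 mask 255.254.0.0
route delete 61.136.0.0 mask 255.255.128.0
route delete 61.137.128.0 mask 255.255.128.0
route delete 61.138.0.0 mask 255.255.128.0
route delete 61.138.128.0 mask 255.255.192.0
route delete 61.139.128.0 mask 255.255.192.0
route delete 61.148.0.0 mask 255.254.0.0
route delete 61.156.0.0 mask 255.255.0.0
route delete 61.158.0.0 mask 255.255.0.0
route delete 61.159.0.0 mask 255.255.192.0
route delete 61.161.0.0 mask 255.255.192.0
route delete 61.161.128.0 mask 255.255.128.0
route delete 61.162.0.0 mask 255.254.0.0
route delete 61.167.0.0 mask 255.255.0.0
route delete 61.168.0.0 mask 255.255.0.0
route delete 61.176.0.0 mask 255.255.0.0
route delete 61.179.0.0 mask 255.255.0.0
route delete 61.180.128.0 mask 255.255.128.0
route delete 61.181.0.0 mask 255.255.0.0
route delete 61.182.0.0 mask 255.255.0.0
route delete 61.189.0.0 mask 255.255.128.0
route delete 121.16.0.0 mask 255.240.0.0
route delete 121.89.0.0 mask 255.255.0.0
route delete 124.64.0.0 mask 255.254.0.0
route delete 124.66.0.0 mask 255.255.128.0
route delete 124.67.0.0 mask 255.255.0.0
route delete 124.88.0.0 mask 255.248.0.0
route delete 124.128.0.0 mask 255.248.0.0
route delete 124.160.0.0 mask 255.248.0.0
route delete 125.32.0.0 mask 255.240.0.0
route delete 202.38.143.0 mask 255.255.255.0
route delete 202.74.8.0 mask 255.255.248.0
route delete 202.75.208.0 mask 255.255.240.0
route delete 202.90.0.0 mask 255.255.0.0
route delete 202.96.0.0 mask 255.255.192.0
route delete 202.96.64.0 mask 255.255.224.0
route delete 202.97.128.0 mask 255.255.128.0
route delete 202.98.0.0 mask 255.255.224.0
route delete 202.99.0.0 mask 255.255.0.0
route delete 202.102.128.0 mask 255.255.128.0
route delete 202.106.0.0 mask 255.255.0.0
route delete 202.107.0.0 mask 255.255.128.0
route delete 202.108.0.0 mask 255.255.0.0
route delete 202.110.0.0 mask 255.255.0.0
route delete 202.111.128.0 mask 255.255.192.0
route delete 202.130.224.0 mask 255.255.224.0
route delete 203.93.8.0 mask 255.255.255.0
route delete 203.93.192.0 mask 255.255.192.0
route delete 203.175.192.0 mask 255.255.192.0
route delete 210.13.128.0 mask 255.255.128.0
route delete 210.14.160.0 mask 255.255.224.0
route delete 210.14.192.0 mask 255.255.224.0
route delete 210.15.32.0 mask 255.255.224.0
route delete 210.15.96.0 mask 255.255.224.0
route delete 210.15.128.0 mask 255.255.192.0
route delete 210.21.0.0 mask 255.255.0.0
route delete 210.22.0.0 mask 255.255.0.0
route delete 210.51.0.0 mask 255.255.0.0
route delete 210.52.0.0 mask 255.254.0.0
route delete 210.74.96.0 mask 255.255.224.0
route delete 210.74.128.0 mask 255.255.224.0
route delete 210.78.0.0 mask 255.255.224.0
route delete 210.82.0.0 mask 255.254.0.0
route delete 211.144.0.0 mask 255.254.0.0
route delete 211.152.0.0 mask 255.254.0.0
route delete 218.7.0.0 mask 255.255.0.0
route delete 218.8.0.0 mask 255.252.0.0
route delete 218.12.0.0 mask 255.255.0.0
route delete 218.21.128.0 mask 255.255.128.0
route delete 218.24.0.0 mask 255.252.0.0
route delete 218.28.0.0 mask 255.254.0.0
route delete 218.56.0.0 mask 255.252.0.0
route delete 218.60.0.0 mask 255.254.0.0
route delete 218.62.0.0 mask 255.255.128.0
route delete 218.67.128.0 mask 255.255.128.0
route delete 218.68.0.0 mask 255.254.0.0
route delete 218.104.0.0 mask 255.252.0.0
route delete 218.244.32.0 mask 255.255.224.0
route delete 218.247.0.0 mask 255.255.0.0
route delete 219.154.0.0 mask 255.254.0.0
route delete 219.156.0.0 mask 255.254.0.0
route delete 219.158.0.0 mask 255.255.0.0
route delete 219.159.0.0 mask 255.255.192.0
route delete 219.232.0.0 mask 255.252.0.0
route delete 220.248.0.0 mask 255.252.0.0
route delete 220.252.0.0 mask 255.255.0.0
route delete 221.0.0.0 mask 255.240.0.0
route delete 221.136.0.0 mask 255.255.0.0
route delete 221.192.0.0 mask 255.224.0.0
route delete 222.128.0.0 mask 255.240.0.0
route delete 222.160.0.0 mask 255.252.0.0
 
REM HZCNC
route delete 58.100.0.0 mask 255.254.0.0
route delete 125.210.0.0 mask 255.255.0.0
route delete 211.155.224.0 mask 255.255.240.0
route delete 218.108.0.0 mask 255.254.0.0
route delete 219.82.0.0 mask 255.255.0.0
 
REM CRC
route delete 61.232.0.0 mask 255.252.0.0
route delete 61.236.0.0 mask 255.254.0.0
route delete 211.98.0.0 mask 255.255.0.0
route delete 221.172.0.0 mask 255.252.0.0
route delete 222.32.0.0 mask 255.224.0.0
route delete 58.82.176.0 mask 255.255.240.0
route delete 58.82.224.0 mask 255.255.240.0
route delete 61.29.240.0 mask 255.255.240.0
route delete 121.46.0.0 mask 255.255.192.0
route delete 121.46.192.0 mask 255.255.224.0
route delete 122.198.32.0 mask 255.255.224.0
route delete 124.156.112.0 mask 255.255.240.0
route delete 124.156.128.0 mask 255.255.240.0
route delete 124.249.224.0 mask 255.255.240.0
 
REM UNICOM
route delete 61.240.0.0 mask 255.252.0.0
route delete 211.90.0.0 mask 255.254.0.0
route delete 211.92.0.0 mask 255.252.0.0
route delete 211.96.0.0 mask 255.254.0.0
route delete 220.192.0.0 mask 255.240.0.0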
保存为 :cncstop.bat
至于服务器安全,要说的就多了。不过,我把它的 iptables 规则复制下来。
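# Generated by iptables-save v 1.2.11 on Sun Jul  8 20:36:32 2007
# Reviewed: the original ruleset broke the very setup it protects. There was
# no loopback rule (rndc to 127.0.0.1:953 fails), INPUT only tracked tcp
# replies, and OUTPUT allowed nothing but sport 53/222 -- so the slave's own
# AXFR requests to the master, queries to the forwarders and the wget/whois
# steps above all died in OUTPUT. Fixed below; default policies unchanged.
*filter
:INPUT DROP [1:75]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Loopback: rndc (127.0.0.1:953) and local lookups need it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to anything this host initiated, for every protocol (UDP DNS answers too).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH runs on 222 here.
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
# Kept from the original. With connection tracking loaded, fragments are
# reassembled before the filter table sees them, so this rule is likely never
# hit -- confirm, and consider dropping it.
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
# ICMP: echo replies in, echo requests out (this host may ping; it is not pingable).
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Authoritative service: queries, NOTIFY and AXFR arrive on 53.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 222 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
# DNS this host originates: AXFR from the master, NOTIFY to the slave, and
# forwarder/root queries (sent from a port other than 53 unless query-source
# pins it).
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Sun Jul  8 20:36:32 2007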
将其保存到 /etc/sysconfig/iptables ,
# service iptables start
至于其他资料,我已打包。
 
 
