[背景]这是老早我做的一个案例,今天拿出来供大家参考!
所需资料
一
:M/S DNS
架设流程
二
:TSIG
技术用与不同
view
区域传输
三
:
获取电信与网通
IP shell
脚本
四
:
服务器端修改路由表
bat
五
:
服务器安全
一
:
主
DNS
架设流程
配置步骤:
1
、
软件列表
BIND 9.3.2
[url]ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz[/url]
2
、
安装
BIND 9
安装
BIND9
:
# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure
--prefix=/usr/local/named
--disable-ipv6
# make && make install
建立
BIND
用户:
# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind
创建配置文件目录:
# mkdir �Cp /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc
创建主要的配置文件:
# vi /usr/local/named/etc/named.conf
===========================named.conf=======================
key "rndc-key" {
algorithm hmac-md5;
secret "7cMD1EIkZIVVcdO52D24Aw==";
};
key "hahazhu"{
algorithm hmac-md5;
secret "cnXsAYNrypKcTdhfy3FABA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "trust-lan" { 127.0.0.1/8;};
options {
directory "/usr/local/named/etc/";
pid-file "/var/run/named/named.pid";
version " 0.0.0 ";
datasize 40M ;
allow-transfer {
"trust-lan";};
recursion yes;
allow-notify {
"trust-lan";
};
allow-recursion {
"trust-lan";
};
auth-nxdomain yes;
forwarders {
202.102.192.68;
202.102.200.101;};
};
logging {
channel warning
{ file "/var/log/named/dns_warnings" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{ file "/var/log/named/dns_logs" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category queries { general_dns; };
};
zone "." {
type hint;
file "named.root";
};
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.242.161.0/29;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.158.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.180.128.0/17;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.16.128.0/18;
210.21.0.0/16;
210.51.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
211.152.0.0/13;
218.7.0.0/16;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.28.0.0/15;
218.56.0.0/14;
218.60.0.0/15;
218.62.0.0/17;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
218.106.81.0/29;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.7.128.0/17;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.214.0.0/16;
221.215.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
219.235.56.194;
};
view "view_cnc"{
match-clients { key hahazhu;CNC;};
recursion no;
allow-transfer {key hahazhu;};
server 218.22.93.237 {keys hahazhu;};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";};
include "master/cnc.def";};
view "view_any" {
match-clients { key rndc-key;any; };
recursion no;
allow-transfer {key rndc-key;};
server 218.22.93.237 {keys rndc-key;};
zone "." {
type hint;
file "named.root";};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/telecom.def";};
添加完成后,保存。
更新根区文件:
# cd /usr/local/named/etc/
# wget [url]ftp://ftp.internic.org/domain/named.root[/url]
创建
PID
和日志文件:
# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/
# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*
# mkdir master
# touch master/cnc.def
# touch master/telecom.def
生成
rndc-key
:
# cd /usr/local/named/etc/
# ../sbin/rndc-confgen > rndc.conf
把
rndc.conf
中:
# Use with the following in named.conf, adjusting the allow list as needed:
后面以的部分加到
/usr/local/named/etc/named.conf
中并去掉注释
运行测试:
# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &
状态检查:
# /usr/local/named/sbin/rndc status
建立启动脚本:
# vi /etc/init.d/named
============================== named.sh============================
#!/bin/bash
#
# named a network name service.
#
#
# chkconfig: 545 35 75
# description: a name server
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in
start)
if [ -x /usr/local/named/sbin/named ]; then
/usr/local/named/sbin/named -u bind -c /usr/local/named/etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;
stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;
esac
===============================named.sh============================
# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on
到这里
bind
已经安装完毕
.
下面是解析部分
.
3
、
添加一个
NS
注册两个
dns
Ns2.yyyy.com
4
、
添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
添加
zone " 18l .net" {
type master;
file "master/cnc/ 18l .net";
};
zone "bbtsd.com"{
type master;
file "master/cnc/bbtsd.com";
};
# vi telecom.def
添加
zone " 18l .net" {
type master;
file "master/telecom/ 18l .net";
};
zone "bbtsd.com"{
type master;
file "master/telecom/bbtsd.com";
};
添加网通的解析
#vi cnc/ 18l .net
$TTL 3600
$ORIGIN 18l .net.
18l
.net. IN SOA ns2.yyyy. root.yyyy.com.(
2007070901
3600
900
68400
15)
@ IN NS ns2.yyyy.com.
;ns2.yyyy.com. IN A 218.22.93.242
@ IN A 218.106.81.34
www IN A 58.242.161.2
mail IN A 218.106.81.34
IN MX 10 mail
#Vi cnc/bbtsd.com
$TTL 3600
$ORIGIN bbtsd.com.
bbtsd.com. IN SOA ns2.yyyy.com. root.yyyy.com.(
2007070901
3600
900
68400
15)
@ IN NS ns2.yyyy.com.
;ns2.yyyy.com. IN A 218.22.93.242
www IN A 58.242.161.4
mail IN A 218.106.81.34
IN MX 10 mail
@ IN A 58.242.161.4
添加电信的解析
#vi telecom/ 18l .net
$TTL 3600
$ORIGIN 18l .net.
@ IN SOA ns2.yyyy.com. root.yyyy.com.(
2007070901
3600
900
68400
15 )
@ IN NS ns2.yyyy.com.
ns2.yyyy.com IN A 218.22.93.242
@ IN A 218.22.93.244
www IN A 218.22.93.244
mail IN A 218.106.81.34
IN MX 10 mail
#vi telecom/bbtsd.com
$TTL 3600
$ORIGIN bbtsd.com.
bbtsd.com. IN SOA ns2.yyyy.com. root.yyyy.com.(
2007070901
3600
900
68400
15 )
@ IN NS ns2.yyyy.com.
ns2.yyyy.com IN A 218.22.93.242
www IN A 218.22.93.253
mail IN A 218.106.81.34
IN MX 10 mail
@ IN A 218.22.93.253
#/usr/local/named/sbin/rndc reload
OK
,到此你的主
DNS
服务器配置就算是搞起来了。
从
DNS
架设流程
配置步骤:
1
、
软件列表
BIND 9.3.2
[url]ftp://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz[/url]
2
、
安装
BIND 9
安装
BIND9
:
# tar zxvf bind-9.3.2.tar.gz
# cd bind-9.3.2
# ./configure
--prefix=/usr/local/named
--disable-ipv6
# make && make install
建立
BIND
用户:
# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind
创建配置文件目录:
# mkdir �Cp /usr/local/named/etc
# chown bind:bind /usr/local/named/etc
# chmod 700 /usr/local/named/etc
创建主要的配置文件:
# vi /usr/local/named/etc/named.conf
===========================named.conf=======================
key "rndc-key" {
algorithm hmac-md5;
secret "7cMD1EIkZIVVcdO52D24Aw==";
};
key"hahazhu"{
algorithm hmac-md5;
secret "cnXsAYNrypKcTdhfy3FABA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "trust-lan" { 127.0.0.1/8;};
options {
directory "/usr/local/named/etc/";
pid-file "/var/run/named/named.pid";
version " 0.0.0 ";
datasize 40M ;
/*
allow-transfer {
"trust-lan";};
recursion yes;
allow-notify {
"trust-lan";
};
allow-recursion {
"trust-lan";
};
auth-nxdomain no;
*/
recursion yes;
forwarders {
202.102.192.68;
202.102.200.101;};
};
logging {
channel warning
{ file "/var/log/named/dns_warnings" versions 3 size 1240k;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns
{ file "/var/log/named/dns_logs" versions 3 size 1240k;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { warning; };
category queries { general_dns; };
};
zone "." {
type hint;
file "named.root";
};
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.242.161.0/29;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.158.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.180.128.0/17;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.16.128.0/18;
210.21.0.0/16;
210.51.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
211.152.0.0/13;
218.7.0.0/16;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.28.0.0/15;
218.56.0.0/14;
218.60.0.0/15;
218.62.0.0/17;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
218.106.81.0/29;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.7.128.0/17;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.214.0.0/16;
221.215.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
219.235.56.194;
};
view "view_cnc"{
match-clients { key hahazhu;CNC;};
recursion no;
allow-transfer {none;};
server 218.22.93.242 {keys hahazhu;};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";};
include "master/cnc.def";};
view "view_any" {
match-clients { key rndc-key;any; };
recursion yes;
allow-transfer {none;};
server 218.22.93.242 {keys rndc-key;};
zone "." {
type hint;
file "named.root";};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/telecom.def";};
添加完成后,保存。
更新根区文件:
# cd /usr/local/named/etc/
# wget [url]ftp://ftp.internic.org/domain/named.root[/url]
创建
PID
和日志文件:
# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/
# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/*
# mkdir master
# touch master/cnc.def
# touch master/telecom.def
生成
rndc-key
:
将从主
DNS
中把其复制过来
.
从主的
key
内容一样
.
把
rndc.conf
中:
# Use with the following in named.conf, adjusting the allow list as needed:
后面以的部分加到
/usr/local/named/etc/named.conf
中并去掉注释
运行测试:
# /usr/local/named/sbin/named -gc /usr/local/named/etc/named.conf &
状态检查:
# /usr/local/named/sbin/rndc status
建立启动脚本:
# vi /etc/init.d/named
============================== named.sh============================
#!/bin/bash
#
# named a network name service.
#
#
# chkconfig: 545 35 75
# description: a name server
#
if [ `id -u` -ne 0 ]
then
echo "ERROR:For bind to port 53,must run as root."
exit 1
fi
case "$1" in
start)
if [ -x /usr/local/named/sbin/named ]; then
/usr/local/named/sbin/named -u bind -c /usr/local/named/etc/named.conf && echo . && echo 'BIND9 server started.'
fi
;;
stop)
kill `cat /var/run/named/pid` && echo . && echo 'BIND9 server stopped.'
;;
restart)
echo .
echo "Restart BIND9 server"
$0 stop
sleep 10
$0 start
;;
*)
echo "$0 start | stop | restart"
;;
esac
===============================named.sh============================
# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on
到这里
bind
已经安装完毕
.
下面是解析部分
.
3
、
添加一个
NS
Ns.xxxx.net
4
、
添加一个域名
# cd /usr/local/named/etc/master
# mkdir cnc
# mkdir telecom
# vi cnc.def
zone " 18l .net" {
type slave;
masters {218.22.93.242;};
file "master/cnc/ 18l .net";
};
zone "bbtsd.com"{
type slave;
masters {218.22.93.242;};
file "master/cnc/bbtsd.com";
};
# vi telecom.def
添加
zone " 18l .net" {
type slave;
masters {218.22.93.242;};
file "master/telecom/ 18l .net";
};
zone "bbtsd.com"{
type slave;
masters {218.22.93.242;};
file "master/telecom/bbtsd.com";
};
OK,
到这里
,
从
DNS
就算架设成功了
.
至于出现错误
,
请检查日志
/var/log/messages
还有定义的日志
.
记住
,
架设容易
,
维护难
.
以后
,
还需要好好看管
,
才行噢
!!!
二
至于这一部分
,
已经在配置文件中体现了
.
我只需要将在
bind9
管理手册中的资料复制来来
,
看下如何操作就成了
.
5.4 TSIG
(信号安全处理)
这是一个基于
BIND
中的安全处理的
Transaction SIGnature (TSIG)
。它描述了配置文件
的更新和在不同情况下的更新要求,包括产生处理密匙和使用
BIND TSIG
的过程。
BIND
主要支持服务器对服务器之间通讯的
TSIG
。包括域传送(
zone transfer
),通报
(
notify
)和递归查询信息。基于
BIND8
的新版本对
TSIG
的支持较为有限。
TSIG
可能对动态更新最有用了,一个动态域的主
DNS
服务器使用访问控制来控制更
新,而基于
IP
的访问控制是不够的。基于密匙的访问控制要高级的多了,参看推荐标准。
nsupdate
程序通过
-k
和
-y
命令选项支持
TSIG
。
5.4.1
为每对主机产生共享密匙
产生一个共享的加密方式就是在
host1
和
host2
之间共享使用。可选择任意的密
匙:
“host1-host 2”
。但密匙必须在两个主机上是一样的。
5.4.1
.1
自动产生
下列命令将会产生一个如上所述
128
位(
16
字节)
HAMC-MD5
的密匙。越长的键越
好,但是较短的键比较容易读取。注意键的最大长度是
512
比特;更长的键将会被
MD5
消
化以产生
128
位的密匙。
dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
密匙存在于
Khost1-host2.+157+00000.private
文件中。文件不直接被调用,但是在
”Key:”
之后的
base-64
编码字符串可以直接拷贝出作为共享密匙:
DNS
(
BIND9
)
RunStone Tech. Inc.
[url]http://www.runstone.com[/url]
, 2003
22
Key: La/E5CjG9O+os1jq 0a 2jdA==
字符串
"La/E5CjG9O+os1jq 0a 2jdA=="
可以作为共享密匙使用
5.4.1
.2
手工生成
共享密匙仅仅是使用
base-64
编码的随机序列结果。大多数
ASCII
字符串是有效的
base-64
字符串(假设长度是
4
的倍数,只有有效的字符被使用),所以共享密匙可以被手工
生成。
而且,一个熟知的字符串可以通过
mmencode
或者一个相似的程序以产生
base-64
编码
数据。
5.4.2
把共享密匙拷到两台机器中
这超过了
DNS
的范围。使用一种安全传输机制,例如可以是安全
FTP
、
ssh
、电话等。
5.4.3
通知服务器密匙的存在
设想
host1
和
host2
是这
2
台服务器。下列语句将会加到每个服务器中的
named.conf file
中:
key host1-host2. {
algorithm hmac-md5;
secret "La/E5CjG9O+os1jq 0a 2jdA==";
};
BIND
只支持
hmac-md5
算法。密匙就是在上面产生的这个。既然这是一个密匙,建议
将
named.conf
设为不可读,或者在
named.conf
中调用一个包含了密匙的不可读的文件。
这样,
key
就被认可了。这意味着如果服务器受到一则被这个
key
标记的消息,它可以
对这个签字进行校验。如果校验成功,应答就会被同一个
key
所标记。
5.4.4
通知服务器使用密匙
既然密匙只在两个主机之间共享,服务器就必须被告知什么时候使用
key
。下列是加入
到
host1
的
named.conf
文件中的配置,如果
host2
的
IP
地址是
10.1.2
.3:
server 10.1.2 .3 {
DNS
(
BIND9
)
RunStone Tech. Inc.
[url]http://www.runstone.com[/url]
, 2003
23
keys { host1-host2. ;};
};
多个
key
可能同时被使用,但是只有第一个有效。这个指示不包括任何加密,所以它
可能是一个普遍可读文件。
如果
host1
向那个地址发送一个消息,此消息将会被特殊的
key
标记。
host1
则会等待
任何使用了相同
key
标记的回复信息。
一个相似的语句也会存在于
host2
的配置文件中(使用
host1
的地址),这样
host2
就会
在回复
host1
的消息中标记相同的
key
。
5.4.5
基于TSIG 密匙的访问控制
BIND
承认在
ACL
定义中使用
IP
地址和地址段和
allow-{ query | transfer | update }
。这
也拓展到允许使用
TSIG
密匙。上述
key
可以表示为
key host1-host2
。
一个
allow-update
的例子是:
allow-update { key host1-host2. ;};
它只允许那些带有
”host1-host 2”
标记的动态更新请求被接受。后面的
update-policy
还有
更加强大的功能。
5.4.6
错
_________
误
在处理用
TSIG
标记信息时会发生一些错误。如果一个标记信息被发送到一个不兼容
TSIG
的服务器中,服务器不能识别记录,就会返回一个
FORMERR
。这是配置错误的结果,
服务器应该配置清楚要发送到的特定的
server
。
如果识别
TSIG
的服务器收到一则由未知
key
标志的信息,响应时就不会用
TSIG
标记,
且会带有错误编码
BADKEY
。如果一个识别
TSIG
服务器收到一个带着无效标记的信息,
回应就不会用
TSIG
标记,且会带有错误编码
BADSIG
。如果一台识别
TSIG
服务器接收到
一个超过规定时限的信息,响应时就会带有
TSIG
标记的错误代码
BADTIME
,且时间值将
会被重新调整,使得响应可以被成功验证。在所有这些情况中,消息的错误代码都被设置
为
NOTAUTH
。
*
记住,主辅DNS时间差不能大于5分钟,最好做个网络同步时间服务.不过,我没做.嘿嘿~~
三
(1)
以下方法可以查询到
3
个服务商大致的地址范围,不过是否完整还需要大家验证。
下载并编译最新的
ripe-dbase-client
# wget [url]http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client-v3.tar.gz[/url]
#tar zxvf ripe-dbase*.gz
#cd whois-3.1
#./configure;make
执行查询并输出结果
#./whois3 -h whois.apnic.net -l -i mb MAINT-CNCGROUP >/tmp/cnc
#./whois3 -h whois.apnic.net -l -i mb MAINT-CHINANET >/tmp/chinanet
#./whois3 -h whois.apnic.net -l -i mb MAINT-CN-CRTC > /tmp/crtc
如果想得到具体的服务商比如江苏省电信的
IP
池,就把
mb
的值改为
MAINT-CHINANET-JS
,或者是辽宁网通,那就改为
MAINT-CNCGROUP-LN
然后用
grep
和
sed
去掉多余的文字就可以得到了。
(2)
#!/bin/sh
FILE=/root/study/apnic/ip_apnic
rm -f $FILE
wget [url]http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest[/url] -O $FILE
grep 'apnic|CN|ipv4|' $FILE | cut -f 4,5 -d'|'|sed -e 's/|/ /g' | while read ip
cnt
do
echo $ip:$cnt
mask=$(cat << EOF | bc | tail -1
pow=32;
define log2(x) {
if (x<=1) return (pow);
pow--;
return(log2(x/2));
}
log2($cnt)
EOF)
echo $ip/$mask>> cn.net
NETNAME=`whois [email protected] | sed -e '/./{H;$!d;}' -e 'x;/netnum/!d' |grep ^netname | sed -e 's/.*: \(.*\)/\1/g' | sed -e 's/-.*//g'`
case $NETNAME in
CHINANET|CNCGROUP)
echo $ip/$mask >> $NETNAME
;;
#
如果你�要其他
ISP ,
�在�@�加上去即可
,
透�^
apnic whois ,
你可以知道他的
NETNAME
OTHER_NETNAME_here)
;;
Esac
done
四
以前写的
,
用于放在服务器端判定的
.
不过
,
比这复杂
,
考略系统资源
,
就不用这么复杂了
.
只需要一条
Bat,
就可以了
.
REM Version 20060830,Copyright Netbank Co.LTD
@echo off
echo
正在启动网通链路,请稍候
...
REM CNC
route add 58.16.0.0 mask 255.248.0.0 58.242.161.1 -p
route add 58.240.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 60.0.0.0 mask 255.224.0.0 58.242.161.1 -p
route add 60.55.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 60.208.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 60.255.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.48.0.0 mask 255.248.0.0 58.242.161.1 -p
route add 61.133.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.134.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 61.136.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.137.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.138.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.138.128.0 mask 255.255.192.0 58.242.161.1 -p
route add 61.139.128.0 mask 255.255.192.0 58.242.161.1 -p
route add 61.148.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 61.156.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.158.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.159.0.0 mask 255.255.192.0 58.242.161.1 -p
route add 61.161.0.0 mask 255.255.192.0 58.242.161.1 -p
route add 61.161.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.162.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 61.167.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.168.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.176.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.179.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.180.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 61.181.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.182.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 61.189.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 121.16.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 121.89.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 124.64.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 124.66.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 124.67.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 124.88.0.0 mask 255.248.0.0 58.242.161.1 -p
route add 124.128.0.0 mask 255.248.0.0 58.242.161.1 -p
route add 124.160.0.0 mask 255.248.0.0 58.242.161.1 -p
route add 125.32.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 202.38.143.0 mask 255.255.255.0 58.242.161.1 -p
route add 202.74.8.0 mask 255.255.248.0 58.242.161.1 -p
route add 202.75.208.0 mask 255.255.240.0 58.242.161.1 -p
route add 202.90.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 202.96.0.0 mask 255.255.192.0 58.242.161.1 -p
route add 202.96.64.0 mask 255.255.224.0 58.242.161.1 -p
route add 202.97.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 202.98.0.0 mask 255.255.224.0 58.242.161.1 -p
route add 202.99.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 202.102.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 202.106.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 202.107.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 202.108.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 202.110.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 202.111.128.0 mask 255.255.192.0 58.242.161.1 -p
route add 202.130.224.0 mask 255.255.224.0 58.242.161.1 -p
route add 203.93.8.0 mask 255.255.255.0 58.242.161.1 -p
route add 203.93.192.0 mask 255.255.192.0 58.242.161.1 -p
route add 203.175.192.0 mask 255.255.192.0 58.242.161.1 -p
route add 210.13.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 210.14.160.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.14.192.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.15.32.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.15.96.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.15.128.0 mask 255.255.192.0 58.242.161.1 -p
route add 210.21.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 210.22.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 210.51.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 210.52.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 210.74.96.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.74.128.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.78.0.0 mask 255.255.224.0 58.242.161.1 -p
route add 210.82.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 211.144.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 211.152.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 218.7.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 218.8.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 218.12.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 218.21.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 218.24.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 218.28.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 218.56.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 218.60.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 218.62.0.0 mask 255.255.128.0 58.242.161.1 -p
route add 218.67.128.0 mask 255.255.128.0 58.242.161.1 -p
route add 218.68.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 218.104.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 218.244.32.0 mask 255.255.224.0 58.242.161.1 -p
route add 218.247.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 219.154.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 219.156.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 219.158.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 219.159.0.0 mask 255.255.192.0 58.242.161.1 -p
route add 219.232.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 220.248.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 220.252.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 221.0.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 221.136.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 221.192.0.0 mask 255.224.0.0 58.242.161.1 -p
route add 222.128.0.0 mask 255.240.0.0 58.242.161.1 -p
route add 222.160.0.0 mask 255.252.0.0 58.242.161.1 -p
REM HZCNC
route add 58.100.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 125.210.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 211.155.224.0 mask 255.255.240.0 58.242.161.1 -p
route add 218.108.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 219.82.0.0 mask 255.255.0.0 58.242.161.1 -p
REM CRC
route add 61.232.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 61.236.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 211.98.0.0 mask 255.255.0.0 58.242.161.1 -p
route add 221.172.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 222.32.0.0 mask 255.224.0.0 58.242.161.1 -p
route add 58.82.176.0 mask 255.255.240.0 58.242.161.1 -p
route add 58.82.224.0 mask 255.255.240.0 58.242.161.1 -p
route add 61.29.240.0 mask 255.255.240.0 58.242.161.1 -p
route add 121.46.0.0 mask 255.255.192.0 58.242.161.1 -p
route add 121.46.192.0 mask 255.255.224.0 58.242.161.1 -p
route add 122.198.32.0 mask 255.255.224.0 58.242.161.1 -p
route add 124.156.112.0 mask 255.255.240.0 58.242.161.1 -p
route add 124.156.128.0 mask 255.255.240.0 58.242.161.1 -p
route add 124.249.224.0 mask 255.255.240.0 58.242.161.1 -p
REM UNICOM
route add 61.240.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 211.90.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 211.92.0.0 mask 255.252.0.0 58.242.161.1 -p
route add 211.96.0.0 mask 255.254.0.0 58.242.161.1 -p
route add 220.192.0.0 mask 255.240.0.0 58.242.161.1 �Cp
保存为
cncstart.bat
REM Version 20060830,Copyright Netbank Co.LTD
@echo off
echo
正在关闭网通链路,请稍候
...
REM CNC
route delete 58.16.0.0 mask 255.248.0.0
route delete 58.240.0.0 mask 255.240.0.0
route delete 60.0.0.0 mask 255.224.0.0
route delete 60.55.0.0 mask 255.255.0.0
route delete 60.208.0.0 mask 255.240.0.0
route delete 60.255.0.0 mask 255.255.0.0
route delete 61.48.0.0 mask 255.248.0.0
route delete 61.133.0.0 mask 255.255.128.0
route delete 61.134.0.0 mask 255.254.0.0
route delete 61.136.0.0 mask 255.255.128.0
route delete 61.137.128.0 mask 255.255.128.0
route delete 61.138.0.0 mask 255.255.128.0
route delete 61.138.128.0 mask 255.255.192.0
route delete 61.139.128.0 mask 255.255.192.0
route delete 61.148.0.0 mask 255.254.0.0
route delete 61.156.0.0 mask 255.255.0.0
route delete 61.158.0.0 mask 255.255.0.0
route delete 61.159.0.0 mask 255.255.192.0
route delete 61.161.0.0 mask 255.255.192.0
route delete 61.161.128.0 mask 255.255.128.0
route delete 61.162.0.0 mask 255.254.0.0
route delete 61.167.0.0 mask 255.255.0.0
route delete 61.168.0.0 mask 255.255.0.0
route delete 61.176.0.0 mask 255.255.0.0
route delete 61.179.0.0 mask 255.255.0.0
route delete 61.180.128.0 mask 255.255.128.0
route delete 61.181.0.0 mask 255.255.0.0
route delete 61.182.0.0 mask 255.255.0.0
route delete 61.189.0.0 mask 255.255.128.0
route delete 121.16.0.0 mask 255.240.0.0
route delete 121.89.0.0 mask 255.255.0.0
route delete 124.64.0.0 mask 255.254.0.0
route delete 124.66.0.0 mask 255.255.128.0
route delete 124.67.0.0 mask 255.255.0.0
route delete 124.88.0.0 mask 255.248.0.0
route delete 124.128.0.0 mask 255.248.0.0
route delete 124.160.0.0 mask 255.248.0.0
route delete 125.32.0.0 mask 255.240.0.0
route delete 202.38.143.0 mask 255.255.255.0
route delete 202.74.8.0 mask 255.255.248.0
route delete 202.75.208.0 mask 255.255.240.0
route delete 202.90.0.0 mask 255.255.0.0
route delete 202.96.0.0 mask 255.255.192.0
route delete 202.96.64.0 mask 255.255.224.0
route delete 202.97.128.0 mask 255.255.128.0
route delete 202.98.0.0 mask 255.255.224.0
route delete 202.99.0.0 mask 255.255.0.0
route delete 202.102.128.0 mask 255.255.128.0
route delete 202.106.0.0 mask 255.255.0.0
route delete 202.107.0.0 mask 255.255.128.0
route delete 202.108.0.0 mask 255.255.0.0
route delete 202.110.0.0 mask 255.255.0.0
route delete 202.111.128.0 mask 255.255.192.0
route delete 202.130.224.0 mask 255.255.224.0
route delete 203.93.8.0 mask 255.255.255.0
route delete 203.93.192.0 mask 255.255.192.0
route delete 203.175.192.0 mask 255.255.192.0
route delete 210.13.128.0 mask 255.255.128.0
route delete 210.14.160.0 mask 255.255.224.0
route delete 210.14.192.0 mask 255.255.224.0
route delete 210.15.32.0 mask 255.255.224.0
route delete 210.15.96.0 mask 255.255.224.0
route delete 210.15.128.0 mask 255.255.192.0
route delete 210.21.0.0 mask 255.255.0.0
route delete 210.22.0.0 mask 255.255.0.0
route delete 210.51.0.0 mask 255.255.0.0
route delete 210.52.0.0 mask 255.254.0.0
route delete 210.74.96.0 mask 255.255.224.0
route delete 210.74.128.0 mask 255.255.224.0
route delete 210.78.0.0 mask 255.255.224.0
route delete 210.82.0.0 mask 255.254.0.0
route delete 211.144.0.0 mask 255.254.0.0
route delete 211.152.0.0 mask 255.254.0.0
route delete 218.7.0.0 mask 255.255.0.0
route delete 218.8.0.0 mask 255.252.0.0
route delete 218.12.0.0 mask 255.255.0.0
route delete 218.21.128.0 mask 255.255.128.0
route delete 218.24.0.0 mask 255.252.0.0
route delete 218.28.0.0 mask 255.254.0.0
route delete 218.56.0.0 mask 255.252.0.0
route delete 218.60.0.0 mask 255.254.0.0
route delete 218.62.0.0 mask 255.255.128.0
route delete 218.67.128.0 mask 255.255.128.0
route delete 218.68.0.0 mask 255.254.0.0
route delete 218.104.0.0 mask 255.252.0.0
route delete 218.244.32.0 mask 255.255.224.0
route delete 218.247.0.0 mask 255.255.0.0
route delete 219.154.0.0 mask 255.254.0.0
route delete 219.156.0.0 mask 255.254.0.0
route delete 219.158.0.0 mask 255.255.0.0
route delete 219.159.0.0 mask 255.255.192.0
route delete 219.232.0.0 mask 255.252.0.0
route delete 220.248.0.0 mask 255.252.0.0
route delete 220.252.0.0 mask 255.255.0.0
route delete 221.0.0.0 mask 255.240.0.0
route delete 221.136.0.0 mask 255.255.0.0
route delete 221.192.0.0 mask 255.224.0.0
route delete 222.128.0.0 mask 255.240.0.0
route delete 222.160.0.0 mask 255.252.0.0
REM HZCNC
route delete 58.100.0.0 mask 255.254.0.0
route delete 125.210.0.0 mask 255.255.0.0
route delete 211.155.224.0 mask 255.255.240.0
route delete 218.108.0.0 mask 255.254.0.0
route delete 219.82.0.0 mask 255.255.0.0
REM CRC
route delete 61.232.0.0 mask 255.248.0.0
route delete 61.236.0.0 mask 255.254.0.0
route delete 211.98.0.0 mask 255.255.0.0
route delete 221.172.0.0 mask 255.252.0.0
route delete 222.32.0.0 mask 255.224.0.0
route delete 58.82.176.0 mask 255.255.240.0
route delete 58.82.224.0 mask 255.255.240.0
route delete 61.29.240.0 mask 255.255.240.0
route delete 121.46.0.0 mask 255.255.192.0
route delete 121.46.192.0 mask 255.255.224.0
route delete 122.198.32.0 mask 255.255.224.0
route delete 124.156.112.0 mask 255.255.240.0
route delete 124.156.128.0 mask 255.255.240.0
route delete 124.249.224.0 mask 255.255.240.0
REM UNICOM
route delete 61.240.0.0 mask 255.252.0.0
route delete 211.90.0.0 mask 255.254.0.0
route delete 211.92.0.0 mask 255.252.0.0
route delete 211.96.0.0 mask 255.254.0.0
route delete 220.192.0.0 mask 255.240.0.0
保存为
:cncstop.bat
五
,
服务器安全
,
那就多了
.
不过
,
我将其
iptables
复制下来
.
# Generated by iptables-save v 1.2.11 on Sun Jul 8 20:36:32 2007
*filter
:INPUT DROP [1:75]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 222 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Sun Jul 8 20:36:32 2007
将其保存到
/etc/sysconfig/iptables
下
,
Service iptables start
至于其他资料
,
我以并打包
.