1、詳細描述一次加密通訊的過程,結合圖示最佳。
一次完整的加密通訊過程如下:
通訊的雙方需要事先協商好單向加密算法,並交換各自的公鑰
發送端加密過程
1、發送端先用單向加密算法計算出數據的特徵碼
2、發送端用自己的私鑰加密特徵碼,生成數字簽名,並將該數字簽名附加在數據之後
3、發送端生成一個臨時對稱密鑰,並使用該對稱密鑰加密整段數據(數據+數字簽名)
4、發送端獲取接收端的公鑰,使用該公鑰加密之前生成的臨時對稱密鑰,並附加其在對稱祕鑰加密後的數據之後
5、將以上數據發送給對方
接收端解密過程
1、接收端先使用自己的私鑰解密加密過的臨時對稱密鑰,得到臨時對稱密鑰
2、接收端用臨時對稱密鑰解密加密過的數據(數據+數字簽名)
3、接收端用發送端的公鑰解密特徵碼,能解密則發送端身份得到驗證
4、用相同的單向加密算法計算數據的特徵碼,並將其與解密得到的特徵碼進行比較,驗證數據完整性
2、描述創建私有CA的過程,以及爲客戶端發來的證書請求進行辦法證書。
CA主機構建私有CA
1、生成私鑰
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus .......................................++ .......................................++ e is 65537 (0x10001)
2、生成自簽證書
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:MagEdu Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.magedu.com Email Address []:[email protected] [root@localhost ~]# ls /etc/pki/CA/ cacert.pem certs crl newcerts private
參數說明:
-new:生成新證書籤署請求;
-x509:生成自籤格式證書,專用於創建私有CA時;
-key:生成請求時用到的私有文件路徑;
-out:生成的請求文件路徑;如果自籤操作將直接生成簽署過的證書;
-days:證書的有效時長,單位是day;
3、爲CA提供所需的目錄及文件
[root@localhost ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial要用到證書進行安全通信的主機,需要向CA主機請求籤署證書:
步驟(以httpd爲例):
[root@localhost ~]# systemctl status httpd.service httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Wed 2017-07-12 21:16:38 CST; 10s ago Main PID: 3975 (httpd) Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec" CGroup: /system.slice/httpd.service ├─3975 /usr/sbin/httpd -DFOREGROUND ├─3976 /usr/sbin/httpd -DFOREGROUND ├─3977 /usr/sbin/httpd -DFOREGROUND ├─3978 /usr/sbin/httpd -DFOREGROUND ├─3979 /usr/sbin/httpd -DFOREGROUND └─3980 /usr/sbin/httpd -DFOREGROUND Jul 12 21:16:38 localhost.localdomain httpd[3975]: AH00558: httpd: Could not ... Jul 12 21:16:38 localhost.localdomain systemd[1]: Started The Apache HTTP Ser... Hint: Some lines were ellipsized, use -l to show in full.
1、用到證書的主機生成私鑰;
[root@localhost ~]# mkdir /etc/httpd/ssl [root@localhost ~]# cd /etc/httpd/ssl [root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048) Generating RSA private key, 2048 bit long modulus .....................................+++ ..........+++ e is 65537 (0x10001)
2、生成證書籤署請求
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:MagEdu Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:www.magedu.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost ssl]# ll total 8 -rw-r--r--. 1 root root 1058 Jul 12 21:21 httpd.csr -rw-------. 1 root root 1679 Jul 12 21:17 httpd.key
3、將請求通過可靠方式發送給CA主機;
[root@localhost ssl]# scp httpd.csr 192.168.10.10:/tmp/ The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established. ECDSA key fingerprint is 32:15:52:1a:72:71:51:a2:c2:ad:bb:c4:b9:55:f8:e2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts. [email protected]'s password: httpd.csr 100% 1058 1.0KB/s 00:00
4、在CA主機上籤署證書;
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 12 13:24:27 2017 GMT Not After : Jul 12 13:24:27 2018 GMT Subject: countryName = CN stateOrProvinceName = Shanghai organizationName = MagEdu organizationalUnitName = Ops commonName = www.magedu.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 9A:B9:84:A8:FC:F8:06:37:A1:BD:B7:E7:E6:BD:08:35:AE:A2:2A:C6 X509v3 Authority Key Identifier: keyid:B4:63:A6:45:FF:D9:C2:7B:7A:F3:09:45:CF:F0:9C:0E:6D:26:9A:E4 Certificate is to be certified until Jul 12 13:24:27 2018 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost ~]# cd /etc/pki/CA [root@localhost CA]# ls cacert.pem crl index.txt.attr newcerts serial certs index.txt index.txt.old private serial.old [root@localhost CA]# cat index.txt V180712132427Z01unknown/C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
5、將CA主機簽署完的證書發送給申請主機
[root@localhost CA]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/ The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established. ECDSA key fingerprint is 93:3b:4a:9e:0e:a0:bd:84:de:a0:cb:6e:3a:9f:43:46. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts. [email protected]'s password: httpd.crt 100% 5881 5.7KB/s 00:00
6、查看證書中的信息:(CA主機和客戶機都可以查看)
CA主機
[root@localhost CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject serial=01 subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected] 客戶機 [root@localhost ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject serial=01 subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
3、描述DNS查詢過程以及DNS服務器類別。
DNS查詢過程
Client --> hosts文件 --> DNS Local Cache --> DNS Server --> recursion(遞歸)
自己負責解析的域:直接查詢數據庫並返回答案;
不是自己負責解析域:Server Cache --> iteration(迭代)
客戶端鍵入域名後便會發起DNS查詢
1、客戶端查詢本地hosts文件應答
2、如果本地hosts文件查詢無果,則查詢本地DNS緩存信息應答
3、如果本地緩存信息查詢無果,則通過本機設定的DNS服務器應答(客戶端到指定DNS服務器只查詢一次,後續查詢由指定DNS服務器完成,此爲遞歸查詢)
4、如果本機設定的DNS服務器依然查詢無果,則默認DNS服務器向根DNS服務器、二級域服務器、三級域服務器依次迭代查詢,並將結果應答客戶端
DNS服務器類別
負責解析至少一個域:
主名稱服務器:維護所負責解析的域數據庫的那臺服務器;讀寫操作均可進行
輔助名稱服務器:從主DNS服務器那裏或其它的從DNS服務器那裏“複製”一份解析庫;但只能進行讀操作
不負責解析:
緩存名稱服務器:可運行域名服務器軟件,但是沒有域名數據庫軟件
轉發名稱服務器:負責所有非本地域名的本地查詢
4、搭建一套DNS服務器,負責解析magedu.com域名(自行設定主機名及IP)
實驗環境:
主DNS服務器:192.168.10.11(CentOS 7.2)
從DNS服務器:192.168.10.12(CentOS 7.2)
子域DNS服務器:192.168.10.13(CentOS 7.2)
(1)、能夠對一些主機名進行正向解析和逆向解析;
1、主DNS服務器安裝bind程序包,並修改主配置文件/etc/named.conf全局選項如下:
[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };2、檢查配置文件、啓動服務,並查看53端口監聽狀態
[root@localhost ~]# named-checkconf [root@localhost ~]# systemctl start named.service [root@localhost ~]# ss -tunl | grep :53 udp UNCONN 0 0 192.168.10.11:53 *:* udp UNCONN 0 0 127.0.0.1:53 *:* tcp LISTEN 0 10 192.168.10.11:53 *:* tcp LISTEN 0 10 127.0.0.1:53 *:*
3、在主配置文件輔助配置文件/etc/named.rfc1912.zones中定義正向域magedu.com及反向域10.168.192.in-addr.arpa
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
type master;
file "192.168.10.zone";
};4、編輯正向區域解析庫文件/var/named/magedu.com.zone、修改屬組及權限,並檢查配置文件
[root@localhost ~]# vim /var/named/magedu.com.zone $TTL 3600 $ORIGIN magedu.com. @ IN SOA ns1.magedu.com. dnsadmin.magedu.com. ( 2017100101 1H 10M 3D 1D ) IN NS ns1 IN MX 10 mail IN MX 20 smtp ns1 IN A 192.168.10.11 mail IN A 192.168.10.12 smtp IN A 192.168.10.13 www IN A 192.168.10.11 web IN CNAME www bbs IN A 192.168.10.12 bbs IN A 192.168.10.13 [root@localhost ~]# chown :named /var/named/magedu.com.zone [root@localhost ~]# chmod o= /var/named/magedu.com.zone [root@localhost ~]# ll /var/named/magedu.com.zone -rw-r-----. 1 root named 313 Sep 2 16:54 /var/named/magedu.com.zone [root@localhost ~]# named-checkzone magedu.com /var/named/magedu.com.zone zone magedu.com/IN: loaded serial 2017100101 OK
5、編輯正向區域解析庫文件/var/named/192.168.10.zone、修改屬組及權限,並檢查配置文件
[root@localhost ~]# vim /var/named/192.168.10.zone $TTL 3600 $ORIGIN 10.168.192.in-addr.arpa. @ IN SOA ns1.magedu.com. dnsadmin.magedu.com. ( 2017100101 1H 10M 3D 1D ) IN NS ns1.magedu.com. 11 IN PTR ns1.magedu.com. 12 IN PTR mail.magedu.com. 13 IN PTR smtp.magedu.com. 11 IN PTR www.magedu.com. 12 IN PTR bbs.magedu.com. 13 IN PTR bbs.magedu.com. [root@localhost ~]# chgrp named /var/named/192.168.10.zone [root@localhost ~]# chmod o= /var/named/192.168.10.zone [root@localhost ~]# ll /var/named/192.168.10.zone -rw-r-----. 1 root named 309 Sep 2 17:05 /var/named/192.168.10.zone [root@localhost ~]# named-checkconf -z zone localhost.localdomain/IN: loaded serial 0 zone localhost/IN: loaded serial 0 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 zone 0.in-addr.arpa/IN: loaded serial 0 zone magedu.com/IN: loaded serial 2017100101 zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101
6、重新加載配置文件,並測試正向解析及反向解析是否正常
[root@localhost ~]# rndc reload server reload successful [root@localhost ~]# host ns1.magedu.com 192.168.10.11 Using domain server: Name: 192.168.10.11 Address: 192.168.10.11#53 Aliases: ns1.magedu.com has address 192.168.10.11 [root@localhost ~]# dig -t A www.magedu.com @192.168.10.11 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32622 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.magedu.com.INA ;; ANSWER SECTION: www.magedu.com.3600INA192.168.10.11 ;; AUTHORITY SECTION: magedu.com.3600INNSns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com.3600INA192.168.10.11 ;; Query time: 1 msec ;; SERVER: 192.168.10.11#53(192.168.10.11) ;; WHEN: Sat Sep 02 17:15:16 CST 2017 ;; MSG SIZE rcvd: 93 [root@localhost ~]# dig -x 192.168.10.13 @192.168.10.11 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.10.13 @192.168.10.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51557 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;13.10.168.192.in-addr.arpa.INPTR ;; ANSWER SECTION: 13.10.168.192.in-addr.arpa. 3600 INPTRsmtp.magedu.com. 13.10.168.192.in-addr.arpa. 3600 INPTRbbs.magedu.com. ;; AUTHORITY SECTION: 10.168.192.in-addr.arpa. 3600INNSns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com.3600INA192.168.10.11 ;; Query time: 1 msec ;; SERVER: 192.168.10.11#53(192.168.10.11) ;; WHEN: Sat Sep 02 17:17:45 CST 2017 ;; MSG SIZE rcvd: 136
(2)、對子域cdn.magedu.com進行子域授權,子域負責解析對應子域中的主機名;
1、編輯主DNS服務器正向區域解析庫文件/var/named/192.168.10.zone,添加子域項並同時修改版本號,重新加載配置文件
[root@localhost ~]# vim /var/named/magedu.com.zone $TTL 3600 $ORIGIN magedu.com. @ IN SOA ns1.magedu.com. dnsadmin.magedu.com. ( 2017100102 1H 10M 3D 1D ) IN NS ns1 IN MX 10 mail IN MX 20 smtp ns1 IN A 192.168.10.11 mail IN A 192.168.10.12 smtp IN A 192.168.10.13 www IN A 192.168.10.11 web IN CNAME www bbs IN A 192.168.10.12 bbs IN A 192.168.10.13 cdn IN NS ns1.cdn ns1.cdn IN A 192.168.10.13 [root@localhost ~]# systemctl reload named.service
2、子域DNS服務器安裝bind程序包,並修改主配置文件/etc/named.conf全局選項如下:
[root@localhost ~]# yum install -y bind
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };3、檢查配置文件、啓動服務,並查看53端口監聽狀態
[root@localhost ~]# named-checkconf [root@localhost ~]# systemctl start named.service [root@localhost ~]# ss -tunl | grep :53 udp UNCONN 0 0 192.168.10.13:53 *:* udp UNCONN 0 0 127.0.0.1:53 *:* tcp LISTEN 0 10 127.0.0.1:53 *:* tcp LISTEN 0 5 192.168.122.1:53 *:*
4、在主配置文件輔助配置文件/etc/named.rfc1912.zones中定義子域cdn.magedu.com及父域轉發magedu.com
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
zone "magedu.com" IN {
type forward;
forward only;
forwarders { 192.168.10.11; };
};5、編輯子域解析庫文件/var/named/cdn.maedu.com.zone、修改屬組及權限,並檢查配置文件
[root@localhost ~]# vim /var/named/cdn.magedu.com.zone $TTL 3600 $ORIGIN cdn.magedu.com. @ IN SOA ns1.cdn.magedu.com. dnsadmin.magedu.com. ( 2017100101 1H 10M 3D 1D ) IN NS ns1 ns1 IN A 192.168.10.13 www IN A 192.168.10.14 forum IN A 192.168.10.15 [root@localhost ~]# chgrp named /var/named/cdn.magedu.com.zone [root@localhost ~]# chmod o= /var/named/cdn.magedu.com.zone [root@localhost ~]# ll /var/named/cdn.magedu.com.zone -rw-r-----. 1 root named 204 Sep 2 17:50 /var/named/cdn.magedu.com.zone [root@localhost ~]# named-checkconf -z zone localhost.localdomain/IN: loaded serial 0 zone localhost/IN: loaded serial 0 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 zone 0.in-addr.arpa/IN: loaded serial 0 zone cdn.magedu.com/IN: loaded serial 2017100101
6、重新加載配置文件,並測試父域解析及子域解析是否正常
[root@localhost ~]# systemctl reload named.service
父域主DNS服務器解析子域測試結果:
[root@localhost ~]# dig -t A forum.cdn.magedu.com @192.168.10.11 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A forum.cdn.magedu.com @192.168.10.11 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3305 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;forum.cdn.magedu.com.INA ;; ANSWER SECTION: forum.cdn.magedu.com.3544INA192.168.10.15 ;; AUTHORITY SECTION: cdn.magedu.com.3544INNSns1.cdn.magedu.com. ;; ADDITIONAL SECTION: ns1.cdn.magedu.com.3544INA192.168.10.13 ;; Query time: 0 msec ;; SERVER: 192.168.10.11#53(192.168.10.11) ;; WHEN: Sat Sep 02 19:34:10 CST 2017 ;; MSG SIZE rcvd: 99
子域DNS服務器解析子域及父域測試結果:
[root@localhost ~]# dig -t A www.cdn.magedu.com @192.168.10.13 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.cdn.magedu.com @192.168.10.13 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26686 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.cdn.magedu.com.INA ;; ANSWER SECTION: www.cdn.magedu.com.3600INA192.168.10.14 ;; AUTHORITY SECTION: cdn.magedu.com.3600INNSns1.cdn.magedu.com. ;; ADDITIONAL SECTION: ns1.cdn.magedu.com.3600INA192.168.10.13 ;; Query time: 3 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) ;; WHEN: Sat Sep 02 19:30:50 CST 2017 ;; MSG SIZE rcvd: 97 [root@localhost ~]# dig -t A www.magedu.com @192.168.10.13 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.13 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35531 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.magedu.com.INA ;; ANSWER SECTION: www.magedu.com.3448INA192.168.10.11 ;; AUTHORITY SECTION: magedu.com.3448INNSns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com.3448INA192.168.10.11 ;; Query time: 1 msec ;; SERVER: 192.168.10.13#53(192.168.10.13) ;; WHEN: Sat Sep 02 19:30:55 CST 2017 ;; MSG SIZE rcvd: 93
(3)、爲了保證DNS服務系統的高可用性,請設計一套方案,並寫出詳細的實施過程
一般通過主從DNS服務器複製來確保DNS服務系統的高可用性,同時通過相關訪問控制指令確保安全,實現過程如下:
1、編輯主DNS服務器主配置文件輔助配置文件/etc/named.rfc1912.zones,正向域magedu.com添加allow-transfer {};字段,確保只有授權從DNS服務器複製
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
allow-transfer { 192.168.10.12; };
};2、編輯主DNS服務器正向區域解析庫文件/var/named/magedu.com.zone,添加從DNS服務器資源記錄及A記錄,並同時修改版本號
[root@localhost ~]# vim /var/named/magedu.com.zone $TTL 3600 $ORIGIN magedu.com. @ IN SOA ns1.magedu.com. dnsadmin.magedu.com. ( 2017100104 1H 10M 3D 1D ) IN NS ns1 IN MX 10 mail IN MX 20 smtp ns1 IN A 192.168.10.11 mail IN A 192.168.10.12 smtp IN A 192.168.10.13 www IN A 192.168.10.11 web IN CNAME www bbs IN A 192.168.10.12 bbs IN A 192.168.10.13 cdn IN NS ns1.cdn ns1.cdn IN A 192.168.10.13 IN NS slave slave IN A 192.168.10.12
3、檢查並重新加載配置文件
[root@localhost ~]# named-checkconf -z zone localhost.localdomain/IN: loaded serial 0 zone localhost/IN: loaded serial 0 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 zone 0.in-addr.arpa/IN: loaded serial 0 zone magedu.com/IN: loaded serial 2017100104 zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101 [root@localhost ~]# rndc reload server reload successful
4、從DNS服務器安裝bind程序包,並修改主配置文件/etc/named.conf全局選項如下:
[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };5、檢查配置文件、啓動服務,並查看53端口監聽狀態
[root@localhost ~]# named-checkconf [root@localhost ~]# systemctl start named.service [root@localhost ~]# ss -tunl | grep :53 udp UNCONN 0 0 192.168.10.12:53 *:* udp UNCONN 0 0 127.0.0.1:53 *:* tcp LISTEN 0 10 192.168.10.12:53 *:* tcp LISTEN 0 10 127.0.0.1:53 *:*
6、編輯從DNS服務器正向區域解析庫文件/var/named/magedu.com.zone,添加如下字段
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type slave;
file "slaves/magedu.com.zone";
masters { 192.168.10.11; };
};7、檢查並重新加載配置文件
[root@localhost ~]# named-checkconf -z zone localhost.localdomain/IN: loaded serial 0 zone localhost/IN: loaded serial 0 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 zone 0.in-addr.arpa/IN: loaded serial 0 [root@localhost ~]# rndc reload server reload successful
8、使用dig -t axfr模擬完全區域傳送是否有效,同時查看區域解析庫文件是否已經傳送到從DNS服務器上
[root@localhost ~]# dig -t axfr magedu.com @192.168.10.11 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr magedu.com @192.168.10.11 ;; global options: +cmd magedu.com.3600INSOAns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400 magedu.com.3600INNSns1.magedu.com. magedu.com.3600INMX10 mail.magedu.com. magedu.com.3600INMX20 smtp.magedu.com. bbs.magedu.com.3600INA192.168.10.12 bbs.magedu.com.3600INA192.168.10.13 cdn.magedu.com.3600INNSns1.cdn.magedu.com. ns1.cdn.magedu.com.3600INA192.168.10.13 ns1.cdn.magedu.com.3600INNSslave.magedu.com. mail.magedu.com.3600INA192.168.10.12 ns1.magedu.com.3600INA192.168.10.11 slave.magedu.com.3600INA192.168.10.12 smtp.magedu.com.3600INA192.168.10.13 web.magedu.com.3600INCNAMEwww.magedu.com. www.magedu.com.3600INA192.168.10.11 magedu.com.3600INSOAns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400 ;; Query time: 0 msec ;; SERVER: 192.168.10.11#53(192.168.10.11) ;; WHEN: Sat Sep 02 20:14:14 CST 2017 ;; XFR size: 16 records (messages 1, bytes 365) [root@localhost ~]# ls /var/named/slaves/ magedu.com.zone
9、查看named服務狀態主從複製結果,並測試解析結果是否正常
[root@localhost ~]# systemctl status named.service ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled) Active: active (running) since Sat 2017-09-02 20:05:14 CST; 10min ago Process: 13105 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 13102 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 13108 (named) CGroup: /system.slice/named.service └─13108 /usr/sbin/named -u named Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: B.E.F.IP6.ARPA Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA Sep 02 20:11:53 localhost.localdomain named[13108]: reloading configuration succeeded Sep 02 20:11:53 localhost.localdomain named[13108]: reloading zones succeeded Sep 02 20:11:53 localhost.localdomain named[13108]: all zones loaded Sep 02 20:11:53 localhost.localdomain named[13108]: running Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: Transfer started. Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: connected using 192.168.10.12#56008 Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: transferred serial 2017100104 Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: Transfer completed: 1 messag...s/sec) Hint: Some lines were ellipsized, use -l to show in full. [root@localhost ~]# dig -t A mail.magedu.com @192.168.10.12 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A mail.magedu.com @192.168.10.12 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41990 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mail.magedu.com.INA ;; ANSWER SECTION: mail.magedu.com.3600INA192.168.10.12 ;; AUTHORITY SECTION: magedu.com.3600INNSns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com.3600INA192.168.10.11 ;; Query time: 1 msec ;; SERVER: 192.168.10.12#53(192.168.10.12) ;; WHEN: Sat Sep 02 20:20:39 CST 2017 ;; MSG SIZE rcvd: 94