Briefly describe the common encryption algorithms and how they work, with diagrams where possible
Whether hosts on the Internet talk over TCP or UDP, the data is carried in cleartext by default, so anyone on the path can read, hijack or tamper with it. Encrypting data in transit is the answer to that (strictly, encryption protects confidentiality; integrity and authenticity need a MAC or a signature on top, which is why the one-way hashes below matter too). Cryptographic primitives fall into three families: one-way hashing, symmetric encryption and asymmetric encryption. The common algorithms in each family and the principles behind them are introduced below.
Symmetric encryption: the same key is used for encryption and decryption; block ciphers split the data into fixed-size blocks and encrypt them one at a time (how the blocks are chained is the mode of operation, e.g. CBC or GCM, and it matters as much as the cipher). Security rests on the secrecy of the key, not of the algorithm (Kerckhoffs's principle). The drawback is key management: every pair of parties needs its own key, so n parties need n(n-1)/2 keys, and getting a key to the other side securely is hard. The main algorithms are:
DES, 3DES, AES, Blowfish, IDEA
DES: the Data Encryption Standard, a symmetric block cipher designed at IBM in the early 1970s and adopted as a US federal standard (FIPS 46) in 1977. Plaintext is processed in 64-bit blocks; the key is 64 bits long, of which 56 bits are used (the other 8 are parity bits). Each block goes through 16 rounds of substitution and permutation driven by subkeys derived from the 56-bit key. A 56-bit key space is brute-forceable with today's hardware, so DES is considered broken and 3DES is deprecated; AES should be used for anything new.

Initial permutation: the 64-bit input block is rearranged bit by bit and the result is split into two 32-bit halves, L0 and R0. The permutation table was a figure on the original page and is not reproduced here.

Asymmetric encryption: the key comes as a pair, a public key and a private key. Data encrypted with the public key can be decrypted only with the matching private key, and a signature produced with the private key can be verified only with the matching public key.
The private key is generated with a tool (openssl genrsa below) and kept by its owner; it must never be disclosed.
The public key is derived from the private key and can be handed out to everyone.
Main uses:
Digital signatures: let the receiver verify who sent the data and that it was not altered in transit.
Key exchange: the sender encrypts a symmetric key with the recipient's public key and sends it over; the bulk data is then encrypted symmetrically, because asymmetric operations are orders of magnitude slower.
Data encryption, in practice only of short payloads such as keys, for the same reason. The main algorithms are:
RSA, DSA (the signature algorithm defined by the DSS standard; it cannot encrypt), and elliptic-curve variants such as ECDSA
RSA: the first algorithm usable for both data encryption and digital signatures; it is easy to understand and implement and remains in wide use. It is named after its inventors, Rivest, Shamir and Adleman. RSA encryption raises the plaintext to the E-th power and takes the remainder after division by N, which can be written as a single formula:
ciphertext = plaintext^E mod N
Anyone who knows E and N can encrypt, so E and N are the encryption key: the pair (E, N) is the public key, written
Public key = (E, N)
RSA decryption can likewise be written as a formula:
plaintext = ciphertext^D mod N
Raising the ciphertext to the D-th power and taking the remainder modulo N gives back the plaintext; that is RSA decryption. Whoever knows D and N can decrypt, so the pair (D, N) is the private key:
Private key = (D, N)
Generating a key pair means finding E, D and N (with L as an intermediate value), where:
N = p * q, with p and q prime
L = lcm(p-1, q-1), the least common multiple of p-1 and q-1 (Carmichael's λ(N); the original RSA paper uses φ(N) = (p-1)(q-1) instead, and either works)
1 < E < L and gcd(E, L) = 1, i.e. E and L are coprime
1 < D < L and E * D mod L = 1, i.e. D is the inverse of E modulo L
Finding N
Take two very small primes: p = 17, q = 19
N = p * q = 323
Finding L
L = lcm(p-1, q-1) = lcm(16, 18) = 144 (144 is the least common multiple of 16 and 18)
Finding E
E must satisfy two conditions: 1 < E < L and gcd(E, L) = 1
i.e. 1 < E < 144 and gcd(E, 144) = 1
E must be coprime with 144; 5 clearly satisfies both conditions (any such value will do; real-world RSA uses E = 65537, the "e is 65537 (0x10001)" that openssl prints below)
so E = 5
The public key is then (E, N) = (5, 323)
Finding D
D must also satisfy two conditions: 1 < D < L and E * D mod L = 1
i.e. 1 < D < 144 and 5 * D mod 144 = 1
D = 29 satisfies both (in general D is computed with the extended Euclidean algorithm rather than found by inspection):
1 < 29 < 144
5 * 29 mod 144 = 145 mod 144 = 1
The private key is then (D, N) = (29, 323)
With these keys a plaintext of 123 encrypts to 123^5 mod 323 = 225, and decrypting gives 225^29 mod 323 = 123 back. Note that this "textbook" RSA is deterministic (the same plaintext always yields the same ciphertext) and only handles values below N; real implementations use a modulus of at least 2048 bits and randomised padding (OAEP for encryption, PSS for signatures).
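The key generation and the encrypt/decrypt formulas above, carried out in Python with the page's p, q and E. This is an added example, not code from the original page. It finds D with the extended Euclidean algorithm instead of by inspection, and adds one thing the worked numbers make easy to see: with N this small, anyone can factor N from the public key alone and recover D, which is why real RSA moduli are 2048 bits or more.

```python
# Added example (not from the original page): textbook RSA with the page's
# toy parameters p=17, q=19, E=5, using the text's symbols:
# N = p*q, L = lcm(p-1, q-1), public key (E, N), private key (D, N).
# Teaching model only: no padding, tiny modulus, deterministic output.
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def modinv(e, l):
    """Extended Euclid: return D with E*D mod L == 1 (the step the text
    settles by inspection, 'obviously D = 29')."""
    old_r, r = e, l
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("E and L are not coprime, no inverse exists")
    return old_s % l


def keygen(p, q, e):
    """Return ((E, N), (D, N)) for primes p, q and public exponent e."""
    n = p * q
    l = lcm(p - 1, q - 1)
    if not 1 < e < l or gcd(e, l) != 1:
        raise ValueError("need 1 < E < L and gcd(E, L) == 1")
    return (e, n), (modinv(e, l), n)


def encrypt(m, pub):
    """ciphertext = m^E mod N; m must be below N or it cannot be recovered."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < N")
    return pow(m, e, n)


def decrypt(c, priv):
    """plaintext = c^D mod N."""
    d, n = priv
    return pow(c, d, n)


def recover_private_key(pub):
    """Why a small N is worthless: factor N by trial division and rebuild D.
    For a real 2048-bit modulus this step is what RSA's security rests on."""
    e, n = pub
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return keygen(p, n // p, e)[1]
    raise ValueError("N is prime, not an RSA modulus")


if __name__ == "__main__":
    pub, priv = keygen(17, 19, 5)
    c = encrypt(123, pub)
    print("public", pub, "private", priv, "123 ->", c, "->", decrypt(c, priv))
    print("private key recovered from the public key alone:", recover_private_key(pub))
```

Running it prints the page's keys, (5, 323) and (29, 323), the ciphertext 225 for plaintext 123, and then the private key obtained by factoring 323.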
One-way hashing (often called "one-way encryption", although no key is involved and nothing can be decrypted): it extracts a fingerprint, or digest, of the data and is used to verify integrity by comparing digests.
Its properties:
Fixed-length output: whatever the size of the input, the digest has the same length.
Avalanche effect: any change to the input, even a single bit, changes the digest beyond recognition.
The main algorithms are:
MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
MD5: Message-Digest Algorithm 5, a hash function that was for years the default choice in computer security for protecting message integrity.
MD5 has the following characteristics:
1. Compression: the digest has the same fixed length (128 bits) for input of any length.
2. Easy to compute: deriving the digest from the data is cheap.
3. Resistance to modification: any change to the original data, even a single byte, produces a completely different digest.
4. Collision resistance: it should be infeasible to find two different inputs with the same digest, and, given one input, to find another with the same digest (second-preimage resistance). MD5 no longer delivers the former: practical collisions have been known since 2004 and chosen-prefix collisions have been used to forge certificates; SHA-1 is broken the same way (SHAttered, 2017). Neither should be used for signatures, certificates, or anywhere an attacker can choose the input; use SHA-256 or stronger. Both remain usable only as checksums against accidental corruption.
The MD5 processing diagram was a figure on the original page and is not reproduced here.

The detailed computation steps are described at:
https://baike.baidu.com/item/MD5?fr=aladdin
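The properties listed above (fixed-length output, avalanche effect, integrity checking) in runnable form. This is an added example, not code from the original page; the message and key in it are constructed. It also adds the piece the text leaves out: a bare digest only detects accidental corruption, because whoever changes the data can recompute it, so an integrity check against an attacker needs a keyed HMAC, compared in constant time.

```python
# Added example (not from the original page): hash properties with hashlib,
# plus a keyed HMAC for integrity checks that an attacker cannot recompute.
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data; the 'data fingerprint' the text talks about."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_sizes(data: bytes) -> dict:
    """Digest length in bytes per algorithm; independent of len(data)."""
    return {name: hashlib.new(name, data).digest_size for name in ALGORITHMS}


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(data: bytes, algorithm: str = "sha256") -> int:
    """Flip the lowest bit of the first input byte and count changed output bits.
    For a good hash this is close to half the digest length (about 128 of 256)."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    before = hashlib.new(algorithm, data).digest()
    after = hashlib.new(algorithm, bytes(flipped)).digest()
    return hamming_distance(before, after)


def integrity_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; only holders of the key can produce it,
    unlike a plain digest, which anyone who edits the message can recompute."""
    return hmac.new(key, message, "sha256").digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: '==' would leak how many leading bytes match."""
    return hmac.compare_digest(integrity_tag(key, message), tag)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"   # constructed sample message
    key = b"lab-shared-secret"             # constructed sample key
    print(digest_sizes(msg))
    print("bits changed by a 1-bit input flip:", avalanche_bits(msg))
    tag = integrity_tag(key, msg)
    print("genuine:", verify_tag(key, msg, tag),
          "tampered:", verify_tag(key, msg.replace(b"42", b"43"), tag))
```

digest_sizes gives 16/20/32/64 bytes whether the input is empty or a megabyte, avalanche_bits lands near 128 for SHA-256, and the tampered message fails verification even though its plain SHA-256 digest is just as easy to compute as the original's.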
Set up Apache or Nginx with a self-signed certificate so the site can be reached over HTTPS; choose the certificate's domain name yourself
In a lab, a private CA and the certificate it signs for apache or nginx can be produced with the openssl command line. The steps are:
Build the private CA:
- Generate the CA private key
- Generate the CA's self-signed certificate
- Provide the directories and files the CA needs
1. Generate the CA private key
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...................++
....................................................................................................................................................++
e is 65537 (0x10001)
#The parentheses run the commands in a subshell, so the umask change does not leak into the current shell; umask 077 makes the key file readable by root only. This key is the root of trust for everything signed below, so keep it on the CA host and nowhere else.
-----------------separator-----------------
[root@localhost ~]# cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
...(key material omitted; a private key should never be pasted into a document)...
-----END RSA PRIVATE KEY-----
2. Generate the self-signed CA certificate
When a certificate is made from the private key, openssl derives the public key from it and embeds that public key in the certificate; the private key itself is used only to sign the certificate (self-signing, because a root CA has nobody above it). Command format:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
-new: create a new certificate signing request
-x509: output a self-signed certificate instead of a request (used when creating a private CA)
-key: path to the private key the request is made with
-out: output path; with -x509 this is the signed certificate itself
-days: validity period of the certificate, in days
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #two-letter country code
State or Province Name (full name) []:guangxi #province, full name
Locality Name (eg, city) [Default City]:nanning #city
Organization Name (eg, company) [Default Company Ltd]:maedu #company or organisation
Organizational Unit Name (eg, section) []:ops #department
Common Name (eg, your name or your server's hostname) []:www.maedu.com #for a CA this is a name for the CA itself; for a server certificate it is the hostname clients will connect to
Email Address []:abd@maedu.com #contact e-mail address
-----------------separator-----------------
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl newcerts private
3. Provide the directories and files the CA needs
Under /etc/pki/CA/ there must be three directories, certs, crl and newcerts (they may already exist), and two files, serial (the next serial number to issue) and index.txt (the CA's database of issued certificates):
[root@localhost ~]# mkdir -v /etc/pki/CA/{certs,newcerts,crl}
mkdir: cannot create directory ‘/etc/pki/CA/certs’: File exists
mkdir: cannot create directory ‘/etc/pki/CA/newcerts’: File exists
mkdir: cannot create directory ‘/etc/pki/CA/crl’: File exists
-----------------separator-----------------
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl index.txt newcerts private serial
[root@localhost ~]# echo 01 > /etc/pki/CA/serial #serial number for the first certificate
Requesting a certificate from the CA:
- Install apache or nginx (if the lab does not already have it)
- Generate a private key on the host that will use the certificate
- Generate a certificate signing request (CSR)
- Send the request to the CA host
- Sign the certificate on the CA host
- Send the certificate back to the requesting host
1. Install apache or nginx (if the lab does not already have it)
[root@localhost ~]# yum -y install httpd
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: mirrors.aliyun.com
* updates: centos.ustc.edu.cn
Package httpd-2.4.6-67.el7.centos.6.x86_64 already installed and latest version
Nothing to do
2. Generate a private key on the host that will use the certificate
Create a directory for the key and generate it:
[root@localhost ~]# mkdir -v /etc/httpd/ssl
mkdir: cannot create directory ‘/etc/httpd/ssl’: File exists
[root@localhost ~]# cd /etc/httpd/ssl/
[root@localhost ssl]#
-----------------separator-----------------
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.....+++
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
#the key is created in the current directory; it stays on this host and is never sent to the CA
3. Generate the certificate signing request
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
#-days does nothing for a CSR (it only applies together with -x509); the validity period is set by the CA when it signs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangxi
Locality Name (eg, city) [Default City]:nanning
Organization Name (eg, company) [Default Company Ltd]:maedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.maedu.com
Email Address []:adc@maedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#因?yàn)槭亲越–A,所以填寫的信息,國(guó)家,地區(qū),公司這些信息最好保持一致
-----------------分割線-----------------
[root@localhost ssl]# ls
httpd.csr httpd.key
4. Send the request to the CA host
The CSR can go over scp or any other file-transfer tool. It contains only the public key and the requested subject, nothing secret, so sending it over the network is fine; what must never travel is httpd.key. What the CA must do is confirm that the request really came from the server's owner, e.g. by comparing the request's contents or fingerprint out of band (openssl req -noout -text -in httpd.csr) before signing it.
[root@localhost ssl]# scp httpd.csr root@192.168.109.129:/tmp/
The authenticity of host '192.168.109.129 (192.168.109.129)' can't be established.
ECDSA key fingerprint is SHA256:Yrud4cR2ciZ9YozYfnmrDIF7Gw2Z5QQYdvijKEd6ol4.
ECDSA key fingerprint is MD5:f0:c1:27:00:b9:89:9e:67:1f:65:79:7a:d4:91:cd:63.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.109.129' (ECDSA) to the list of known hosts.
root@192.168.109.129's password: #enter the root password
httpd.csr 100% 1045 450.3KB/s 00:00
5. Sign the certificate on the CA host
[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
#openssl ca takes its settings from /etc/pki/tls/openssl.cnf. The certificate issued this way carries no subjectAltName, and current browsers (Chrome since version 58) match the hostname against the SAN only, never the CN; to get one they accept, put subjectAltName = DNS:www.maedu.com in an extension file and pass it with -extfile when signing
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 6 11:08:31 2018 GMT
Not After : Apr 6 11:08:31 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = guangxi
organizationName = maedu
organizationalUnitName = ops
commonName = www.maedu.com
emailAddress = adc@maedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:36:D6:04:3A:7F:C6:F5:EC:CD:1D:C7:79:84:D3:BF:0D:D4:9F:6F
X509v3 Authority Key Identifier:
keyid:9E:8B:94:0E:BA:C9:37:DC:3F:65:3D:49:B6:BE:68:88:22:8E:4E:78
Certificate is to be certified until Apr 6 11:08:31 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-----------------separator-----------------
[root@localhost ~]# cat /etc/pki/CA/index.txt
V 190406110831Z 01 unknown /C=CN/ST=guangxi/O=maedu/OU=ops/CN=www.maedu.com/emailAddress=adc@maedu.com
# an entry like this (V = valid, expiry time, serial 01, subject) means the certificate was issued
6. Send the certificate to the host that requested it
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.109.135:/etc/httpd/ssl/
The authenticity of host '192.168.109.135 (192.168.109.135)' can't be established.
ECDSA key fingerprint is SHA256:yeVsgGHQc5FmnbvOBAG4AH6NS0lCS9ahCB1uA4+UVfw.
ECDSA key fingerprint is MD5:c9:39:9d:51:c6:72:23:9b:e6:64:c9:85:0f:fb:05:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.109.135' (ECDSA) to the list of known hosts.
root@192.168.109.135's password:
httpd.crt 100% 5844 4.4MB/s 00:00
-----------------separator-----------------
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
#file listing on the requesting host: the key, the request and the issued certificate
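The steps above end with the certificate on the web server but never enable HTTPS in httpd, which is what the exercise asks for. The virtual host below is an added example, not configuration from the original page; it assumes mod_ssl is installed (yum -y install mod_ssl, which also creates /etc/httpd/conf.d/ssl.conf) and that the key and certificate are where the steps put them.

```apache
# /etc/httpd/conf.d/ssl.conf (edit the stock file or replace its VirtualHost with this)
Listen 443 https

<VirtualHost *:443>
    ServerName www.maedu.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    # The key file should be mode 600 (the umask 077 above did that) and
    # the CA's cakey.pem must never be copied to this host.

    # Reject SSLv3 and TLS 1.0/1.1, and keep only strong ciphers
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
```

Check the syntax with httpd -t, then systemctl restart httpd. Clients must trust the CA, not the server certificate: copy /etc/pki/CA/cacert.pem (never cakey.pem) to the client and test with openssl s_client -connect 192.168.109.135:443 -servername www.maedu.com -CAfile cacert.pem, which should end with "Verify return code: 0 (ok)". A browser additionally needs the CA imported into its trust store and, because the certificate issued in step 5 has no subjectAltName, will still warn about the hostname until the certificate is reissued with one.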
Briefly describe how a DNS server works, and set up a master and a slave server
DNS (Domain Name System) is an application-layer protocol for name resolution. Hosts on the Internet communicate by IP address, but thousands of numeric addresses are hard for people to remember, so DNS maps names to addresses: a host can reach www.maedu.com by name instead of typing the corresponding IP. The name space is a hierarchy:
- The root and the top-level domains (TLDs) under it: .com .cn .net .org .gov .edu and so on. The root zone, which delegates to the TLDs, is served by the 13 root-server identities (each an anycast cluster of many machines); each TLD is operated by its own registry.
- Second-level domains: baidu.com, maedu.com, ...
- Third-level names: bbs.maedu.com and so on, hostnames defined inside a second-level domain
A client (stub resolver) sends its DNS server a recursive query, asking for the final answer; the server then works down the hierarchy with iterative queries (root, then TLD, then the zone's authoritative server). By direction, resolution is:
Forward resolution: look up the IP address for a name.
Reverse resolution: look up the name for a known IP address.
By role, DNS servers are:
Master name server: holds and serves the authoritative data for at least one zone
Slave name server: copies the zone data from the master; it answers queries, but the data cannot be edited on it
Caching name server: authoritative for nothing; it resolves on behalf of clients and caches the answers
Notes on DNS configuration files and test tools:
Zone database files:
Resource records (RR):
Common RR types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: start of authority; a zone file has exactly one SOA record and it must be the first record
NS: name server; a zone can have several NS records, one per authoritative server (which one is the master is named in the SOA, not by the NS records)
A: address record, FQDN -> IPv4 (an IPv4 address is 32 bits)
AAAA: FQDN -> IPv6 address record
CNAME: canonical name, i.e. an alias
PTR: IP -> FQDN, used for reverse resolution
MX: mail exchanger (with a preference value 0-65535; the lowest number is tried first)
FQDN: fully qualified domain name
Resource record syntax:
name [TTL] IN RR_TYPE value
SOA:
name: the zone name, e.g. "magedu.com." (forward zone) or "2.3.4.in-addr.arpa." (reverse zone)
value: several parts
(1) the hostname of the zone's primary master name server
(2) the e-mail address of the zone administrator, with the @ written as a dot
(3) the timers governing master/slave synchronisation, and the negative-answer TTL
Example:
magedu.com. 86400 IN SOA ns1.magedu.com. admin.magedu.com. ( ; 86400 is this record's TTL
2017010801 ; serial: incremented whenever the master's zone data changes, so the slave knows to re-transfer
2H ; refresh: how often the slave checks the master's serial
10M ; retry: how long the slave waits before retrying a failed refresh
1W ; expire: after this long without a successful refresh the slave stops answering for the zone
1D ; negative-answer TTL: how long a resolver may cache a "no such name/record" answer
)
NS: (a zone can have several NS records)
name: the zone name
value: the name of one of the zone's DNS servers, e.g. ns1.magedu.com.
Example:
magedu.com. 86400 IN NS ns1.magedu.com.
MX: (there can be several MX records; each value is preceded by a number giving its preference)
name: the zone name
value: hostname of a mail exchanger for the zone
magedu.com. IN MX 5 mx1.magedu.com.
magedu.com. IN MX 10 mx2.magedu.com.
A (AAAA):
name: an FQDN, e.g. www.magedu.com.
value: an IPv4 address (AAAA: an IPv6 address)
www.magedu.com. IN A 192.168.2.1
PTR:
name: the IP address in its reverse form, octets reversed with the suffix in-addr.arpa.
value: FQDN (full hostname)
1.2.168.192.in-addr.arpa. IN PTR www.magedu.com.
CNAME:
name: the alias, as an FQDN
value: the canonical name, as an FQDN
bbs.magedu.com. IN CNAME www.magedu.com.
Notes on the format above:
- The TTL may be omitted and inherited from the zone-wide $TTL
- @ stands for the current zone name
- When consecutive records have the same name, the later ones may omit it
- In a forward zone the value of an NS or MX record is an FQDN, and that FQDN must itself have an A (or AAAA) record in the zone
DNS is a protocol; the program that implements it on the server is BIND, whose running process is called named. BIND's main configuration files:
Main configuration file: /etc/named.conf
Layout of the main configuration file:
global options:
options { ... }
logging:
logging { ... }
zone definitions:
zone { ... }
[root@localhost ~]# vim /etc/named.conf
//
// named.conf
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; }; #local addresses to listen on (which hosts may query is allow-query, below)
listen-on-v6 port 53 { ::1; };#each statement ends with a semicolon, elements inside braces too
directory "/var/named";#directory holding the zone files
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; }; #hosts allowed to send queries
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;#resolve on behalf of clients (the caching-resolver role); set to no on an authoritative-only server
dnssec-enable yes; #DNSSEC; the lab below switches it off. On a resolver, dnssec-validation is what protects clients from forged answers, so disable it only on an authoritative-only server, where it has no effect
dnssec-validation yes;#same
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;#zone type: master | slave | hint (root hints) | forward
file "named.ca";#zone file, relative to 'directory'. The zone name is the quoted string after 'zone': for a forward zone the domain itself (maedu.com), for a reverse zone the reversed network prefix plus .in-addr.arpa (1.168.192.in-addr.arpa)
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#Note: every statement, including each element inside braces, ends with a semicolon, or named-checkconf reports a syntax error
Zone files: /var/named/ZONE_NAME.zone (whatever name the zone's 'file' statement gives)
[root@localhost ~]# ls /var/named/
data/ named.ca named.localhost slaves/
dynamic/ named.empty named.loopback
----------------separator----------------
[root@localhost ~]# vim /var/named/named.ca
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE rcvd: 811
With the configuration format covered, and before configuring the service, the test tools and the syntax-check commands:
Checking configuration syntax:
named-checkconf [/etc/named.conf] (path to the main configuration file; with no argument it checks /etc/named.conf)
named-checkzone ZONE_NAME ZONE_FILE checks a zone file's syntax and content
[root@localhost ~]# named-checkconf /etc/named.conf
[root@localhost ~]#
#no output means no errors
Test tools: the usual ones are dig, host and nslookup; dig is covered here, the other two are less capable and are not detailed.
dig: queries the DNS system directly, so it never consults /etc/hosts.
dig [-t RR_TYPE] name [@SERVER] [query options]
Query options:
+[no]trace: trace the delegation path from the root
+[no]recurse: request recursion (on by default)
Reverse lookup:
dig -x IP
Simulate a full zone transfer (also how an attacker enumerates every name in a zone when allow-transfer is left open):
dig -t axfr DOMAIN [@server]
[root@localhost ~]# dig -t A www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8176
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 183.232.231.173
www.a.shifen.com. 5 IN A 183.232.231.172
;; Query time: 4 msec
;; SERVER: 192.168.109.2#53(192.168.109.2)
;; WHEN: Sat Apr 07 18:31:07 CST 2018
;; MSG SIZE rcvd: 90
Setting up master and slave servers
A single DNS server is a single point of failure, so a master/slave pair is the minimum for a zone that has to stay available.
Master DNS server: maintains the zone database it is authoritative for; the data is edited here
Slave DNS server: copies the zone database from the master (or from another slave); it answers queries, but the data cannot be edited on it
1. Configure the master server:
Edit /etc/named.conf
[root@localhost slaves]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; }; #listen on every address instead of loopback only
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #accept queries from any host (fine for an authoritative server; a resolver should restrict this to its own networks)
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #authoritative only, so recursion off (an open recursive server gets abused for amplification attacks)
dnssec-enable no; #disabled for the lab
dnssec-validation no; #same; validation only matters on a resolver
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the zones to /etc/named.rfc1912.zones
[root@localhost ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" { #添加正向解析域,
type master; #zone的類型是主服務(wù)器類型
file "magedu.com"; #文件名稱,這個(gè)名聲要和/var/named/目錄下的文件名一致
allow-query { any; }; #允許查詢的主機(jī)
allow-transfer { slaves; }; #只允許向從服務(wù)器區(qū)域傳送
allow-update { none; }; #不允許動(dòng)態(tài)更新區(qū)域數(shù)據(jù)庫(kù)文件中內(nèi)容
};
zone "1.168.192.in-addr.arpa" IN { #添加反向解析域
type master;
file "192.168.1.zone";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
view external { #a view; it belongs to the smart-DNS section later on. named refuses a configuration that mixes a view with zones outside any view ("when using 'view' statements, all zones must be in views"), so do not add it until every zone has been moved into a view
match-clients { slaves; };
zone "magedu.com" IN {
type master;
file "magedu.com.external";
allow-update { none; };
};
};
Create the file magedu.com under /var/named with the following content (comments in a zone file start with ';', not '#'):
$TTL 3600 ; default TTL for records that set none (the negative-answer TTL is the last SOA field, not this)
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
2018040806 ; serial, bump it on every edit or the slave never re-transfers
1H ; refresh
10M ; retry after a failed refresh
5D ; expire
500 ) ; negative-answer TTL
IN NS ns1.magedu.com. ; every NS target needs an A record
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 192.168.1.105
web IN CNAME www
# @ stands for the current zone name; consecutive records with the same name may omit it.
With the master's files written, check them for errors:
[root@localhost slaves]# named-checkconf /etc/named.conf
[root@localhost slaves]# named-checkzone magedu.com /var/named/magedu.com
zone magedu.com/IN: magedu.com/MX 'mail.magedu.com' has no address records (A or AAAA)
zone magedu.com/IN: loaded serial 2018040703
OK
The warning and the serial 2018040703 in that output come from an earlier revision of the file (one with an MX pointing at mail.magedu.com and a lower serial); an NS or MX target without an A record is a real defect, so fix the zone rather than ignore the warning. Then give the file to the named user, restrict its permissions and reload the service.
[root@localhost ~]# chown named:named /var/named/magedu.com
[root@localhost ~]# chmod o= /var/named/magedu.com
[root@localhost ~]# ll /var/named/magedu.com
-rw-r-----. 1 named named 238 Apr 7 20:17 /var/named/magedu.com
[root@localhost ~]# rndc reload #or restart with systemctl restart named
server reload successful
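The checks behind the resource-record rules above (exactly one SOA, first in the file; every NS and MX target needs an address record, which is what named-checkzone warned about for 'mail.magedu.com'), written as a small lint in Python. This is an added example, not BIND's code and not from the original page; the sample zone is constructed after /var/named/magedu.com with the MX deliberately pointed at a name that has no A record, and the parser covers only the master-file subset used on this page.

```python
# Added example (not BIND code, not from the original page): a lint for the
# master-file subset used on this page: $TTL, $ORIGIN, '@', an omitted owner
# name (inherits the previous owner), '(' ... ')' continuation in the SOA,
# ';' comments and relative names. Reproduces the named-checkzone check
# "NS/MX target has no address records".

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN magedu.com.
@       IN SOA ns1.magedu.com. admin.magedu.com. (
        2018040806 ; serial
        1H         ; refresh
        10M        ; retry
        5D         ; expire
        500 )      ; negative-answer TTL
        IN NS  ns1.magedu.com.
        IN MX  10 mail.magedu.com.    ; constructed defect: no A record for mail
ns1     IN A   192.168.1.105
mx1     IN A   192.168.1.105
www     IN A   192.168.1.105
web     IN CNAME www
"""


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def _logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses")
    return out


def parse_zone(text, origin):
    """Return (origin, default_ttl, records); records are (owner, type, rdata)
    with owner and in-zone targets expanded to FQDNs."""
    records, default_ttl, owner = [], None, None
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = line.split()[1]
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():            # owner present, else inherited
            owner = _fqdn(tokens.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without owner: {line!r}")
        if tokens and tokens[0].isdigit():   # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [_fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], _fqdn(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [_fqdn(rdata[0], origin), _fqdn(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return origin, default_ttl, records


def lint_zone(text, origin):
    """Return a list of problems; empty means the zone passes these checks."""
    origin, _, records = parse_zone(text, origin)
    problems = []
    if sum(1 for r in records if r[1] == "SOA") != 1 or not records or records[0][1] != "SOA":
        problems.append("zone needs exactly one SOA record and it must come first")
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    owners = {o for o, _, _ in records}
    for owner, rtype, rdata in records:
        target = rdata[0] if rtype == "NS" else rdata[1] if rtype == "MX" else None
        if target and _in_zone(target, origin) and target not in has_address:
            problems.append(f"{owner}/{rtype} '{target}' has no address records (A or AAAA)")
        if rtype == "CNAME" and _in_zone(rdata[0], origin) and rdata[0] not in owners:
            problems.append(f"{owner}/CNAME points at '{rdata[0]}', which is not in the zone")
    return problems


def zone_serial(text, origin):
    """The SOA serial; the slave only re-transfers when this number grows."""
    _, _, records = parse_zone(text, origin)
    return int(next(r[2][2] for r in records if r[1] == "SOA"))


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, "magedu.com."):
        print("warning:", problem)
    print("serial", zone_serial(SAMPLE_ZONE, "magedu.com."))
```

On the sample it reports the single defect, magedu.com./MX 'mail.magedu.com.' has no address records, and prints the serial 2018040806; pointing the MX at mx1 makes the report empty. It is a lint for a reader's own zone files, not a replacement for named-checkzone, which the real deployment should still run.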
2. Configure the slave server:
The slave pulls its zone data from the master, so it only needs the main configuration file plus slave zone definitions in /etc/named.rfc1912.zones
[root@localhost slaves]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; }; #listen on every address instead of loopback only
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #accept queries from any host
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no; #authoritative only, so recursion off
dnssec-enable no; #disabled for the lab
dnssec-validation no; #same
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the slave zones to /etc/named.rfc1912.zones
[root@localhost slaves]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" IN { #正向解析zone
type slave; #從服務(wù)器
file "slaves/magedu.com "; #從服務(wù)器同步文件存放地址(/var/named/slaves/magedu.com)
masters { 192.168.1.105; }; #主服務(wù)器IP地址,注意格式
};
zone "1.168.192.zone" IN { #反向解析
type slave; #從服務(wù)器
file "slaves/1.168.192.zone";
masters { 192.168.1.105; }; #主服務(wù)器IP地址,注意格式是masters,前后有空格,結(jié)尾有分號(hào).
};
Check the configuration file for syntax errors
[root@localhost slaves]# named-checkconf /etc/named.conf
[root@localhost slaves]# rndc reload #a successful reload means the configuration parsed
server reload successful
最后在主從服務(wù)器同步之前為保證實(shí)驗(yàn)正常,先主從服務(wù)器上都關(guān)掉selinux和iptables
[root@localhost slaves]# iptables -F #清空防火墻
[root@localhost slaves]# setenforce 0
[root@localhost slaves]# getenforce
Permissive
Now restart named (master first, then slave; the commands are the same, run on both servers)
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl restart named
To verify, query the slave for a name in the zone and check that it returns the address:
[root@localhost slaves]# dig -t A www.magedu.com @192.168.1.106
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.106
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62422
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 192.168.1.105
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 0 msec
;; SERVER: 192.168.1.106#53(192.168.1.106)
;; WHEN: Sun Apr 08 21:42:11 CST 2018
;; MSG SIZE rcvd: 93
#the slave answers authoritatively (flag aa), so the zone transfer worked. One gap remains: the slave zones above set no allow-transfer, so with BIND's default of any the slave hands the whole zone to anybody who runs dig -t axfr magedu.com @192.168.1.106; add allow-transfer { none; } (or the same slaves acl) to them.
Set up and implement split-horizon ("smart") DNS
Smart DNS returns different IP addresses for the same name depending on where the client comes from: a China Telecom user asking for a site gets its Telecom address, a China Unicom user gets the Unicom one, so each reaches the nearest server. It is built from two BIND features, acl (address lists) and view, introduced below and then demonstrated.
acl syntax:
acl acl_name {
ip_address;
network/prefix_length;
};
Example:
acl mynet {
192.168.0.0/24;
127.0.0.0/8;
};
#a whole network can go into one acl, e.g. one acl for Telecom addresses and one for Unicom; each view then matches one of them and serves different data.
BIND has four built-in acls:
none: no host
any: any host
localhost: the server's own addresses
localnets: the networks the server's own interfaces are on
Access-control statements:
allow-query {}; hosts allowed to query
allow-transfer {}; hosts allowed to request a zone transfer; the default is any host, which lets anyone download the whole zone, so restrict it to the slaves
allow-recursion {}; hosts allowed to send recursive queries to this server
allow-update {}; DDNS, hosts allowed to update the zone data dynamically; normally none in every zone
view: views
view VIEW_NAME {
match-clients { ...; };
zone ... { ... };
zone ... { ... };
};
#once a view is defined every zone must live inside some view; a zone left outside the braces is a configuration error. Views are tried in the order written and the first one whose match-clients accepts the client is used, so a client matching no view gets REFUSED unless a final catch-all view with match-clients { any; }; exists.
view internal {
match-clients { 192.168.0.0/24; }; #addresses to match; an acl name works too, e.g. match-clients { mynet; }; (each element ends with a semicolon)
zone "magedu.com" IN {
type master;
file "magedu.com/internal";
};
};
1. Edit /etc/named.conf
[root@localhost named]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl slaves { #two acls; clients from each get different treatment in the views below. acl statements must come before the includes that use them
192.168.1.106;
192.168.1.108;
127.0.0.1;
};
acl mynet {
192.168.1.105;
127.0.0.0/8; #write the prefix with the host bits zero; note that 127.0.0.1 is also in 'slaves', and the first matching view wins
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*zone "." IN {
type hint;
file "named.ca";
};
*/ #因?yàn)関iew要包含所有的zone,所以這個(gè)zone移動(dòng)到/etc/named.rfc1912.zones中
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2. Edit /etc/named.rfc1912.zones to add the views
[root@localhost ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
view internal { #the internal view
match-clients { "mynet"; }; #clients whose address is in the mynet acl
zone "." IN { #the zones served to those clients
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "magedu.com" { #內(nèi)部的mynet所支持的zone,
type master;
file "magedu.com";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
allow-query { any; };
allow-transfer { slaves; };
allow-update { none; };
};
};
view external { #the external view
match-clients { slaves; }; #only clients in the slaves acl. The same acl is used for allow-transfer on the internal zone, but a slave matching this view sees this view's copy of magedu.com, so it transfers magedu.com.external, not the internal file
zone "magedu.com" IN { #the zone as seen by slaves clients
type master;
file "magedu.com.external";
allow-update { none; };
};
};
3. Create the zone files under /var/named
The zone for the mynet acl, i.e. the data returned when the client's address is in mynet (/var/named/magedu.com):
$TTL 86440
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.magedu.com.
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 192.168.1.105
web IN CNAME www
The zone for the slaves acl, i.e. the data returned when the client's address is in slaves (/var/named/magedu.com.external):
$TTL 86440
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2018040806
1H
10M
3D
1D
)
IN NS ns1.magedu.com.
IN MX 10 mx1.magedu.com.
ns1 IN A 192.168.1.105
mx1 IN A 192.168.1.105
www IN A 2.2.2.1
web IN CNAME www
4. Check the syntax and restart the service
[root@localhost named]# named-checkconf #without an argument it checks /etc/named.conf
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl restart named
[root@localhost named]#
5. Verify the result
Querying the same server from an address in the mynet acl:
[root@localhost named]# dig -t A www.magedu.com @192.168.1.105
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31636
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 192.168.1.105
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 0 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Mon Apr 09 22:41:14 CST 2018
;; MSG SIZE rcvd: 93
#this is the answer defined in /var/named/magedu.com
Querying the same server from an address in the slaves acl:
[root@localhost ~]# dig -t A www.magedu.com @192.168.1.105
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.1.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64278
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86440 IN A 2.2.2.1 #the answer differs here
;; AUTHORITY SECTION:
magedu.com. 86440 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86440 IN A 192.168.1.105
;; Query time: 1 msec
;; SERVER: 192.168.1.105#53(192.168.1.105)
;; WHEN: Mon Apr 09 22:38:55 CST 2018
;; MSG SIZE rcvd: 93
#this is the answer defined in /var/named/magedu.com.external
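How named picks a view and evaluates an acl, modelled in Python as an added example (not BIND code and not from the original page). It uses the acl and view layout from the configuration above and shows the three things the two dig runs depend on: views are tried in configuration order and the first match wins (so 127.0.0.1, which is in both acls, lands in 'internal'), a client in no view gets nothing (named answers REFUSED), and allow-transfer { slaves; } versus BIND 9.9's default of any. The 'localnets' entry is an assumption, since BIND derives it from the server's own interfaces, and 127.0.0.1/8 from the page is written in canonical form.

```python
# Added example (not BIND code, not from the original page): a model of BIND
# address-match-list evaluation with this page's acl and view layout.
import ipaddress

BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["192.168.1.0/24"],      # assumption: the lab LAN
}

ACLS = {   # from /etc/named.conf above, 127.0.0.1/8 written canonically
    "slaves": ["192.168.1.106", "192.168.1.108", "127.0.0.1"],
    "mynet": ["192.168.1.105", "127.0.0.0/8"],
}

VIEWS = [  # (name, match-clients) in the order they appear in the config
    ("internal", ["mynet"]),
    ("external", ["slaves"]),
]

ALLOW_TRANSFER = {
    "magedu.com": ["slaves"],     # the page's setting
    "default-zone": ["any"],      # what an omitted allow-transfer means in BIND 9.9
}


def matches(client, match_list, acls=ACLS):
    """First element that matches decides. A leading '!' turns a match into a
    reject. A name refers to a user acl or a built-in; an unknown name is an
    error, which is also what named-checkconf reports for an acl used before
    it is defined. A prefix with host bits set is rejected, as BIND does."""
    ip = ipaddress.ip_address(client)
    for element in match_list:
        negate = element.startswith("!")
        element = element.lstrip("!").strip()
        if element in acls:
            hit = matches(client, acls[element], acls)
        elif element in BUILTIN_ACLS:
            hit = matches(client, BUILTIN_ACLS[element], acls)
        else:
            net = ipaddress.ip_network(element, strict=True)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def select_view(client, views=VIEWS):
    """Name of the first view whose match-clients accepts the client, else None
    (named then answers REFUSED and logs 'no matching view in class IN')."""
    for name, match_clients in views:
        if matches(client, match_clients):
            return name
    return None


def transfer_allowed(client, zone):
    """Would an AXFR of zone from this client be served?"""
    return matches(client, ALLOW_TRANSFER[zone])


if __name__ == "__main__":
    for c in ("192.168.1.105", "192.168.1.106", "127.0.0.1", "10.0.0.9"):
        print(c, "-> view", select_view(c),
              "| AXFR magedu.com allowed:", transfer_allowed(c, "magedu.com"))
```

Swapping the two views in VIEWS moves 127.0.0.1 to 'external', which is the ordering pitfall to keep in mind when an address appears in more than one acl; and any client outside both acls gets no view at all, so a production split-horizon setup normally ends with a catch-all view.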