
Linux Services and Security Management: Week 8 Assignment [Linux Micro-Career course]

Tags: encryption and decryption; CA; DNS

1. Describe in detail the process of an encrypted communication, ideally with a diagram.

A complete encrypted communication proceeds as follows:

Both parties agree in advance on a one-way hash algorithm and exchange their public keys.

Sender-side encryption

1. The sender computes a digest (feature code) of the data with the one-way hash algorithm.

2. The sender encrypts the digest with its own private key to produce a digital signature, and appends the signature to the data.

3. The sender generates a temporary symmetric key and uses it to encrypt the whole payload (data + digital signature).

4. The sender obtains the receiver's public key, encrypts the temporary symmetric key with it, and appends the result to the symmetrically encrypted data.

5. The sender transmits all of the above to the receiver.

Receiver-side decryption

1. The receiver decrypts the encrypted temporary symmetric key with its own private key and obtains the temporary symmetric key.

2. The receiver decrypts the encrypted payload (data + digital signature) with the temporary symmetric key.

3. The receiver decrypts the digital signature with the sender's public key to recover the digest; if this succeeds, the sender's identity is verified.

4. The receiver computes the digest of the data with the same one-way hash algorithm and compares it with the decrypted digest, verifying the integrity of the data.
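The exchange described above, carried out end to end with the openssl CLI, as an added example that is not part of the original post. The two key pairs and the message are constructed here, and the parties are assumed to have exchanged public keys beforehand; the tampering check at the end shows the integrity step failing as it should.

```shell
#!/bin/sh
# Added example (not the post's own commands): sign-then-encrypt with openssl.
# Keys, message and file names are constructed; both parties are assumed to
# already hold each other's public key (sender.pub / receiver.pub).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SIG_LEN=256                      # byte length of an RSA-2048 signature

gen_keypair() {                  # $1 = party name
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sender_encrypt() {               # $1 = message text
    printf '%s' "$1" > "$WORK/data"
    # steps 1-2: SHA-256 digest of the data, signed with the sender's private key
    openssl dgst -sha256 -sign "$WORK/sender.key" -out "$WORK/sig" "$WORK/data"
    # the signature has a fixed length, so "signature + data" splits cleanly later
    cat "$WORK/sig" "$WORK/data" > "$WORK/bundle"
    # step 3: a fresh temporary symmetric key encrypts the bundle
    openssl rand -hex 32 > "$WORK/sym.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$WORK/sym.key" \
        -in "$WORK/bundle" -out "$WORK/bundle.enc"
    # step 4: the symmetric key is wrapped with the receiver's public key
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" \
        -in "$WORK/sym.key" -out "$WORK/sym.key.enc"
    # step 5: bundle.enc and sym.key.enc are what travels to the receiver
}

verify_received() {              # prints "verified" or "FAILED"
    # steps 3-4: checking the signature with the sender's public key both
    # authenticates the sender and recomputes and compares the digest
    if openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$WORK/sig.rx" \
         "$WORK/data.rx" >/dev/null 2>&1; then echo verified; else echo FAILED; fi
}

receiver_decrypt() {
    # step 1: recover the temporary symmetric key with the receiver's private key
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" \
        -in "$WORK/sym.key.enc" -out "$WORK/sym.key.rx"
    # step 2: decrypt the bundle and split it back into signature and data
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/sym.key.rx" \
        -in "$WORK/bundle.enc" -out "$WORK/bundle.rx"
    head -c "$SIG_LEN" "$WORK/bundle.rx" > "$WORK/sig.rx"
    tail -c +$((SIG_LEN + 1)) "$WORK/bundle.rx" > "$WORK/data.rx"
    verify_received
}

roundtrip() {                    # $1 = message; prints the verification result
    sender_encrypt "$1"
    receiver_decrypt
}

received_text() { cat "$WORK/data.rx"; }

# Integrity check: any change to the data after decryption must fail verification.
tampered_check() {
    roundtrip "$1" >/dev/null
    printf 'X' >> "$WORK/data.rx"
    verify_received
}

gen_keypair sender
gen_keypair receiver
echo "roundtrip: $(roundtrip 'week 8 homework')"
echo "tampered:  $(tampered_check 'week 8 homework')"
```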



2. Describe the process of creating a private CA and of issuing certificates for the certificate requests sent by clients.

Building a private CA on the CA host

1. Generate the private key

[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.......................................++
.......................................++
e is 65537 (0x10001)

2. Generate the self-signed certificate

[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:MagEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:[email protected]
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem  certs  crl  newcerts  private

Parameter description:

-new: generate a new certificate signing request;

-x509: generate a self-signed certificate; used only when creating a private CA;

-key: path to the private key file used to generate the request;

-out: path of the generated request file; for a self-signing operation this directly produces the signed certificate;

-days: validity period of the certificate, in days;


3. Provide the directories and files the CA needs

[root@localhost ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial


A host that needs a certificate for secure communication must ask the CA host to sign one:

Steps (using httpd as an example):

[root@localhost ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2017-07-12 21:16:38 CST; 10s ago
 Main PID: 3975 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─3975 /usr/sbin/httpd -DFOREGROUND
           ├─3976 /usr/sbin/httpd -DFOREGROUND
           ├─3977 /usr/sbin/httpd -DFOREGROUND
           ├─3978 /usr/sbin/httpd -DFOREGROUND
           ├─3979 /usr/sbin/httpd -DFOREGROUND
           └─3980 /usr/sbin/httpd -DFOREGROUND
Jul 12 21:16:38 localhost.localdomain httpd[3975]: AH00558: httpd: Could not ...
Jul 12 21:16:38 localhost.localdomain systemd[1]: Started The Apache HTTP Ser...
Hint: Some lines were ellipsized, use -l to show in full.


1. The host that needs the certificate generates a private key;

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
..........+++
e is 65537 (0x10001)


2. Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:MagEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ll
total 8
-rw-r--r--. 1 root root 1058 Jul 12 21:21 httpd.csr
-rw-------. 1 root root 1679 Jul 12 21:17 httpd.key


3. Send the request to the CA host through a reliable channel;

[root@localhost ssl]# scp httpd.csr 192.168.10.10:/tmp/
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is 32:15:52:1a:72:71:51:a2:c2:ad:bb:c4:b9:55:f8:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
httpd.csr                                     100% 1058     1.0KB/s   00:00


4. Sign the certificate on the CA host;

[root@localhost ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 12 13:24:27 2017 GMT
            Not After : Jul 12 13:24:27 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MagEdu
            organizationalUnitName    = Ops
            commonName                = www.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9A:B9:84:A8:FC:F8:06:37:A1:BD:B7:E7:E6:BD:08:35:AE:A2:2A:C6
            X509v3 Authority Key Identifier: 
                keyid:B4:63:A6:45:FF:D9:C2:7B:7A:F3:09:45:CF:F0:9C:0E:6D:26:9A:E4
Certificate is to be certified until Jul 12 13:24:27 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@localhost CA]# cat index.txt
V       180712132427Z           01      unknown /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]


5. Send the certificate signed by the CA host back to the requesting host

[root@localhost CA]# scp /etc/pki/CA/certs/httpd.crt root@192.168.10.20:/etc/httpd/ssl/
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is 93:3b:4a:9e:0e:a0:bd:84:de:a0:cb:6e:3a:9f:43:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts.
root@192.168.10.20's password:
httpd.crt                                               100% 5881     5.7KB/s   00:00


6. View the information in the certificate (possible on both the CA host and the client):

CA host

[root@localhost CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]

Client

[root@localhost ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
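The same private CA and httpd request built non-interactively, followed by the checks a CA operator should run on an issued certificate before shipping it; this is an added example, not the post's own commands. It assumes a throwaway temporary directory instead of /etc/pki/CA, passes the DN with -subj instead of answering the prompts, and signs with openssl x509 -req plus an extension file in place of openssl ca and openssl.cnf.

```shell
#!/bin/sh
# Added example (not the post's own commands): private CA, CSR and signing done
# non-interactively, then chain / key-match / CA-flag checks on the result.
# Paths and DN values are constructed; everything lives in a temp directory.
set -eu
CA=$(mktemp -d)
trap 'rm -rf "$CA"' EXIT
DN="/C=CN/ST=Shanghai/L=Shanghai/O=MagEdu/OU=Ops"

build_ca() {
    (umask 077; openssl genrsa -out "$CA/cakey.pem" 4096 2>/dev/null)
    # -x509 turns the request into a self-signed certificate, as in the post
    openssl req -new -x509 -key "$CA/cakey.pem" -out "$CA/cacert.pem" \
        -days 3655 -subj "$DN/CN=ca.magedu.com"
}

make_csr() {                     # $1 = hostname that needs the certificate
    (umask 077; openssl genrsa -out "$CA/$1.key" 2048 2>/dev/null)
    openssl req -new -key "$CA/$1.key" -out "$CA/$1.csr" -subj "$DN/CN=$1"
}

sign_csr() {                     # $1 = hostname; 365-day end-entity certificate
    # same constraint the post's openssl.cnf applied (CA:FALSE), plus a SAN,
    # which current clients require instead of relying on the CN
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$CA/$1.ext"
    openssl x509 -req -in "$CA/$1.csr" -CA "$CA/cacert.pem" -CAkey "$CA/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$CA/$1.ext" -out "$CA/$1.crt" 2>/dev/null
}

# Check 1: the issued certificate chains to our CA (prints ok/fail).
verify_chain() {
    if openssl verify -CAfile "$CA/cacert.pem" "$CA/$1.crt" >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}

# Check 2: the public key inside the certificate is the one belonging to the
# host's private key, i.e. the CA signed the right request (compare SPKI hashes).
key_matches() {
    c=$(openssl x509 -in "$CA/$1.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$CA/$1.key" -pubout 2>/dev/null | openssl sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Check 3: an end-entity certificate must not carry CA:TRUE, otherwise its
# holder could issue further certificates that chain to cacert.pem.
is_ca() {
    if openssl x509 -in "$CA/$1.crt" -noout -text | grep -q 'CA:TRUE'; then
        echo yes; else echo no; fi
}

# The same view of the result the post takes.
show_issued() { openssl x509 -in "$CA/$1.crt" -noout -serial -subject; }

build_ca
make_csr www.magedu.com
sign_csr www.magedu.com
show_issued www.magedu.com
echo "chain: $(verify_chain www.magedu.com)  key: $(key_matches www.magedu.com)  ca: $(is_ca www.magedu.com)"
```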



3. Describe the DNS query process and the categories of DNS servers.

DNS query process

Client --> hosts file --> DNS local cache --> DNS server --> recursion

Zone the server is authoritative for: query the local database directly and return the answer;

Zone the server is not authoritative for: server cache --> iteration

When the client enters a domain name, a DNS query is initiated:

1. The client looks up the local hosts file and answers from it;

2. If the hosts file lookup finds nothing, the local DNS cache is consulted;

3. If the local cache has nothing either, the query goes to the DNS server configured on the host (the client sends only one query to its configured DNS server; the remaining lookups are performed by that server on the client's behalf, which is recursive querying);

4. If the configured DNS server still has no answer, it by default queries the root DNS servers, the second-level domain servers and the third-level domain servers in turn (iterative querying) and returns the result to the client.

DNS server categories

Authoritative for at least one zone:

Primary (master) name server: the server that maintains the database of the zone it is authoritative for; both reads and writes are possible

Secondary (slave) name server: "copies" the zone database from the master DNS server or from another slave DNS server; only reads are possible

Not authoritative for any zone:

Caching name server: runs name server software but holds no zone database

Forwarding name server: handles all local queries for non-local domain names by forwarding them



4. Set up a DNS server responsible for resolving the magedu.com domain (choose hostnames and IPs yourself)

Lab environment:

Master DNS server: 192.168.10.11 (CentOS 7.2)

Slave DNS server: 192.168.10.12 (CentOS 7.2)

Subdomain DNS server: 192.168.10.13 (CentOS 7.2)

(1) Forward and reverse resolution of several hostnames;

1. Install the bind package on the master DNS server and modify the global options in the main configuration file /etc/named.conf as follows:

[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

2. Check the configuration file, start the service, and confirm that port 53 is listening

[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.11:53                    *:*
udp    UNCONN     0      0      127.0.0.1:53                    *:*
tcp    LISTEN     0      10     192.168.10.11:53                    *:*
tcp    LISTEN     0      10     127.0.0.1:53                    *:*

3. In the auxiliary configuration file /etc/named.rfc1912.zones (included by the main configuration file), define the forward zone magedu.com and the reverse zone 10.168.192.in-addr.arpa

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.zone";
};

4. Edit the forward zone file /var/named/magedu.com.zone, change its group and permissions, and check the zone file

[root@localhost ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com.         dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX 10   mail
        IN      MX 20   smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
[root@localhost ~]# chown :named /var/named/magedu.com.zone
[root@localhost ~]# chmod o= /var/named/magedu.com.zone
[root@localhost ~]# ll /var/named/magedu.com.zone
-rw-r-----. 1 root named 313 Sep  2 16:54 /var/named/magedu.com.zone
[root@localhost ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2017100101
OK

5. Edit the reverse zone file /var/named/192.168.10.zone, change its group and permissions, and check the configuration

[root@localhost ~]# vim /var/named/192.168.10.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@       IN      SOA     ns1.magedu.com.         dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1.magedu.com.
11      IN      PTR     ns1.magedu.com.
12      IN      PTR     mail.magedu.com.
13      IN      PTR     smtp.magedu.com.
11      IN      PTR     www.magedu.com.
12      IN      PTR     bbs.magedu.com.
13      IN      PTR     bbs.magedu.com.
[root@localhost ~]# chgrp named /var/named/192.168.10.zone
[root@localhost ~]# chmod o= /var/named/192.168.10.zone
[root@localhost ~]# ll /var/named/192.168.10.zone
-rw-r-----. 1 root named 309 Sep  2 17:05 /var/named/192.168.10.zone
[root@localhost ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone magedu.com/IN: loaded serial 2017100101
zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101

6. Reload the configuration and test that forward and reverse resolution work

[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# host ns1.magedu.com 192.168.10.11
Using domain server:
Name: 192.168.10.11
Address: 192.168.10.11#53
Aliases: 
ns1.magedu.com has address 192.168.10.11
[root@localhost ~]# dig -t A www.magedu.com @192.168.10.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32622
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                        IN      A
;; ANSWER SECTION:
www.magedu.com.         3600    IN      A       192.168.10.11
;; AUTHORITY SECTION:
magedu.com.             3600    IN      NS      ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11
;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 17:15:16 CST 2017
;; MSG SIZE  rcvd: 93
[root@localhost ~]# dig -x 192.168.10.13 @192.168.10.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.10.13 @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51557
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;13.10.168.192.in-addr.arpa.            IN      PTR
;; ANSWER SECTION:
13.10.168.192.in-addr.arpa. 3600 IN     PTR     smtp.magedu.com.
13.10.168.192.in-addr.arpa. 3600 IN     PTR     bbs.magedu.com.
;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN      NS      ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11
;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 17:17:45 CST 2017
;; MSG SIZE  rcvd: 136
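An offline consistency check between the forward and reverse zones set up above, as an added example that is not part of the original post: it lists every A record without a PTR pointing back and every PTR without a matching A record, the two mismatches that reverse lookups quietly drift into. The record lines are constructed from the zone files shown above (SOA and NS lines omitted), and the origins are assumed to be the ones the post sets with $ORIGIN.

```shell
#!/bin/sh
# Added example (not from the post): forward/reverse zone consistency check.
# The record text below is constructed from the two zone files shown above;
# FWD_ORIGIN / REV_PREFIX are assumed from the post's $ORIGIN directives.
set -eu
FWD_ORIGIN=magedu.com
REV_PREFIX=192.168.10

FWD_ZONE='
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
'
REV_ZONE='
11      IN      PTR     ns1.magedu.com.
12      IN      PTR     mail.magedu.com.
13      IN      PTR     smtp.magedu.com.
11      IN      PTR     www.magedu.com.
12      IN      PTR     bbs.magedu.com.
13      IN      PTR     bbs.magedu.com.
'

a_records() {     # $1 = forward zone text; prints "fqdn ip" per A record
    printf '%s\n' "$1" | awk -v o="$FWD_ORIGIN" \
        '$2 == "IN" && $3 == "A" { print $1 "." o ".", $4 }'
}

ptr_records() {   # $1 = reverse zone text; prints "fqdn ip" per PTR record
    printf '%s\n' "$1" | awk -v p="$REV_PREFIX" \
        '$2 == "IN" && $3 == "PTR" { print $4, p "." $1 }'
}

# A records with no PTR pointing back (one "fqdn ip" per line; empty = consistent).
missing_ptr() {   # $1 = forward zone text, $2 = reverse zone text
    a_records "$1" | while read -r name ip; do
        ptr_records "$2" | grep -qxF "$name $ip" || echo "$name $ip"
    done
}

# PTR records whose target name has no matching A record (stale reverse entries).
missing_a() {     # $1 = forward zone text, $2 = reverse zone text
    ptr_records "$2" | while read -r name ip; do
        a_records "$1" | grep -qxF "$name $ip" || echo "$name $ip"
    done
}

report() {        # $1 = forward, $2 = reverse; prints a verdict
    m1=$(missing_ptr "$1" "$2"); m2=$(missing_a "$1" "$2")
    if [ -z "$m1" ] && [ -z "$m2" ]; then echo consistent
    else printf 'no PTR for: %s\nno A for: %s\n' "$m1" "$m2"; fi
}

report "$FWD_ZONE" "$REV_ZONE"
```

The same check can be pointed at the real files by replacing the two constructed strings with `$(cat /var/named/magedu.com.zone)` and `$(cat /var/named/192.168.10.zone)`, since only lines of the form "name IN A/PTR value" are considered.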



(2) Delegate the subdomain cdn.magedu.com; the subdomain server resolves the hostnames in that subdomain;

1. Edit the master DNS server's forward zone file /var/named/magedu.com.zone, add the subdomain delegation records and bump the serial number, then reload the configuration

[root@localhost ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com.         dnsadmin.magedu.com. (
                2017100102
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX 10   mail
        IN      MX 20   smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
cdn     IN      NS      ns1.cdn
ns1.cdn IN      A       192.168.10.13
[root@localhost ~]# systemctl reload named.service

2. Install the bind package on the subdomain DNS server and modify the global options in the main configuration file /etc/named.conf as follows:

[root@localhost ~]# yum install -y bind
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

3. Check the configuration file, start the service, and confirm that port 53 is listening

[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.13:53                    *:*
udp    UNCONN     0      0      127.0.0.1:53                    *:*
tcp    LISTEN     0      10     127.0.0.1:53                    *:*
tcp    LISTEN     0      5      192.168.122.1:53                    *:*

4. In the auxiliary configuration file /etc/named.rfc1912.zones, define the subdomain cdn.magedu.com and a forward-type zone that sends queries for the parent domain magedu.com to the master

zone "cdn.magedu.com" IN {
        type master;
        file "cdn.magedu.com.zone";
};
zone "magedu.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.10.11; };
};

5. Edit the subdomain zone file /var/named/cdn.magedu.com.zone, change its group and permissions, and check the configuration

[root@localhost ~]# vim /var/named/cdn.magedu.com.zone
$TTL 3600
$ORIGIN cdn.magedu.com.
@       IN      SOA     ns1.cdn.magedu.com.     dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.10.13
www     IN      A       192.168.10.14
forum   IN      A       192.168.10.15
[root@localhost ~]# chgrp named /var/named/cdn.magedu.com.zone
[root@localhost ~]# chmod o= /var/named/cdn.magedu.com.zone
[root@localhost ~]# ll /var/named/cdn.magedu.com.zone
-rw-r-----. 1 root named 204 Sep  2 17:50 /var/named/cdn.magedu.com.zone
[root@localhost ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone cdn.magedu.com/IN: loaded serial 2017100101

6. Reload the configuration and test that parent-domain and subdomain resolution work

[root@localhost ~]# systemctl reload named.service

Result of the parent domain's master DNS server resolving the subdomain:

[root@localhost ~]# dig -t A forum.cdn.magedu.com @192.168.10.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A forum.cdn.magedu.com @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.cdn.magedu.com.                  IN      A
;; ANSWER SECTION:
forum.cdn.magedu.com.   3544    IN      A       192.168.10.15
;; AUTHORITY SECTION:
cdn.magedu.com.         3544    IN      NS      ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     3544    IN      A       192.168.10.13
;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 19:34:10 CST 2017
;; MSG SIZE  rcvd: 99

Result of the subdomain DNS server resolving the subdomain and the parent domain:

[root@localhost ~]# dig -t A www.cdn.magedu.com @192.168.10.13
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.cdn.magedu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26686
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com.                    IN      A
;; ANSWER SECTION:
www.cdn.magedu.com.     3600    IN      A       192.168.10.14
;; AUTHORITY SECTION:
cdn.magedu.com.         3600    IN      NS      ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     3600    IN      A       192.168.10.13
;; Query time: 3 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sat Sep 02 19:30:50 CST 2017
;; MSG SIZE  rcvd: 97
[root@localhost ~]# dig -t A www.magedu.com @192.168.10.13
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                        IN      A
;; ANSWER SECTION:
www.magedu.com.         3448    IN      A       192.168.10.11
;; AUTHORITY SECTION:
magedu.com.             3448    IN      NS      ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.         3448    IN      A       192.168.10.11
;; Query time: 1 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sat Sep 02 19:30:55 CST 2017
;; MSG SIZE  rcvd: 93


(3) To ensure high availability of the DNS service, design a solution and write out the detailed implementation

High availability of the DNS service is generally ensured by master/slave replication between DNS servers, with the relevant access-control directives providing security. The implementation is as follows:

1. Edit /etc/named.rfc1912.zones (the auxiliary configuration file included by the main one) on the master DNS server and add an allow-transfer {}; clause to the forward zone magedu.com, so that only the authorized slave DNS server can replicate it

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 192.168.10.12; };
};

2. Edit the master DNS server's forward zone file /var/named/magedu.com.zone, add the NS record and A record for the slave DNS server, and bump the serial number

[root@localhost ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com.         dnsadmin.magedu.com. (
                2017100104
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX 10   mail
        IN      MX 20   smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
cdn     IN      NS      ns1.cdn
ns1.cdn IN      A       192.168.10.13
@       IN      NS      slave   ; owner given explicitly: with a blank owner this record inherits ns1.cdn from the line above (as the axfr output further down shows)
slave   IN      A       192.168.10.12

3. Check and reload the configuration

[root@localhost ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone magedu.com/IN: loaded serial 2017100104
zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101
[root@localhost ~]# rndc reload
server reload successful

4. Install the bind package on the slave DNS server and modify the global options in the main configuration file /etc/named.conf as follows:

[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

5. Check the configuration file, start the service, and confirm that port 53 is listening

[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.12:53                    *:*
udp    UNCONN     0      0      127.0.0.1:53                    *:*
tcp    LISTEN     0      10     192.168.10.12:53                    *:*
tcp    LISTEN     0      10     127.0.0.1:53                    *:*

6. On the slave DNS server, add the following zone definition to /etc/named.rfc1912.zones

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;
        file "slaves/magedu.com.zone";
        masters { 192.168.10.11; };
};

7. Check and reload the configuration

[root@localhost ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
[root@localhost ~]# rndc reload
server reload successful

8. Use dig -t axfr to simulate a full zone transfer and confirm that it works, then check whether the zone file has been transferred to the slave DNS server

[root@localhost ~]# dig -t axfr magedu.com @192.168.10.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr magedu.com @192.168.10.11
;; global options: +cmd
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400
magedu.com.             3600    IN      NS      ns1.magedu.com.
magedu.com.             3600    IN      MX      10 mail.magedu.com.
magedu.com.             3600    IN      MX      20 smtp.magedu.com.
bbs.magedu.com.         3600    IN      A       192.168.10.12
bbs.magedu.com.         3600    IN      A       192.168.10.13
cdn.magedu.com.         3600    IN      NS      ns1.cdn.magedu.com.
ns1.cdn.magedu.com.     3600    IN      A       192.168.10.13
ns1.cdn.magedu.com.     3600    IN      NS      slave.magedu.com.
mail.magedu.com.        3600    IN      A       192.168.10.12
ns1.magedu.com.         3600    IN      A       192.168.10.11
slave.magedu.com.       3600    IN      A       192.168.10.12
smtp.magedu.com.        3600    IN      A       192.168.10.13
web.magedu.com.         3600    IN      CNAME   www.magedu.com.
www.magedu.com.         3600    IN      A       192.168.10.11
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400
;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 20:14:14 CST 2017
;; XFR size: 16 records (messages 1, bytes 365)
[root@localhost ~]# ls /var/named/slaves/
magedu.com.zone

9. Check the master/slave replication result in the named service status, and test that resolution works

[root@localhost ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-09-02 20:05:14 CST; 10min ago
  Process: 13105 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13102 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13108 (named)
   CGroup: /system.slice/named.service
           └─13108 /usr/sbin/named -u named
Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: B.E.F.IP6.ARPA
Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 02 20:11:53 localhost.localdomain named[13108]: reloading configuration succeeded
Sep 02 20:11:53 localhost.localdomain named[13108]: reloading zones succeeded
Sep 02 20:11:53 localhost.localdomain named[13108]: all zones loaded
Sep 02 20:11:53 localhost.localdomain named[13108]: running
Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: Transfer started.
Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: connected using 192.168.10.12#56008
Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: transferred serial 2017100104
Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: Transfer completed: 1 messag...s/sec)
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# dig -t A mail.magedu.com @192.168.10.12
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A mail.magedu.com @192.168.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41990
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.magedu.com.                       IN      A
;; ANSWER SECTION:
mail.magedu.com.        3600    IN      A       192.168.10.12
;; AUTHORITY SECTION:
magedu.com.             3600    IN      NS      ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11
;; Query time: 1 msec
;; SERVER: 192.168.10.12#53(192.168.10.12)
;; WHEN: Sat Sep 02 20:20:39 CST 2017
;; MSG SIZE  rcvd: 94

