To provide a secure resolution service, the bind service supports the TSIG mechanism (see RFC 2845). TSIG uses a keyed cryptographic signature to protect zone transfers, i.e. it ensures that the zone data exchanged between DNS servers is authentic and has not been tampered with in transit.
1. On the slave server, check the data files that were fetched from the master, then delete them.
[root@dsrw slaves]# ls -al /var/named/slaves
total 8
drwxrwx---. 2 named named 50 Dec 22 22:36 .
drwxrwx--T. 6 root named 141 Dec 22 22:27 ..
-rw-r--r--. 1 named named 308 Dec 22 22:36 192.168.10.arpa
-rw-r--r--. 1 named named 225 Dec 22 22:36 dsrw.com.zone
[root@dsrw slaves]# rm -rf /var/named/slaves/*
[root@dsrw slaves]# ls -al /var/named/slaves
total 0
drwxrwx---. 2 named named 6 Dec 22 22:53 .
drwxrwx--T. 6 root named 141 Dec 22 22:27 ..
2. On the master server, use the dnssec-keygen command to generate the key used for secure DNS.
Common dnssec-keygen parameters:
-a: the algorithm, e.g. RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA (HMAC-MD5 is used below)
-b: key length in bits (for HMAC-MD5, between 1 and 512 bits)
-n: key type (HOST means the key is associated with a host)
[root@dsrw ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+00525
[root@dsrw ~]# ls -l Kmaster-slave.+157+00525.*
-rw-------. 1 root root 56 12月 22 23:41 Kmaster-slave.+157+00525.key
-rw-------. 1 root root 165 12月 22 23:41 Kmaster-slave.+157+00525.private
[root@dsrw ~]# cat Kmaster-slave.+157+00525.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: PoWKDbgeVEopIWe/2ES+Tg==
Bits: AAA=
Created: 20221222154117
Publish: 20221222154117
Activate: 20221222154117
3. Create the key file on the master server.
[root@dsrw ~]# cd /var/named/chroot/etc
[root@dsrw etc]# vim transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "PoWKDbgeVEopIWe/2ES+Tg==";
};
[root@dsrw etc]# chown root:named transfer.key
[root@dsrw etc]# chmod 640 transfer.key
[root@dsrw etc]# ln transfer.key /etc/transfer.key
4. Enable and load key verification in the bind service on the master.
[root@dsrw ~]# vim /etc/named.conf
include "/etc/transfer.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
allow-transfer { key master-slave; };
};
[root@dsrw ~]# systemctl restart named
5. Remove all the data files from the slave DNS server's sync directory and restart the bind service again; the zone files can no longer be fetched automatically.
[root@dsrw ~]# rm -rf /var/named/slaves/*
[root@dsrw ~]# systemctl restart named
[root@dsrw ~]# ls -al /var/named/slaves
total 0
drwxrwx---. 2 named named 6 Dec 22 23:42 .
drwxrwx--T. 6 root named 141 Dec 22 23:52 ..
6. Configure the slave server so that it supports key verification.
[root@dsrw ~]# cd /var/named/chroot/etc/
[root@dsrw etc]# vim transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "PoWKDbgeVEopIWe/2ES+Tg==";
};
[root@dsrw etc]# chown root:named transfer.key
[root@dsrw etc]# chmod 640 transfer.key
[root@dsrw etc]# ln transfer.key /etc/transfer.key
7. Enable and load key verification on the slave server.
[root@dsrw etc]# vim /etc/named.conf
include "/etc/transfer.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
};
server 192.168.10.2 {
keys { master-slave; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The slave DNS server now synchronises the zone data.
[root@dsrw etc]# systemctl restart named
[root@dsrw etc]# ls /var/named/slaves/
192.168.10.arpa dsrw.com.zone
8. Set the slave server's DNS server address to its own IP address and test resolution.
[root@dsrw var]# nslookup www.dsrw.com
Server: 192.168.10.7
Address: 192.168.10.7#53
Name: www.dsrw.com
Address: 192.168.10.2
[root@dsrw var]# nslookup 192.168.10.2
2.10.168.192.in-addr.arpa name = www.dsrw.com.
2.10.168.192.in-addr.arpa name = ns.dsrw.com.
9. Set the master server's DNS server address to its own IP address and test resolution.
[root@dsrw etc]# nslookup www.dsrw.com
Server: 192.168.10.2
Address: 192.168.10.2#53
Name: www.dsrw.com
Address: 192.168.10.2
[root@dsrw etc]# nslookup 192.168.10.2
2.10.168.192.in-addr.arpa name = ns.dsrw.com.
2.10.168.192.in-addr.arpa name = www.dsrw.com.
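As an added illustration (not code from the original post) of what the TSIG mechanism configured above actually protects, the following Python computes and verifies the HMAC-MD5 MAC that RFC 2845 attaches to an AXFR request, using the key name and secret shown on the page; the message ID and timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import struct
import time

# Key name and secret as generated by dnssec-keygen on the page.
KEY_NAME = "master-slave"
SECRET = base64.b64decode("PoWKDbgeVEopIWe/2ES+Tg==")
ALG_NAME = "hmac-md5.sig-alg.reg.int"  # RFC 2845 algorithm name for HMAC-MD5
FUDGE = 300                            # BIND's default time window (seconds)


def wire_name(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def axfr_query(zone, msg_id=0x1234):
    """Unsigned AXFR request: 12-byte header plus one question (QTYPE 252, class IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_variables(time_signed, fudge=FUDGE, error=0, other=b""):
    """TSIG 'variables' hashed after the message (RFC 2845 section 3.4.2)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)  # CLASS ANY, TTL 0
            + wire_name(ALG_NAME) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(message, time_signed, secret=SECRET, fudge=FUDGE):
    """MAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(time_signed, fudge)
    return hmac.new(secret, data, hashlib.md5).digest()


def verify(message, time_signed, mac, secret=SECRET, fudge=FUDGE, now=None):
    """Receiver-side check: time window first, then constant-time MAC comparison."""
    now = time.time() if now is None else now
    if abs(now - time_signed) > fudge:
        return False  # stale or replayed request (BADTIME)
    return hmac.compare_digest(tsig_mac(message, time_signed, secret, fudge), mac)


if __name__ == "__main__":
    msg = axfr_query("dsrw.com")
    ts = 1671723677  # constructed timestamp (2022-12-22)
    mac = tsig_mac(msg, ts)
    print("MAC:", mac.hex(), "valid:", verify(msg, ts, mac, now=ts + 5))
    print("tampered:", verify(msg + b"x", ts, mac, now=ts + 5),
          "too late:", verify(msg, ts, mac, now=ts + 3600))
```

A master that only accepts `allow-transfer { key master-slave; }` is relying on exactly this check: a request with a wrong secret, a modified message or a timestamp outside the fudge window is refused.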