
DNS master/slave servers: secure zone transfer based on TSIG

Author: huakai201's BLOG   Published: 2012-10-29 10:05:00

A master DNS server that also carries the root zone effectively gains the function of a caching server. To reduce load on a production server, the root zone can be commented out so that the server only answers for the public domain names we are responsible for.

Caching server: it provides only root-based recursion. When a client comes to me, I look in the local DNS cache first; on a miss I query from the root downward and cache the result, so the next client asking for the same name does not need another trip to the root. I find it somewhat like a router: when going online you can point your resolver at the ISP's public address or directly at the router address, and it performs the lookup on your behalf. The configuration file only needs the root zone defined (personal view only; corrections welcome).

Lab outline:

1. Platform: RHEL 5.8 in a VMware 8 virtual machine; DNS is bind97, installed from rpm packages (yum).

2. Preparation: disable SELinux

1) Takes effect immediately: setenforce [0|1], where 0 = permissive and 1 = enforcing; getenforce shows the current state

2) Permanent: vi /etc/selinux/config and set SELINUX=enforcing | permissive | disabled (disabled turns it off)

# If SELinux is left on, starting the service may fail with permission-denied errors; so far this is the only effect observed

3. Objectives:

1) Build a master DNS server

2) Build a slave DNS server

3) Subdomain delegation

4) BIND views

5) Security hardening, performance testing and the use of testing tools

1. Building the master DNS server

Hostname: ns.huakai.com, nameserver=127.0.0.1, search huakai.com

IP: 172.16.8.1

1. Install bind97 (Red Hat installs bind by default for backward compatibility, but it is an old version; remove the old version and install the new one):

[root@ns ~]# yum list | grep bind
Unable to read consumer identity
bind-libs.i386 30:9.3.6-20.P1.el5 installed
bind-utils.i386 30:9.3.6-20.P1.el5 installed
[root@ns ~]# rpm -e bind-utils
[root@ns ~]# rpm -e bind-libs        # remove the old utils and libs
[root@ns ~]# yum install bind97 bind97-utils bind97-libs -y

bind97: the DNS daemon itself; bind97-utils: test tools such as host, nslookup and dig

2. Configure /etc/named.conf

options {
    directory "/var/named";
};

zone "." IN {
    type hint;              # root hints; named.ca has no SOA and cannot be loaded as "type master"
    file "named.ca";
};

zone "localhost" IN {       # local forward zone
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {   # local reverse zone
    type master;
    file "127.0.0.zone";
};

zone "huakai.com" IN {
    type master;
    file "huakai.com.zone";
};

zone "8.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.8.zone";
};

3. Create the zone data files

/var/named/localhost.zone

$TTL 86400
@           IN SOA  localhost. admin.localhost. (
                    2012102001 ; serial
                    12H        ; refresh
                    1H         ; retry
                    30D        ; expire
                    1D )       ; minimum
            IN NS   localhost.
localhost.  IN A    127.0.0.1

/var/named/127.0.0.zone

$TTL 86400
@           IN SOA  localhost. admin.localhost. (
                    2012102001
                    12H
                    1H
                    30D
                    1D )
            IN NS   localhost.
1           IN PTR  localhost.

/var/named/huakai.com.zone

$TTL 86400
@           IN SOA  ns.huakai.com. admin.huakai.com. (
                    2012102001
                    12H
                    1H
                    30D
                    1D )
            IN NS   ns.huakai.com.
ns          IN A    172.16.8.1

/var/named/172.16.8.zone

$TTL 86400
@           IN SOA  ns.huakai.com. admin.huakai.com. (
                    2012102001
                    12H
                    1H
                    30D
                    1D )
            IN NS   ns.huakai.com.
1           IN PTR  ns.huakai.com.   ; owner is the host octet of 172.16.8.1, target is the host name
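Three slips are easy to make in files like these: a reverse-zone record written as "ns IN PTR 172.16.8.1" instead of "1 IN PTR ns.huakai.com.", a record with a blank owner that silently inherits the previous record's name, and a name server named in an NS record that has no A record. The following is an added example, not code from the post and no substitute for named-checkzone: a small parser for the zone-file subset used above with checks for exactly those cases. The sample zone texts are constructed here to mirror the post's files.

```python
# Added example (not from the original post): a minimal parser for the zone
# files above plus sanity checks for the mistakes that most often keep a zone
# from loading or answering correctly.  It handles only the syntax the post
# uses: $TTL, $ORIGIN, ';' comments, '(' ')' continuation lines, '@',
# blank (inherited) owners and relative names.
import ipaddress

RRTYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}


def absolute(name, origin):
    """Expand '@' or a relative name to a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) tuples, one per record."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner, buf, depth, inherits = [], None, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not buf:                                # first line of a record
            inherits = line[0].isspace()           # blank owner => previous owner
        buf.extend(line.split())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                               # still inside ( ... ), e.g. SOA timers
        toks, buf = [t for t in buf if t not in ("(", ")")], []
        if toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        owner = last_owner if inherits else absolute(toks.pop(0), origin)
        while toks and toks[0] not in RRTYPES:     # skip optional TTL and class
            toks.pop(0)
        if not toks or owner is None:
            raise ValueError(f"cannot parse record: {raw!r}")
        rtype, rdata = toks[0], toks[1:]
        if rtype in ("NS", "PTR", "CNAME"):        # targets are names: qualify them
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_zone(records, origin):
    """Return a list of problems found; an empty list means the checks passed."""
    origin = origin if origin.endswith(".") else origin + "."
    reverse = origin.endswith(".in-addr.arpa.")
    a_names = {o for o, t, _ in records if t == "A"}
    problems = []
    if [r[0] for r in records if r[1] == "SOA"] != [origin]:
        problems.append("expected exactly one SOA record at the zone apex")
    for owner, rtype, rdata in records:
        if not owner.endswith(origin):
            problems.append(f"{owner} {rtype}: owner lies outside {origin}")
        if rtype == "NS" and rdata[-1].endswith(origin) and rdata[-1] not in a_names:
            problems.append(f"{owner} NS {rdata[-1]}: in-zone name server has no A record")
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[-1])
            except ValueError:
                problems.append(f"{owner} A {rdata[-1]}: not an IPv4 address")
        if rtype == "PTR" and reverse:
            label = owner[: -len(origin) - 1]
            if not label.isdigit():                  # e.g. "ns IN PTR ..." in a reverse zone
                problems.append(f"{owner} PTR: owner must be the host octet, not '{label}'")
            if rdata[-1].endswith(".in-addr.arpa."):  # "IN PTR 172.16.8.1" was written
                problems.append(f"{owner} PTR {rdata[-1]}: target must be a host name, not an address")
    return problems


# Constructed sample inputs modelled on the post's files.
FORWARD_ZONE = """\
$TTL 86400
@   IN SOA ns.huakai.com. admin.huakai.com. (
        2012102001 ; serial
        12H        ; refresh
        1H         ; retry
        30D        ; expire
        1D )       ; minimum
    IN NS ns.huakai.com.
ns  IN A  172.16.8.1
"""

BAD_REVERSE_ZONE = """\
$TTL 86400
@   IN SOA ns.huakai.com. admin.huakai.com. ( 2012102001 12H 1H 30D 1D )
    IN NS  ns.huakai.com.
ns  IN PTR 172.16.8.1
"""

# The delegation records, once with a blank owner and once anchored with '@'.
DELEGATION_AS_WRITTEN = FORWARD_ZONE + """\
$ORIGIN tech.huakai.com.
    IN NS ns.tech.huakai.com.
ns.tech.huakai.com. IN A 172.16.8.3
"""
DELEGATION_FIXED = DELEGATION_AS_WRITTEN.replace("    IN NS ns.tech", "@   IN NS ns.tech")

if __name__ == "__main__":
    for name, text in (("huakai.com", FORWARD_ZONE), ("8.16.172.in-addr.arpa", BAD_REVERSE_ZONE)):
        for problem in check_zone(parse_zone(text, name), name) or ["ok"]:
            print(f"{name}: {problem}")
    for text in (DELEGATION_AS_WRITTEN, DELEGATION_FIXED):
        print([r for r in parse_zone(text, "huakai.com") if r[1] == "NS"])
```

Running it shows that the blank-owner delegation attaches the NS record to ns.huakai.com. rather than tech.huakai.com., which is why the delegation record in the parent zone is written with an explicit "@" under $ORIGIN.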

4. Start the DNS service

service named start

If it fails to start, check the error log: tail /var/log/messages

dig -t A ns.huakai.com @127.0.0.1

2. Building the slave DNS server

Hostname: ns2.huakai.com, nameserver=127.0.0.1, search huakai.com

IP: 172.16.8.2

1. Install bind97, same steps as above:

[root@ns ~]# yum list | grep bind
Unable to read consumer identity
bind-libs.i386 30:9.3.6-20.P1.el5 installed
bind-utils.i386 30:9.3.6-20.P1.el5 installed
[root@ns ~]# rpm -e bind-utils
[root@ns ~]# rpm -e bind-libs        # remove the old utils and libs
[root@ns ~]# yum install bind97 bind97-utils bind97-libs -y

2. Configure the named.conf files

(1) On the master DNS server, change the following:

zone "huakai.com" IN {
    type master;
    file "huakai.com.zone";
    allow-transfer { 127.0.0/8; 172.16.0.0/16; };   # write the network without host bits: 172.16.8/16 is an address/prefix length mismatch
};

zone "8.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.8.zone";
    allow-transfer { 127.0.0/8; 172.16.0.0/16; };
};
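allow-transfer is an address match list, and whether a slave (or anyone else) can pull the zone depends entirely on how that list is evaluated. The following added example, not the post's code and not BIND's own parser, reproduces the rule a practitioner relies on: entries are tried in order, the first match decides, "!" negates an entry, and an abbreviated prefix such as 127.0.0/8 is filled out with zero octets. It also flags an entry like 172.16.8/16 that still has host bits set after the prefix length: what such an entry actually matches is all of 172.16.0.0/16, not 172.16.8.0/24. The first-match and negation semantics are stated here as assumptions about BIND's behaviour.

```python
# Added example (not from the original post): how a client address is matched
# against the prefixes in allow-transfer / match-clients, plus a lint for
# entries whose host bits are set after the prefix length.  Assumes BIND's
# first-match-wins rule, "!" negation and abbreviated prefixes like "127.0.0/8".
import ipaddress


def parse_prefix(text):
    """Parse an (optionally abbreviated) IPv4 prefix; return (network, host_bits_set)."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad address in {text!r}")
    octets += ["0"] * (4 - len(octets))            # fill in omitted trailing octets
    plen = int(plen) if plen else 32
    written = ipaddress.IPv4Address(".".join(octets))
    network = ipaddress.IPv4Network((str(written), plen), strict=False)
    return network, written != network.network_address


def allowed(client, acl):
    """Evaluate an address match list for one client: the first matching entry decides."""
    ip = ipaddress.IPv4Address(client)
    for entry in acl:
        negated = entry.startswith("!")
        network, _ = parse_prefix(entry.lstrip("!"))
        if ip in network:
            return not negated
    return False                                   # no entry matched: denied


def lint_acl(acl):
    """Report entries whose host bits are set: they match more than they appear to."""
    warnings = []
    for entry in acl:
        network, sloppy = parse_prefix(entry.lstrip("!"))
        if sloppy:
            warnings.append(f"{entry}: address/prefix length mismatch, matches all of {network}")
    return warnings


if __name__ == "__main__":
    acl = ["127.0.0/8", "172.16.8/16"]             # the allow-transfer list as first written
    for warning in lint_acl(acl):
        print("warning:", warning)
    for client in ("172.16.8.2", "172.16.200.9", "10.0.0.5"):
        print(client, "may transfer" if allowed(client, acl) else "denied")
```

The lint makes the practical point: with 172.16.8/16 in the list, a host at 172.16.200.9 can also pull the zone, which is why the corrected configuration names 172.16.0.0/16 explicitly (or 172.16.8.0/24 if only that subnet should be allowed). Address-based lists are a coarse control in any case; the TSIG section later in the post replaces them with a key.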

(2) On the slave DNS server, configure the following:

options {
    directory "/var/named";
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "huakai.com" IN {
    type slave;
    file "slaves/huakai.com.zone";
    masters { 172.16.8.1; };
};

zone "8.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.16.8.zone";
    masters { 172.16.8.1; };
};

3. The local forward and local reverse zone data files are the same as above:

localhost.zone, 127.0.0.zone

4. Start the bind service

dig -t A ns.huakai.com    # if the test fails, check the log

Check that /var/named/slaves/ now contains the huakai.com.zone and 172.16.8.zone files

3. Subdomain delegation

1. Start a new virtual machine: ip=172.16.8.3, hostname=ns.tech.huakai.com

2. In the parent zone huakai.com, add the following resource records:

$ORIGIN tech.huakai.com.
@                    IN NS  ns.tech.huakai.com.   ; '@' anchors the NS record at tech.huakai.com; a blank owner would inherit the previous record's name
ns.tech.huakai.com.  IN A   172.16.8.3            ; glue address for the delegated name server

3. Install DNS on the subdomain server and set up its /etc/named.conf:

options {
    directory "/var/named";
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "tech.huakai.com" IN {
    type master;
    file "tech.huakai.com.zone";
};

zone "8.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.8.zone";
};

4. The zone data files are the same as above; just change huakai.com to tech.huakai.com

Start and test:

dig -t A ns.tech.huakai.com

4. BIND views

1. Still using bind97; only an extra IP address and a change to the main configuration file are needed

Add an IP alias: eth0:0 192.168.0.177

2. The main configuration file named.conf is as follows:

options {
    directory "/var/named";
};

view "huakai" {
    match-clients { 172.16.0.0/16; };   # clients matching this condition (the network, written without host bits)

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
    };

    zone "huakai.com" IN {
        type master;
        file "huakai.com.huakai";
        // allow-transfer { 127.0.0/8; 172.16.0.0/16; };
    };
};

view "kaihua" {
    match-clients { 192.168.0.0/24; };

    zone "huakai.com" IN {
        type master;
        file "huakai.com.kaihua";
        // allow-transfer { 127.0.0/8; 172.16.0.0/16; };
    };
};

3. Create the huakai.com.huakai zone file:

$TTL 86400
@           IN SOA  ns.huakai.com. admin.huakai.com. (
                    2012102001
                    12H
                    1H
                    30D
                    1D )
            IN NS   ns.huakai.com.
ns          IN A    172.16.8.1     ; the answer given to 172.16.0.0/16 clients; the dig test below returns this value

4. Create the huakai.com.kaihua zone file:

$TTL 86400
@           IN SOA  ns.huakai.com. admin.huakai.com. (
                    2012102001
                    12H
                    1H
                    30D
                    1D )
            IN NS   ns.huakai.com.
ns          IN A    192.168.0.177  ; the answer given to 192.168.0.0/24 clients

5. Restart the service and test; the answer addresses are the part to compare.

Windows XP client, IP 192.168.0.204:

C:\Documents and Settings\Administrator>nslookup
Default Server: instructor.example.com
Address: 192.168.0.254
> server 192.168.0.177
Default Server: server77.example.com
Address: 192.168.0.177
> ns.huakai.com
Server: server77.example.com
Address: 192.168.0.177
DNS request timed out.
timeout was 2 seconds.
Name: ns.huakai.com
Address: 192.168.0.177

RHEL 5 client, IP 172.16.8.1:

[root@ns named]# dig -t A ns.huakai.com @172.16.8.1
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A ns.huakai.com @172.16.8.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.huakai.com. IN A

;; ANSWER SECTION:
ns.huakai.com. 86400 IN A 172.16.8.1

;; AUTHORITY SECTION:
huakai.com. 86400 IN NS ns.huakai.com.

;; Query time: 1 msec
;; SERVER: 172.16.8.1#53(172.16.8.1)
;; WHEN: Sat Oct 20 23:32:19 2012
;; MSG SIZE rcvd: 61

5. Security features

1. Hiding the BIND version number

In the global options set version "none", or put in a fake version string

2. Using the logging facility

3. Using TSIG

First let us look at how to enable logging.

First we demonstrate the use of TSIG for zone transfers; the environment is the same as before:

Master server:
IP: 172.16.8.1, hostname ns.huakai.com

Slave server:
IP: 172.16.8.2, hostname ns2.huakai.com

1. TSIG is key based, so first generate the key and copy it to the slave:

dnssec-keygen -a hmac-md5 -b 128 -n HOST ns-ns2.huakai.com.
scp -p Kns-ns2.huakai.com.+157+03998.* 172.16.8.2:/etc/named

2. Configure the master's named.conf as follows. Only the forward zone is transferred here, and the zone data file is the same as above, so it is not repeated.

options {
    directory "/var/named";
};

key "ns-ns2.huakai.com." {
    algorithm hmac-md5;
    secret "luoOvRoQunzCL1vakQKZhQ==";
};

server 172.16.8.2 {
    keys { ns-ns2.huakai.com.; };   # sign messages sent to the slave (e.g. NOTIFY) with this key
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "huakai.com" IN {
    type master;
    file "huakai.com.huakai";
    allow-transfer { key "ns-ns2.huakai.com."; };   # only requests signed with this key may transfer the zone
};

Configure the slave's named.conf as follows:

options {
    directory "/var/named";
};

key "ns-ns2.huakai.com." {
    algorithm hmac-md5;
    secret "luoOvRoQunzCL1vakQKZhQ==";
};

server 172.16.8.1 {
    keys { ns-ns2.huakai.com.; };   # sign requests to the master with this key
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "huakai.com" IN {
    type slave;
    file "slaves/huakai.com.huakai";
    masters { 172.16.8.1; };
};

3. Start the named service. It reports success, but /var/named/slaves does not contain the huakai.com.huakai data file.

tail /var/log/messages
Oct 21 14:21:53 ns named[11036]: zone huakai.com/IN: refresh: failure trying master 172.16.8.1#53 (source 0.0.0.0#0): clocks are unsynchronized

Roughly, this means the clocks disagree. Set the same time on both hosts with date, restart the service, and it works.

Check the log again:

Oct 21 14:40:43 ns named[11036]: zone huakai.com/IN: transferred serial 2012102002: TSIG 'ns-ns2.huakai.com'
Oct 21 14:40:43 ns named[11036]: transfer of 'huakai.com/IN' from 172.16.8.1#53: Transfer completed: 1 messages, 4 records, 216 bytes, 0.015 secs (14400 bytes/sec)
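The transfer above only succeeds once the two clocks agree because the TSIG signature covers the signing time, and the receiving named rejects anything outside the key's fudge window. The following is an added example, not code from the post or from BIND, that builds an AXFR request for huakai.com, signs it with the post's ns-ns2.huakai.com. key as RFC 2845 describes, and then verifies it with the right secret, with a wrong secret, and with a clock skewed by an hour. It assumes the key name, algorithm and secret from the named.conf above, BIND's default fudge of 300 seconds, and writes the message layout by hand with struct rather than using a DNS library.

```python
# Added example (not from the original post): the TSIG signing and
# verification that named performs on the zone-transfer request, written
# with the standard library so the "clocks are unsynchronized" failure can be
# reproduced.  Per RFC 2845 the MAC is an HMAC over the DNS message (without
# the TSIG RR) followed by the TSIG variables.  Key name, algorithm and secret
# are the ones from the post's named.conf; FUDGE is BIND's default.
import base64
import hashlib
import hmac
import struct
import time

KEY_NAME = "ns-ns2.huakai.com."
ALGORITHM = "hmac-md5.sig-alg.reg.int."          # wire name of BIND's "hmac-md5"
SECRET = base64.b64decode("luoOvRoQunzCL1vakQKZhQ==")
FUDGE = 300                                      # seconds of clock skew tolerated


def wire_name(name):
    """Domain name in DNS wire format, lower-cased as the TSIG digest requires."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone, msg_id):
    """Header plus one question (QTYPE AXFR = 252, class IN); no TSIG yet."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def _time_and_fudge(time_signed, fudge):
    """48-bit time signed followed by the 16-bit fudge."""
    return struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """The fields hashed after the message (RFC 2845 section 3.4.2)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)       # class ANY, TTL 0
            + wire_name(ALGORITHM) + _time_and_fudge(time_signed, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def _set_arcount(message, delta):
    """Return the message with ARCOUNT adjusted by delta."""
    arcount = struct.unpack("!H", message[10:12])[0] + delta
    return message[:10] + struct.pack("!H", arcount) + message[12:]


def sign(message, secret, time_signed, fudge=FUDGE):
    """Append a TSIG RR to an unsigned message and return the signed message."""
    mac = hmac.new(secret, message + tsig_variables(time_signed, fudge), hashlib.md5).digest()
    rdata = (wire_name(ALGORITHM) + _time_and_fudge(time_signed, fudge)
             + struct.pack("!H", len(mac)) + mac + message[:2]      # MAC, original ID
             + struct.pack("!HH", 0, 0))                            # error 0, other-len 0
    tsig_rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    return _set_arcount(message, +1) + tsig_rr


def verify(signed, secret, now):
    """Check a message produced by sign(); returns (ok, reason)."""
    start = signed.rfind(wire_name(KEY_NAME))       # the TSIG RR is the last record
    if start < 0:
        return False, "no TSIG record"
    message = _set_arcount(signed[:start], -1)      # the MAC covers the message without TSIG
    p = start + len(wire_name(KEY_NAME)) + 10 + len(wire_name(ALGORITHM))
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    time_signed = (hi << 32) | lo
    mac = signed[p + 10:p + 10 + mac_len]
    expected = hmac.new(secret, message + tsig_variables(time_signed, fudge), hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"                      # wrong secret or altered message
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"                     # what named logs as "clocks are unsynchronized"
    return True, "NOERROR"


if __name__ == "__main__":
    query = build_axfr_query("huakai.com.", 0x1234)
    signed = sign(query, SECRET, int(time.time()))
    print("in sync:", verify(signed, SECRET, int(time.time())))
    print("skewed :", verify(signed, SECRET, int(time.time()) + 3600))
```

Two practical points follow from the time field: keep both servers on NTP rather than setting the date by hand, and note that it is the MAC, not the source address, that authorises the transfer, which is why the allow-transfer { key ...; } form above is the one to keep. The post uses hmac-md5 because that is what its key generator produced; current BIND releases generate hmac-sha256 TSIG keys by default, and hmac-md5 should be treated as legacy when building a new setup.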


Troubleshooting note: in my own DNS experiments, most errors were in the zone data files (syntax errors), so paying attention to small details and reading the logs was my biggest takeaway!

 
