Linux Services and Security Management: Week 8 Assignment (Linux微职位)
1. Describe in detail the process of one encrypted communication, ideally with a diagram.
A complete encrypted communication proceeds as follows:
The two parties must agree in advance on a one-way hash algorithm and exchange their public keys.
Sender-side encryption
1. The sender computes the digest of the data with the one-way hash algorithm.
2. The sender encrypts the digest with its own private key, producing the digital signature, and appends the signature to the data.
3. The sender generates a temporary symmetric key and encrypts the whole block (data + digital signature) with it.
4. The sender obtains the receiver's public key, encrypts the temporary symmetric key with it, and appends the result to the symmetrically encrypted data.
5. The whole package is sent to the receiver.
Receiver-side decryption
1. The receiver decrypts the encrypted temporary symmetric key with its own private key, recovering the temporary symmetric key.
2. The receiver decrypts the encrypted block (data + digital signature) with the temporary symmetric key.
3. The receiver decrypts the digest with the sender's public key; if the decryption succeeds, the sender's identity is verified.
4. The receiver computes the digest of the data with the same one-way hash algorithm and compares it with the decrypted digest, which verifies the integrity of the data.
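The sender and receiver steps above, implemented as an added example that is not part of the original assignment. Assumptions: SHA-256 as the one-way hash, RSA PKCS#1 v1.5 signatures, AES-256-GCM for the temporary symmetric key and RSA-OAEP to wrap that key, all from Go's standard library; the names Envelope, Seal and Open are chosen here.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

var Rand = rand.Reader // CSPRNG for keys, nonces and signatures (exported so tests can share it)

// Envelope is what goes on the wire: the AES-GCM ciphertext of (data || signature) plus the temporary key wrapped for the receiver.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// Seal runs the sender-side steps 1-4 described above (Seal/Open are names assumed by this example).
func Seal(data []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	// 1: digest of the data with the agreed one-way hash (SHA-256 assumed).
	digest := sha256.Sum256(data)
	// 2: sign the digest with the sender's private key and append the signature to the data.
	sig, err := rsa.SignPKCS1v15(Rand, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, data...), sig...)
	// 3: fresh temporary key (AES-256) plus a GCM nonce; encrypt (data || signature) with them.
	buf := make([]byte, 32+12)
	if _, err := Rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	// 4: wrap the temporary key with the receiver's public key (RSA-OAEP) and attach it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), Rand, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, gcm.Seal(nil, nonce, plain, nil), wrapped}, nil
}

// Open runs the receiver-side steps 1-4; data comes back only if the GCM tag, the signature and the digest all verify.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// 1: recover the temporary key with the receiver's own private key.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return nil, errors.New("malformed envelope: cannot unwrap the temporary key")
	}
	// 2: decrypt (data || signature); GCM rejects any modified ciphertext at this point.
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	// An RSA signature is exactly senderPub.Size() bytes, so split on that boundary.
	n := senderPub.Size()
	if len(plain) < n {
		return nil, errors.New("payload shorter than one signature")
	}
	data, sig := plain[:len(plain)-n], plain[len(plain)-n:]
	// 3+4: recompute the digest and check it against the signature with the sender's public key.
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("sender identity or data integrity check failed")
	}
	return data, nil
}
```

Steps 3 and 4 of the receiver are one call in Go, because VerifyPKCS1v15 performs the public-key decryption and the digest comparison together.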
2. Describe the process of creating a private CA and issuing a certificate for a certificate request sent by a client.
Building the private CA on the CA host
1. Generate the private key
[[email protected] ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.......................................++
.......................................++
e is 65537 (0x10001)
2. Generate the self-signed certificate
[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:MagEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:[email protected]
[[email protected] ~]# ls /etc/pki/CA/
cacert.pem  certs  crl  newcerts  private
Parameters:
-new: generate a new certificate signing request;
-x509: generate a self-signed certificate; used only when creating a private CA;
-key: path to the private key file used to generate the request;
-out: path of the generated request file; with -x509 the signed certificate is written there directly;
-days: validity period of the certificate, in days;
3. Provide the directories and files the CA needs
[[email protected] ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[[email protected] ~]# touch /etc/pki/CA/{serial,index.txt}
[[email protected] ~]# echo 01 > /etc/pki/CA/serial
A host that needs a certificate for secure communication asks the CA host to sign one:
Steps (using httpd as the example):
[[email protected] ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2017-07-12 21:16:38 CST; 10s ago
 Main PID: 3975 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─3975 /usr/sbin/httpd -DFOREGROUND
           ├─3976 /usr/sbin/httpd -DFOREGROUND
           ├─3977 /usr/sbin/httpd -DFOREGROUND
           ├─3978 /usr/sbin/httpd -DFOREGROUND
           ├─3979 /usr/sbin/httpd -DFOREGROUND
           └─3980 /usr/sbin/httpd -DFOREGROUND

Jul 12 21:16:38 localhost.localdomain httpd[3975]: AH00558: httpd: Could not ...
Jul 12 21:16:38 localhost.localdomain systemd[1]: Started The Apache HTTP Ser...
Hint: Some lines were ellipsized, use -l to show in full.
1. The host that will use the certificate generates its private key;
[[email protected] ~]# mkdir /etc/httpd/ssl
[[email protected] ~]# cd /etc/httpd/ssl
[[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
..........+++
e is 65537 (0x10001)
2. Generate the certificate signing request
[[email protected] ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:MagEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# ll
total 8
-rw-r--r--. 1 root root 1058 Jul 12 21:21 httpd.csr
-rw-------. 1 root root 1679 Jul 12 21:17 httpd.key
3. Send the request to the CA host through a trusted channel;
[[email protected] ssl]# scp httpd.csr 192.168.10.10:/tmp/
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is 32:15:52:1a:72:71:51:a2:c2:ad:bb:c4:b9:55:f8:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr                                     100% 1058     1.0KB/s   00:00
4. Sign the certificate on the CA host;
[[email protected] ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 12 13:24:27 2017 GMT
            Not After : Jul 12 13:24:27 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MagEdu
            organizationalUnitName    = Ops
            commonName                = www.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:B9:84:A8:FC:F8:06:37:A1:BD:B7:E7:E6:BD:08:35:AE:A2:2A:C6
            X509v3 Authority Key Identifier:
                keyid:B4:63:A6:45:FF:D9:C2:7B:7A:F3:09:45:CF:F0:9C:0E:6D:26:9A:E4

Certificate is to be certified until Jul 12 13:24:27 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[[email protected] CA]# cat index.txt
V       180712132427Z           01      unknown /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
5. Send the certificate signed by the CA host back to the requesting host
[[email protected] CA]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is 93:3b:4a:9e:0e:a0:bd:84:de:a0:cb:6e:3a:9f:43:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.20' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt                                     100% 5881     5.7KB/s   00:00
6. Inspect the information in the certificate (possible on both the CA host and the client):
CA host
[[email protected] CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
Client host
[[email protected] ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shanghai/O=MagEdu/OU=Ops/CN=www.magedu.com/[email protected]
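The same private-CA workflow done programmatically, as an added example that is not part of the assignment: Go's crypto/x509 stands in for the openssl commands above, the DN is reduced to O and CN, and a final chain check (the equivalent of openssl verify, which the session above never runs) is included. NewCA, NewCSR, Sign and Verify are names chosen here; the caller generates the RSA keys, as openssl genrsa did.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var Rand = rand.Reader // CSPRNG for signatures (exported so tests can generate keys with it)

// NewCA is "openssl req -new -x509 -key cakey.pem": a self-signed certificate with Basic Constraints CA:TRUE.
func NewCA(caKey *rsa.PrivateKey, cn string, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"MagEdu"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(0, 0, days),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(Rand, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCSR is the requesting host's "openssl req -new -key httpd.key": its public key and DN, signed with its private key.
func NewCSR(hostKey *rsa.PrivateKey, cn string) (*x509.CertificateRequest, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{"MagEdu"}, CommonName: cn}, DNSNames: []string{cn}}
	der, err := x509.CreateCertificateRequest(Rand, req, hostKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// Sign is the CA's "openssl ca -in httpd.csr": check the CSR's own signature ("Signature ok") and issue a CA:FALSE certificate under the next serial.
func Sign(ca *x509.Certificate, caKey *rsa.PrivateKey, csr *x509.CertificateRequest, serial int64, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(0, 0, days),
		BasicConstraintsValid: true, // IsCA stays false: "CA:FALSE", as in the output above
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(Rand, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the client-side check the session above never runs: chain the issued certificate back to the private CA and match the hostname (like "openssl verify -CAfile cacert.pem").
func Verify(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```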
3. Describe the DNS query process and the categories of DNS servers.
DNS query process
Client --> hosts file --> DNS local cache --> DNS server --> recursion
Domains the server is authoritative for: query the local zone database directly and return the answer;
Domains it is not authoritative for: server cache --> iteration
Once the client enters a domain name, a DNS query is started:
1. The client looks the name up in its local hosts file;
2. If hosts has no answer, the local DNS cache is consulted;
3. If the local cache has no answer, the query goes to the DNS server configured on the host (the client asks the configured server only once; that server does all further lookups on its behalf, which is a recursive query);
4. If the configured DNS server has no answer either, it by default queries the root servers, the second-level domain servers and the third-level domain servers in turn (iterative queries), and returns the result to the client.
DNS server categories
Authoritative for at least one zone:
Primary (master) name server: the server that maintains the database of the zone it is responsible for; both reads and writes are possible
Secondary (slave) name server: "copies" the zone data from the master DNS server or from another slave DNS server; read-only
Not authoritative for any zone:
Caching name server: runs the name-server software but has no zone database
Forwarding name server: handles local queries for all non-local domain names
4. Build a DNS setup that resolves the magedu.com domain (choose hostnames and IP addresses yourself)
Lab environment:
Master DNS server: 192.168.10.11 (CentOS 7.2)
Slave DNS server: 192.168.10.12 (CentOS 7.2)
Subdomain DNS server: 192.168.10.13 (CentOS 7.2)
(1) Forward and reverse resolution for a number of hostnames;
1. Install the bind package on the master DNS server and edit the global options in the main configuration file /etc/named.conf as follows:
[[email protected] ~]# yum install bind -y
[[email protected] ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
2. Check the configuration file, start the service, and confirm that port 53 is listening
[[email protected] ~]# named-checkconf
[[email protected] ~]# systemctl start named.service
[[email protected] ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.11:53       *:*
udp    UNCONN     0      0      127.0.0.1:53           *:*
tcp    LISTEN     0      10     192.168.10.11:53       *:*
tcp    LISTEN     0      10     127.0.0.1:53           *:*
3. In the auxiliary configuration file /etc/named.rfc1912.zones, define the forward zone magedu.com and the reverse zone 10.168.192.in-addr.arpa
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.zone";
};
4. Edit the forward zone file /var/named/magedu.com.zone, fix its group and permissions, and check it
[[email protected] ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX  10  mail
        IN      MX  20  smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
[[email protected] ~]# chown :named /var/named/magedu.com.zone
[[email protected] ~]# chmod o= /var/named/magedu.com.zone
[[email protected] ~]# ll /var/named/magedu.com.zone
-rw-r-----. 1 root named 313 Sep  2 16:54 /var/named/magedu.com.zone
[[email protected] ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2017100101
OK
5. Edit the reverse zone file /var/named/192.168.10.zone, fix its group and permissions, and check it
[[email protected] ~]# vim /var/named/192.168.10.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@       IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1.magedu.com.
11      IN      PTR     ns1.magedu.com.
12      IN      PTR     mail.magedu.com.
13      IN      PTR     smtp.magedu.com.
11      IN      PTR     www.magedu.com.
12      IN      PTR     bbs.magedu.com.
13      IN      PTR     bbs.magedu.com.
[[email protected] ~]# chgrp named /var/named/192.168.10.zone
[[email protected] ~]# chmod o= /var/named/192.168.10.zone
[[email protected] ~]# ll /var/named/192.168.10.zone
-rw-r-----. 1 root named 309 Sep  2 17:05 /var/named/192.168.10.zone
[[email protected] ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone magedu.com/IN: loaded serial 2017100101
zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101
6. Reload the configuration and test that forward and reverse resolution work
[[email protected] ~]# rndc reload
server reload successful
[[email protected] ~]# host ns1.magedu.com 192.168.10.11
Using domain server:
Name: 192.168.10.11
Address: 192.168.10.11#53
Aliases:

ns1.magedu.com has address 192.168.10.11
[[email protected] ~]# dig -t A www.magedu.com @192.168.10.11

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32622
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         3600    IN      A       192.168.10.11

;; AUTHORITY SECTION:
magedu.com.             3600    IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11

;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 17:15:16 CST 2017
;; MSG SIZE  rcvd: 93

[[email protected] ~]# dig -x 192.168.10.13 @192.168.10.11

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.10.13 @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51557
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;13.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
13.10.168.192.in-addr.arpa. 3600 IN     PTR     smtp.magedu.com.
13.10.168.192.in-addr.arpa. 3600 IN     PTR     bbs.magedu.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11

;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 17:17:45 CST 2017
;; MSG SIZE  rcvd: 136
(2) Delegate the subdomain cdn.magedu.com; the subdomain server is responsible for resolving the hostnames in that subdomain;
1. Edit the master DNS server's forward zone file /var/named/magedu.com.zone: add the delegation records for the subdomain and bump the serial number at the same time, then reload the configuration
[[email protected] ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. (
                2017100102
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX  10  mail
        IN      MX  20  smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
cdn     IN      NS      ns1.cdn
ns1.cdn IN      A       192.168.10.13
[[email protected] ~]# systemctl reload named.service
2. Install the bind package on the subdomain DNS server and edit the global options in the main configuration file /etc/named.conf as follows:
[[email protected] ~]# yum install -y bind
[[email protected] ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
3. Check the configuration file, start the service, and confirm that port 53 is listening
[[email protected] ~]# named-checkconf
[[email protected] ~]# systemctl start named.service
[[email protected] ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.13:53       *:*
udp    UNCONN     0      0      127.0.0.1:53           *:*
tcp    LISTEN     0      10     127.0.0.1:53           *:*
tcp    LISTEN     0      5      192.168.122.1:53       *:*
4. In the auxiliary configuration file /etc/named.rfc1912.zones, define the subdomain cdn.magedu.com and a forward zone for the parent domain magedu.com
zone "cdn.magedu.com" IN {
        type master;
        file "cdn.magedu.com.zone";
};
zone "magedu.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.10.11; };
};
5. Edit the subdomain zone file /var/named/cdn.magedu.com.zone, fix its group and permissions, and check it
[[email protected] ~]# vim /var/named/cdn.magedu.com.zone
$TTL 3600
$ORIGIN cdn.magedu.com.
@       IN      SOA     ns1.cdn.magedu.com. dnsadmin.magedu.com. (
                2017100101
                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.10.13
www     IN      A       192.168.10.14
forum   IN      A       192.168.10.15
[[email protected] ~]# chgrp named /var/named/cdn.magedu.com.zone
[[email protected] ~]# chmod o= /var/named/cdn.magedu.com.zone
[[email protected] ~]# ll /var/named/cdn.magedu.com.zone
-rw-r-----. 1 root named 204 Sep  2 17:50 /var/named/cdn.magedu.com.zone
[[email protected] ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone cdn.magedu.com/IN: loaded serial 2017100101
6. Reload the configuration and test that both parent-domain and subdomain resolution work
[[email protected] ~]# systemctl reload named.service
Test result: the parent-domain master DNS server resolving a name in the subdomain:
[[email protected] ~]# dig -t A forum.cdn.magedu.com @192.168.10.11

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A forum.cdn.magedu.com @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;forum.cdn.magedu.com.          IN      A

;; ANSWER SECTION:
forum.cdn.magedu.com.   3544    IN      A       192.168.10.15

;; AUTHORITY SECTION:
cdn.magedu.com.         3544    IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     3544    IN      A       192.168.10.13

;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 19:34:10 CST 2017
;; MSG SIZE  rcvd: 99
Test results: the subdomain DNS server resolving names in the subdomain and in the parent domain:
[[email protected] ~]# dig -t A www.cdn.magedu.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.cdn.magedu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26686
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com.            IN      A

;; ANSWER SECTION:
www.cdn.magedu.com.     3600    IN      A       192.168.10.14

;; AUTHORITY SECTION:
cdn.magedu.com.         3600    IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     3600    IN      A       192.168.10.13

;; Query time: 3 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sat Sep 02 19:30:50 CST 2017
;; MSG SIZE  rcvd: 97

[[email protected] ~]# dig -t A www.magedu.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         3448    IN      A       192.168.10.11

;; AUTHORITY SECTION:
magedu.com.             3448    IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3448    IN      A       192.168.10.11

;; Query time: 1 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sat Sep 02 19:30:55 CST 2017
;; MSG SIZE  rcvd: 93
(3) To keep the DNS service highly available, design a solution and describe its implementation in detail
High availability of the DNS service is usually achieved through master/slave replication, with access-control directives to keep it secure. The implementation is as follows:
1. In the master DNS server's auxiliary configuration file /etc/named.rfc1912.zones, add an allow-transfer { }; statement to the forward zone magedu.com, so that only the authorized slave DNS server can copy the zone
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 192.168.10.12; };
};
2. Edit the master DNS server's forward zone file /var/named/magedu.com.zone: add the NS record and the A record for the slave DNS server, and bump the serial number at the same time
[[email protected] ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. (
                2017100104
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX  10  mail
        IN      MX  20  smtp
ns1     IN      A       192.168.10.11
mail    IN      A       192.168.10.12
smtp    IN      A       192.168.10.13
www     IN      A       192.168.10.11
web     IN      CNAME   www
bbs     IN      A       192.168.10.12
bbs     IN      A       192.168.10.13
cdn     IN      NS      ns1.cdn
ns1.cdn IN      A       192.168.10.13
        IN      NS      slave
slave   IN      A       192.168.10.12
3. Check and reload the configuration
[[email protected] ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone magedu.com/IN: loaded serial 2017100104
zone 10.168.192.in-addr.arpa/IN: loaded serial 2017100101
[[email protected] ~]# rndc reload
server reload successful
4. Install the bind package on the slave DNS server and edit the global options in the main configuration file /etc/named.conf as follows:
[[email protected] ~]# yum install bind -y
[[email protected] ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
5. Check the configuration file, start the service, and confirm that port 53 is listening
[[email protected] ~]# named-checkconf
[[email protected] ~]# systemctl start named.service
[[email protected] ~]# ss -tunl | grep :53
udp    UNCONN     0      0      192.168.10.12:53       *:*
udp    UNCONN     0      0      127.0.0.1:53           *:*
tcp    LISTEN     0      10     192.168.10.12:53       *:*
tcp    LISTEN     0      10     127.0.0.1:53           *:*
6. In the slave DNS server's auxiliary configuration file /etc/named.rfc1912.zones, add the following zone definition (the slave keeps its copy of the zone in /var/named/slaves/magedu.com.zone)
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;
        file "slaves/magedu.com.zone";
        masters { 192.168.10.11; };
};
7. Check and reload the configuration
[[email protected] ~]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
[[email protected] ~]# rndc reload
server reload successful
8. Use dig -t axfr to simulate a full zone transfer and confirm it works, and check that the zone file has been transferred to the slave DNS server. Note one line in the output below: slave.magedu.com appears as an NS record of ns1.cdn.magedu.com rather than of the zone apex. In a zone file a record whose owner field is blank inherits the owner of the preceding record, so an "IN NS slave" line written after "ns1.cdn IN A ..." belongs to ns1.cdn; to advertise the slave as a name server for magedu.com, that line must sit with the other apex records, directly after "IN NS ns1".
[[email protected] ~]# dig -t axfr magedu.com @192.168.10.11

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr magedu.com @192.168.10.11
;; global options: +cmd
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400
magedu.com.             3600    IN      NS      ns1.magedu.com.
magedu.com.             3600    IN      MX      10 mail.magedu.com.
magedu.com.             3600    IN      MX      20 smtp.magedu.com.
bbs.magedu.com.         3600    IN      A       192.168.10.12
bbs.magedu.com.         3600    IN      A       192.168.10.13
cdn.magedu.com.         3600    IN      NS      ns1.cdn.magedu.com.
ns1.cdn.magedu.com.     3600    IN      A       192.168.10.13
ns1.cdn.magedu.com.     3600    IN      NS      slave.magedu.com.
mail.magedu.com.        3600    IN      A       192.168.10.12
ns1.magedu.com.         3600    IN      A       192.168.10.11
slave.magedu.com.       3600    IN      A       192.168.10.12
smtp.magedu.com.        3600    IN      A       192.168.10.13
web.magedu.com.         3600    IN      CNAME   www.magedu.com.
www.magedu.com.         3600    IN      A       192.168.10.11
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 2017100104 3600 600 259200 86400
;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Sat Sep 02 20:14:14 CST 2017
;; XFR size: 16 records (messages 1, bytes 365)
[[email protected] ~]# ls /var/named/slaves/
magedu.com.zone
9. Check the named service status for the result of the master/slave replication, and test that resolution works
[[email protected] ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-09-02 20:05:14 CST; 10min ago
  Process: 13105 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13102 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13108 (named)
   CGroup: /system.slice/named.service
           └─13108 /usr/sbin/named -u named

Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: B.E.F.IP6.ARPA
Sep 02 20:11:53 localhost.localdomain named[13108]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 02 20:11:53 localhost.localdomain named[13108]: reloading configuration succeeded
Sep 02 20:11:53 localhost.localdomain named[13108]: reloading zones succeeded
Sep 02 20:11:53 localhost.localdomain named[13108]: all zones loaded
Sep 02 20:11:53 localhost.localdomain named[13108]: running
Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: Transfer started.
Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: connected using 192.168.10.12#56008
Sep 02 20:11:53 localhost.localdomain named[13108]: zone magedu.com/IN: transferred serial 2017100104
Sep 02 20:11:53 localhost.localdomain named[13108]: transfer of 'magedu.com/IN' from 192.168.10.11#53: Transfer completed: 1 messag...s/sec)
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] ~]# dig -t A mail.magedu.com @192.168.10.12

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A mail.magedu.com @192.168.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41990
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.magedu.com.               IN      A

;; ANSWER SECTION:
mail.magedu.com.        3600    IN      A       192.168.10.12

;; AUTHORITY SECTION:
magedu.com.             3600    IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       192.168.10.11

;; Query time: 1 msec
;; SERVER: 192.168.10.12#53(192.168.10.12)
;; WHEN: Sat Sep 02 20:20:39 CST 2017
;; MSG SIZE  rcvd: 94
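An added check, not part of the assignment, for the stray "ns1.cdn.magedu.com. IN NS slave.magedu.com." line that the AXFR output in step 8 shows: a small Go parser of the step-2 zone file (reproduced inline as constructed input) that applies the master-file rule that a record whose owner field is blank takes the owner of the previous record. It assumes class IN and one record per line, with the SOA's parenthesised values written on one line; ParseZone and RR are names chosen here.

```go
package main

import "strings"

// RR is one resource record with its owner name fully qualified.
type RR struct{ Owner, Type, Data string }

// ZoneStep2 reproduces the records of the magedu.com zone file from step 2 of the
// high-availability section in the usual master-file layout (a constructed copy).
const ZoneStep2 = `$TTL 3600
$ORIGIN magedu.com.
@       IN SOA ns1.magedu.com. dnsadmin.magedu.com. ( 2017100104 1H 10M 3D 1D )
        IN NS  ns1
        IN MX  10 mail
        IN MX  20 smtp
ns1     IN A   192.168.10.11
mail    IN A   192.168.10.12
smtp    IN A   192.168.10.13
www     IN A   192.168.10.11
web     IN CNAME www
bbs     IN A   192.168.10.12
bbs     IN A   192.168.10.13
cdn     IN NS  ns1.cdn
ns1.cdn IN A   192.168.10.13
        IN NS  slave
slave   IN A   192.168.10.12
`

// fqdn qualifies a relative name with the current origin; "@" means the origin itself.
func fqdn(name, origin string) string {
	if name == "@" || strings.HasSuffix(name, ".") {
		return strings.Replace(name, "@", origin, 1)
	}
	return name + "." + origin
}

// ParseZone reads a master file as far as this exercise needs (class IN, one record per
// line): it honours $ORIGIN, qualifies relative names, and applies the rule that a line
// beginning with whitespace has the same owner as the previous record.
func ParseZone(text, origin string) []RR {
	var rrs []RR
	prevOwner := ""
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.NewReplacer("(", " ", ")", " ").Replace(line))
		if len(f) == 0 {
			continue
		}
		if f[0] == "$ORIGIN" {
			origin = f[1]
		}
		if strings.HasPrefix(f[0], "$") {
			continue // $TTL plays no part here
		}
		owner := prevOwner // blank owner field: inherit the previous record's owner
		if line[0] != ' ' && line[0] != '\t' {
			owner, f = fqdn(f[0], origin), f[1:]
		}
		typ, data := f[1], f[2:] // f[0] is the class, IN
		if typ == "NS" || typ == "CNAME" || typ == "MX" || typ == "PTR" {
			data[len(data)-1] = fqdn(data[len(data)-1], origin) // target may be relative
		}
		rrs = append(rrs, RR{owner, typ, strings.Join(data, " ")})
		prevOwner = owner
	}
	return rrs
}
```

Parsing ZoneStep2 yields the same picture as the AXFR output: the apex lists only ns1.magedu.com., while slave.magedu.com. hangs off ns1.cdn.magedu.com.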