DNS master/slave TSIG encrypted transfer


So that it can provide resolution service securely, BIND supports the TSIG (Transaction SIGnature) mechanism. TSIG uses a cryptographic code to protect the transfer of zone data (zone transfer); in other words, it secures the transfer of zone data between DNS servers. Strictly speaking, TSIG does not encrypt the traffic: each message carries an HMAC computed with a shared secret, so the zone data still travels in the clear, but the master will only serve a transfer to a requester that proves possession of the key.
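As an added illustration (not code from the post), the following Python computes and verifies the TSIG MAC that named attaches to an AXFR request. It uses the key name and secret from the transfer.key file created in step 2 below, the TSIG algorithm identifier for HMAC-MD5 from RFC 8945, the zone kernel.org that the final step transfers, and an assumed fixed signing time.

```python
import base64
import hashlib
import hmac
import struct

# Key name and secret as written in the post's transfer.key (step 2); the algorithm
# name is the TSIG identifier for HMAC-MD5 (RFC 8945), the one named uses for hmac-md5.
KEY_NAME = "master-slave"
SECRET = base64.b64decode("driJBeDX3zCdS2XptPG5tg==")
ALGORITHM = "hmac-md5.sig-alg.reg.int"

def wire_name(name):
    """Encode a domain name in uncompressed, lower-cased DNS wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def axfr_query(zone, txid=0x1234):
    """The unsigned AXFR request a slave sends to its master (QTYPE 252, CLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # QDCOUNT=1, no other RRs
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_variables(time_signed, fudge=300, error=0, other=b""):
    """Fields of the TSIG RR that the MAC covers (RFC 8945 4.3.3): owner name,
    class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_mac(message, time_signed, secret=SECRET):
    """MAC for an initial request: HMAC(secret, message || TSIG variables); there is
    no prior request MAC. The message bytes themselves are not encrypted."""
    return hmac.new(secret, message + tsig_variables(time_signed), hashlib.md5).digest()

def verify(message, time_signed, mac, secret=SECRET, now=None, fudge=300):
    """What the master does on receipt: reject a signature outside the fudge window
    (BIND's default is 300 s), then compare MACs in constant time."""
    now = time_signed if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(mac, tsig_mac(message, time_signed, secret))

if __name__ == "__main__":
    request = axfr_query("kernel.org")
    mac = tsig_mac(request, 1_700_000_000)
    print("MAC:", mac.hex(), "verifies:", verify(request, 1_700_000_000, mac))
```

A wrong key, a modified request or a stale timestamp all fail verify(), which is exactly the check that makes allow-transfer { key master-slave; } meaningful.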

Master DNS server IP: 192.168.16.20

Slave DNS server IP: 192.168.16.30

1. On the master server, generate the DNS service key with dnssec-keygen

[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave  // -a specifies the algorithm, -b the key length in bits, -n the key type
Kmaster-slave.+157+14145
[root@localhost ~]# ll Kmaster-slave.+157+14145.*
-rw-------. 1 root root  56 Feb 12 06:00 Kmaster-slave.+157+14145.key
-rw-------. 1 root root 165 Feb 12 06:00 Kmaster-slave.+157+14145.private
[root@localhost ~]#

2. Create the key verification file on the master server

[root@localhost ~]# vim /var/named/chroot/etc/transfer.key

key "master-slave" {
        algorithm hmac-md5;
        secret "driJBeDX3zCdS2XptPG5tg==";
};

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

3. Enable key verification on the master server

[root@localhost ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";             // add this line on the master server
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key master-slave; }; 
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4. Configure the slave server to support key verification

Create the key file

[root@localhost ~]# scp /var/named/chroot/etc/transfer.key root@192.168.16.30:/var/named/chroot/etc/
The authenticity of host '192.168.16.30 (192.168.16.30)' can't be established.
ECDSA key fingerprint is e6:a7:36:06:53:ce:71:ac:93:3a:b7:d1:47:9c:85:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.16.30' (ECDSA) to the list of known hosts.
root@192.168.16.30's password:
transfer.key                                  100%   79     0.1KB/s   00:00

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

Edit the slave server's main configuration file

[root@localhost slaves]# !v
vim /etc/named.conf

include "/etc/transfer.key";             // the key copied above must be defined on the slave too, or named rejects the server {} block that references it
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
server 192.168.16.20 {                   // "192.168.16.20" is the master server's IP address; add this block on the slave server
        keys { master-slave; };   
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

5. Verify that the encrypted transfer works

[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]# rm -rf /var/named/slaves/kernel.org.zone
[root@localhost ~]# ls /var/named/slaves/
[root@localhost ~]# systemctl restart named
[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]#
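The restart test above shows that the transfer succeeds, not that it is restricted to key holders. As an added check (not part of the post), this Python audits named.conf text for the settings steps 3 and 4 depend on: the master gates allow-transfer on a defined key rather than any or an address ACL, and the slave has a server block for the master that names a defined key. The config fragments are constructed from the post's values with the key file inlined; the hmac-md5 finding is a caveat beyond the post, since newer BIND releases default to hmac-sha256.

```python
import re
# Constructed named.conf fragments modelled on the post (not copied verbatim): the
# hardened master, a weak master that opens transfers to anyone, and the slave.
MASTER_OK = '''
key "master-slave" { algorithm hmac-md5; secret "driJBeDX3zCdS2XptPG5tg=="; };
options { allow-query { any; }; allow-transfer { key master-slave; }; };
'''
MASTER_WEAK = 'options { allow-query { any; }; allow-transfer { any; }; };'
SLAVE_OK = '''
key "master-slave" { algorithm hmac-md5; secret "driJBeDX3zCdS2XptPG5tg=="; };
server 192.168.16.20 { keys { master-slave; }; };
'''
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{[^}]*?algorithm\s+([\w.-]+)\s*;')
XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')
SERVER_RE = re.compile(r'server\s+([\d.]+)\s*\{[^}]*?keys\s*\{([^}]*)\}')

def defined_keys(conf):
    """Map key name -> algorithm for every key {} statement in the config text."""
    return {name: alg.lower() for name, alg in KEY_RE.findall(conf)}

def audit_master(conf):
    """Findings for the master: transfers must be gated on a defined TSIG key."""
    keys, findings = defined_keys(conf), []
    m = XFER_RE.search(conf)
    if m is None:
        return ["no allow-transfer: this generation of BIND defaults to allowing any host"]
    for entry in [e.strip() for e in m.group(1).split(";") if e.strip()]:
        if entry == "any":
            findings.append("allow-transfer { any; } lets any host dump the whole zone")
        elif entry.startswith("key "):
            name = entry.split()[1]
            if name not in keys:
                findings.append(f"allow-transfer names undefined key '{name}' (missing include?)")
            elif keys[name] == "hmac-md5":
                findings.append(f"key '{name}' uses hmac-md5; prefer hmac-sha256 for new keys")
        else:
            findings.append(f"entry '{entry}' is an address ACL, not a TSIG key")
    return findings

def audit_slave(conf, master_ip):
    """Findings for the slave: a server {} block must sign requests to the master."""
    keys, findings = defined_keys(conf), []
    servers = {ip: [k.strip() for k in ks.split(";") if k.strip()] for ip, ks in SERVER_RE.findall(conf)}
    if master_ip not in servers:
        return [f"no server {master_ip} block: requests to the master go unsigned"]
    for name in servers[master_ip]:
        if name not in keys:
            findings.append(f"server block names undefined key '{name}' (missing include?)")
    return findings
```

Feed it the real files with their included key file concatenated; an empty list from both functions means the configuration matches what the post sets up.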
