Unit 3: Caching DNS
I. DNS
1 Authoritative name servers
Store and serve the actual data of a zone (an entire DNS domain or a part of one). The kinds of authoritative name server are:
Master: holds the original zone data. Sometimes called the "primary" name server.
Slave: a backup server that obtains a copy of the zone data from the master by zone transfer. Sometimes called the "secondary" name server.
2 Non-authoritative / recursive name servers
Servers through which clients look up the data held by the authoritative name servers; they answer from cache when they can and recurse on the client's behalf otherwise.
3 DNS lookup
II. DNS resource records
A DNS zone stores its information as resource records. Every resource record has a type that indicates what kind of data it holds:
A: name to IPv4 address
AAAA: name to IPv6 address
CNAME: name to "canonical name" (another name that carries the A/AAAA records)
PTR: IPv4/IPv6 address to name
MX: mail exchanger for a name (where to send its e-mail); its target is a host name, not an address
NS: name server for a domain
SOA: "start of authority", information (administrative data) about the DNS zone
III. DNS troubleshooting
dig shows the details of a DNS lookup, including why a query failed. The status field in the header is the response code:
NOERROR: the query succeeded (NOERROR with an empty ANSWER section means the name exists but has no record of the queried type)
NXDOMAIN: the DNS server says no such name exists
SERVFAIL: the DNS server failed, for example it is down, cannot reach the authoritative servers, or DNSSEC validation of the response failed
REFUSED: the DNS server declined to answer (usually for access-control reasons, e.g. recursion is not allowed for this client)
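The response codes above are easiest to act on from a script. The following is an added example, not code from the original page: a small Python parser for the text dig prints (the layout used in the sessions further down), which extracts the status, the header flags and the resource records of each section and turns them into the diagnosis a practitioner would give. The dig outputs inside it are constructed samples, not captured from the lab.

```python
# Added example, not from the original page: parse dig's text output and
# map status + flags to the diagnoses listed above.
import re

# Constructed sample: an authoritative NOERROR answer in dig's layout.
SAMPLE_OK = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.westos.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.westos.com.\t\t86400\tIN\tA\t172.25.254.212

;; AUTHORITY SECTION:
westos.com.\t\t86400\tIN\tNS\tdns.westos.com.

;; SERVER: 172.25.254.112#53(172.25.254.112)
"""

# Constructed sample: NXDOMAIN, the SOA in AUTHORITY is the negative-caching hint.
SAMPLE_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nosuch.westos.com.\t\tIN\tA

;; AUTHORITY SECTION:
westos.com.\t\t10800\tIN\tSOA\tdns.westos.com. root.westos.com. 0 86400 3600 604800 10800
"""

# Constructed sample: NOERROR but no answer (NODATA), from a non-authoritative cache.
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.westos.com.\t\t\tIN\tAAAA

;; AUTHORITY SECTION:
westos.com.\t\t10800\tIN\tSOA\tdns.westos.com. root.westos.com. 0 86400 3600 604800 10800
"""

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")      # does not match "OPT PSEUDOSECTION"
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")  # owner ttl IN type rdata


def parse_dig(text):
    """Return {'status', 'flags', 'sections': {NAME: [(owner, ttl, type, rdata)]}}."""
    result = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result["status"] = m.group("status")
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group("flags").split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"].setdefault(section, [])
            continue
        # Record lines are the only ones that do not start with ';' (the
        # QUESTION line does, so it is deliberately skipped here).
        if section and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                result["sections"][section].append((owner, int(ttl), rtype, rdata.strip()))
    return result


def explain(parsed):
    """Turn status and flags into the diagnosis listed in the section above."""
    meaning = {
        "NOERROR": "query succeeded",
        "NXDOMAIN": "server says the name does not exist",
        "SERVFAIL": "server failure (down, unreachable upstream, or DNSSEC validation failed)",
        "REFUSED": "server refused to answer (usually access control)",
    }
    status = parsed["status"]
    msg = meaning.get(status, "unknown status %s" % status)
    if status == "NOERROR" and not parsed["sections"].get("ANSWER"):
        msg += "; name exists but has no record of the queried type (NODATA)"
    if "aa" in parsed["flags"]:
        msg += "; answer is authoritative"
    elif status in ("NOERROR", "NXDOMAIN"):
        msg += "; answer came from a cache or recursive server"
    return msg
```

Feed it `subprocess.run(["dig", name], capture_output=True, text=True).stdout` to check a live server; the `aa` flag is the quick way to tell whether you are talking to the zone's master or to a cache.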
IV. Caching DNS server
Server:
1 yum install bind.x86_64 -y ### install BIND ###
2 systemctl stop firewalld.service ### stop the firewall (lab shortcut; in production open only 53/udp and 53/tcp) ###
3 systemctl start named ### start the service; the first start generates /etc/rndc.key and may appear to hang while it waits for random data, so on a VM type a few characters in the console to feed the entropy pool ###
4 vim /etc/named.conf ### edit the main configuration file ###
Change these lines:
listen-on port 53 { any; }; ### by default named listens only on the loopback interface, which other hosts cannot reach; any makes it listen on every interface ###
allow-query { any; }; ### allow anyone to query ###
forwarders {172.25.254.250;}; ### when the caching server has no answer in its cache it asks 172.25.254.250 (the upstream resolver of the lab network) ###
5 systemctl restart named ### restart the service ###
Note: allow-query { any; } on a server that recurses turns it into an open resolver; anyone who can reach it can use it, including as a reflector in DNS amplification attacks against third parties. Outside a closed lab, limit recursion to your own networks, e.g. allow-recursion { 172.25.0.0/16; localhost; };, and expose the server only to the clients that need it.
Client:
1 vim /etc/resolv.conf ### point nameserver at the DNS server ###
2 Test: dig www.baidu.com ### dig prints the query and the answer in detail ###
The session:
[root@localhost ~]# yum search dns
[root@localhost ~]# yum install bind.x86_64 -y
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# ll /etc/rndc.key ### before named has been started for the first time this file does not exist ###
ls: cannot access /etc/rndc.key: No such file or directory
[root@localhost ~]# systemctl start named ### first start; it generates /etc/rndc.key and on a VM short of entropy may block until you type some characters in the console ###
[root@localhost ~]# ll /etc/rndc.key
-rw-r-----. 1 root named 77 May 5 22:13 /etc/rndc.key
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# systemctl restart named ### restart the service ###
Client:
[root@localhost ~]# vim /etc/resolv.conf ### point nameserver at the DNS server ###
[root@localhost ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47262 ### NOERROR: the query succeeded ###
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1 ### no aa flag: this answer is not authoritative, it came through the cache ###
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION: ### what was asked ###
;www.baidu.com.                 IN      A
;; ANSWER SECTION: ### the response ###
www.baidu.com.          376     IN      CNAME   www.a.shifen.com. ### CNAME: name to "canonical name" ###
www.a.shifen.com.       300     IN      A       183.232.231.172 ### A: name to IPv4 address ###
www.a.shifen.com.       300     IN      A       183.232.231.173
;; AUTHORITY SECTION:
.                       513219  IN      NS      k.root-servers.net.
.                       513219  IN      NS      c.root-servers.net.
.                       513219  IN      NS      a.root-servers.net.
.                       513219  IN      NS      g.root-servers.net.
.                       513219  IN      NS      i.root-servers.net.
.                       513219  IN      NS      h.root-servers.net.
.                       513219  IN      NS      m.root-servers.net.
.                       513219  IN      NS      e.root-servers.net.
.                       513219  IN      NS      f.root-servers.net.
.                       513219  IN      NS      b.root-servers.net.
.                       513219  IN      NS      l.root-servers.net.
.                       513219  IN      NS      d.root-servers.net.
.                       513219  IN      NS      j.root-servers.net.
;; Query time: 349 msec ### how long the response took; the SERVER line below is the recursive name server the query was sent to ###
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 22:17:05 EDT 2017
;; MSG SIZE rcvd: 312
V. Writing the A record file (forward zone)
Server:
1 vim /etc/named.conf
2 vim /etc/named.rfc1912.zones
3 cd /var/named/
4 cp -p named.localhost westos.com.zone ### create the zone file from the template; -p is required so the copy keeps owner root, group named and mode 0640, otherwise named cannot read it ###
5 vim westos.com.zone ### write the A records ###
6 systemctl restart named ### restart the service ###
Client:
1 vim /etc/resolv.conf
2 Test: dig www.westos.com
The session:
Server:
[root@server ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
[root@server ~]# vim /etc/named.rfc1912.zones
zone "westos.com" IN { ### the domain this server is authoritative for ###
type master;
file "westos.com.zone"; ### zone file name, relative to the directory option (/var/named) ###
allow-update { none; };
};
[root@server ~]# cd /var/named/
[root@server named]# ll
total 20
drwxrwx---. 2 named named 22 May 5 22:13 data
drwxrwx---. 2 named named 30 May 5 23:30 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Jan 29 2014 slaves
-rw-r-----. 1 root named 349 May 5 23:29 westos.com.zone
[root@server named]# cp -p named.localhost westos.com.zone
[root@server named]# vim westos.com.zone ### write the A records ###
$TTL 1D ### default TTL: resolvers may cache these records for one day ###
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com. ### the name server of the zone ###
dns A 172.25.254.112 ### A record of the name server itself ###
www A 172.25.254.212 ### the A record being added ###
### @ stands for the zone name given in the zone "..." statement, here westos.com. dns.westos.com. is the name of the DNS server; the trailing dot is mandatory, without it BIND appends the origin and the name becomes dns.westos.com.westos.com. root.westos.com. is the responsible mailbox root@westos.com with the @ written as a dot. Increase the serial every time the file is edited, otherwise slaves never notice the change. ###
[root@server named]# systemctl restart named
Client:
[root@localhost ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.254.112
[root@localhost ~]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A
;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.254.212
;; AUTHORITY SECTION: ### the name servers responsible for the domain (zone) ###
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION: ### extra information, usually the addresses of the name servers ###
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:14:27 EDT 2017
;; MSG SIZE rcvd: 93
VI. Adding CNAME and MX records to the zone file
Server:
vim /var/named/westos.com.zone ### edit the zone file ###
systemctl restart named ### restart the service ###
Client:
Test: dig music.westos.com
dig -t mx westos.com
The session:
Server:
[root@server ~]# vim /var/named/westos.com.zone
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.112
www A 172.25.254.212
music CNAME music.a.westos.com. ### alias; the target must be a name that carries the A records ###
music.a A 172.25.254.111 ### two A records for one name: clients receive both (round robin) ###
music.a A 172.25.254.222
westos.com. MX 1 172.25.254.100. ### as written this is wrong even though named loads it: MX data is a host name, so "172.25.254.100." is treated as a name, not an address, and mail servers will try to resolve it and fail. Point the MX at a host that has an A record, e.g. "MX 1 mail.westos.com." together with "mail A 172.25.254.100" ###
[root@server ~]# systemctl restart named
Client:
[root@localhost ~]# dig music.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> music.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14025
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;music.westos.com.              IN      A
;; ANSWER SECTION:
music.westos.com.       86400   IN      CNAME   music.a.westos.com.
music.a.westos.com.     86400   IN      A       172.25.254.111
music.a.westos.com.     86400   IN      A       172.25.254.222
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:30:33 EDT 2017
;; MSG SIZE rcvd: 133
[root@localhost ~]# dig -t mx westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33372
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;westos.com.                    IN      MX
;; ANSWER SECTION:
westos.com.             86400   IN      MX      1 172.25.254.100.
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:30:46 EDT 2017
;; MSG SIZE rcvd: 103
VII. Different answers for different subnets (views)
Server:
1 cp /etc/named.rfc1912.zones /etc/named.rfc1912.inter -p
2 vim /etc/named.rfc1912.inter
3 cp /var/named/westos.com.zone /var/named/westos.com.inter -p
4 vim /var/named/westos.com.inter
5 vim /etc/named.conf ### define one view per client subnet; each view has a match-clients list and includes its own zone definition file ###
6 systemctl restart named
Client:
Test: dig www.westos.com ### from the client with IP 172.25.254.212 ###
dig www.westos.com ### from the client with IP 172.25.12.101 ###
The session:
[root@server ~]# cp /etc/named.rfc1912.zones /etc/named.rfc1912.inter -p
[root@server ~]# vim /etc/named.rfc1912.inter
zone "westos.com" IN {
type master;
file "westos.com.inter";
allow-update { none; };
};
[root@server ~]# cp /var/named/westos.com.zone /var/named/westos.com.inter -p
[root@server ~]# vim /var/named/westos.com.inter
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.12.112
www A 172.25.12.212
music CNAME music.a.westos.com.
music.a A 172.25.12.111
music.a A 172.25.12.222
westos.com. MX 1 172.25.12.100. ### same problem as in the 172.25.254.0 zone: an MX must point at a host name ###
[root@server ~]# vim /etc/named.conf ### the view definitions are not shown on this page: a view whose match-clients covers 172.25.12.0/24 includes /etc/named.rfc1912.inter, and the view for everyone else includes /etc/named.rfc1912.zones ###
[root@server ~]# systemctl restart named
Client:
[root@localhost ~]# dig www.westos.com ### from the client with IP 172.25.254.212 ###
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20946
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A
;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.254.212
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 02:31:35 EDT 2017
;; MSG SIZE rcvd: 93
[root@localhost ~]# vim /etc/resolv.conf ### on the client with IP 172.25.12.101 ###
# Generated by NetworkManager
search example.com
nameserver 172.25.12.100
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
[root@localhost ~]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51552
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A
;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.12.212
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.12.112
;; Query time: 0 msec
;; SERVER: 172.25.12.100#53(172.25.12.100)
;; WHEN: Sat May 06 02:40:07 EDT 2017
;; MSG SIZE rcvd: 93
VIII. Reverse resolution
Server:
1 vim /etc/named.rfc1912.zones
2 cd /var/named/
3 cp -p named.loopback /var/named/westos.com.ptr ### the reverse zone file name is garbled in the source; westos.com.ptr is used here ###
4 vim /var/named/westos.com.ptr ### one PTR record per address, the owner being the last octet relative to the zone origin, consistent with the answers below: "111 PTR www.westos.com." and "222 PTR bbs.westos.com." ###
5 systemctl restart named
Client:
Test: dig -x 172.25.254.111
The session:
Server:
[root@server ~]# vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN { ### the DNS server's subnet with the octets reversed, under in-addr.arpa ###
type master;
file "westos.com.ptr";
allow-update { none; };
};
[root@server ~]# cd /var/named/
[root@server named]# ll
total 28
drwxrwx---. 2 named named 22 May 5 22:13 data
drwxrwx---. 2 named named 4096 May 6 03:07 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Jan 29 2014 slaves
-rw-r-----. 1 root named 344 May 6 01:57 westos.com.inter
-rw-r-----. 1 root named 349 May 5 23:29 westos.com.zone
[root@server named]# cp -p named.loopback /var/named/westos.com.ptr
[root@server named]# vim /var/named/westos.com.ptr
[root@server named]# systemctl restart named
Client:
[root@localhost ~]# dig -x 172.25.254.111
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;111.254.25.172.in-addr.arpa.   IN      PTR
;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN   PTR     www.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 03:27:08 EDT 2017
;; MSG SIZE rcvd: 118
[root@localhost ~]# dig -x 172.25.254.222
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.254.25.172.in-addr.arpa.   IN      PTR
;; ANSWER SECTION:
222.254.25.172.in-addr.arpa. 86400 IN   PTR     bbs.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 1 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 03:30:35 EDT 2017
;; MSG SIZE rcvd: 118
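Reverse zones easily drift out of step with the forward zone; the session above already shows 172.25.254.222 mapping back to bbs.westos.com while the forward zone gives that address to music.a.westos.com. The following is an added example, not from the original page: Python that derives the in-addr.arpa owner names and PTR records from the forward A records of westos.com, renders them as a zone file in the same SOA layout the page uses, and checks forward-confirmed reverse DNS, i.e. that every PTR target has an A record for that address. The forward records are the ones written on this page; the generated reverse zone text and the check are this example's own.

```python
# Added example, not from the original page: build a reverse zone from the
# forward A records and check that forward and reverse agree.
import ipaddress
from collections import defaultdict

# Forward A records of westos.com as written in the zone file on this page.
FORWARD = {
    "dns": ["172.25.254.112"],
    "www": ["172.25.254.212"],
    "music.a": ["172.25.254.111", "172.25.254.222"],
}
ORIGIN = "westos.com."


def reverse_name(addr):
    """172.25.254.111 -> '111.254.25.172.in-addr.arpa.' (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_for(addr):
    """The /24 reverse zone owning addr: 172.25.254.111 -> '254.25.172.in-addr.arpa.'"""
    net = ipaddress.ip_network(addr + "/24", strict=False)
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def build_ptr_records(forward, origin):
    """{reverse zone: [(address, PTR owner, target fqdn), ...]}, one PTR per address."""
    zones = defaultdict(list)
    for owner, addrs in forward.items():
        fqdn = owner + "." + origin
        for addr in addrs:
            zones[reverse_zone_for(addr)].append((addr, reverse_name(addr), fqdn))
    return dict(zones)


def render_reverse_zone(zone, records, ns="dns.westos.com.", serial=0):
    """Zone file text in the SOA layout the page's forward zone uses (timer values assumed)."""
    lines = [
        "$TTL 1D",
        "@ IN SOA %s root.westos.com. (" % ns,
        "%d ; serial" % serial,
        "1D ; refresh",
        "1H ; retry",
        "1W ; expire",
        "3H ) ; minimum",
        "NS %s" % ns,
    ]
    for _, owner, target in sorted(records):
        rel = owner[: -(len(zone) + 1)]  # owner relative to the origin, e.g. "111"
        lines.append("%s PTR %s" % (rel, target))
    return "\n".join(lines) + "\n"


def fcrdns_check(forward, origin, ptr_zones):
    """Forward-confirmed reverse DNS: PTRs whose target has no A record for that address."""
    a_by_name = {owner + "." + origin: set(addrs) for owner, addrs in forward.items()}
    return [(addr, target)
            for records in ptr_zones.values()
            for addr, _, target in records
            if addr not in a_by_name.get(target, set())]


if __name__ == "__main__":
    ptrs = build_ptr_records(FORWARD, ORIGIN)
    for zone, records in ptrs.items():
        print("; zone", zone)
        print(render_reverse_zone(zone, records))
    print("FCrDNS mismatches:", fcrdns_check(FORWARD, ORIGIN, ptrs))
```

Write the rendered text to the file named in the zone statement (westos.com.ptr above, under /var/named with owner root, group named, mode 0640) and run `named-checkzone 254.25.172.in-addr.arpa /var/named/westos.com.ptr` before restarting; the mismatch list is what mail servers and SSH `UseDNS` checks effectively compute when they reject a host whose reverse and forward names disagree.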
IX. Dynamic DNS updates
Server:
1 cp -p /var/named/westos.com.zone /mnt/ ### keep a copy of the hand-written zone file ###
2 vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { 172.25.254.212; }; ### who may update the zone; an address-based ACL is weak, since the source address of a UDP update packet can be spoofed, the key-based (TSIG) form shown in the next section is the one to use ###
};
3 systemctl restart named
4 chmod 770 /var/named/ ### named must be able to create the journal file westos.com.zone.jnl in this directory ###
5 setsebool -P named_write_master_zones 1 ### SELinux boolean that lets named write master zone files ###
Client:
Test:
1 nsupdate ### add a record ###
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.222
> send
2 dig hello.westos.com ### check ###
3 nsupdate ### delete the record ###
> server 172.25.254.112
> update delete hello.westos.com
> send
The session:
Server:
[root@server named]# cp -p /var/named/westos.com.zone /mnt/
[root@server named]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { 172.25.254.212; };
};
[root@server named]# systemctl restart named
[root@server named]# chmod 770 /var/named/
[root@server named]# setsebool -P named_write_master_zones 1
Client:
[root@localhost ~]# nsupdate
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.222
> send
> ^C
[root@localhost ~]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12735
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com.              IN      A
;; ANSWER SECTION:
hello.westos.com.       86400   IN      A       172.25.254.222
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 04:05:37 EDT 2017
;; MSG SIZE rcvd: 95
### Dynamic updates are not written straight into westos.com.zone: named appends them to the journal westos.com.zone.jnl and merges the journal into the zone file later (on restart, or on rndc sync). After the restart the zone file has therefore been rewritten in named's own layout, as shown below. The .jnl file is the journal of pending changes, not a cache. ###
Restoring the hand-written westos.com.zone:
cd /var/named
rm -fr westos.com.zone westos.com.zone.jnl ### remove the rewritten zone file and its journal; deleting the journal discards the dynamic updates it holds ###
cp -p /mnt/westos.com.zone . ### put the saved copy back ###
Note: to edit a dynamic zone by hand without this dance, suspend updates with rndc freeze westos.com, edit the file, raise the serial, then rndc thaw westos.com.
The session:
[root@server named]# systemctl restart named
[root@server named]# vim /var/named/westos.com.zone
### the file as rewritten by named ###
$ORIGIN .
$TTL 86400 ; 1 day
westos.com IN SOA dns.westos.com. root.westos.com. (
1 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns.westos.com.
MX 1 172.25.254.100.
$ORIGIN westos.com.
music.a A 172.25.254.111
A 172.25.254.222
dns A 172.25.254.112
hello A 172.25.254.222
music CNAME music.a
www A 172.25.254.212
[root@server named]# ls
data named.empty slaves westos.com.zone
dynamic named.localhost westos.com.inter westos.com.zone.jnl
named.ca named.loopback westos.com.ptr
[root@server named]# vim /var/named/westos.com.zone
[root@server named]# rm -fr westos.com.zone westos.com.zone.jnl ### remove the rewritten zone file and its journal ###
[root@server named]# cp -p /mnt/westos.com.zone . ### put the saved copy back ###
[root@server named]# ls
data named.empty slaves westos.com.zone
dynamic named.localhost westos.com.inter
named.ca named.loopback westos.com.ptr
X. Configuring a TSIG key for updates
Server:
1 dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey ### generate the key: -a is the MAC algorithm, -b the key length in bits, -n the owner type of the key (HOST: a key belonging to a host), westoskey the key name. The session below uses 128 bits; the key id in the file name (23921 here) differs for every generated key. HMAC-MD5 is obsolete for TSIG; prefer -a HMAC-SHA256 -b 256, which this dnssec-keygen also supports ###
2 cat Kwestoskey.+157+23921.key ### the base64 secret follows the algorithm number (157 = HMAC-MD5) ###
3 cp -p /etc/rndc.key /etc/westos.key ### use rndc.key as the template for the key definition ###
4 vim /etc/westos.key ### contents not shown on the page; the standard form is key "westoskey" { algorithm hmac-md5; secret "<the base64 secret>"; }; ###
5 vim /etc/named.conf ### add include "/etc/westos.key"; so named knows the key ###
6 vim /etc/named.rfc1912.zones ### in zone "westos.com" use allow-update { key westoskey; }; instead of the address list ###
7 scp Kwestoskey.+157+23921.* root@172.25.254.212:/mnt/ ### send the key files to the client; the .private file holds the shared secret, so keep it mode 0600 and move it only over an authenticated channel such as scp ###
Client:
Test:
nsupdate -k Kwestoskey.+157+23921.private
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com
The session:
Server:
[root@server named]# dnssec-keygen --help
dnssec-keygen: invalid argument --
Usage:
dnssec-keygen [options] name
Version: 9.9.4-RedHat-9.9.4-29.el7
name: owner of the key
Options:
-K <directory>: write keys into directory
-a <algorithm>:
RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
RSASHA256 | RSASHA512 | ECCGOST |
ECDSAP256SHA256 | ECDSAP384SHA384 |
DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |
HMAC-SHA384 | HMAC-SHA512
(default: RSASHA1, or NSEC3RSASHA1 if using -3)
-3: use NSEC3-capable algorithm
-b <key size in bits>:
RSAMD5:[512..4096]
RSASHA1:[512..4096]
NSEC3RSASHA1:[512..4096]
RSASHA256:[512..4096]
RSASHA512:[1024..4096]
DH:[128..4096]
DSA:[512..1024] and divisible by 64
NSEC3DSA:[512..1024] and divisible by 64
ECCGOST:ignored
ECDSAP256SHA256:ignored
ECDSAP384SHA384:ignored
HMAC-MD5:[1..512]
HMAC-SHA1:[1..160]
HMAC-SHA224:[1..224]
HMAC-SHA256:[1..256]
HMAC-SHA384:[1..384]
HMAC-SHA512:[1..512]
(if using the default algorithm, key size
defaults to 2048 for KSK, or 1024 for all others)
-n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
(DNSKEY generation defaults to ZONE)
-c <class>: (default: IN)
-d <digest bits> (0 => max, default)
-E <engine>:
name of an OpenSSL engine to use
-f <keyflag>: KSK | REVOKE
-g <generator>: use specified generator (DH only)
-L <ttl>: default key TTL
-p <protocol>: (default: 3 [dnssec])
-r <randomdev>: a file containing random data
-s <strength>: strength value this key signs DNS records with (default: 0)
-T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
-t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-h: print usage and exit
-m <memory debugging mode>:
usage | trace | record | size | mctx
-v <level>: set verbosity level (0 - 10)
Timing options:
-P date/[+-]offset/none: set key publication date (default: now)
-A date/[+-]offset/none: set key activation date (default: now)
-R date/[+-]offset/none: set key revocation date
-I date/[+-]offset/none: set key inactivation date
-D date/[+-]offset/none: set key deletion date
-G: generate key only; do not set -P or -A
-C: generate a backward-compatible key, omitting all dates
-S <key>: generate a successor to an existing key
-i <interval>: prepublication interval for successor key (default: 30 days)
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private
[root@server named]# cd /mnt/
[root@server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey
Kwestoskey.+157+23921
[root@server mnt]# ls
Kwestoskey.+157+23921.key Kwestoskey.+157+23921.private westos.com.zone
[root@server mnt]# cat Kwestoskey.+157+23921.key
westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw==
[root@server mnt]# cp -p /etc/rndc.key /etc/westos.key
[root@server mnt]# vim /etc/westos.key
[root@server mnt]# vim /etc/named.conf
[root@server mnt]# vim /etc/named.rfc1912.zones
[root@server mnt]# systemctl restart named
[root@server mnt]# scp Kwestoskey.+157+23921.* root@172.25.254.212:/mnt/ ### send the key files to the client ###
The authenticity of host '172.25.254.212 (172.25.254.212)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.212' (ECDSA) to the list of known hosts.
root@172.25.254.212's password:
Kwestoskey.+157+23921.key 100% 53 0.1KB/s 00:00
Kwestoskey.+157+23921.private 100% 165 0.2KB/s 00:00
Client:
[root@localhost mnt]# nsupdate -k Kwestoskey.+157+23921.private
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com.              IN      A
;; ANSWER SECTION:
hello.westos.com.       86400   IN      A       172.25.254.111
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sun May 07 21:14:53 EDT 2017
;; MSG SIZE rcvd: 95
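The address-based allow-update of the previous section and the key-based one here differ in what authorizes an update: a source address, which a UDP packet can spoof, versus an HMAC over the message that only a holder of the secret can compute. The following is an added example, not from the original page or from BIND: Python that reads the K<name>.+<alg>+<id>.key line dnssec-keygen wrote, checks the algorithm and secret length, and emits the key stanza for /etc/westos.key, the zone statement with the key-based allow-update, the batch input for nsupdate -k, and the key/zone block dhcpd needs in the next section. The key line is the one shown on this page; the configuration text it produces is this example's own.

```python
# Added example, not from the original page: derive the BIND, nsupdate and
# dhcpd configuration fragments from a dnssec-keygen K*.key file and flag
# weak key choices.
import base64
import re

# Key line exactly as printed by `cat Kwestoskey.+157+23921.key` on this page.
KEY_FILE_LINE = "westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw=="

# Algorithm numbers BIND's dnssec-keygen uses for TSIG (HMAC) keys.
TSIG_ALGS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
             163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

# <name>. IN KEY <flags> <protocol> <algorithm> <base64 secret>
KEY_RE = re.compile(r"^(\S+?)\.?\s+IN\s+KEY\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s*$")


def parse_key_line(line):
    """Return {'name', 'algorithm', 'secret', 'bits'} for one K*.key record."""
    m = KEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a KEY record: %r" % line)
    name, algnum, secret = m.group(1), int(m.group(2)), m.group(3)
    if algnum not in TSIG_ALGS:
        raise ValueError("algorithm %d is not a TSIG HMAC algorithm" % algnum)
    # validate=True rejects anything that is not clean base64 (a truncated copy/paste).
    keybits = len(base64.b64decode(secret, validate=True)) * 8
    return {"name": name, "algorithm": TSIG_ALGS[algnum], "secret": secret, "bits": keybits}


def weaknesses(key):
    """Choices a reviewer would reject for a new deployment."""
    found = []
    if key["algorithm"] == "hmac-md5":
        found.append("hmac-md5 is obsolete for TSIG; generate with -a HMAC-SHA256")
    if key["bits"] < 128:
        found.append("secret is only %d bits; use -b 256 with HMAC-SHA256" % key["bits"])
    return found


def named_key_stanza(key):
    """Contents of /etc/westos.key (same shape as the rndc.key template)."""
    return ('key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n'
            % (key["name"], key["algorithm"], key["secret"]))


def zone_stanza(zone, zonefile, key):
    """Zone statement where a TSIG signature, not a spoofable address, authorizes updates."""
    return ('zone "%s" IN {\n\ttype master;\n\tfile "%s";\n\tallow-update { key "%s"; };\n};\n'
            % (zone, zonefile, key["name"]))


def dhcpd_key_block(key, zone, primary="127.0.0.1"):
    """key and zone blocks for dhcpd.conf so dhcpd can sign its DDNS updates."""
    return ("key %s {\n\talgorithm %s;\n\tsecret %s;\n};\n"
            "zone %s {\n\tprimary %s;\n\tkey %s;\n}\n"
            % (key["name"], key["algorithm"], key["secret"], zone, primary, key["name"]))


def nsupdate_script(server, name, ttl, rtype, rdata):
    """Batch input for: nsupdate -k K<name>.+<alg>+<id>.private script.txt"""
    return "server %s\nupdate add %s %d %s %s\nsend\nquit\n" % (server, name, ttl, rtype, rdata)


if __name__ == "__main__":
    key = parse_key_line(KEY_FILE_LINE)
    for w in weaknesses(key):
        print("WARNING:", w)
    print(named_key_stanza(key))
    print(zone_stanza("westos.com", "westos.com.zone", key))
    print(dhcpd_key_block(key, "westos.com."))
    print(nsupdate_script("172.25.254.112", "hello.westos.com", 86400, "A", "172.25.254.111"))
```

Run on the page's key it prints the hmac-md5 warning and the three fragments; the secret appears verbatim in /etc/westos.key and dhcpd.conf, so both files are credentials and need the same 0640/root-only handling as rndc.key. Running `named-checkconf` after dropping the fragments in catches a missing include or a stray quote before the restart does.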
XI. DHCP updating DNS
Server:
1 yum install dhcp -y ### install the DHCP server ###
2 cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf ### create the DHCP configuration from the example file ###
3 vim /etc/dhcp/dhcpd.conf
Contents:
option domain-name "westos.com"; ### domain name handed to clients ###
option domain-name-servers 172.25.254.112; ### DNS server handed to clients ###

default-lease-time 600;
max-lease-time 7200;
ddns-update-style interim; ### enable dynamic DNS updates from dhcpd ###
log-facility local7;
subnet 172.25.254.0 netmask 255.255.255.0 {
range 172.25.254.180 172.25.254.190; ### range of addresses to lease ###
option routers 172.25.254.250; ### gateway ###
}
key westoskey {
algorithm hmac-md5;
secret Af69mywNhRB8Vq88kiYpYw==; ### the same secret as in /etc/westos.key on the DNS server; dhcpd.conf now contains a credential, so keep it readable by root only ###
};
zone westos.com. {
primary 127.0.0.1; ### the DNS server to send updates to; named and dhcpd run on the same host here, so the loopback address is used ###
key westoskey;
}
4 systemctl restart dhcpd
5 vim /etc/named.conf ### the edit is not shown on the page; the zone must accept updates signed with westoskey (allow-update { key westoskey; };) as set up in the previous section ###
6 systemctl restart named
Client:
Test:
1 vim /etc/sysconfig/network-scripts/ifcfg-eth0 ### switch the interface to BOOTPROTO=dhcp ###
2 hostnamectl set-hostname helo.westos.com ### the client sends its host name in the DHCP request and dhcpd registers it in the zone; the session below uses test.westos.com ###
3 vim /etc/resolv.conf
4 dig www.westos.com
The session:
Server:
[root@server ~]# yum install dhcp -y
[root@server ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@server ~]# vim /etc/dhcp/dhcpd.conf
[root@server ~]# cd /mnt/
[root@server mnt]# ls
Kwestoskey.+157+23921.key Kwestoskey.+157+23921.private westos.com.zone
[root@server mnt]# cat Kwestoskey.+157+23921.key
westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw==
[root@server mnt]# vim /etc/dhcp/dhcpd.conf
[root@server mnt]# systemctl restart dhcpd
[root@server mnt]# vim /etc/named.conf
[root@server mnt]# systemctl restart named
Client:
[root@test ~]# hostname
test.westos.com
[root@test ~]# dig test.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> test.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4253
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.westos.com.               IN      A
;; ANSWER SECTION:
test.westos.com.        300     IN      A       172.25.254.180 ### registered by dhcpd with a TTL tied to the lease (300 here) instead of the zone default of 86400 ###
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112
;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sun May 07 22:31:20 EDT 2017
;; MSG SIZE rcvd: 94