BIND服务程序为了能够安全地提供解析服务而支持了TSIG(事务签名)机制,TSIG主要是利用共享密钥对区域信息的传送(Zone Transfer)进行签名验证,也就是说保证了DNS服务器之间传送区域信息时的来源认证和完整性。

主DNS服务器IP:192.168.16.20

从DNS服务器IP:192.168.16.30

1,在主服务器中使用dnssec-keygen生成DNS服务密钥

[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b  -n HOST master-slave  //-a 指定签名算法(HMAC-MD5 已被视为弱算法,新部署建议改用 HMAC-SHA256) -b 指定密钥长度 -n 指定密钥类型
Kmaster-slave.++
[root@localhost ~]# ll Kmaster-slave.++.*
-rw-------. root root Feb : Kmaster-slave.++.key
-rw-------. root root Feb : Kmaster-slave.++.private
[root@localhost ~]#

2,在主服务器上创建密钥验证文件(其中的 secret 即共享密钥,该文件不应对其他用户可读)

[root@localhost ~]# vim /var/named/chroot/etc/transfer.key

key "master-slave" {
algorithm hmac-md5;
secret "driJBeDX3zCdS2XptPG5tg==";
};

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

3,开启主服务器密钥验证功能

[root@localhost ~]# vim /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key"; //在主服务器中添加此条
options {
listen-on port { any; };
listen-on-v6 port { ::; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { key master-slave; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes; dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto; /* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
}; logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
}; zone "." IN {
type hint;
file "named.ca";
}; include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4,配置从服务器支持密钥验证

创建密钥文件(将主服务器上的同一份密钥文件复制到从服务器)

[root@localhost ~]# scp /var/named/chroot/etc/transfer.key root@192.168.16.30:/var/named/chroot/etc/
The authenticity of host '192.168.16.30 (192.168.16.30)' can't be established.
ECDSA key fingerprint is e6:a7::::ce::ac::3a:b7:d1::9c::e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.16.30' (ECDSA) to the list of known hosts.
root@192.168.16.30's password:
transfer.key % .1KB/s :

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

编辑从服务器的主配置文件

[root@localhost slaves]# !v
vim /etc/named.conf options {
listen-on port { any; };
listen-on-v6 port { ::; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
include "/etc/transfer.key";
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes; dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto; /* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
server 192.168.16.20 { //"192.168.16.20"为主服务器IP地址,在从服务器中添加此条
keys { master-slave; };
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
}; zone "." IN {
type hint;
file "named.ca";
}; include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

5,验证密钥验证是否生效(删除从服务器上的区域文件后重启named,若区域文件被重新同步下来,说明带密钥的区域传送成功)

[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]# rm -rf /var/named/slaves/kernel.org.zone
[root@localhost ~]# ls /var/named/slaves/
[root@localhost ~]# systemctl restart named
[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]#
