1、画出TSL链路的通信图
2、如何让浏览器识别自签的证书
- windons环境中:
windons+r输入mmc–>控制台–>文件–>添加/删除管理单元–>证书–>添加–>证书-当前用户–>确定
---->受信任的根证书颁发机构–>所有任务–>导入–>选择证书–>安装证书
- linux(centos7)环境:
- ca证书的转换(cer转pem), 如vmar.cer转换为vmwar.pem
openssl x509 -inform der -in /root/pkg/vmwar.cer -out /root/pkg/vmwar.pem
2.ca证书导入到linux证书库:
cat /root/pkg/vmwar.pem >> /etc/pki/tls/certs/ca-bundle.crt
3、搭建DNS服务器
①安装DNS服务器软件
yum install -y bind
②配置相关文件
修改DNS主配置文件/etc/named.conf 参数
listen-on port 53 { localhost; }; #监听地址改为localhost
allow-query { any; }; #允许访问改any
修改后检测语法错误: named-checkconf [/etc/named.conf]
③定义区域(正和反)
在/etc/named.rfc1912.zone添加
zone "benny.com" IN {
tpye master;
file "benny.com.zone";
};
};
zone "0.0.10.in-addr.arpa" IN {
tpye master;
file "0.0.10.in-addr.arpa.zone";
};
④定义区域解析库文件(主要记录为PTR)
-
正向区域解析库文件
[root@benny~]#vim /var/named/benny.com.zone $TTL 86400 @ IN SOA ns1 admin.benny.com. ( 2019091500 1H 5M 1W 1D ) IN NS ns1 bIN MX 10 mx1 IN MX 10 mx2 ns1 IN A 10.0.0.10 mx1 IN A 10.0.0.50 mx2 IN A 10.0.0.51 www IN A 192.168.3.4权限及属组修改:
chgrp named /var/named/benny.com.zone chgrp named /var/named/benny.com.zone语法检查
named-checkzone benny.com.zone /var/named/benny.com.zone named-checkconf -
反向区域解析库文件
vim /var/named/0.0.10.in-addr.arpa.zone $TTL 86400 @ IN SOA dnsserver admin.benny.com. ( 2019091443 3H 10M 1D 1H ) IN NS dnsserver dnsserver A 192.168.34.7 7 PTR dnsserver.benny.com. 10 PTR www.benny.com. 200 PTR blog.benny.com.权限及属组修改:
chgrp named /var/named/0.0.10.in-addr.arpa.zone chgrp named /var/named/0.0.10.in-addr.arpa.zone语法检查
named-checkzone 0.0.10.in-addr.arpa.zone /var/named/0.0.10.in-addr named-checkconf
⑤让服务器重载配置文件和区域数据文件
rndc reload
⑥检测
正向解析检测1
[root@benny~]#dig benny.com @10.0.0.10
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> benny.com @10.0.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54091
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;benny.com. IN A
;; AUTHORITY SECTION:
benny.com. 86400 IN SOA ns1.benny.com. admin.benny.com. 2019091500 3600 300 604800 86400
;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: 六 9月 14 21:39:39 CST 2019
;; MSG SIZE rcvd: 84
反向解析
[root@benny~]#dig -x 10.0.0.200 @10.0.0.10
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -x 10.0.0.200 @10.0.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53494
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;200.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
200.0.0.10.in-addr.arpa. 86400 IN PTR blog.benny.com.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS dnsserver.0.0.10.in-addr.arpa.
;; ADDITIONAL SECTION:
dnsserver.0.0.10.in-addr.arpa. 86400 IN A 192.168.34.7
;; Query time: 0 msec
;; SERVER: 10.0.0.10#53(10.0.0.10)
;; WHEN: 六 9月 14 21:50:41 CST 2019
;; MSG SIZE rcvd: 120
4、熟悉DNSPOD的解析类型
-
SOA:Start Of Authority,起始授权记录; 一个区域解析库有且只能有一个SOA记录,而且必须放在第一条;
-
NS:Name Service,域名服务记录;一个区域解析库可以有多个NS记录;其中一个为主的;
A: Address, 地址记录,FQDN --> IPv4;
AAAA:地址记录, FQDN --> IPv6;
CNAME:Canonical Name,别名记录;
PTR:Pointer,IP --> FQDN(辅助解析)
-
MX:Mail eXchanger,邮件交换器;
优先级:0-99,数字越小优先级越高;A: Address, 地址记录,FQDN --> IPv4;
AAAA:地址记录, FQDN --> IPv6;
CNAME:Canonical Name,别名记录;
PTR:Pointer,IP --> FQDN(辅助解析)
-
MX:Mail eXchanger,邮件交换器;
优先级:0-99,数字越小优先级越高; -
TXT记录:对域名进行标识和说明,绝大多数的TXT记录是用来做SPF记录(反垃圾邮件)
305
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
