This article mainly explains unbound.
1. First, a brief description of the DNS protocol and the features of the unbound tool.
2. How to configure local zones, forward zones and the RPZ firewall, and how the message cache, RRset cache, negative cache and trust anchors work.
3. Using bind to build an iterative-query environment.
4. Setting up DNSSEC.
Introduction to the DNS protocol and the tool's features
- RFC1035 record formats
  https://wenku.baidu.com/view/4f4a197a27284b73f242506f
- DNS message structure and a hand-written DNS resolver (working around the blocking getaddrinfo())
  https://segmentfault.com/a/1190000009369381
- local-zone feature
  https://docs.netgate.com/tnsr/en/latest/dns/local-zone.html
- Negative caching
  https://zhangmingkai.cn/2019/09/rfc2308-dns-nxdomain-cache/
- RPZ firewall
  https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.3.5
- DNS protocol records
  https://www.ietf.org/rfc/rfc1035.txt
- Zone file format
  https://help.dyn.com/how-to-format-a-zone-file/
- Using bind
  https://docs.oracle.com/cd/E24847_01/html/E22302/dnsref-9.html
- Trust anchors and how DNSKEY works
  Trust anchor: the end point of the whole chain of trust. To validate a name, the resolver checks the DNSKEY and DS records at every level, from the queried name up to the zone for which it holds a trust anchor; once the chain reaches the anchor, validation is complete. Anything the chain cannot connect to an anchor is treated as unsigned or bogus.
  https://blog.csdn.net/huangzx3/article/details/86526068
- ZSK and KSK
Differences between KSK and ZSK

| Key         | Usage                                                                                   | Frequency of use                                                                                    |
|-------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| ZSK Private | Used by the authoritative server to create RRSIGs for zone data                         | Somewhat frequently, depending on the zone: whenever authoritative zone data changes or re-signing is needed |
| ZSK Public  | Used by the recursive server to validate zone-data RRsets                               | Very frequently: whenever the recursive server validates a response                                 |
| KSK Private | Used by the authoritative server to create the RRSIG over the DNSKEY RRset (ZSK and KSK public keys) | Very infrequently: whenever a ZSK or KSK changes (every year or every five years in the examples) |
| KSK Public  | Used by the recursive server to validate the DNSKEY RRset                               | Very frequently: whenever the recursive server validates a DNSKEY RRset                             |
3. Understanding the DNSSEC flow
- https://zhuanlan.zhihu.com/p/355579999
4. Building the iterative-query and DNSSEC environment
- First you need 3 Linux machines with bind installed. I used CentOS, and start the service with systemctl restart named.
- Check with netstat -tlpn that named is listening on port 53
- Edit /etc/named.conf
Root server configuration
(1) Generate the root server's KSK and ZSK (the dnssec-keygen commands are listed after the zone file below), then configure named.conf and the root zone file as follows:
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
//dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "/var/named/data/named.run";
severity dynamic;
};
};
zone "." IN {
type master;
//file "root.master";
file "root.master.signed";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/etc/root.master (note: named.conf sets directory "/var/named", so the relative file name root.master.signed in the zone statement is looked up under /var/named; keep the unsigned zone file, the K.+... key files and the signed output in that directory, or give an absolute path)
$TTL 1000
$ORIGIN .
@ IN SOA @ root (
12169   ; serial
1m      ; refresh
1m      ; retry
1m      ; expire
1m      ; negative-cache TTL
)
. IN NS a.root.net.
a.root.net. IN A 10.82.25.77 ; this machine's IP: this host is the DNS root server
com. IN NS ns1.com.
ns1.com. IN A 10.82.25.78 ; top-level domain server (glue for the com. delegation)
;net. IN NS a.net-ns.net.
;a.net-ns.net. IN A 10.82.25.78 ; top-level domain server
ltm. IN NS a.ltm-ns.ltm.
a.ltm-ns.ltm. IN A 112.122.132.78 ; top-level domain server
www.example.com IN A 123.123.123.123 ; below the com. delegation cut, so the root is not authoritative for it (occluded): queries for it get a referral to ns1.com. instead
com. IN DS 13509 7 2 CDA9C9D86A96C3B6D2FDC2338D3BA6664D7AD733338CC15B276666EA7824E57E ; DS of the com. KSK (key tag 13509, algorithm 7, SHA-256 digest), copied from the com. server
$INCLUDE "K.+005+40566.key"
$INCLUDE "K.+005+53116.key"
/etc/root.master.signed (the signed zone, in the same directory as root.master; this is the file named.conf loads)
Generated from root.master by the signing tool: dnssec-signzone -o . root.master (run in the directory holding the zone file and the K.+... key files; -o gives the zone origin, the output is root.master.signed). Re-run it whenever the zone changes, and before the signatures expire (dnssec-signzone signs for 30 days by default), otherwise validating resolvers will reject the zone as bogus.
- Generate the root (.) KSK and ZSK
dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE . (note the trailing dot; this generates the ZSK)
dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE . (note the trailing dot; -f KSK generates the KSK)
- The algorithm given with -a must be the same for the ZSK and the KSK of one zone: a validator expects every algorithm listed in the zone's DNSKEY RRset to actually sign the zone. The algorithm number is part of the key file name: K.+005+... is algorithm 5 (RSASHA1), whereas -a NSEC3RSASHA1 produces K.+007+... files, so the file names $INCLUDEd above do not match the keygen command as written. Use whichever algorithm you actually generated, consistently, and $INCLUDE the files that exist.
- The command produces K.+005+40566.key (the public key, as a DNSKEY record) and K.+005+40566.private (the private key); 40566 is the key tag (key ID). The two files are one key pair.
- A DS record is derived from the child zone's KSK and published in the parent zone: every DS record in a zone comes from one of its children. A trust anchor can be either a DNSKEY or a DS record; it is the fixed point the validator trusts without further proof. For this private root there is nothing above ".", so the root's own KSK (K.+005+53116.key) is the trust anchor to configure on the resolvers, and no DS is ever published for the root.
The DS for com. is computed from the com. KSK on the com. server (-2 selects a SHA-256 digest):
dnssec-dsfromkey -2 Kcom.+007+13509.key
com. IN DS 13509 7 2 CDA9C9D86A96C3B6D2FDC2338D3BA6664D7AD733338CC15B276666EA7824E57E
(Running dnssec-dsfromkey on the root's own key K.+005+53116.key would print a DS for ".", which nothing publishes. The key tag in the DS line, 13509, says which com. DNSKEY it was made from and must match the key file used.)
Top-level domain (com.) server configuration
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
//dnssec-lookaside auto; // DLV was shut down by ISC in 2017 and later BIND versions removed the option; leave it off, as in the root server's config
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
zone "." IN {
type hint;
file "root.hint";
};
*/
zone "com." IN {
type master;
file "com.master.signed";
};
zone "ltm." IN {
type master;
file "ltm.master";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/var/named/com.master
$TTL 10
$ORIGIN com.
@ IN SOA @ root (
100   ; serial
1m    ; refresh
1m    ; retry
1m    ; expire
1m    ; negative-cache TTL
)
com. IN NS ns1.com.
ns1.com. IN A 10.82.25.78
example.com. 5 IN A 11.15.33.22 ; at the example.com. delegation cut: com. is not authoritative for this, so it is occluded and never served
example.com. 5 IN NS ns.example.com.
ns.example.com. IN A 10.82.25.79 ; glue for the delegation
hongkong.com. IN A 10.82.25.79 ; occluded for the same reason
hongkong.com. IN NS ns.hongkong.com.
ns.hongkong.com. IN A 10.82.25.79 ; glue
hongkong.com. IN DS 17553 7 2 8168F8903A9D7B8C210BE775997DBAA391DD28732A4C287F4968A8BAAF4F72DE ; DS of the hongkong.com. KSK, copied from that zone's server
$INCLUDE "Kcom.+007+43280.key" ; ZSK
$INCLUDE "Kcom.+007+13509.key" ; KSK: key tag 13509, the key the com. DS in the root zone points to
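To make the delegation structure of the two zone files above concrete, here is an added example (not code from the page, and not how bind is implemented) that models the three-server lab as in-memory zones and walks referrals from the root the way a recursive resolver does. The root and com. zones mirror the records shown above; the example.com. zone on 10.82.25.79 is constructed here, since the page does not show it, using the documentation addresses 198.51.100.5 and 192.0.2.10. It also shows why the A records placed at or below a delegation cut (www.example.com in the root zone, example.com in com.) are never answered: the server hands out a referral before it ever looks at them.

```python
"""Toy iterative resolver over simulated authoritative servers (added example)."""


def in_zone(name: str, origin: str) -> bool:
    """True if name is origin or below it (names are absolute, with a trailing dot)."""
    name, origin = name.lower(), origin.lower()
    return origin == "." or name == origin or name.endswith("." + origin)


# Each simulated server: its zone apex and the records it loads, as (owner, type, rdata).
LAB_SERVERS = {
    "10.82.25.77": {"origin": ".", "records": [
        (".", "NS", "a.root.net."),
        ("a.root.net.", "A", "10.82.25.77"),
        ("com.", "NS", "ns1.com."),
        ("ns1.com.", "A", "10.82.25.78"),              # glue for the com. delegation
        ("www.example.com.", "A", "123.123.123.123"),  # below the com. cut: occluded, never served
    ]},
    "10.82.25.78": {"origin": "com.", "records": [
        ("com.", "NS", "ns1.com."),
        ("ns1.com.", "A", "10.82.25.78"),
        ("example.com.", "A", "11.15.33.22"),          # at the example.com. cut: occluded
        ("example.com.", "NS", "ns.example.com."),
        ("ns.example.com.", "A", "10.82.25.79"),       # glue
        ("hongkong.com.", "NS", "ns.hongkong.com."),
        ("ns.hongkong.com.", "A", "10.82.25.79"),
    ]},
    "10.82.25.79": {"origin": "example.com.", "records": [  # constructed child zone (not on the page)
        ("example.com.", "NS", "ns.example.com."),
        ("ns.example.com.", "A", "10.82.25.79"),
        ("example.com.", "A", "198.51.100.5"),
        ("www.example.com.", "A", "192.0.2.10"),
    ]},
}


def delegation_for(zone: dict, qname: str):
    """Owner of the deepest delegation point (an NS set below the apex) covering qname, else None."""
    best = None
    for owner, rtype, _ in zone["records"]:
        if rtype == "NS" and owner != zone["origin"] and in_zone(qname, owner):
            if best is None or len(owner) > len(best):
                best = owner
    return best


def authoritative_query(zone: dict, qname: str, qtype: str) -> dict:
    """What one authoritative server answers: REFUSED, a referral, an authoritative answer, or NXDOMAIN."""
    empty = {"answer": [], "authority": [], "additional": []}
    if not in_zone(qname, zone["origin"]):
        return {"rcode": "REFUSED", "aa": False, **empty}
    cut = delegation_for(zone, qname)
    if cut is not None:
        # Referral: the NS set at the cut plus whatever glue A records the zone holds for those names.
        ns = [r for r in zone["records"] if r[0] == cut and r[1] == "NS"]
        glue = [r for r in zone["records"] if r[1] == "A" and r[0] in {n[2] for n in ns}]
        return {"rcode": "NOERROR", "aa": False, "answer": [], "authority": ns, "additional": glue}
    answer = [r for r in zone["records"] if r[0] == qname and r[1] == qtype]
    exists = any(r[0] == qname for r in zone["records"])
    return {"rcode": "NOERROR" if exists else "NXDOMAIN", "aa": True,
            "answer": answer, "authority": [], "additional": []}


def iterative_resolve(servers: dict, qname: str, qtype: str = "A",
                      root_ip: str = "10.82.25.77", _depth: int = 0):
    """Walk referrals from the root. Returns (rcode, [rdata...], [server IPs asked, in order])."""
    path, server = [], root_ip
    for _ in range(8):  # bound the referral chain
        path.append(server)
        zone = servers.get(server)
        if zone is None:
            raise LookupError(f"no server reachable at {server}")
        resp = authoritative_query(zone, qname, qtype)
        if resp["aa"] or resp["rcode"] == "REFUSED":
            return resp["rcode"], [r[2] for r in resp["answer"]], path
        glue = {r[0]: r[2] for r in resp["additional"]}
        ns_names = [r[2] for r in resp["authority"]]
        server = next((glue[n] for n in ns_names if n in glue), None)
        if server is None:
            # No glue: resolve the name server's own address first (bounded to avoid loops).
            if _depth >= 3:
                raise LookupError("too many nested name-server lookups")
            _, addrs, _ = iterative_resolve(servers, ns_names[0], "A", root_ip, _depth + 1)
            if not addrs:
                raise LookupError(f"cannot resolve name server {ns_names[0]}")
            server = addrs[0]
    raise LookupError("referral loop")


if __name__ == "__main__":
    for name in ("www.example.com.", "example.com.", "nope.com."):
        print(name, iterative_resolve(LAB_SERVERS, name))
```

A query for www.example.com. is answered only after three hops (10.82.25.77, 10.82.25.78, 10.82.25.79), and example.com. resolves to the child zone's 198.51.100.5, not to the 11.15.33.22 that com.master carries at the cut; that is what you should see with dig +trace against the real lab.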
Main steps
- Key generation: same as for the root zone, but with the zone name instead of the dot:
dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE com
dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE com
- Sign com.master (the K*.key files must be in the same directory, and the zone file must $INCLUDE them):
dnssec-signzone -o com com.master
This writes com.master.signed, the file named.conf loads.
- Derive the DS record from the KSK (-2 selects a SHA-256 digest), put it into the parent's zone file, and re-sign the parent with dnssec-signzone:
dnssec-dsfromkey -2 Kcom.+007+13509.key
Result: com. IN DS 13509 7 2 CDA9C9D86A96C3B6D2FDC2338D3BA6664D7AD733338CC15B276666EA7824E57E
Add this line to the root zone file and re-sign the root zone. The key tag in the DS (13509) is computed from the key file it was derived from, so running dnssec-dsfromkey on Kcom.+007+43280.key would yield a DS with tag 43280 that does not validate the com. KSK at all. Repeat the same keygen, sign and DS hand-off for hongkong.com. on the third machine; its DS (tag 17553) is the one carried in com.master above.
- Both authoritative servers keep recursion yes from the stock named.conf. That is acceptable only inside a closed lab: for anything reachable from other networks set recursion no on the root and TLD servers, as the comment in named.conf itself warns.
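The DS hand-off just described, and the dnssec-dsfromkey step in the root server section, both rest on one relationship: a DS record is the key tag, algorithm and digest of the child's DNSKEY, and a validator accepts the child's key only if recomputing that digest reproduces the parent's DS. The following added example (not from the page and not BIND's code) reimplements that computation in pure Python, RFC 4034 key tag and owner-name plus RDATA digest, together with the match check a validator performs at the delegation. The DNSKEY line is constructed: its 4-byte "public key" AQIDBA== is not a real RSA key, it only exercises the encoding, so the key tag (2062) and digest are those of this sample, not of any key on the page.

```python
"""DS derivation from a DNSKEY and the delegation check a validator performs (added example)."""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def role(self) -> str:
        # The low bit of the flags field is the Secure Entry Point bit: set on KSKs (257), clear on ZSKs (256).
        return "KSK" if self.flags & 0x0001 else "ZSK"


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex, as dnssec-dsfromkey prints it

    def presentation(self) -> str:
        return f"{self.owner} IN DS {self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an absolute owner name; '.' becomes a single zero byte."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit ones'-complement-style sum over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> DNSKEY:
    """Parse a DNSKEY in presentation format, e.g. the body of a K<zone>.+<alg>+<tag>.key file:
    'com. 3600 IN DNSKEY 257 3 7 AwEAA...' (TTL and class optional, '; comments' ignored)."""
    tokens = line.split(";", 1)[0].split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1: idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    return DNSKEY(tokens[0], flags, proto, alg, key)


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """Equivalent of dnssec-dsfromkey: digest = H(owner name in wire form || DNSKEY RDATA); -2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(key.owner) + key.rdata).hexdigest().upper()
    return DS(key.owner, key_tag(key.rdata), key.algorithm, digest_type, digest)


def ds_matches_dnskey(ds: DS, key: DNSKEY) -> bool:
    """The check a validator makes at a delegation: does the child's DNSKEY hash to the parent's DS?
    Owner, key tag and algorithm are compared first (cheap pre-filter), then the digest (the actual proof)."""
    if (ds.owner.lower() != key.owner.lower() or ds.key_tag != key_tag(key.rdata)
            or ds.algorithm != key.algorithm):
        return False
    try:
        return ds_from_dnskey(key, ds.digest_type).digest == ds.digest
    except KeyError:
        return False  # unknown digest type: unsupported, never a match


# Constructed sample (not a real RSA key): flags 257 = KSK, protocol 3, algorithm 7 (NSEC3RSASHA1).
SAMPLE_KSK_LINE = "com. 3600 IN DNSKEY 257 3 7 AQIDBA==  ; constructed 4-byte key, for illustration only"

if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK_LINE)
    ds = ds_from_dnskey(ksk)
    print(ksk.role, ds.presentation())
    print("matches:", ds_matches_dnskey(ds, ksk))
```

Feed it the real Kcom.+007+13509.key line and the output should be the com. DS shown above; feeding it Kcom.+007+43280.key yields a DS with a different tag and digest, which is the mistake the match check catches. The owner name is lower-cased before hashing, so "COM." and "com." give the same DS, while flipping a single bit of the key, or presenting the ZSK in place of the KSK, does not match.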