DNS主从TSIG加密传输

于 2016-02-11 22:47:00 发布
阅读量200 收藏
点赞数
文章标签: 运维 开发工具
原文链接:http://www.cnblogs.com/fishhh/p/5186722.html
版权

BIND服务程序为了能够安全的提供解析服务而支持了TSIG加密机制,TSIG主要是利用密码编码方式保护区域信息的传送(Zone Transfer),也就是说保证了DNS服务器之间传送区域信息的安全。

主DNS服务器IP:192.168.16.20

从DNS服务器IP:192.168.16.30

1,在主服务器中使用dnssec-keygen生成DNS服务秘钥

[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave  //-a 指定加密算法 -b指定加密长度 -n 指定类型  
Kmaster-slave.+157+14145
[root@localhost ~]# ll Kmaster-slave.+157+14145.*
-rw-------. 1 root root  56 Feb 12 06:00 Kmaster-slave.+157+14145.key
-rw-------. 1 root root 165 Feb 12 06:00 Kmaster-slave.+157+14145.private
[root@localhost ~]#

2,在主服务器上创建秘钥验证文件

[root@localhost ~]# vim /var/named/chroot/etc/transfer.key

key "master-slave" {
algorithm hmac-md5;
secret "driJBeDX3zCdS2XptPG5tg==";
};

  [root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

  [root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

3,开启主服务器秘钥验证功能

[root@localhost ~]# vim /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";             //在主服务器中添加此条
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key master-slave; }; 
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4,配置从服务器支持秘钥验证

创建秘钥文件

[root@localhost ~]# scp /var/named/chroot/etc/transfer.key root@192.168.16.30:/var/named/chroot/etc/
The authenticity of host '192.168.16.30 (192.168.16.30)' can't be established.
ECDSA key fingerprint is e6:a7:36:06:53:ce:71:ac:93:3a:b7:d1:47:9c:85:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.16.30' (ECDSA) to the list of known hosts.
root@192.168.16.30's password: 
transfer.key                                                                                                                              100%   79     0.1KB/s   00:00

  [root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key

  [root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

编辑从服务器的主配置文件

[root@localhost slaves]# !v
vim /etc/named.conf 

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        include "/etc/transfer.key";
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
server 192.168.16.20 {                   //"192.168.16.20"为主服务器IP地址,在从服务器中添加此条
        keys { master-slave; };   
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

5,验证是否成功加密

[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]# rm -rf /var/named/slaves/kernel.org.zone 
[root@localhost ~]# ls /var/named/slaves/
[root@localhost ~]# systemctl restart named
[root@localhost ~]# ls /var/named/slaves/
kernel.org.zone
[root@localhost ~]#

 

转载于:https://www.cnblogs.com/fishhh/p/5186722.html

weixin_30498921
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值