Restricting DNS zone transfers (zone transfer)
DNS master/slave replication is what relies on zone transfers.
一、Fetching all of a zone's records from a client
dig @30.96.8.232 imoocc.com axfr
host -T -l imoocc.com 30.96.8.232
二、Why restrict zone transfers?
For the security of the server and to protect sensitive information: an unrestricted transfer hands the complete zone to anyone who asks.
It is recommended to read this article first; it mentions the two DNS signing methods.
========================================================
Method one: host-based access control
Primary DNS server
[root@master ~]# vim /etc/named.conf
zone "imoocc.com" {
    type master;
    notify yes;
    also-notify { 30.96.8.233; };
    allow-transfer { none; };   // allow no host at all to transfer the zone
    file "imoocc.com.zone";
};
[root@master ~]# service named restart
Testing on the secondary DNS server
[root@localh ~]# cd /var/named/slaves/
Simulate an update to the imoocc.com.zone zone on the master, then switch to the slave:
[root@localh slaves]# service named restart
停止 named:. [确定]
启动 named: [确定]
[root@localh slaves]# ls   # empty: the transfer did not succeed
[root@slave slaves]# tail /var/log/messages
Jul 6 16:24:06 Jeson named[11601]: client 30.96.8.232#1610: received notify for zone 'imoocc.com'
Jul 6 16:24:06 Jeson named[11601]: zone imoocc.com/IN: Transfer started.
Jul 6 16:24:06 Jeson named[11601]: transfer of 'imoocc.com/IN' from 30.96.8.232#53: connected using 30.96.8.233#57604
Jul 6 16:24:06 Jeson named[11601]: transfer of 'imoocc.com/IN' from 30.96.8.232#53: resetting
Jul 6 16:24:06 Jeson named[11601]: transfer of 'imoocc.com/IN' from 30.96.8.232#53: connected using 30.96.8.233#60890
Jul 6 16:24:06 Jeson named[11601]: transfer of 'imoocc.com/IN' from 30.96.8.232#53: failed while receiving responses: REFUSED
Jul 6 16:24:06 Jeson named[11601]: transfer of 'imoocc.com/IN' from 30.96.8.232#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.040 secs (0 bytes/sec)
Method two: TSIG transaction signatures
1. Generate the key on the primary DNS server and copy it to the secondary
Generate the key on the master:
[root@Master named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST jeson-key
Kjeson-key.+157+09087
-a HMAC-MD5   // the signing algorithm
-b 128        // key length, 128 bits
-n HOST       // name type HOST: specifies the owner type of the key. The nametype must be ZONE (for DNSSEC zone keys (KEY/DNSKEY)), HOST or ENTITY (for keys associated with a host (KEY)), USER (for keys associated with a user (KEY)) or OTHER (DNSKEY). These values are case-insensitive. The default is ZONE (used when generating a DNSKEY).
jeson-key     // the key name
This produces the file Kjeson-key.+157+09087.private.
[root@master ~]# vim /var/named/chroot/etc/jeson-key   # the secret is the Key: value found in Kjeson-key.+157+09087.private
key "jeson-key" {
    algorithm hmac-md5;
    secret "yZr1h2DbAHNEWl+CkV7INQ==";
};
Note: check the TSIG key file above a thousand times!!!
[root@master ~]# chmod 644 /var/named/chroot/etc/jeson-key
====================================================================
For reference:
[root@master ~]# cat /var/named/chroot/etc/rndc.key
key "rndckey" {
    algorithm hmac-md5;
    secret "cw3DXuvc5nIwd3ClDGxINMOTllOMY7anqYQABfv7ocK7E50ohGqg4y9rYHq2";
};
====================================================================
Copy it to the secondary DNS server
Create the directory on the slave:
[root@Slave ~]# mkdir /var/named/chroot/etc -p
[root@Slave ~]# chown named:named /var/named/chroot/etc -R
Copy the key file from the master to the slave:
[root@master ~]# rsync -va /var/named/chroot/etc/jeson-key 30.96.8.233:/var/named/chroot/etc/
2. Restrict zone transfers with the key
Primary DNS:
[root@master ~]# vim /var/named/chroot/etc/named.conf
include "/etc/jeson-key";   // path as seen from inside the chroot
zone "imoocc.com" {
    type master;
    notify yes;
    also-notify { 30.96.8.233; };        // the slave, not the master's own address
    allow-transfer { key jeson-key; };   // only requests signed with jeson-key may transfer
    file "imoocc.com.zone";
};
[root@master ~]# service named restart
Secondary DNS:
[root@slave ~]# vim /var/named/chroot/etc/named.conf
include "/etc/jeson-key";   // path inside the chroot; on the host this is /var/named/chroot/etc/jeson-key
server 30.96.8.232 {
    keys { jeson-key; };    // sign every request to the master with this key
};
zone "imoocc.com" {
    type slave;
    file "slaves/imoocc.com.zone";
    masters { 30.96.8.232; };
};
[root@slave ~]# service named restart
========================================================================
Warning: when using TSIG for zone transfers, the clocks of the master and slave must be synchronized!!! A TSIG signature carries a timestamp, and the receiver rejects requests that fall outside its fudge window (300 seconds by default).
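As an added example (not code from the original post), the following Python script audits a named.conf for the two settings shown above: it parses each primary zone's allow-transfer ACL, falling back to the options{} default, and reports whether the zone is closed, restricted to TSIG keys, restricted only by IP, or open. The sample configuration is constructed; "imoocc.com" and "jeson-key" are the page's names, the other zone names are made up, and views are not handled.

```python
import re

# Constructed sample named.conf modelled on this page's zone statements; "imoocc.com"
# and "jeson-key" are the page's names, the other zone names are made up.
SAMPLE_CONF = """
options { directory "/var/named"; };
key "jeson-key" { algorithm hmac-md5; secret "yZr1h2DbAHNEWl+CkV7INQ=="; };
zone "imoocc.com" { type master; file "imoocc.com.zone";
    allow-transfer { key jeson-key; }; };    // method two: TSIG-keyed peers only
zone "closed.example" { type master; file "closed.zone";
    allow-transfer { none; }; };             // method one: no transfers at all
zone "open.example" { type master; file "open.zone";
    allow-transfer { any; }; };              // explicitly open to everyone
zone "default.example" { type master; file "default.zone"; };  // inherits global default
"""

# A brace block with at most one level of nesting, enough for zone and options bodies.
BLOCK = r"\{((?:[^{}]|\{[^{}]*\})*)\}"

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _acl_entries(body, fallback):
    """Entries of the allow-transfer ACL in a block body, or the fallback ACL if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return [e.strip() for e in (m.group(1) if m else fallback).split(";") if e.strip()]

def audit_transfers(conf_text):
    """Map every primary zone to 'closed', 'tsig', 'ip-acl' or 'open'."""
    text = _strip_comments(conf_text)
    # Zones without their own allow-transfer inherit options{}; if that is absent too,
    # BIND's long-standing default is to allow transfers to anyone.
    opts = re.search(r"\boptions\s*" + BLOCK, text, re.S)
    default_acl = ";".join(_acl_entries(opts.group(1), "any")) if opts else "any"
    results = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*' + BLOCK, text, re.S):
        name, body = m.group(1), m.group(2)
        if not re.search(r"\btype\s+(master|primary)\b", body):
            continue
        entries = _acl_entries(body, default_acl)
        if entries in ([], ["none"]):
            results[name] = "closed"
        elif all(e.startswith("key ") for e in entries):
            results[name] = "tsig"      # only TSIG-signed requests can pull the zone
        elif "any" in entries:
            results[name] = "open"      # anyone can dump the zone with dig axfr
        else:
            results[name] = "ip-acl"    # address-based only; no authentication of the peer
    return results
```

Run it over the real /var/named/chroot/etc/named.conf after each change; any zone reported as open or ip-acl can still be transferred without a TSIG key.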