DNS主从TSIG加密传输

BIND服务程序为了能够安全的提供解析服务而支持了TSIG加密机制，TSIG主要是利用密码编码方式保护区域信息的传送(Zone Transfer)，也就是说保证了DNS服务器之间传送区域信息的安全。

主DNS服务器IP：192.168.16.20

从DNS服务器IP：192.168.16.30

1，在主服务器中使用dnssec-keygen生成DNS服务秘钥

[[email protected] ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave  //-a 指定加密算法 -b指定加密长度 -n 指定类型
Kmaster-slave.+157+14145
[[email protected] ~]# ll Kmaster-slave.+157+14145.*
-rw-------. 1 root root  56 Feb 12 06:00 Kmaster-slave.+157+14145.key
-rw-------. 1 root root 165 Feb 12 06:00 Kmaster-slave.+157+14145.private
[[email protected] ~]#

2，在主服务器上创建秘钥验证文件

[[email protected] ~]# vim /var/named/chroot/etc/transfer.key

key "master-slave" {
algorithm hmac-md5;
secret "driJBeDX3zCdS2XptPG5tg==";
};

[[email protected] ~]# chown root:named /var/named/chroot/etc/transfer.key

[[email protected] ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

3，开启主服务器秘钥验证功能

[[email protected] ~]# vim /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";             //在主服务器中添加此条
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key master-slave; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4，配置从服务器支持秘钥验证

创建秘钥文件

[[email protected] ~]# scp /var/named/chroot/etc/transfer.key [email protected]192.168.16.30:/var/named/chroot/etc/
The authenticity of host ‘192.168.16.30 (192.168.16.30)‘ can‘t be established.
ECDSA key fingerprint is e6:a7:36:06:53:ce:71:ac:93:3a:b7:d1:47:9c:85:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.16.30‘ (ECDSA) to the list of known hosts.
[email protected]192.168.16.30‘s password:
transfer.key                                                                                                                              100%   79     0.1KB/s   00:00

[[email protected] ~]# chown root:named /var/named/chroot/etc/transfer.key

[[email protected] ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

编辑从服务器的主配置文件

[[email protected] slaves]# !v
vim /etc/named.conf 

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
server 192.168.16.20 {                   //"192.168.16.20"为主服务器IP地址，在从服务器中添加此条
        keys { master-slave; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

5，验证是否成功加密

[[email protected] ~]# ls /var/named/slaves/
kernel.org.zone
[[email protected] ~]# rm -rf /var/named/slaves/kernel.org.zone
[[email protected] ~]# ls /var/named/slaves/
[[email protected] ~]# systemctl restart named
[[email protected] ~]# ls /var/named/slaves/
kernel.org.zone
[[email protected] ~]#

时间： 2024-07-30 13:47:44

DNS主从TSIG加密传输的相关文章

MySQL主从ssl加密传输报错解决

案例:今天实施MySQL主从+SSL加密传输时候,master为slave签署证书有一个小小问题: failedto update database TXT_DBerror number 2 一开始没留意,最后导致在slave通过证书连接master时候报错证书错误.仔细检查才看到错误. 1.报错原因: This thing happens when certificates share common data. You cannot have two certificates that lo

Centos DNS服务(二)-bind主从配置与基于TSIG加密的动态更新

DNS的主从配置 DNS从服务器也叫辅服DNS服务器,如果网络上某个节点只有一台DNS服务器的话,首先服务器的抗压能力是有限的,当压力达到一定的程度,服务器就可能会宕机罢工,其次如果这台服务器出现了硬件故障那么服务器管理的区域的域名将无法访问.为了解决这些问题,最好的办法就是使用多个DNS服务器同时工作,并实现数据的同步,这样两台服务器就都可以实现域名解析操作. 从服务器要点 1.应该为一台独立的名称服务器 2.主DNS服务器的区域解析库文件中必须有一条NS记录指向从服务器 3.从DNS服务器只

DNS递归查询、主从、加密认证、负载均衡

环境同DNS练习之正向解析. 在sishen64主机上安装必要软件 [[email protected] ~]# yum install -y bind bind-chroot bind-libs bind-utils 重启named服务编辑核心配置文件: [[email protected] ~]# vim /var/named/chroot/etc/named.conf 重启named服务: [[email protected] ~]# service named restart 查看:

架设DNS服务器（DNS主从服务器架设）

搭建DNS服务器试验要求:以workstation(92.168.1.105)作为服务器,(可以做正向解析和反向解析),以server1(192.168.1.103)作为客户机验证 #安装bind服务 yum install bind-chroot bind-utils -y bind安装好之后会产生若干程序和配置文件:常见的如下: 主程序:/usr/sbin/named 主配置文件:/etc/named.conf 区域配置文件:/etc/named.rfc.1912.zones #配置bin

搭建DNS主从服务器实现反向解析，子域，转发，智能DNS及排错和互联网DNS架构实验

1基本知识点 DNS服务 DNS:Domain Name System 应用层协议C/S,53/udp, 53/tcpBIND:Bekerley Internat Name DomainISC (www.isc.org)本地名称解析配置文件:hosts DNS域名根域一级域名:Top Level Domain: tldcom, edu, mil, gov, net, org, int,arpa三类:组织域.国家域(.cn, .ca, .hk, .tw).反向域二级域名三级域名最多127级域名I

DNS主从服务,子域授权,view视图,日志系统,压力测试rsync配置

DNS主从服务,子域授权,view视图,日志系统,压力测试 DNS性能测试工具queryperfDNS查询过程: DNS主从建立: 环境: 主服务器:10.140.165.93 从服务器:10.140.165.169 关闭防火墙,关闭selinux. 主服务器建立: [[email protected] ~]# yum -y install bind-util bind #安装bind服务 [[email protected] ~]# vim /etc/named.conf #编辑主配置文件 o

SQL Server 2008, 2008 R2, 2012 and 2014 完全支持TLS1.2加密传输

SQL Server 2008, 2008 R2, 2012 and 2014 完全支持TLS1.2加密传输微软高兴地宣布所有主流SQL Server客户端驱动和SQL Server发行版已经支持Transport Layer Security 1.2简称TLS 1.2. 发布时间是 2016年1月29日,这次发布提供了SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014对TLS1.2的完全支持. 支持

JavaMail实现收发邮件（五）使用SSL实现加密传输

一概念简介 Secure Socket Layer,为Netscape所研发,用以保障在Internet上数据传输之安全,利用数据加密(Encryption)技术,可确保数据在网络上之传输过程中不会被截取及窃听.一般通用之规格为40 bit之安全标准,美国则已推出128 bit之更高安全标准,但限制出境.只要3.0版本以上之I.E.或Netscape浏览器即可支持SSL.当前版本为3.0.它已被广泛地用于Web浏览器与服务器之间的身份认证和加密数据传输.(PS:来至百度百科) 二在JavaM

使用Bind9搭建DNS主从服务器

一.前提互联网中的主机是基于ip地址来联系通信的,而ip地址不太容易记住,所以为了方便访问网络中的主机,人们为主机分配一个名称.通过将每台主机的名称与它的ip地址建立一个一对一的映射,在访问网络中的主机时,可以直接使用主机的名称.而提供这种映射与查询的系统就叫名称解析系统,现在常用的为DNS(Domin Name System)系统. 二.使用Bind9搭建DNS主从服务器在实际的工作中,可能需要我们自己配置的就是本地DNS服务器. 一套完整的DNS需要提供正向解析与反向解析的功能.