I. Describe in detail the process of one encrypted communication session, ideally with a diagram.
Plain TCP communication cannot guarantee data security: a third party can intercept it at any time and leak the private data of both parties, which is clearly not what we want. This matters most where usernames, passwords and personal information are involved (online banking, transfer of confidential files and so on), and the confidentiality of the exchange is paramount. That is why we commonly use the SSL protocol to set up a secure, confidential channel: SSL guarantees that the data exchanged between the two parties travels as ciphertext, which a third party without the private key has practically no way of decrypting, and thereby achieves confidentiality. How exactly SSL exchanges data to achieve this is something many people do not know, so the SSL exchange is described step by step here.
1. Establish the TCP connection
Because SSL runs on top of a TCP connection, a TCP connection must be established before the SSL exchange starts. The client calls connect() towards the server, the server calls accept() for the client, and after the three-way handshake the TCP connection is established.
2. The client sends the SSL request
The client sends the server the SSL version it uses (SSL has three versions in total), its cipher configuration, random data, and the other information the SSL protocol needs.
3. The server processes the SSL request
The server replies to the client with its own SSL version, cipher configuration, random data, and the SERVER-HELLO message encrypted with its own private key. The server then sends over its certificate (which contains its public key). As an option, the server can also require the client to send its own certificate.
4. The client verifies the server's identity
The client uses the certificate sent by the server to verify the server's identity; if verification fails, the session is terminated. Once the certificate has been verified, the client uses the server's public key to try to decrypt the SERVER-HELLO message that the server encrypted with its private key; if decryption fails, the SERVER-HELLO must be forged, and the session is terminated.
5. The client sends random data encrypted with the public key
The client generates random data (the shared secret) and encrypts it with the public key the server sent over; this encryption step produces the premaster secret of this handshake (the server may take part in this step, depending on the cipher algorithm in use), and the client sends the premaster secret back to the server. If the server has required client authentication, the client must also send over its own certificate (containing its public key), together with some data it has signed (encrypted with its private key).
6. The server decrypts the encrypted random data with its private key and both sides negotiate the secret
After the server has verified the client's identity, it decrypts the premaster secret with its own private key, and the two sides then use this premaster secret to jointly derive the master secret (think of the premaster secret as the secret both sides agreed on, which is then used to negotiate a master secret that in turn produces the real session keys used to transfer data); this is what keeps the data absolutely secure.
7. Server and client derive the cipher and the key from the secret
Both sides use the master secret to produce the real session key, which is a symmetric key. This key is also used to verify data integrity. The two sides then exchange finished messages and the handshake is complete.
From this point on, both sides communicate with the negotiated algorithm and key, using symmetric encryption.
II. Describe the process of creating a private CA and issuing certificates for certificate requests sent by clients.
1. Create the required files
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serail
(The counter file openssl.cnf refers to is named serial; it must be created under exactly that name, otherwise openssl ca cannot load the next serial number.)
2. Create the private key file
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the private key file
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................................................+++
.........................................+++
e is 65537 (0x10001)
3. On the CA host, generate a certificate request and self-sign it
Command: openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
Parameters:
-new: generate a new certificate signing request;
-x509: used specifically for a CA generating a self-signed certificate;
-key: the private key file used to generate the request;
-days n: validity period of the certificate, in days;
-out: the path where the certificate is saved.
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                     # country
State or Province Name (full name) []:shanghai                           # province
Locality Name (eg, city) [Default City]:shanghai                         # city
Organization Name (eg, company) [Default Company Ltd]:magedu             # organisation name
Organizational Unit Name (eg, section) []:ops                            # department
Common Name (eg, your name or your server's hostname) []:ca.magedu.com   # server name
Email Address []:[email protected]                                       # e-mail address
[[email protected] CA]# ll
总用量 24
-rw-r--r--. 1 root root 1424 10月 18 09:50 cacert.pem
drwxr-xr-x. 2 root root 4096 6月  29 2015 certs
drwxr-xr-x. 2 root root 4096 6月  29 2015 crl
-rw-r--r--. 1 root root    0 10月 17 17:42 index.txt
drwxr-xr-x. 2 root root 4096 6月  29 2015 newcerts
drwx------. 2 root root 4096 10月 18 09:38 private
-rw-r--r--. 1 root root    3 10月 17 17:42 serail
4. Generate a private key on the host that needs the certificate
[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
................+++
....................................+++
e is 65537 (0x10001)
5. Generate a certificate signing request on the host that needs the certificate
[[email protected] ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: -days has no effect on this command (openssl req only honours it together with -x509); the validity period is decided by the CA when it signs the request.
6. Transfer the request file to the CA host
[[email protected] ssl]# scp httpd.csr [email protected]:/tmp
[email protected]'s password:
httpd.csr                                     100% 1058     1.0KB/s   00:00
7. The CA signs the certificate
[[email protected] CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 18 02:36:27 2016 GMT
            Not After : Oct 18 02:36:27 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2A:8A:76:E2:94:70:A1:CB:1A:CB:C0:32:35:A3:34:54:BB:4C:43:CA
            X509v3 Authority Key Identifier:
                keyid:C7:83:51:96:AC:82:AF:DA:35:58:02:CD:B3:75:B2:37:B8:5D:59:38

Certificate is to be certified until Oct 18 02:36:27 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. The CA sends the signed certificate back to the requesting host
[[email protected] CA]# scp /tmp/httpd.crt 10.18.11.30:/etc/httpd/ssl/
The authenticity of host '10.18.11.30 (10.18.11.30)' can't be established.
ECDSA key fingerprint is 8a:97:c3:ae:80:30:d2:16:2f:3d:cc:fb:b8:f5:77:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.18.11.30' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt                                     100% 4628     4.5KB/s   00:00
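The eight steps above as one runnable script. This is an added example, not code from the original post: it carries its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf, and the directory layout, the subject names and the "run" argument are assumptions. It also adds the check the walkthrough leaves out, namely that the issued certificate verifies against the CA that signed it and not against another CA.

```shell
#!/bin/sh
# Added example, not from the original post: the private-CA steps above replayed
# with a self-contained openssl.cnf, so nothing depends on /etc/pki/tls/openssl.cnf.
# Directory layout, subject names and the "run" argument are assumptions.
set -eu

# build_ca DIR -- steps 1-3: index/serial files, CA key, self-signed CA cert.
# NB: the counter file must be called "serial", the name the config refers to.
build_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions ca_ext \
        -key "$dir/private/cakey.pem" -days 7300 \
        -subj "/C=CN/O=magedu/CN=ca.magedu.com" -out "$dir/cacert.pem"
}

# request_and_sign DIR NAME CN -- steps 4-7: server key, CSR, CA signature.
# (-days on "openssl req -new" without -x509 is ignored; the CA fixes validity.)
request_and_sign() {
    dir="$1"; name="$2"; cn="$3"
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$name.key" \
        -subj "/C=CN/O=magedu/CN=$cn" -out "$dir/$name.csr"
    openssl ca -batch -config "$dir/ca.cnf" -days 365 -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}
# verify_chain CADIR CERT -- the check the walkthrough skips: does the issued
# certificate really chain to this CA?  Prints "ok" or "fail".
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 && echo ok || echo fail
}
# Demo (sh ca-demo.sh run): sign www.magedu.com with our CA, then show that a
# certificate for the same name from a different CA is rejected.
if [ "${1:-}" = run ]; then
    w="${TMPDIR:-/tmp}/ca-demo.$$"
    build_ca "$w/CA";      request_and_sign "$w/CA" httpd www.magedu.com
    build_ca "$w/otherCA"; request_and_sign "$w/otherCA" rogue www.magedu.com
    echo "own CA: $(verify_chain "$w/CA" "$w/CA/httpd.crt")"          # ok
    echo "other CA: $(verify_chain "$w/CA" "$w/otherCA/rogue.crt")"   # fail
    rm -rf "$w"
fi
```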
III. Set up a DNS service responsible for resolving the magedu.com domain (choose the host names and IPs yourself)
(1) Perform forward and reverse resolution for a number of host names;
(2) Delegate the sub-domain cdn.magedu.com, whose own servers resolve the host names within it;
(3) To guarantee high availability of the DNS service, design a scheme and write out the implementation in detail.
1. Install the master DNS server and configure forward and reverse resolution
[[email protected] ~]# yum install -y bind          # install the DNS service
[[email protected] ~]# yum install bind-utils       # install the DNS test tools
[[email protected] ~]# vim /etc/named.conf          # edit the main configuration file
options {
        listen-on port 53 { 10.18.11.29; };        # listen on 10.18.11.29
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        // dnssec-enable yes;                      # comment out the DNSSEC settings
        // dnssec-validation yes;

        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";

        // managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note: recursion yes; combined with allow-query { any; }; turns this authoritative server into an open recursive resolver, which is exactly the case the comment in the file warns about. An authoritative-only server should set recursion no; (or restrict recursion to its own clients with allow-recursion).
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {                              # add the forward zone
        type master;
        file "magedu.com.zone";
};
zone "18.10.in-addr.arpa" IN {                      # add the reverse zone
        type master;
        file "18.10.in-addr.arpa.zone";
};
[[email protected] ~]# vim /var/named/magedu.com.zone   # configure the forward zone
$TTL 86400
@       IN SOA  ns1.magedu.com. admin.magedu.com ( 20161024 1H 5M 7D 1D )
        IN NS   ns1.magedu.com.
        IN NS   ns2.magedu.com.
ns1     IN A    10.18.11.29
ns2     IN A    10.18.11.30
[[email protected] named]# vim 18.10.zone               # configure the reverse zone
$TTL 86400
@       IN SOA  ns1.magedu.com. admin.magedu.com ( 20161024 1H 5M 7D 1D )
        IN NS   ns1.magedu.com.
        IN NS   ns2.magedu.com.
11.29   IN PTR  ns1.magedu.com.
11.30   IN PTR  ns2.magedu.com.
11.29   IN PTR  www.magedu.com.
11.30   IN PTR  www.magedu.com.
11.29   IN PTR  mx1.magedu.com.
11.30   IN PTR  mx2.magedu.com.
[[email protected] ~]# chmod 640 /var/named/magedu.com.zone /var/named/18.10.zone   # fix the permissions and group of the zone files
[[email protected] ~]# chown :named /var/named/magedu.com.zone /var/named/18.10.zone
[[email protected] named]# named-checkzone "magedu.com.zone" /var/named/magedu.com.zone   # check the zone file for syntax errors
zone magedu.com.zone/IN: loaded serial 20161024
OK
[[email protected] named]# systemctl reload named.service   # reload the configuration
[[email protected] named]# dig www.magedu.com @10.18.11.29   # test forward resolution

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> www.magedu.com @10.18.11.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1878
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         86400   IN      A       10.18.11.29
www.magedu.com.         86400   IN      A       10.18.11.30

;; AUTHORITY SECTION:
magedu.com.             86400   IN      NS      ns1.magedu.com.
magedu.com.             86400   IN      NS      ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       10.18.11.29
ns2.magedu.com.         86400   IN      A       10.18.11.30

;; Query time: 0 msec
;; SERVER: 10.18.11.29#53(10.18.11.29)
;; WHEN: 三 10月 26 10:28:16 CST 2016
;; MSG SIZE  rcvd: 143

[[email protected] named]# dig -x 10.18.11.29 @10.18.11.29   # test reverse resolution

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 10.18.11.29 @10.18.11.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51511
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;29.11.18.10.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
29.11.18.10.in-addr.arpa. 86400 IN      PTR     mx1.magedu.com.
29.11.18.10.in-addr.arpa. 86400 IN      PTR     www.magedu.com.
29.11.18.10.in-addr.arpa. 86400 IN      PTR     ns1.magedu.com.

;; AUTHORITY SECTION:
11.18.10.in-addr.arpa.  86400   IN      NS      ns2.magedu.com.
11.18.10.in-addr.arpa.  86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       10.18.11.29
ns2.magedu.com.         86400   IN      A       10.18.11.30

;; Query time: 0 msec
;; SERVER: 10.18.11.29#53(10.18.11.29)
;; WHEN: 三 10月 26 11:34:05 CST 2016
;; MSG SIZE  rcvd: 181
2. Slave DNS server configuration
[[email protected] ~]# yum install -y bind          # install the DNS service
[[email protected] ~]# yum install bind-utils       # install the DNS test tools
[[email protected] slaves]# vim /etc/named.conf
options {
        listen-on port 53 { 10.18.11.30; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                  # allow queries from anyone

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        //dnssec-enable yes;                       # comment out the DNSSEC settings
        //dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[[email protected] /]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;                                # zone type slave
        masters { 10.18.11.29; };                  # the master DNS is 10.18.11.29
        file "slaves/magedu.com.zone";             # path of the zone file
};
zone "11.18.10.in-addr.arpa." IN {
        type slave;
        masters { 10.18.11.29; };
        file "slaves/11.18.10.zone";
};
[[email protected] /]# systemctl reload named.service   # reload the configuration
[[email protected] /]# ll /var/named/slaves/            # the zone files under slaves/ have been transferred from the master
总用量 8
-rw-r--r-- 1 named named 402 10月 26 16:27 11.18.10.zone
-rw-r--r-- 1 named named 500 10月 26 15:54 magedu.com.zone
[[email protected] named]# vim /var/named/magedu.com.zone   # on the master, add an A record for ftp.magedu.com to the forward zone
$TTL 86400
@       IN SOA  ns1.magedu.com. admin.magedu.com. ( 2016102402 1H 5M 7D 1D )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    10.18.11.29
ns2     IN A    10.18.11.30
mx1     IN A    10.18.11.29
mx2     IN A    10.18.11.30
www     IN A    10.18.11.29
www     IN A    10.18.11.30
cdn     IN NS   ns1.cdn
ns1.cdn IN A    10.18.11.31
ftp     IN A    10.18.11.29
[[email protected] named]# vim /var/named/11.18.10.zone   # on the master, add the ftp.magedu.com record to the reverse zone
$TTL 86400
@       IN SOA  ns1.magedu.com. admin.magedu.com. (
                2016102402      ; serial bumped
                1H 5M 7D 1D )
        IN NS   ns1.magedu.com.
        IN NS   ns2.magedu.com.
29      IN PTR  ns1.magedu.com.
30      IN PTR  ns2.magedu.com.
29      IN PTR  www.magedu.com.
30      IN PTR  www.magedu.com.
29      IN PTR  mx1.magedu.com.
30      IN PTR  mx2.magedu.com.
29      IN PTR  ftp.magedu.com.
[[email protected] named]# systemctl reload named.service   # reload the configuration
[[email protected] slaves]# cat /var/named/slaves/magedu.com.zone   # on the slave, the new ftp.magedu.com records have been transferred in both zones
$ORIGIN .
$TTL 86400      ; 1 day
magedu.com              IN SOA  ns1.magedu.com. admin.magedu.com. (
                                2016102402 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.magedu.com.
                        NS      ns2.magedu.com.
$ORIGIN magedu.com.
cdn                     NS      ns1.cdn
$ORIGIN cdn.magedu.com.
ns1                     A       10.18.11.31
$ORIGIN magedu.com.
ftp                     A       10.18.11.29
mx1                     A       10.18.11.29
mx2                     A       10.18.11.30
ns1                     A       10.18.11.29
ns2                     A       10.18.11.30
www                     A       10.18.11.29
                        A       10.18.11.30
[[email protected] slaves]# cat /var/named/slaves/11.18.10.zone
$ORIGIN .
$TTL 86400      ; 1 day
11.18.10.in-addr.arpa   IN SOA  ns1.magedu.com. admin.magedu.com. (
                                2016102402 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.magedu.com.
                        NS      ns2.magedu.com.
$ORIGIN 11.18.10.in-addr.arpa.
29                      PTR     ns1.magedu.com.
                        PTR     www.magedu.com.
                        PTR     mx1.magedu.com.
                        PTR     ftp.magedu.com.
30                      PTR     ns2.magedu.com.
                        PTR     www.magedu.com.
                        PTR     mx2.magedu.com.
[[email protected] named]# dig ftp.magedu.com @10.18.11.30   # check that 10.18.11.30 resolves correctly

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> ftp.magedu.com @10.18.11.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19587
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.magedu.com.                IN      A

;; ANSWER SECTION:
ftp.magedu.com.         86400   IN      A       10.18.11.29

;; AUTHORITY SECTION:
magedu.com.             86400   IN      NS      ns2.magedu.com.
magedu.com.             86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       10.18.11.29
ns2.magedu.com.         86400   IN      A       10.18.11.30

;; Query time: 3 msec
;; SERVER: 10.18.11.30#53(10.18.11.30)
;; WHEN: 三 10月 26 17:25:09 CST 2016
;; MSG SIZE  rcvd: 127

[[email protected] named]# dig -x 10.18.11.29 @10.18.11.30

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 10.18.11.29 @10.18.11.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38724
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;29.11.18.10.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
29.11.18.10.in-addr.arpa. 86400 IN      PTR     ns1.magedu.com.
29.11.18.10.in-addr.arpa. 86400 IN      PTR     mx1.magedu.com.
29.11.18.10.in-addr.arpa. 86400 IN      PTR     ftp.magedu.com.
29.11.18.10.in-addr.arpa. 86400 IN      PTR     www.magedu.com.

;; AUTHORITY SECTION:
11.18.10.in-addr.arpa.  86400   IN      NS      ns1.magedu.com.
11.18.10.in-addr.arpa.  86400   IN      NS      ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       10.18.11.29
ns2.magedu.com.         86400   IN      A       10.18.11.30

;; Query time: 1 msec
;; SERVER: 10.18.11.30#53(10.18.11.30)
;; WHEN: 三 10月 26 17:25:39 CST 2016
;; MSG SIZE  rcvd: 199
3. Sub-domain server configuration
[[email protected] ~]# yum install -y bind          # install the DNS service
[[email protected] ~]# yum install bind-utils       # install the DNS test tools
# on the master DNS server, add the delegation to the zone file
[[email protected] ~]# vim /var/named/magedu.com.zone
cdn     IN NS   ns1.cdn                            # add these two records
ns1.cdn IN A    10.18.11.31
# on the sub-domain server, add the zone definitions
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {                         # add the forward zone
        type master;
        file "cdn.magedu.com.zone";
};
zone "11.18.10.in-addr.arpa." IN {                 # add the reverse zone
        type master;
        file "11.18.10.zone";
};
# forward zone file on the sub-domain server
[[email protected] ~]# vim /var/named/cdn.magedu.com.zone
$TTL 86400
@       IN SOA  ns1.cdn.magedu.com. admin.magedu.com ( 2016102401 1H 5M 7D 1D )
        IN NS   ns1
ns1     IN A    10.18.11.31
www     IN A    10.19.11.31
# reverse zone file on the sub-domain server
[[email protected] ~]# vim /var/named/11.18.10.zone
$TTL 86400
@       IN SOA  ns1.cdn.magedu.com. admin.magedu.com. ( 2016102401 1H 5M 7D 1D )
        IN NS   ns1.cdn.magedu.com.
31      IN PTR  ns1.cdn.magedu.com.
31      IN PTR  www.cdn.magedu.com.
# forward the parent domain to the master DNS server
[[email protected] named]# vim /etc/named.conf          # add a forward zone
zone "magedu.com" IN {
        type forward;
        forward first;
        forwarders { 10.18.11.29; };
};
# test sub-domain resolution
[[email protected] named]# dig www.cdn.magedu.com @10.18.11.31   # test forward resolution in the sub-domain

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> www.cdn.magedu.com @10.18.11.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com.            IN      A

;; ANSWER SECTION:
www.cdn.magedu.com.     86400   IN      A       10.19.11.31

;; AUTHORITY SECTION:
cdn.magedu.com.         86400   IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     86400   IN      A       10.18.11.31

;; Query time: 0 msec
;; SERVER: 10.18.11.31#53(10.18.11.31)
;; WHEN: 四 10月 27 11:41:57 CST 2016
;; MSG SIZE  rcvd: 97

[[email protected] named]# dig -x 10.18.11.31 @10.18.11.31   # test reverse resolution in the sub-domain

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 10.18.11.31 @10.18.11.31
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13311
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;31.11.18.10.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
31.11.18.10.in-addr.arpa. 86400 IN      PTR     ns1.cdn.magedu.com.
31.11.18.10.in-addr.arpa. 86400 IN      PTR     www.cdn.magedu.com.

;; AUTHORITY SECTION:
11.18.10.in-addr.arpa.  86400   IN      NS      ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com.     86400   IN      A       10.18.11.31

;; Query time: 0 msec
;; SERVER: 10.18.11.31#53(10.18.11.31)
;; WHEN: 四 10月 27 11:42:29 CST 2016
;; MSG SIZE  rcvd: 133
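The master/slave step above works only because the SOA serial was bumped from 20161024 to 2016102402 before the reload: a slave transfers a zone only when the master's serial is higher than the one it holds. The script below is an added example, not part of the original post; it reads the serial out of both zone-file layouts seen on this page, compares master and slave, and computes the next YYYYMMDDnn serial. The sample zone files it writes are constructed copies of the page's zones, and the file names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the serial check behind the
# master/slave step above. A slave only transfers a zone when the master's SOA
# serial is higher than the one it already holds, so a forgotten serial bump is
# the usual reason a new record such as ftp.magedu.com never reaches the slave.
# The sample zone files are constructed copies of the two layouts on this page.
set -eu

# zone_serial FILE -- print the SOA serial. Handles both the hand-written
# "( 2016102402 1H 5M 7D 1D )" layout and the transferred-file layout, where
# the serial sits on its own line followed by "; serial".
zone_serial() {
    awk '
        { sub(/;.*/, "") }                       # strip zone-file comments
        /SOA/ { insoa = 1 }                      # from the SOA record on ...
        insoa { for (i = 1; i <= NF; i++)        # ... the first all-digit field
                    if ($i ~ /^[0-9]+$/) { print $i; exit } }
    ' "$1"
}

# next_serial CURRENT TODAY -- next YYYYMMDDnn serial: continue today's
# sequence if CURRENT already starts with TODAY, else start at TODAY01, and
# never go backwards (a serial that does not increase is ignored by slaves).
next_serial() {
    cur="$1"; today="$2"
    case "$cur" in
        "$today"[0-9][0-9]) n=${cur#"$today"}; n=${n#0}   # drop leading zero: no octal
                            new=$(printf '%s%02d' "$today" $(( n + 1 ))) ;;
        *)                  new="${today}01" ;;
    esac
    [ "$new" -gt "$cur" ] || new=$(( cur + 1 ))
    echo "$new"
}

# check_sync MASTER_FILE SLAVE_FILE -- "synced" when the slave holds the master's
# serial, "stale" when the master is ahead (transfer pending or broken), "ahead"
# when the slave's serial is higher: the master's edits will never transfer.
check_sync() {
    m=$(zone_serial "$1"); s=$(zone_serial "$2")
    if   [ "$m" -eq "$s" ]; then echo synced
    elif [ "$m" -gt "$s" ]; then echo stale
    else                         echo ahead
    fi
}

# write_samples DIR -- constructed master zone (serial bumped after adding ftp)
# and the slave's transferred copy, still at the old serial.
write_samples() {
    mkdir -p "$1"
    cat > "$1/master.zone" <<'EOF'
$TTL 86400
@   IN SOA ns1.magedu.com. admin.magedu.com. ( 2016102402 1H 5M 7D 1D )
    IN NS  ns1.magedu.com.
ns1 IN A   10.18.11.29
ftp IN A   10.18.11.29
EOF
    cat > "$1/slave.zone" <<'EOF'
$ORIGIN .
$TTL 86400      ; 1 day
magedu.com      IN SOA  ns1.magedu.com. admin.magedu.com. (
                                20161024   ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.magedu.com.
EOF
}

if [ "${1:-}" = run ]; then                        # sh zone-serial.sh run
    d="${TMPDIR:-/tmp}/zone-demo.$$"; write_samples "$d"
    echo "master $(zone_serial "$d/master.zone") slave $(zone_serial "$d/slave.zone"): $(check_sync "$d/master.zone" "$d/slave.zone")"
    echo "next serial on 20161027: $(next_serial "$(zone_serial "$d/master.zone")" 20161027)"
    rm -rf "$d"
fi
```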
4. High-availability DNS scheme
LVS + keepalived load-balancing architecture
Name       | IP
-----------|-------------
LVS-Master | 10.18.11.31
LVS-BACKUP | 10.18.11.32
LVS-VIP    | 10.18.11.40
DNS-master | 10.18.11.29
DNS-slave  | 10.18.11.30
Configure LVS for load balancing
[[email protected] ~]# yum install keepalived                  # install keepalived on both LVS servers
[[email protected] ~]# vim /etc/keepalived/keepalived.conf     # edit the LVS-Master configuration
! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
     [email protected]
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_1
}

vrrp_instance VI_DNS1 {
    state MASTER
    interface ens192                  # interface the VIP is bound to
    virtual_router_id 51              # virtual router ID, identical within one VRRP group
    priority 100                      # priority; MASTER only needs to be higher than BACKUP
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.18.11.40                   # VIP
    }
}

virtual_server 10.18.11.40 53 {       # VIP and port
    delay_loop 6
    lb_algo rr                        # scheduling algorithm, rr = round robin
    lb_kind DR                        # LVS forwarding mode DR
    nat_mask 255.255.255.0
    persistence_timeout 50            # session persistence: same node within 50 seconds
    protocol UDP                      # protocol UDP

    real_server 10.18.11.29 53 {
        weight 100                    # weight; higher means a larger share
        TCP_CHECK {                   # real server health check
            connect_timeout 8         # connection timeout 8 seconds
            nb_get_retry 3            # retries: 3
            delay_before_retry 3      # 3 seconds between retries
            connect_port 53           # port to check
        }
    }
    real_server 10.18.11.30 53 {
        weight 100
        TCP_CHECK {
            connect_timeout 8
            nb_get_retry 3
            delay_before_retry 3
            connect_port 53
        }
    }
}
(the file continues with a second vrrp_instance/virtual_server pair for TCP; its opening lines were not captured)
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.18.11.40
    }
}

virtual_server 10.18.11.40 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    protocol TCP

    real_server 10.18.11.29 53 {
        weight 100
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 53
        }
    }
    real_server 10.18.11.30 53 {
        weight 100
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 53
        }
    }
}
[[email protected] ~]# vim /etc/keepalived/keepalived.conf     # edit the LVS-BACKUP configuration
! Configuration File for keepalived

global_defs {
   notification_email {
     [email protected]
     [email protected]
     [email protected]
   }
   notification_email_from [email protected]
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id LVS_2
}

vrrp_instance VI_DNS1 {
    state backup                      # state is backup
    interface ens192
    virtual_router_id 51
    priority 90                       # lower priority than the master
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.18.11.40
    }
}

virtual_server 10.18.11.40 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol UDP

    real_server 10.18.11.29 53 {
(the first screen of the file ends here; the second vrrp_instance/virtual_server pair follows, its opening lines not captured)
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.18.11.40
    }
}

virtual_server 10.18.11.40 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    # persistence_timeout 1
    protocol TCP

    real_server 10.18.11.29 53 {
        weight 100
        TCP_CHECK {
            connect_timeout 8
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 10.18.11.30 53 {
        weight 100
        TCP_CHECK {
            connect_timeout 8
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
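The two keepalived.conf files above already disagree: the BACKUP node health-checks the port-53 real servers on connect_port 80 with a different connect_timeout and has persistence commented out, so a VRRP failover would quietly change how the DNS servers are checked and scheduled. The script below is an added example, not part of the original post: it normalizes both files, drops the keys that legitimately differ per node, and diffs the rest. The sample configs it writes are constructed from the page's settings, and the file names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a drift check for the two
# keepalived.conf files above. Apart from the per-node keys (state, priority,
# router_id, mail settings) MASTER and BACKUP must agree, otherwise a failover
# silently changes how the DNS real servers are health-checked.
set -eu

# normalize FILE -- strip comments ("!" and "#"), indentation and blank lines,
# then drop the keys that legitimately differ between the two nodes.
# Assumes no configuration value itself contains "!" or "#".
normalize() {
    sed -e 's/[!#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        grep -Ev '^(state|priority|router_id|smtp_server|notification_email(_from)?|[^[:space:]]+@[^[:space:]]+)([[:space:]]|$)' || true
}

# drift_lines MASTER BACKUP -- normalized lines that differ: "<" only on
# MASTER, ">" only on BACKUP. Prints nothing when the nodes agree.
drift_lines() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"; normalize "$2" > "$b"
    diff "$a" "$b" | grep '^[<>]' || true
    rm -f "$a" "$b"
}

# drift_count MASTER BACKUP -- number of differing lines; 0 means in sync.
drift_count() {
    drift_lines "$1" "$2" | grep -c . || true
}

# write_sample FILE STATE PRIORITY ROUTER_ID CONNECT_TIMEOUT CONNECT_PORT PERSIST
# -- a constructed keepalived.conf reduced to the parts that matter here.
write_sample() {
    cat > "$1" <<EOF
! Configuration File for keepalived
global_defs {
    router_id $4
}
vrrp_instance VI_DNS1 {
    state $2
    interface ens192
    virtual_router_id 51
    priority $3
    virtual_ipaddress {
        10.18.11.40
    }
}
virtual_server 10.18.11.40 53 {
    lb_algo rr
    lb_kind DR
    $7
    protocol UDP
    real_server 10.18.11.29 53 {
        weight 100
        TCP_CHECK {
            connect_timeout $5
            connect_port $6
        }
    }
}
EOF
}

if [ "${1:-}" = run ]; then                        # sh ka-drift.sh run
    d="${TMPDIR:-/tmp}/ka-demo.$$"; mkdir -p "$d"
    # values from the page: BACKUP checks port 80 with a 3 s timeout and has
    # persistence commented out, MASTER checks port 53 with 8 s and 50 s persistence
    write_sample "$d/master.conf" MASTER 100 LVS_1 8 53 "persistence_timeout 50"
    write_sample "$d/backup.conf" backup  90 LVS_2 3 80 "# persistence_timeout 1"
    echo "drift: $(drift_count "$d/master.conf" "$d/backup.conf")"   # drift: 5
    drift_lines "$d/master.conf" "$d/backup.conf"
    rm -rf "$d"
fi
```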
Run this script on the DNS servers (the real servers)
#!/bin/bash
# DR mode: each real server must own the VIP on its loopback so it accepts the
# packets the director forwards, but must never answer ARP for it, otherwise it
# would compete with the director for the address.
SNS_VIP=10.18.11.40
. /etc/rc.d/init.d/functions
case "$1" in
start)
    ifconfig lo:0 $SNS_VIP netmask 255.255.255.255 broadcast $SNS_VIP
    /sbin/route add -host $SNS_VIP dev lo:0
    # arp_ignore=1: only answer ARP for addresses on the receiving interface;
    # arp_announce=2: never advertise the loopback VIP as a source address
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    sysctl -p >/dev/null 2>&1
    echo "RealServer Start OK"
    ;;
stop)
    ifconfig lo:0 down
    route del $SNS_VIP >/dev/null 2>&1
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "RealServer Stopped"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0
Test LVS load balancing and high availability
[[email protected] ~]# ipvsadm -ln        # check the LVS state on the master LVS server; the output below shows the configuration is in effect
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.18.11.40:80 rr
  -> 10.18.11.29:80               Route   100    0          0
  -> 10.18.11.30:80               Route   100    0          0
UDP  10.18.11.40:53 rr persistent 50
  -> 10.18.11.29:53               Route   100    0          0
  -> 10.18.11.30:53               Route   100    0          0
[16:49:09 [email protected] /shell]#vim dns_test.sh     # test script: send 100 DNS queries to the VIP
#!/bin/bash
# the C-style for loop is a bash feature, so the script needs bash, not sh
for ((i = 1; i <= 100; i++)); do
    dig www.magedu.com @10.18.11.40 >/dev/null 2>&1
    sleep 1
done
[[email protected] ~]# ipvsadm -ln        # view the test result
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.18.11.40:53 rr
  -> 10.18.11.29:53               Route   100    0          0
  -> 10.18.11.30:53               Route   100    0          0
UDP  10.18.11.40:53 rr
  -> 10.18.11.29:53               Route   100    0          50
  -> 10.18.11.30:53               Route   100    0          50
[[email protected] ~]# systemctl stop named.service        # stop one DNS server
[[email protected] ~]# systemctl stop keepalived.service   # stop keepalived on LVS-Master
[[email protected] ~]# tail -100f /var/log/messages        # watch the log on LVS-backup
Oct 28 16:46:34 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) Received higher prio advert
Oct 28 16:46:34 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) Entering BACKUP STATE
Oct 28 16:46:34 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) removing protocol VIPs.
Oct 28 16:46:34 localhost Keepalived_vrrp[4068]: Netlink: error: Cannot assign requested address, type=(21), seq=1477644341, pid=0
Oct 28 16:53:01 localhost Keepalived_healthcheckers[4067]: TCP connection to [10.18.11.29]:53 failed !!!     # one DNS server detected as down
Oct 28 16:53:01 localhost Keepalived_healthcheckers[4067]: Removing service [10.18.11.29]:53 from VS [10.18.11.40]:53
Oct 28 16:53:01 localhost Keepalived_healthcheckers[4067]: Remote SMTP server [192.168.200.1]:25 connected.
Oct 28 16:53:31 localhost Keepalived_healthcheckers[4067]: Timeout reading data to remote SMTP server [192.168.200.1]:25.
Oct 28 16:53:42 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS1) Transition to MASTER STATE     # LVS-backup switches to MASTER
Oct 28 16:53:42 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) Transition to MASTER STATE
Oct 28 16:53:43 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS1) Entering MASTER STATE
Oct 28 16:53:43 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS1) setting protocol VIPs.
Oct 28 16:53:43 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS1) Sending gratuitous ARPs on ens192 for 10.18.11.40
Oct 28 16:53:43 localhost Keepalived_healthcheckers[4067]: Netlink reflector reports IP 10.18.11.40 added
Oct 28 16:53:43 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) Entering MASTER STATE
Oct 28 16:53:43 localhost Keepalived_vrrp[4068]: VRRP_Instance(VI_DNS2) setting protocol VIPs.