
Encryption Algorithms and DNS Service Setup

  • 1. Give an overview of common encryption algorithms and how they work, preferably with diagrams

    Common encryption algorithms:

  • Symmetric encryption: encryption and decryption use the same key;

    DES:Data Encryption Standard;
    3DES:Triple DES;
    AES:Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
    Blowfish
    Twofish
    DEA
    RC6
    CAST5

Properties:
1. Encryption and decryption use the same key;
2. The original data is split into fixed-size blocks, which are encrypted one after another;

Drawbacks:
1. Too many keys;
2. Key distribution is difficult;

  • Public-key encryption: the key is split into a public key and a private key

    Public key: derived from the private key; may be given to everyone; pubkey
    Private key: created with a tool and kept by its owner, who must keep it secret; secret key;
    Property: data encrypted with the public key can only be decrypted with the matching private key, and vice versa;

Uses:
Digital signature: chiefly lets the receiver confirm the sender's identity;
Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to them;
Data encryption

Algorithms: RSA, DSA, ElGamal
DSS: Digital Signature Standard
DSA: Digital Signature Algorithm

  • One-way encryption: extracts a fingerprint of the data; it can only be encrypted, never decrypted;
    Properties: fixed-length output, avalanche effect;
    Function: integrity;
    Algorithms:
    md5: Message Digest 5, 128 bits
    sha1: Secure Hash Algorithm 1, 160 bits
    sha224, sha256, sha384, sha512
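The two properties just listed can be checked directly with Python's standard hashlib. The following is an added example, not code from the original post: `digest_lengths` shows that each algorithm's output size is fixed no matter how long the input is, and `avalanche` flips a single input bit and counts how many digest bits change, which for a sound hash is close to half. The sample message and the function names are this example's own.

```python
import hashlib

# Constructed sample input for this example (not from the page).
MESSAGE = b"The quick brown fox jumps over the lazy dog"
ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]  # the ones listed above


def digest_lengths(data: bytes) -> dict:
    """Fixed-length output: the digest size (in bits) depends only on the algorithm."""
    return {name: hashlib.new(name, data).digest_size * 8 for name in ALGORITHMS}


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, data: bytes, bit_index: int = 0) -> tuple:
    """Hash `data` and a one-bit variant of it; return (bits changed, digest bits).
    For a sound hash roughly half of the output bits change."""
    original = hashlib.new(algorithm, data).digest()
    variant = hashlib.new(algorithm, flip_bit(data, bit_index)).digest()
    return differing_bits(original, variant), len(original) * 8


def fingerprint(algorithm: str, data: bytes) -> str:
    """Hex digest: the 'data fingerprint' used for integrity checks (what sha256sum prints)."""
    return hashlib.new(algorithm, data).hexdigest()


if __name__ == "__main__":
    for name, bits in digest_lengths(MESSAGE).items():
        changed, total = avalanche(name, MESSAGE)
        print(f"{name:7s} {bits:4d}-bit digest; one input bit flipped -> {changed}/{total} bits changed")
```

Run it with any input: the digest sizes never move, while flipping one bit of the input changes roughly half of the output bits, which is why a fingerprint cannot be tweaked to cover a tampered file.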

  • Key exchange: IKE (Internet Key Exchange)
    Public-key encryption
    DH (Diffie-Hellman)
    A: p, g
    B: p, g

                A: x
                    --> p^x%g ==> B

                    A: (p^y%g)^x = p^yx%g

                B: y
                    --> p^y%g ==> A

                    B: (p^x%g)^y = p^xy%g

    p and g are public and shared by both sides; x and y are kept private by A and B respectively. Only p^x%g and p^y%g travel over the wire, yet both sides arrive at the same value p^xy%g, which serves as the shared key.
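The exchange above, written out as an added example that is not part of the original post. It uses the usual naming (generator g, prime modulus p, public values g^x mod p); the page writes the base and the modulus the other way round, but the operation is the same. The group parameters are a toy assumption of this example (a Mersenne prime and a small base), chosen so the code runs instantly; a real deployment uses a standardized group such as the RFC 7919 ffdhe2048 group. The `Party` class and function names are this example's own.

```python
import hashlib
import secrets

# Toy public parameters, an assumption of this example: p = 2^127 - 1 is a Mersenne prime,
# g = 5 a small base. Real deployments use a standardized group (e.g. RFC 7919 ffdhe2048).
P = 2**127 - 1
G = 5


class Party:
    """One side of the exchange. Only `public` ever leaves this object."""

    def __init__(self, name: str, p: int = P, g: int = G, secret: int = None):
        self.name, self.p, self.g = name, p, g
        # private exponent (the page's x or y); random unless fixed for a reproducible test
        self.secret = secret if secret is not None else secrets.randbelow(p - 2) + 2
        self.public = pow(g, self.secret, p)  # g^x mod p, the value sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        # (g^y mod p)^x mod p == g^(xy) mod p, identical on both sides
        return pow(peer_public, self.secret, self.p)

    def derive_key(self, peer_public: int) -> bytes:
        # Never use the raw group element as a key: hash it into a fixed-size symmetric key
        z = self.shared_secret(peer_public)
        return hashlib.sha256(z.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()


def run_exchange(p: int = P, g: int = G) -> dict:
    """Run the two-message exchange; return both derived keys and what an observer sees."""
    a, b = Party("A", p, g), Party("B", p, g)
    on_the_wire = [("A->B", a.public), ("B->A", b.public)]  # public values only
    return {"key_a": a.derive_key(b.public), "key_b": b.derive_key(a.public), "wire": on_the_wire}


if __name__ == "__main__":
    result = run_exchange()
    print("keys agree:", result["key_a"] == result["key_b"])
    print("observed on the wire:", result["wire"])
    print("derived symmetric key:", result["key_a"].hex())
```

The `wire` list is everything a passive observer gets: the two public values, from which recovering x or y is the discrete-logarithm problem. Hashing the shared group element before using it as an AES key is standard practice and is also what the page's "key exchange" use case relies on.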


  • 2. Set up Apache or nginx and serve HTTPS with a self-signed certificate; choose your own domain name for the certificate

    For this exercise I used two CentOS 7 systems: the CA host is 192.168.10.10 and the WEB host is 192.168.10.20
    Create the private CA on the CA host

[[email protected] ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
......+++
e is 65537 (0x10001)
[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:xiaochen.com
Email Address []:
[[email protected] ~]# ls /etc/pki/CA/
cacert.pem  certs  crl  newcerts  private
[[email protected] ~]# cd /etc/pki/CA/
[[email protected] CA]# touch {serial,index.txt}
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[[email protected] CA]# cat serial 
01
[[email protected] ~]# rz

[[email protected] ~]# ls
anaconda-ks.cfg  httpd.csr
[[email protected] ~]# openssl ca -in ./httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 12 14:18:27 2018 GMT
            Not After : Nov 12 14:18:27 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guanxi
            organizationName          = ops
            organizationalUnitName    = dev
            commonName                = xiaochen.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                EB:53:54:71:C5:02:D9:8D:61:A9:0B:0A:9B:38:CE:38:DB:E1:E1:DF
            X509v3 Authority Key Identifier: 
                keyid:29:78:85:34:33:F9:88:E4:43:87:DC:4C:67:26:EB:05:48:29:E8:38

Certificate is to be certified until Nov 12 14:18:27 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ~]# ls
anaconda-ks.cfg  httpd.csr
[[email protected] ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guanxi/O=ops/OU=dev/CN=xiaochen.com
[[email protected] ~]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
[email protected]'s password: 
httpd.crt                                                                         100% 4431     2.2MB/s   00:00  

Configure the services on the WEB host

[[email protected] ~]# yum -y install httpd
[[email protected] ~]# yum -y install mod_ssl openssl
[[email protected] ~]# cd /etc/httpd/
[[email protected] httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[[email protected] httpd]# mkdir ssl
[[email protected] httpd]# cd ssl/
[[email protected] ssl]# (umask 077;openssl genrsa -out ./httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:xiaochen.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[[email protected] ~]# vi /var/www/html/index.html
[[email protected] ~]# systemctl restart httpd.service

Accessing the web page in a browser
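When the browser opens https://xiaochen.com it has to do two things: find a trusted issuer for the server certificate, which for a private CA means importing cacert.pem into the client's trust store, and match the hostname in the URL against the names in the certificate. The CSR above carries only a commonName and no subjectAltName; modern browsers (Chrome since version 58, for example) ignore the CN and require a SAN, so the name check can fail even once the CA is trusted. The following is an added example, not code from the original post: it performs that name check over certificate dicts laid out the way Python's ssl module returns them from getpeercert(). Both certificate dicts are constructed (CERT_CN_ONLY mirrors the certificate signed above; CERT_WITH_SAN is a hypothetical variant), and the function names are this example's own.

```python
# Constructed certificate dicts in the layout Python's ssl.SSLSocket.getpeercert() returns.
# CERT_CN_ONLY mirrors the certificate signed above: a subject CN and no subjectAltName.
CERT_CN_ONLY = {
    "subject": ((("countryName", "CN"),), (("organizationName", "ops"),),
                (("commonName", "xiaochen.com"),)),
    "issuer": ((("commonName", "xiaochen.com"),),),
}
# CERT_WITH_SAN is a hypothetical variant that also carries a subjectAltName extension.
CERT_WITH_SAN = dict(CERT_CN_ONLY,
                     subjectAltName=(("DNS", "xiaochen.com"), ("DNS", "*.xiaochen.com")))


def names_from_cert(cert: dict) -> tuple:
    """(SAN dNSNames, commonNames): the candidates a client may match the URL host against."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' only as the entire left-most label,
    matching exactly one label (so *.xiaochen.com covers www.xiaochen.com, not xiaochen.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """Decide like a modern client: if the certificate has any DNS SAN, only SANs count;
    the CN is consulted only when there is no SAN and the caller allows the legacy fallback."""
    sans, cns = names_from_cert(cert)
    if sans:
        return any(_name_matches(p, hostname) for p in sans)
    return allow_cn_fallback and any(_name_matches(p, hostname) for p in cns)


if __name__ == "__main__":
    for cert_name, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("xiaochen.com", "www.xiaochen.com", "a.b.xiaochen.com"):
            print(f"{cert_name:9s} {host:18s} strict={hostname_matches(cert, host)!s:5s} "
                  f"legacy={hostname_matches(cert, host, allow_cn_fallback=True)}")
```

With the CN-only certificate every strict check fails, which is what a current browser reports as a name mismatch; adding `subjectAltName = DNS:xiaochen.com` to the request (or at signing time) before running `openssl ca` avoids it.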

  • 3. Explain how a DNS server works, and set up a master-slave pair

  • How a DNS server works:
    DNS is short for Domain Name Service; its job is to look up IP addresses by domain name. From the client's side a DNS query is recursive; from the server's side it is almost always iterative. Resolving a name to an IP address is called forward resolution, and resolving an IP address to a name is reverse resolution. A DNS server that is authoritative for at least one zone is a DNS master server or a DNS slave (secondary) server; one that is not responsible for any zone is a DNS caching server. There are currently 13 DNS root servers distributed worldwide, named A through M.

  • Name-resolution process:

    1. When a client looks up a name it first checks its own hosts file; if the name is there, that answer is returned, otherwise the DNS server is queried.
    2. The DNS server queries from the top-level domain down to the second-level domain, obtaining the IP address of each in turn, and finally obtains the IP address for the domain name and reaches the server.

  • DNS zone database file:
    Resource records (rr) come in the following types:
    SOA: start of authority record; exactly one, and it must be the first record
    NS: name server record; one of them is the primary, and there can be several
    A: IPv4 address record
    AAAA: IPv6 address record
    CNAME: alias (canonical name) record
    PTR: reverse-lookup (pointer) record
    MX: mail exchanger record

Set up the master-slave pair
Install the software

[[email protected] ~]# yum -y install bind
[[email protected] ~]# yum -y install bind-utils
[[email protected] ~]# systemctl start named
[[email protected] ~]# netstat -tunlp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      9952/named          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      960/sshd            
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      9952/named          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1099/master         
tcp6       0      0 ::1:53                  :::*                    LISTEN      9952/named          
tcp6       0      0 :::22                   :::*                    LISTEN      960/sshd            
tcp6       0      0 ::1:953                 :::*                    LISTEN      9952/named          
tcp6       0      0 ::1:25                  :::*                    LISTEN      1099/master         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           9952/named          
udp6       0      0 ::1:53                  :::*                                9952/named     

Configure the environment:

[[email protected] ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.10.10
[[email protected] ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 192.168.10.10; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Configure a forward zone

[[email protected] ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
         type master;
         file "test.com.zone";
};
[[email protected] ~]# cat /var/named/test.com.zone 
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
        2018111301
        1H
        10M
        3D
        1D )
        IN NS ns1
        IN MX 10 mx1
        IN MX 20 mx2
ns1 IN A 192.168.10.10
MX1 IN A 192.168.10.20
MX2 IN A 192.168.10.20
www IN A 192.168.10.10
web IN CNAME www
[[email protected] ~]# chgrp named /var/named/test.com.zone
[[email protected] ~]# chmod o= /var/named/test.com.zone 
[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone test.com /var/named/test.com.zone 
zone test.com/IN: loaded serial 2018111301
OK

Forward-lookup test on the master

[[email protected] ~]# dig -t -A www.test.com
;; Warning, ignoring invalid type -A

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.          IN  A

;; ANSWER SECTION:
www.test.com.       3600    IN  A   192.168.10.10

;; AUTHORITY SECTION:
test.com.       3600    IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:20:40 CST 2018
;; MSG SIZE  rcvd: 91
[[email protected] ~]# dig -t -A web.test.com
;; Warning, ignoring invalid type -A

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A web.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.test.com.          IN  A

;; ANSWER SECTION:
web.test.com.       3600    IN  CNAME   www.test.com.
www.test.com.       3600    IN  A   192.168.10.10

;; AUTHORITY SECTION:
test.com.       3600    IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:21:07 CST 2018
;; MSG SIZE  rcvd: 109

Configure a reverse zone

[[email protected] ~]# vi /etc/named.rfc1912.zones
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.zone";
};
[[email protected] ~]# cat /var/named/192.168.10.zone 
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@ IN SOA ns1.test.com. nsadmin.test.com. (
        2018111301
        1H
        10M
        3D
        12H )
        IN NS ns1.test.com.
10 IN PTR ns1.test.com.
20 IN PTR mx1.test.com.
20 IN PTR mx2.test.com.
10 IN PTR www.test.com.
[[email protected] ~]# chgrp named /var/named/192.168.10.zone 
[[email protected] ~]# chmod o= /var/named/192.168.10.zone
[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/192.168.10.zone 
zone 10.168.192.in-addr.arpa/IN: loaded serial 2018111301
OK

Reverse-lookup test on the master

[[email protected] ~]# dig -x 192.168.10.10

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:37:57 CST 2018
;; MSG SIZE  rcvd: 129

Set up the slave (secondary) DNS server

[[email protected] ~]# yum -y install bind bind-utils
[[email protected] ~]# systemctl start named.service
[[email protected] ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.10.20
[[email protected] ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
        type slave;
        file "slaves/test.com.zone";
        masters { 192.168.10.10; };
};

Add records on the master

[[email protected] ~]# cat /var/named/test.com.zone 
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
        2018111309
        1H
        10M
        3D
        1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
ns1 IN A 192.168.10.10
ns2 IN A 192.168.10.20
MX1 IN A 192.168.10.21
MX2 IN A 192.168.10.22
www IN A 192.168.10.10
web IN CNAME www
pop3 IN A 192.168.10.25
[[email protected] ~]# named-checkzone test.com /var/named/test.com.zone 
zone test.com/IN: loaded serial 2018111309
OK
[[email protected] ~]# rndc reload
server reload successful
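Both the record-type list in section 3 and the edit just made on the master (the serial goes from 2018111301 to 2018111309 before `rndc reload`) come down to what a zone file must contain and how a slave decides whether to transfer it. The following added example, not part of the original post, parses a constructed copy of the updated test.com.zone (layout compacted) with a small BIND-style parser, applies checks in the spirit of named-checkzone (SOA first and unique, NS at the apex, in-zone NS/MX targets with address records), and implements the RFC 1982 serial comparison a slave uses: if the serial is not increased, the slave keeps its old copy even though the master's file changed. The function names are this example's own.

```python
import re

RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX"}  # the types listed in section 3
_TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")

# Constructed copy of the updated master zone file shown above (layout compacted).
ZONE_MASTER = """$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
        2018111309   ; serial, bumped from 2018111301
        1H 10M 3D 1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
ns1 IN A 192.168.10.10
ns2 IN A 192.168.10.20
MX1 IN A 192.168.10.21
MX2 IN A 192.168.10.22
www IN A 192.168.10.10
web IN CNAME www
pop3 IN A 192.168.10.25
"""
PREVIOUS_SERIAL = 2018111301  # the serial the slave already holds


def qualify(name: str, origin: str) -> str:
    """Absolute, lower-cased owner name (DNS names are case-insensitive: MX1 == mx1)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> dict:
    """Minimal BIND-style zone parser: $TTL, $ORIGIN, ';' comments, '( ... )' continuation
    lines, inherited owner names, optional TTL and class before the record type."""
    origin, default_ttl, owner, records, buf, depth = "", None, None, [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # record continues on the next line
        lines, buf = buf, []
        tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = tokens[1]
            continue
        if not lines[0][0].isspace():  # owner given on this line; otherwise inherit
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError("record before any owner name")
        ttl = default_ttl
        while tokens and (tokens[0].upper() == "IN" or _TTL_RE.match(tokens[0])):
            tok = tokens.pop(0)
            if tok.upper() != "IN":
                ttl = tok
        records.append({"owner": qualify(owner, origin), "ttl": ttl,
                        "type": tokens[0].upper(), "rdata": tokens[1:]})
    return {"origin": origin, "records": records}


def soa_serial(zone: dict) -> int:
    soa = next(r for r in zone["records"] if r["type"] == "SOA")
    return int(soa["rdata"][2])  # mname rname serial refresh retry expire minimum


def check_zone(zone: dict) -> list:
    """Checks in the spirit of named-checkzone; returns a list of problems (empty = OK)."""
    recs, apex, problems = zone["records"], zone["origin"], []
    if not recs or recs[0]["type"] != "SOA":
        problems.append("first record must be the SOA")
    if sum(r["type"] == "SOA" for r in recs) != 1:
        problems.append("zone must contain exactly one SOA")
    if not any(r["type"] == "NS" and r["owner"] == apex for r in recs):
        problems.append("no NS record at the zone apex")
    addressed = {r["owner"] for r in recs if r["type"] in ("A", "AAAA")}
    for r in recs:
        if r["type"] not in RR_TYPES:
            problems.append(f"unknown record type {r['type']} at {r['owner']}")
        elif r["type"] in ("NS", "MX"):
            target = qualify(r["rdata"][-1], apex)
            if target.endswith(apex) and target not in addressed:
                problems.append(f"{r['type']} target {target} has no A/AAAA record")
    return problems


def serial_newer(master: int, slave: int) -> bool:
    """RFC 1982 serial arithmetic (32-bit, wrapping): True if the slave must transfer."""
    diff = (master - slave) % (1 << 32)
    return 0 < diff < (1 << 31)


def slave_will_transfer(master_zone_text: str, slave_serial: int) -> bool:
    return serial_newer(soa_serial(parse_zone(master_zone_text)), slave_serial)
```

The failure mode worth remembering: editing records without touching the serial passes `named-checkzone` and `rndc reload` on the master, yet `slave_will_transfer` (and the real slave) answers no, so the two servers silently diverge until someone bumps the serial.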

Test the slave server

[[email protected] slaves]# dig -t A www.test.com @192.168.10.20

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t A www.test.com @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45851
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.          IN  A

;; ANSWER SECTION:
www.test.com.       3600    IN  A   192.168.10.10

;; AUTHORITY SECTION:
test.com.       3600    IN  NS  ns2.test.com.
test.com.       3600    IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10
ns2.test.com.       3600    IN  A   192.168.10.20

;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Thu May 31 23:20:16 EDT 2018
;; MSG SIZE  rcvd: 125

Reverse lookup of an IP via the slave server

[[email protected] ~]# dig -x 192.168.10.10 @192.168.10.20

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -x 192.168.10.10 @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN  NS  ns2.test.com.
10.168.192.in-addr.arpa. 3600   IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10
ns2.test.com.       3600    IN  A   192.168.10.20

;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.20
;; WHEN: Fri Jun 01 02:25:17 EDT 2018
;; MSG SIZE  rcvd: 163

This completes the master-slave DNS setup

  • 4. Set up and implement intelligent (split-view) DNS

    Build intelligent DNS on 192.168.10.10 as the example

Modify the DNS server's named.conf configuration file

view internal {
        match-clients { 192.168.10.10; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};
view external {
        match-clients { any; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};
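BIND evaluates `match-clients` in the order the views appear in named.conf and hands the query to the first view that matches, so with the configuration above only queries arriving from 192.168.10.10 itself get the `internal` view and every other client falls through to `external`. The following added example (not the project's or the post's code) models that selection with Python's ipaddress module, also accepting CIDR prefixes and `!` negation, which the page's config does not use, and shows why the declaration order matters. The view lists and client addresses are constructed for the example; the function names are its own.

```python
import ipaddress

# Constructed model of the two views in the named.conf above, in their declaration order.
VIEWS = [
    ("internal", ["192.168.10.10"]),
    ("external", ["any"]),
]


def _match_element(element: str, client):
    """Evaluate one address_match_list element: True = matched, False = matched a negated
    entry (explicit deny), None = this element says nothing about the client."""
    negated = element.startswith("!")
    value = element.lstrip("!").strip()
    if value == "any":
        hit = True
    elif value == "none":
        hit = False
    else:
        hit = client in ipaddress.ip_network(value, strict=False)  # host or CIDR prefix
    if not hit:
        return None
    return not negated


def match_clients(acl: list, client_ip: str) -> bool:
    """First matching element decides; a client matching nothing is not allowed."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        verdict = _match_element(element, client)
        if verdict is not None:
            return verdict
    return False


def select_view(views: list, client_ip: str):
    """BIND tries views in declaration order and serves the first whose match-clients
    accepts the client; if no view matches, the query is refused (None here)."""
    for name, acl in views:
        if match_clients(acl, client_ip):
            return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.20", "8.8.8.8"):
        print(f"{ip:15s} -> view {select_view(VIEWS, ip)}")
    # Declaration order matters: with "external" first, match-clients { any; } takes everything.
    print("reversed order, 192.168.10.10 ->", select_view(list(reversed(VIEWS)), "192.168.10.10"))
```

Two practical consequences follow from first-match semantics: a view with `match-clients { any; }` must be declared last, and an internal view is normally keyed on the whole internal prefix (for example `192.168.10.0/24`) rather than a single host, otherwise only queries originating from the server itself ever see the internal data.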

Create the two data files

[[email protected] ~]# cat /var/named/test.com/internal 
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
        2018111602
        1H
        10M
        3D
        1D )
        IN NS ns1
ns1 IN A 192.168.10.10
www IN A 1.1.1.1
web IN CNAME www
bbs IN A 1.1.1.2
bbs IN A 1.1.1.3

[[email protected] ~]# cat /var/named/test.com/external 
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
        2018111501
        1H
        10M
        3D
        1D )
        IN NS ns1
ns1 IN A 192.168.10.10
www IN A 192.168.10.10
web IN CNAME www
bbs IN A 192.168.10.20
bbs IN A 192.168.10.20

Check the files and set permissions

[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone test.com /var/named/test.com/internal 
zone test.com/IN: loaded serial 2018111602
OK
[[email protected] ~]# named-checkzone test.com /var/named/test.com/external 
zone test.com/IN: loaded serial 2018111501
OK
[[email protected] ~]# chgrp named /var/named/test.com/{internal,external}
[[email protected] ~]# chmod o= /var/named/test.com/{internal,external}
[[email protected] ~]# rndc reload
server reload successful

Resolution from the internal network

[[email protected] ~]# dig -t A www.test.com @192.168.10.10

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.          IN  A

;; ANSWER SECTION:
www.test.com.       3600    IN  A   192.168.10.10

;; AUTHORITY SECTION:
test.com.       3600    IN  NS  ns2.test.com.
test.com.       3600    IN  NS  ns1.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10
ns2.test.com.       3600    IN  A   192.168.10.20

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 14:58:57 CST 2018
;; MSG SIZE  rcvd: 125

Resolution from the external network

[[email protected] ~]# dig -t A www.test.com @192.168.10.10

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.          IN  A

;; ANSWER SECTION:
www.test.com.       3600    IN  A   1.1.1.1

;; AUTHORITY SECTION:
test.com.       3600    IN  NS  ns1.test.com.
test.com.       3600    IN  NS  ns2.test.com.

;; ADDITIONAL SECTION:
ns1.test.com.       3600    IN  A   192.168.10.10
ns2.test.com.       3600    IN  A   192.168.10.20

;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 15:19:01 CST 2018
;; MSG SIZE  rcvd: 125