加密算法與DNS服務搭建
1、 簡述常見加密算法及常見加密算法原理,最好使用圖例解說
常見加密算法:
對稱加密:加密和解密使用同一個密鑰;
DES:Data Encryption Standard;
3DES:Triple DES;
AES:Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
Blowfish
Twofish
DEA
RC6
CAST5
特性:
1、加密、解密使用同一個密鑰;
2、將原始數據分割成為固定大小的塊,逐個進行加密;
缺陷:
1、密鑰過多;
2、密鑰分發困難;
-
公鑰加密:密鑰分為公鑰與私鑰
公鑰:從私鑰中提取產生;可公開給所有人;pubkey
特點:用公鑰加密的數據,只能使用與之配對兒的私鑰解密;反之亦然;
用途:
數字簽名:主要在於讓接收方確認發送方的身份;
密鑰交換:發送方用對方公鑰加密一個對稱密鑰,並發送給對方;
數據加密
算法:RSA, DSA, ELGamal
DSS: Digital Signature Standard
DSA:Digital Signature Algorithm
-
單向加密:即提出數據指紋;只能加密,不能解密;
特性:定長輸出、雪崩效應;
功能:完整性;
算法:
md5:Message Digest 5, 128bits
sha1:Secure Hash Algorithm 1, 160bits -
密鑰交換: IKE(Internet Key Exchange)
公鑰加密
DH(Deffie-Hellman)
A:p, g
B:p, gA: x --> p^x%g ==> B A: (p^y%g)^x=p^yx%g B: y --> p^y%g ==> A B: (p^x%g)^y=p^xy%g
-
2、 搭建apache或者nginx並使用自簽證書實現https訪問,自簽名證書的域名自擬
此次我采用的是兩Centos 7系統,CA主機為192.168.10.10,WEB主機為192.168.10.20
CA主機上創建私有CA
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
......+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server‘s hostname) []:xiaochen.com
Email Address []:
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl newcerts private
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch {serial,index.txt}
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat serial
01
[root@localhost ~]# rz
[root@localhost ~]# ls
anaconda-ks.cfg httpd.csr
[root@localhost ~]# openssl ca -in ./httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 12 14:18:27 2018 GMT
Not After : Nov 12 14:18:27 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = guanxi
organizationName = ops
organizationalUnitName = dev
commonName = xiaochen.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EB:53:54:71:C5:02:D9:8D:61:A9:0B:0A:9B:38:CE:38:DB:E1:E1:DF
X509v3 Authority Key Identifier:
keyid:29:78:85:34:33:F9:88:E4:43:87:DC:4C:67:26:EB:05:48:29:E8:38
Certificate is to be certified until Nov 12 14:18:27 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# ls
anaconda-ks.cfg httpd.csr
[root@localhost ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guanxi/O=ops/OU=dev/CN=xiaochen.com
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
[email protected]‘s password:
httpd.crt 100% 4431 2.2MB/s 00:00
WEB主機上配置相關服務
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# yum -y install mod_ssl openssl
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out ./httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server‘s hostname) []:xiaochen.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost ~]# vi /var/www/html/index.html
[root@localhost ~]# systemctl restart httpd.service
Web頁面訪問
-
3、簡述DNS服務器原理,並搭建主-輔服務器
-
DNS服務器原理:
DNS也就是Domain Name Service的縮寫,它的作用就是通過域名查找IP地址。DNS查詢的類型對DNS於客戶端來說是遞歸查詢,對於DNS服務器端來說,絕大多數是叠代查詢,在它的解析中,從名稱到IP的查詢叫做正向解析,而從IP到名稱的查詢叫做反向解析。如果DNS服務器至少解析了一個或一個以上的域叫做DNS主服務器或者DNS輔助服務器,如果不負責任何解析叫做DNS緩存服務器。現全球一共分布了13臺DNS根服務器,名稱為A至M。 -
域名解析過程:
- 客戶訪問時,查找自己的hosts文件,有則返回,無則查找DNS服務器。
2.DNS服務器查找中先從頂級域到二級域,分別獲取他們的IP地址,然後最終獲得域名的IP地址,找到服務器。
- 客戶訪問時,查找自己的hosts文件,有則返回,無則查找DNS服務器。
- DNS區域數據庫文件:
資源記錄(resource record 簡稱rr)的類型有以下幾種:
SOA:起始授權記錄,只能有一個,必須放在第一條
NS:域名服務記錄,其中一個為主,可以有多個
A:IPV4地址記錄
AAAA:IPV6地址記錄
CNAME:別名記錄
PTR:反向解析記錄
MX:郵件交換器
搭建主-輔服務器
安裝軟件
[root@localhost ~]# yum -y install bind
[root@localhost ~]# yum -y install bind-utils
[root@localhost ~]# systemctl start named
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9952/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 960/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 9952/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1099/master
tcp6 0 0 ::1:53 :::* LISTEN 9952/named
tcp6 0 0 :::22 :::* LISTEN 960/sshd
tcp6 0 0 ::1:953 :::* LISTEN 9952/named
tcp6 0 0 ::1:25 :::* LISTEN 1099/master
udp 0 0 127.0.0.1:53 0.0.0.0:* 9952/named
udp6 0 0 ::1:53 :::* 9952/named
配置環境:
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.10
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator‘s Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 192.168.10.10; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
配置解析一個正向區域
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
};
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111301
1H
10M
3D
1D )
IN NS ns1
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.10.10
MX1 IN A 192.168.10.20
MX2 IN A 192.168.10.20
www IN A 192.168.10.10
web IN CNAME www
[root@localhost ~]# chgrp named /var/named/test.com.zone
[root@localhost ~]# chmod o= /var/named/test.com.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111301
OK
DNS主服務器正向解析測試
[root@localhost ~]# dig -t -A www.test.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:20:40 CST 2018
;; MSG SIZE rcvd: 91
[root@localhost ~]# dig -t -A web.test.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A web.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.test.com. IN A
;; ANSWER SECTION:
web.test.com. 3600 IN CNAME www.test.com.
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:21:07 CST 2018
;; MSG SIZE rcvd: 109
配置反向區域
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "10.168.192.in-addr.arpa" IN {
type master;
file "192.168.10.zone";
};
[root@localhost ~]# cat /var/named/192.168.10.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@ IN SOA ns1.test.com. nsadmin.test.com. (
2018111301
1H
10M
3D
12H )
IN NS ns1.test.com.
10 IN PTR ns1.test.com.
20 IN PTR mx1.test.com.
20 IN PTR mx2.test.com.
10 IN PTR www.test.com.
[root@localhost ~]# chgrp named /var/named/192.168.10.zone
[root@localhost ~]# chmod o= /var/named/192.168.10.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/192.168.10.zone
zone 10.168.192.in-addr.arpa/IN: loaded serial 2018111301
OK
主服務器反向測試
[root@localhost ~]# dig -x 192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.
;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:37:57 CST 2018
;; MSG SIZE rcvd: 129
設置輔DNS服務器
[root@localhost ~]# yum -y install bind bind-utils
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.20
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type slave;
file "slaves/test.com.zone";
masters { 192.168.10.10; };
};
在主服務器上添加內容
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111309
1H
10M
3D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.10.10
ns2 IN A 192.168.10.20
MX1 IN A 192.168.10.21
MX2 IN A 192.168.10.22
www IN A 192.168.10.10
web IN CNAME www
pop3 IN A 192.168.10.25
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111309
OK
[root@localhost ~]# rndc reload
server reload successful
測試輔助服務器
[root@localhost slaves]# dig -t A www.test.com @192.168.10.20
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t A www.test.com @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45851
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns2.test.com.
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Thu May 31 23:20:16 EDT 2018
;; MSG SIZE rcvd: 125
輔助服務器反向解析IP
[root@localhost ~]# dig -x 192.168.10.10 @192.168.10.20
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -x 192.168.10.10 @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.
;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600 IN NS ns2.test.com.
10.168.192.in-addr.arpa. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.20
;; WHEN: Fri Jun 01 02:25:17 EDT 2018
;; MSG SIZE rcvd: 163
至此,主輔DNS服務器搭建完成
-
4、搭建並實現智能DNS
以192.168.10.10為例搭建智能DNS
修改DNS的named.conf的配置文件
view internal {
match-clients { 192.168.10.10; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view external {
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
建立兩份數據文件
[root@localhost ~]# cat /var/named/test.com/internal
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111602
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.10.10
www IN A 1.1.1.1
web IN CNAME www
bbs IN A 1.1.1.2
bbs IN A 1.1.1.3
[root@localhost ~]# cat /var/named/test.com/external
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111501
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.10.10
www IN A 192.168.10.10
web IN CNAME www
bbs IN A 192.168.10.20
bbs IN A 192.168.10.20
設置權限
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com/internal
zone test.com/IN: loaded serial 2018111602
OK
[root@localhost ~]# named-checkzone test.com /var/named/test.com/external
zone test.com/IN: loaded serial 2018111501
OK
[root@localhost ~]# chgrp named /var/named/test.com/{internal,external}
[root@localhost ~]# chmod o= /var/named/test.com/{internal,external}
[root@localhost ~]# rndc reload
server reload successful
解析內網IP
[root@localhost ~]# dig -t A www.test.com @192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns2.test.com.
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 14:58:57 CST 2018
;; MSG SIZE rcvd: 125
解析外網IP
[root@localhost ~]# dig -t A www.test.com @192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 1.1.1.1
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
test.com. 3600 IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 15:19:01 CST 2018
;; MSG SIZE rcvd: 125
加密算法與DNS服務搭建