week11
1. Describe one encrypted communication in detail, ideally with a diagram.
2. Describe how to build a private CA and how to issue a certificate for a certificate request sent by a client.
3. Describe the DNS query process and the categories of DNS servers.
4. Set up a DNS server responsible for resolving the magedu.com domain (choose your own host names and IPs):
(1) forward and reverse resolution for a number of host names;
(2) delegate the subdomain cdn.magedu.com, with the subdomain server resolving the hosts in that subdomain;
(3) to keep the DNS service highly available, design a solution and write out the detailed implementation steps.
Question 1:

Encrypted communication from A to B:
1. A produces the data;
2. A computes a digest (fingerprint) of the data with a one-way hash algorithm;
3. A encrypts the digest with its own private key (a signature) and appends it to the data;
4. A generates a temporary symmetric key and encrypts the whole payload (data + signature) with a symmetric algorithm using that key;
5. A obtains B's public key, encrypts the temporary symmetric key with it, and sends everything to B;
6. B receives the data from A;
7. B decrypts the wrapped key with its own private key and obtains A's symmetric key (key exchange);
8. B decrypts the payload with that symmetric key and obtains the data plus the encrypted digest (data encryption);
9. B decrypts the digest with A's public key (recovering the digest and the hash algorithm used); only A's private key could have produced it, so this authenticates A;
10. B computes the digest of the received data with the same hash algorithm and compares the two, which verifies the integrity of the data.
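The A-to-B exchange above carried out in working code, as an added example that is not part of the original post; it uses the third-party `cryptography` package, with RSA-PSS standing in for "encrypt the digest with the private key", AES-256-GCM for the temporary symmetric key and RSA-OAEP for wrapping that key with B's public key. The key pairs and the message are constructed for the example; `a_send`, `b_receive` and `roundtrip_ok` are names chosen here.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SIG_LEN = 256                                   # bytes in an RSA-2048 signature
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def make_keypair():
    # constructed for the example; in practice A and B already hold their key pairs
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def a_send(a_priv, b_pub, data: bytes) -> dict:
    """Sender side, steps 2-5: digest+sign with A's private key, encrypt data||signature
    with a one-time AES-256-GCM key, and wrap that key with B's public key."""
    sig = a_priv.sign(data, PSS, hashes.SHA256())            # steps 2-3: SHA-256 digest, signed
    session_key = AESGCM.generate_key(bit_length=256)        # step 4: temporary symmetric key
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, data + sig, None)
    return {"key": b_pub.encrypt(session_key, OAEP),         # step 5: only B can unwrap it
            "nonce": nonce, "body": body}

def b_receive(b_priv, a_pub, env: dict) -> bytes:
    """Receiver side, steps 7-10; raises if the key, the ciphertext or the signature is bad."""
    session_key = b_priv.decrypt(env["key"], OAEP)           # step 7: key exchange
    plain = AESGCM(session_key).decrypt(env["nonce"], env["body"], None)  # step 8; GCM also detects tampering
    data, sig = plain[:-SIG_LEN], plain[-SIG_LEN:]
    a_pub.verify(sig, data, PSS, hashes.SHA256())            # steps 9-10: authenticity + integrity
    return data

def roundtrip_ok(sender_priv, b_priv, claimed_sender_pub, data: bytes) -> bool:
    """True only when B accepts the message as genuinely coming from `claimed_sender_pub`."""
    try:
        return b_receive(b_priv, claimed_sender_pub, a_send(sender_priv, b_priv.public_key(), data)) == data
    except Exception:            # InvalidSignature / InvalidTag / ValueError
        return False
```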
Question 2:
Building a private CA:
1) Generate the CA private key
[root@director3 ~]# yum -y install openssl
[root@director3 CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2) Generate the self-signed CA certificate (the key file name must match the one generated above and the one configured in openssl.cnf, cakey.pem)
[root@director3 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem \
-out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:director3
Email Address []:
3) Provide the directories and files the CA needs
[root@director3 CA]# mkdir /etc/pki/CA/{certs,crl,newcerts}
[root@director3 CA]# touch /etc/pki/CA/{serial,index.txt}
[root@director3 CA]# echo 01 > /etc/pki/CA/serial
Issuing a certificate to a client (Apache as the example):
1) Generate a private key
[root@apache client]# (umask 077;openssl genrsa -out /tmp/client/http.key 4096)
2) Generate a certificate signing request
[root@apache client]# openssl req -new -key /tmp/client/http.key -out /tmp/client/http.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:Test
Organizational Unit Name (eg, section) []:Test1
Common Name (eg, your name or your server's hostname) []:apache.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the client's certificate request to the CA over a trusted channel so that the CA can sign it;
[root@apache client]# scp /tmp/client/http.csr director3:~
4) Sign the request on the CA (the output is the signed certificate, so name it .crt rather than .csr; note that the default policy_match section of openssl.cnf requires countryName, stateOrProvinceName and organizationName in the request to match the CA certificate, which is why the run below aborts: the CA's O is DevOps while the request's O is Test; either fill in matching values in the request or sign with a looser policy such as -policy policy_anything)
[root@director3 CA]# openssl ca -in /root/http.csr -out /etc/pki/CA/certs/http.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (DevOPS) and the request (Test)
5) Copy the signed certificate back to the client
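An added pre-check for step 4 (not from the original post): the stock policy_match section of openssl.cnf makes `openssl ca` refuse a request whose C, ST or O differ from the CA certificate, which is exactly what happened above (DevOps vs Test). The script uses the `cryptography` package to build a CA certificate and a CSR with the same subjects as above and lists the fields that would be rejected; `make_ca`, `make_csr`, `subject` and `policy_mismatches` are names chosen here.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# the fields the default [ policy_match ] section of openssl.cnf requires to be identical
POLICY_MATCH = {NameOID.COUNTRY_NAME: "countryName",
                NameOID.STATE_OR_PROVINCE_NAME: "stateOrProvinceName",
                NameOID.ORGANIZATION_NAME: "organizationName"}

def subject(**fields):
    """Build an X.509 Name from NameOID attribute names, e.g. subject(COUNTRY_NAME="CN")."""
    return x509.Name([x509.NameAttribute(getattr(NameOID, k), v) for k, v in fields.items()])

def make_ca(name):
    """Constructed self-signed CA certificate (the `openssl req -new -x509` step above)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_csr(name):
    """Constructed client CSR (the `openssl req -new -key` step above)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())

def policy_mismatches(ca_cert, csr):
    """(field, ca_values, csr_values) for every field that policy_match would reject."""
    bad = []
    for oid, label in POLICY_MATCH.items():
        ca_v = [a.value for a in ca_cert.subject.get_attributes_for_oid(oid)]
        csr_v = [a.value for a in csr.subject.get_attributes_for_oid(oid)]
        if ca_v != csr_v:
            bad.append((label, ca_v, csr_v))
    return bad
```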
Question 3:
DNS query process:
A lookup has two stages: a recursive query followed by iterative queries.
Recursive query: the client sends its query to the local DNS server, and the final result is returned by that local server; the client issues only one query.
Iterative query: the local DNS server first queries a root DNS server; if that server cannot answer, it queries the corresponding top-level-domain server, and so on down the hierarchy until it has a result (either a successful resolution or a failure to resolve).
DNS server categories:
master (primary) DNS server;
slave (secondary) DNS server;
caching DNS server;
forwarding DNS server;
Question 4:
(1)
Install bind:
[root@ns1 ~]# yum -y install bind bind-utils
Edit the /etc/named.conf configuration file and change or add the following items:
listen-on port 53 { any; };
allow-query { 10.0.0.0/24; };
dnssec-enable no;
dnssec-validation no;
include "/etc/named.magedu.com" ;
Create and edit the configuration file for the magedu.com zone:
[root@ns1 ~]# (umask 027;touch /etc/named.magedu.com)
[root@ns1 ~]# chgrp named /etc/named.magedu.com
[root@ns1 ~]# cat /etc/named.magedu.com
zone "magedu.com" IN {
type master;
file "db.magedu.com";
};
zone "0.0.10.in-addr.arpa" IN {
type master;
file "db.reverse";
};
Create the forward and reverse zone files:
[root@ns1 ~]# touch /var/named/{db.magedu.com,db.reverse}
[root@ns1 ~]# chgrp -R named /var/named/
Forward zone file:
[root@ns1 ~]# cat /var/named/db.magedu.com
$ORIGIN magedu.com.
$TTL 1D
@       IN      SOA     ns1.magedu.com. admin.magedu.com. (
                        2016110401
                        6H
                        1H
                        1W
                        1D )
        NS      ns1
        MX      10 mail
ns1     A       10.0.0.5
www     A       10.0.0.3
ftp     A       10.0.0.2
mail    A       10.0.0.6
php     CNAME   www
cdn     NS      ns.cdn
ns.cdn  A       10.0.0.4
Reverse zone file:
[root@ns1 ~]# cat /var/named/db.reverse
$TTL 1D
@       IN      SOA     ns1.magedu.com. admin.magedu.com. (
                        2016110410      ; serial
                        1D              ; refresh
                        1H              ; retry
                        1W              ; expire
                        3H )            ; minimum
        NS      ns1.magedu.com.
        MX      10 mail.magedu.com.
5       PTR     ns1.magedu.com.
4       PTR     ns.cdn.magedu.com.
2       PTR     ftp.magedu.com.
3       PTR     www.magedu.com.
3       PTR     php.magedu.com.
6       PTR     mail.magedu.com.
Check the configuration:
[root@ns1 ~]# named-checkconf
[root@ns1 ~]# named-checkzone magedu.com /var/named/db.magedu.com
[root@ns1 ~]# named-checkzone 0.0.10.in-addr.arpa /var/named/db.reverse
Start the service:
[root@ns1 ~]# systemctl start named.service
Test:
Forward resolution:
[root@ns1 ~]# nslookup -q=NS magedu.com 10.0.0.5
Server:         10.0.0.5
Address:        10.0.0.5#53

magedu.com      nameserver = ns1.magedu.com.
[root@ns1 ~]# nslookup -q=A www.magedu.com 10.0.0.5
Server:         10.0.0.5
Address:        10.0.0.5#53

Name:   www.magedu.com
Address: 10.0.0.3
Reverse resolution:
[root@ns1 ~]# nslookup -q=PTR 10.0.0.3 10.0.0.5
Server:         10.0.0.5
Address:        10.0.0.5#53

3.0.0.10.in-addr.arpa   name = www.magedu.com.
3.0.0.10.in-addr.arpa   name = php.magedu.com.
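An added stdlib-only check, not from the original post, that the reverse zone agrees with the forward zone: every A record should have a PTR and every PTR target should have an A record. It runs on a constructed, cut-down copy of the two zone files above and reports, as it would for the page's data, that 10.0.0.3 carries two PTR records and that php (a CNAME, not an A record) is named by a PTR; `parse_zone` is a minimal reader (';' comments, '( )' continuation, $ORIGIN/$TTL, owner inheritance) and a /24 in-addr.arpa zone is assumed.

```python
import re
FWD_ORIGIN, REV_ORIGIN = "magedu.com.", "0.0.10.in-addr.arpa."
FORWARD = """$ORIGIN magedu.com.
@   IN SOA ns1.magedu.com. admin.magedu.com. ( 2016110401 6H 1H 1W 1D )
    NS  ns1
ns1 A   10.0.0.5
www A   10.0.0.3
php CNAME www
"""                                  # constructed, cut down from db.magedu.com above
REVERSE = """@ IN SOA ns1.magedu.com. admin.magedu.com. ( 2016110410 1D 1H 1W 3H )
5 PTR ns1.magedu.com.
3 PTR www.magedu.com.
3 PTR php.magedu.com.
"""                                  # constructed, cut down from db.reverse above

def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    text = re.sub(r";[^\n]*", "", text)                                      # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join ( ) lines
    owner = "@"
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not line[0].isspace():                 # a name in column one sets the owner
            owner = toks.pop(0)
        while toks and (toks[0] == "IN" or toks[0].isdigit()):   # skip optional class / TTL
            toks.pop(0)
        yield fqdn(owner, origin), toks[0], toks[1:]   # (owner_fqdn, rrtype, rdata tokens)

def check_reverse(forward, reverse):
    a, ptr = {}, {}
    for owner, typ, rd in parse_zone(forward, FWD_ORIGIN):
        if typ == "A":
            a.setdefault(rd[0], set()).add(owner)
    net = ".".join(reversed(REV_ORIGIN.split(".")[:-3]))      # "0.0.10.in-addr.arpa." -> "10.0.0"
    for owner, typ, rd in parse_zone(reverse, REV_ORIGIN):
        if typ == "PTR":                                        # "5.0.0.10.in-addr.arpa." -> host "5"
            ptr.setdefault(f"{net}.{owner[:-len(REV_ORIGIN) - 1]}", []).append(fqdn(rd[0], REV_ORIGIN))
    problems = [f"no PTR for {ip} ({', '.join(sorted(n))})" for ip, n in a.items() if ip not in ptr]
    for ip, names in ptr.items():
        if len(names) > 1:
            problems.append(f"{ip} has {len(names)} PTR records: {' '.join(names)}")
        problems += [f"PTR {ip} -> {n} has no matching A record" for n in names if n not in a.get(ip, ())]
    return sorted(problems)
```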
(2)
Edit the db.magedu.com file from (1) and add the following delegation records (they are already included in the listing above):
cdn NS ns.cdn
ns.cdn A 10.0.0.4
Restart the service:
[root@ns1 ~]# systemctl restart named.service
Install bind and bind-utils on the ns.cdn.magedu.com host;
edit the /etc/named.conf configuration file (as in (1), including the zone configuration file below);
add the configuration file and the zone file for the cdn.magedu.com zone, as follows:
Configuration file:
[root@ns ~]# cat /etc/named.cdn.magedu.com
zone "cdn.magedu.com" IN {
type master;
file "db.cdn.magedu.com";
};
Zone file:
[root@ns ~]# cat /var/named/db.cdn.magedu.com
$ORIGIN cdn.magedu.com.
$TTL 1D
@       IN      SOA     ns.cdn.magedu.com. admin.cdn.magedu.com. (
                        2016110433
                        6H
                        1H
                        1W
                        1D )
        NS      ns
        MX      10 mail
ns      A       10.0.0.4
www     A       10.0.0.8
Check the configuration (named-checkconf, named-checkzone as in (1)) and start the service:
[root@ns ~]# systemctl start named.service
Test:
On the ns.cdn.magedu.com host:
[root@ns ~]# dig -t A www.cdn.magedu.com @10.0.0.4
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.cdn.magedu.com @10.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21374
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com.            IN      A

;; ANSWER SECTION:
www.cdn.magedu.com.     86400   IN      A       10.0.0.8

;; AUTHORITY SECTION:
cdn.magedu.com.         86400   IN      NS      ns.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns.cdn.magedu.com.      86400   IN      A       10.0.0.4
;; Query time: 1 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Fri Oct 21 09:35:34 CST 2016
;; MSG SIZE rcvd: 96
On the ns1.magedu.com host (the parent zone follows the delegation to 10.0.0.4):
[root@ns1 ~]# dig -t NS cdn.magedu.com @10.0.0.5
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t NS cdn.magedu.com @10.0.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cdn.magedu.com.                IN      NS

;; ANSWER SECTION:
cdn.magedu.com.         86400   IN      NS      ns.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns.cdn.magedu.com.      86400   IN      A       10.0.0.4
;; Query time: 2 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Fri Nov 04 16:03:09 CST 2016
;; MSG SIZE rcvd: 76
[root@ns1 ~]# dig -t A www.cdn.magedu.com @10.0.0.5
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.cdn.magedu.com @10.0.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35925
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com.            IN      A

;; ANSWER SECTION:
www.cdn.magedu.com.     86400   IN      A       10.0.0.8

;; AUTHORITY SECTION:
cdn.magedu.com.         86376   IN      NS      ns.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns.cdn.magedu.com.      86376   IN      A       10.0.0.4
;; Query time: 2 msec
;; SERVER: 10.0.0.5#53(10.0.0.5)
;; WHEN: Fri Nov 04 16:03:33 CST 2016
;; MSG SIZE rcvd: 96
(3)
To keep the DNS service highly available, use a master/slave architecture (one master, several slaves), or put the DNS service behind an HA cluster;
This example uses one master and one slave:
ns1.magedu.com   master DNS server
ns2.magedu.com   slave DNS server
Note: the host used for the subdomain in (2) is re-initialised and reused as ns2 here.
First the clocks must be kept in sync:
install chrony on both hosts and start the chronyd service;
Edit the forward zone on ns1 and add the following records (and increment the SOA serial, otherwise the slave will not notice the change):
NS ns2
ns2 A 10.0.0.4
Install bind and bind-utils on ns2;
The /etc/named.conf configuration is basically the same as on ns1; on the master, also restrict zone transfers to the slave's address with allow-transfer, so that arbitrary hosts cannot pull the whole zone:
Add the zone configuration file:
[root@ns2 ~]# cat /etc/named.slave.magedu.com
zone "magedu.com" IN {
type slave;
file "slaves/magedu.com.zone";
masters { 10.0.0.5; };
};
Check the configuration file and start the service:
[root@ns2 ~]# systemctl start named.service
Check whether the zone file has been created in the slaves directory:
[root@ns2 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 540 Nov 4 16:22 magedu.com.zone
This shows that master/slave replication succeeded; resolution can also be tested on the slave host:
[root@ns2 ~]# dig -t A www.magedu.com @10.0.0.4
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.magedu.com @10.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30244
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         86400   IN      A       10.0.0.3

;; AUTHORITY SECTION:
magedu.com.             86400   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         86400   IN      A       10.0.0.5
;; Query time: 0 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Fri Nov 04 16:24:41 CST 2016
;; MSG SIZE rcvd: 93
Original article by devon; if you repost it, please credit the source: http://www.178linux.com/57447


Comments (1)
The concrete steps are quite good; when doing DNS master/slave it would be better to add some notes, for example that it is better to update the serial each time you make a change.