1. Describe in detail the process of one encrypted communication, ideally with a diagram.

Sender:
1. Run a one-way hash algorithm over the data to produce its digest (fingerprint).
2. Encrypt the digest with the sender's own private key (this is a digital signature) and append it to the data.
3. Generate a temporary (session) key for symmetric encryption.
4. Encrypt the data together with the private-key-encrypted digest using this session key.
5. Encrypt the session key with the receiver's public key and append it to the symmetrically encrypted data.
Receiver:
1. Decrypt the session key with the receiver's own private key, thereby obtaining the sender's symmetric key.
2. Decrypt the symmetrically encrypted data and the digest ciphertext with the session key, thereby obtaining the data and the digest ciphertext.
3. Decrypt the digest ciphertext with the sender's public key, thereby obtaining the digest the sender computed.
4. Compute the digest over the received data with the same one-way hash algorithm the sender used and compare it with the decrypted one; a mismatch means the data was altered in transit or the signature was not made with the sender's private key.
Two points the steps leave implicit: the receiver must hold an authentic copy of the sender's public key (in practice a certificate issued by a CA, see question 2), otherwise anyone can produce a "signature" that passes step 3; and "encrypting the digest with the private key" is done with a proper signature scheme (RSA PKCS#1 v1.5 or PSS), never with raw RSA.
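The sender and receiver steps above, carried out with the openssl command line. This is an added example, not code from the original page; the key names (alice, bob), file names and the sample message are assumptions, and the only requirement is an openssl binary (1.0.2 or later) in PATH. The signature is PKCS#1 v1.5 over SHA-256 (what `openssl dgst -sign` produces), the session key wraps with RSA-OAEP, and a second function shows that tampering with the ciphertext is caught at step 4.

```sh
#!/bin/sh
# Added example, not from the original page: the five sender steps and four
# receiver steps, carried out with the openssl CLI. Key names (alice, bob),
# file names and the message are assumptions. Needs openssl >= 1.0.2.

# Setup outside the protocol: each side owns an RSA key pair and holds an
# authentic copy of the peer's public key (in practice, from a CA certificate).
make_keypair() {              # $1 = base name; writes $1.key (private) and $1.pub
    (umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null)
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# Sender: $1 = plaintext file, $2 = own private key, $3 = receiver's public key.
# Leaves payload.enc (data||signature under AES-256-CBC) and session.enc
# (session key and IV wrapped with RSA-OAEP) in the current directory.
sender_encrypt() {
    # Steps 1-2: SHA-256 digest, signed with the sender's private key
    # (the page's "encrypt the digest with my private key"), appended to the data.
    openssl dgst -sha256 -sign "$2" -out data.sig "$1"
    cat "$1" data.sig > payload
    # Step 3: fresh session key (32 bytes) and IV (16 bytes), hex without newline.
    openssl rand -hex 32 | tr -d '\n' > session.key
    openssl rand -hex 16 | tr -d '\n' > session.iv
    # Step 4: symmetric encryption of data||signature with the session key.
    openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$(cat session.iv)" \
        -in payload -out payload.enc
    # Step 5: wrap key||IV with the receiver's public key (RSA-OAEP, not raw RSA).
    cat session.key session.iv > session.bin
    openssl pkeyutl -encrypt -pubin -inkey "$3" -pkeyopt rsa_padding_mode:oaep \
        -in session.bin -out session.enc
    rm -f data.sig payload session.key session.iv session.bin
}

# Receiver: $1 = own private key, $2 = sender's public key.
# Writes recovered.txt; returns 0 only if the signature verifies.
receiver_decrypt() {
    # Step 1: unwrap the session key with the receiver's private key.
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in session.enc -out session.bin || return 1
    key=$(head -c 64 session.bin); iv=$(tail -c 32 session.bin)
    # Step 2: symmetric decryption gives back data||signature.
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in payload.enc -out payload \
        2>/dev/null || return 1
    # A 2048-bit RSA signature is exactly 256 bytes, so split at the end.
    total=$(wc -c < payload)
    head -c "$((total - 256))" payload > recovered.txt
    tail -c 256 payload > data.sig
    # Steps 3-4: verify = recompute the digest and compare with the signed one.
    openssl dgst -sha256 -verify "$2" -signature data.sig recovered.txt >/dev/null 2>&1
}

# Honest round trip on a constructed message; returns 0 only if the signature
# verifies and the recovered text equals the original.
demo_roundtrip() {
    work=$(mktemp -d) && cd "$work" || return 1
    make_keypair alice; make_keypair bob
    printf 'transfer 100 to account 42\n' > message.txt   # constructed sample
    sender_encrypt message.txt alice.key bob.pub
    receiver_decrypt bob.key alice.pub || return 1
    [ "$(cat message.txt)" = "$(cat recovered.txt)" ]
}

# Same exchange with the ciphertext altered in transit; returns 0 only if the
# receiver rejects it (step 4 catches it because the digest no longer matches).
demo_tamper_detected() {
    work=$(mktemp -d) && cd "$work" || return 1
    make_keypair alice; make_keypair bob
    printf 'transfer 100 to account 42\n' > message.txt
    sender_encrypt message.txt alice.key bob.pub
    # overwrite the first 16-byte block of the ciphertext (garbles plaintext block 1)
    dd if=/dev/zero of=payload.enc bs=16 count=1 conv=notrunc 2>/dev/null
    if receiver_decrypt bob.key alice.pub; then return 1; else return 0; fi
}
```

Run `demo_roundtrip` and `demo_tamper_detected`; both return 0. Note that the scheme as described authenticates the plaintext only through the signature: CBC itself detects nothing, which is why the tampered message is rejected only at the final digest comparison, and why real protocols (TLS, OpenPGP) add authenticated encryption on top of this layout.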
2. Describe the process of creating a private CA and issuing certificates for certificate requests sent by clients.
Creating the private CA
1. Generate the private key:
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
The umask in the subshell makes the key file mode 0600; the path matches private_key = $dir/private/cakey.pem in the [ CA_default ] section of /etc/pki/tls/openssl.cnf, which openssl ca reads in the signing step below.
2. Generate the self-signed certificate:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new generate a new certificate signing request
-x509 output a self-signed certificate instead of a request; used only when creating a private CA
-key path of the private key file used to generate the request
-out path of the generated request file; for the self-signed operation the signed certificate is written directly
-days validity period of the certificate, in days
3. Provide the directories and files the CA needs:
mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
touch /etc/pki/CA/{serial,index.txt}
echo 01 > /etc/pki/CA/serial
Issuing a certificate for a client's request
Using httpd as the example
1. On the host that will use the certificate, generate the private key
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077; openssl genrsa -out /etc/httpd/ssl/http.key 2048)
2. Generate the certificate signing request
openssl req -new -key /etc/httpd/ssl/http.key -out /etc/httpd/ssl/http.csr
Do not pass -x509 here: that would produce a self-signed certificate rather than a request, and the CA cannot sign it. The validity period (-days) belongs to the signing step, not the request.
3. Send the request to the CA host over a reliable channel. Only the .csr leaves the host; the private key stays in /etc/httpd/ssl.
4. Sign the certificate on the CA host:
openssl ca -in /path/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
View the information in the certificate:
openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
Before deploying, confirm the chain and the name: openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/httpd.crt must print OK, and the certificate needs a subjectAltName matching the host name clients will use (current browsers ignore the CN), which requires an extension section when signing.
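The same CA procedure run end to end, as an added example that is not from the original page. It builds the /etc/pki/CA layout (private/cakey.pem, cacert.pem, serial, index.txt, certs/, newcerts/) in a temporary directory, uses a minimal openssl.cnf written by the script instead of /etc/pki/tls/openssl.cnf, signs a CSR with openssl ca, and then performs the two checks from the text: chain verification and the subjectAltName. The CA name, host name and config are assumptions; it needs openssl 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not from the original page: the CA procedure above, run
# end to end in a temporary directory with the same layout as /etc/pki/CA.
# The CA name, host name and config are assumptions. Needs openssl >= 1.1.1.

# Minimal openssl.cnf: [ local_ca ] is what `openssl ca` reads (the role of
# [ CA_default ] in /etc/pki/tls/openssl.cnf); [ req ] gives the root its
# CA:TRUE extensions; [ server_ext ] is the profile applied to signed certs.
write_ca_config() {           # $1 = absolute CA dir, $2 = host name for the SAN
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir           = $1
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:$2
EOF
}

# Steps 1-3 of the page: CA key (mode 0600 via umask), self-signed root, and
# the directories, empty index and initial serial `openssl ca` needs.
build_ca() {                  # $1 = CA dir, $2 = host name for the SAN
    mkdir -p "$1/private" "$1/certs" "$1/crl" "$1/newcerts"
    write_ca_config "$1" "$2"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 4096 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/CN=magedu lab root CA" -days 3655 -out "$1/cacert.pem"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
}

# Client side: private key plus CSR. No -x509 here; that would make a
# self-signed certificate instead of a request.
make_csr() {                  # $1 = dir, $2 = host name, $3 = openssl.cnf
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$3" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
}

# Step 4: the CA signs. -batch skips the prompts, -extensions applies the
# server profile, and openssl itself updates index.txt and serial.
sign_csr() {                  # $1 = CA dir, $2 = CSR, $3 = output certificate
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions server_ext \
        -days 365 -in "$2" -out "$3" 2>/dev/null
}

# Whole flow; prints the issued serial and returns 0 only if the certificate
# chains to the CA, carries the SAN, and the CA bookkeeping advanced.
demo_private_ca() {           # $1 = host name, e.g. www.magedu.com
    cadir=$(mktemp -d) || return 1
    build_ca "$cadir" "$1"
    make_csr "$cadir" "$1" "$cadir/openssl.cnf"
    sign_csr "$cadir" "$cadir/$1.csr" "$cadir/certs/$1.crt" || return 1
    grep -q '^V' "$cadir/index.txt" || return 1           # one valid entry
    [ "$(cat "$cadir/serial")" = "02" ] || return 1        # next serial to issue
    openssl verify -CAfile "$cadir/cacert.pem" "$cadir/certs/$1.crt" >/dev/null || return 1
    openssl x509 -in "$cadir/certs/$1.crt" -noout -text | grep -q "DNS:$1" || return 1
    openssl x509 -in "$cadir/certs/$1.crt" -noout -serial
}
```

`demo_private_ca www.magedu.com` prints serial=01 (the first certificate takes the serial from the file, and the file is advanced to 02). The policy section deliberately makes only commonName mandatory; the stock policy_match in /etc/pki/tls/openssl.cnf instead requires the request's country, state and organization to equal the CA's, which is the usual cause of "field is different between CA certificate and the request" when signing with the system config.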
3. Describe the DNS query process and the categories of DNS servers.
DNS query process:
Client -> hosts file -> DNS service -> local cache -> DNS server (recursion) -> server cache -> iteration
Take www.magedu.com as the example (yes, that is a plug for the school, as you can tell):
1. The client issues the request.
2. The host first checks its local hosts file for a mapping of www.magedu.com to an IP address; if one exists it is returned directly, otherwise it goes on to the next step.
3. The host sends the query to its configured name server NS1. On receiving it, NS1 checks its cache for a matching record; if one exists it answers directly, otherwise it goes on to the next step.
4. NS1 queries a root name server. The root only knows who is authoritative for .com, so it tells NS1 to ask the .com servers and supplies their addresses.
5. The .com server replies with the name servers for magedu.com (it does not hold www.magedu.com itself) and refers NS1 to them.
6. NS1 queries the magedu.com server, obtains the IP address of www.magedu.com, and caches it.
7. NS1 returns the IP address of www.magedu.com to the client; resolution is complete.
The client-to-NS1 query is recursive (NS1 must return a final answer); the NS1-to-root/.com/magedu.com queries are iterative (each server returns either the answer or a referral). The answers NS1 caches in steps 4 to 6 are unauthenticated unless it validates DNSSEC, which is what makes resolver cache poisoning possible.
DNS server categories
Responsible for resolving at least one zone:
master name server;
slave (secondary) name server;
Not responsible for resolving any zone:
caching name server
4. Set up a DNS server responsible for resolving the magedu.com domain (choose the host names and IPs yourself).
(1) It must do forward and reverse resolution for a number of host names;
(2) delegate the subdomain cdn.magedu.com, with the subdomain server resolving the host names in that subdomain;
(3) to keep the DNS service highly available, design a scheme and write out the detailed implementation.
Install the DNS package:
[root@node1 ~]# yum -y install bind*
Edit the configuration file
[root@localhost ~]# vim /etc/named.conf
listen-on port 53 { any; };
dnssec-enable no;
dnssec-validation no;
The CentOS default named.conf also has allow-query { localhost; }; change it to allow-query { any; }; (or the client networks) or remote clients get REFUSED. Disabling DNSSEC is acceptable for an isolated lab, but leave validation on for any resolver that serves real clients. Note also that with this configuration the server answers recursive queries for anyone (the ra flag in the dig output below); on a server reachable from untrusted networks add recursion no; for a pure authoritative server, or allow-recursion { 192.168.31.0/24; }; so it is not an open resolver.
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "31.168.192.in-addr.arpa" IN {
type master;
file "192.168.31.zone";
};
Configure the forward and reverse zone files
[root@localhost ~]# vim /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. (
2017053003
1H
10M
3D
1D )
@ IN NS ns1
ns1 IN A 192.168.31.100
www IN A 192.168.31.110
bbs IN A 192.168.31.110
[root@localhost ~]# vim /var/named/192.168.31.zone
$TTL 3600
$ORIGIN 31.168.192.in-addr.arpa.
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. (
2017053101
1H
10M
3D
12H )
@ IN NS ns1.magedu.com.
100 IN PTR ns1.magedu.com.
110 IN PTR www.magedu.com.
110 IN PTR bbs.magedu.com.
The NS record at the apex is written with the owner @ here; a leading tab in the file means the same thing (same owner as the previous record). In the reverse zone the SOA MNAME and RNAME must end with a dot (they were missing in the original): without it $ORIGIN is appended and the name becomes ns1.magedu.com.31.168.192.in-addr.arpa. Two PTR records for 110 are legal, but a reverse lookup that expects one name (gethostbyaddr) will return whichever comes first.
Set file permissions
[root@localhost ~]# chgrp named /var/named/magedu.com.zone
[root@localhost ~]# chmod o= /var/named/magedu.com.zone
[root@localhost ~]# chgrp named /var/named/192.168.31.zone
[root@localhost ~]# chmod o= /var/named/192.168.31.zone
Check the syntax and test the zone files
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone "magedu.com" /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2017053003
OK
[root@localhost ~]# named-checkzone "31.168.192.in-addr.arpa" /var/named/192.168.31.zone
zone 31.168.192.in-addr.arpa/IN: loaded serial 2017053101
OK
[root@localhost ~]# rndc status
version: 9.9.4-RedHat-9.9.4-38.el7_3.3 <id:8f9657aa>
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Test forward resolution
[root@localhost ~]# dig -t A www.magedu.com @192.168.31.100

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -t A www.magedu.com @192.168.31.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 3600 IN A 192.168.31.110

;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.31.100

;; Query time: 0 msec
;; SERVER: 192.168.31.100#53(192.168.31.100)
;; WHEN: Mon Jun 05 01:20:21 EDT 2017
;; MSG SIZE rcvd: 93
Test reverse resolution
[root@localhost ~]# dig -x 192.168.31.110 @192.168.31.100

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -x 192.168.31.110 @192.168.31.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38254
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;110.31.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
110.31.168.192.in-addr.arpa. 3600 IN PTR bbs.magedu.com.
110.31.168.192.in-addr.arpa. 3600 IN PTR www.magedu.com.

;; AUTHORITY SECTION:
31.168.192.in-addr.arpa. 3600 IN NS ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.31.100

;; Query time: 0 msec
;; SERVER: 192.168.31.100#53(192.168.31.100)
;; WHEN: Mon Jun 05 01:35:02 EDT 2017
;; MSG SIZE rcvd: 136
Configure the slave DNS server
Slave DNS server configuration (the slave's named.conf is the same as the master's, as are the package installation and service start):
[root@localhost slaves]# vim /etc/named.rfc1912.zones
Add
zone "magedu.com" IN {
type slave;
file "slaves/magedu.com.zone";
masters { 192.168.31.100; };
};
Modify the master DNS server configuration:
[root@localhost ~]# vim /etc/named.rfc1912.zones
Add:
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
allow-transfer { 192.168.31.101; };
};
allow-transfer is the security-relevant line: without it, the BIND version used here allows AXFR from any address, and a zone transfer hands an attacker the complete list of hosts in the zone. Only the slave's address belongs in it.
[root@localhost ~]# vim /var/named/magedu.com.zone
Add:
@ IN NS ns2
ns2 IN A 192.168.31.101
Increment the SOA serial at the same time (for example 2017053003 to 2017053004). A slave compares serials and transfers the zone only when the master's serial is higher than the copy it holds, so an edit without a serial bump never reaches the slave.
Restart named.service on both the master and the slave DNS server (on a running master, rndc reload is enough).
Test from the slave DNS server
[root@localhost slaves]# dig -t A www.magedu.com @192.168.31.101

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -t A www.magedu.com @192.168.31.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6402
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 3600 IN A 192.168.31.110

;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.31.100
ns2.magedu.com. 3600 IN A 192.168.31.101

;; Query time: 0 msec
;; SERVER: 192.168.31.101#53(192.168.31.101)
;; WHEN: Mon Jun 05 07:44:48 EDT 2017
;; MSG SIZE rcvd: 127
The aa flag shows the slave answers authoritatively from its transferred copy. The transferred file is as follows:
[root@localhost slaves]# ls
magedu.com.zone
Subdomain delegation
Install the packages on the subdomain server
[root@localhost ~]# yum install -y bind*
Start the service and check its status
[root@localhost ~]# systemctl start named
[root@localhost ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2017-06-05 10:00:24 EDT; 10s ago
Process: 2365 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2362 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 2368 (named)
CGroup: /system.slice/named.service
└─2368 /usr/sbin/named -u named
Jun 05 10:00:24 localhost.localdomain named[2368]: managed-keys-zone: journal file is out of date: removing journal file
Jun 05 10:00:24 localhost.localdomain named[2368]: managed-keys-zone: loaded serial 2
Jun 05 10:00:24 localhost.localdomain named[2368]: zone 0.in-addr.arpa/IN: loaded serial 0
Jun 05 10:00:24 localhost.localdomain named[2368]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jun 05 10:00:24 localhost.localdomain named[2368]: zone localhost/IN: loaded serial 0
Jun 05 10:00:24 localhost.localdomain named[2368]: zone localhost.localdomain/IN: loaded serial 0
Jun 05 10:00:24 localhost.localdomain named[2368]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 05 10:00:24 localhost.localdomain named[2368]: all zones loaded
Jun 05 10:00:24 localhost.localdomain named[2368]: running
Jun 05 10:00:24 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Configure the subdomain server (192.168.31.103)
[root@localhost ~]# vim /etc/named.conf
listen-on port 53 { any; };
dnssec-enable no;
dnssec-validation no;
(The same allow-query and recursion considerations as on the master apply here.)
[root@localhost ~]# vim /etc/named.rfc1912.zones
Add
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
[root@localhost ~]# vim /var/named/cdn.magedu.com.zone
$TTL 3600
$ORIGIN cdn.magedu.com.
@ IN SOA ns1.cdn.magedu.com. nsadmin.cdn.magedu.com. (
2017060501
1H
10M
1D
2H )
@ IN NS ns1
ns1 IN A 192.168.31.103
www IN A 192.168.31.103
Set permissions
[root@localhost ~]# chgrp named /var/named/cdn.magedu.com.zone
[root@localhost ~]# chmod o= /var/named/cdn.magedu.com.zone
Configure the parent (master) server and reload the service
[root@localhost ~]# vim /var/named/magedu.com.zone
Add
cdn IN NS ns1.cdn
ns1.cdn IN A 192.168.31.103
[root@localhost ~]# rndc reload
The NS record delegates cdn.magedu.com; the A record for ns1.cdn is glue, required because the subdomain's name server lives inside the subdomain it serves and could otherwise never be found. As with the ns2 change, increment the SOA serial of magedu.com.zone so the slave picks up the delegation.
Check the subdomain configuration syntax and verify
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone cdn.magedu.com /var/named/cdn.magedu.com.zone
zone cdn.magedu.com/IN: loaded serial 2017060501
OK
[root@localhost ~]# dig -t A www.cdn.magedu.com @192.168.31.103

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> -t A www.cdn.magedu.com @192.168.31.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cdn.magedu.com. IN A

;; ANSWER SECTION:
www.cdn.magedu.com. 3600 IN A 192.168.31.103

;; AUTHORITY SECTION:
cdn.magedu.com. 3600 IN NS ns1.cdn.magedu.com.

;; ADDITIONAL SECTION:
ns1.cdn.magedu.com. 3600 IN A 192.168.31.103

;; Query time: 0 msec
;; SERVER: 192.168.31.103#53(192.168.31.103)
;; WHEN: Mon Jun 05 10:09:07 EDT 2017
;; MSG SIZE rcvd: 97
This only proves that the subdomain server answers for its own zone. To prove the delegation itself, also query the parent: dig -t A www.cdn.magedu.com @192.168.31.100 must return the same address (the parent follows the NS and glue records just added), and with +norecurse the parent should return a referral to ns1.cdn.magedu.com instead of an answer.
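Two helpers for the zone edits made in the slave step and the delegation step above, as an added example that is not part of the original page. bump_serial rewrites the SOA serial in the YYYYMMDDnn form the page uses, since a slave transfers the zone only when the master's serial is higher than its own; soa_lint flags two mistakes that named-checkzone accepts but that break resolution: an SOA MNAME or RNAME without the trailing dot (as in the original reverse zone) and an in-zone NS target with no A record (no glue). It assumes the one-record-per-line layout shown above with the serial alone on its line, and needs only POSIX sh, awk and date.

```sh
#!/bin/sh
# Added example, not from the original page: SOA serial bumping and a small
# zone lint for the master/slave and delegation edits above. Assumes the
# one-record-per-line zone layout shown on the page, with the serial alone on
# its own line. Needs POSIX sh, awk and date.

get_serial() {                # $1 = zone file; prints the current SOA serial
    awk '/SOA/ {insoa=1; next}
         insoa && /^[[:space:]]*[0-9]+[[:space:]]*$/ {print $1; exit}' "$1"
}

# Next serial in YYYYMMDDnn form: today's date with counter 01, unless the
# current serial already carries today's date (or is ahead of it), in which
# case the counter is incremented so the value always grows.
next_serial() {               # $1 = current serial, $2 = today as YYYYMMDD
    case $1 in
        "$2"[0-9][0-9]) echo $(($1 + 1)) ;;
        *) if [ "$1" -ge "${2}01" ]; then echo $(($1 + 1)); else echo "${2}01"; fi ;;
    esac
}

bump_serial() {               # $1 = zone file; rewrites it and prints the new serial
    old=$(get_serial "$1"); [ -n "$old" ] || return 1
    new=$(next_serial "$old" "$(date +%Y%m%d)")
    # touch only the first digit-only line after the SOA, keeping indentation
    awk -v old="$old" -v new="$new" '
        /SOA/ {insoa=1}
        insoa && !done && NF == 1 && $1 == old {sub(old, new); done=1}
        {print}' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    echo "$new"
}

# Prints findings; returns 1 if any, 0 when the zone is clean.
soa_lint() {                  # $1 = zone file
    rc=0
    # MNAME and RNAME are the two names after "SOA"; without a trailing dot
    # $ORIGIN is appended (ns1.magedu.com.31.168.192.in-addr.arpa.).
    for n in $(awk '{for (i=1; i<=NF; i++) if ($i == "SOA") {print $(i+1), $(i+2); exit}}' "$1"); do
        case $n in
            *.) ;;
            *) echo "SOA name without trailing dot: $n"; rc=1 ;;
        esac
    done
    # Every NS target written relative to the zone (no trailing dot) must have
    # an A record in the same zone, otherwise the delegation has no glue.
    missing=$(awk '{for (i=2; i<=NF; i++) {
                        if ($i == "NS" && $(i-1) == "IN" && i < NF && $(i+1) !~ /\.$/) want[$(i+1)] = 1
                        if ($i == "A"  && $(i-1) == "IN" && i > 2) have[$1] = 1 } }
                    END {for (t in want) if (!(t in have)) print "NS target without A record: " t}' "$1")
    if [ -n "$missing" ]; then echo "$missing"; rc=1; fi
    return $rc
}
```

Typical use on the master: `soa_lint /var/named/magedu.com.zone && bump_serial /var/named/magedu.com.zone && rndc reload`, so a zone with a dangling NS or an unqualified SOA name is never loaded, and every loaded change carries a higher serial than the slave's copy.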
Original article by lyj821202. If reposting, please cite the source: http://www.178linux.com/69881

