Coding With Fun

13.4 Secure encrypted transmission


May 24, 2021. From the book Linux Should Learn This Way.



As mentioned repeatedly earlier, the domain name resolution service is an important part of the Internet infrastructure, and almost all network applications rely on DNS to function properly. If the DNS service fails, users will not be able to find or use web sites, e-mail systems and other services even though those services themselves are working normally.

The vast majority of DNS servers on the Internet (more than 95%) are built on the BIND domain name resolution service, which supports the TSIG (RFC 2845) mechanism in order to provide secure resolution services. TSIG mainly uses a shared key to protect the transmission of zone data (zone transfer); in other words, the TSIG mechanism ensures that zone data is exchanged securely between DNS servers.

The next experiment still uses the two servers listed in Table 13-2.

Before the bind service program on the slave server is configured and restarted, you can see the zone files it previously obtained from the master server:

Table 13-2 Two servers used in the experiment

Host name       Operating system   IP address
Master server   RHEL 7             192.168.10.10
Slave server    RHEL 7             192.168.10.20

[root@linuxprobe ~]# ls -al /var/named/slaves/
total 12
drwxrwx---. 2 named named   54 Jun  7 16:02 .
drwxr-x---. 6 root  named 4096 Jun  7 15:58 ..
-rw-r--r--. 1 named named  432 Jun  7 16:02 192.168.10.arpa
-rw-r--r--. 1 named named  439 Jun  7 16:02 linuxprobe.com.zone
[root@linuxprobe ~]# rm -rf /var/named/slaves/*

Step 1: Generate a key on the master server. The dnssec-keygen command is used to generate keys for the secure DNS service, in the format "dnssec-keygen [parameters]". The commonly used parameters and their functions are shown in Table 13-3.

Table 13-3 Common parameters for dnssec-keygen commands

Parameter   Action
-a          Specifies the encryption algorithm, including RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, etc.
-b          Key length (for HMAC-MD5 the key length is between 1 and 512 bits)
-n          Key type (HOST indicates a host-related key)

Use the following command to generate a key file named master-slave with the 128-bit HMAC-MD5 algorithm. After the command runs, the public and private key files are generated in the current directory by default. We need to record the value behind the Key field in the private key file and write it into the transfer configuration file later.

[root@linuxprobe ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+46845
[root@linuxprobe ~]# ls -al Kmaster-slave.+157+46845.*
-rw-------. 1 root root  56 Jun  7 16:06 Kmaster-slave.+157+46845.key
-rw-------. 1 root root 165 Jun  7 16:06 Kmaster-slave.+157+46845.private
[root@linuxprobe ~]# cat Kmaster-slave.+157+46845.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 1XEEL3tG5DNLOw+1WHfE3Q==
Bits: AAA=
Created: 20170607080621
Publish: 20170607080621
Activate: 20170607080621

Step 2: Create the key verification file on the master server. Enter the directory in which the bind service program keeps its configuration files and write the newly generated key name, encryption algorithm and private key string into the transfer.key file in the format below. For security reasons, change the group of the file to named, tighten its permissions, and then hard-link the file into the /etc directory.

[root@linuxprobe ~]# cd /var/named/chroot/etc/
[root@linuxprobe etc]# vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "1XEEL3tG5DNLOw+1WHfE3Q==";
};
[root@linuxprobe etc]# chown root:named transfer.key
[root@linuxprobe etc]# chmod 640 transfer.key
[root@linuxprobe etc]# ln transfer.key /etc/transfer.key

Step 3: Enable and load the key verification function of the bind service. The key verification file must first be loaded in the main configuration file of the master server, and then allow-transfer is set so that only DNS servers authenticated with the master-slave key are allowed to synchronize the zone files:

[root@linuxprobe ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-transfer { key master-slave; };
.................. some of the output is omitted ..................
[root@linuxprobe ~]# systemctl restart named

At this point the key-authenticated zone transfer capability of the master DNS server has been configured. Now, on the slave server, empty the directory that holds the synchronized zone files and restart the bind service program again; you will find that the zone files are no longer fetched automatically as they were a moment ago:

[root@linuxprobe ~]# rm -rf /var/named/slaves/*
[root@linuxprobe ~]# systemctl restart named
[root@linuxprobe ~]# ls /var/named/slaves/
[root@linuxprobe ~]#
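To make the mechanism behind steps 1 to 3 concrete, here is an added Python example (it is not code from the book or from BIND). It reads the key statement in the transfer.key format shown above, signs an AXFR request with a TSIG record as RFC 2845 describes, and verifies it the way the receiving server does: an unknown key, an altered message, a wrong secret and a timestamp outside the fudge window are all rejected. The function names (parse_transfer_key, sign_message, verify_message, demo), the constructed TRANSFER_KEY text and the fixed timestamp t0 are assumptions of this example; it handles a single message only and omits the request-MAC chaining that BIND applies across the many messages of a real AXFR response.

```python
import base64
import hashlib
import hmac
import re
import struct

# Constructed copy of the transfer.key statement written in step 2 (same secret as above).
TRANSFER_KEY = 'key "master-slave" { algorithm hmac-md5; secret "1XEEL3tG5DNLOw+1WHfE3Q=="; };'
# Wire-format algorithm name and digest for each BIND algorithm keyword (RFC 2845 / RFC 4635).
ALG_NAMES = {"hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5), "hmac-sha256": ("hmac-sha256", hashlib.sha256)}

def parse_transfer_key(text):  # -> (key name, algorithm keyword, raw secret bytes)
    m = re.search(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', text)
    if not m:
        raise ValueError("no key statement found")
    name, algorithm, secret_b64 = m.groups()
    return name, algorithm.lower(), base64.b64decode(secret_b64)

def encode_name(name):  # DNS wire format of a domain name: uncompressed length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):  # read an uncompressed wire-format name -> (dotted text, offset after it)
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode()); off += 1 + msg[off]
    return ".".join(labels), off + 1

def skip_name(msg, off):  # skip a name that may be compressed (a 0xC0 pointer ends it in two bytes)
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def build_axfr_query(zone, msg_id=0x1234):
    # Header (QDCOUNT=1, other counts 0) followed by QNAME / QTYPE=AXFR(252) / QCLASS=IN(1).
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)

def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    # The TSIG fields covered by the MAC, in RFC 2845 section 3.4.2 order (class ANY, TTL 0).
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + encode_name(alg_name)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def sign_message(message, key_name, algorithm, secret, now, fudge=300):
    # Append a TSIG RR to an unsigned DNS message; a real signer takes `now` from the clock.
    alg_name, digestmod = ALG_NAMES[algorithm]
    time_signed = int(now)
    mac = hmac.new(secret, message + tsig_variables(key_name, alg_name, time_signed, fudge), digestmod).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(alg_name) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1  # the TSIG RR counts as an additional record
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def split_tsig(signed):  # find the trailing TSIG RR and rebuild the message exactly as it was before signing
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):  # every record except the last one, which must be the TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    start = off
    key_name, off = read_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != 250:
        raise ValueError("last additional record is not a TSIG RR")
    alg_name, off = read_name(signed, off + 10)
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10]); off += 10
    mac = signed[off:off + mac_len]; off += mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6]); off += 6
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:start]
    return unsigned, key_name, alg_name, (t_hi << 32) | t_lo, fudge, mac, error, signed[off:off + other_len]

def verify_message(signed, keys, now):
    # True only if the key is known, the MAC matches and the timestamp lies inside the fudge window.
    try:
        unsigned, key_name, alg_name, time_signed, fudge, mac, error, other = split_tsig(signed)
    except (ValueError, IndexError, struct.error):
        return False  # malformed or unsigned message
    algorithm, secret = keys.get(key_name.lower(), (None, None))
    if algorithm is None or alg_name.lower() != ALG_NAMES[algorithm][0]:
        return False  # unknown key or algorithm mismatch (BADKEY in BIND's terms)
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, alg_name, time_signed, fudge, error, other),
                        ALG_NAMES[algorithm][1]).digest()
    if not hmac.compare_digest(expected, mac):
        return False  # BADSIG: wrong secret, or the message was altered in transit
    return abs(int(now) - time_signed) <= fudge  # BADTIME: replayed or clock-skewed message

def demo(t0=1496822781):
    # Sign an AXFR request for linuxprobe.com at the constructed time t0, then verify it in four situations.
    name, algorithm, secret = parse_transfer_key(TRANSFER_KEY)
    keys = {name: (algorithm, secret)}
    signed = sign_message(build_axfr_query("linuxprobe.com"), name, algorithm, secret, now=t0)
    tampered = signed[:13] + bytes([signed[13] ^ 0x01]) + signed[14:]  # flip one byte inside the QNAME
    return {
        "valid": verify_message(signed, keys, now=t0 + 10),
        "tampered": verify_message(tampered, keys, now=t0 + 10),
        "wrong_secret": verify_message(signed, {name: (algorithm, b"\x00" * 16)}, now=t0 + 10),
        "stale": verify_message(signed, keys, now=t0 + 3600),
    }
```

hmac.compare_digest keeps the MAC comparison constant-time, and the fudge window (300 seconds here, BIND's default) is the reason both servers need synchronized clocks: a transfer that fails with BADTIME is usually a clock problem rather than a key problem.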

Step 4: Configure the slave server to support key verification. Configuring the slave DNS server is much the same as configuring the master: create the key verification file in the configuration directory of the bind service program, set the appropriate permissions, and then hard-link the file into the /etc directory.

[root@linuxprobe ~]# cd /var/named/chroot/etc
[root@linuxprobe etc]# vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "1XEEL3tG5DNLOw+1WHfE3Q==";
};
[root@linuxprobe etc]# chown root:named transfer.key
[root@linuxprobe etc]# chmod 640 transfer.key
[root@linuxprobe etc]# ln transfer.key /etc/transfer.key

Step 5: Enable and load the key verification function on the slave server. This step likewise loads the key verification file in the main configuration file, and then writes the IP address of the master server together with the key name in the specified format. Note that the server statement carrying the key name must not be placed too early in the file; around line 43 is appropriate, otherwise the bind service program will report an error because the parameters it depends on have not been loaded yet:

[root@linuxprobe etc]# vim /etc/named.conf
 1 //
 2 // named.conf
 3 //
 4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 5 // server as a caching only nameserver (as a localhost DNS resolver only).
 6 //
 7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 8 //
 9 include "/etc/transfer.key";
10 options {
11         listen-on port 53 { 127.0.0.1; };
12         listen-on-v6 port 53 { ::1; };
13         directory "/var/named";
14         dump-file "/var/named/data/cache_dump.db";
15         statistics-file "/var/named/data/named_stats.txt";
16         memstatistics-file "/var/named/data/named_mem_stats.txt";
17         allow-query { localhost; };
18
19         /*
20          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
21          - If you are building a RECURSIVE (caching) DNS server, you need to enable
22            recursion.
23          - If your recursive DNS server has a public IP address, you MUST enable access
24            control to limit queries to your legitimate users. Failing to do so will
25            cause your server to become part of large scale DNS amplification
26            attacks. Implementing BCP38 within your network would greatly
27            reduce such attack surface
28         */
29         recursion yes;
30
31         dnssec-enable yes;
32         dnssec-validation yes;
33         dnssec-lookaside auto;
34
35         /* Path to ISC DLV key */
36         bindkeys-file "/etc/named.iscdlv.key";
37
38         managed-keys-directory "/var/named/dynamic";
39
40         pid-file "/run/named/named.pid";
41         session-keyfile "/run/named/session.key";
42 };
43 server 192.168.10.10
44 {
45         keys { master-slave; };
46 };
47 logging {
48         channel default_debug {
49                 file "data/named.run";
50                 severity dynamic;
51         };
52 };
53
54 zone "." IN {
55         type hint;
56         file "named.ca";
57 };
58
59 include "/etc/named.rfc1912.zones";
60 include "/etc/named.root.key";

Step 6: Synchronize the zone data on the slave server. The bind service programs on both servers are now configured with the same key verification file. Restart the bind service program on the slave server and you will find that the zone files can be synchronized smoothly again:

[root@linuxprobe ~]# systemctl restart named
[root@linuxprobe ~]# ls /var/named/slaves/
192.168.10.arpa  linuxprobe.com.zone
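As a closing check on the configuration built in steps 1 to 6, here is an added Python example (it is not code from the book or from BIND) that audits named.conf text for the zone-transfer settings touched above and checks the mode of the on-disk key file the way step 2 intends. The fragments HARDENED, OPEN, UNSET, ADDRESS_ONLY and KEY_MD5 are constructed for this example, and audit_named_conf, key_file_findings and demo_key_file are its own names. It also flags the hmac-md5 algorithm chosen in step 1, which goes beyond the book's setup: newer BIND releases ship tsig-keygen, which defaults to hmac-sha256.

```python
import os
import re
import stat
import tempfile

# Constructed named.conf fragments modelled on the master server's options block above.
HARDENED = 'include "/etc/transfer.key";\noptions { allow-query { any; }; allow-transfer { key master-slave; }; };'
OPEN = 'options { allow-query { any; }; allow-transfer { any; }; };'
UNSET = 'options { allow-query { any; }; };'
ADDRESS_ONLY = 'options { allow-transfer { 192.168.10.20; }; };'
# Constructed copy of the key statement from transfer.key, using the algorithm chosen in step 1.
KEY_MD5 = 'key "master-slave" { algorithm hmac-md5; secret "1XEEL3tG5DNLOw+1WHfE3Q=="; };'

def strip_comments(text):
    """Remove /* */, // and # comments so that commented-out directives are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def audit_named_conf(text):
    """Return human-readable findings about zone-transfer exposure; an empty list means nothing found."""
    findings = []
    text = strip_comments(text)
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", text)
    if m is None:
        findings.append("allow-transfer not set: older BIND releases (such as the one on RHEL 7) then allow AXFR from any host")
    else:
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if any(e.lower() == "any" for e in entries):
            findings.append("allow-transfer { any; }: the complete zone can be downloaded by every client that reaches port 53")
        elif not any(e.lower().startswith("key ") for e in entries):
            findings.append("allow-transfer is address-based only: add a 'key <name>' entry so transfers are TSIG-authenticated")
    for name in re.findall(r"\bkey\s+([\w.-]+)\s*;", text):  # key names referenced inside ACLs
        # A key must be defined in this file or brought in by an include (crude check: any include counts).
        if not re.search(r'key\s+"%s"\s*\{' % re.escape(name), text) and "include" not in text:
            findings.append("key %s is referenced but neither defined nor included" % name)
    if re.search(r"algorithm\s+hmac-md5\b", text, re.I):
        findings.append("hmac-md5 TSIG key: prefer hmac-sha256 (the default of BIND's tsig-keygen)")
    return findings

def key_file_findings(path):
    """Check the on-disk key file the way step 2 intends: the shared secret must not be readable by 'other'."""
    findings = []
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("%s is world-readable: the shared secret is exposed to every local user" % path)
    return findings

def demo_key_file(mode):
    """Write a temporary key file with the given mode, audit it, and clean up (constructed demonstration)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, KEY_MD5.encode()); os.close(fd)
    os.chmod(path, mode)
    try:
        return key_file_findings(path)
    finally:
        os.unlink(path)
```

Run audit_named_conf over the real /etc/named.conf after named-checkconf has accepted it; the address-only finding matters because an address ACL alone gives no cryptographic proof of who is requesting the transfer, which is exactly what the key entry adds.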

Because readers' hardware differs and mistakes in operation can lead to configuration errors in the experiment, please be patient, re-read the steps carefully, and do not be discouraged.
