linux中BIND服务程序安全的加密传输TSIG机制
安全的加密传输(TSIG机制)要解决的问题:
服务器之间数据配置文件传输的安全性,比如从服务器从主服务器同步数据,防止数据配置文件传输过程中遭到篡改。
整体逻辑:
主服务器中生成密钥文件(注意:TSIG 使用的是 HMAC 对称共享密钥,下面生成的 .key 和 .private 两个文件中的 Key 字符串是同一个值),从服务器只有提供同一个密钥,才可以从主服务器中备份(区域传送)数据。
以下实验中主服务器为PC1,IP为192.168.10.10. 从服务器为PC2,IP为192.168.10.20.
1、在主服务器中生成公钥私钥对
[root@PC1 named]# ls
192.168.10.arpa data linuxprobe.com.zone named.empty named.loopback
chroot dynamic named.ca named.localhost slaves
[root@PC1 named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave ## -a 指定加密算法,-b 指定密钥长度 ,-n 指定主机类型, 执行命令后会在当前目录生成 .key 和 .private 两个密钥文件(HMAC-MD5 已被视为弱算法,生产环境建议改用 hmac-sha256 等更强的算法;较新版本的 BIND 提供 tsig-keygen 专门生成 TSIG 密钥)
Kmaster-slave.+157+26932
[root@PC1 named]# ls
192.168.10.arpa dynamic linuxprobe.com.zone named.localhost
chroot Kmaster-slave.+157+26932.key named.ca named.loopback
data Kmaster-slave.+157+26932.private named.empty slaves
[root@PC1 named]# cat Kmaster-slave.+157+26932.key
master-slave. IN KEY 512 3 157 tZMuUo9wgs9epnNSGRGCZw==
[root@PC1 named]# cat Kmaster-slave.+157+26932.private ## 查看密钥字符串(Key 一行即共享密钥,相当于口令,不要泄露或提交到版本库)
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: tZMuUo9wgs9epnNSGRGCZw==
Bits: AAA=
Created: 20201212114316
Publish: 20201212114316
Activate: 20201212114316
2、在主服务器中创建秘钥验证文件
[root@PC1 named]# cd /var/named/chroot/etc/
[root@PC1 etc]# vim transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "tZMuUo9wgs9epnNSGRGCZw==";
};
[root@PC1 etc]# ll transfer.key ## 查看权限、所属组
-rw-r--r--. 1 root root 79 Dec 12 20:02 transfer.key
[root@PC1 etc]# chown root:named transfer.key ## 修改所属组
[root@PC1 etc]# ll transfer.key
-rw-r--r--. 1 root named 79 Dec 12 20:02 transfer.key
[root@PC1 etc]# chmod 640 transfer.key ## 修改权限(只允许 root 和 named 组读取,其他用户不能读取密钥字符串)
[root@PC1 etc]# ln transfer.key /etc/transfer.key ## 在/etc 目录下创建硬链接(硬链接与原文件共享同一 inode,上面设置的属组和权限同样生效)
3、修改主服务器的主配置文件,开启并加载bind服务的秘钥验证功能
[root@PC1 etc]# vim /etc/named.conf
1 //
2 // named.conf
3 //
4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
5 // server as a caching only nameserver (as a localhost DNS resolver only).
6 //
7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
8 //
9 include "/etc/transfer.key"; ## 加载密钥文件(路径即上一步创建的硬链接 /etc/transfer.key)
10 options {
11 listen-on port 53 { any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; };
18 allow-transfer { key master-slave; }; ## 只允许携带 master-slave 密钥签名的请求进行区域传送
19 /*
20 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
21 - If you are building a RECURSIVE (caching) DNS server, you need to enable
22 recursion.
23 - If your recursive DNS server has a public IP address, you MUST enable access
24 control to limit queries to your legitimate users. Failing to do so will
25 cause your server to become part of large scale DNS amplification
26 attacks. Implementing BCP38 within your network would greatly
27 reduce such attack surface
28 */
29 recursion yes;
30
31 dnssec-enable yes;
32 dnssec-validation yes;
33 dnssec-lookaside auto;
………………
4、重启主服务器bind服务
[root@PC1 etc]# systemctl restart named
5、进入从服务器/var/named/slaves目录,清空该目录,重启bind服务,验证是否可以从主服务器备份数据
[root@PC2 slaves]# ls
192.168.10.arpa linuxprobe.com.zone
[root@PC2 slaves]# pwd
/var/named/slaves
[root@PC2 slaves]# rm -f *
[root@PC2 slaves]# ls
[root@PC2 slaves]# systemctl restart named
[root@PC2 slaves]# ls
## 以上说明在从服务器中重启bind服务后,已经不能从主服务器中备份域名解析数据了(原因是主服务器的 allow-transfer 只放行持有密钥的请求,而从服务器尚未配置该密钥)
6、在从服务器中创建密钥认证文件(内容必须与主服务器的 transfer.key 完全一致)
[root@PC2 slaves]# cd /var/named/chroot/etc/
[root@PC2 etc]# vim transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "tZMuUo9wgs9epnNSGRGCZw==";
};
[root@PC2 etc]# chown root:named transfer.key
[root@PC2 etc]# chmod 640 transfer.key
[root@PC2 etc]# ln transfer.key /etc/transfer.key
7、加载并开启从服务器的密钥验证功能(include 密钥文件,并在 server 语句中指定向主服务器 192.168.10.10 发送请求时使用 master-slave 密钥签名)
[root@PC2 etc]# vim /etc/named.conf
1 //
2 // named.conf
3 //
4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
5 // server as a caching only nameserver (as a localhost DNS resolver only).
6 //
7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
8 //
9 include "/etc/transfer.key";
10 options {
11 listen-on port 53 { any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; };
…………
38 managed-keys-directory "/var/named/dynamic";
39
40 pid-file "/run/named/named.pid";
41 session-keyfile "/run/named/session.key";
42 };
43 server 192.168.10.10
44 {
45 keys { master-slave; };
46 };
47 logging {
48 channel default_debug {
49 file "data/named.run";
50 severity dynamic;
51 };
52 };
…………
8、重启从服务器的bind服务,观察是否可以实现从主服务器备份域名解析数据
[root@PC2 ~]# cd /var/named/slaves/
[root@PC2 slaves]# ls
[root@PC2 slaves]# systemctl restart named
[root@PC2 slaves]# ls ## 可以实现备份
192.168.10.arpa linuxprobe.com.zone
9、测试DNS服务功能
[root@PC2 slaves]# nslookup ## 可以提供域名解析功能
> www.linuxprobe.com
Server: 192.168.10.20
Address: 192.168.10.20#53
Name: www.linuxprobe.com
Address: 192.168.10.10
> xxx.linuxprobe.com
Server: 192.168.10.20
Address: 192.168.10.20#53
Name: xxx.linuxprobe.com
Address: 111.123.145.23
> 192.168.10.10
Server: 192.168.10.20
Address: 192.168.10.20#53
10.10.168.192.in-addr.arpa name = www.linuxprobe.com.
> 192.168.10.20
Server: 192.168.10.20
Address: 192.168.10.20#53
20.10.168.192.in-addr.arpa name = mmm.xxxxxxxx.com.