2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

Unit 3

Cache DNS

I. DNS

1 Authoritative name server

Stores and serves the actual data for a zone (an entire DNS domain or part of one). The types of authoritative name server are:

Master: holds the original zone data; sometimes called the "primary" name server.

Slave: a backup server that obtains a copy of the zone data from a master server through a zone transfer; sometimes called the "secondary" name server.

2 Non-authoritative (recursive) name server

The client uses it to look up data held by the authoritative name servers.

3 DNS lookup

II. DNS resource records

The DNS area stores information in the form of resource records. Each resource record has a type indicating the type of data it retains:

A: name to IPv4 address

AAAA: name to IPv6 address

CNAME: name to "canonical name" (an alias pointing at another name that carries the A/AAAA record)

PTR: IPv4/IPv6 address to name

MX: the mail exchanger for the name (where to send its email)

NS: name server for domain name

SOA: "Start of Authority", administrative information about the DNS zone

III. DNS troubleshooting

The status field of a lookup gives details of the result, including why a query failed:

NOERROR: query succeeded

NXDOMAIN: the DNS server reports that no such name exists

SERVFAIL: the DNS server is down, or DNSSEC validation of the response failed

REFUSED: the DNS server refuses to answer (perhaps for access-control reasons)

IV. Cache DNS server

Server:

1 yum install bind.x86_64 -y # install the DNS server #

2 systemctl stop firewalld.service # turn off the firewall #

3 systemctl start named # start the service. If it takes a long time to start, the system may be short of random input; type a few characters in the virtual machine console #

4 vim /etc/named.conf # edit the main configuration file #

Modify the following lines:

listen-on port 53 { any; }; # the loopback interface does not talk to the outside world, so change it to any #

allow-query { any; }; # allow anyone to query #

forwarders { 172.25.254.250; }; # if the cache DNS cannot answer from its cache, forward the query to 172.25.254.250 (the authoritative name server) #

5 systemctl restart named # restart the service #

Client:

1 vim /etc/resolv.conf # specify the DNS server #

2 Test: dig www.baidu.com # dig shows the details of the query and the answer #
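Before a cache built as in step 4 is put on the network it is worth checking who may recurse through it: BIND defaults allow-query to any and recursion to on, and without an allow-recursion statement it serves recursive queries to localnets and localhost only. The shell function below, an added example rather than part of the original page, classifies an options block on that basis; the sample configuration texts and the 172.25.254.0/24 client network are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the page: classify the recursion exposure of a
# named.conf options{} block. BIND defaults: allow-query { any; },
# recursion yes, and, with no allow-recursion statement, recursion for
# localnets and localhost only.

# Constructed sample matching the options the page changes in step 4.
SAMPLE_CONF='options {
    listen-on port 53 { any; };
    allow-query { any; };
    forwarders { 172.25.254.250; };
};'

# Same block with recursion limited to an explicit client network
# (172.25.254.0/24 is assumed to be the lab subnet used on the page).
HARDENED_CONF='options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { 172.25.254.0/24; };
    forwarders { 172.25.254.250; };
};'

# conf_value NAME: print the body of "NAME { ... };" from the config on
# stdin with whitespace removed; prints nothing if the directive is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*{\(.*\)}[[:space:]]*;.*/\1/p" \
        | head -n 1 | tr -d '[:space:]'
}

# audit_recursion CONF: print one of
#   no-recursion       recursion no; the server is authoritative-only
#   open-resolver      allow-recursion { any; }: recursion from anywhere
#   localnets-default  no allow-recursion; BIND falls back to localnets+localhost
#   restricted         an explicit allow-recursion ACL is present
audit_recursion() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*recursion[[:space:]]*no[[:space:]]*;'; then
        echo no-recursion
        return
    fi
    acl=$(printf '%s\n' "$1" | conf_value allow-recursion)
    if [ -z "$acl" ]; then
        echo localnets-default
    elif [ "$acl" = "any;" ]; then
        echo open-resolver
    else
        echo restricted
    fi
}

audit_recursion "$SAMPLE_CONF"    # prints localnets-default
audit_recursion "$HARDENED_CONF"  # prints restricted
```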

The process is as follows:

[root@localhost ~]# yum search dns
[root@localhost ~]# yum install bind.x86_64 -y
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# ll /etc/rndc.key # before the named service has been started, the file does not exist #
ls: cannot access /etc/rndc.key: No such file or directory
[root@localhost ~]# systemctl start named # start the service. If it takes a long time to start, the system may be short of random input; type a few characters in the virtual machine console #
[root@localhost ~]# ll /etc/rndc.key
-rw-r-----. 1 root named 77 May 5 22:13 /etc/rndc.key
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# systemctl restart named # restart the service #

Client:

[root@localhost ~]# vim /etc/resolv.conf # specify the DNS server #
[root@localhost ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
[…]

> update add hello.westos.com 86400 A 172.25.254.222

> send

2 dig hello.westos.com # view the new record #

3 nsupdate # delete the record #

> server 172.25.254.112

> update delete hello.westos.com

> send

The process is as follows:

Server:

[root@server named]# cp -p /var/named/westos.com.zone /mnt/
[root@server named]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.212; };
};
[root@server named]# systemctl restart named
[root@server named]# chmod 770 /var/named/
[root@server named]# setsebool -P named_write_master_zones 1

Client:

[root@localhost ~]# nsupdate
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.222
> send
> ^C
[root@localhost ~]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
[…]

> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com

The process is as follows:

Server:

[root@server named]# dnssec-keygen --help
dnssec-keygen: invalid argument --
Usage:
    dnssec-keygen [options] name

Version: 9.9.4-RedHat-9.9.4-29.el7
    name: owner of the key
Options:
    -K <directory>: write keys into directory
    -a <algorithm>:
        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
        RSASHA256 | RSASHA512 | ECCGOST |
        ECDSAP256SHA256 | ECDSAP384SHA384 |
        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |
        HMAC-SHA384 | HMAC-SHA512
       (default: RSASHA1, or NSEC3RSASHA1 if using -3)
    -3: use NSEC3-capable algorithm
    -b <key size in bits>:
        RSAMD5:         [512..4096]
        RSASHA1:        [512..4096]
        NSEC3RSASHA1:   [512..4096]
        RSASHA256:      [512..4096]
        RSASHA512:      [1024..4096]
        DH:             [128..4096]
        DSA:            [512..1024] and divisible by 64
        NSEC3DSA:       [512..1024] and divisible by 64
        ECCGOST:        ignored
        ECDSAP256SHA256: ignored
        ECDSAP384SHA384: ignored
        HMAC-MD5:       [1..512]
        HMAC-SHA1:      [1..160]
        HMAC-SHA224:    [1..224]
        HMAC-SHA256:    [1..256]
        HMAC-SHA384:    [1..384]
        HMAC-SHA512:    [1..512]
        (if using the default algorithm, key size
          defaults to 2048 for KSK, or 1024 for all others)
    -n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
        (DNSKEY generation defaults to ZONE)
    -c <class> (default: IN)
    -d <digest bits> (0 => max, default)
    -E <engine>:
        name of an OpenSSL engine to use
    -f <keyflag>: KSK | REVOKE
    -g <generator>: use specified generator (DH only)
    -L <ttl>: default key TTL
    -p <protocol>: (default: 3 [dnssec])
    -r <randomdev>: a file containing random data
    -s <strength>: strength value this key signs DNS records with (default: 0)
    -T <type>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -h: print usage and exit
    -m <memory debugging mode>:
       usage | trace | record | size | mctx
    -v <level>: set verbosity level (0 - 10)
Timing options:
    -P date/[+-]offset/none: set key publication date (default: now)
    -A date/[+-]offset/none: set key activation date (default: now)
    -R date/[+-]offset/none: set key revocation date
    -I date/[+-]offset/none: set key inactivation date
    -D date/[+-]offset/none: set key deletion date
    -G: generate key only; do not set -P or -A
    -C: generate a backward-compatible key, omitting all dates
    -S <key>: generate a successor to an existing key
    -i <interval>: prepublication interval for successor key (default: 30 days)
Output:
     K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

[root@server named]# cd /mnt/
[root@server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey
Kwestoskey.+157+23921
[root@server mnt]# ls
Kwestoskey.+157+23921.key  Kwestoskey.+157+23921.private  westos.com.zone
[root@server mnt]# cat Kwestoskey.+157+23921.key
westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw==
[root@server mnt]# cp -p /etc/rndc.key /etc/westos.key
[root@server mnt]# vim /etc/westos.key
[1]+  Stopped                 vim /etc/westos.key
[root@server mnt]# fg
vim /etc/westos.key
[root@server mnt]# vim /etc/westos.key
[1]+  Stopped                 vim /etc/westos.key
[root@server mnt]# fg
vim /etc/westos.key
[root@server mnt]# vim /etc/named.conf
[root@server mnt]# vim /etc/named.rfc1912.zones
[root@server mnt]# systemctl restart named
[root@server mnt]# scp Kwestoskey.+157+23921.* root@172.25.254.212:/mnt/
The authenticity of host '172.25.254.212 (172.25.254.212)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.212' (ECDSA) to the list of known hosts.
root@172.25.254.212's password:
Kwestoskey.+157+23921.key                     100%   53     0.1KB/s   00:00
Kwestoskey.+157+23921.private                 100%  165     0.2KB/s   00:00
# pass the key to the client #

Client:

[root@localhost mnt]# nsupdate -k Kwestoskey.+157+23921.private
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
[…]
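The page edits /etc/westos.key and /etc/named.rfc1912.zones in vim without showing the result; as an added example (not the author's files) the functions below derive the key statement, in the same layout as rndc.key, from the K*.key record printed above, together with the zone statement that accepts updates only when they are signed with that key. Restricting allow-update to a source address trusts an unauthenticated UDP source, whereas the key form requires each update to carry a valid TSIG signature; the algorithm numbers are BIND's private-use values, the key line is copied from the page, and the zone and file names are the page's own.

```shell
#!/bin/sh
# Added example, not from the page: build the named.conf "key" and "zone"
# statements for TSIG-authenticated dynamic updates from a dnssec-keygen
# K*.key record.

# Constructed copy of the Kwestoskey.+157+23921.key line shown on the page.
KEYFILE_LINE='westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw=='

# tsig_alg NUMBER: map the algorithm number of a K*.key record to the
# algorithm name named.conf expects (BIND's numbers for HMAC key types).
tsig_alg() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        162) echo hmac-sha224 ;;
        163) echo hmac-sha256 ;;
        164) echo hmac-sha384 ;;
        165) echo hmac-sha512 ;;
        *)   echo "unsupported algorithm number $1" >&2; return 1 ;;
    esac
}

# key_statement "LINE": print the key block. Record fields are owner, class,
# type, flags, protocol, algorithm, then the base64 secret (possibly split
# across several fields for long keys, hence the concatenation).
key_statement() {
    set -- $1
    name=${1%.}                       # drop the trailing dot from the owner
    alg=$(tsig_alg "$6") || return 1
    shift 6
    secret=$(printf '%s' "$@")
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# zone_statement ZONE FILE KEYNAME: the page's zone, but updates are accepted
# only when signed with KEYNAME instead of from a bare client address.
zone_statement() {
    printf 'zone "%s" IN {\n\ttype master;\n\tfile "%s";\n\tallow-update { key %s; };\n};\n' \
        "$1" "$2" "$3"
}

key_statement "$KEYFILE_LINE"                       # contents for /etc/westos.key
zone_statement westos.com westos.com.zone westoskey # zone for named.rfc1912.zones
```

The key block must be identical on the server and on the nsupdate client, and since the secret is the whole credential, /etc/westos.key should keep the same root:named ownership and mode as rndc.key.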
