2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
DNSSEC secures communication between DNS servers. When a DNS server receives a resource record from another DNS server, it checks whether the record has been tampered with and whether the message was sent by a genuinely authoritative DNS server rather than by a fake one. In other words, DNSSEC ensures that the resource records DNS clients obtain, such as IP addresses, are authentic and correct. As shown in the following figure:
DNSSEC uses digital signatures and cryptographic keys to verify that a DNS server's response is genuine. To give a DNS server DNSSEC capability, the zone must be signed on its authoritative DNS server; non-authoritative DNS servers can then perform validation. Once the zone on the authoritative DNS server is signed, the system creates a new RRSIG (resource record signature) record for each resource record in the zone, and the authoritative DNS server sends each record together with its RRSIG record to the non-authoritative DNS server. The non-authoritative DNS server uses the public key of the authoritative DNS server to verify that the record has not been tampered with.
DNSSEC example exercise: the lab environment and procedure are taken from Dai Youwei's Windows Server 2012 Network Management and Station Book.
Lab setup: first, configure the IP address and other parameters of each host, configure DNS1 as a caching server and set up a forwarder on it, create the zone sec.com on DNS2, and add a host record (www.sec.com -> 192.168.8.254) for testing.
DNSSEC experiment steps:
1. Sign the zone sec.com on its authoritative server DNS2 (this turns on DNSSEC for the zone). After signing, many DNSSEC-related records are generated, including RRSIG, DNSKEY (key), and so on.
2. Import the DNSKEY (the public key of DNS2) into DNS1.
3. Create a policy on the DNS client that forces the client computer to require DNS1 to validate the records it receives from DNS2 (configured in Group Policy).
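The three steps above as PowerShell, using the DnsServer and DnsClient modules that ship with Windows Server 2012. This is an added example, not taken from the original article or the book it follows; DNS1, DNS2, sec.com and www.sec.com are the lab names above, while the default signing parameters and the local NRPT rule (in place of the Group Policy setting) are assumptions.

```powershell
# Added example. DNS1, DNS2, sec.com and www.sec.com are the lab names from the article;
# default signing parameters and the local NRPT rule are assumptions.
$Zone = 'sec.com'

# --- Step 1: sign the zone on the authoritative server DNS2 ---
Invoke-DnsServerZoneSign -ZoneName $Zone -ComputerName DNS2 -SignWithDefault -Force

# Signing must have produced DNSKEY and RRSIG records; stop here if it did not.
$dnskeys = Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey -ComputerName DNS2
$rrsigs  = Get-DnsServerResourceRecord -ZoneName $Zone -RRType RRSig -ComputerName DNS2
if (-not $dnskeys -or -not $rrsigs) { throw "Zone $Zone is not signed on DNS2" }

# --- Step 2: import DNS2's DNSKEY records into DNS1 as trust anchors ---
$dnskeys | ForEach-Object {
    $_.RecordData | Add-DnsServerTrustAnchor -Name $Zone -ComputerName DNS1 -PassThru
}
# DNS1 can only validate sec.com answers once the anchors are present.
if (-not (Get-DnsServerTrustAnchor -Name $Zone -ComputerName DNS1)) {
    throw "No trust anchor for $Zone on DNS1"
}

# --- Step 3: run on the DNS client ---
# Require DNSSEC validation for every name under sec.com (leading dot = suffix match).
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq ".$Zone" }

# --- Check: ask DNS1 with the DO bit set; a signed answer carries RRSIG records ---
$answer = Resolve-DnsName -Name "www.$Zone" -Type A -Server DNS1 -DnssecOk
$answer | Format-Table Name, Type, TTL, Section
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    Write-Warning "No RRSIG returned for www.$Zone: the zone or forwarder path is not DNSSEC-aware"
}
```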
Evidence: capture the packets in which DNS1 validates the data received from DNS2, as shown below: