自簽名證書以及DNS服務器搭建

原創 dcrfan 2019-01-14 13:33

1.TSL鏈路通信

TLS: Transport Layer Security 安全傳輸協議,在應用層 傳輸層之間主要應用https 協議,ftps 協議等
https大體流程
客戶端A 服務端B
A ————》 (連接請求 ) B
A《———— (發送CA私鑰加密過B的公鑰,也就是安全證書)B
A (用CA公鑰解開證書得到B的公鑰)
A (生成對稱祕鑰key,並用B的公鑰加密)
A ————》(加密的祕鑰key) B
B (B用自己的私鑰解密得到對稱私鑰key)
A B後續通訊使用對稱私鑰加密通訊

2.自簽證書

搭建私有CA,用於自簽名

  1. 安裝openssl
  2. 生成CA 私鑰 
    [root@centos7 ~]#(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................+++
..........+++
e is 65537 (0x10001)

    注意生成文件必須與/etc/pki/tls/openssl.cnf配置文件定義一致
    dir = /etc/pki/CA # Where everything is kept
    private_key = $dir/private/cakey.pem# The private key
    而且生成文件權限爲600

  3. CA服務器用自己私鑰自簽名生成證書 
    [root@centos7 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -days 7200 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:nvliu
Organizational Unit Name (eg, section) []:dcrfan
Common Name (eg, your name or your server's hostname) []:centos7
Email Address []:

    注意生成文件必須與/etc/pki/tls/openssl.cnf配置文件定義一致
    certificate = $dir/cacert.pem # The CA certificate
    定義一些國家省份信息

  4. 把該證書傳輸到windows客戶端添加信任
    1. 更改後綴爲.cer
      自簽名證書以及DNS服務器搭建
    2. 打開證書發現不受信任,點擊安裝證書
      自簽名證書以及DNS服務器搭建
    3. 選擇證書存儲路徑
      自簽名證書以及DNS服務器搭建
    4. 選擇受信任根證書
      自簽名證書以及DNS服務器搭建
    5. 然後點擊是確定安裝
      自簽名證書以及DNS服務器搭建
    6. 再次打開證書,已經被系統信任了
      自簽名證書以及DNS服務器搭建
  5. 在應用服務器上生成密鑰,放在要使用應用文件下 
    [root@localhost ~]# (umask 066; openssl genrsa -out /data/app.key 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
........................+++
e is 65537 (0x10001)

    而且生成文件權限爲600
    [root@localhost ~]# (umask 066; openssl genrsa -out /data/app.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ............................................+++
    ........................+++
    e is 65537 (0x10001)

  6. 在應用服務器生成證書申請文件,然後上傳給CA服務器 
    [root@localhost ~]# openssl req -new -key /data/app.key  -out /data/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:nvliu   
Organizational Unit Name (eg, section) []:dcrfan1
Common Name (eg, your name or your server's hostname) []:centos7.1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  7. 在CA服務器手動生成兩個文件 
    [root@centos7 ~]#echo 01 > /etc/pki/CA/serial
[root@centos7 ~]#touch /etc/pki/CA/index.txt

    這兩個位置在/etc/pki/tls/openssl.cnf 均有定義
    database = $dir/index.txt # database index file.
    serial = $dir/serial # The current serial number

  8. 在CA服務器對剛剛應用服務器傳過來申請審批,生成證書 
    [root@centos7 ~]#openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 160
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jan  8 11:23:04 2019 GMT
        Not After : Jun 17 11:23:04 2019 GMT
    Subject:
        countryName               = cn
        stateOrProvinceName       = gd
        organizationName          = nvliu
        organizationalUnitName    = dcrfan1
        commonName                = centos7.1
    X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE
        Netscape Comment: 
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier: 
            2C:54:95:C8:30:80:97:89:7E:4A:40:50:F9:64:CB:2F:2E:D9:97:EA
        X509v3 Authority Key Identifier: 
            keyid:48:8F:FB:78:84:50:F0:B0:AB:6F:2C:10:B6:03:9F:21:03:03:20:70
Certificate is to be certified until Jun 17 11:23:04 2019 GMT (160 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

    注意生成文件必須與/etc/pki/tls/openssl.cnf配置文件定義一致
    certs = $dir/certs # Where the issued certs are kept

  9. 把生成的app,crt 拷貝會應用服務器使用

3.搭建DNS架構

實驗分別準備8臺實驗機器,
192.168.0.108 遠程訪問客服端
192.168.0.109 緩存dns服務器
192.168.0.112 dcrfan.com dns主服務器
192.168.0.113 dcrfan.com dns 從服務器
192.168.0.114 com dns服務器
192.168.0.115 根dns 服務器
192.168.0.116 web 服務器
192.168.0.117 web 服務器

  1. 先搭建dns主服務器192.168.0.112 ,安裝bind服務
  2. 修改主配置文件/etc/named.conf中文件 
    options {
    //listen-on port 53 { 127.0.0.1; };     #註釋該行,讓本服務器ip監聽53端口
    allow-query     { 192.168.0.0/24; };   # 修改改行,允許該網段的ip使用dns服務器
    allow-transfer { 192.168.0.113; };  #新增改行,只允許從dns服務器拉取數據
            };
  3. 修改zone文件/etc/named.rfc1912.zones,新增一個zone,用於解析dcrfan.com域 
    zone "dcrfan.com" IN {
        type master;#定義類型爲主dns服務器
        file "dcrfan.com.zone";#定義該域數據文件位置
};
  4. 新增dns數據記錄文件dcrfan.com.zone,注意權限,讓named賬戶能讀取該文件,文件在/var/named 目錄下
    -rw-r-----. 1 root named 152 Jun 21 2007 dcrfan.com.zone 
    @       IN SOA  dns1.dcrfan.com. admin.dcrfan.com. (
                                    0       
                                    1D      
                                    1H      
                                    1W      
                                    3H )    
    NS      dns1
    NS      dns2
dns1    A       192.168.0.112
dns2    A       192.168.0.113
srv     A       192.168.0.116
srv     A       192.168.0.117
www     CNAME   srv
  5. 啓動服務,在遠程客戶端使用dig 命令測試 
    [root@centos6 ~]# dig www.dcrfan.com @192.168.0.112
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                        IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 1 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Thu Jan 10 16:09:29 2019
;; MSG SIZE  rcvd: 152
  6. 搭建從dns服務器192.168.0.113 ,安裝dns服務
  7. 修改主配置文件/etc/named.conf中文件 
    options {
    //listen-on port 53 { 127.0.0.1; };     #註釋該行,讓本服務器ip監聽53端口
    allow-query     { 192.168.0.0/24; };   # 修改改行,允許該網段的ip使用dns服務器
    allow-transfer { none; };  #新增改行,不允許任何dns服務器拉取數據
            };
  8. 修改zone文件/etc/named.rfc1912.zones,新增一個zone,用於解析dcrfan.com域 
    zone "dcrfan.com" IN {
    type slave;#定義類型是從dns服務器
    masters { 192.168.0.112; }; #指定主dns服務器
    file "slaves/dcrfan.com.slave.zone"; #dns記錄數據存放位置
};
  9. 啓動dns服務,查看dns數據文件已經同步到slaves文件夾下 
    [root@localhost ~]# ll /var/named/slaves/dcrfan.com.slave.zone  
-rw-r--r--. 1 named named 371 Jan 10 16:38 /var/named/slaves/dcrfan.com.slave.zone
  10. 在遠程客戶端使用dig 命令測試 
    [root@centos6 ~]# dig www.dcrfan.com @192.168.0.113
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.113
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                        IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 4 msec
;; SERVER: 192.168.0.113#53(192.168.0.113)
;; WHEN: Thu Jan 10 16:41:18 2019
;; MSG SIZE  rcvd: 152
  11. 配置com dns服務器192.168.0.114 ,安裝dns服務
  12. 修改主配置文件/etc/named.conf中文件 
    options {
    //listen-on port 53 { 127.0.0.1; };     #註釋該行,讓本服務器ip監聽53端口
    //allow-query     { 192.168.0.0/24; };   # 註釋改行,允許所有ip使用dns服務器
    dnssec-enable no;     
    dnssec-validation no;   #都修改爲no
            };
  13. 修改zone文件/etc/named.rfc1912.zones,新增一個zone,用於解析com域和指派dcrfan.com域(使用dns轉發) 
    zone "dcrfan.com" IN {
    type forward;
    forward first;
    forwarders { 192.168.0.112; 192.168.0.113;};
};
  14. 啓動服務,在遠程客戶端使用dig 命令測試 
    [root@centos6 ~]# dig www.dcrfan.com @192.168.0.114
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26492
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                        IN      A
;; ANSWER SECTION:
www.dcrfan.com.         86400   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             86400   IN      NS      dns2.dcrfan.com.
dcrfan.com.             86400   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        86400   IN      A       192.168.0.112
dns2.dcrfan.com.        86400   IN      A       192.168.0.113
;; Query time: 14 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Thu Jan 10 17:18:21 2019
;; MSG SIZE  rcvd: 152
  15. 配置根 dns服務器192.168.0.115 ,安裝dns服務
  16. 修改主配置文件/etc/named.conf中文件 
    options {
    //listen-on port 53 { 127.0.0.1; };     #註釋該行,讓本服務器ip監聽53端口
    //allow-query     { 192.168.0.0/24; };   # 註釋改行,允許所有ip使用dns服務器
    dnssec-enable no;     
    dnssec-validation no;   #都修改爲no
            };
            zone "." IN {            #刪除這個根zone
    type hint;
    file "named.ca";
};
  17. 修改zone文件/etc/named.rfc1912.zones,新增一個zone,用於解析根域 
    zone "." IN {
        type master;#定義類型爲主dns服務器
        file "root.zone";#定義該域數據文件位置
};
  18. 新增dns數據記錄文件root.zone,注意權限,讓named賬戶能讀取該文件
    文件在新增dns數據記錄文件dcrfan.com.zone,注意權限,讓named賬戶能讀取該文件,文件在/var/named下
    $TTL 1D 
    @       IN SOA  dns1. admin. (
                                    0       
                                    1D      
                                    1H      
                                    1W      
                                    3H )    
    NS      dns1
com     NS      dns2           #指派com域到192.168.0.114管理
dns1    A       192.168.0.115
dns2    A       192.168.0.114
  19. 啓動服務,在遠程客戶端使用dig 命令測試 
    [root@centos6 ~]# dig www.dcrfan.com @192.168.0.115
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.115
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51669
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                        IN      A
;; ANSWER SECTION:
www.dcrfan.com.         84281   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.117
srv.dcrfan.com.         86400   IN      A       192.168.0.116
;; AUTHORITY SECTION:
dcrfan.com.             84281   IN      NS      dns2.dcrfan.com.
dcrfan.com.             84281   IN      NS      dns1.dcrfan.com.
;; ADDITIONAL SECTION:
dns1.dcrfan.com.        84281   IN      A       192.168.0.112
dns2.dcrfan.com.        84281   IN      A       192.168.0.113
;; Query time: 14 msec
;; SERVER: 192.168.0.115#53(192.168.0.115)
;; WHEN: Thu Jan 10 17:53:40 2019
;; MSG SIZE  rcvd: 152
`
  20. 配置緩存服務器192.168.0.108 ,安裝named服務
  21. 修改主配置文件/etc/named.conf中文件 
    options {
    //listen-on port 53 { 127.0.0.1; };     #註釋該行,讓本服務器ip監聽53端口
    //allow-query     { 192.168.0.0/24; };   # 註釋改行,允許所有ip使用dns服務器
    dnssec-enable no;     
    dnssec-validation no;   #都修改爲no
            };
  22. 修改named.ca文件,讓它的根指向我們搭建跟服務器192.168.0.115 
    .                       518400  IN      NS      a.root-servers.net.
a.root-servers.net.     3600000 IN      A       192.168.0.115
  23. 啓動服務,在遠程客戶端使用dig 命令測試 
    [root@centos6 ~]# dig www.dcrfan.com @192.168.0.109
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.dcrfan.com @192.168.0.109
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41909
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.dcrfan.com.                        IN      A
;; ANSWER SECTION:
www.dcrfan.com.         83143   IN      CNAME   srv.dcrfan.com.
srv.dcrfan.com.         86400   IN      A       192.168.0.116
srv.dcrfan.com.         86400   IN      A       192.168.0.117
;; AUTHORITY SECTION:
dcrfan.com.             83143   IN      NS      dns1.dcrfan.com.
dcrfan.com.             83143   IN      NS      dns2.dcrfan.com.
;; ADDITIONAL SECTION:
dns2.dcrfan.com.        83143   IN      A       192.168.0.113
dns1.dcrfan.com.        83143   IN      A       192.168.0.112
;; Query time: 16 msec
;; SERVER: 192.168.0.109#53(192.168.0.109)
;; WHEN: Thu Jan 10 18:12:37 2019
;; MSG SIZE  rcvd: 152
  24. 然後搭建兩個web服務器測試,分別安裝httpd服務,並修改主頁,啓動服務測試
    echo dcrfan1 > /var/www/html/index.html
    echo dcrfan2 > /var/www/html/index.html
  25. 分別用ip正常訪問
    [root@centos6 ~]# curl 192.168.0.116
    dcrfan1
    [root@centos6 ~]# curl 192.168.0.117
    dcrfan2
  26. 修改客服端的dns指向緩存dns服務器192.168.0.109
    網卡中加入DNS1=192.168.0.109,重啓網絡服務測試 
    [root@centos6 ~]# curl www.dcrfan.com
dcrfan2
[root@centos6 ~]# curl www.dcrfan.com
dcrfan1
  27. 清理dns緩存,在各個dns服務器執行rndc flush命令
    停掉主dns的服務,繼續測試,從服務器可以使用 
    [root@centos6 ~]# curl www.dcrfan.com
dcrfan2
[root@centos6 ~]# curl www.dcrfan.com
dcrfan2
[root@centos6 ~]# curl www.dcrfan.com
dcrfan1

4.dnspod解析類型

  1. 在dnspod中的記錄,一般有主機記錄,記錄類型,線路類型,記錄值,MX優先值,TTL
    主機記錄:
    www 表示 解析後域名爲 www
    @表示 直接解析主域名
    表示泛解析 .域名
  2. 記錄類型
    A記錄:用來指定域名的IPv4地址,如果需要將域名指向一個IP地址需要一個A記錄
    CNAME:(別名) 如果需要將域名指向另一個域名,再由另一個域名提供ip地址,就需要添加CNAME記錄。
    TXT:在這裏可以填寫任何東西,長度限制255。絕大多數的TXT記錄是用來做SPF記錄(反垃圾郵件)。
    NS:dns服務器記錄,如果需要把子域名交給其他DNS服務器解析,就需要添加NS記錄。
    AAAA:ipv6 的A記錄
    MX:設置郵箱服務器地址解析,就需要添加MX記錄。
    顯性URL:從一個地址301重定向到另一個地址的時候,就需要添加顯性URL記錄(注:DNSPod目前只支持301重定向)。
    隱性URL:類似於顯性URL,區別在於隱性URL不會改變地址欄中的域名。
    SRV:記錄了哪臺計算機提供了哪個服務。格式爲:服務的名字、點、協議的類型
  3. 記錄值:
    A記錄填寫相應ip地址
    CNAME 填寫別名的域名
    MX 郵件服務器ip地址
    NS dns服務器域名(需要配合A記錄來指定ip地址)
  4. MX郵件記錄還要記錄MX優先值
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

部分網站打不開

179390988 2019-02-23 14:05:54

bat記錄遠程桌面連接登錄信息

jason1982 2019-02-24 12:57:09

Exchange Server 2010 POP3&IMAP設置詳解

lingping 2019-02-23 14:05:54

虛擬化技術--服務器虛擬化

dawei818 2019-02-23 14:05:39

windows 2008 全新仲裁模式

qyh282110204 2019-02-23 14:05:36

軟路由建立PPPOE服務器

ct19871125 2019-02-23 14:04:24

MySQL性能優化的21個最佳實踐

fdb2b 2019-02-23 14:01:03

centos下簡單實現日誌切割,並上傳至日誌服務器。

隨風上升 2019-02-23 13:59:02

遠程訪問及控制

曉晶 2019-02-23 13:58:40

web網站服務1

曉晶 2019-02-23 13:58:27

郵件服務器

曉晶 2019-02-23 13:58:27

web網站服務2

曉晶 2019-02-23 13:58:27

iscsi存儲

samplelife 2019-02-23 13:57:35

Nagios 3.2 監控部署(一)

samplelife 2019-02-23 13:57:35

Linux系統搭建簡單 D H C P服務

遇見ZZM 2019-02-24 12:53:29