The BIND name server supports TSIG (Transaction SIGnature) to protect its resolution service. TSIG uses a shared secret key to sign zone transfers with an HMAC, so that zone data is only exchanged between DNS servers that hold the same key, and the integrity of the zone information passed between them is ensured.
Primary (master) DNS server IP: 192.168.16.20
Secondary (slave) DNS server IP: 192.168.16.30
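What the shared secret does on the wire, as an added example that is not part of the original page and not BIND's own code: it builds an unsigned AXFR request, appends a TSIG record whose MAC is HMAC(secret, message || TSIG variables) following the RFC 8945 layout, and then verifies it the way the master would, returning the TSIG status names BADKEY, BADSIG and BADTIME. The key name, secret, zone and timestamps are constructed; only the Python standard library is used, and only uncompressed names are handled.

```python
import base64
import hashlib
import hmac
import struct

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
# Key-file "algorithm" value -> (name TSIG puts on the wire, hash function).
# The walkthrough uses hmac-md5; hmac-sha256 is the current recommendation.
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
    "hmac-sha256": ("hmac-sha256", hashlib.sha256),
}
# Constructed key for the example (not the secret from transfer.key).
KEY_NAME = "master-slave"
SECRET_B64 = base64.b64encode(b"0123456789abcdef").decode()   # 128-bit secret
KEYS = {KEY_NAME: ("hmac-md5", SECRET_B64)}


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Read an uncompressed name at `off`; returns (name, offset after it).
    Messages built here never contain compression pointers, so none are handled."""
    labels = []
    while msg[off] != 0:
        if msg[off] & 0xC0:
            raise ValueError("compression pointer: not handled in this example")
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1


def axfr_query(zone, qid):
    """Unsigned zone-transfer request: 12-byte header plus one question."""
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def tsig_variables(key_name, alg_wire, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg_wire)
            + struct.pack("!Q", time_signed)[2:]          # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key_name, algorithm, secret_b64, time_signed, fudge=300):
    """Append a TSIG RR: MAC = HMAC(secret, message || TSIG variables)."""
    alg_wire, digestmod = ALGORITHMS[algorithm]
    variables = tsig_variables(key_name, alg_wire, time_signed, fudge)
    mac = hmac.new(base64.b64decode(secret_b64), message + variables, digestmod).digest()
    qid = struct.unpack("!H", message[:2])[0]
    rdata = (wire_name(alg_wire) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", qid, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1   # TSIG is one more additional RR
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def verify(signed, keys, now):
    """Validate the trailing TSIG RR against `keys` ({name: (algorithm, secret_b64)})
    in the order RFC 8945 prescribes; returns NOERROR, BADKEY, BADSIG or BADTIME."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, tsig_off, rtype = 12, None, None
    for _ in range(qd):                       # skip the question section
        _, off = read_name(signed, off)
        off += 4
    for _ in range(an + ns + ar):             # walk the RRs; TSIG must be the last one
        tsig_off = off
        _, off = read_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if rtype != TYPE_TSIG:
        return "BADKEY"                       # unsigned request: refused like an unknown key
    key_name, p = read_name(signed, tsig_off)
    alg_name, p = read_name(signed, p + 10)   # skip type, class, ttl, rdlength
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_len]
    key = keys.get(key_name.lower())
    if key is None or ALGORITHMS[key[0]][0] != alg_name.lower():
        return "BADKEY"
    alg_wire, digestmod = ALGORITHMS[key[0]]
    # Rebuild the message exactly as it was before the TSIG RR was appended.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(base64.b64decode(key[1]),
                        unsigned + tsig_variables(key_name, alg_wire, time_signed, fudge),
                        digestmod).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo(now=1_700_000_000):
    """Sign an AXFR request and show how the master judges good and bad copies of it."""
    req = sign(axfr_query("example.com", 0x1234), KEY_NAME, "hmac-md5", SECRET_B64, now)
    tampered = bytearray(req)
    tampered[13] ^= 0x20                      # flip one bit inside the question name
    other_secret = base64.b64encode(b"fedcba9876543210").decode()
    return {
        "valid": verify(req, KEYS, now + 5),
        "tampered": verify(bytes(tampered), KEYS, now + 5),
        "wrong key": verify(req, {KEY_NAME: ("hmac-md5", other_secret)}, now + 5),
        "unknown key": verify(req, {"other": ("hmac-md5", SECRET_B64)}, now + 5),
        "stale": verify(req, KEYS, now + 3600),
        "unsigned": verify(axfr_query("example.com", 0x1234), KEYS, now),
    }
```

`demo()` returns NOERROR for the intact request and BADSIG, BADSIG, BADKEY, BADTIME and BADKEY for the other five cases. These are the same status names BIND reports when it rejects a transfer request, so they are what to look for in the named log if the slave never receives the zone; BADTIME in particular means the two servers' clocks differ by more than the fudge (300 seconds by default), which TSIG does not tolerate even when the key is right.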
1. Generate the DNS service key with dnssec-keygen on the master server

```
[root@master ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+14145
[root@master ~]# ll Kmaster-slave.+157+14145.*
-rw-------. 1 root root  ... Kmaster-slave.+157+14145.key
-rw-------. 1 root root 165 ... Kmaster-slave.+157+14145.private
```

-a selects the algorithm, -b the key length in bits (128 here: the base64 secret used in the next step decodes to 16 bytes), and -n the key type (HOST for a TSIG key). The algorithm number 157 in the file names is HMAC-MD5. Both files contain the same base64 secret; that string is the shared key.
2. Create the key file on the master server

```
[root@master ~]# vim /var/named/chroot/etc/transfer.key
key "master-slave" {
    algorithm hmac-md5;
    secret "drijbedx3zcds2xptpg5tg==";
};
[root@master ~]# chown root:named /var/named/chroot/etc/transfer.key
[root@master ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key
```

The secret is the base64 string from the generated .private file. The chown only helps if the mode also gives the named group read access while denying it to everyone else (0640); a file created with vim is usually world-readable by default, and anyone who can read the secret can request the zone.
3. Enable key verification on the master server

```
[root@master ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

include "/etc/transfer.key";      // add this line on the master server

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key master-slave; };   // only requests signed with this key may transfer zones

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

The include must come before the key is referenced, and `allow-transfer { key master-slave; }` replaces any address-based transfer ACL: with it in place, a transfer request from the slave's IP that is not signed with the key is refused.
4. Configure key verification on the slave server

Copy the key file to the slave server:

```
[root@master ~]# scp /var/named/chroot/etc/transfer.key root@192.168.16.30:/var/named/chroot/etc/
The authenticity of host '192.168.16.30 (192.168.16.30)' can't be established.
ECDSA key fingerprint is e6:a7:...:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.16.30' (ECDSA) to the list of known hosts.
root@192.168.16.30's password:
transfer.key                                  100%  ...    0.1KB/s   00:00
[root@slave ~]# chown root:named /var/named/chroot/etc/transfer.key
[root@slave ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key
```

The same key name, algorithm and secret must be present on both servers; the ownership and mode requirements from step 2 apply on the slave as well.
Edit the named.conf on the slave server:

```
[root@slave ~]# vim /etc/named.conf
include "/etc/transfer.key";      // defines the key named in the server statement below

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

server 192.168.16.20 {            // 192.168.16.20 is the master server; add this statement on the slave
        keys { master-slave; };   // sign every request sent to the master with this key
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

The `include "/etc/transfer.key";` line is required on the slave too: the `server` statement refers to the key by name, and named refuses to start if that name is not defined. The key file linked to /etc/transfer.key in the previous step is what this include reads.
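A static check for the master (step 3) and slave (step 4) configurations, added here as an example that is not part of the original page and not a BIND tool: it pulls the key, include, allow-transfer and server/keys statements out of named.conf text with regular expressions (enough for the statements used in this walkthrough; comments are not stripped), and reports the mistakes that break or weaken TSIG transfers: a key that is referenced but never defined, an allow-transfer that still contains `any`, an HMAC-MD5 key, and a key file that is world-readable. The configuration snippets, the file map standing in for the disk, and the secret in it are constructed.

```python
import re
import stat

# Minimal named.conf matchers for the statements used in steps 2-4.
KEY_STMT = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S)
INCLUDE_STMT = re.compile(r'\binclude\s+"([^"]+)"\s*;')
ALLOW_TRANSFER = re.compile(r'\ballow-transfer\s*\{([^}]*)\}', re.S)
SERVER_KEYS = re.compile(r'\bserver\s+([\w.:]+)\s*\{[^{}]*?keys\s*\{([^}]*)\}', re.S)
WEAK_ALGORITHMS = {"hmac-md5", "hmac-sha1"}
WEAK_NOTE = "key '{}' uses {}; hmac-sha256 is preferred"

# Constructed stand-ins for files on disk (path -> content); the secret is made up.
FILES = {
    "/etc/transfer.key": (
        'key "master-slave" {\n'
        '    algorithm hmac-md5;\n'
        '    secret "MDEyMzQ1Njc4OWFiY2RlZg==";\n'
        '};\n'
    ),
}
MASTER_CONF = """
include "/etc/transfer.key";
options {
    allow-query { any; };
    allow-transfer { key master-slave; };
};
"""
MASTER_CONF_OPEN = MASTER_CONF.replace("key master-slave;", "any;")
SLAVE_CONF_NO_INCLUDE = """
options { allow-query { any; }; };
server 192.168.16.20 { keys { master-slave; }; };
"""
SLAVE_CONF = 'include "/etc/transfer.key";' + SLAVE_CONF_NO_INCLUDE


def defined_keys(text, files):
    """{key name: algorithm} for key statements in `text` and in the files it includes."""
    keys = {}
    for path in INCLUDE_STMT.findall(text):
        if path in files:
            keys.update(defined_keys(files[path], files))
    for name, body in KEY_STMT.findall(text):
        match = re.search(r'\balgorithm\s+([\w-]+)\s*;', body)
        keys[name] = match.group(1).lower() if match else "?"
    return keys


def referenced_keys(text, role):
    """Key names the config relies on: allow-transfer on the master, server/keys on the slave."""
    names = set()
    if role == "master":
        for body in ALLOW_TRANSFER.findall(text):
            names.update(re.findall(r'\bkey\s+([\w.-]+)\s*;', body))
    else:
        for _, body in SERVER_KEYS.findall(text):
            names.update(n.strip() for n in body.split(";") if n.strip())
    return names


def audit(text, files, role, modes=None):
    """Return a list of findings; an empty list means nothing to report.
    `modes` maps a key file path to its st_mode (e.g. 0o644) when permissions are known."""
    findings = []
    defined = defined_keys(text, files)
    if role == "master":
        blocks = ALLOW_TRANSFER.findall(text)
        if not blocks:
            findings.append("allow-transfer not set (older BIND then allows transfers to any host)")
        elif any(re.search(r'\bany\b', b) for b in blocks):
            findings.append("allow-transfer contains 'any': the zone can be pulled without TSIG")
    for name in sorted(referenced_keys(text, role)):
        if name not in defined:
            findings.append(f"key '{name}' is referenced but never defined (missing include?)")
    for name, alg in sorted(defined.items()):
        if alg in WEAK_ALGORITHMS:
            findings.append(WEAK_NOTE.format(name, alg))
    for path, mode in (modes or {}).items():
        if mode & stat.S_IROTH:
            findings.append(f"{path} is world-readable; use chmod 640 and chown root:named")
    return findings
```

Running `audit(MASTER_CONF, FILES, "master")` reports only the HMAC-MD5 algorithm; `audit(SLAVE_CONF_NO_INCLUDE, FILES, "slave")` reports the undefined key, the state a slave is in when the `include` line is forgotten. On a real host, read the files from disk and pass `os.stat(path).st_mode` for the key files; `named-checkconf` is still the authoritative syntax check before reloading, and `dig -y hmac-md5:master-slave:<secret> @192.168.16.20 <zone> axfr` from the slave is a quick end-to-end test of the signed transfer.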
5. Verify that the key-protected transfer works

On the slave, list the zone files that have already been transferred, delete them, confirm the directory is empty, then restart named and list the directory again; the zone files reappear only if the signed transfer from the master succeeds:

```
[root@slave ~]# ls /var/named/slaves/
[root@slave ~]# rm -rf /var/named/slaves/*
[root@slave ~]# ls /var/named/slaves/
# restart the named service on the slave, then list the directory again
[root@slave ~]# ls /var/named/slaves/
```

If the files do not come back, check the named logs on both servers: a TSIG rejection is reported with one of the TSIG error names (BADKEY, BADSIG or BADTIME), and BADTIME means the clocks of the two servers are too far apart.
DNS master-slave TSIG encrypted transmission