Directory: Bind Easy Tutorial (1): Installation and basic configuration; Bind Easy Tutorial (2): Bind view configuration; Bind Easy Tutorial (3): DNSSEC configuration (this article)

DNSSEC, whose full name is DNS Security Extensions. Put more plainly, it signs domain name data so that the authenticity, integrity and correctness of an answer can be verified: the data cannot be modified in transit without the change being detected.
Note: If you have any questions about the content described in this article, contact Jimmy Xu.
DNSSEC has been published for some time now, and the root servers already support it. The .org TLD and some ccTLDs have deployed it fully. Unfortunately, the DNS hosting offered by domain name registrars rarely supports this security extension, so you have to run it yourself.
This article mainly describes the operational steps, which are hardly
DNSSEC and the hybrid encryption mechanism
Symmetric encryption: encryption and decryption share the same key, which is why it is also called a single-key algorithm. Sender and receiver must agree on a key before they can communicate securely, and the security of a symmetric algorithm rests entirely on keeping that shared key secret. Symmetric algorithms have the advantages of public, well-studied designs, low computational cost, fast encryption and high encryption efficiency. Note that DNSSEC itself encrypts nothing: as described in the introduction, it uses public-key signatures over DNS data, so it provides authenticity and integrity, not confidentiality.
DNS is used whenever you use the Internet. Every time you send an email or browse the web, you rely on DNS, which maps host names to Internet addresses. The computer handles this transparently, but if connecting to the DNS server is slow, or the server takes too long to resolve an address, the whole access is delayed. If domain name resolution can be speeded up, browsing speeds up too. Here is one acceleration method: use
Some friends may already know about the OpenDNS service, but I only learned of it today through a foreigner's blog. The site provides free DNS resolution that is faster, safer and smarter than the average ISP's:
Faster: two features make OpenDNS faster. First, it has a large and intelligent cache, which lets users benefit from the huge OpenDNS
expects. There is also a more dangerous scenario in which some organization, for its own purposes, steers unsuspecting users to a web server that criticizes the newspaper, deliberately tampers with the newspaper's content, or even reports events falsely in a defamatory manner.
To address this problem, the IETF developed a security extension to the DNS protocol, the so-called Domain Name System Security Extensions (SECURITY, DNSSEC
anyone who wants to learn. Today, we can all connect to the Internet.
But remember that as soon as your computer is connected to the Internet, it becomes a target of attack: a target for viruses, Trojans and other malicious programs.
For this reason, anti-virus and anti-spyware software is recommended for any computer connected to the Internet. In some cases, even this software cannot completely guarantee your security. It is always a good idea to add another security layer
Use the hosts file on the local machine to work around slow OpenDNS resolution
The GAE-related part of the GFW blocking can be worked around temporarily by using OpenDNS, but OpenDNS's slow resolution of domestic websites is sometimes intolerable. However, in order to reach x.appspot.com, you have to set the DNS server to the O
bit of this stuff. Therefore, ldns goes to the Domain Name Server for help.
# DNS port number
> DNS port: 53
# Setting up a DNS cache service
### Preparations
> rpm -qa | grep -w bind-chroot ==> both software packages must be installed.
### Main configuration file
> vim /etc/named.conf ==> the DNS master configuration file (present once the package is installed)
```
options {
    listen-on port 53 { 192
```
, responsible for communicating with clients) and name servers (authoritative servers that store RRsets and communicate with resolvers) face an enormous number of query requests every day. Have you thought about it? Domain name resolution is a very short exchange; if TCP were used, connection setup and teardown would take far longer than the query itself. I: ...... If TCP were used, the compute resources consumed by every server involved would be crazy,
Back on XP, a long time ago, I was very upset by China Telecom's DNS hijacking: google.com was always redirected to google.cn, and a mistyped domain name landed on a "114 search" page. China Telecom are complete hooligans. So on XP I simply set all DNS servers to OpenDNS servers. It is also very easy to set in Ubuntu, for example via "Main Menu", "System", "Administration", "Network". In "DN
, attackers can use similar methods to obtain information about the client. Attackers can achieve this in various ways, including phishing emails and direct queries.
The problem described in VU#800113 is that most DNS cache servers have one or both of these two vulnerabilities.
Having covered the attack principle, I think most people will be concerned with the following: what can we do?
If you are a desktop user, the best approach is to wait for your company's or ISP's staff to correct the
BIND supports the TSIG mechanism for providing the resolution service securely. TSIG (transaction signature) protects zone transfers with a keyed hash (HMAC) computed from a secret shared between the servers, so the zone data exchanged between DNS servers is authenticated and cannot be altered undetected. Note that TSIG authenticates and integrity-protects the transfer; it does not encrypt the zone data.
Primary DNS server IP: 192.168.16.20
Secondary DNS server IP: 192.168.16.30
1. Generate the DNS service key with dnssec-keygen on the master server:
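To show what the shared key generated above actually protects, here is an added example (not code from the original tutorial) that computes and checks a TSIG MAC over a constructed AXFR request, following RFC 8945. The key name `transfer-key`, the zone `example.com.` and the 32-byte secret are all constructed for illustration; on a real deployment the secret comes from `dnssec-keygen`/`tsig-keygen` and the `key` stanza is placed in named.conf on both servers. The MAC covers the whole DNS message plus the key name, algorithm, timestamp and fudge window, so a tampered request, a wrong key or a replay outside the window is rejected.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed key material (NOT a real key): a 32-byte secret for hmac-sha256,
# the size `tsig-keygen -a hmac-sha256` would produce.
KEY_NAME = "transfer-key."
SECRET = hashlib.sha256(b"constructed demo secret - replace with tsig-keygen output").digest()
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds of clock skew tolerated; BIND's default


def key_stanza():
    """The named.conf `key` block both servers would share (assumed layout)."""
    secret_b64 = base64.b64encode(SECRET).decode("ascii")
    return (
        f'key "{KEY_NAME.rstrip(".")}" {{\n'
        "    algorithm hmac-sha256;\n"
        f'    secret "{secret_b64}";\n'
        "};"
    )


def wire_name(name):
    """DNS wire encoding of a name, lowercased as RFC 8945 requires for TSIG."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_request(zone, msg_id=0x1234):
    """Minimal DNS query: 12-byte header plus one question of type AXFR (252), class IN (1)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_digest_input(message, time_signed, fudge=FUDGE, error=0, other=b""):
    """Bytes covered by the MAC (RFC 8945 4.3.3): the unsigned message followed by
    the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time
    signed, fudge, error, other-len and other data."""
    return (
        message
        + wire_name(KEY_NAME)
        + struct.pack("!HI", 255, 0)
        + wire_name(ALGORITHM)
        + struct.pack("!HI", (time_signed >> 32) & 0xFFFF, time_signed & 0xFFFFFFFF)
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )


def sign_request(message, time_signed=None):
    """Requesting server (the secondary, for AXFR): compute the MAC to attach."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(SECRET, tsig_digest_input(message, time_signed), hashlib.sha256).digest()
    return mac, time_signed


def verify_request(message, mac, time_signed, now=None):
    """Receiving server (the primary deciding whether to hand over the zone):
    reject timestamps outside the fudge window (replay) and any MAC that does not
    match (tampered message, wrong key or altered timestamp)."""
    if now is None:
        now = int(time.time())
    if abs(now - time_signed) > FUDGE:
        return False
    expected = hmac.new(SECRET, tsig_digest_input(message, time_signed), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    print(key_stanza())
    request = build_axfr_request("example.com.")
    mac, ts = sign_request(request)
    print("genuine request verifies:", verify_request(request, mac, ts))
    print("request for another zone verifies:", verify_request(build_axfr_request("example.org."), mac, ts))
    print("replay ten minutes later verifies:", verify_request(request, mac, ts, now=ts + 600))
```

The verifier uses `hmac.compare_digest` rather than `==` so that the comparison does not leak MAC bytes through timing, and the fudge check is applied before the MAC check, exactly the order a real server uses to bound replay.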
the working directory for BIND. allow-query defines which hosts are permitted to send DNS queries; it is typically set to any so that all hosts can perform lookups. recursion yes controls whether the server answers recursive queries (DNS resolution uses two query types, recursive and iterative) and is generally set to yes; if you enable it on a server reachable from outside, also restrict allow-recursion to your own clients, otherwise you are running an open resolver that anyone can abuse. dnssec-enable yes is the switch for DNSSEC support (DNSSEC technology: a series of DNS security authentication mechanisms that provide
Security issues in the DNS protocol
DNS is a distributed name resolution system that maps between domain names, IP addresses, mail services and so on, using caching and a tree-shaped hierarchy of delegations. However, the DNS service and the resolving servers communicate over the connectionless UDP protocol, so a receiver cannot confirm where the data came from or whether it was tampered with in transit. This is a major security risk and the reason DNS servers are attacked so frequently.
Build a master-slave DNS server based on CentOS 6
1. Switch to the root user.
2. Install bind on both servers:
yum install bind
3. Compare the bind versions on the two servers.
4. Modify the master configuration file. Back it up first, then edit it:
```
cp /etc/named.conf /etc/named.conf.bak
vi /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; };   // only listen on port 53 of the local machine
    listen-on-v6 port 53 { ::1; };
    directory "/v
```
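The settings touched in this master-slave setup (listen-on, allow-query, recursion, dnssec-enable, and allow-transfer for the slave) are exactly the ones that decide whether a BIND server is an open resolver or leaks its zones. As an added example that is not part of the original tutorial, the script below parses the options block of a named.conf and reports those weaknesses. The three configurations are constructed for this demonstration; the defaults assumed for unset directives follow the BIND 9 ARM (recursion yes, allow-query any, allow-recursion localnets/localhost, allow-transfer any, listen-on any) and may differ on old builds such as the BIND shipped with CentOS 6.

```python
import re

# Defaults assumed when a directive is absent (BIND 9 ARM; older builds may differ).
BIND_DEFAULTS = {
    "recursion": "yes",
    "listen-on": ["any"],
    "listen-on-v6": ["any"],
    "allow-query": ["any"],
    "allow-recursion": ["localnets", "localhost"],
    "allow-transfer": ["any"],
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_options(conf):
    """Return {directive: value} for the top-level `options { ... }` block.
    A value is a plain string ("yes", "auto", a path) or a list of ACL elements."""
    conf = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return {}
    depth, i = 1, m.end()
    start = i
    while i < len(conf) and depth:          # walk braces to the matching close
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    body = conf[start:i - 1]
    opts = {}
    for d in re.finditer(r"([\w-]+)((?:\s+[^;{}]+)?)\s*(\{[^}]*\})?\s*;", body):
        name, arg, acl = d.group(1), d.group(2).strip(), d.group(3)
        if acl is not None:
            opts[name] = [t.strip().replace('"', "") for t in acl[1:-1].split(";") if t.strip()]
        else:
            opts[name] = arg.strip('"')
    return opts


def audit(conf):
    """Findings for the network-facing weaknesses discussed above."""
    o = {**BIND_DEFAULTS, **parse_options(conf)}

    def acl(name):
        v = o[name]
        return v if isinstance(v, list) else [v]

    findings = []
    # A server bound only to loopback is unreachable from other hosts, so the
    # two exposure findings below do not apply to it.
    exposed = any(a not in LOOPBACK for a in acl("listen-on") + acl("listen-on-v6"))
    recursion = str(o["recursion"]).lower() == "yes"
    if exposed and recursion and "any" in acl("allow-recursion") and "any" in acl("allow-query"):
        findings.append("open resolver: recursion yes with allow-recursion { any; }; "
                        "restrict allow-recursion to your own client networks")
    if exposed and "any" in acl("allow-transfer"):
        findings.append("zone transfer open to any host: restrict allow-transfer to the "
                        "secondaries' addresses or a TSIG key")
    if str(o.get("dnssec-validation", "")).lower() == "no" or str(o.get("dnssec-enable", "")).lower() == "no":
        findings.append("DNSSEC validation disabled: forged answers for signed zones go undetected")
    return findings


# Constructed sample configurations (not from any real server).
WEAK_CONF = """
options {
    listen-on port 53 { any; };
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // anyone on the Internet may use this cache
    allow-transfer { any; };
    dnssec-validation no;
};
"""
HARDENED_CONF = """
options {
    listen-on port 53 { 192.168.16.20; 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { 192.168.16.0/24; localhost; };
    allow-transfer { key "transfer-key"; };
    dnssec-validation auto;
};
"""
LOOPBACK_CONF = """
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("loopback-only", LOOPBACK_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```

The loopback-only configuration mirrors the listen-on setting from step 4 above: even with permissive ACLs it produces no exposure findings, because nothing outside the machine can reach it. Once you change listen-on to the server's real address for the slave to reach it, the ACLs start to matter.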