1.什么是dns

IP地址:用于标记机器在网络中的地址信息,保证数据不会发错给别的人。

  • IP地址划分:
    • A类,ip范围0.0.0.0~126.255.255.255,A类地址主要分配给超大型网络环境的公司,例如苹果公司。
    • B类,ip范围128.0.0.0~191.255.255.255,主要分配给有大规模局域网数量的公司
    • C类,ip范围192.0.0.0~223.255.255.255,主要分配给如校园网等小型局域网
    • D类和E类地址比较特殊,D类属于广播地址,E类属于保留地址

  • 局域网与公网的IP地址

    • 公网地址:相当于快递地址的省市县小区单元。全国唯一的门牌号
    • 局域网地址:相当于某个小区的门牌号,用于某个群体内数据交换。离开群体就失效了。

      域名与ip的关系

  • 域名相当于电话簿中的姓名,ip相当于电话簿中的电话号码

    DNS服务器:

  • 记录了域名与ip 的对用关系

  • 通过 nslookup 命令查询域名解析关系 ``` [root@localhost ~]# nslookup baidu.com Server: 172.16.238.1 Address: 172.16.238.1#53

Non-authoritative answer: Name: baidu.com Address: 220.181.38.148 Name: baidu.com Address: 220.181.38.251

  2. - 通过ping命令查看域名解析关系

ping [root@localhost ~]# ping baidu.com PING baidu.com (220.181.38.148) 56(84) bytes of data.

  1. <a name="lKKSc"></a>
  2. ### linux中的dns配置文件
  4. - 本地dns解析文件 /etc/hosts 。解析优先级高于网络dns服务器
  5. - /etc/resolv.conf  存储互联网dns服务器地址
  6. <a name="iYTOA"></a>
  7. ### DNS劫持
  9. - DNS服务器地址被篡改,被篡改的DNS服务器存储错误的IP与域名的关系,造成用户访问恶意的网址
  10. <a name="Y3cpu"></a>
  11. ### DNS解析流程
  13. - 1.查找本地缓存
  14. - 2.查找本地hosts文件是否存在记录
  15. - 3.查找首选DNS服务器
  16. - 4.查找更大的DNS服务器
  18. <a name="jzILO"></a>
  19. ### DNS域名解析服务
  21. - DNS(Domain Name System,域名系统).用于管理和解析域名与 IP 地址对应关系的技术.
  22. - 能够接受用 户输入的域名或 IP 地址,然后自动查找与之匹配(或者说具有映射关系)的 IP 地址或域名, 即将域名解析为 IP 地址(正向解析),或将 IP 地址解析为域名(反向解析).
  23. - DNS 域名解析服务采用了类 似目录树的层次结构来记录域名与 IP 地址之间的对应关系,从而形成了一个分布式的数据库 系统
  24. <a name="7Rxjv"></a>
  25. ### DNS 服务器搭建
  26. 小型的域名解析需求,使用 dnsmasq工具<br />大型的域名解析使用bind工具
  28. - dnsmasq
  29.    - 安装:yum install dnsmasq -y
  30.    - 主配置文件: /etc/dnsmasq.conf
  31.    - 用户自定义域名和ip的对应关系存放在: /etc/dnsmasq.hosts 文件中,该文件需要手动创建
  32.    - dnsmasq的上游DNS服务器地址:/etc/resolv.dnsmaaq.conf
  33. - 配置dnsmasq。
  34.    - 指定上游DNS服务器地址配置文件

resolv-file=/etc/resolv.dnsmaaq.conf

  2.    - 设置自定义域名解析服务

address=/baidu.com/123.206.16.61 address=/taobao.com/123.206.16.61

  2.    -   定义dnsmasq监听的地址,默认是监控本机的所有网卡上。局域网内主机若要使用dnsmasq服务时,指定本机的IP地址

listen-address=192.168.178.180

  2.    - 本地域名配置文件(不支持泛域名),添加内部需要解析的地址和域名(重新加载即可生效)

addn-hosts=/etc/dnsmasq.hosts

  2.    - 记录dns 日志服务器、设置日志记录

log-queries log-facility=/var/log/dnsmasq.log

包含其他文件夹下所有配置文件

conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

  2. - 内部解析配置

添加需要内部解析的域名

[root@local-pyyu ~]# cat /etc/dnsmasq.hosts 123.206.16.61 testchaoge.com

  2. - 添加上游DNS服务器地址

[root@local-pyyu ~]# cat /etc/resolv.dnsmasq.conf nameserver 223.5.5.5 nameserver 223.6.6.6

  2. - 配置日志切割

[root@local-pyyu ~]# cat /etc/logrotate.d/dnsmasq /var/log/dnsmasq.log { daily copytruncate missingok rotate 30 compress notifempty dateext size 200M }

  2. <a name="FrczN"></a>
  3. # dnsmasq.conf 文件

Configuration file for dnsmasq.

#

Format is one option per line, legal options are the same

as the long options legal on the command line. See

“/usr/sbin/dnsmasq —help” or “man 8 dnsmasq” for details.

Listen on this specific port instead of the standard DNS port

(53). Setting this to zero completely disables DNS function,

leaving only DHCP and/or TFTP.

port=5353

The following two options make you a better netizen, since they

tell dnsmasq to filter out queries which the public DNS cannot

answer, and which load the servers (especially the root servers)

unnecessarily. If you have a dial-on-demand link they also stop

these requests from bringing up the link unnecessarily.

Never forward plain names (without a dot or domain part)

domain-needed

Never forward addresses in the non-routed address spaces.

bogus-priv

Uncomment these to enable DNSSEC validation and caching:

(Requires dnsmasq to be built with DNSSEC option.)

conf-file=/usr/share/dnsmasq/trust-anchors.conf

dnssec

Replies which are not DNSSEC signed may be legitimate, because the domain

is unsigned, or may be forgeries. Setting this option tells dnsmasq to

check that an unsigned reply is OK, by finding a secure proof that a DS

record somewhere between the root and the domain does not exist.

The cost of setting this is that even queries in unsigned domains will need

one or more extra DNS queries to verify.

dnssec-check-unsigned

Uncomment this to filter useless windows-originated DNS requests

which can trigger dial-on-demand links needlessly.

Note that (amongst other things) this blocks all SRV requests,

so don’t use it if you use eg Kerberos, SIP, XMMP or Google-talk.

This option only affects forwarding, SRV records originating for

dnsmasq (via srv-host= lines) are not suppressed by it.

filterwin2k

Change this line if you want dns to get its upstream servers from

somewhere other that /etc/resolv.conf

resolv-file=

By default, dnsmasq will send queries to any of the upstream

servers it knows about and tries to favour servers to are known

to be up. Uncommenting this forces dnsmasq to try each query

with each server strictly in the order they appear in

/etc/resolv.conf

strict-order

If you don’t want dnsmasq to read /etc/resolv.conf or any other

file, getting its servers from this file instead (see below), then

uncomment this.

no-resolv

If you don’t want dnsmasq to poll /etc/resolv.conf or other resolv

files for changes and re-read them then uncomment this.

no-poll

Add other name servers here, with domain specs if they are for

non-public domains.

server=/localnet/192.168.0.1

Example of routing PTR queries to nameservers: this will send all

address->name queries for 192.168.3/24 to nameserver 10.1.2.3

server=/3.168.192.in-addr.arpa/10.1.2.3

Add local-only domains here, queries in these domains are answered

from /etc/hosts or DHCP only.

local=/localnet/

Add domains which you want to force to an IP address here.

The example below send any host in double-click.net to a local

web-server.

address=/double-click.net/127.0.0.1

—address (and —server) work with IPv6 addresses too.

address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83

Add the IPs of all queries to yahoo.com, google.com, and their

subdomains to the vpn and search ipsets:

ipset=/yahoo.com/google.com/vpn,search

You can control how dnsmasq talks to a server: this forces

queries to 10.1.2.3 to be routed via eth1

server=10.1.2.3@eth1

and this sets the source (ie local) address used to talk to

10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that

IP on the machine, obviously).

server=10.1.2.3@192.168.1.1#55

If you want dnsmasq to change uid and gid to something other

than the default, edit the following lines.

user=dnsmasq group=dnsmasq

If you want dnsmasq to listen for DHCP and DNS requests only on

specified interfaces (and the loopback) give the name of the

interface (eg eth0) here.

Repeat the line for more than one interface.

interface=

Or you can specify which interface not to listen on

except-interface=

Or which to listen on by address (remember to include 127.0.0.1 if

you use this.)

listen-address=

If you want dnsmasq to provide only DNS service on an interface,

configure it as shown above, and then use the following line to

disable DHCP and TFTP on it.

no-dhcp-interface=

On systems which support it, dnsmasq binds the wildcard address,

even when it is listening on only some interfaces. It then discards

requests that it shouldn’t reply to. This has the advantage of

working even when interfaces come and go and change address. If you

want dnsmasq to really bind only the interfaces it is listening on,

uncomment this option. About the only time you may need this is when

running another nameserver on the same machine.

bind-interfaces

If you don’t want dnsmasq to read /etc/hosts, uncomment the

following line.

no-hosts

or if you want it to read another file, as well as /etc/hosts, use

this.

addn-hosts=/etc/banner_add_hosts

Set this (and domain: see below) if you want to have a domain

automatically added to simple names in a hosts-file.

expand-hosts

Set the domain for dnsmasq. this is optional, but if it is set, it

does the following things.

1) Allows DHCP hosts to have fully qualified domain names, as long

as the domain part matches this setting.

2) Sets the “domain” DHCP option thereby potentially setting the

domain of all systems configured by DHCP

3) Provides the domain part for “expand-hosts”

domain=thekelleys.org.uk

Set a different domain for a particular subnet

domain=wireless.thekelleys.org.uk,192.168.2.0/24

Same idea, but range rather then subnet

domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200

Uncomment this to enable the integrated DHCP server, you need

to supply the range of addresses available for lease and optionally

a lease time. If you have more than one network, you will need to

repeat this for each network on which you want to supply DHCP

service.

dhcp-range=192.168.0.50,192.168.0.150,12h

This is an example of a DHCP range where the netmask is given. This

is needed for networks we reach the dnsmasq DHCP server via a relay

agent. If you don’t know what a DHCP relay agent is, you probably

don’t need to worry about this.

dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h

This is an example of a DHCP range which sets a tag, so that

some DHCP options may be set only for this network.

dhcp-range=set:red,192.168.0.50,192.168.0.150

Use this DHCP range only when the tag “green” is set.

dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h

Specify a subnet which can’t be used for dynamic address allocation,

is available for hosts with matching —dhcp-host lines. Note that

dhcp-host declarations will be ignored unless there is a dhcp-range

of some type for the subnet in question.

In this case the netmask is implied (it comes from the network

configuration on the machine running dnsmasq) it is possible to give

an explicit netmask instead.

dhcp-range=192.168.0.0,static

Enable DHCPv6. Note that the prefix-length does not need to be specified

and defaults to 64 if missing/

dhcp-range=1234::2, 1234::500, 64, 12h

Do Router Advertisements, BUT NOT DHCP for this subnet.

dhcp-range=1234::, ra-only

Do Router Advertisements, BUT NOT DHCP for this subnet, also try and

add names to the DNS for the IPv6 address of SLAAC-configured dual-stack

hosts. Use the DHCPv4 lease to derive the name, network segment and

MAC address and assume that the host will also have an

IPv6 address calculated using the SLAAC algorithm.

dhcp-range=1234::, ra-names

Do Router Advertisements, BUT NOT DHCP for this subnet.

Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)

dhcp-range=1234::, ra-only, 48h

Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA

so that clients can use SLAAC addresses as well as DHCP ones.

dhcp-range=1234::2, 1234::500, slaac

Do Router Advertisements and stateless DHCP for this subnet. Clients will

not get addresses from DHCP, but they will get other configuration information.

They will use SLAAC for addresses.

dhcp-range=1234::, ra-stateless

Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses

from DHCPv4 leases.

dhcp-range=1234::, ra-stateless, ra-names

Do router advertisements for all subnets where we’re doing DHCPv6

Unless overridden by ra-stateless, ra-names, et al, the router

advertisements will have the M and O bits set, so that the clients

get addresses and configuration from DHCPv6, and the A bit reset, so the

clients don’t use SLAAC addresses.

enable-ra

Supply parameters for specified hosts using DHCP. There are lots

of valid alternatives, so we will give examples of each. Note that

IP addresses DO NOT have to be in the range given above, they just

need to be on the same network. The order of the parameters in these

do not matter, it’s permissible to give name, address and MAC in any

order.

Always allocate the host with Ethernet address 11:22:33:44:55:66

The IP address 192.168.0.60

dhcp-host=11:22:33:44:55:66,192.168.0.60

Always set the name of the host with hardware address

11:22:33:44:55:66 to be “fred”

dhcp-host=11:22:33:44:55:66,fred

Always give the host with Ethernet address 11:22:33:44:55:66

the name fred and IP address 192.168.0.60 and lease time 45 minutes

dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m

Give a host with Ethernet address 11:22:33:44:55:66 or

12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume

that these two Ethernet interfaces will never be in use at the same

time, and give the IP address to the second, even if it is already

in use by the first. Useful for laptops with wired and wireless

addresses.

dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60

Give the machine which says its name is “bert” IP address

192.168.0.70 and an infinite lease

dhcp-host=bert,192.168.0.70,infinite

Always give the host with client identifier 01:02:02:04

the IP address 192.168.0.60

dhcp-host=id:01:02:02:04,192.168.0.60

Always give the InfiniBand interface with hardware address

80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the

ip address 192.168.0.61. The client id is derived from the prefix

ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of

hex digits of the hardware address.

dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61

Always give the host with client identifier “marjorie”

the IP address 192.168.0.60

dhcp-host=id:marjorie,192.168.0.60

Enable the address given for “judge” in /etc/hosts

to be given to a machine presenting the name “judge” when

it asks for a DHCP lease.

dhcp-host=judge

Never offer DHCP service to a machine whose Ethernet

address is 11:22:33:44:55:66

dhcp-host=11:22:33:44:55:66,ignore

Ignore any client-id presented by the machine with Ethernet

address 11:22:33:44:55:66. This is useful to prevent a machine

being treated differently when running under different OS’s or

between PXE boot and OS boot.

dhcp-host=11:22:33:44:55:66,id:*

Send extra options which are tagged as “red” to

the machine with Ethernet address 11:22:33:44:55:66

dhcp-host=11:22:33:44:55:66,set:red

Send extra options which are tagged as “red” to

any machine with Ethernet address starting 11:22:33:

dhcp-host=11:22:33:::*,set:red

Give a fixed IPv6 address and name to client with

DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2

Note the MAC addresses CANNOT be used to identify DHCPv6 clients.

Note also that the [] around the IPv6 address are obligatory.

dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]

Ignore any clients which are not specified in dhcp-host lines

or /etc/ethers. Equivalent to ISC “deny unknown-clients”.

This relies on the special “known” tag which is set when

a host is matched.

dhcp-ignore=tag:!known

Send extra options which are tagged as “red” to any machine whose

DHCP vendorclass string includes the substring “Linux”

dhcp-vendorclass=set:red,Linux

Send extra options which are tagged as “red” to any machine one

of whose DHCP userclass strings includes the substring “accounts”

dhcp-userclass=set:red,accounts

Send extra options which are tagged as “red” to any machine whose

MAC address matches the pattern.

dhcp-mac=set:red,00:60:8C:::*

If this line is uncommented, dnsmasq will read /etc/ethers and act

on the ethernet-address/IP pairs found there just as if they had

been given as —dhcp-host options. Useful if you keep

MAC-address/host mappings there for other purposes.

read-ethers

Send options to hosts which ask for a DHCP lease.

See RFC 2132 for details of available options.

Common options can be given to dnsmasq by name:

run “dnsmasq —help dhcp” to get a list.

Note that all the common settings, such as netmask and

broadcast address, DNS server and default route, are given

sane defaults by dnsmasq. You very likely will not need

any dhcp-options. If you use Windows clients and Samba, there

are some options which are recommended, they are detailed at the

end of this section.

Override the default route supplied by dnsmasq, which assumes the

router is the same machine as the one running dnsmasq.

dhcp-option=3,1.2.3.4

Do the same thing, but using the option name

dhcp-option=option:router,1.2.3.4

Override the default route supplied by dnsmasq and send no default

route at all. Note that this only works for the options sent by

default (1, 3, 6, 12, 28) the same line will send a zero-length option

for all other option numbers.

dhcp-option=3

Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5

dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5

Send DHCPv6 option. Note [] around IPv6 addresses.

dhcp-option=option6:dns-server,[1234::77],[1234::88]

Send DHCPv6 option for namservers as the machine running

dnsmasq and another.

dhcp-option=option6:dns-server,[::],[1234::88]

Ask client to poll for option changes every six hours. (RFC4242)

dhcp-option=option6:information-refresh-time,6h

Set option 58 client renewal time (T1). Defaults to half of the

lease time if not specified. (RFC2132)

dhcp-option=option:T1,1m

Set option 59 rebinding time (T2). Defaults to 7/8 of the

lease time if not specified. (RFC2132)

dhcp-option=option:T2,2m

Set the NTP time server address to be the same machine as

is running dnsmasq

dhcp-option=42,0.0.0.0

Set the NIS domain name to “welly”

dhcp-option=40,welly

Set the default time-to-live to 50

dhcp-option=23,50

Set the “all subnets are local” flag

dhcp-option=27,1

Send the etherboot magic flag and then etherboot options (a string).

dhcp-option=128,e4:45:74:68:00:00

dhcp-option=129,NIC=eepro100

Specify an option which will only be sent to the “red” network

(see dhcp-range for the declaration of the “red” network)

Note that the tag: part must precede the option: part.

dhcp-option = tag:red, option:ntp-server, 192.168.1.1

The following DHCP options set up dnsmasq in the same way as is specified

for the ISC dhcpcd in

http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt

adapted for a typical dnsmasq installation where the host running

dnsmasq is also the host running samba.

you may want to uncomment some or all of them if you use

Windows clients and Samba.

dhcp-option=19,0 # option ip-forwarding off

dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)

dhcp-option=45,0.0.0.0 # netbios datagram distribution server

dhcp-option=46,8 # netbios node type

Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.

dhcp-option=252,”\n”

Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client

probably doesn’t support this……

dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com

Send RFC-3442 classless static routes (note the netmask encoding)

dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8

Send vendor-class specific options encapsulated in DHCP option 43.

The meaning of the options is defined by the vendor-class so

options are sent only when the client supplied vendor class

matches the class given here. (A substring match is OK, so “MSFT”

matches “MSFT” and “MSFT 5.0”). This example sets the

mtftp address to 0.0.0.0 for PXEClients.

dhcp-option=vendor:PXEClient,1,0.0.0.0

Send microsoft-specific option to tell windows to release the DHCP lease

when it shuts down. Note the “i” flag, to tell dnsmasq to send the

value as a four-byte integer - that’s what microsoft wants. See

http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true

dhcp-option=vendor:MSFT,2,1i

Send the Encapsulated-vendor-class ID needed by some configurations of

Etherboot to allow is to recognise the DHCP server.

dhcp-option=vendor:Etherboot,60,”Etherboot”

Send options to PXELinux. Note that we need to send the options even

though they don’t appear in the parameter request list, so we need

to use dhcp-option-force here.

See http://syslinux.zytor.com/pxe.php#special for details.

Magic number - needed before anything else is recognised

dhcp-option-force=208,f1:00:74:7e

Configuration file name

dhcp-option-force=209,configs/common

Path prefix

dhcp-option-force=210,/tftpboot/pxelinux/files/

Reboot time. (Note ‘i’ to send 32-bit value)

dhcp-option-force=211,30i

Set the boot filename for netboot/PXE. You will only need

this if you want to boot machines over the network and you will need

a TFTP server; either dnsmasq’s built-in TFTP server or an

external one. (See below for how to enable the TFTP server.)

dhcp-boot=pxelinux.0

The same as above, but use custom tftp-server instead machine running dnsmasq

dhcp-boot=pxelinux,server.name,192.168.1.100

Boot for iPXE. The idea is to send two different

filenames, the first loads iPXE, and the second tells iPXE what to

load. The dhcp-match sets the ipxe tag for requests from iPXE.

dhcp-boot=undionly.kpxe

dhcp-match=set:ipxe,175 # iPXE sends a 175 option.

dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php

Encapsulated options for iPXE. All the options are

encapsulated within option 175

dhcp-option=encap:175, 1, 5b # priority code

dhcp-option=encap:175, 176, 1b # no-proxydhcp

dhcp-option=encap:175, 177, string # bus-id

dhcp-option=encap:175, 189, 1b # BIOS drive code

dhcp-option=encap:175, 190, user # iSCSI username

dhcp-option=encap:175, 191, pass # iSCSI password

Test for the architecture of a netboot client. PXE clients are

supposed to send their architecture as option 93. (See RFC 4578)

dhcp-match=peecees, option:client-arch, 0 #x86-32

dhcp-match=itanics, option:client-arch, 2 #IA64

dhcp-match=hammers, option:client-arch, 6 #x86-64

dhcp-match=mactels, option:client-arch, 7 #EFI x86-64

Do real PXE, rather than just booting a single file, this is an

alternative to dhcp-boot.

pxe-prompt=”What system shall I netboot?”

or with timeout before first available action is taken:

pxe-prompt=”Press F8 for menu.”, 60

Available boot services. for PXE.

pxe-service=x86PC, “Boot from local disk”

Loads /pxelinux.0 from dnsmasq TFTP server.

pxe-service=x86PC, “Install Linux”, pxelinux

Loads /pxelinux.0 from TFTP server at 1.2.3.4.

Beware this fails on old PXE ROMS.

pxe-service=x86PC, “Install Linux”, pxelinux, 1.2.3.4

Use bootserver on network, found my multicast or broadcast.

pxe-service=x86PC, “Install windows from RIS server”, 1

Use bootserver at a known IP address.

pxe-service=x86PC, “Install windows from RIS server”, 1, 1.2.3.4

If you have multicast-FTP available,

information for that can be passed in a similar way using options 1

to 5. See page 19 of

http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf

Enable dnsmasq’s built-in TFTP server

enable-tftp

Set the root directory for files available via FTP.

tftp-root=/var/ftpd

Do not abort if the tftp-root is unavailable

tftp-no-fail

Make the TFTP server more secure: with this set, only files owned by

the user dnsmasq is running as will be send over the net.

tftp-secure

This option stops dnsmasq from negotiating a larger blocksize for TFTP

transfers. It will slow things down, but may rescue some broken TFTP

clients.

tftp-no-blocksize

Set the boot file name only when the “red” tag is set.

dhcp-boot=tag:red,pxelinux.red-net

An example of dhcp-boot with an external TFTP server: the name and IP

address of the server are given after the filename.

Can fail with old PXE ROMS. Overridden by —pxe-service.

dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3

If there are multiple external tftp servers having a same name

(using /etc/hosts) then that name can be specified as the

tftp_servername (the third option to dhcp-boot) and in that

case dnsmasq resolves this name and returns the resultant IP

addresses in round robin fashion. This facility can be used to

load balance the tftp load among a set of servers.

dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name

Set the limit on DHCP leases, the default is 150

dhcp-lease-max=150

The DHCP server needs somewhere on disk to keep its lease database.

This defaults to a sane location, but if you want to change it, use

the line below.

dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases

Set the DHCP server to authoritative mode. In this mode it will barge in

and take over the lease for any client which broadcasts on the network,

whether it has a record of the lease or not. This avoids long timeouts

when a machine wakes up on a new network. DO NOT enable this if there’s

the slightest chance that you might end up accidentally configuring a DHCP

server for your campus/company accidentally. The ISC server uses

the same option, and this URL provides more information:

http://www.isc.org/files/auth.html

dhcp-authoritative

Run an executable when a DHCP lease is created or destroyed.

The arguments sent to the script are “add” or “del”,

then the MAC address, the IP address and finally the hostname

if there is one.

dhcp-script=/bin/echo

Set the cachesize here.

cache-size=150

If you want to disable negative caching, uncomment this.

no-negcache

Normally responses which come from /etc/hosts and the DHCP lease

file have Time-To-Live set as zero, which conventionally means

do not cache further. If you are happy to trade lower load on the

server for potentially stale date, you can set a time-to-live (in

seconds) here.

local-ttl=

If you want dnsmasq to detect attempts by Verisign to send queries

to unregistered .com and .net hosts to its sitefinder service and

have dnsmasq instead return the correct NXDOMAIN response, uncomment

this line. You can add similar lines to do the same for other

registries which have implemented wildcard A records.

bogus-nxdomain=64.94.110.11

If you want to fix up DNS results from upstream servers, use the

alias option. This only works for IPv4.

This alias makes a result of 1.2.3.4 appear as 5.6.7.8

alias=1.2.3.4,5.6.7.8

and this maps 1.2.3.x to 5.6.7.x

alias=1.2.3.0,5.6.7.0,255.255.255.0

and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40

alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0

Change these lines if you want dnsmasq to serve MX records.

Return an MX record named “maildomain.com” with target

servermachine.com and preference 50

mx-host=maildomain.com,servermachine.com,50

Set the default target for MX records created using the localmx option.

mx-target=servermachine.com

Return an MX record pointing to the mx-target for all local

machines.

localmx

Return an MX record pointing to itself for all local machines.

selfmx

Change the following lines if you want dnsmasq to serve SRV

records. These are useful if you want to serve ldap requests for

Active Directory and other windows-originated DNS requests.

See RFC 2782.

You may add multiple srv-host lines.

The fields are ,,,,

If the domain part if missing from the name (so that is just has the

service and protocol sections) then the domain given by the domain=

config option is used. (Note that expand-hosts does not need to be

set for this to work.)

A SRV record sending LDAP for the example.com domain to

ldapserver.example.com port 389

srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

A SRV record sending LDAP for the example.com domain to

ldapserver.example.com port 389 (using domain=)

domain=example.com

srv-host=_ldap._tcp,ldapserver.example.com,389

Two SRV records for LDAP, each with different priorities

srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1

srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

A SRV record indicating that there is no LDAP server for the domain

example.com

srv-host=_ldap._tcp.example.com

The following line shows how to make dnsmasq serve an arbitrary PTR

record. This is useful for DNS-SD. (Note that the

domain-name expansion done for SRV records _does_not

occur for PTR records.)

ptr-record=_http._tcp.dns-sd-services,”New Employee Page._http._tcp.dns-sd-services”

Change the following lines to enable dnsmasq to serve TXT records.

These are used for things like SPF and zeroconf. (Note that the

domain-name expansion done for SRV records _does_not

occur for TXT records.)

Example SPF.

txt-record=example.com,”v=spf1 a -all”

Example zeroconf

txt-record=_http._tcp.example.com,name=value,paper=A4

Provide an alias for a “local” DNS name. Note that this only works

for targets which are names from DHCP or /etc/hosts. Give host

“bert” another name, bertrand

cname=bertand,bert

For debugging purposes, log each DNS query as it passes through

dnsmasq.

log-queries

Log lots of extra information about DHCP transactions.

log-dhcp

Include another lot of configuration options.

conf-file=/etc/dnsmasq.more.conf

conf-dir=/etc/dnsmasq.d

Include all the files in a directory except those ending in .bak

conf-dir=/etc/dnsmasq.d,.bak

Include all files in a directory which end in .conf

conf-dir=/etc/dnsmasq.d/,*.conf

Include all files in /etc/dnsmasq.d except RPM backup files

conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig [root@localhost ~]#

  3. <a name="B6399"></a>
  4. # sshd.
  5. <a name="rFxIm"></a>
  6. ## SSH概念:
  8. - SSH是一套网络协议,目的在于安全的网络服务与加密远程登录。实现了SSH协议的最主流的开源软件OpenSSH
  9. <a name="zWaTg"></a>
  10. ## 数据加密:
  12. - 对称加密(私钥加密)
  13.    - 加密、解密使用同一套密钥
  14.    - 对称加密强度很高,难以破解,问题是当机器数量较多的时候,大量的发送密钥,难以保证密钥安全性,一旦某一个Client被窃取密钥,其他机器的安全性也就崩塌了
  16. - 非对称加密(公钥加密)
  17.    - 非对称加密分为:公钥(Public Key)与私钥(Private Key)。使用公钥加密后的密文,只能使用对应的私钥才能解开,破解的可能性很低。
  18.    - 此种方式是私钥放在Server端,即使client在登录的时候,传输数据被窃取,黑客也没有私钥进行解密,因此保证了数据安全。
  19. <a name="gU2qO"></a>
  20. ## 中间人攻击
  22. - 黑客通过拦截客户端请求,向客户端发送黑客自己的公钥。客户端在未识别的情况下,用黑客的公钥加密自己的账户信息再次发送给黑客服务器,黑客通过服务器自己的私钥解密客户信息后,便可使用客户信息登录正确的服务器,从而对服务器造成危害。
  23. <a name="ymKwL"></a>
  24. ### 确保Server目标服务器的正确
  26. 1. 基于口令验证。
  27.    - SSH的公私钥都是基于命令在本地生成的,没法公认,因此只能通过Client端自行的对公钥确认。对于新登录的机器,SSh会提示远程主机的指纹信息

(base) ygq@ygqdeiMac-Pro ~ % ssh root@115.28.208.197
The authenticity of host ‘115.28.208.197 (115.28.208.197)’ can’t be established. ECDSA key fingerprint is SHA256:+rxde5X6XmrnH/j2QFyRfwjTfvb80RIRuKucPGL3qTU. Are you sure you want to continue connecting (yes/no/[fingerprint])? 

  2.    - 根据公钥获取远程主机的指纹信息

(base) ygq@ygqdeiMac-Pro ~ % ssh-keyscan 115.28.208.197 |grep ecdsa

115.28.208.197:22 SSH-2.0-OpenSSH_7.4

115.28.208.197:22 SSH-2.0-OpenSSH_7.4

115.28.208.197:22 SSH-2.0-OpenSSH_7.4

115.28.208.197 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyKMa96hLtNxubCyiMegJZjboisFMYOrjRGpeWpyCp6Tprgl5xT15cuYqV3CvBWAMcmtr8ue8mw2CtcVIYZB5A=

  2.    - 登录服务器后查询服务器的指纹信息

[root@sclq001 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyKMa96hLtNxubCyiMegJZjboisFMYOrjRGpeWpyCp6Tprgl5xT15cuYqV3CvBWAMcmtr8ue8mw2CtcVIYZB5A= root@sclq001

  1. <a name="hwjjB"></a>
  2. ### ssh 配置文件
  3. 和linux用户有关的ssh配置文件存在在路径`$HOME/.ssh/`

[root@sclq001 .ssh]# ls -a -l 总用量 8 drwx——— 2 root root 4096 6月 23 03:43 . dr-xr-x—-. 6 root root 4096 8月 12 10:33 .. -rw———- 1 root root 0 8月 12 09:34 authorized_keys ```

  • Known_hosts:当Client接收Server的公钥以后,Server的公钥信息会放在Client$HOME/.ssh/known_hosts文件中,下次再次连接的时候,系统能够识别出Server的公钥已经存在了本地,因此可以跳过警告部分,直接提示输入密码了
  • authorized_keys:Server远程主机将用户的公钥,保存在已登录用户的$HOME/.ssh/authorized_keys文件中。
  • id_rsa:私钥文件

  • id_rsa.pub:公钥文件

    基于公钥登录

  • 登录流程

    • client发送自己的公钥给server,写入server的authorized_keys
    • server端接收到client的连接请求后,在自己的authorized_keys文件中匹配client的公钥信息pubkey,并且生成一个随机数R,使用client的公钥pibkey针对该随机数R进行加密,得到一个加密后的随机数pubkey(R)
    • client通过私钥进行解密得到随机数R,再对随机数R和当前会话的sessionkey采用MD5生成摘要Digest1,再发送给server端
    • server端会对随机数R和当前client的sessionkey用同样摘要算法生成Digest2
    • 结果比较client发来的Digest1与Digest2是否一致,正确则完成认证