1、简述DNS服务器原理,并搭建主-辅服务器
DNS原理
DNS通过将名称与IP进行双向映射并建立分布式数据库存储这些信息,实现名称与IP的双向解析。
客户端在访问Internet上服务器所发布的应用时,不需要直接访问服务器对应的IP,只需要访问与IP建立映射的名称,由DNS协议将名称解析为IP就能实现对应用的网络访问。
DNS对域名的解析分为递归查询和迭代查询:递归查询是客户端只向本地DNS服务器发出一次请求,由该服务器代为完成全部后续查询并返回最终结果(客户端与本地DNS之间通常是递归);迭代查询是查询方自己依次向根、顶级域、权威服务器逐级发问,每一级只返回下一级的引荐(referral),直到拿到最终答案(本地DNS与各级服务器之间通常是迭代);一次完整的解析通常由这两种方式共同完成。
DNS采用分布式数据库实现对域名资源记录的存储,将资源记录划分为多个级别,各级别间以.
隔开,第一个级别叫做根,所有域名都起始于根。每一个上级域名服务器负责存储下一级域名的映射信息,因此任何查询从根发起都能找到域名所在的区域数据库位置。
全世界共有13个根服务器名称(a～m.root-servers.net),每个名称背后是通过任播(anycast)部署的大量实例;主机安装DNS服务端软件后,根提示文件(BIND 中为 /var/named/named.ca)里就带有这13个根服务器的地址;
服务器收到的所有不属于服务器已配置的本地域的解析请求(无缓存),服务器都会从根服务器开始逐级查询。
通过逐级迭代,直到查询到该域名直接负责存储的服务器,叫做权威服务器,进而将结果反馈给客户端。
搭建主、从DNS服务器
- 主服务器配置:
[root@centos8mini ~]# cat /etc/named.conf | grep -E "listen|allow"
listen-on port 53 { 127.0.0.1; localhost; }; #内置 ACL localhost 匹配本机所有接口地址,因此实际监听本机全部IP(这也是下文 192.168.156.204 能应答的原因)
listen-on-v6 port 53 { ::1; };
allow-query { localhost; any;}; #允许所有主机发起的查询。注意:未显式配置 allow-recursion 时,BIND 会沿用 allow-query 的范围,配合默认的 recursion yes 就成了开放递归解析器(可被用于DNS放大攻击);权威服务器应设 recursion no,或用 allow-recursion { localhost; localnets; }; 限制递归范围
allow-transfer { 192.168.156.204; }; #仅允许204 拉取区域数据库信息(AXFR)。基于IP的限制只能防止随意拖库;生产环境建议用 TSIG key 做传输认证(key 语句 + allow-transfer { key xxx; })
[root@centos8mini ~]# cat /etc/named.rfc1912.zones | grep -A 4 mxx.com
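zone "mxx.com" IN {
    type master; // this server is the primary for the zone
    file "mxx.zone"; // relative to `directory` in named.conf, i.e. /var/named/mxx.zone
    // Dynamic updates (RFC 2136) rewrite the zone in place. `any` would let every
    // host that can reach port 53 add or change records (e.g. repoint www or the
    // MX); keep it closed, or restrict it to a TSIG key with update-policy.
    allow-update { none; };
};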
#主DNS服务器的区域数据库文件,区域数据库文件的权限要是640,所属组为named
[root@centos8mini ~]# cat /var/named/mxx.zone
$TTL 1D ; 区域文件里只能用 ; 作注释(# 和 // 是 named.conf 的语法,写进区域文件会让 named-checkzone 报错)
; 下一行 SOA 记录的第一个字段(MNAME,这里是 master)指明本区域的主服务器:NOTIFY 以它为源,动态更新也发往它
@ IN SOA master admin.mxx.com. (
6 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master ; 指明master的DNS服务器
NS slave ; 指明slave的DNS服务器。主服务器会向区域内除自身外的所有NS记录发送NOTIFY,从服务器收到后立即拉取;即使没有NOTIFY,从服务器也会按SOA中的refresh周期自行检查serial
MX 20 mail1
MX 10 mail2
master A 192.168.156.202 ; 与主服务器有关的A记录
slave.mxx.com. A 192.168.156.204 ; 与从服务器有关的A记录
mail1 A 192.168.156.204
mail2 A 192.168.156.205
www.mxx.com. CNAME websrv.myy.com.
shop.mxx.com. A 192.168.156.100
ns1.myy.com. A 192.168.133.1 ; 注意:这是 mxx.com 区域之外的数据,named 加载时会警告 "ignoring out-of-zone data" 并丢弃,应放到 myy.com 的区域文件中(或作为委派时的胶水记录)
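# Start BIND and enable it at boot.
systemctl enable --now named
# Open only DNS (53/tcp and 53/udp) in the host firewall instead of disabling
# firewalld, so every other port on the box stays closed.
firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
# Keep SELinux enforcing: hand-written zone files under /var/named only need the
# correct label, which restorecon re-applies (setenforce 0 merely hides that).
restorecon -Rv /var/named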
- 从服务器配置:
[root@centos8mini ~]# cat /etc/named.conf | grep -E "listen|allow"
listen-on port 53 { 127.0.0.1; localhost; };
listen-on-v6 port 53 { ::1; };
allow-query { localhost; any; };
allow-transfer { none; }; #从服务器不需要允许任何主机拉取区域数据库
[root@centos8mini ~]# cat /etc/named.rfc1912.zones | grep -A 4 mxx.com
zone "mxx.com" IN {
type slave; # this server is a secondary for the zone
masters { 192.168.156.202; }; # primary server to pull the zone from
file "slaves/mxx.slave"; # relative to `directory`; the transferred zone is written to /var/named/slaves/mxx.slave, so that directory must be writable by the named user or the transfer fails with permission denied
};
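# Start BIND and enable it at boot.
systemctl enable --now named
# Open only DNS (53/tcp and 53/udp) in the host firewall instead of disabling
# firewalld; the secondary needs nothing else reachable from the network.
firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
# Keep SELinux enforcing; re-label /var/named (including slaves/, which named
# must be able to write the transferred zone into) instead of setenforce 0.
restorecon -Rv /var/named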
- 验证确认
named-checkconf -z,检查配置文件是否有错误(-z 会同时加载并检查所有区域文件)
named-checkzone mxx.com /var/named/mxx.zone,检查区域数据库文件是否有错误(包括区域外数据、缺少尾部 . 等问题);每次修改后还要递增 serial,否则从服务器不会重新同步
[root@centos8mini ~]# nslookup shop.mxx.com
Server: 192.168.156.204
Address: 192.168.156.204#53
Name: shop.mxx.com
Address: 192.168.156.100
2、搭建并实现智能DNS
一定要格外注意文件的权限是不是640和named属组,否则 named 读不到区域文件,该 zone 不会加载(journalctl -u named 中会看到 permission denied 之类的报错)
用一台服务器模拟
在named.conf里配置acl和view
[root@centos8mini named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// acl要先配置后调用,所以配置在最前面
// 配置acl shanghai匹配源地址是shanghai的地址。注意:view 的匹配只看报文源IP,UDP 源地址可伪造,所以 acl 只是分流依据,不能当作身份认证
acl shanghai {
192.168.156.207;
};
// 配置acl beijing匹配源地址是beijing的地址
acl beijing {
192.168.156.208;
};
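options {
    listen-on port 53 { 127.0.0.1; localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; any;};
    querylog yes;
    // Left commented out, so allow-transfer falls back to BIND's default, which
    // on the BIND shipped with CentOS 8 is `any`: every client that matches a
    // view can AXFR that view's copy of the zone. Re-enable it with the
    // secondary's address (or a TSIG key) before exposing this host.
    // allow-transfer { 192.168.156.204; };
    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    recursion yes;
    // When allow-recursion is not set, BIND falls back to the allow-query list
    // (`any` above), which turns this host into an open resolver. Restrict
    // recursion to this host and its directly attached networks; the views
    // below inherit this setting.
    allow-recursion { localhost; localnets; };
    // DNSSEC validation is left off for this lab; on a resolver with Internet
    // reachability use `dnssec-validation auto;` so forged answers are rejected.
    // dnssec-enable yes;
    // dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};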
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// 注意:一旦定义了 view,所有 zone(包括原来放在 named.conf 里的根提示 "." 区域)都必须放进某个 view,
// 不能再有 view 之外的顶层 zone,否则 named 启动报错;zone 直接写在 view 里或用 include 引入都可以,
// 这里用 include 只是为了把每个地区的 zone 列表单独放一个文件
// 配置上海和北京的view,match-clients匹配的是acl
view beijingvw {
match-clients { beijing; }; // selected by the client's source address via the beijing acl; views are tried in order, the first match wins
// Clients matching the beijing acl load the zone list in /etc/named.rfc1912.zones.bj and the zone files it names
include "/etc/named.rfc1912.zones.bj";
};
// shanghai也是一样的配置
view shanghaivw {
match-clients { shanghai; }; // same scheme for the shanghai acl
include "/etc/named.rfc1912.zones.sh"; // zone list (and zone files) served to shanghai clients
};
// 建议在最后补充一个 match-clients { any; } 的默认 view,处理两者都匹配不到的客户端(例如广东用户把DNS指向上海);没有默认 view 时这些客户端会直接收到 REFUSED(见下文 dig 结果)。另外从服务器按源IP只能命中一个 view,若要为同一区域的不同 view 各配从服务器,需要用 TSIG key 区分 view
include "/etc/named.root.key";
zone配置文件的配置
[root@centos8mini named]# cat /etc/named.rfc1912.zones.bj
// 从named.conf中挪过来的根域配置
zone "." IN {
type hint;
file "named.ca";
};
// 匹配到beijingvw的用户访问的是mxx.com域的话,就会去mxx.zone的zone数据库中查找RR
zone "mxx.com" IN {
type master;
file "mxx.zone";
allow-update { none; };
};
// 上海是一样的配置方式
[root@centos8mini named]# cat /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "mxx.com" IN {
type master;
file "mxx.zone.sh";
allow-update { none; };
};
zone数据库的配置
匹配到beijing acl的,将匹配到/etc/named.rfc1912.zones.bj,将从mxx.zone中查找RR:
[root@centos8mini named]# cat /var/named/mxx.zone
$TTL 1D
@ IN SOA master admin.mxx.com. (
12 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
shanghai NS shns1
MX 20 mail1
MX 10 mail2
shns1 A 192.168.156.206
master A 192.168.156.202
slave.mxx.com. A 192.168.156.204
mail1 A 192.168.156.204
mail2 A 192.168.156.205
www.mxx.com. CNAME websrv.myy.com.
; beijing用户将解析到192.168.156.100的IP(区域文件里只能用 ; 作注释,// 会被当成记录而报错)
shop.mxx.com. A 192.168.156.100
[root@centos8mini named]# cat /var/named/mxx.zone.sh
$TTL 1D
@ IN SOA master admin.mxx.com. (
12 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
shanghai NS shns1
MX 20 mail1
MX 10 mail2
shns1 A 192.168.156.206
master A 192.168.156.202
slave.mxx.com. A 192.168.156.204
mail1 A 192.168.156.204
mail2 A 192.168.156.205
www.mxx.com. CNAME websrv.myy.com.
; shanghai用户将解析到192.168.156.206的IP(区域文件里只能用 ; 作注释,// 会被当成记录而报错)
shop.mxx.com. A 192.168.156.206
测试结果
207用户使用shanghai的DNS:
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=47 ttl=64 time=0.600 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=48 ttl=64 time=0.542 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=49 ttl=64 time=0.521 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=50 ttl=64 time=0.593 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=51 ttl=64 time=0.526 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=52 ttl=64 time=0.541 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=53 ttl=64 time=0.728 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=54 ttl=64 time=0.568 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=55 ttl=64 time=0.522 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=56 ttl=64 time=0.558 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=57 ttl=64 time=0.584 ms
64 bytes from 192.168.156.206 (192.168.156.206): icmp_seq=58 ttl=64 time=0.494 ms
^C
--- shop.mxx.com ping statistics ---
58 packets transmitted, 58 received, 0% packet loss, time 58379ms
rtt min/avg/max/mdev = 0.408/0.554/0.834/0.080 ms
[root@centos8mini ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.156.207 netmask 255.255.255.0 broadcast 192.168.156.255
inet6 fe80::ab89:796c:4162:ce44 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c2:ab:b4 txqueuelen 1000 (Ethernet)
RX packets 10730 bytes 12018084 (11.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2601 bytes 215000 (209.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
beijing用户使用beijing的dns:
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=53 ttl=64 time=0.627 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=54 ttl=64 time=0.460 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=55 ttl=64 time=0.528 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=56 ttl=64 time=0.703 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=57 ttl=64 time=0.482 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=58 ttl=64 time=0.512 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=59 ttl=64 time=0.651 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=60 ttl=64 time=0.626 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=61 ttl=64 time=0.596 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=62 ttl=64 time=0.606 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=63 ttl=64 time=0.586 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=64 ttl=64 time=0.493 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=65 ttl=64 time=0.730 ms
64 bytes from 192.168.156.100 (192.168.156.100): icmp_seq=66 ttl=64 time=0.644 ms
^C
--- shop.mxx.com ping statistics ---
66 packets transmitted, 66 received, 0% packet loss, time 66575ms
rtt min/avg/max/mdev = 0.405/0.581/0.730/0.075 ms
[root@centos8mini ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.156.208 netmask 255.255.255.0 broadcast 192.168.156.255
inet6 fe80::20c:29ff:fe82:d14d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:82:d1:4d txqueuelen 1000 (Ethernet)
RX packets 10621 bytes 11983430 (11.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2986 bytes 243926 (238.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
非上海,非北京的客户端匹配不到任何 view,named 直接返回 REFUSED(不是 NXDOMAIN),并提示递归不可用:
[root@centos6 ~]# dig shop.mxx.com @192.168.156.202
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> shop.mxx.com @192.168.156.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28871
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;shop.mxx.com. IN A
;; Query time: 1 msec
;; SERVER: 192.168.156.202#53(192.168.156.202)
;; WHEN: Tue Nov 16 13:07:07 2021
;; MSG SIZE rcvd: 30
3、使用iptables实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝
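# The OUTPUT chain keeps its default ACCEPT policy; only INPUT is filtered here.
# Loopback must be accepted first: the catch-all REJECT at the end would
# otherwise break local clients (e.g. lookups against named on 127.0.0.1).
iptables -A INPUT -i lo -j ACCEPT
# Replies and related flows (FTP data channel, ICMP errors) of connections
# already tracked by conntrack. Passive-mode FTP only works with the helper.
modprobe nf_conntrack_ftp
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections only to ftp control (21), ssh (22), telnet (23) and http (80).
# NOTE: telnet and ftp carry credentials in cleartext; prefer ssh/sftp where possible.
iptables -A INPUT -p tcp -m multiport --dports 21,22,23,80 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is rejected. The chain policy stays ACCEPT, so this rule must be last.
iptables -A INPUT -j REJECT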
[root@centos8mini ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22,23,80,21 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
[root@centos8mini ~]# ss -ntua | grep -E ":20|:21"
tcp LISTEN 0 9 0.0.0.0:21 0.0.0.0:*
tcp ESTAB 0 0 192.168.156.208:21 192.168.156.207:43336
tcp CLOSE-WAIT 1 0 192.168.156.208:21 192.168.156.2:12777
tcp TIME-WAIT 0 0 192.168.156.208:20 192.168.156.207:51223
tcp LISTEN 0 9 [::]:21 [::]:*
3、NAT原理总结
局域网客户端访问公网:
SNAT:内部访问外部时,将源地址转换为公网地址,外部给内部回包时,将目的地址转回原来的源地址;
PAT:多个内部主机共享一个公网IP时,单纯靠IP无法区分多台内网主机,因此额外增加端口号的转换;内部主机访问公网时将源地址和源端口同时转换为公网IP和随机端口;外部给内部回包时,将目的地址和目的端口转回原来记录的源地址和源端口;
公网访问内网服务器:
DNAT:将公网IP和端口号(如80)静态映射为内部主机IP和特定端口(如8080),Internet用户直接访问映射后的公网IP和端口号,因为防火墙上已经建立了静态映射,报文会被自动转为内网主机的内网IP和端口,实现将内网主机的应用发布到公网的目的;
4、iptables实现SNAT和DNAT,并对规则持久保存。
#开启Linux转发功能
[root@centos8mini ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@centos8mini ~]# sysctl -p
net.ipv4.ip_forward = 1
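# SNAT: rewrite the source of 10.0.0.0/24 hosts to the outgoing interface's
# address. MASQUERADE looks the address up per packet; with a static public IP
# `-j SNAT --to-source <ip>` is the cheaper equivalent.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
# DNAT: publish 10.0.0.8:8080 as 192.168.156.208:80 (`-s 0/0` was redundant).
iptables -t nat -A PREROUTING -d 192.168.156.208 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.8:8080
# The FORWARD chain is at policy ACCEPT, so with ip_forward=1 the box relays
# anything between its interfaces. Allow only the two NAT flows and drop the rest.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.0.8 -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
iptables -P FORWARD DROP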
持久保存Iptables规则配置:
#把内核中当前生效的规则保存到/etc/sysconfig/iptables。注意保存的只是当时内存里的规则:下面的保存结果中 filter 表是空的,说明执行 save 时第3题的 INPUT 规则并未加载;若要一并持久化,需先把它们加上再执行 save
yum -y install iptables-services
[root@centos8mini ~]# /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@centos8mini ~]#
[root@centos8mini ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.8.4 on Wed Nov 17 21:16:24 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Nov 17 21:16:24 2021
# Generated by iptables-save v1.8.4 on Wed Nov 17 21:16:24 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.156.208/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.8:8080
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Nov 17 21:16:24 2021
[root@centos8mini ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@centos8mini ~]#
#重启后策略依然存在
[root@centos8mini ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 6 packets, 1291 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.156.208 tcp dpt:80 to:10.0.0.8:8080
Chain INPUT (policy ACCEPT 3 packets, 359 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 41 packets, 3098 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 41 packets, 3098 bytes)
pkts bytes target prot opt in out source destination
[root@centos8mini ~]#