Kamfanin Cloudflare jama'a DNS a adireshi:
- 1.1.1.1
- 1.0.0.1
- 2606: 4700: 4700 1111 ::
- 2606: 4700: 4700 1001 ::
An ce manufar ita ce "Sirri ta farko" don masu amfani su sami kwanciyar hankali game da abubuwan da ke cikin buƙatun su.
Sabis ɗin yana da ban sha'awa a cikin hakan, ban da DNS na yau da kullun, yana ba da damar yin amfani da fasaha DNS-over-TLS и DNS-over-HTTPS, wanda zai hana masu samarwa da yawa sauraron buƙatun ku a kan hanyar buƙatun - da tattara ƙididdiga, saka idanu, sarrafa talla. Cloudflare yayi iƙirarin cewa ranar sanarwar (Afrilu 1, 2018, ko 04/01 a cikin bayanin Amurka) ba a zaɓi kwatsam ba: wace rana ce ta shekara za a gabatar da "raka'a huɗu"?
Tun da masu sauraron Habr suna da basirar fasaha, sashin gargajiya "me yasa kuke buƙatar DNS?" Zan sanya shi a karshen sakon, amma a nan zan bayyana abubuwa masu amfani a zahiri:
Yadda ake amfani da sabon sabis?
Abu mafi sauƙi shine a saka adiresoshin uwar garken DNS na sama a cikin abokin ciniki na DNS ɗinku (ko azaman sama a cikin saitunan uwar garken DNS na gida da kuke amfani da su). Shin yana da ma'ana don maye gurbin dabi'un da aka saba (8.8.8.8, da dai sauransu), ko kaɗan kaɗan (77.88.8.8 da sauransu kamar su) zuwa sabobin daga Cloudflare - za su yanke shawara a gare ku, amma yayi magana don mafari. saurin amsawa, bisa ga abin da Cloudflare ya fi sauri fiye da duk masu fafatawa (Zan fayyace: sabis na ɓangare na uku ya ɗauki ma'auni, kuma saurin zuwa takamaiman abokin ciniki, ba shakka, na iya bambanta).
Yana da matukar ban sha'awa don yin aiki tare da sababbin hanyoyin da buƙatun ke tashi zuwa uwar garken akan haɗin da aka ɓoye (a zahiri, ana mayar da martani ta hanyarsa), DNS-over-TLS da aka ambata da DNS-over-HTTPS. Abin takaici, ba a tallafa musu ba "daga cikin akwatin" (marubuta sun yi imanin cewa wannan "har yanzu"), amma ba shi da wahala a tsara aikin su a cikin software (ko ma akan kayan aikin ku):
DNS akan HTTPs (DoH)
Kamar yadda sunan ke nunawa, sadarwa yana gudana akan tashar HTTPS, wanda ke nufin
- kasancewar wurin saukowa (ƙarshen ƙarshen) - yana samuwa a adireshin kuma
- abokin ciniki wanda zai iya aika buƙatu da karɓar amsa.
Buƙatun na iya kasancewa ko dai a cikin tsarin Wireformat na DNS da aka ayyana a ciki (an aika ta amfani da hanyoyin POST da GET HTTP), ko a tsarin JSON (ta amfani da hanyar GET HTTP). A gare ni da kaina, ra'ayin yin buƙatun DNS ta hanyar buƙatun HTTP ya yi kama da ba zato ba tsammani, amma akwai hatsi mai ma'ana a ciki: irin wannan buƙatar za ta wuce tsarin tace zirga-zirga da yawa, amsa amsa yana da sauƙi, kuma samar da buƙatun ya fi sauƙi. Laburaren da aka saba da su da ka'idoji suna da alhakin tsaro.
Nemi misalai, kai tsaye daga takaddun:
SAMU buƙatar a tsarin Wireformat na DNS
$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031Buƙatar POST a tsarin Wireformat na DNS
$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
Haka ne amma amfani da JSON
$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "example.com.",
"type": 1
}
],
"Answer": [
{
"name": "example.com.",
"type": 1,
"TTL": 1069,
"data": "93.184.216.34"
}
]
}Babu shakka, na'ura mai ba da hanya tsakanin hanyoyin sadarwa na gida (idan akalla ɗaya) na iya aiki tare da DNS ta wannan hanyar, amma wannan ba yana nufin cewa tallafin ba zai bayyana gobe ba - kuma, abin sha'awa, a nan za mu iya aiwatar da aiki tare da DNS a cikin aikace-aikacen mu (kamar yadda muka riga muka gani). , kawai akan sabobin Cloudflare).
DNS akan TLS
Ta hanyar tsoho, ana watsa tambayoyin DNS ba tare da ɓoyewa ba. DNS akan TLS hanya ce ta aika su akan amintaccen haɗi. Cloudflare yana goyan bayan DNS akan TLS akan daidaitaccen tashar jiragen ruwa 853 kamar yadda aka tsara . Wannan yana amfani da takaddun shaida da aka bayar don mai watsa shiri na cloudflare-dns.com, ana tallafawa TLS 1.2 da TLS 1.3.
Ƙirƙirar haɗi da aiki bisa ga ka'idar yana tafiya kamar haka:
- Kafin kafa haɗin yanar gizo na DNS, abokin ciniki yana adana bayanan SHA64 hash na base256 na takaddun shaida TLS (wanda ake kira SPKI)
- Abokin ciniki na DNS ya kafa haɗin TCP zuwa Cloudflare-dns.com:853
- Abokin ciniki na DNS ya fara musafaha TLS
- Yayin aiwatar da musafaha na TLS, mai masaukin baki Cloudflare-dns.com yana gabatar da takardar shaidar TLS.
- Da zarar an kafa haɗin TLS, abokin ciniki na DNS zai iya aika buƙatun DNS akan tashoshi mai tsaro, wanda ke hana buƙatu da amsawa daga sauraren buƙatun da zuƙowa.
- Duk tambayoyin DNS da aka aika akan haɗin TLS dole ne su bi .
Misalin buƙata ta hanyar DNS akan TLS:
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2347 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 msWannan zaɓi yana da alama yana aiki mafi kyau don sabar DNS na gida wanda ke ba da bukatun cibiyar sadarwar gida ko mai amfani guda ɗaya. Gaskiya, tare da goyon bayan ma'auni ba shi da kyau sosai, amma - bari mu yi fata!
Kalmomi biyu na bayanin abin da tattaunawar ta kunsa
Gajartawar DNS tana nufin Sabis na Sunan yanki (don haka ana cewa “sabis na DNS” yana da ɗan ƙaranci, gajarta ta riga ta ƙunshi kalmar “sabis”), kuma ana amfani da ita don magance aiki mai sauƙi - don fahimtar menene adireshin IP na wani sunan mai masauki. Duk lokacin da mutum ya danna hanyar haɗi, ko ya shigar da adireshi a mashigin adireshi na burauza (ka ce, wani abu kamar ""), Kwamfutar ɗan adam tana ƙoƙarin gano ko wane uwar garken zai aika da buƙatun don samun abubuwan da ke cikin shafin. Game da habrahabr.ru, amsa daga DNS zai ƙunshi alamar adireshin IP na sabar yanar gizo: 178.248.237.68, sannan mai bincike zai riga ya yi ƙoƙarin tuntuɓar sabar tare da adireshin IP da aka ƙayyade.
Bi da bi, uwar garken DNS, bayan samun buƙatar "menene adireshin IP na rundunar mai suna habrahabr.ru?", Yana ƙayyade ko ya san wani abu game da ƙayyadaddun rundunar. Idan ba haka ba, yana yin buƙatu zuwa wasu sabobin DNS a duniya, kuma, mataki-mataki, yana ƙoƙarin gano amsar tambayar da aka yi. Sakamakon haka, bayan samun amsar ƙarshe, ana aika bayanan da aka samo ga abokin ciniki har yanzu yana jiran su, ƙari kuma ana adana su a cikin cache na uwar garken DNS da kanta, wanda zai ba ku damar amsa irin wannan tambaya da sauri a gaba.
Matsala ta gama gari ita ce, da farko, ana watsa bayanan tambayar DNS a sarari (wanda ke ba duk wanda ke da damar yin amfani da zirga-zirgar ababen hawa damar keɓance tambayoyin DNS da martanin da suka karɓa sannan a rarraba su don dalilai na kansu; ikon yin tallan tallace-tallace tare da daidaito don abokin ciniki na DNS, wanda yake da yawa!). Na biyu, wasu ISPs (ba za mu nuna yatsu ba, amma ba mafi ƙanƙanta ba) suna nuna tallace-tallace maimakon ɗaya ko wani shafin da ake buƙata (wanda aka aiwatar da shi a sauƙaƙe: maimakon ƙayyadadden adireshin IP don tambaya ta habranabr.ru). Sunan mai watsa shiri, mutum bazuwar Don haka, ana mayar da adireshin sabar gidan yanar gizon mai bayarwa, inda ake ba da shafin da ke ɗauke da talla). Na uku, akwai masu ba da damar Intanet waɗanda ke aiwatar da hanyar cika buƙatun don toshe rukunin yanar gizo ɗaya ta hanyar maye gurbin daidaitattun martanin DNS game da adiresoshin IP na albarkatun yanar gizon da aka toshe tare da adireshin IP na sabar su mai ɗauke da shafuka masu taurin kai (a sakamakon haka, samun dama ga irin waɗannan rukunin yanar gizon sun fi rikitarwa), ko zuwa adireshin uwar garken wakili wanda ke yin tacewa.
Wataƙila wannan ya zama hoto daga rukunin yanar gizon. , ana amfani dashi don bayyana haɗin kai zuwa sabis. Marubutan suna da alama suna da kwarin gwiwa game da ingancin DNS ɗin su (duk da haka, yana da wahala a jira wani abu daga Cloudflare):
Mutum zai iya fahimtar Cloudflare, mahaliccin sabis ɗin: suna samun gurasar su ta hanyar kiyayewa da haɓaka ɗayan shahararrun cibiyoyin sadarwa na CDN a duniya (waɗanda ayyuka sun haɗa da ba kawai rarraba abun ciki ba, har ma da karɓar wuraren DNS), kuma, saboda sha'awar wadancan, wanda ba shi da ilimi sosai, koya wa annan wanda basu sani ba, ga haka inda zan je a cikin hanyar sadarwa ta duniya, galibi suna fama da toshe adiresoshin sabobin su daga kada mu ce wanene - don haka samun DNS wanda ba "kururuwa, bugu da rubutu" ga kamfani yana nufin rage cutar da kasuwancin su ba. Kuma fa'idodin fasaha (wani ɗan ƙaramin abu, amma mai kyau: musamman, ga abokan ciniki na Cloudflare na kyauta na DNS, sabunta bayanan DNS na albarkatun da aka shirya akan sabar DNS na kamfanin zai zama nan take) yin amfani da sabis ɗin da aka bayyana a cikin gidan ya fi ban sha'awa.
Masu amfani da rajista kawai za su iya shiga cikin binciken. don Allah.
Za ku yi amfani da sabon sabis ɗin?
-
Ee, ta hanyar tantance shi a cikin OS da / ko akan na'ura mai ba da hanya tsakanin hanyoyin sadarwa
-
Ee, kuma zan yi amfani da sababbin ladabi (DNS akan HTTPs da DNS akan TLS)
-
A'a, Ina da isassun sabobin na yanzu (wannan mai ba da sabis na jama'a: Google, Yandex, da sauransu)
-
A'a, ban ma san abin da nake amfani da shi ba a yanzu
-
Ina amfani da DNS na maimaitawa tare da rami SSL zuwa gare su
Masu amfani 693 sun kada kuri'a. 191 mai amfani ya ƙi.
source: www.habr.com