Bypassing RKN blocks with DNSTap and BGP

The topic is pretty well worn, I know. For example, there is a great article on it, but it only covers the IP part of the blocklist. We will add domains too.

Since the courts and RKN block everything left and right, and providers try hard not to fall under the fines handed out by Revizorro, the collateral damage from blocking is considerable. And among the "lawfully" blocked sites there are plenty of useful ones (hello, rutracker).

I live outside RKN's jurisdiction, but my parents, relatives and friends stayed at home. So it was decided to make an easy way for people far from IT to bypass the blocks, preferably without any involvement on their part.

In this note I will not describe basic network things step by step; instead I will describe the general principles of how such a scheme can be implemented. So an understanding of how networks work in general, and in Linux in particular, is a must.

Types of blocks

First, let's refresh our memory of what is being blocked.

There are several types of blocks in the XML dump from RKN:

  • IP
  • Domain
  • URL

For simplicity we reduce them to two, IP and domain, and from URL blocks we just pull out the domain (more precisely, that has already been done for us).

The good people at Roskomsvoboda have implemented a wonderful API through which we can get everything we need:

Accessing blocked sites

To do this we need a small VPS abroad, preferably with unlimited traffic; there are plenty of those for $3-5. It should be somewhere nearby so that the ping is not too large, but again, keep in mind that the Internet and geography do not always coincide. And since there is no SLA for $5, it is better to take 2+ of them from different providers for fault tolerance.

Next, we need to set up an encrypted tunnel from the client router to the VPS. I use Wireguard as the fastest and easiest to configure. My client routers also run Linux (APU2 or something on OpenWRT). In the case of a Mikrotik/Cisco you can use the protocols available to them, such as OpenVPN or GRE-over-IPSEC.

Detecting and redirecting interesting traffic

You can, of course, send all Internet traffic through the foreign server. But then the speed of working with local content will most likely suffer badly. Also, the bandwidth requirements on the VPS will be much higher.

So we need to separate traffic to blocked sites and route only it into the tunnel. Even if some "extra" traffic gets in there, it is still much better than driving everything through the tunnel.

To steer the traffic we will use the BGP protocol and announce routes to the needed networks from our VPS to the clients. Let's take BIRD as one of the most functional BGP daemons.

IP

With blocking by IP everything is clear: we simply announce all blocked IPs from the VPS. The problem is that the list returned by the API contains about 600 thousand subnets, and most of them are /32 hosts. That many routes can confuse weak client routers.

So when processing the list it was decided to summarize to a /24 if it contains 2 or more hosts. This reduced the number of routes to ~100 thousand. The script for this follows below.

Domains

This is more complicated, and there are several ways. For example, you could put a transparent Squid on each client router, do HTTP interception there and peek into the TLS handshake, in order to get the requested URL in the first case and the domain from SNI in the second.

But with all the newfangled TLS 1.3 + eSNI, HTTPS analysis becomes less realistic every day. And the infrastructure on the client side gets more complicated: you would have to use at least OpenWRT.

So I decided to go down the path of intercepting responses to DNS queries. Here, too, all sorts of DNS-over-TLS/HTTPS are starting to fly over your head, but we can (for now) control this part on the client: disable it, or use your own server for DoT/DoH.

How to intercept DNS?

Here, too, there are several approaches.

  • Intercept DNS traffic via PCAP or NFLOG
    Both of these interception methods are implemented in the Sidmat utility. But it has not been maintained for a long time and its functionality is too primitive, so you would still have to write a harness around it.
  • Analyse DNS server logs
    Unfortunately, the recursors I know of can only log queries, not responses. In principle this is logical: unlike queries, responses have a complex structure and are hard to write out in text form.
  • DNSTap
    Fortunately, many of them already support DNSTap for exactly this purpose.

What is DNSTap?

It is a client-server protocol based on Protocol Buffers and Frame Streams for passing structured DNS queries and responses from a DNS server to a collector. Essentially, the DNS server sends the query and response metadata (message type, client/server IP, etc.) plus the complete DNS messages in the (binary) form in which it exchanges them on the network.

It is important to understand that in the DNSTap paradigm the DNS server acts as the client and the collector as the server. That is, the DNS server connects to the collector, not the other way round.

Today DNSTap is supported by all the popular DNS servers. But BIND, for example, is often built in many distributions (such as Ubuntu LTS) without that support, for some reason. So we will not bother rebuilding it, but take a lighter and faster recursor: Unbound.

How to catch DNSTap?

There are a number of CLI utilities for working with a stream of DNSTap events, but they are poorly suited to solving our problem. So I decided to reinvent the wheel and write a tool that does everything needed: dnstap-bgp

How it works:

  • On startup it loads a list of domains from a text file, inverts them (habr.com -> com.habr), discards broken lines, duplicates and subdomains (i.e. if the list contains both habr.com and www.habr.com, only the first is loaded) and builds a prefix tree for fast lookup in this list
  • Acting as a DNSTap server, it waits for a connection from a DNS server. In principle it supports both UNIX and TCP sockets, but the DNS servers I know of can only use UNIX sockets.
  • Incoming DNSTap packets are first deserialized into a Protobuf structure, and then the binary DNS message itself, located in one of the Protobuf fields, is parsed down to the level of DNS RR records.
  • It checks whether the requested host (or its parent domain) is in the loaded list; if not, the response is ignored.
  • Only A/AAAA/CNAME RRs are selected from the response and the IPv4/IPv6 addresses they carry are extracted.
  • The IP addresses are cached with a configurable TTL and announced to all configured BGP peers
  • When a response pointing to an already cached IP is received, its TTL is refreshed
  • After the TTL expires, the entry is removed from the cache and from the BGP announcements
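As an added example (not dnstap-bgp's own code), here is the domain-list normalisation and prefix-tree lookup from the first and fourth steps above, in Python: domains are inverted label by label, broken lines, duplicates and already-covered subdomains are dropped, and a lookup tells whether a queried host or one of its parents is listed. The class and function names (DomainTree, load_domains) and the sample list are my own constructions, not the tool's.

```python
from typing import Dict, Iterable, List, Optional

END = "."  # key marking "a listed domain ends at this node"

def labels(domain: str) -> List[str]:
    # "www.Habr.com." -> ["com", "habr", "www"]; a leading "*." is stripped
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return d.split(".")[::-1] if d else []

class DomainTree:
    def __init__(self) -> None:
        self.root: Dict = {}
        self.count = 0  # number of domains actually loaded

    def add(self, domain: str) -> bool:
        labs = labels(domain)
        if not labs or "" in labs:      # empty or broken line (e.g. "a..b")
            return False
        node = self.root
        for lab in labs:
            if END in node:             # a parent is already listed: skip
                return False
            node = node.setdefault(lab, {})
        if END in node:                 # exact duplicate
            return False
        # the new entry shadows any of its subdomains loaded earlier
        self.count -= self._ends_below(node)
        node.clear()
        node[END] = True
        self.count += 1
        return True

    def _ends_below(self, node: Dict) -> int:
        return sum(1 if k == END else self._ends_below(v) for k, v in node.items())

    def match(self, host: str) -> Optional[str]:
        # the listed domain covering host (itself or a parent), or None
        node, seen = self.root, []
        for lab in labels(host):
            if END in node:
                break
            if lab not in node:
                return None
            seen.append(lab)
            node = node[lab]
        return ".".join(reversed(seen)) if END in node else None

def load_domains(lines: Iterable[str]) -> DomainTree:
    tree = DomainTree()
    for line in lines:
        tree.add(line)
    return tree

# Constructed sample list (not real RKN data), in the update script's format
SAMPLE_DOMAINS = ["habr.com", "www.habr.com", "*.example.org", "",
                  "bad..line", "Rutracker.ORG.", "forum.test.net", "test.net"]
```

Note that adding test.net after forum.test.net prunes the earlier entry, so the loaded count does not depend on the order of the lines.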

Additional functionality:

  • Re-reading the domain list on SIGHUP
  • Synchronizing the cache with other dnstap-bgp instances over HTTP/JSON
  • Mirroring the cache on disk (in a BoltDB database) to restore its contents after a restart
  • Support for switching into another network namespace (why this is needed is described below)
  • IPv6 support

Limitations:

  • IDN domains are not supported
  • Few BGP settings

I have built RPM and DEB packages for easy installation. They should work on all recent OSes with systemd. They have no dependencies.

Scheme

So let's start putting it all together. In the end we should get something like this network topology:
[diagram: network topology]

The logic of operation, I think, is clear from the diagram:

  • The client has our server configured as its DNS, and DNS queries must also go over the VPN. This is necessary so that the provider cannot use DNS interception for blocking.
  • When opening a site, the client sends a DNS query like "what are the IPs of xxx.org"
  • Unbound resolves xxx.org (or takes it from the cache) and sends the client the response "xxx.org has such and such IPs", duplicating it via DNSTap
  • dnstap-bgp announces these addresses to BIRD via BGP if the domain is in the blocked list
  • BIRD announces a route to these IPs with next-hop self to the client router
  • Subsequent packets from the client to these IPs go into the tunnel

On the server, for routes to blocked addresses, I use a separate table inside BIRD that does not intersect with the OS in any way.

This scheme has a drawback: the first SYN packet from the client will most likely manage to leave via the home provider, because the route is not announced instantly. And here the options depend on how the provider does the blocking. If it simply drops the traffic, there is no problem. But if it redirects it to some DPI, then (theoretically) special effects are possible.

It is also possible that clients do not respect the DNS TTL magic, which can lead to the client using stale entries from its rotten cache instead of asking Unbound.

In practice, neither the first nor the second has bothered me, but your mileage may vary.

Server setup

For ease of rollout I wrote an Ansible role. It can configure both servers and clients based on Linux (designed for deb-based distributions). All the settings are quite obvious and are set in inventory.yml. This role is cut out of my big playbook, so it may contain errors; pull requests welcome 🙂

Let's go through the main points.

BGP

Running two BGP daemons on one host has a fundamental problem: BIRD does not want to set up BGP peering with localhost (or any local interface). At all. Googling and reading the mailing lists did not help; they claim it is by design. Maybe there is some way, but I did not find it.

You could try another BGP daemon, but I like BIRD and use it everywhere, and I do not want to multiply entities.

As a result, I hid dnstap-bgp inside a network namespace that is connected to the root namespace through a veth interface: it is like a pipe whose ends stick out into different namespaces. On each of these ends we hang private p2p IP addresses that never leave the host, so they can be anything. This is the same mechanism used to reach processes inside everyone's beloved Docker and other containers.

For this a script was written, and the functionality described above, for pulling itself by the hair into another namespace, was added to dnstap-bgp. Because of this it must run as root, or the binary must be granted CAP_SYS_ADMIN via the setcap command.

Example script for creating the namespace

#!/bin/bash

NS="dtap"

IP="/sbin/ip"
# Runs ip inside the namespace
IPNS="$IP netns exec $NS $IP"

# veth pair: the -r end stays in the root namespace, the -ns end moves into $NS
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"

# Private p2p addresses for the two ends of the pipe
IP_R="192.168.149.1"
IP_NS="192.168.149.2"

/bin/systemctl stop dnstap-bgp || true

# Recreate the namespace from scratch
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS

$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS

# Root side: our address, with the namespace end as the peer
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up

# Namespace side: the reverse
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up

/bin/systemctl start dnstap-bgp

dnstap-bgp.conf

namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"

[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"

[bgp]
as = 65000
routerid = "192.168.149.2"

peers = [
    "192.168.149.1",
]

bird.conf

router id 192.168.1.1;

table rkn;

# Clients
protocol bgp bgp_client1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.2 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    export all;
    import none;
}

# DNSTap-BGP
protocol bgp bgp_dnstap {
    table rkn;
    local as 65000;
    neighbor 192.168.149.2 as 65000;
    direct;
    passive on;
    rr client;
    import all;
    export none;
}

# Static routes list
protocol static static_rkn {
    table rkn;
    include "rkn_routes.list";
    import all;
    export none;
}

rkn_routes.list

route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...

AppArmor profile

By default in Ubuntu the Unbound binary is shackled by an AppArmor profile that forbids it from connecting to any DNSTap sockets. You can either delete this profile or disable it:

# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound

This probably needs to be added to the playbook. The proper thing, of course, would be to fix the profile and grant the required permissions, but I was too lazy.

unbound.conf

server:
    chroot: ""
    port: 53
    interface: 0.0.0.0
    root-hints: "/var/lib/unbound/named.root"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    access-control: 192.168.0.0/16 allow

remote-control:
    control-enable: yes
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-send-identity: no
    dnstap-send-version: no

    dnstap-log-client-response-messages: yes

Downloading and processing the lists

Script for downloading and processing the list of IP addresses
It downloads the list and summarizes it to the prefix pfx. In dont_add and dont_summarize you can specify IPs and networks to skip and not summarize. I needed it: my VPS's subnet turned out to be in the list 🙂

Funnily enough, the RosKomSvoboda API blocks requests with the default Python user agent. Apparently script kiddies have gotten to them. So we change it to Firefox.

For now it works only with IPv4. The share of IPv6 is small, but it will be easy to fix. Unless you also have to use bird6.

rkn.py

#!/usr/bin/python3

import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'

# Networks that must not be summarized: their hosts are emitted as /32
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses to skip entirely (e.g. your VPS's own subnet)
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}

req = urllib.request.Request(
    url,
    data=None, 
    headers={
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))

prefix32 = ipa.IPv4Address('255.255.255.255')

# r maps an output network (or a single address) to [first address, host count]
r = {}
for i in ips:
    ip = ipa.ip_network(i)
    if not isinstance(ip, ipa.IPv4Network):
        continue

    addr = ip.network_address

    if addr in dont_add:
        continue

    m = ip.netmask
    if m != prefix32:
        # An explicit subnet is always emitted as-is: a count of 2 marks it
        # as a network even if no /32 host from it is seen
        r[ip] = [addr, 2]
        continue

    sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)

    if sn in dont_summarize:
        tgt = addr
    else:
        tgt = sn

    if tgt not in r:
        r[tgt] = [addr, 1]
    else:
        r[tgt][1] += 1

# A lone host in its /pfx stays a /32, otherwise the whole network is emitted
o = []
for n, v in r.items():
    if v[1] == 1:
        o.append(str(v[0]) + '/32')
    else:
        o.append(str(n))

for k in o:
    print(k)

Update script
I run it from cron once a day; perhaps it is worth pulling it every 4 hours or so. That, as I understand it, is the update period RKN demands of providers. Besides, they have some other super-urgent blocks that may arrive sooner.

It does the following:

  • Runs the first script and builds the route list (rkn_routes.list) for BIRD
  • Reloads BIRD
  • Updates and cleans the domain list for dnstap-bgp
  • Reloads dnstap-bgp

rkn_update.sh

#!/bin/bash

# Without pipefail $? only reflects sed, so a failed rkn.py would go unnoticed
set -o pipefail

ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes, wrapping each prefix into a BIRD static route
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > $ROUTES.new

if [ $? -ne 0 ]; then
    rm -f $ROUTES.new
    echo "Unable to download RKN routes"
    exit 1
fi

if [ -e $ROUTES ]; then
    mv $ROUTES $ROUTES.old
fi

mv $ROUTES.new $ROUTES

/bin/systemctl try-reload-or-restart bird

# Get domains: strip a leading "*." wildcard and dedupe (curl -f fails on HTTP errors)
curl -sf https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort | uniq > $DOMAINS.new

if [ $? -ne 0 ]; then
    rm -f $DOMAINS.new
    echo "Unable to download RKN domains"
    exit 1
fi

if [ -e $DOMAINS ]; then
    mv $DOMAINS $DOMAINS.old
fi

mv $DOMAINS.new $DOMAINS

/bin/systemctl try-reload-or-restart dnstap-bgp

They were written in a hurry, so if you see something that could be improved, go ahead.

Client setup

Here I will give examples for Linux routers, but in the case of Mikrotik/Cisco it should be even simpler.

First, configure BIRD:

bird.conf

router id 192.168.1.2;
table rkn;

protocol device {
    scan time 10;
};

# Servers
protocol bgp bgp_server1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.1 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    rr client;
    export none;
    import all;
}

protocol kernel {
    table rkn;
    kernel table 222;
    scan time 10;
    export all;
    import none;
}

So we put the routes received via BGP into kernel routing table number 222.

After that it is enough to ask the kernel to look into this table before the default one:

# ip rule add from all pref 256 lookup 222
# ip rule
0:  from all lookup local
256:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

That's it; it remains to configure DHCP on the router to hand out the server's tunnel IP address as the DNS server, and the scheme is ready.

Flaws

With the current algorithm for building and processing the domain list, youtube.com and its CDNs get in, among other things.

This leads to all videos going through the VPN, which can clog the whole channel. Perhaps it is worth composing an exclusion list of popular domains that RKN does not yet have the nerve to block, and dropping them during parsing.

Conclusion

The described method lets you bypass almost all the blocks that providers implement at the moment.

In principle, dnstap-bgp can be used for any other purpose where some level of traffic control by domain name is needed. Just keep in mind that nowadays a thousand sites can hang on the same IP address (behind some Cloudflare, for example), so this method has rather low accuracy.

But for the purpose of bypassing blocks it is quite enough.

Additions, corrections, pull requests: welcome!

Source: www.habr.com
