Getting to know the Cloudflare service at 1.1.1.1 and 1.0.0.1, or "the ranks of public DNS have grown!"


Cloudflare has launched public DNS resolvers at the following addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

It is claimed that a "Privacy first" policy is applied, so users can feel reassured about the confidentiality of their queries.

The service is interesting because, alongside plain DNS, it offers the option of using DNS-over-TLS and DNS-over-HTTPS, which largely protects you from providers eavesdropping on your queries along the request path, and from the statistics gathering, monitoring and ad management that come with it. Cloudflare says the launch date (April 1, 2018, or 04/01 in American notation) was not chosen by chance: on what other day of the year would you present a service of "four ones"?

Since the Habr audience is technically literate, I will put the traditional section "why do we need DNS at all?" at the end of the post, and here I will describe the practically useful part:

How to use the new service?

The simplest way is to enter the DNS server addresses in your DNS client settings (or as the upstream in the settings of the local DNS server you use). Whether it makes sense to replace the usual values, Google DNS (8.8.8.8 and so on) and, to a lesser extent, Yandex's public DNS servers (77.88.8.8 and others like it), with the Cloudflare servers is for you to decide, but the response-time table speaks in favour of the newcomer, since Cloudflare beats all competitors (to be clear: the measurements were made by a third-party service, and the speed seen by a particular client may of course differ).

[image: the response-time comparison table referred to above]

It is far more interesting to work with the new modes in which the query travels to the server over a secure connection (and the response, naturally, comes back over it too): DNS-over-TLS and DNS-over-HTTPS. Unfortunately they are not supported out of the box (the authors' view is "not yet"), but getting them to work in your own software (or even on your device) is not hard.

DNS over HTTPS (DoH)

As the name suggests, communication takes place over an HTTPS channel, which presupposes

  1. the presence of an endpoint; it is located at https://cloudflare-dns.com/dns-query, and
  2. a client that can send queries and receive responses.

Queries can be made in the DNS wire format described in RFC1035 (sent with the HTTP POST and GET methods), or in JSON format (with the HTTP GET method). Personally, the idea of making DNS queries via HTTP requests struck me as unexpected, but there is a rational grain in it: such a query passes through traffic-filtering systems, the responses are easy to parse, and forming the queries is even easier. Security is the job of the usual libraries and protocols.

Example queries, straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Obviously, few (if any) home routers can talk DNS like this, but that does not mean support will not appear tomorrow; and, interestingly, we can easily implement DNS handling this way inside our own application (as Mozilla is already about to do, precisely against Cloudflare's servers).
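To make the wire-format exchange above concrete, here is an added example (my own code, not Cloudflare's). It builds the same 33-byte query for www.example.com that the curl examples carry in the dns= parameter, encodes it as the unpadded base64url that the GET form requires, and parses the 49-byte response from the hexdump, following the compression pointer in the answer name and rejecting a reply whose transaction ID does not match the query. The sample bytes are copied from the documentation excerpt above; resolve_over_doh is the only function that touches the network and uses the endpoint and ct= value quoted in the article.

```python
import base64
import struct
import urllib.request
from typing import List, Tuple

# Added example, not Cloudflare's code. Endpoint and ct= value are the ones quoted
# in the article; the sample query/response bytes are copied from its hexdumps.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
WIRE_CT = "application/dns-udpwireformat"
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as RFC 1035 labels: 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query: 12-byte header with RD set, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def to_doh_param(query: bytes) -> str:
    """The GET dns= value: base64url with '=' padding removed (it would need URL escaping)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_get_url(query: bytes) -> str:
    return f"{DOH_ENDPOINT}?ct={WIRE_CT}&dns={to_doh_param(query)}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier offset
            if not jumped:
                end = off + 2                 # the pointer itself occupies 2 bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                     # refuse pointer loops in a hostile message
                raise ValueError("too many compression pointers")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes, expected_txid: int) -> List[Tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer; reject a reply that is not ours."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def resolve_over_doh(name: str, txid: int = 0xABCD) -> List[Tuple[str, int, int, str]]:
    """Live lookup (needs network): GET the query and parse the wire-format body."""
    query = build_query(txid, name)
    req = urllib.request.Request(doh_get_url(query), headers={"Accept": WIRE_CT})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read(), txid)


# The 49-byte response from the documentation hexdump above (ID 0xabcd, one A record).
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd8180000100010000000003777777" "076578616d706c6503636f6d00000100"
    "01c00c0001000100000a8b00045db8d8" "22")

if __name__ == "__main__":
    q = build_query(0xABCD, "www.example.com")
    print(doh_get_url(q))                     # the same URL the curl GET example uses
    print(parse_response(SAMPLE_RESPONSE, 0xABCD))
```

The transaction-ID check matters less over DoH than over plain UDP, where it is one of the few defences against a spoofed reply, but keeping it costs nothing and catches a resolver or proxy that answers the wrong query. The pointer-hop limit is there because a compressed name in a hostile response can point at itself and otherwise loop the parser forever.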

DNS over TLS

By default, DNS queries are transmitted without encryption. DNS over TLS is a way of sending them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as prescribed by RFC7858. A certificate issued for the host cloudflare-dns.com is used; TLS 1.2 and TLS 1.3 are supported.

Establishing a connection and working with the protocol goes like this:

  • Before connecting to the DNS server, the DNS client stores a base64-encoded SHA256 hash for the cloudflare-dns.com TLS certificate (the so-called SPKI pin)
  • The DNS client establishes a TCP connection to cloudflare-dns.com:853
  • The DNS client initiates the TLS handshake
  • During the TLS handshake, the host cloudflare-dns.com presents its TLS certificate
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which prevents eavesdropping on, and tampering with, queries and responses
  • All DNS queries sent over the TLS connection must follow the same specification as DNS over TCP

Example of a query via DNS over TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
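The handshake steps listed above, as an added example (my own code, not kdig's or Cloudflare's) using only Python's standard library: a TCP connection to 1.1.1.1:853, a TLS handshake with the SNI name cloudflare-dns.com and normal CA validation, a comparison of the presented key against the stored SPKI pin before any query is sent, and then the two-byte length framing that DNS over TCP, and hence DNS over TLS, requires. The pin string is the one kdig printed for certificate #1 above and is assumed to still be current; it changes when the certificate is rotated. extract_spki is a minimal DER walker; the constructed certificate skeleton at the end exists only so the walker can be exercised offline, and is not a real certificate.

```python
import base64
import hashlib
import socket
import ssl
import struct

# Added example, not kdig's or Cloudflare's code. Server, port and SNI name are from the
# article; the pin is the one kdig printed above for certificate #1 (assumed current).
DOT_SERVER = ("1.1.1.1", 853)
DOT_SNI = "cloudflare-dns.com"
EXPECTED_PINS = {"yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="}


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS framing: a 2-byte big-endian length precedes every message."""
    return struct.pack("!H", len(msg)) + msg


def der_tlv(data: bytes, off: int):
    """Read one DER tag/length; returns (tag, value_start, value_end)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                         # long form: low bits = byte count of the length
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, off, off + length


def der_children(data: bytes, start: int, end: int):
    """Yield (tag, raw_tlv_bytes) for each element inside a SEQUENCE body."""
    off = start
    while off < end:
        tag, _vs, ve = der_tlv(data, off)
        yield tag, data[off:ve]
        off = ve


def extract_spki(cert_der: bytes) -> bytes:
    """Pull the SubjectPublicKeyInfo TLV out of a DER X.509 certificate.
    Certificate = SEQ{tbs, sigAlg, sig}; TBS = SEQ{[0] version OPT, serial, sigAlg,
    issuer, validity, subject, subjectPublicKeyInfo, ...}."""
    _, cs, ce = der_tlv(cert_der, 0)
    _, tbs = next(der_children(cert_der, cs, ce))
    _, ts, te = der_tlv(tbs, 0)
    fields = [raw for _tag, raw in der_children(tbs, ts, te)]
    if fields and tbs[ts] == 0xA0:            # explicit version tag present: drop it
        fields = fields[1:]
    return fields[5]


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the format of the 'SHA-256 PIN' lines in the kdig output."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def connect_dot(server=DOT_SERVER, sni=DOT_SNI, pins=EXPECTED_PINS) -> ssl.SSLSocket:
    """TCP to :853, TLS handshake with SNI and CA validation, then the pin check."""
    ctx = ssl.create_default_context()        # validates the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls = ctx.wrap_socket(socket.create_connection(server, timeout=5), server_hostname=sni)
    if spki_pin(tls.getpeercert(binary_form=True)) not in pins:
        tls.close()                           # never send a query to an unpinned key
        raise ssl.SSLError("presented key does not match the pinned SPKI")
    return tls


def query_over_dot(wire_query: bytes, **kw) -> bytes:
    """Send one RFC 1035 wire-format query; return the raw response (needs network)."""
    tls = connect_dot(**kw)
    try:
        tls.sendall(frame_tcp(wire_query))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = tls.recv(4096)
            if not chunk:
                raise ValueError("connection closed mid-message")
            buf += chunk
        return buf[2:2 + struct.unpack("!H", buf[:2])[0]]
    finally:
        tls.close()


def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    return bytes([tag, len(body)]) + body


# Constructed certificate skeleton for an offline check of extract_spki: issuer, subject
# and validity are empty SEQUENCEs and the P-256 point is all zeros, so this is only a
# valid DER layout, not a valid certificate.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
                              + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
                   + _der(0x03, b"\x00\x04" + b"\x00" * 64))
SAMPLE_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                  + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, SAMPLE_TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The pin is checked in addition to, not instead of, CA validation: create_default_context already rejects an untrusted chain or a name mismatch, and the pin then ties the session to the specific key kdig showed, which is what the first bullet of the list above describes. Keep the pin set up to date from a trusted source, or a routine certificate rotation will look like an attack.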

This option looks preferable for local DNS servers serving the needs of a local network or a single user. True, support for the standard is not great so far, but let us hope!
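As an added illustration of that local-resolver setup (not from the article), here is an Unbound forward-zone in Unbound's own configuration syntax that sends every query upstream over DNS over TLS to the four addresses listed at the top of the post, with the authentication name taken from the certificate shown above. It assumes a current Unbound release and a CA bundle at the Debian/Ubuntu path.

```conf
server:
    # CA bundle used to validate the upstream's certificate chain and name
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    # without this line the same forward-addr entries would send queries in the clear
    forward-tls-upstream: yes
    # IP@port#authentication-name: the name is checked against the certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Clients on the local network keep talking plain DNS to the Unbound instance; only the hop from it to Cloudflare is encrypted, so the resolver should sit on a network segment you trust.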

A couple of words of explanation about what we are talking about

The abbreviation DNS stands for Domain Name Service (so "DNS service" is redundant; the acronym already contains the word "service"), and it is used to solve a simple task: to find out which IP address a given host name has. Every time a person clicks a link or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), the person's computer tries to work out which server to send the request to in order to receive the page content. In the case of habrahabr.ru, the answer from DNS will contain the web server's IP address, 178.248.237.68, and the browser will then try to contact the server with that IP address.

In turn, the DNS server, having received the request "what is the IP address of the host named habrahabr.ru?", must decide whether it knows anything about the specified host. If not, it queries other DNS servers around the world and, step by step, tries to find out the answer to the question it was asked. As a result, when the final answer is received, the data found is sent to the waiting client and also stored in the DNS server's own cache, which lets it answer the same question much faster next time.

The usual problems are these. First, DNS lookup data is transmitted in the clear, so anyone with access to the traffic stream can pick out the DNS queries and the responses to them and then analyse them for their own purposes; this, for example, allows advertising to be targeted precisely at that DNS client, and that is a lot! Second, some ISPs (we won't point fingers, but they are not the smallest ones) show advertising instead of the requested page, which is implemented very simply: instead of the IP address that belongs to the host name habrahabr.ru, an ordinary user receives the address of the ISP's web server, which serves a page containing the advertising. Third, there are ISPs that implement the blocking of individual websites, as required of them, by replacing the correct DNS responses containing the IP addresses of the blocked web resources with the IP address of their own server hosting stub pages (as a result, reaching such sites becomes noticeably harder), or with the address of their proxy server that performs the filtering.

It is probably worth placing here a picture from the site http://1.1.1.1/ that illustrates the attitude to the service. The authors, as you can see, are quite confident in the quality of their DNS (though it is hard to expect anything else from Cloudflare):

[image from http://1.1.1.1/]

Cloudflare, the creator of the service, is easy to understand: the company earns its living by running and developing one of the most popular CDN networks in the world (whose functions include not only content distribution but also hosting DNS zones), and, because some people who do not know any better feel entitled to teach others where they may and may not go on the world wide web, it regularly suffers from having its server addresses blocked by those we shall not name. Having a DNS that is not swayed by the "noise, shouting and scribbling" therefore means less damage to the company's business. And the technical advantages (a small thing, but a pleasant one: in particular, for clients of Cloudflare's free DNS hosting, updates to the DNS records of resources hosted on the company's DNS servers will propagate instantly) let users benefit from the service described in this post right away.


Will you use the new service?

  • Yes, by setting it in the OS and/or on the router

  • Yes, and I will use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, my current servers are enough for me (a public provider: Google, Yandex, etc.)

  • No, I don't even know what I am using now

  • I use my own recursive DNS with an SSL tunnel in front of it

693 users voted. 191 users abstained.

Source: www.habr.com
