Meet Cloudflare's service at 1.1.1.1 and 1.0.0.1, or "the public DNS shelf has arrived!"


Cloudflare has launched a public DNS resolver at the following addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

The company states that a "Privacy first" policy applies, so that users can be confident about the confidentiality of their queries.

The service is interesting because, in addition to ordinary DNS, it offers DNS-over-TLS and DNS-over-HTTPS. Both quite effectively stop providers along the path from reading your queries, and thus from collecting statistics, monitoring you, and steering advertising. Cloudflare claims the announcement date (April 1, 2018, or 04/01 in American notation) was not chosen by chance: on what other day of the year would one present "four ones"?

Since the Habr audience is technically literate, I will put the traditional "why do we need DNS at all?" section at the end of the article, and here I will describe the more practically useful things:

How to use the new service?

The simplest way is to specify the addresses above as DNS servers in your DNS client (or as upstreams in the settings of the local DNS server you use). Is it worth replacing the usual Google DNS (8.8.8.8 and so on) or the less popular Yandex public DNS servers (77.88.8.8 and its siblings) with Cloudflare's servers? Decide for yourself, but one argument in favour of the newcomer is response speed: Cloudflare works faster than all of its competitors (to be precise: the measurements were made by a third-party service, and the speed for any particular client will of course differ).


It is far more interesting to work with the new modes in which the query travels to the server over an encrypted connection (and, strictly speaking, the response returns over it), namely DNS-over-TLS and DNS-over-HTTPS. Unfortunately they are not supported out of the box (the authors believe this is only "for now"), but configuring them in your software (or even on your hardware) is not difficult:

DNS over HTTPS (DoH)

As the name suggests, communication happens over an HTTPS channel, which means that

  1. there is an endpoint, located at https://cloudflare-dns.com/dns-query, and
  2. a client can send queries to it and receive responses.

The query can be in the DNS wire format defined in RFC 1035 (sent with the POST or GET HTTP methods), or in JSON format (GET only). Personally, the idea of making DNS queries via HTTP requests struck me as unexpected, but there is a rational grain in it: such a request passes through most traffic filters, parsing the response is very simple, and generating the request is even simpler. Security is handled by well-known libraries and protocols (TLS and the HTTP stack) rather than by anything DNS-specific.

Example queries, taken straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON (the query below asks for the A record, which is what the response shows)

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=A'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Obviously, few (if any) home routers can work with DNS in this way, but that does not mean support will not appear tomorrow. What is interesting is that it lets us easily work with DNS directly inside our own application (as Mozilla is already planning to do, and specifically against Cloudflare's servers).

DNS over TLS

By default, DNS queries are sent without encryption. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as described in RFC 7858. It uses the certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing the connection and working within the protocol goes like this:

  • Before connecting, the DNS client stores the base64-encoded SHA-256 hash of the SubjectPublicKeyInfo (SPKI) of cloudflare-dns.com's TLS certificate, the "SHA-256 PIN" that kdig prints in the example below. (A client that relies on the normal CA chain and hostname check can skip the pin; a pinned client is stricter but must refresh the pin when the key rotates.)
  • The DNS client opens a TCP connection to cloudflare-dns.com:853.
  • The DNS client initiates a TLS handshake.
  • During the TLS handshake, the host cloudflare-dns.com presents its TLS certificate, which the client verifies (and, if it pins, compares against the stored SPKI hash).
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which prevents eavesdropping on and spoofing of both queries and responses.
  • Every DNS query sent over the TLS connection must follow the rules for sending DNS over TCP, i.e. each message is prefixed with its two-byte length (RFC 1035, section 4.2.2).
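As an added example (my own code, not from the article and not Cloudflare's), the Python below covers both the wire-format request the DoH section sends with curl and the TCP-style framing the DoT steps above describe: it builds the same 33-byte query the curl examples carry in the `dns=` parameter, parses the 49-byte response from the article's hexdump (embedded as sample input), produces the DoH GET URL, frames a message for DoT, and computes an SPKI pin in the form kdig prints. `query_dot` performs a live lookup and needs network access; everything else runs offline. Names such as `DOH_ENDPOINT`, `DOT_SERVER` and `pin_matches` are my own. One caveat: `ct=application/dns-udpwireformat` is the pre-standard content type the article uses; RFC 8484, published later in 2018, names it `application/dns-message`, while the unpadded base64url `dns=` parameter shown here is the same in both.

```python
# Added example, not code from the article or from Cloudflare: the wire-format
# plumbing shared by DoH and DoT, checked against the 49-byte response that the
# article's curl | hexdump shows for www.example.com.
import base64
import hashlib
import hmac
import socket
import ssl
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # from the article
DOT_SERVER = ("1.1.1.1", 853)                           # RFC 7858 port
TLS_NAME = "cloudflare-dns.com"                         # name on the certificate

# The 49 response bytes from the article's hexdump, embedded so parsing runs offline.
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd81800001000100000000"                    # id abcd, flags 8180, qd 1, an 1
    "03777777076578616d706c6503636f6d0000010001"  # www.example.com. A IN
    "c00c0001000100000a8b00045db8d822"            # ptr->12, A, TTL 2699, 93.184.216.34
)

def build_query(name, qtype=1, txid=0xABCD):
    """One question, class IN, RD set (RFC 1035 section 4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:                     # a looping pointer would spin forever
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off if end is None else end

def parse_response(msg, expected_txid=None):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) for the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or mis-routed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers

def doh_get_url(query):
    """DoH GET form as in the article: base64url with the '=' padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?ct=application/dns-udpwireformat&dns={dns}"

def tcp_frame(query):
    """DoT reuses DNS-over-TCP framing (RFC 1035 4.2.2): 16-bit length prefix."""
    return struct.pack(">H", len(query)) + query

def spki_pin(spki_der):
    """The pin kdig prints: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pin_matches(expected_pin, spki_der):
    """Constant-time comparison so a pin check cannot be probed byte by byte."""
    return hmac.compare_digest(spki_pin(spki_der), expected_pin)

def query_dot(name, qtype=1, timeout=5.0):
    """Live DNS-over-TLS lookup against 1.1.1.1:853 (needs network, not run offline)."""
    ctx = ssl.create_default_context()        # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, qtype)
    with socket.create_connection(DOT_SERVER, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=TLS_NAME) as tls:
            tls.sendall(tcp_frame(query))
            stream = tls.makefile("rb")       # read(n) blocks until n bytes arrive
            (length,) = struct.unpack(">H", stream.read(2))
            return parse_response(stream.read(length), expected_txid=0xABCD)
```

`parse_response(SAMPLE_RESPONSE, expected_txid=0xABCD)` yields the same answer the hexdump encodes: `example.com.` is not involved, the name is `www.example.com.`, type 1 (A), TTL 2699, data `93.184.216.34`. The transaction-id check and the pointer-hop limit are the two things a minimal parser most often omits; the first is what makes off-path spoofing harder even before TLS is involved, the second stops a malicious response from hanging the client.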

Example of a DNS over TLS query:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

This option looks preferable for local DNS servers that serve the needs of a local network or of a single user. Admittedly, support for the standard is not great yet, but let us hope!

A few words about what we are actually talking about

The abbreviation DNS stands for Domain Name System (often expanded as Domain Name Service, which is why "DNS service" sounds redundant), and it solves a simple task: finding out which IP address a given name has. Every time someone clicks a link or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), that person's computer tries to work out which server to send the request to in order to get the page's content. In the case of habrahabr.ru, the DNS response will contain the IP address of the web server, 178.248.237.68, and the browser will then try to contact the server at that IP address.

The DNS server, in turn, having received the query "what is the IP address of the host named habrahabr.ru?", checks whether it already knows anything about that host. If not, it sends queries to other DNS servers around the world and, step by step, works out the answer to the question it was asked. When the final answer is found, the data is sent to the client that is still waiting for it, and it is also stored in the DNS server's own cache, which lets it answer the same question faster next time.

There is a problem with this. First, DNS queries are sent in cleartext (which lets anyone with access to the traffic stream pull out the DNS queries and their responses and then analyse them for their own purposes; among other things this allows advertising to be targeted precisely per DNS client, and that is quite a lot!). Second, some Internet providers (we will not point fingers, but they are not the smallest ones) like to show advertising instead of the page that was actually requested (which is trivially implemented: for a query for the domain habrahabr.ru from some random person, instead of the real IP address the address of the provider's web server is returned, and that server serves a page with the advertising). Third, there are providers that implement the requirement to block access to particular sites by replacing the correct DNS response about the IP address of the blocked web resource with the IP address of their own server that hosts a stub page (so access to such sites becomes noticeably harder), or by directing you to the address of their own DNS server that performs the filtering.

It is worth including a picture from the site http://1.1.1.1/ here, which explains how to connect to the service. The authors are clearly confident in the quality of their DNS (although it would be hard to expect anything else from Cloudflare):

[Image from http://1.1.1.1/: how to connect to Cloudflare's service at 1.1.1.1 and 1.0.0.1]

One can fully understand Cloudflare, the creator of the service: the company earns its bread by supporting and developing one of the most popular CDNs in the world (whose functions include not only content distribution but also hosting DNS zones), and, because of the urge of those who know little to teach those who know nothing about what goes where on the world-wide network, it regularly suffers from blocking of its server addresses by we-will-not-say-whom. So a DNS that is not affected by "hints, tsk-tsks and scribbles" means less risk to the company's business. And a technical advantage (a small one, but a pleasant one: in particular, for clients of Cloudflare's free DNS hosting, updates to DNS records of resources hosted on the company's DNS servers will be visible instantly) makes using the services described in the announcement even more attractive.


Will you use the new service?

  • Yes, I will just set it in the OS and/or on the router

  • Yes, and I will use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, the current servers are enough for me (public providers: Google, Yandex, etc.)

  • No, I do not even know what I am using now

  • I use my own recursive DNS with SSL in front of it


Source: www.hab.com
