Meet the Cloudflare service at 1.1.1.1 and 1.0.0.1, or "the ranks of public DNS resolvers have grown!"


Cloudflare has launched a public DNS resolver at the addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

The declared policy is "Privacy first", so that users can stop worrying about who sees the content of their queries.

The service is interesting because, in addition to ordinary DNS, it offers DNS-over-TLS and DNS-over-HTTPS, which largely prevent providers sitting on the path of your queries from eavesdropping on them, collecting statistics, monitoring you and steering advertising. Cloudflare says the announcement date (April 1, 2018, or 04/01 in American notation) was not chosen by accident: on what other day of the year would you release "four ones"?

Since the Habr audience is technically literate, I will put the traditional section "what is DNS for, anyway?" at the end of the post, and here I will state the more useful part:

How to use the new service?

The simplest way is to enter the DNS server addresses above in your DNS client (or as the upstream in the settings of the local DNS server you use). It makes sense to replace the usual Google DNS values (8.8.8.8 and so on), or the somewhat less common Yandex public DNS servers (77.88.8.8 and the like), with Cloudflare's servers: they will do the resolving for you, and judging by the response-time ranking, Cloudflare's servers are faster than all competitors (to be precise: the measurements were taken by a third-party service, and the speed to a specific client may, of course, differ).


It is much more interesting to work with the new flavour of the service, where the query travels to the server over an encrypted connection (and, naturally, the response comes back over it too): the aforementioned DNS-over-TLS and DNS-over-HTTPS. Unfortunately, they are not supported "out of the box" (the authors believe this is only "for now"), but it is not hard to set them up in your own software (or even on your own hardware):

DNS over HTTPS (DoH)

As the name suggests, the exchange takes place over an HTTPS channel, which implies

  1. the existence of an endpoint where queries land: it is located at https://cloudflare-dns.com/dns-query, and
  2. a client that can send queries there and receive the responses.

A query can be in the DNS wire format described in RFC 1035 (sent with either the POST or the GET HTTP method), or in JSON form (using the GET HTTP method). Personally, the idea of making DNS queries through HTTP requests struck me as unexpected, but there is a rational grain in it: such a request passes through most traffic-filtering systems, parsing the responses is simple, and forming the requests is even simpler. Security is left to the usual libraries and protocols.

Example queries, straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Obviously, very few (if even one) home routers can talk DNS this way, but that does not mean support will not appear tomorrow; and, interestingly, this is where we can implement DNS handling inside our own application (as Mozilla is already about to do, precisely with Cloudflare's servers).
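To make the wire-format examples above concrete, here is an added example (my own code, not Cloudflare's or the documentation's) that builds the RFC 1035 query carried in the post's "dns=" parameter, produces the base64url string it shows, and parses the 49-byte reply from the hexdump above, rejecting a reply whose transaction id does not match the query.

```python
import base64
import struct
def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def build_query(name, qtype=1, txid=0xABCD):
    """12-byte header (id, flags=RD, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_param(wire):
    """base64url without '=' padding, the form used in the GET request."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def read_name(msg, off):
    """Decode a name, following compression pointers (the 0xc00c in the reply)."""
    labels, end = [], None
    while (length := msg[off]):
        if length & 0xC0 == 0xC0:                 # pointer: remember where we left
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels) + ".", end or off + 1

def parse_answers(msg, expected_id):
    """Return [(name, type, ttl, rdata_text)]; refuse a reply with a foreign id."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: reply is not for our query")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers

# Reply bytes copied from the hexdump of the GET request in the post.
RESPONSE = bytes.fromhex("abcd8180000100010000000003777777076578616d706c6503636f6d00000100"
                         "01c00c0001000100000a8b00045db8d822")
```

Note that the sample query in the documentation actually asks for www.example.com, which is why the reply's owner name is www.example.com. even though the surrounding text says example.com.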

DNS over TLS

By default, DNS queries are transmitted without encryption. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as described in RFC 7858. It uses a certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing a connection and working according to the protocol looks roughly like this:

  • Before establishing the DNS connection, the DNS client stores the base64-encoded SHA256 hash of the cloudflare-dns.com TLS certificate's public key (the so-called SPKI pin)
  • The DNS client establishes a TCP connection to cloudflare-dns.com:853
  • The DNS client initiates a TLS handshake
  • During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which protects the queries and responses from eavesdropping and spoofing
  • All DNS queries sent over the TLS connection must follow the specification for sending DNS over TCP
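An added example (my own code, not Cloudflare's) of the last steps in that list: RFC 7858 reuses the DNS-over-TCP framing, so each message is prefixed with a 2-byte length and must be reassembled from possibly partial reads; the connection here verifies the certificate chain and the cloudflare-dns.com hostname with the standard library rather than pinning the SPKI hash. The resolver address and port are the ones from the post; the query bytes are the post's base64 sample.

```python
import socket
import ssl
import struct

# Added example (not Cloudflare's code). Function names are my own; the
# resolver 1.1.1.1:853 and the name cloudflare-dns.com come from the post,
# and the sample query is the post's "dns=" parameter decoded.

def frame(wire):
    """RFC 7858 uses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(wire)) + wire

def recv_exact(sock, n):
    """TCP may deliver a message in pieces; keep reading until n bytes arrive."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full DNS message arrived")
        buf += chunk
    return buf

def read_message(sock):
    """Read one length-prefixed DNS message from the (TLS) socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def exchange(sock, query):
    """Send one query and return its reply; reject a reply with a foreign id."""
    sock.sendall(frame(query))
    reply = read_message(sock)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return reply

def dot_query(query, addr="1.1.1.1", server_name="cloudflare-dns.com"):
    """Connect with chain and hostname verification on, then run one exchange."""
    ctx = ssl.create_default_context()            # verify_mode = CERT_REQUIRED
    ctx.check_hostname = True                     # cert must be for server_name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the post: TLS 1.2 and 1.3
    with socket.create_connection((addr, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return exchange(tls, query)

if __name__ == "__main__":
    import base64
    q = base64.urlsafe_b64decode("q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB")
    print(dot_query(q).hex())
```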

An example query over DNS over TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

This option looks best suited to a local DNS server that serves the needs of a local network or a single user. True, support for the standard is not great yet, but let us hope!

A couple of words explaining what all this is about

The abbreviation DNS stands for Domain Name Service (so saying "DNS service" is a little redundant, the abbreviation already contains the word "service"); it is used to solve a simple task: finding out which IP address a given hostname has. Whenever a person clicks a link or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), the person's computer tries to work out which server it should send the request to in order to get the page's content. In the case of habrahabr.ru, the DNS response will contain the IP address of the web server, 178.248.237.68, after which the browser will try to contact the server at that IP address.

The DNS server, in turn, having received the question "what is the IP address of the host named habrahabr.ru?", decides whether it knows anything about that host. If not, it queries other DNS servers around the world and, step by step, tries to find out the answer to the question it was asked. Once the final answer is found, the data is sent to the client waiting for it and is also stored in the DNS server's own cache, which lets it answer the same question much faster next time.

The common problem is that, first, DNS query data is transmitted in the clear (which lets anyone with access to the traffic stream pick out the DNS queries and the answers to them and analyse them for their own purposes; this makes it possible to target advertising precisely at the DNS client, and that is no small thing!). Second, some ISPs (we will not point fingers, but not the smallest ones) like to show advertising instead of the page that was requested (this is implemented very simply: instead of the IP address that belongs to the habrahabr.ru hostname, an unsuspecting user is returned the address of the provider's web server, which serves a page containing advertising). Third, there are Internet providers that implement the requirement to block certain sites by replacing the correct DNS answer about the IP address of the blocked web resource with the IP address of their own server hosting a stub page (as a result of which access to such sites becomes noticeably harder), or with the address of their proxy server that performs the filtering.

Here there should be the picture from the site http://1.1.1.1/ that is used to describe connecting to the service. The authors seem confident in the quality of their DNS (though it would be hard to expect anything else from Cloudflare):


Cloudflare, the creator of the service, is easy to understand: they earn their bread by running and developing one of the most popular CDN networks in the world (whose functions include not only distributing content but also hosting DNS zones), and, because of the desire of those who do not know very well to teach those they do not know where they may go on the global network, they quite often suffer from having their servers' addresses blocked by, let us not say whom. So having a DNS "with all the bells and whistles" that is not affected by this means less damage to the company's business. And the technical advantage (a trifle, but a pleasant one: in particular, for clients of Cloudflare's free DNS hosting, updates to DNS records of resources hosted on the company's DNS servers will be instantaneous) makes using the service described in this post even more attractive.


Will you use the new service?

  • Yes, by configuring it in the OS and/or on the router

  • Yes, I will use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, the server I have now is good enough (this is a public provider: Google, Yandex, etc.)

  • No, I do not know what I use now

  • I use my own DNS resolvers with an SSL tunnel to them

693 users voted. 191 users abstained.

source: www.habr.com
