I know this topic has already been covered many times. There is, for example, an excellent one already.
Because the courts and RKN block things left and right, and providers try hard not to fall under the fines that Revizorro hands out, the collateral damage from blocking is considerable. And among the "lawfully" blocked sites there are plenty of useful ones (hello, rutracker).
I live outside RKN's jurisdiction, but my parents, relatives and friends stayed at home. So I decided to come up with a simple way of getting around the blocks that even people far from IT could use without effort.
This note does not walk through networking basics step by step; it describes the general principles of how the scheme is put together. Knowledge of how networks work in general, and on Linux in particular, is therefore required.
Types of blocking
First, let's recall what exactly gets blocked.
The XML dump from RKN contains several types of blocks:
- IP
- Domain
- URL
For simplicity we reduce these to two, IP and domain, and for URL blocks we simply extract the domain (more precisely, that has already been done for us).
The good people at RosKomSvoboda provide an API for both:
- IP addresses: https://api.reserve-rbl.ru/api/v2/ips/json
- Domains: https://api.reserve-rbl.ru/api/v2/domains/json
Access to blocked sites
For this you need a small VPS abroad, preferably with unmetered traffic; these can often be had for 3 to 5 dollars. It should be connected somewhere close to "abroad" so that the ping does not get too large, keeping in mind that the internet and geography do not always agree. And since there is no SLA at 5 dollars, for fault tolerance it is worth buying two or more from different providers.
Next, an encrypted tunnel from the client router to the VPS has to be set up. I use Wireguard as the simplest and most straightforward to set up. I have a Linux-based client router.
Identifying and redirecting the traffic of interest
Of course, you could send all internet traffic abroad. But most likely the speed of working with local content would suffer badly from that, and the bandwidth requirements on the VPS would be much higher.
So the traffic to blocked sites has to be singled out somehow and sent through the tunnel selectively. Even if some amount of "extra" traffic ends up there, that is still far better than pushing everything through the tunnel.
To steer the traffic we use the BGP protocol and announce routes to the required networks from the VPS to the clients. As the BGP daemon let's take BIRD, one of the most functional and convenient ones.
IP
With blocking by IP everything is clear: we simply announce all blocked IPs from the VPS. The problem is that the list returned by the API contains around 6 million subnets, most of them /32 hosts. That many routes can overwhelm a weak client router.
So when processing the list I decided to summarize down to a /24 network whenever it contains 2 or more hosts. That brought the number of routes down to about 100 thousand. The script (rkn.py) is given below.
Domains
This is more complicated, and there are several options. For instance, you could install a transparent Squid on every client router and do HTTP interception there, peeking into the TLS handshake to get the requested URL in the first case and the domain from the SNI in the second.
But with all the new TLS 1.3 + eSNI stuff, HTTPS analysis is becoming less realistic by the day. And the client-side infrastructure gets more complicated: you would need at least OpenWRT.
So I decided to go down the path of intercepting responses to DNS queries. Here, too, DNS-over-TLS / HTTPS looms overhead, but this part we can (for now) control on the client: either disable it or use our own server for DoT / DoH.
How do we intercept DNS?
Again, several approaches are possible.
- Intercepting DNS traffic via PCAP or NFLOG
Both of these interception methods are implemented in the utility sidmat. But it has not been maintained for a long time and its functionality is very primitive, so you would still have to build a harness around it.
- Analyzing DNS server logs
Unfortunately, the recursors I know of cannot log responses, only requests. In principle that is logical: unlike requests, responses have a complex structure and are hard to write out in text form.
- DNSTap
Fortunately, many of them already support DNSTap for exactly this purpose.
What is DNSTap?
It is a client/server protocol based on Protocol Buffers and Frame Streams for transferring structured DNS queries and responses from a DNS server to a collector. Essentially, the DNS server sends, in addition to the metadata of the query and response (message type, client/server IP, etc.), the complete DNS message in the (binary) form in which it travels over the network.
It is important to understand that in the DNSTap paradigm the DNS server acts as the client and the collector as the server. That is, the DNS server connects to the collector, not the other way round.
DNSTap is currently supported by all popular DNS servers. However, BIND in many distributions (e.g. Ubuntu LTS) is for some reason often built without it. So rather than bother rebuilding it, let's take a lighter and faster recursor, Unbound.
How do we catch DNSTap?
There is
How it works:
- On startup it reads the list of domains from a text file, reverses them (habr.com -> com.habr), discards malformed lines, duplicates and subdomains (i.e. if the list contains both habr.com and www.habr.com, only the first is loaded), and builds a prefix tree for fast lookup in this list.
- It acts as a DNSTap server and waits for connections from the DNS server. In principle it supports both UNIX and TCP sockets, but the DNS servers I know of can only use UNIX sockets.
- Incoming DNSTap packets are first deserialized into the Protobuf structure, then the binary DNS message itself, found in one of the Protobuf fields, is parsed down to the level of DNS RR records.
- It checks whether the requested host (or its parent domain) is in the loaded list; if not, the response is ignored.
- Only A/AAAA/CNAME RRs are selected from the response, and the corresponding IPv4/IPv6 addresses are extracted from them.
- The IP addresses are cached with a configurable TTL and advertised to all configured BGP peers.
- When a response containing an already cached IP arrives, its TTL is refreshed.
- Once the TTL expires, the entry is removed from the cache and from the BGP announcements.
Additional features:
- Re-reading the domain list on SIGHUP
- Synchronizing the cache with other dnstap-bgp instances via HTTP/JSON
- Duplicating the cache on disk (in a BoltDB database) so that its contents are restored after a restart
- Support for switching to a different network namespace (why this is needed is explained below)
- IPv6 support
Limitations:
- IDN domains are not supported yet
- Few BGP settings
I built
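The list loading, prefix-tree match and TTL cache from the algorithm above, as an added Python example (not dnstap-bgp's own code): it assumes the DNSTap/Protobuf parsing has already produced the query name and the answer records, and uses a constructed sample list.

```python
def load_domains(lines):
    """Prefix tree over reversed labels; skips bad lines, dupes, subdomains."""
    names = set()
    for line in lines:
        d = line.strip().lower().rstrip('.')
        if d and '..' not in d and not d.startswith('.') and ' ' not in d:
            names.add(d)
    tree = {}
    for d in sorted(names, key=lambda s: s.count('.')):  # parents first
        node, covered = tree, False
        for label in reversed(d.split('.')):  # habr.com -> com, habr
            if '$' in node:  # a parent is already listed: skip this one
                covered = True
                break
            node = node.setdefault(label, {})
        if not covered:
            node['$'] = True  # end-of-domain marker
    return tree

def is_listed(tree, host):
    """True if host or any of its parent domains is in the tree."""
    node = tree
    for label in reversed(host.lower().rstrip('.').split('.')):
        if '$' in node:
            return True
        node = node.get(label)
        if node is None:
            return False
    return '$' in node

class AnnounceCache:
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}  # address -> expiry time
    def observe(self, tree, qname, answer, now):
        """One response (qname, [(rrtype, value), ...]) -> new IPs to announce."""
        new = []
        if not is_listed(tree, qname):
            return new  # not on the list: the whole response is ignored
        for rtype, value in answer:
            if rtype in ('A', 'AAAA'):  # CNAME and others carry no address
                if value not in self.entries:
                    new.append(value)
                self.entries[value] = now + self.ttl  # add, or refresh TTL
        return new
    def expire(self, now):
        """Addresses whose TTL ran out; these are withdrawn from BGP."""
        gone = sorted(ip for ip, exp in self.entries.items() if exp <= now)
        for ip in gone:
            del self.entries[ip]
        return gone

SAMPLE_DOMAINS = ["habr.com", "www.habr.com", "rutracker.org", "", "bad line"]  # constructed
```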
The scheme
Now let's put all the components together. The result should be a network topology like this:
I think the logic of operation is clear from the diagram:
- The client has the server configured as its DNS, and DNS queries must also go through the VPN. This is necessary so that the provider cannot use DNS interception for blocking.
- When opening a site, the client sends a DNS query like "what is the IP of xxx.org".
- Unbound resolves xxx.org (or fetches it from cache) and sends the response "xxx.org has these IPs" to the client, duplicating it in parallel via DNSTap.
- If the domain is on the blocklist, dnstap-bgp announces these addresses to BIRD via BGP.
- BIRD advertises the route to these IPs with next-hop self to the client router.
- Subsequent packets from the client to these IPs go through the tunnel.
On the server, a separate table inside BIRD is used for the routes to blocked sites, and it does not intersect with the OS at all.
This scheme has a drawback: the first SYN packet from the client will most likely already have gone out through the domestic provider, since the route is not announced instantly. What happens then depends on how the provider blocks. If the traffic is simply dropped, there is no problem. But if it is redirected to some kind of DPI, (in theory) special effects are possible.
It is also possible that the client does not respect DNS TTLs, in which case it may use a stale entry from its own rotten cache instead of asking Unbound.
In practice I have run into neither the first nor the second problem, but your mileage may vary.
Setting up the server
To make rolling it out easier, I wrote
Let's look at the main components.
BGP
There is a fundamental problem with running two BGP daemons on the same host: BIRD refuses to set up BGP peering with localhost (or any local interface). At all. Googling and reading the mailing lists did not help; they claim this is by design. Perhaps there is some way, but I did not find one.
I could have tried another BGP daemon, but I like BIRD and use it everywhere, and I do not want to multiply entities.
So I hid dnstap-bgp inside a network namespace, which is connected to the root namespace through a veth interface. This is like a pipe whose ends stick out into different namespaces. Both ends are given private p2p IP addresses that never leave the host, so any addresses can be used. This is the same mechanism used to reach the processes inside everyone's beloved Docker and other containers.
For this, the following was written:
Sample script for creating the namespace
#!/bin/bash
NS="dtap"
IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"
IP_R="192.168.149.1"
IP_NS="192.168.149.2"
/bin/systemctl stop dnstap-bgp || true
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS
$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up
/bin/systemctl start dnstap-bgp
dnstap-bgp.conf
namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"
[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"
[bgp]
as = 65000
routerid = "192.168.149.2"
peers = [
"192.168.149.1",
]
bird.conf
router id 192.168.1.1;
table rkn;
# Clients
protocol bgp bgp_client1 {
table rkn;
local as 65000;
neighbor 192.168.1.2 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
export all;
import none;
}
# DNSTap-BGP
protocol bgp bgp_dnstap {
table rkn;
local as 65000;
neighbor 192.168.149.2 as 65000;
direct;
passive on;
rr client;
import all;
export none;
}
# Static routes list
protocol static static_rkn {
table rkn;
include "rkn_routes.list";
import all;
export none;
}
rkn_routes.list
route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...
DNS
On Ubuntu by default, the Unbound binary is confined by an AppArmor profile that forbids it from connecting to any kind of DNSTap socket. The profile can be deleted or disabled:
# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound
This should probably be added to the playbook. Ideally, of course, one would fix the profile and grant the needed permissions, but I was too lazy.
unbound.conf
server:
chroot: ""
port: 53
interface: 0.0.0.0
root-hints: "/var/lib/unbound/named.root"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
access-control: 192.168.0.0/16 allow
remote-control:
control-enable: yes
control-use-cert: no
dnstap:
dnstap-enable: yes
dnstap-socket-path: "/tmp/dnstap.sock"
dnstap-send-identity: no
dnstap-send-version: no
dnstap-log-client-response-messages: yes
Downloading and processing the lists
A script to download the list and summarize it down to the prefix given in pfx, with dont_add and dont_summarize in which you can specify IPs and networks that should not be added or summarized, respectively. I needed this because the subnet of my VPS turned out to be on the blocklist :)
Amusingly, the RosKomSvoboda API blocks requests with the default Python user agent; apparently the script kiddies got to them. So we change it to a browser one.
For now it only works for IPv4. The IPv6 share is small, but fixing it is easy, unless you happen to need bird6.
rkn.py
#!/usr/bin/python3
import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
# Prefix length that /32 hosts are summarized to
pfx = '24'

# Networks whose /32 hosts must not be summarized (e.g. the one your VPS lives in)
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses that must not be added at all
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}

# The API rejects the default Python user agent, so present a browser one
req = urllib.request.Request(
    url,
    data=None,
    headers={
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))

prefix32 = ipa.IPv4Address('255.255.255.255')

# Networks that are already wider than /32 are passed through unchanged
nets = set()
# key: the summarized /pfx network (or the host itself when not summarized)
# value: [first host address seen, number of hosts seen]
r = {}

for i in ips:
    ip = ipa.ip_network(i)
    if not isinstance(ip, ipa.IPv4Network):
        continue

    addr = ip.network_address

    if addr in dont_add:
        continue

    m = ip.netmask
    if m != prefix32:
        nets.add(ip)
        continue

    sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)
    if sn in dont_summarize:
        tgt = addr
    else:
        tgt = sn

    if tgt not in r:
        r[tgt] = [addr, 1]
    else:
        r[tgt][1] += 1

o = [str(n) for n in nets]
for n, v in r.items():
    if v[1] == 1 or isinstance(n, ipa.IPv4Address):
        # a lone host in its /pfx (or an excluded one) stays a /32
        o.append(str(v[0]) + '/32')
    else:
        o.append(str(n))

for k in o:
    print(k)
I run it every 4 days, but it may be worth pulling it every few hours: as far as I recall, that is the update interval RKN demands from providers. Besides, there are all sorts of super-urgent blocks that may arrive sooner.
The following is done:
- Run the first script and update the list of routes (rkn_routes.list) for BIRD
- Reload BIRD
- Update and clean up the domain list for dnstap-bgp
- Reload dnstap-bgp
rkn_update.sh
#!/bin/bash
# Fail a pipeline if any stage fails, not only the last one
set -o pipefail
ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes, turning every prefix into a BIRD static route
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > $ROUTES.new
if [ $? -ne 0 ]; then
    rm -f $ROUTES.new
    echo "Unable to download RKN routes"
    exit 1
fi

if [ -e $ROUTES ]; then
    mv $ROUTES $ROUTES.old
fi
mv $ROUTES.new $ROUTES
/bin/systemctl try-reload-or-restart bird

# Get domains: strip the leading "*." wildcard, then sort and deduplicate
curl -sf https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort | uniq > $DOMAINS.new
if [ $? -ne 0 ]; then
    rm -f $DOMAINS.new
    echo "Unable to download RKN domains"
    exit 1
fi

if [ -e $DOMAINS ]; then
    mv $DOMAINS $DOMAINS.old
fi
mv $DOMAINS.new $DOMAINS
/bin/systemctl try-reload-or-restart dnstap-bgp
These were written without much thought, so if you see something to improve, go ahead.
Client setup
Here I show an example for a Linux router; with Mikrotik/Cisco it should be even simpler.
First we set up BIRD:
bird.conf
router id 192.168.1.2;
table rkn;
protocol device {
scan time 10;
};
# Servers
protocol bgp bgp_server1 {
table rkn;
local as 65000;
neighbor 192.168.1.1 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
rr client;
export none;
import all;
}
protocol kernel {
table rkn;
kernel table 222;
scan time 10;
export all;
import none;
}
So the routes received over BGP are synced into kernel routing table number 222.
After that it is enough to ask the kernel to consult this table before looking at the default one:
# ip rule add from all pref 256 lookup 222
# ip rule
0: from all lookup local
256: from all lookup 222
32766: from all lookup main
32767: from all lookup default
All that remains is to configure DHCP on the router to hand out the server's tunnel IP address as the DNS server, and the scheme is ready.
Limitations
The current algorithm for generating and processing the domain list includes, among other things, youtube.com and its CDN.
As a result, all video goes through the VPN, which can clog the whole channel. It is probably worth compiling a list of popular exception domains that RKN does not actually block and skipping them during parsing, but I have not got round to it yet.
Summary
The described method lets you bypass almost all of the blocking that providers currently implement.
In principle, dnstap-bgp can also be used for other purposes that need some degree of traffic steering based on domain names. But keep in mind that nowadays a great many sites can hang off the same IP address (e.g. behind some Cloudflare), so the precision of this method is rather low.
But for the task of bypassing blocks this is quite sufficient.
Additions, edits, pull requests: welcome!
Source: habr.com