Cloudflare (the resolver's addresses):
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
The stated policy is privacy first, so that users can rest easy about the contents of their requests.
What makes the service interesting is that, besides ordinary DNS, it offers DNS-over-TLS and DNS-over-HTTPS, which go a long way towards preventing the providers along a request's path from eavesdropping on requests, collecting statistics, monitoring users, and manipulating advertising. Cloudflare says the announcement date (April 1, 2018, i.e. 04/01 in US notation) was no accident: on what other day of the year would you announce four ones?
Habr's audience is technically literate, so the traditional "why do we need DNS at all?" section has been moved to the end of the post; here we focus on what is of more practical use.
How do you use the new service?
The simplest way is to specify the DNS server addresses above in your DNS client (or as the upstream in the configuration of the local DNS server you use). Replacing the usual values with these is a sensible thing to do.
Far more interesting is using the new modes mentioned above, DNS-over-TLS and DNS-over-HTTPS, in which requests are sent to the server over an encrypted connection (and the responses come back over the same connection). Unfortunately they are not yet widely supported (the author is not aware of anything that supports them out of the box), but getting them to work in software (or hardware) is not difficult.
DNS over HTTPS (DoH)
As the name suggests, communication takes place over an HTTPS channel.
All that is needed is:
- an endpoint, which lives at https://cloudflare-dns.com/dns-query, and
- a client that can send requests to it and receive the responses.
A request can be either in DNS wire format (the standard binary DNS message format) or in JSON; both are shown below. Two caveats when reading the examples: the content type application/dns-udpwireformat comes from the pre-standard draft, whereas the type standardised in RFC 8484 is application/dns-message; and the dns= parameter of a GET request is the base64url encoding of the raw query message, without padding.
Example requests, quoted directly from the documentation:
A GET request in DNS wire format
$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
A POST request in DNS wire format (base64 -D is the macOS spelling of the decode flag; GNU coreutils uses base64 -d)
$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
The same query, but using JSON. Note that the documentation example as quoted asks for type=AAAA while the answer shown is an A record (type 1): read the type from the response rather than assuming it is the one you asked for.
$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "example.com.",
"type": 1
}
],
"Answer": [
{
"name": "example.com.",
"type": 1,
"TTL": 1069,
"data": "93.184.216.34"
}
]
}
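To show what the curl and hexdump lines above actually carry, here is an added Python example (it is not from Cloudflare's documentation or the original post) that builds the same wire-format query for www.example.com, encodes it for the GET form, and parses the 49-byte response from the hexdump, including the 0xC00C compression pointer in the answer. The sample response bytes are copied from the documentation output above; the endpoint URL is the one on the page; the Accept header in doh_get assumes the RFC 8484 media type and is the only part that needs network access.

```python
"""Build a DNS wire-format query, encode it for a DoH GET, and parse the reply."""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
QTYPE = {"A": 1, "AAAA": 28}

# The 49-byte response from the documentation hexdump above (sample data, not live).
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd81800001000100000000"                 # header: id abcd, flags 8180, 1 Q, 1 answer
    "03777777076578616d706c6503636f6d00"       # question name www.example.com
    "00010001"                                 # qtype A, qclass IN
    "c00c0001000100000a8b00045db8d822"         # ptr->12, A, IN, TTL 2699, 4 bytes, 93.184.216.34
)


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str = "A", txid: int = 0xABCD) -> bytes:
    """12-byte header (RD set, one question, nothing else) plus the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(query: bytes) -> str:
    """RFC 8484 GET form: the raw message, base64url-encoded without padding, in dns=."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={dns}"


def doh_get(query: bytes) -> bytes:
    """Send the query over HTTPS and return the raw answer (needs network; not run offline)."""
    import urllib.request
    req = urllib.request.Request(doh_get_url(query), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name starting at off.
    Returns (name, offset just past the name in the section being parsed)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the pointer chain so a hostile message cannot loop forever
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer: 14-bit offset into msg
            if not jumped:
                end = off + 2                 # the section continues after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_id=None) -> dict:
    """Parse header, questions and answers; A records are rendered as dotted quads."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch")   # cheap sanity check against stray replies
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "questions": questions, "answers": answers}
```

Paste the URL that doh_get_url(build_query("www.example.com")) returns into curl and you get the same request as the documentation's GET example; feed the bytes that come back (or SAMPLE_RESPONSE) to parse_response and you get the answer the hexdump encodes by hand.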
Obviously, no sane home router (at least none of those known to the author) can talk to DNS this way yet, but that does not mean such support won't appear tomorrow. What is interesting is that DNS handling can here be implemented entirely inside an application (as already mentioned).
DNS over TLS
By default, DNS queries are sent without any encryption. DNS over TLS is a way of sending them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as the specification requires.
Establishing a connection and operating according to the protocol looks like this:
- Before establishing the DNS connection, the client stores the base64-encoded SHA-256 hash of the SubjectPublicKeyInfo (SPKI) of cloudflare-dns.com's TLS certificate, i.e. a public-key pin.
- The DNS client establishes a TCP connection to cloudflare-dns.com:853.
- The DNS client initiates a TLS handshake.
- During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate, and the client checks it against the stored pin (and, as in any TLS session, against its trusted CAs).
- Once the TLS connection is established, the DNS client can send DNS requests over the secure channel, which prevents eavesdropping on, and tampering with, requests and responses.
- All DNS queries sent over the TLS connection use the DNS-over-TCP message format, i.e. each message is prefixed with its two-byte length.
Example of a request over DNS over TLS:
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2347 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
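The handshake-and-framing sequence above, as an added example that is not part of the original post or of any Cloudflare code: stdlib-only Python implementing the two-byte TCP framing, a TLS connection with SNI set to cloudflare-dns.com, and an SPKI pin check of the kind kdig prints as "SHA-256 PIN". spki_from_cert is a minimal DER walk over the X.509 structure; der_encode exists only so a synthetic, certificate-shaped fixture can be built for offline testing. The server, port and pin value used in the usage note are the ones quoted on this page; whether that pin still matches today is not something the code can know.

```python
"""DNS-over-TLS client pieces: TCP framing, TLS with SNI, and an SPKI pin check."""
import base64
import hashlib
import socket
import ssl
import struct


def frame(msg: bytes) -> bytes:
    """DNS over TCP (and therefore over TLS, RFC 7858) prefixes each message with its
    two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(buf: bytes):
    """Return (message, remaining_bytes) if buf holds one complete framed message,
    otherwise (None, buf) so the caller keeps reading from the socket."""
    if len(buf) < 2:
        return None, buf
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]


def der_tlv(der: bytes, off: int):
    """Read one DER tag/length header at off; returns (tag, header_len, content_len)."""
    tag, first = der[off], der[off + 1]
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        return tag, 2 + nbytes, int.from_bytes(der[off + 2:off + 2 + nbytes], "big")
    return tag, 2, first


def spki_from_cert(der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate by walking
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ... }, ... }."""
    _, hdr, _ = der_tlv(der, 0)                        # Certificate
    off = hdr
    _, hdr, _ = der_tlv(der, off)                      # tbsCertificate
    off += hdr
    tag, hdr, n = der_tlv(der, off)
    if tag == 0xA0:                                    # explicit [0] version, skip if present
        off += hdr + n
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, hdr, n = der_tlv(der, off)
        off += hdr + n
    _, hdr, n = der_tlv(der, off)                      # subjectPublicKeyInfo
    return der[off:off + hdr + n]


def pin_of_spki(spki: bytes) -> str:
    """base64(SHA-256(SPKI)), the form kdig prints as 'SHA-256 PIN'."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    return pin_of_spki(spki_from_cert(cert_der))


def der_encode(tag: int, content: bytes) -> bytes:
    """Tiny DER encoder (short form and two-byte long form) used only to build a
    constructed certificate-shaped fixture for offline tests, never for real traffic."""
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def dot_query(query: bytes, server: str = "1.1.1.1", sni: str = "cloudflare-dns.com",
              expected_pin: str = None, port: int = 853, timeout: float = 5.0) -> bytes:
    """Send one raw DNS message over DoT and return the raw response (needs network).
    The default context verifies the chain against the system CA store and the
    hostname against sni; expected_pin adds the SPKI pin check on top of that."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        if expected_pin is not None and spki_pin(tls.getpeercert(binary_form=True)) != expected_pin:
            raise ssl.SSLError("SPKI pin mismatch for %s" % sni)
        tls.sendall(frame(query))                      # length-prefixed, as over plain TCP
        buf = b""
        while True:
            msg, buf = unframe(buf)
            if msg is not None:
                return msg
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection before a full response")
            buf += chunk
```

A live call looks like dot_query(base64.b64decode("q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"), expected_pin="yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=") with the query and leaf pin from the examples above. The pin is bound to the current leaf key, so hard-coding a single value will break as soon as Cloudflare rotates the key; treat it as an extra check on top of normal chain and hostname validation, not as a replacement for it.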
This option seems best suited to a local DNS server serving a local network or a single user. Admittedly, support for the standard is not great yet, but let's hope.
What this is all about, in brief
The abbreviation DNS stands for Domain Name System (so saying "DNS system" is redundant, since the abbreviation already contains the word "system"). It solves a simple task: finding out which IP address belongs to a given host name. When a user clicks a link or types an address into the browser's address bar (for example, habrahabr.ru), the DNS server that receives the request "what is the IP address of the host named habrahabr.ru?" first decides whether it already knows something about that host. If it does not, it sends requests to other DNS servers around the world and works its way towards the answer step by step. Once the final answer is found, the data is sent to the client that is still waiting for it and is also stored in the DNS server's own cache, so that the next similar question can be answered immediately.
The problem is, first, that DNS query data is sent in plaintext (which lets anyone with access to the traffic flow pick out the DNS queries and their responses and analyse them for their own purposes; the ability to target advertising precisely at a DNS client, for instance, is a very valuable one). Second, some ISPs (no names, but not the smallest ones) have a habit of showing advertising instead of the requested page. This is very easy to implement: for a query about habranabr.ru (the typo in the host name is deliberate, i.e. a name that does not exist), instead of a "no such name" answer the resolver returns the address of the provider's web server, which serves a page full of ads. Third, there are access providers that satisfy demands to block individual sites by replacing the correct DNS answer for the blocked resource's IP address with the address of a server holding a stub page (which, as a result, makes reaching such sites noticeably harder) or with the address of a proxy server that performs the filtering.
[Image: presumably a screenshot of a blocked site's stub page]
Cloudflare, the creator of the service, is easy to understand. They make their living by maintaining and developing one of the world's most popular CDN networks (which involves not only delivering content but also hosting DNS zones), and a global network frequently suffers from the problem of its server addresses being blocked (no names here either). So for the company, having a DNS that is unaffected by all the shouting, whistling and scribbling means less damage to the business. The technical advantages (a small thing, but a nice one: in particular, for clients of Cloudflare's free DNS hosting, updates to DNS records of resources hosted on the company's DNS servers take effect immediately) make the service described in this post even more interesting.
Only registered users can take part in the poll.
Will you use the new service?
- Yes, simply by specifying it in the OS or on the router
- Yes, using the new protocols (DNS over HTTPS and DNS over TLS)
- No, my current servers are good enough (public providers: Google, Yandex, etc.)
- No, I don't even know what I am using now
- I use a recursive DNS and an SSL tunnel
693 users voted. 191 users abstained.
Source: habr.com