αααα»αα αα»α Cloudflare
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
αααααΆααααααααααΌαααΆααααα·ααΆαααΆααΆ "ααΆαα―αααααΆαα»ααα·α" ααΌα ααααα’αααααααΎααααΆααα’αΆα ααΆαααΆααααααααααΆαααααα»αα α·αααα’αααΈααααΉαααΆαααααααΎαααααα½αααα
ααααΆαααααα½αα±ααα αΆααα’αΆαααααααα αααα»ααααααααααααΈααΎ DNS ααααααΆααΆαααααααΌααααααααΆααααα»αααΆαααααΎααααΆαααα αα αααα·ααααΆ DNS-over-TLS ΠΈ DNS-over-HTTPS ααααααΉαααΆααΆααα’ααααααααααααΆαααΆαα αααΎαααΈααΆααα½α ααααΆααααααΎααααα’αααααΆααααααααααααΎ - αα·ααααααΌααααα·αα· αααα½ααα·αα·ααα αααααααααααΆαααααΆαααΆαα·αααααααα Cloudflare α’αα’αΆαααΆααΆαααα·α ααααααααΆααααααΆα (ααααααΈ 1 ααααααΆ ααααΆα 2018 α¬ααααααΈ 04/01 ααΆαααααΆαααααΆααααααα’αΆαααα·α) αα·αααααΌαααΆαααααΎαααΎααααα αααααααα ααΎ "αα½αααααΏα" ααΉααααα αΆααα ααααααΆααααααααααααααΆα?
αααααΆααααααα·ααααααα Habr ααΆαααΆαααααααΆαααααααα αα ααααα ααααααααααααΈ "α ααα»α’αααΈααΆαααΆα’αααααααΌαααΆα DNS?" αααα»αααΉαααΆααααΆαα α α»ααααα ααααααΆααααααΆα ααα»αααααα ααΈααααααα»αααΉααααααΆααα’αααΈα’αααΈαααααΆααααααααααααααααααα
ααΎααααΌαααααΎααααΆααααααααΈαααααααααΆ?
α’αααΈαααααΆαααααααα»αααΊααααΌααααααΆααα’αΆααααααΆααααΆαααΈααα DNS ααΆαααΎαα
αααα»ααααΆαααΈαααααα DNS ααααα’ααα (α¬ααΌα
αα
αααα»αααΆαααααααααααΆαααΈααα DNS ααΌαααααΆααααα’αααααααΎ) α ααΎααΆααα ααα»αααααααα»αααΆααααα½ααααααααααααΆα
ααΆαα½αα±ααα αΆααα’αΆααααααααΆααααα»αααΆαααααΎααΆαααΆαα½αααααααααΈαααααααΎα ααα αΎααα ααΆαααααΆαααΈαααααΆααααααΆααααααΆαααααααΆαα’αα·αααααΈα (ααΆααα·α ααΆαααααΎαααααΉααααααααααα·αααΆααααααΆ) DNS-over-TLS αα·α DNS-over-HTTPS αααααΆααααααΆααα ααΆα’αα»αα αα½ααααα·αααααΌαααΆαααΆαααα "αααα αααα’αα" (α’ααααα·ααααααΏααΆααα "αα·αααΆαα") ααα»ααααααΆαα·ααα·ααΆααααα»αααΆααααα αααΆαααΆααααααα½ααααα αααα»ααααααα·ααΈααααα’ααα (α¬ααΌααααΈαααα ααΎαααααααΉαααααα’ααα)α
DNS ααΎ HTTPs (DoH)
ααΌα ααααααααααΆααααα αΆα ααΆαααααΆααααααααΎαα‘αΎαααΎαααααΆα HTTPS αααααΆααααααΆ
- ααααααΆαααα
ααα»α
α
α»αα
α (α
ααα»α
αααα
αα) - ααΆααΆαααΈααΆαααα
α’αΆααααααΆα
https://cloudflare-dns.com/dns-query αα·α - α’αα·αα·αααααα’αΆα ααααΎααααΎ αα·αααα½αααΆαααααΎαααα
ααααΎα’αΆα
ααΆααα
αααα»ααααααα DNS Wireformat αααααΆαααααααααα»α
ααααΎαα»αα§ααΆα ααααααααααΆααααΈα―αααΆαα
ααα½αααααΎααΆαααααα DNS Wireformat
$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
ααααΎαααα αααααα»ααααααα DNS Wireformat
$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
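Added example (not part of the original article): a small Python decoder for the DNS wire format carried in the two requests above. It decodes the base64 `dns=` parameter and the 49-byte reply shown in the hexdump, then checks that the reply answers the question that was asked. The function names are assumptions of this example.

```python
import base64
import struct

# Values copied from the page: the dns= parameter and the hexdump of the reply.
QUERY_B64 = "q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
RESPONSE = bytes.fromhex(
    "ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77"
    "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00"
    "01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8 22")

def decode_query(b64):
    """DoH GET carries the query as base64url; restore any stripped padding."""
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def read_name(msg, off):
    """Decode a name at off, following compression pointers (RFC 1035 4.1.4)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, *struct.unpack_from("!2H", msg, off)))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "qr": flags >> 15, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def response_matches(query, response):
    """A reply must echo the query ID and question section and have QR set."""
    q, r = parse_message(query), parse_message(response)
    return r["qr"] == 1 and q["id"] == r["id"] and q["questions"] == r["questions"]
```

Truncated or malformed input raises `IndexError` or `struct.error`, which a caller should treat as a parse failure.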
ααΌα ααααΆ ααα»ααααααααΎ JSON
$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "example.com.",
"type": 1
}
],
"Answer": [
{
"name": "example.com.",
"type": 1,
"TTL": 1069,
"data": "93.184.216.34"
}
]
}
ααΆααααααα ααααααααααααααααααα½α (ααααα·αααΎαααΆαα αα
ααΆαααα½α) α’αΆα
ααααΎαααΆαααΆαα½α DNS ααΆαααααααα ααα»ααααααααα·αααΆααααααΆααΆαααΆααααααΉααα·αααα
α‘αΎααα
ααααααα’ααααααα - α αΎααα½αα±ααα
αΆααα’αΆαααααααα
ααΈααα ααΎαα’αΆα
α’αα»ααααααΆαααααΎααΆαααΆαα½α DNS αα
αααα»ααααααα·ααΈααααααΎα (ααΌα
ααααα½α
α αΎαα
DNS ααΎ TLS
ααΆαααααΆαααΎα αααα½α DNS ααααΌαααΆααααααΌααααααααΆαααΆαα’αα·αααααΈαα DNS ααΎ TLS ααΊααΆαα·ααΈαα½αααΎααααΈαααααΌααα½αααααΆαααΆααααααΆαααααααΆααα»ααααα·ααΆαα Cloudflare ααΆαααα DNS ααΎ TLS αα
ααΎα
ααααααααααΆα 853 ααΌα
αααααΆαααααα
ααΆαβαααααΎαβααΆαβαααααΆααβαα·αβααΆαβααααΎβααΆαβαααβαααβααΆαβαα·ααΈααΆαβααΆαβα’αααΈβαα½αβααΌα βαααβ:
- αα»αααααααααΎαααΆαααααΆαα DNS α’αα·αα·αααααααΆαα»αααΌα SHA64 αααααΆαα’αα·αααΌα base256 αααα·ααααΆαααααα TLS αααα cloudflare-dns.com (α α ααΆ SPKI)
- αααΆαααΈαααααα DNS αααααΎαααΆαααααΆαα TCP αα cloudflare-dns.com:853
- αααΆαααΈαααααα DNS αααα½α ααααΎαααΆαα αΆαααα TLS
- αααα»αα’αα‘α»ααααααααΎαααΆαα αΆαααα TLS αααΆαααΈα cloudflare-dns.com αααα αΆααα·ααααΆαααααα TLS ααααααΆα
- αα ααααααααΆααααααΆαα TLS ααααΌαααΆααααααΎαα‘αΎα ααααααΆαααΈαααααα DNS α’αΆα ααααΎαααα½α DNS ααΆααααααΆααα»ααααα·ααΆα αααααΆαααΆαααααΎ αα·αααΆαααααΎαααααΈααΆααα½α ααααΆαα αα·αααααααααααα
- ααΆαααααα½α DNS αααααααΎααΆαααΆααααααΆαα TLS ααααΌαααααααααΆα
ααααΎ DNS ααΎ TCP .
α§ααΆα αααααααααΎααΆαααα DNS ααΎ TLSα
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2347 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
αααααΎααααα αΆααααΌα ααΆααααΎαααΆαααα’αααα»ααααααΆαααααΆαααΈααα DNS ααΌαααααΆαααααααααΎαααααΌαααΆααααααααΆαααΌαααααΆα α¬α’αααααααΎααααΆαααααα½αα αα·αβα αΎαβαααβααΆαβααΆαβααΆααααβααΈβαααααααΆαβααΊβαα·αβααα’βααααΆααβααΆααβααα»αααα - ααΌαβα±ααβαααααΉαβ!
ααΆαααααΈαααααΆαααααααα’αααΈα’αααΈαααααΆαααααααΆααΊα’αααΈ
α’ααααααΆαα DNS ααααΆαα±αα Domain Name Service (ααΌα
αααααα·ααΆαααΆ "ααααΆ DNS" ααΊα α½ααααααΆα α’ααααααΆααααΆαααΆααα "ααααΆ" αα½α
α αΎα) α αΎαααααΌαααΆαααααΎααΎααααΈαααααααΆααα·α
αα
ααΆαααΆαααααα½α - ααΎααααΈαααααΈα’αΆααααααΆα IP αααααααααααΆαααΈαααΆααααΆαααα½αααΆαα ααΆααααααααααα»αααααααΆααα
α»α
ααΎααα α¬αααα
αΌαα’αΆααααααΆααα
αααα»ααααΆαα’αΆααααααΆααααααααααα·ααΈαα»ααα (αα·ααΆαααΆα’αααΈαα½αααΌα
ααΆ "
αα αααα»αααααααΆαααΈααα DNS αααααΆαααα½αααααΎ "ααΎα’αααΈααΆα’αΆααααααΆα IP αααααααΆαααΈααααααΆααααααααΆ habrahabr.ru?" αααααααΆααΎααΆααΉαα’αααΈα’αααΈαααΆαααΈααααααΆααααααΆααα ααααα·αααΎαα·αααΆααα ααΆααααΎααααΎαα ααΆαααααΆαααΈααα DNS αααααααααα αααα»ααα·ααααα α αΎααα½αααα αΆαααααα ααααΆααΆααααααααα ααααΎαα αααααααα½ααααααΆααα½αα ααΆαααααα αα ααααααααααα ααααΎαα α»αααααα αα·αααααααααααΆαααααΎαααααΌαααΆαααααΎαα α’αα·αα·ααααααα αααααα αΆααα½ααα ααΌαααΉαααααΌαααΆααααααΆαα»ααααα»αααααΆαααααααΆαααααααΆαααΈααα DNS αααα½αα―α αααααΉαα’αα»ααααΆαα±ααα’αααααααΎααααα½αααααααααααΆααΆαααΏαααΆααα»ααα ααααααααα
αααα αΆααΌαα αα½αααΊααΆ ααΆααααΌα αα·αααααααααα½α DNS ααααΌαααΆααααααΌααααα αααΆααααΆαα (ααααααααα±ααααααΆααααΆαααααααΆααα·αααα·α αΌαααααΎαααΆαααα αΌαα ααΆα α αααααααΆααααα»αααΆαααααααα½α DNS αα·αααΆαααααΎαααααααα½αααααα½αααΆα α αΎααααααΆααααααααα½αααΆαααααΆαααααααααααααΆαααααα½ααααααα½ααα ααααααααα±αα αααααααΆααααα»αααΆααααααααααα ααΆαααααΆαααΆαα·αααααααααΆαα½αααΉαααΆαααααΉαααααΌααααααΆαααααΆαααΈαααααα DNS αααααΆαα αααΎαααΆαα!) ααΈααΈα ISPs αα½αα ααα½α (ααΎαααΉααα·αα ααα’α»ααααα ααα»αααααα·ααααααΌα αααα»ααα) ααΆαααααααααα αΆαααΆαααααΆαααΆαα·ααααααααααα½αα±ααααααααααααΆαααααΎαα»ααα½α α¬αααααααα (αααααααΌαααΆαα’αα»αααααααΆαααΆααααα αααα½αα±ααα’αΆααααααΆα IP αααααΆααααααΆαααααααΆαααααα½αααα habranabr.ru ααααααααΆαααΈα ααΆααα»αααα ααααα ααΌα ααααα’αΆααααααΆααααααΆαααΈαααααα αααααααααα’ααααααααααααΆααααΌαααΆααααα‘αααααα·α αααααααααααααΆαααΆαααααΆαααΆαα·αααααααααααΌαααΆααααααΎ)α ααΈααΈ ααΆαα’ααααααααααΆαα αΌαααααΎα’ααΈαααΊαα·ααααα’αα»ααααααααααΆααααααΆααααααααααααΌαααΆααααααΆααααΆααααααααΆααααα αααααααΈαα½ααααααααα½αααΆαααααΎααα DNS ααααΉαααααΌαα’αααΈα’αΆααααααΆα IP ααααααΆαααα ααααααααααααΌαααΆαααΆααΆααααΆαα½αααΉαα’αΆααααααΆα IP αααααΆαααΈααααααααα½ααααααααΆαααααα stub (ααΆαααααα ααΆαα αΌαααααΎαα ααΆαα ααα αααααααααααααΆαααααααα»αααααΆααα½αα±ααααααααααΆαα) α¬αα ααΆααα’αΆααααααΆααααααΆαααΈαααααααΌααααΈααααα’ααααααααααΎααΆαααααα
ααααααα ααααΆααΌαααΆαααΈααα αααααα
ααα»αααααααΆααα’αΆα αααα αααΆααααΈ Cloudflare αααααΆα’ααααααααΎαααααΆααααα αα½αααααααΆααααααααααααα½αααααααααααΆ αα·αα’αα·αααααααααΆα CDN ααααααα·αααααα»ααα½ααα αααα»ααα·ααααα (αα»αααΆαααααα½ααααα αΌααα·αααααΉαααααΆαα ααα αΆαααΆαα·ααΆααα»αααααααααα»αααααααααΆαααααα ααααααα DNS) αα·ααααααΆα ααααααααΆααααΆααααα’αααααΆααααα, ααααα·αααΌααααααααα’αααααΆααααα α’αααααΆαααα·αααΉααα αααα ααααΌαβαα ααΆ αα αααα»ααααααΆαααα ααΆααΉαααΆααααα½αααααΈααΆααααααααΆααα’αΆααααααΆααααααΆαααΈααααααααα½αααααΈ αα»ααα·ααΆαααΆα’αααααΆ - ααΌα ααααααΆαααΆα DNS ααααα·αααααΌαααΆααααααΆααααα "ααΆαααααα α α½α αα·ααααααα’αααα" αααααΆαααααα»αα αα»αααα ααΆααααααΆαα·αααΌαααΆααααααααααΆαααααα’αΆααΈααααααααααα½αααα α αΎααα»ααααααααα·αα αα ααααα (αα·α αα½α ααα»ααααααα’α ααΆαα·ααααααααΆααα’αα·αα·αααααα DNS Cloudflare α₯ααα·ααααα ααΆαααααΎαα αα α»ααααααααΆααα·αααααα DNS ααααααΆααααααΆααααα αααα ααΎαααΆαααΈααα DNS αααααααα»αα αα»αααΉαααΆαααΆααα αααα α½α) ααααΎα±ααααΆαααααΎααααΆααααααΆαααααααααΆααα·αααααΆαα αααα»αααΆααααα ααααΆαααααα½αα±ααα αΆααα’αΆααααααα
ααααα: www.habr.com