DažÄdus DNS darbÄ«bas aspektus autors jau vairÄkkÄrt ir pieskÄries publicÄts kÄ daļa no emuÄra. TajÄ paÅ”Ä laikÄ galvenais uzsvars vienmÄr ir bijis uz Ŕī galvenÄ interneta pakalpojuma droŔības uzlaboÅ”anu.
VÄl nesen, neraugoties uz acÄ«mredzamo DNS trafika neaizsargÄtÄ«bu, kas lielÄkoties joprojÄm tiek nepÄrprotami pÄrraidÄ«ta uz ļaunprÄtÄ«gÄm darbÄ«bÄm no pakalpojumu sniedzÄju puses, kuri vÄlas palielinÄt savus ienÄkumus, saturÄ ievietojot reklÄmu, valsts droŔības aÄ£entÅ«rÄm un cenzÅ«rai, kÄ arÄ« vienkÄrÅ”i noziedznieki, process , neskatoties uz dažÄdu tehnoloÄ£iju klÄtbÅ«tni, piemÄram, DNSSEC/DANE, DNScrypt, DNS-over-TLS un DNS-over-HTTPS, apstÄjÄs. Un, ja serveru risinÄjumi, un daži no tiem pastÄv jau diezgan ilgu laiku, ir plaÅ”i pazÄ«stami un pieejami, to atbalsts no klientu programmatÅ«ras atstÄj daudz vÄlamo.
Par laimi, situÄcija mainÄs. Jo Ä«paÅ”i populÄrÄs pÄrlÅ«kprogrammas Firefox izstrÄdÄtÄji par plÄniem pÄc noklusÄjuma iespÄjot atbalsta režīmu (DoH) drÄ«z. Tam vajadzÄtu palÄ«dzÄt aizsargÄt WWW lietotÄja DNS trafiku no iepriekÅ”minÄtajiem draudiem, taÄu tas var radÄ«t jaunus.
1. DNS over-HTTPS problÄmas
No pirmÄ acu uzmetiena DNS-over-HTTPS masveida ievieÅ”ana interneta programmatÅ«rÄ izraisa tikai pozitÄ«vu reakciju. TomÄr velns, kÄ saka, slÄpjas detaļÄs.
PirmÄ problÄma, kas ierobežo DoH plaÅ”o izmantoÅ”anu, ir tÄ koncentrÄÅ”anÄs tikai uz tÄ«mekļa trafiku. PatieÅ”Äm, HTTP protokols un tÄ paÅ”reizÄjÄ versija HTTP/2, uz kuras balstÄs DoH, ir WWW pamatÄ. TaÄu internets nav tikai tÄ«meklis. Ir daudz populÄru pakalpojumu, piemÄram, e-pasts, dažÄdi tÅ«lÄ«tÄjie kurjeri, failu pÄrsÅ«tÄ«Å”anas sistÄmas, multivides straumÄÅ”ana utt., kas neizmanto HTTP. TÄdÄjÄdi, neskatoties uz to, ka daudzi DoH uzskata par panaceju, tas izrÄdÄs nepiemÄrots bez papildu (un nevajadzÄ«gÄm) pÅ«lÄm nekam citam, izÅemot pÄrlÅ«kprogrammas tehnoloÄ£ijas. Starp citu, DNS-over-TLS izskatÄs daudz cienÄ«gÄks kandidÄts Å”ai lomai, kas ievieÅ” standarta DNS trafika iekapsulÄÅ”anu droÅ”Ä standarta TLS protokolÄ.
OtrÄ problÄma, kas, iespÄjams, ir daudz nozÄ«mÄ«gÄka nekÄ pirmÄ, ir faktiskÄ atteikÅ”anÄs no DNS raksturÄ«gÄs decentralizÄcijas, izmantojot vienu pÄrlÅ«kprogrammas iestatÄ«jumos norÄdÄ«to DoH serveri. Jo Ä«paÅ”i Mozilla iesaka izmantot pakalpojumu no Cloudflare. LÄ«dzÄ«gu pakalpojumu atklÄja arÄ« citi ievÄrojami interneta darbinieki, jo Ä«paÅ”i Google. IzrÄdÄs, DNS-over-HTTPS ievieÅ”ana tÄdÄ formÄ, kÄdÄ tas Å”obrÄ«d tiek piedÄvÄts, tikai palielina galalietotÄju atkarÄ«bu no lielÄkajiem pakalpojumiem. Nav noslÄpums, ka informÄcija, ko var sniegt DNS vaicÄjumu analÄ«ze, var savÄkt vÄl vairÄk datu par to, kÄ arÄ« palielinÄt tÄs precizitÄti un atbilstÄ«bu.
Å ajÄ sakarÄ autors bija un paliek masveida ievieÅ”anas nevis DNS-over-HTTPS, bet gan DNS-over-TLS kopÄ ar DNSSEC/DANE kÄ universÄla, droÅ”a un tÄlÄkai interneta centralizÄcijai neveicina lÄ«dzekļa atbalstÄ«tÄjs. DNS trafika droŔības nodroÅ”inÄÅ”anai. DiemžÄl acÄ«mredzamu iemeslu dÄļ nevar gaidÄ«t Ätru DoH alternatÄ«vu masveida atbalsta ievieÅ”anu klientu programmatÅ«rÄ, un tÄ joprojÄm ir droŔības tehnoloÄ£iju entuziastu sfÄra.
Bet, tÄ kÄ mums tagad ir DoH, kÄpÄc gan to neizmantot pÄc tam, kad ir izdevies izvairÄ«ties no potenciÄlÄs korporÄciju uzraudzÄ«bas, izmantojot savus serverus, uz mÅ«su paÅ”u DNS, izmantojot HTTPS serveri?
2. DNS-over-HTTPS protokols
Ja paskatÄs uz standartu aprakstot DNS-over-HTTPS protokolu, jÅ«s varat redzÄt, ka patiesÄ«bÄ tas ir tÄ«mekļa API, kas ļauj iekapsulÄt standarta DNS pakotni HTTP/2 protokolÄ. Tas tiek Ä«stenots, izmantojot Ä«paÅ”as HTTP galvenes, kÄ arÄ« pÄrveidojot pÄrsÅ«tÄ«to DNS datu binÄro formÄtu (sk. un turpmÄkie dokumenti) formÄ, kas ļauj tos pÄrsÅ«tÄ«t un saÅemt, kÄ arÄ« strÄdÄt ar nepiecieÅ”amajiem metadatiem.
SaskaÅÄ ar standartu tiek atbalstÄ«ts tikai HTTP/2 un droÅ”s TLS savienojums.
DNS pieprasÄ«jumu var nosÅ«tÄ«t, izmantojot standarta GET un POST metodes. PirmajÄ gadÄ«jumÄ pieprasÄ«jums tiek pÄrveidots par base64URL kodÄtu virkni, bet otrajÄ - caur POST pieprasÄ«juma pamattekstu binÄrÄ formÄ. Å ajÄ gadÄ«jumÄ DNS pieprasÄ«juma un atbildes laikÄ tiek izmantots Ä«paÅ”s MIME datu tips lietojumprogramma/dns-ziÅa.
root@eprove:~ # curl -H 'accept: application/dns-message' 'https://my.domaint/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' -v
* Trying 2001:100:200:300::400:443...
* TCP_NODELAY set
* Connected to eprove.net (2001:100:200:300::400) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=my.domain
* start date: Jul 22 00:07:13 2019 GMT
* expire date: Oct 20 00:07:13 2019 GMT
* subjectAltName: host "my.domain" matched cert's "my.domain"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801441000)
> GET /dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE HTTP/2
> Host: eprove.net
> User-Agent: curl/7.65.3
> accept: application/dns-message
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: h2o/2.3.0-beta2
< content-type: application/dns-message
< cache-control: max-age=86274
< date: Thu, 12 Sep 2019 13:07:25 GMT
< strict-transport-security: max-age=15768000; includeSubDomains; preload
< content-length: 45
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 45)
* stopped the pause stream!
* Connection #0 to host eprove.net left intactPievÄrsiet uzmanÄ«bu arÄ« nosaukumam keÅ”atmiÅas kontrole: atbildÄ no tÄ«mekļa servera. ParametrÄ maksimÄlais vecums satur atgrieztÄ DNS ieraksta TTL vÄrtÄ«bu (vai minimÄlo vÄrtÄ«bu, ja tiek atgriezta to kopa).
Pamatojoties uz iepriekÅ” minÄto, DoH servera darbÄ«ba sastÄv no vairÄkiem posmiem.
- SaÅemiet HTTP pieprasÄ«jumu. Ja tas ir GET, atÅ”ifrÄjiet paketi no base64URL kodÄjuma.
- Nosūtiet Ŕo paketi DNS serverim.
- SaÅemiet atbildi no DNS servera
- SaÅemtajos ierakstos atrodiet minimÄlo TTL vÄrtÄ«bu.
- Nosūtiet atbildi klientam, izmantojot HTTP.
3. JÅ«su DNS over-HTTPS serveris
VienkÄrÅ”Äkais, ÄtrÄkais un efektÄ«vÄkais veids, kÄ palaist savu DNS-over-HTTPS serveri, ir izmantot HTTP/2 tÄ«mekļa serveri. , par kuru autors jau Ä«si rakstÄ«jis (sk.").
Å o izvÄli atbalsta fakts, ka visu jÅ«su DoH servera kodu var pilnÄ«bÄ ieviest, izmantojot tulku, kas integrÄts paÅ”Ä H2O . Papildus standarta bibliotÄkÄm, lai apmainÄ«tos ar datiem ar DNS serveri, ir nepiecieÅ”ama (mrbgem) Socket bibliotÄka, kas, par laimi, jau ir iekļauta paÅ”reizÄjÄ H2O 2.3.0-beta2 izstrÄdes versijÄ. FreeBSD portos. TomÄr nav grÅ«ti to pievienot jebkurai iepriekÅ”Äjai versijai, klonÄjot repozitoriju uz katalogu /deps pirms kompilÄcijas.
root@beta:~ # uname -v
FreeBSD 12.0-RELEASE-p10 GENERIC
root@beta:~ # cd /usr/ports/www/h2o
root@beta:/usr/ports/www/h2o # make extract
===> License MIT BSD2CLAUSE accepted by the user
===> h2o-2.2.6 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by h2o-2.2.6 for building
===> Extracting for h2o-2.2.6.
=> SHA256 Checksum OK for h2o-h2o-v2.2.6_GH0.tar.gz.
===> h2o-2.2.6 depends on file: /usr/local/bin/ruby26 - found
root@beta:/usr/ports/www/h2o # cd work/h2o-2.2.6/deps/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # git clone https://github.com/iij/mruby-socket.git
ŠŠ»Š¾Š½ŠøŃŠ¾Š²Š°Š½ŠøŠµ Š² Ā«mruby-socketĀ»ā¦
remote: Enumerating objects: 385, done.
remote: Total 385 (delta 0), reused 0 (delta 0), pack-reused 385
ŠŠ¾Š»ŃŃŠµŠ½ŠøŠµ Š¾Š±ŃŠµŠŗŃŠ¾Š²: 100% (385/385), 98.02 KiB | 647.00 KiB/s, Š³Š¾ŃŠ¾Š²Š¾.
ŠŠæŃŠµŠ“ŠµŠ»ŠµŠ½ŠøŠµ ŠøŠ·Š¼ŠµŠ½ŠµŠ½ŠøŠ¹: 100% (208/208), Š³Š¾ŃŠ¾Š²Š¾.
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # ll
total 181
drwxr-xr-x 9 root wheel 18 12 Š°Š²Š³. 16:09 brotli/
drwxr-xr-x 2 root wheel 4 12 Š°Š²Š³. 16:09 cloexec/
drwxr-xr-x 2 root wheel 5 12 Š°Š²Š³. 16:09 golombset/
drwxr-xr-x 4 root wheel 35 12 Š°Š²Š³. 16:09 klib/
drwxr-xr-x 2 root wheel 5 12 Š°Š²Š³. 16:09 libgkc/
drwxr-xr-x 4 root wheel 26 12 Š°Š²Š³. 16:09 libyrmcds/
drwxr-xr-x 13 root wheel 32 12 Š°Š²Š³. 16:09 mruby/
drwxr-xr-x 5 root wheel 11 12 Š°Š²Š³. 16:09 mruby-digest/
drwxr-xr-x 5 root wheel 10 12 Š°Š²Š³. 16:09 mruby-dir/
drwxr-xr-x 5 root wheel 10 12 Š°Š²Š³. 16:09 mruby-env/
drwxr-xr-x 4 root wheel 9 12 Š°Š²Š³. 16:09 mruby-errno/
drwxr-xr-x 5 root wheel 14 12 Š°Š²Š³. 16:09 mruby-file-stat/
drwxr-xr-x 5 root wheel 10 12 Š°Š²Š³. 16:09 mruby-iijson/
drwxr-xr-x 5 root wheel 11 12 Š°Š²Š³. 16:09 mruby-input-stream/
drwxr-xr-x 6 root wheel 11 12 Š°Š²Š³. 16:09 mruby-io/
drwxr-xr-x 5 root wheel 10 12 Š°Š²Š³. 16:09 mruby-onig-regexp/
drwxr-xr-x 4 root wheel 10 12 Š°Š²Š³. 16:09 mruby-pack/
drwxr-xr-x 5 root wheel 10 12 Š°Š²Š³. 16:09 mruby-require/
drwxr-xr-x 6 root wheel 10 12 ŃŠµŠ½Ń. 16:10 mruby-socket/
drwxr-xr-x 2 root wheel 9 12 Š°Š²Š³. 16:09 neverbleed/
drwxr-xr-x 2 root wheel 13 12 Š°Š²Š³. 16:09 picohttpparser/
drwxr-xr-x 2 root wheel 4 12 Š°Š²Š³. 16:09 picotest/
drwxr-xr-x 9 root wheel 16 12 Š°Š²Š³. 16:09 picotls/
drwxr-xr-x 4 root wheel 8 12 Š°Š²Š³. 16:09 ssl-conservatory/
drwxr-xr-x 8 root wheel 18 12 Š°Š²Š³. 16:09 yaml/
drwxr-xr-x 2 root wheel 8 12 Š°Š²Š³. 16:09 yoml/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # cd ../../..
root@beta:/usr/ports/www/h2o # make install clean
...TÄ«mekļa servera konfigurÄcija parasti ir standarta.
root@beta:/usr/ports/www/h2o # cd /usr/local/etc/h2o/
root@beta:/usr/local/etc/h2o # cat h2o.conf
# this sample config gives you a feel for how h2o can be used
# and a high-security configuration for TLS and HTTP headers
# see https://h2o.examp1e.net/ for detailed documentation
# and h2o --help for command-line options and settings
# v.20180207 (c)2018 by Max Kostikov http://kostikov.co e-mail: max@kostikov.co
user: www
pid-file: /var/run/h2o.pid
access-log:
path: /var/log/h2o/h2o-access.log
format: "%h %v %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i""
error-log: /var/log/h2o/h2o-error.log
expires: off
compress: on
file.dirlisting: off
file.send-compressed: on
file.index: [ 'index.html', 'index.php' ]
listen:
port: 80
listen:
port: 443
ssl:
cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
cipher-preference: server
dh-file: /etc/ssl/dhparams.pem
certificate-file: /usr/local/etc/letsencrypt/live/eprove.net/fullchain.pem
key-file: /usr/local/etc/letsencrypt/live/my.domain/privkey.pem
hosts:
"*.my.domain":
paths: &go_tls
"/":
redirect:
status: 301
url: https://my.domain/
"my.domain:80":
paths: *go_tls
"my.domain:443":
header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
paths:
"/dns-query":
mruby.handler-file: /usr/local/etc/h2o/h2odoh.rbVienÄ«gais izÅÄmums ir URL apstrÄdÄtÄjs /dns-query par ko faktiski ir atbildÄ«gs mÅ«su DNS-over-HTTPS serveris, kas rakstÄ«ts mruby un izsaukts, izmantojot apdarinÄtÄja opciju mruby.handler-fails.
root@beta:/usr/local/etc/h2o # cat h2odoh.rb
# H2O HTTP/2 web server as DNS-over-HTTP service
# v.20190908 (c)2018-2019 Max Kostikov https://kostikov.co e-mail: max@kostikov.co
proc {|env|
if env['HTTP_ACCEPT'] == "application/dns-message"
case env['REQUEST_METHOD']
when "GET"
req = env['QUERY_STRING'].gsub(/^dns=/,'')
# base64URL decode
req = req.tr("-_", "+/")
if !req.end_with?("=") && req.length % 4 != 0
req = req.ljust((req.length + 3) & ~3, "=")
end
req = req.unpack1("m")
when "POST"
req = env['rack.input'].read
else
req = ""
end
if req.empty?
[400, { 'content-type' => 'text/plain' }, [ "Bad Request" ]]
else
# --- ask DNS server
sock = UDPSocket.new
sock.connect("localhost", 53)
sock.send(req, 0)
str = sock.recv(4096)
sock.close
# --- find lowest TTL in response
nans = str[6, 2].unpack1('n') # number of answers
if nans > 0 # no DNS failure
shift = 12
ttl = 0
while nans > 0
# process domain name compression
if str[shift].unpack1("C") < 192
shift = str.index("x00", shift) + 5
if ttl == 0 # skip question section
next
end
end
shift += 6
curttl = str[shift, 4].unpack1('N')
shift += str[shift + 4, 2].unpack1('n') + 6 # responce data size
if ttl == 0 or ttl > curttl
ttl = curttl
end
nans -= 1
end
cc = 'max-age=' + ttl.to_s
else
cc = 'no-cache'
end
[200, { 'content-type' => 'application/dns-message', 'content-length' => str.size, 'cache-control' => cc }, [ str ] ]
end
else
[415, { 'content-type' => 'text/plain' }, [ "Unsupported Media Type" ]]
end
}LÅ«dzu, Åemiet vÄrÄ, ka Å”ajÄ gadÄ«jumÄ vietÄjais keÅ”atmiÅas serveris ir atbildÄ«gs par DNS pakeÅ”u apstrÄdi no standarta FreeBSD izplatÄ«Å”anas. No droŔības viedokļa tas ir optimÄlais risinÄjums. TomÄr nekas neliedz jums to nomainÄ«t localhost uz citu DNS adresi, kuru plÄnojat izmantot.
root@beta:/usr/local/etc/h2o # local-unbound verison
usage: local-unbound [options]
start unbound daemon DNS resolver.
-h this help
-c file config file to read instead of /var/unbound/unbound.conf
file format is described in unbound.conf(5).
-d do not fork into the background.
-p do not create a pidfile.
-v verbose (more times to increase verbosity)
Version 1.8.1
linked libs: mini-event internal (it uses select), OpenSSL 1.1.1a-freebsd 20 Nov 2018
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl
root@eprove:/usr/local/etc/h2o # sockstat -46 | grep unbound
unbound local-unbo 69749 3 udp6 ::1:53 *:*
unbound local-unbo 69749 4 tcp6 ::1:53 *:*
unbound local-unbo 69749 5 udp4 127.0.0.1:53 *:*
unbound local-unbo 69749 6 tcp4 127.0.0.1:53 *:*Atliek tikai restartÄt H2O un redzÄt, kas no tÄ sanÄks.
root@beta:/usr/local/etc/h2o # service h2o restart
Stopping h2o.
Waiting for PIDS: 69871.
Starting h2o.
start_server (pid:70532) starting now...4. TestÄÅ”ana
TÄtad, pÄrbaudÄ«sim rezultÄtus, vÄlreiz nosÅ«tot testa pieprasÄ«jumu un apskatot tÄ«kla trafiku, izmantojot utilÄ«tu tcpdump.
root@beta/usr/local/etc/h2o # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
...
root@beta:~ # tcpdump -n -i lo0 udp port 53 -xx -XX -vv
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
16:32:40.420831 IP (tos 0x0, ttl 64, id 37575, offset 0, flags [none], proto UDP (17), length 57, bad cksum 0 (->e9ea)!)
127.0.0.1.21070 > 127.0.0.1.53: [bad udp cksum 0xfe38 -> 0x33e3!] 43981+ A? example.com. (29)
0x0000: 0200 0000 4500 0039 92c7 0000 4011 0000 ....E..9....@...
0x0010: 7f00 0001 7f00 0001 524e 0035 0025 fe38 ........RN.5.%.8
0x0020: abcd 0100 0001 0000 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01 mple.com.....
16:32:40.796507 IP (tos 0x0, ttl 64, id 37590, offset 0, flags [none], proto UDP (17), length 73, bad cksum 0 (->e9cb)!)
127.0.0.1.53 > 127.0.0.1.21070: [bad udp cksum 0xfe48 -> 0x43fa!] 43981 q: A? example.com. 1/0/0 example.com. A 93.184.216.34 (45)
0x0000: 0200 0000 4500 0049 92d6 0000 4011 0000 ....E..I....@...
0x0010: 7f00 0001 7f00 0001 0035 524e 0035 fe48 .........5RN.5.H
0x0020: abcd 8180 0001 0001 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01c0 0c00 mple.com........
0x0040: 0100 0100 0151 8000 045d b8d8 22 .....Q...].."
^C
2 packets captured
23 packets received by filter
0 packets dropped by kernelIzvade parÄda, kÄ pieprasÄ«jums atrisinÄt adresi example.com tika saÅemts un veiksmÄ«gi apstrÄdÄts DNS serverÄ«.
Tagad atliek tikai aktivizÄt mÅ«su serveri pÄrlÅ«kprogrammÄ Firefox. Lai to izdarÄ«tu, konfigurÄcijas lapÄs ir jÄmaina vairÄki iestatÄ«jumi about: config.
PirmkÄrt, Ŕī ir mÅ«su API adrese, kurÄ pÄrlÅ«kprogramma pieprasÄ«s DNS informÄciju network.trr.uri. Ir arÄ« ieteicams norÄdÄ«t domÄna IP no Ŕī URL droÅ”ai IP izŔķirtspÄjai, izmantojot paÅ”u pÄrlÅ«kprogrammu, nepiekļūstot DNS network.trr.bootstrapAddress. Un visbeidzot pats parametrs tÄ«kls.trr.režīms tostarp DoH izmantoÅ”anu. VÄrtÄ«bas iestatÄ«Å”ana uz ā3ā liks pÄrlÅ«kprogrammai vÄrda izŔķirÅ”anai izmantot tikai DNS, izmantojot HTTPS, savukÄrt uzticamÄkÄ un droÅ”Äka vÄrtÄ«ba ā2ā dos prioritÄti DoH, atstÄjot standarta DNS meklÄÅ”anu kÄ rezerves opciju.
5. PEĻŠA!
Vai raksts bija noderÄ«gs? Tad, lÅ«dzu, nekautrÄjieties un atbalstiet ar naudu, izmantojot ziedojuma veidlapu (zemÄk).
Avots: www.habr.com
