Various aspects of how DNS works have already been touched on more than once by the author in a series of articles published on this blog.
Until recently, despite the obvious exposure of DNS traffic, which is still mostly transmitted in the clear, to malicious interference by providers seeking to increase their income by embedding advertising into content, by government security and censorship bodies, and simply by criminals, the process of strengthening its protection had stalled, despite the existence of various protective technologies. And while server-side solutions, some of which have existed for quite a while, are widely known and available, their support in client software leaves much to be desired.
Fortunately, the situation is changing. In particular, the developers of the popular Firefox browser
1. DNS-over-HTTPS issues
At first glance, the start of the mass rollout of DNS-over-HTTPS across the Internet can only be welcomed. However, as they say, the devil is in the details.
The first problem, which limits the scope of widespread DoH use, is that it is aimed exclusively at web traffic. Indeed, the HTTP protocol, and its current version HTTP/2 on which DoH is built, is the foundation of the WWW. But the Internet is not only the web: there are many popular services, such as e-mail, various instant messengers, file transfer systems, multimedia streaming and so on, that do not use HTTP. So, although many perceive DoH as a panacea, it turns out to be applicable without additional (and unnecessary) effort only to browser technologies. Incidentally, DNS-over-TLS looks like a far worthier candidate for this role, since it encapsulates standard DNS traffic in the standard secure TLS protocol.
The second problem, potentially far more significant than the first, is the de facto abandonment of the decentralization inherent in the design of DNS in favour of a single DoH server set in the Firefox configuration. In particular, Mozilla proposes to use the service of Cloudflare. A similar service has also been launched by other prominent Internet players, in particular Google. It turns out that deploying DNS-over-HTTPS in the form currently proposed only increases end users' dependence on the largest services. It is no secret that the information obtained by analysing DNS queries allows even more data about a user to be collected, and makes that data more accurate and more relevant.
For these reasons the author was and remains a supporter of the mass adoption not of DNS-over-HTTPS but of DNS-over-TLS together with DNSSEC/DANE, as a universal, secure means of protecting DNS traffic that does not encourage further centralization of the Internet. Unfortunately, for obvious reasons, one cannot expect mass support for DoH alternatives to arrive in client software quickly, and this remains the domain of security technology enthusiasts.
But since DoH is already here, why not use it, escaping potential surveillance by corporations through their servers, by running our own DNS-over-HTTPS server?
2. The DNS-over-HTTPS protocol
Looking at it more closely, the protocol is built on HTTP/2 and standard TLS encryption.
A DNS query can be sent using the standard GET and POST methods. In the first case the query is passed as a base64URL-encoded string in the URL query string; in the second it is sent in binary form in the body of the POST request. In both cases a special MIME type, application/dns-message, is used for the DNS query and the response.
root@eprove:~ # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' -v
* Trying 2001:100:200:300::400:443...
* TCP_NODELAY set
* Connected to eprove.net (2001:100:200:300::400) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=my.domain
* start date: Jul 22 00:07:13 2019 GMT
* expire date: Oct 20 00:07:13 2019 GMT
* subjectAltName: host "my.domain" matched cert's "my.domain"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801441000)
> GET /dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE HTTP/2
> Host: eprove.net
> User-Agent: curl/7.65.3
> accept: application/dns-message
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: h2o/2.3.0-beta2
< content-type: application/dns-message
< cache-control: max-age=86274
< date: Thu, 12 Sep 2019 13:07:25 GMT
< strict-transport-security: max-age=15768000; includeSubDomains; preload
< content-length: 45
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 45)
* stopped the pause stream!
* Connection #0 to host eprove.net left intact
Note the cache-control header in the response: its max-age parameter carries the TTL of the returned DNS record (or, if several records are returned, the smallest of their TTLs).
From the above, it follows that processing a DoH request consists of several steps:
- receive the HTTP request; if it is a GET, decode the packet from base64URL;
- send the packet to the DNS server;
- receive the reply from the DNS server;
- find the smallest TTL among the returned records;
- return the reply to the client over HTTP.
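The steps above as a worked example in plain CRuby, added here; it is not code from the original article nor the H2O handler the article presents. It takes the query and the resolver reply captured in the article's own curl and tcpdump sessions (example.com, one A record, TTL 86400) as constructed input, and the function names (build_a_query, encode_dns_param, decode_dns_param, valid_query?, min_ttl, cache_control_for, build_reply) are this example's own. It goes a little beyond the list in two places: the TTL walk handles both compressed and uncompressed answer names, and a reply with a non-zero RCODE or no answers maps to no-cache, and it adds a sanity check on the decoded packet before it would be forwarded to the resolver.

```ruby
# Added example, not code from the article: the DoH processing steps in plain CRuby
# (no H2O or mruby needed). The query and reply below are the ones captured in the
# article's tcpdump session, embedded as constructed input (29-byte query, 45-byte reply).
QUERY_HEX = "abcd 0100 0001 0000 0000 0000 0765 7861 6d70 6c65 0363 6f6d 0000 0100 01"
REPLY_HEX = "abcd 8180 0001 0001 0000 0000 0765 7861 6d70 6c65 0363 6f6d 0000 0100 01" \
            "c0 0c00 0100 0100 0151 8000 045d b8d8 22"

def hex_to_bytes(hex)
  [hex.delete(' ')].pack('H*')
end

# --- client side: an A query for name with the given ID (0xabcd as in the capture)
def build_a_query(name, id = 0xabcd)
  header = [id, 0x0100, 1, 0, 0, 0].pack('n6')                  # RD=1, QDCOUNT=1
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00".b
  header + qname + [1, 1].pack('n2')                             # QTYPE=A, QCLASS=IN
end

# RFC 8484 GET form: base64url alphabet, no '=' padding
def encode_dns_param(packet)
  [packet].pack('m0').tr('+/', '-_').delete('=')
end

# --- server step 1: recover the binary packet from the "dns=" query parameter
def decode_dns_param(query_string)
  b64 = query_string.sub(/\Adns=/, '').tr('-_', '+/')
  b64 += '=' * ((4 - b64.length % 4) % 4)                        # restore stripped padding
  b64.unpack1('m0')
end

# Sanity checks before handing the packet to the resolver: plausible size,
# QR bit clear (it is a query, not a response), exactly one question.
def valid_query?(packet)
  return false unless packet.bytesize.between?(12, 4096)
  _, flags, qdcount = packet.unpack('n3')
  (flags & 0x8000).zero? && qdcount == 1
end

# --- server steps 3/4: find the smallest TTL in the reply. A name in the answer
# section is either a 2-byte compression pointer (first byte >= 0xC0) or labels
# terminated by a zero byte.
def skip_name(msg, pos)
  loop do
    len = msg.getbyte(pos)
    return pos + 2 if len >= 0xC0
    return pos + 1 if len.zero?
    pos += 1 + len
  end
end

def min_ttl(msg)
  _id, flags, qdcount, ancount = msg.unpack('n4')
  return nil if ancount.zero? || (flags & 0x000F) != 0           # no answers or RCODE != 0
  pos = 12
  qdcount.times { pos = skip_name(msg, pos) + 4 }                # skip QTYPE + QCLASS
  ttl = nil
  ancount.times do
    pos = skip_name(msg, pos) + 4                                # skip TYPE + CLASS
    cur, rdlen = msg[pos, 6].unpack('Nn')
    ttl = cur if ttl.nil? || cur < ttl
    pos += 6 + rdlen                                             # TTL + RDLENGTH + RDATA
  end
  ttl
end

# --- server step 5: the Cache-Control value the HTTP response should carry
def cache_control_for(msg)
  ttl = min_ttl(msg)
  ttl ? "max-age=#{ttl}" : 'no-cache'
end

# Constructed reply builder for further cases (several A records, error RCODEs).
# Each record is [name_bytes, ttl]; rdata is always 93.184.216.34 as in the capture.
def build_reply(id, rcode, records)
  header = [id, 0x8180 | rcode, 1, records.size, 0, 0].pack('n6')
  question = "\x07example\x03com\x00".b + [1, 1].pack('n2')
  rrs = records.map { |name, ttl| name + [1, 1, ttl, 4].pack('nnNn') + [93, 184, 216, 34].pack('C4') }
  header + question + rrs.join
end

if __FILE__ == $0
  q = build_a_query('example.com')
  puts "GET /dns-query?dns=#{encode_dns_param(q)}"          # same URL as the curl session
  puts "cache-control: #{cache_control_for(hex_to_bytes(REPLY_HEX))}"
end
```

Run as a script it prints the GET URL used in the curl session above and the cache-control value derived from the captured reply; the padding handling in decode_dns_param is the same trick the article's handler uses, and build_reply lets you feed the TTL walk replies with several records or an error RCODE without a live resolver.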
3. Your own DNS-over-HTTPS server
The simplest, quickest and most elegant way to run your own DNS-over-HTTPS server is to use the HTTP/2 web server H2O.
This choice is supported by the fact that the entire code of your own DoH server can be written with the mruby interpreter built into H2O. As the session below shows, the mruby-socket library, which the handler needs in order to exchange packets with the DNS server, is cloned into the deps directory of the port before H2O is built.
root@beta:~ # uname -v
FreeBSD 12.0-RELEASE-p10 GENERIC
root@beta:~ # cd /usr/ports/www/h2o
root@beta:/usr/ports/www/h2o # make extract
===> License MIT BSD2CLAUSE accepted by the user
===> h2o-2.2.6 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by h2o-2.2.6 for building
===> Extracting for h2o-2.2.6.
=> SHA256 Checksum OK for h2o-h2o-v2.2.6_GH0.tar.gz.
===> h2o-2.2.6 depends on file: /usr/local/bin/ruby26 - found
root@beta:/usr/ports/www/h2o # cd work/h2o-2.2.6/deps/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # git clone https://github.com/iij/mruby-socket.git
Клонирование в «mruby-socket»…
remote: Enumerating objects: 385, done.
remote: Total 385 (delta 0), reused 0 (delta 0), pack-reused 385
Получение объектов: 100% (385/385), 98.02 KiB | 647.00 KiB/s, готово.
Определение изменений: 100% (208/208), готово.
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # ll
total 181
drwxr-xr-x 9 root wheel 18 12 авг. 16:09 brotli/
drwxr-xr-x 2 root wheel 4 12 авг. 16:09 cloexec/
drwxr-xr-x 2 root wheel 5 12 авг. 16:09 golombset/
drwxr-xr-x 4 root wheel 35 12 авг. 16:09 klib/
drwxr-xr-x 2 root wheel 5 12 авг. 16:09 libgkc/
drwxr-xr-x 4 root wheel 26 12 авг. 16:09 libyrmcds/
drwxr-xr-x 13 root wheel 32 12 авг. 16:09 mruby/
drwxr-xr-x 5 root wheel 11 12 авг. 16:09 mruby-digest/
drwxr-xr-x 5 root wheel 10 12 авг. 16:09 mruby-dir/
drwxr-xr-x 5 root wheel 10 12 авг. 16:09 mruby-env/
drwxr-xr-x 4 root wheel 9 12 авг. 16:09 mruby-errno/
drwxr-xr-x 5 root wheel 14 12 авг. 16:09 mruby-file-stat/
drwxr-xr-x 5 root wheel 10 12 авг. 16:09 mruby-iijson/
drwxr-xr-x 5 root wheel 11 12 авг. 16:09 mruby-input-stream/
drwxr-xr-x 6 root wheel 11 12 авг. 16:09 mruby-io/
drwxr-xr-x 5 root wheel 10 12 авг. 16:09 mruby-onig-regexp/
drwxr-xr-x 4 root wheel 10 12 авг. 16:09 mruby-pack/
drwxr-xr-x 5 root wheel 10 12 авг. 16:09 mruby-require/
drwxr-xr-x 6 root wheel 10 12 сент. 16:10 mruby-socket/
drwxr-xr-x 2 root wheel 9 12 авг. 16:09 neverbleed/
drwxr-xr-x 2 root wheel 13 12 авг. 16:09 picohttpparser/
drwxr-xr-x 2 root wheel 4 12 авг. 16:09 picotest/
drwxr-xr-x 9 root wheel 16 12 авг. 16:09 picotls/
drwxr-xr-x 4 root wheel 8 12 авг. 16:09 ssl-conservatory/
drwxr-xr-x 8 root wheel 18 12 авг. 16:09 yaml/
drwxr-xr-x 2 root wheel 8 12 авг. 16:09 yoml/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # cd ../../..
root@beta:/usr/ports/www/h2o # make install clean
...
The web server configuration is, on the whole, standard.
root@beta:/usr/ports/www/h2o # cd /usr/local/etc/h2o/
root@beta:/usr/local/etc/h2o # cat h2o.conf
# this sample config gives you a feel for how h2o can be used
# and a high-security configuration for TLS and HTTP headers
# see https://h2o.examp1e.net/ for detailed documentation
# and h2o --help for command-line options and settings
# v.20180207 (c)2018 by Max Kostikov http://kostikov.co e-mail: [email protected]
user: www
pid-file: /var/run/h2o.pid
access-log:
    path: /var/log/h2o/h2o-access.log
    format: "%h %v %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\""
error-log: /var/log/h2o/h2o-error.log
expires: off
compress: on
file.dirlisting: off
file.send-compressed: on
file.index: [ 'index.html', 'index.php' ]
listen:
    port: 80
listen:
    port: 443
    ssl:
        cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        cipher-preference: server
        dh-file: /etc/ssl/dhparams.pem
        certificate-file: /usr/local/etc/letsencrypt/live/my.domain/fullchain.pem
        key-file: /usr/local/etc/letsencrypt/live/my.domain/privkey.pem
hosts:
    "*.my.domain":
        paths: &go_tls
            "/":
                redirect:
                    status: 301
                    url: https://my.domain/
    "my.domain:80":
        paths: *go_tls
    "my.domain:443":
        header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
        paths:
            "/dns-query":
                mruby.handler-file: /usr/local/etc/h2o/h2odoh.rb
The only exception is the URL handler for /dns-query, for which our DNS-over-HTTPS server, written in mruby and invoked through the mruby.handler-file option, is actually responsible.
root@beta:/usr/local/etc/h2o # cat h2odoh.rb
# H2O HTTP/2 web server as DNS-over-HTTP service
# v.20190908 (c)2018-2019 Max Kostikov https://kostikov.co e-mail: [email protected]
proc {|env|
  if env['HTTP_ACCEPT'] == "application/dns-message"
    case env['REQUEST_METHOD']
    when "GET"
      req = env['QUERY_STRING'].gsub(/^dns=/, '')
      # base64URL decode: restore the standard alphabet and the stripped '=' padding
      req = req.tr("-_", "+/")
      if !req.end_with?("=") && req.length % 4 != 0
        req = req.ljust((req.length + 3) & ~3, "=")
      end
      req = req.unpack1("m")
    when "POST"
      req = env['rack.input'].read
    else
      req = ""
    end
    if req.empty?
      [400, { 'content-type' => 'text/plain' }, [ "Bad Request" ]]
    else
      # --- ask DNS server
      sock = UDPSocket.new
      sock.connect("localhost", 53)
      sock.send(req, 0)
      str = sock.recv(4096)
      sock.close
      # --- find lowest TTL in response
      nans = str[6, 2].unpack1('n') # number of answers
      if nans > 0 # no DNS failure
        # skip the question section: labels up to the 0x00 terminator, then QTYPE and QCLASS
        shift = str.index("\x00", 12) + 5
        ttl = nil
        while nans > 0
          # answer name: a 2-byte compression pointer (first byte >= 192) or plain labels
          if str[shift].unpack1("C") < 192
            shift = str.index("\x00", shift) + 1
          else
            shift += 2
          end
          shift += 4 # TYPE + CLASS
          curttl = str[shift, 4].unpack1('N')
          shift += str[shift + 4, 2].unpack1('n') + 6 # TTL + RDLENGTH + response data size
          if ttl.nil? or ttl > curttl
            ttl = curttl
          end
          nans -= 1
        end
        cc = 'max-age=' + ttl.to_s
      else
        cc = 'no-cache'
      end
      [200, { 'content-type' => 'application/dns-message', 'content-length' => str.size.to_s, 'cache-control' => cc }, [ str ] ]
    end
  else
    [415, { 'content-type' => 'text/plain' }, [ "Unsupported Media Type" ]]
  end
}
In this case, as you can see, the DNS packets are handled by the local caching resolver local-unbound, which ships with FreeBSD.
root@beta:/usr/local/etc/h2o # local-unbound verison
usage: local-unbound [options]
start unbound daemon DNS resolver.
-h this help
-c file config file to read instead of /var/unbound/unbound.conf
file format is described in unbound.conf(5).
-d do not fork into the background.
-p do not create a pidfile.
-v verbose (more times to increase verbosity)
Version 1.8.1
linked libs: mini-event internal (it uses select), OpenSSL 1.1.1a-freebsd 20 Nov 2018
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected]
root@eprove:/usr/local/etc/h2o # sockstat -46 | grep unbound
unbound local-unbo 69749 3 udp6 ::1:53 *:*
unbound local-unbo 69749 4 tcp6 ::1:53 *:*
unbound local-unbo 69749 5 udp4 127.0.0.1:53 *:*
unbound local-unbo 69749 6 tcp4 127.0.0.1:53 *:*
Now all that remains is to restart H2O and see what we get.
root@beta:/usr/local/etc/h2o # service h2o restart
Stopping h2o.
Waiting for PIDS: 69871.
Starting h2o.
start_server (pid:70532) starting now...
4. Testing
So, let's check the result by sending the test request once more while watching the network traffic with the tcpdump utility.
root@beta:/usr/local/etc/h2o # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
...
root@beta:~ # tcpdump -n -i lo0 udp port 53 -xx -XX -vv
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
16:32:40.420831 IP (tos 0x0, ttl 64, id 37575, offset 0, flags [none], proto UDP (17), length 57, bad cksum 0 (->e9ea)!)
127.0.0.1.21070 > 127.0.0.1.53: [bad udp cksum 0xfe38 -> 0x33e3!] 43981+ A? example.com. (29)
0x0000: 0200 0000 4500 0039 92c7 0000 4011 0000 ....E..9....@...
0x0010: 7f00 0001 7f00 0001 524e 0035 0025 fe38 ........RN.5.%.8
0x0020: abcd 0100 0001 0000 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01 mple.com.....
16:32:40.796507 IP (tos 0x0, ttl 64, id 37590, offset 0, flags [none], proto UDP (17), length 73, bad cksum 0 (->e9cb)!)
127.0.0.1.53 > 127.0.0.1.21070: [bad udp cksum 0xfe48 -> 0x43fa!] 43981 q: A? example.com. 1/0/0 example.com. A 93.184.216.34 (45)
0x0000: 0200 0000 4500 0049 92d6 0000 4011 0000 ....E..I....@...
0x0010: 7f00 0001 7f00 0001 0035 524e 0035 fe48 .........5RN.5.H
0x0020: abcd 8180 0001 0001 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01c0 0c00 mple.com........
0x0040: 0100 0100 0151 8000 045d b8d8 22 .....Q...].."
^C
2 packets captured
23 packets received by filter
0 packets dropped by kernel
As the capture shows, the request to resolve the name example.com reached the DNS server and was processed successfully.
Now it only remains to enable our server in the Firefox browser. To do this, several settings need to be changed on the about:config configuration page.
First of all, this is the address of the API from which the browser will request DNS information: the network.trr.uri parameter. It is also recommended to put the IP address of the host named in that URL into network.trr.bootstrapAddress, so that the browser can reach it securely on its own without an ordinary DNS lookup. Finally, the network.trr.mode parameter enables DoH itself: the value "3" makes the browser use DNS-over-HTTPS exclusively for name resolution, while the more reliable and safer "2" gives DoH priority but keeps standard DNS resolution as a fallback.
5. Profit!
Was the article useful? Then don't hesitate to support it with money through the donation form (below).
source: www.habr.com