Mutuwu wamenyedwa kwambiri, ndikudziwa. Mwachitsanzo, pali chachikulu , koma gawo la IP lokha la blocklist limaganiziridwa pamenepo. Tiwonjezeranso madambwe.
Chifukwa chakuti makhoti ndi RKN amaletsa chirichonse kumanja ndi kumanzere, ndipo opereka chithandizo akuyesera kuti asagwere pansi pa chindapusa choperekedwa ndi Revizorro, kutayika kogwirizana ndi kutsekereza kumakhala kwakukulu. Ndipo pakati pamasamba "oletsedwa" pali zambiri zothandiza (hello, rutracker)
Ndimakhala kunja kwa boma la RKN, koma makolo anga, abale ndi anzanga adatsalira kunyumba. Chifukwa chake adaganiza zobwera ndi njira yosavuta yoti anthu omwe ali kutali ndi IT adutse kutsekereza, makamaka osatenga nawo mbali.
M'mawu awa, sindifotokoza zinthu zoyambira pa intaneti pamasitepe, koma ndifotokoza mfundo za momwe dongosololi lingagwiritsidwire ntchito. Chifukwa chake kudziwa momwe maukonde amagwirira ntchito nthawi zonse komanso mu Linux makamaka ndikofunikira.
Mitundu ya maloko
Choyamba, tiyeni titsitsimutse kukumbukira zomwe zatsekedwa.
Pali mitundu ingapo yamaloko mu XML yotsitsidwa kuchokera ku RKN:
- IP
- Kasitomala
- ulalo
Kuti zikhale zosavuta, tidzazichepetsa kukhala ziwiri: IP ndi domain, ndipo tidzangotulutsa domain kuti lisatseke ndi URL (molondola, adatichitira kale izi).
anthu abwino anazindikira zodabwitsa , kudzera momwe titha kupeza zomwe tikufuna:
- IP:
- Madomeni:
Kufikira masamba oletsedwa
Kuti tichite izi, timafunikira VPS yaying'ono yakunja, makamaka yokhala ndi magalimoto opanda malire - pali zambiri zandalama za 3-5. Muyenera kuitenga pafupi ndi kunja kuti ping isakhale yaikulu kwambiri, koma kachiwiri, ganizirani kuti intaneti ndi geography sizimagwirizana nthawi zonse. Ndipo popeza palibe SLA ya ndalama za 5, ndibwino kuti mutenge zidutswa za 2+ kuchokera kwa opereka osiyanasiyana kuti mulole zolakwika.
Kenako, tifunika kukhazikitsa njira yobisika kuchokera pa router kasitomala kupita ku VPS. Ndimagwiritsa ntchito Wireguard ngati yachangu komanso yosavuta kuyiyika. Ndilinso ndi ma routers a kasitomala kutengera Linux ( kapena china chake mu OpenWRT). Pankhani ya Mikrotik / Cisco, mutha kugwiritsa ntchito ma protocol omwe alipo monga OpenVPN ndi GRE-over-IPSEC.
Kuzindikiritsa ndi kuwongoleranso magalimoto ofuna chidwi
Mutha, ndithudi, kuzimitsa magalimoto onse pa intaneti kudzera m'mayiko akunja. Koma, mwinamwake, kuthamanga kwa ntchito ndi zomwe zili m'deralo kudzavutika kwambiri ndi izi. Kuphatikiza apo, zofunikira za bandwidth pa VPS zidzakhala zapamwamba kwambiri.
Chifukwa chake, tidzafunika kugawa kuchuluka kwa magalimoto kumalo otsekedwa ndikuwongolera kunjira. Ngakhale magalimoto ena "owonjezera" akafika kumeneko, ndikwabwinoko kuposa kuyendetsa chilichonse mumsewu.
Kuti tiyendetse magalimoto, tidzagwiritsa ntchito protocol ya BGP ndikulengeza njira zama netiweki ofunikira kuchokera ku VPS yathu kupita kwa makasitomala. Tiyeni titenge BIRD ngati imodzi mwama daemoni a BGP omwe amagwira ntchito kwambiri komanso osavuta.
IP
Ndi kutsekeredwa ndi IP, chilichonse chikuwonekera: timangolengeza ma IP onse otsekedwa ndi VPS. Vuto ndiloti pali ma subnets pafupifupi 600 pamndandanda womwe API imabwerera, ndipo ambiri mwa iwo ndi / 32 makamu. Nambala iyi ya misewu imatha kusokoneza ma routers ofooka a kasitomala.
Chifukwa chake, pokonza mndandandawo, adaganiza zofotokozera mwachidule maukonde / 24 ngati ili ndi 2 kapena kupitilira apo. Choncho, chiwerengero cha misewu chinachepetsedwa kufika ~ 100 zikwi. Script ya izi itsatira.
Madomeni
Ndizovuta kwambiri ndipo pali njira zingapo. Mwachitsanzo, mutha kuyika squid yowonekera pa rauta iliyonse ya kasitomala ndikuchita HTTP kuyang'ana pamenepo ndikuyang'ana pakugwirana chanza kwa TLS kuti mupeze ulalo womwe wapemphedwa poyambirira komanso dera lochokera ku SNI kachiwiri.
Koma chifukwa cha mitundu yonse yatsopano ya TLS1.3 + eSNI, kusanthula kwa HTTPS kukucheperachepera tsiku lililonse. Inde, ndipo zomangamanga kumbali ya kasitomala zikukhala zovuta kwambiri - muyenera kugwiritsa ntchito OpenWRT.
Chifukwa chake, ndidasankha kutenga njira yolumikizira mayankho ku mafunso a DNS. Apanso, DNS-over-TLS / HTTPS iliyonse imayamba kuyenda pamutu panu, koma titha (pakadali pano) kuwongolera gawo ili pa kasitomala - mwina kuyimitsa kapena kugwiritsa ntchito seva yanu ya DoT / DoH.
Momwe mungaletsere DNS?
Apanso, pangakhale njira zingapo.
- Kusokoneza magalimoto a DNS kudzera pa PCAP kapena NFLOG
Njira ziwirizi zochepetsera zikugwiritsidwa ntchito pazothandizira . Koma sichinathandizidwe kwa nthawi yayitali ndipo magwiridwe antchito ake ndi akale kwambiri, chifukwa chake muyenera kulemba ma harness ake. - Kusanthula kwa zipika za seva za DNS
Tsoka ilo, zobwereza zomwe ndikudziwa sizitha kulemba mayankho, koma zopempha. Kwenikweni, izi ndizomveka, chifukwa, mosiyana ndi zopempha, mayankho ali ndi dongosolo lovuta ndipo n'zovuta kuwalemba m'malemba.
Mwamwayi, ambiri aiwo amathandizira kale DNStap pazifukwa izi.
Kodi DNStap ndi chiyani?
Ndi protocol ya kasitomala-server yotengera Protocol Buffers ndi Frame Streams kuti isamutsidwe kuchokera pa seva ya DNS kupita kwa wosonkhanitsa mafunso ndi mayankho a DNS. Kwenikweni, seva ya DNS imatumiza metadata yamafunso ndi mayankho (mtundu wa uthenga, kasitomala / seva IP, ndi zina zambiri.) kuphatikiza mauthenga athunthu a DNS mu mawonekedwe (a binary) momwe amagwirira ntchito nawo pamaneti.
Ndikofunika kumvetsetsa kuti mu DNStap paradigm, seva ya DNS imakhala ngati kasitomala ndipo wosonkhanitsa amachita ngati seva. Ndiye kuti, seva ya DNS imalumikizana ndi wokhometsa, osati mosemphanitsa.
Masiku ano DNStap imathandizidwa ndi ma seva onse otchuka a DNS. Koma, mwachitsanzo, BIND mu magawo ambiri (monga Ubuntu LTS) nthawi zambiri imamangidwa pazifukwa zina popanda thandizo lake. Chifukwa chake tisavutike ndi kukonzanso, koma tengani chowonjezera chopepuka komanso chofulumira - Chopanda malire.
Momwe mungagwire DNSTap?
pali Zida za CLI zogwirira ntchito ndi zochitika za DNSTap, koma sizoyenera kuthetsa vuto lathu. Chifukwa chake, ndidaganiza zopanga njinga yangayanga yomwe ingachite chilichonse chofunikira:
Algorithm yantchito:
- Ikakhazikitsidwa, imadzaza mndandanda wamadomeni kuchokera pafayilo yolemba, kuwatembenuza (habr.com -> com.habr), osaphatikiza mizere yosweka, zobwerezabwereza ndi ma subdomains (mwachitsanzo, ngati mndandandawo uli ndi habr.com ndi www.habr.com, idzayikidwa yoyamba yokha) ndikumanga mtengo woyambira kuti mufufuze mwachangu pamndandandawu
- Kuchita ngati seva ya DNStap, imadikirira kulumikizana kuchokera ku seva ya DNS. M'malo mwake, imathandizira zitsulo zonse za UNIX ndi TCP, koma ma seva a DNS omwe ndikudziwa amatha kugwiritsa ntchito sockets za UNIX.
- Mapaketi a DNStap omwe akubwera amayamba kusinthidwa kukhala Protobuf, kenako uthenga wa DNS womwewo, womwe uli m'gawo limodzi la Protobuf, umayikidwa pamlingo wa zolemba za DNS RR.
- Imawunikiridwa ngati wolandila wofunsidwa (kapena dera lake la makolo) ali pamndandanda wodzaza, ngati sichoncho, yankho limanyalanyazidwa.
- Ma A/AAAA/CNAME RR okha ndi omwe amasankhidwa kuchokera pamayankhidwe ndipo ma adilesi ofananira nawo a IPv4/IPv6 amachotsedwa mwa iwo.
- Maadiresi a IP amasungidwa ndi TTL yosinthika ndikulengezedwa kwa anzawo onse a BGP
- Mukalandira yankho lolozera ku IP yosungidwa kale, TTL yake imasinthidwa
- TTL ikatha, choloweracho chimachotsedwa ku cache ndi kulengeza za BGP
Ntchito zowonjezera:
- Kuwerenganso mndandanda wamadomeni ndi SIGHUP
- Kusunga cache mu kulunzanitsa ndi zina dnstap-bgp kudzera pa HTTP/JSON
- Fananizani cache pa disk (mu database ya BoltDB) kuti mubwezeretse zomwe zili mkati mwake mutayambiranso
- Thandizo losinthira ku malo ena amtaneti (chifukwa chiyani izi zikufunika zidzafotokozedwa pansipa)
- Thandizo la IPv6
Zolepheretsa:
- Madomeni a IDN sakuthandizidwa pano
- Zokonda zochepa za BGP
Ndinasonkhanitsa phukusi zosavuta unsembe. Iyenera kugwira ntchito pama OS onse aposachedwa ndi systemd. alibe zodalira.
Chiwembu
Choncho, tiyeni tiyambe kusonkhanitsa zigawo zonse pamodzi. Zotsatira zake, tiyenera kupeza china chonga ichi network topology:
Malingaliro a ntchito, ndikuganiza, akuwonekera bwino pazithunzi:
- Makasitomala ali ndi seva yathu yokonzedwa ngati DNS, ndipo mafunso a DNS ayeneranso kudutsa VPN. Izi ndizofunikira kuti woperekayo asagwiritse ntchito kutsekereza kwa DNS kuti atseke.
- Mukatsegula tsambalo, kasitomala amatumiza funso la DNS ngati "Kodi ma IP a xxx.org ndi chiyani"
- Osalephera imakonza xxx.org (kapena kuichotsa mu cache) ndikutumiza yankho kwa kasitomala "xxx.org ili ndi izi ndi IP", ndikuzibwereza mofanana kudzera pa DNStap
- dnstap-bgp amalengeza ma adilesi awa mu BIRD kudzera pa BGP ngati domain ili pamndandanda woletsedwa
- BIRD imatsatsa njira yopita ku ma IP awa ndi
next-hop selfkasitomala wa router - Mapaketi otsatirawa kuchokera kwa kasitomala kupita ku ma IP awa amadutsa mumsewu
Pa seva, panjira zopita kumasamba otsekedwa, ndimagwiritsa ntchito tebulo losiyana mkati mwa BIRD ndipo silimadutsana ndi OS mwanjira iliyonse.
Chiwembuchi chili ndi zovuta zake: paketi yoyamba ya SYN kuchokera kwa kasitomala, mwinamwake, idzakhala ndi nthawi yochoka kupyolera mwa wothandizira pakhomo. njira sikulengezedwa mwamsanga. Ndipo apa zosankha ndizotheka kutengera momwe woperekera amachitira kutsekereza. Ngati amangogwetsa magalimoto, ndiye kuti palibe vuto. Ndipo ngati ayilozera ku DPI ina, ndiye (mwachidziwitso) zotsatira zapadera ndizotheka.
Ndizothekanso kuti makasitomala salemekeza zozizwitsa za DNS TTL, zomwe zingapangitse kasitomala kugwiritsa ntchito zolemba zakale kuchokera ku cache yake yovunda m'malo mofunsa Unbound.
M'zochita, woyamba kapena wachiwiri sanandibweretsere mavuto, koma mtunda wanu ukhoza kusiyana.
Kukonza Seva
Kuti ndizitha kugubuduza, ndinalemba . Itha kukonza ma seva ndi makasitomala kutengera Linux (yopangidwira magawo otengera deb). Zokonda zonse ndizodziwikiratu ndipo zakhazikitsidwa katundu.yml. Udindowu wadulidwa kuchokera mu sewero langa lalikulu, kotero likhoza kukhala ndi zolakwika - mwalandiridwa π
Tiyeni tidutse zigawo zikuluzikulu.
BGP
Kuthamanga ma daemoni awiri a BGP pa wolandira yemweyo kuli ndi vuto lalikulu: BIRD sikufuna kukhazikitsa BGP kuyang'ana ndi localhost (kapena mawonekedwe apafupi). Kuchokera ku mawu konse. Kufufuza ndi kuwerenga mndandanda wamakalata sikunathandize, amati izi zidachitika mwadongosolo. Mwina pali njira ina, koma sindinaipeze.
Mutha kuyesa daemon ina ya BGP, koma ndimakonda BIRD ndipo imagwiritsidwa ntchito kulikonse ndi ine, sindikufuna kupanga mabungwe.
Chifukwa chake, ndinabisa dnstap-bgp mkati mwa malo ochezera a pa intaneti, omwe amalumikizidwa ndi muzu kudzera mu mawonekedwe a veth: ali ngati chitoliro, malekezero ake omwe amatuluka m'malo osiyanasiyana. Pazifukwa zonsezi, timapachika ma adilesi a IP achinsinsi a p2p omwe samapitilira wolandila, kuti akhale chilichonse. Iyi ndi njira yomweyi yomwe imagwiritsidwa ntchito kupeza njira mkati okondedwa ndi onse Docker ndi zotengera zina.
Kwa ichi chinalembedwa ndipo magwiridwe antchito omwe tafotokozera kale pakudzikoka ndi tsitsi kupita kumalo ena a mayina adawonjezedwa ku dnstap-bgp. Chifukwa chake, iyenera kuyendetsedwa ngati muzu kapena kuperekedwa ku binary CAP_SYS_ADMIN kudzera pa setcap command.
Zolemba zachitsanzo zopangira dzina
#!/bin/bash
NS="dtap"
IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"
IP_R="192.168.149.1"
IP_NS="192.168.149.2"
/bin/systemctl stop dnstap-bgp || true
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS
$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up
/bin/systemctl start dnstap-bgpdnstap-bgp.conf
namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"
[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"
[bgp]
as = 65000
routerid = "192.168.149.2"
peers = [
"192.168.149.1",
]mbalame.conf
router id 192.168.1.1;
table rkn;
# Clients
protocol bgp bgp_client1 {
table rkn;
local as 65000;
neighbor 192.168.1.2 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
export all;
import none;
}
# DNSTap-BGP
protocol bgp bgp_dnstap {
table rkn;
local as 65000;
neighbor 192.168.149.2 as 65000;
direct;
passive on;
rr client;
import all;
export none;
}
# Static routes list
protocol static static_rkn {
table rkn;
include "rkn_routes.list";
import all;
export none;
}rkn_routes.list
route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...DNS
Mwachikhazikitso, mu Ubuntu, Binary Yopanda malire imakanizidwa ndi mbiri ya AppArmor, yomwe imaletsa kuti isagwirizane ndi mitundu yonse ya soketi za DNStap. Mutha kufufuta mbiriyi, kapena kuyimitsa:
# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unboundIzi ziyenera kuwonjezeredwa ku playbook. Ndikoyenera, ndithudi, kukonza mbiriyo ndikupereka ufulu wofunikira, koma ndinali waulesi kwambiri.
unbound.conf
server:
chroot: ""
port: 53
interface: 0.0.0.0
root-hints: "/var/lib/unbound/named.root"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
access-control: 192.168.0.0/16 allow
remote-control:
control-enable: yes
control-use-cert: no
dnstap:
dnstap-enable: yes
dnstap-socket-path: "/tmp/dnstap.sock"
dnstap-send-identity: no
dnstap-send-version: no
dnstap-log-client-response-messages: yesKutsitsa ndi kukonza mindandanda
Imatsitsa mndandandawo, ikuphatikiza ku chiyambi pfx. The osandiwonjeza ΠΈ dont_summarize mutha kuwuza ma IP ndi ma network kuti adumphe kapena asafotokoze mwachidule. Ndinazifuna. subnet ya VPS yanga inali mu blocklist π
Chosangalatsa ndichakuti RosKomSvoboda API imaletsa zopempha ndi wogwiritsa ntchito wa Python. Zikuwoneka ngati wachinyamata wapeza. Chifukwa chake, timasintha kukhala Ognelis.
Pakadali pano, imangogwira ntchito ndi IPv4. gawo la IPv6 ndi laling'ono, koma lidzakhala losavuta kukonza. Pokhapokha muyenera kugwiritsa ntchito bird6 komanso.
rkn.py
#!/usr/bin/python3
import json, urllib.request, ipaddress as ipa
url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'
dont_summarize = {
# ipa.IPv4Network('1.1.1.0/24'),
}
dont_add = {
# ipa.IPv4Address('1.1.1.1'),
}
req = urllib.request.Request(
url,
data=None,
headers={
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
}
)
f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))
prefix32 = ipa.IPv4Address('255.255.255.255')
r = {}
for i in ips:
ip = ipa.ip_network(i)
if not isinstance(ip, ipa.IPv4Network):
continue
addr = ip.network_address
if addr in dont_add:
continue
m = ip.netmask
if m != prefix32:
r[m] = [addr, 1]
continue
sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)
if sn in dont_summarize:
tgt = addr
else:
tgt = sn
if not sn in r:
r[tgt] = [addr, 1]
else:
r[tgt][1] += 1
o = []
for n, v in r.items():
if v[1] == 1:
o.append(str(v[0]) + '/32')
else:
o.append(n)
for k in o:
print(k)
Ndimayendetsa pa korona kamodzi patsiku, mwina ndiyenera kukoka maola 4 aliwonse. iyi, mwa lingaliro langa, ndi nthawi yokonzanso yomwe RKN ikufuna kuchokera kwa opereka chithandizo. Kuphatikiza apo, ali ndi zoletsa zina zachangu kwambiri, zomwe zitha kufika mwachangu.
Amachita izi:
- Imayendetsa script yoyamba ndikusintha mndandanda wamayendedwe (
rkn_routes.list) kwa MKWATI - Kwezaninso BIIRD
- Zosintha ndikuyeretsa mndandanda wamadomeni a dnstap-bgp
- Kwezaninso dnstap-bgp
rkn_update.sh
#!/bin/bash
ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"
# Get & summarize routes
/opt/rkn.py | sed 's/(.*)/route 1 via "ens3";/' > $ROUTES.new
if [ $? -ne 0 ]; then
rm -f $ROUTES.new
echo "Unable to download RKN routes"
exit 1
fi
if [ -e $ROUTES ]; then
mv $ROUTES $ROUTES.old
fi
mv $ROUTES.new $ROUTES
/bin/systemctl try-reload-or-restart bird
# Get domains
curl -s https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^*.//' | sort | uniq > $DOMAINS.new
if [ $? -ne 0 ]; then
rm -f $DOMAINS.new
echo "Unable to download RKN domains"
exit 1
fi
if [ -e $DOMAINS ]; then
mv $DOMAINS $DOMAINS.old
fi
mv $DOMAINS.new $DOMAINS
/bin/systemctl try-reload-or-restart dnstap-bgpZinalembedwa popanda kuganizira kwambiri, kotero ngati muwona chinachake chomwe chingasinthidwe - pitani.
Kukonzekera kwa kasitomala
Apa ndipereka zitsanzo za ma routers a Linux, koma pankhani ya Mikrotik / Cisco ziyenera kukhala zosavuta.
Choyamba, timakhazikitsa BIRD:
mbalame.conf
router id 192.168.1.2;
table rkn;
protocol device {
scan time 10;
};
# Servers
protocol bgp bgp_server1 {
table rkn;
local as 65000;
neighbor 192.168.1.1 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
rr client;
export none;
import all;
}
protocol kernel {
table rkn;
kernel table 222;
scan time 10;
export all;
import none;
}Chifukwa chake, tidzalunzanitsa njira zolandilidwa kuchokera ku BGP ndi tebulo la kernel routing nambala 222.
Pambuyo pake, ndikwanira kufunsa kernel kuyang'ana mbale iyi musanayang'ane yokhazikika:
# ip rule add from all pref 256 lookup 222
# ip rule
0: from all lookup local
256: from all lookup 222
32766: from all lookup main
32767: from all lookup defaultChilichonse, chimatsalira kukonza DHCP pa rauta kuti igawire adilesi ya IP ya seva ngati DNS, ndipo chiwembu chakonzeka.
zolakwa
Ndi ma aligorivimu apano opanga ndi kukonza mndandanda wa madambwe, akuphatikizapo, mwa zina, youtube.com ndi ma CDN ake.
Ndipo izi zimapangitsa kuti makanema onse azidutsa mu VPN, yomwe imatha kutseka njira yonse. Mwina ndi bwino kulemba mndandanda wa madera otchuka-zochotsa zomwe zimalepheretsa RKN panthawiyi, matumbo ndi ochepa. Ndipo zilumpheni pamene mukuzigawa.
Pomaliza
Njira yofotokozedwayo imakuthandizani kuti mulambalale pafupifupi kutsekereza kulikonse komwe opereka akugwiritsa ntchito pano.
M'malo mwake, dnstap-bgp zitha kugwiritsidwa ntchito pazifukwa zina zilizonse pomwe mulingo wowongolera magalimoto ukufunika kutengera dzina la domain. Ingokumbukirani kuti m'nthawi yathu ino, masamba chikwi amatha kukhazikika pa adilesi yomweyo ya IP (kuseri kwa Cloudflare, mwachitsanzo), chifukwa chake njirayi imakhala yolondola kwambiri.
Koma pazosowa zodutsa maloko, izi ndizokwanira.
Zowonjezera, zosintha, zopempha zokoka - kulandiridwa!
Source: www.habr.com