Pulogalamu ya ProHoster > Blog > Ulamuliro > Timakumana ndi msonkhano kuchokera ku Cloudflare pamaadiresi 1.1.1.1 ndi 1.0.0.1, kapena "shelufu ya DNS yafika!"
Timakumana ndi msonkhano kuchokera ku Cloudflare pamaadiresi 1.1.1.1 ndi 1.0.0.1, kapena "shelufu ya DNS yafika!"
Chosavuta kwambiri ndikutchula ma adilesi apamwamba a seva ya DNS mu kasitomala wanu wa DNS (kapena ngati kumtunda pazokonda za seva ya DNS yomwe mumagwiritsa ntchito). Kodi n'kwanzeru kusintha makhalidwe abwino? Google DNS (8.8.8.8, etc.), kapena zochepa kwambiri Yandex public DNS seva (77.88.8.8 ndi ena onga iwo) kwa ma seva ochokera ku Cloudflare - adzakusankhirani, koma zimalankhula zoyamba ndandanda liwiro la mayankho, malinga ndi zomwe Cloudflare imagwira ntchito mwachangu kuposa onse opikisana nawo (ndiroleni ndifotokozere: miyeso idapangidwa ndi gulu lachitatu, ndipo liwiro kwa kasitomala wina, ndithudi, likhoza kusiyana).
Ndizosangalatsa kwambiri kugwira ntchito ndi mitundu yatsopano momwe pempho limawulukira ku seva kudzera pa intaneti yolumikizidwa (kwenikweni, yankho limabwezedwa kudzera pamenepo), DNS-over-TLS ndi DNS-over-HTTPS. Tsoka ilo, samathandizidwa kunja kwa bokosi (olembawo amakhulupirira kuti izi ndi "panobe"), koma kukonza ntchito yawo mu pulogalamu yanu (kapena ngakhale pa hardware yanu) sikovuta:
kukhalapo kwa malo otsetsereka (mapeto) - ili pa https://cloudflare-dns.com/dns-queryndi
kasitomala amene angathe kutumiza zopempha ndi kulandira mayankho.
Zopempha zitha kukhala mu DNS Wireformat yofotokozedwamo Zogulitsa (kutumizidwa pogwiritsa ntchito njira za POST ndi GET HTTP), kapena mumtundu wa JSON (pogwiritsa ntchito njira ya GET HTTP). Kwa ine panokha, lingaliro lopanga mafunso a DNS kudzera pa zopempha za HTTP limawoneka mosayembekezereka, koma pali zomveka mmenemo: pempho lotereli lidzadutsa njira zambiri zosefera magalimoto, kuyankha kuyankha ndikosavuta, ndipo kupanga zopempha ndikosavuta. Malaibulale odziwika bwino ndi ma protocol ali ndi udindo wachitetezo.
Zitsanzo za mafunso, molunjika kuchokera pa zolembedwa:
Mwachiwonekere, ma routers akunyumba ochepa (ngati alipo) amatha kugwira ntchito ndi DNS monga chonchi, koma izi sizikutanthauza kuti chithandizo sichidzawonekera mawa - ndipo, chochititsa chidwi, apa titha kugwiritsa ntchito mosavuta DNS mu ntchito yathu (monga kale). apanga Mozilla, pa ma seva a Cloudflare).
DNS pa TLS
Mwachikhazikitso, mafunso a DNS amatumizidwa popanda kubisa. DNS pa TLS ndi njira yotumizira iwo pa intaneti yotetezeka. Cloudflare imathandizira DNS pa TLS pa doko lokhazikika 853 monga momwe adanenera Zogulitsa. Izi zimagwiritsa ntchito satifiketi yoperekedwa kwa cloudflare-dns.com, TLS 1.2 ndi TLS 1.3 amathandizidwa.
Kukhazikitsa kulumikizana ndikugwira ntchito ndi protocol kumapita motere:
Asanakhazikitse kulumikizana ndi DNS, kasitomala amasunga base64 encoded SHA256 hash ya cloudflare-dns.com's TLS satifiketi (yotchedwa SPKI)
Makasitomala a DNS amakhazikitsa kulumikizana kwa TCP ku cloudflare-dns.com:853
DNS kasitomala amayambitsa njira ya TLS yogwirana chanza
Pakugwirana chanza kwa TLS, wolandila cloudflare-dns.com amapereka satifiketi yake ya TLS.
Kulumikizana kwa TLS kukakhazikitsidwa, kasitomala wa DNS amatha kutumiza mafunso a DNS panjira yotetezeka, zomwe zimalepheretsa kubisalira ndikunamiza zopempha ndi mayankho.
Zopempha zonse za DNS zotumizidwa kudzera pa intaneti ya TLS ziyenera kutsatira zomwe zanenedwa kutumiza DNS pa TCP.
Chitsanzo cha pempho kudzera pa DNS pa TLS:
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2347 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
Izi zikuwoneka kuti ndizoyenera ma seva a DNS am'deralo omwe akutumikira zosowa za netiweki yakomweko kapena wogwiritsa ntchito m'modzi. Zowona, kuthandizira kwa muyezo sikwabwino kwambiri, koma tiyeni tiyembekeze!
Mawu awiri ofotokozera zomwe tikukamba
Chidule cha DNS chikuyimira Domain Name Service (choncho kunena kuti "DNS service" ndizovuta; mawu ofupikitsa ali kale ndi mawu oti "service"), ndipo amagwiritsidwa ntchito kuthetsa ntchito yosavuta - kumvetsetsa kuti adilesi ya IP yomwe dzina la wolandirayo lili ndi chiyani. Nthawi iliyonse munthu akadina ulalo, kapena kulowetsa adilesi mu adilesi ya asakatuli (nenani, ngati "https://habrahabr.ru/post/346430/"), kompyuta ya munthu ikuyesera kudziwa seva yomwe ingatumize pempho kuti ilandire zomwe zili patsambalo. Pankhani ya habrahabr.ru, yankho lochokera ku DNS lidzakhala ndi chizindikiro cha adilesi ya IP ya seva yapaintaneti: 178.248.237.68, ndiyeno msakatuli adzayesa kulumikizana ndi seva ndi adilesi ya IP yomwe yatchulidwa.
Kenako, seva ya DNS, italandira pempho lakuti "Kodi adilesi ya IP ya wolandirayo dzina lake habrahabr.ru ndi chiyani?", imatsimikizira ngati ikudziwa chilichonse chokhudza wolandirayo. Ngati sichoncho, zimapanga funso kwa ma seva ena a DNS padziko lapansi, ndipo, pang'onopang'ono, amayesa kupeza yankho la funso lomwe lafunsidwa. Zotsatira zake, popeza yankho lomaliza, zomwe zapezeka zimatumizidwa kwa kasitomala akudikirira, kuphatikizanso zimasungidwa mu cache ya seva ya DNS yokha, zomwe zimakupatsani mwayi woyankha funso lofananalo mwachangu nthawi ina.
Vuto lodziwika bwino ndiloti, choyamba, deta yafunso ya DNS imatumizidwa momveka bwino (zomwe zimalola aliyense yemwe ali ndi mwayi wofikira kumayendedwe amtundu uliwonse kuti adzipatula mafunso a DNS ndi mayankho omwe amabwera, kenako ndikuwagawa pazolinga zawo; izi zimalola kuthekera. kutsata kutsatsa molondola kwa kasitomala wa DNS, ndipo izi ndizambiri!). Kachiwiri, ena opereka intaneti (sitidzaloza zala, koma osati ang'onoang'ono) amakonda kuwonetsa zotsatsa m'malo mwa tsamba limodzi kapena lina lomwe lafunsidwa (lomwe limakhazikitsidwa mophweka: m'malo mwa adilesi ya IP yomwe yatchulidwa kuti mupemphe dzina la wolandila. habranabr.ru kwa munthu mwachisawawa Mwa njira iyi, adilesi ya seva yapaintaneti ya woperekayo imabwezedwa, pomwe tsamba lomwe lili ndi zotsatsa limatumizidwa). Chachitatu, pali opereka intaneti omwe amakhazikitsa njira yokwaniritsira zofunikira zoletsa masamba pawokha posintha mayankho olondola a DNS okhudza ma adilesi a IP azinthu zotsekedwa ndi adilesi ya IP ya seva yawo yomwe ili ndi masamba a stub (zotsatira zake, kupeza masamba oterowo amakhala ovuta kwambiri), kapena ku adilesi ya seva yanu ya proxy yomwe imasefa.
Muyenera kuyika chithunzi kuchokera patsamba lino http://1.1.1.1/, yomwe imathandizira kufotokozera kulumikizidwa ku ntchito. Olembawo, mwachiwonekere, ali ndi chidaliro chonse mu mtundu wa DNS yawo (komabe, ndizovuta kuyembekezera chilichonse chosiyana ndi Cloudflare):
Munthu amatha kumvetsetsa bwino Cloudflare, yemwe adayambitsa ntchitoyi: amapeza chakudya chawo pothandizira ndikupanga imodzi mwama CDN otchuka kwambiri padziko lonse lapansi (ntchito zomwe sizikuphatikizapo kugawa zomwe zili, komanso kuchititsa magawo a DNS), ndi, chifukwa cha zofuna zawo, amene sadziwa zambiri, phunzitsani iwo amene sadziwa,ku uyo koyenera kupita pa intaneti yapadziko lonse lapansi, nthawi zambiri amavutika ndi kutsekereza ma adilesi ake a seva ndi sitinena ndani - kotero kukhala ndi DNS yomwe simakhudzidwa ndi "mfuu, mluzu ndi scribbles" kumatanthauza kuchepa kwa bizinesi yawo ku kampani. Ndipo ubwino waumisiri (chinthu chaching'ono, koma chabwino: makamaka, kwa makasitomala a DNS Cloudflare yaulere, kukonzanso zolemba za DNS zazinthu zomwe zimagwiritsidwa ntchito pa seva za DNS za kampaniyo zidzakhala nthawi yomweyo) kupanga kugwiritsa ntchito ntchito yomwe yafotokozedwa mu positiyi kukhala yosangalatsa kwambiri. .
Ogwiritsa ntchito olembetsedwa okha ndi omwe angatenge nawo gawo pa kafukufukuyu. Lowani muakauntichonde.
Kodi mukugwiritsa ntchito ntchito yatsopanoyi?
Inde, pongofotokoza mu OS ndi/kapena pa rauta
Inde, ndipo ndigwiritsa ntchito ma protocol atsopano (DNS pa HTTPs ndi DNS pa TLS)
Ayi, ndili ndi ma seva apano okwanira (uyu ndi wopereka pagulu: Google, Yandex, etc.)