Meet Cloudflare's resolver at 1.1.1.1 and 1.0.0.1, or "the DNS ranks have grown!"

Cloudflare has launched a public DNS resolver at the following addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

A "privacy first" policy is declared, so users can be at ease about the content of their queries.

The service is interesting because, in addition to ordinary DNS, it offers the DNS-over-TLS and DNS-over-HTTPS technologies, which stop your access provider from eavesdropping on your queries (collecting statistics, monitoring, and managing advertising). Cloudflare says the announcement date (April 1, 2018, or 04/01 in American notation) was not chosen by chance: on what other day of the year would "four ones" be handed out?

Since the Habr audience is technically savvy, I'll put the traditional section "why do we need DNS at all?" at the end of the post and describe the most useful things here:

How to use the new service?

The simplest option is to put the server addresses above into your DNS client (or as the upstream in the settings of the DNS server you run). Whether it is worth replacing the customary Google DNS (8.8.8.8 and so on), or the far less common Yandex public DNS servers (77.88.8.8 and the like), with Cloudflare's servers is for you to decide, but the initial response-time chart speaks in Cloudflare's favour: according to it, Cloudflare is faster than all of its competitors (to be fair: the measurements were made by a third party, and the latency seen by any particular client can of course differ).

Far more interesting are the new modes in which the query travels to the server over an encrypted connection (and the response comes back the same way): DNS-over-TLS and DNS-over-HTTPS. Unfortunately they are not supported out of the box (the authors believe this is "for now"), but wiring them into your own software (or even your own hardware) is not hard:

DNS over HTTPS (DoH)

As the name suggests, communication happens over HTTPS, which implies

  1. an endpoint; it lives at https://cloudflare-dns.com/dns-query, and
  2. a client capable of sending requests and receiving responses.

Queries can be in the DNS wire format described in the standard (sent with the HTTP POST and GET methods) or in JSON (HTTP GET). Personally, the idea of making DNS queries through HTTP requests struck me as odd, but there is sense in it: such a request passes through most traffic-filtering gear, parsing the response is easy, and building the request is easier still, while well-known libraries and protocols take care of the security. One caveat for anyone copying the examples below: the `application/dns-udpwireformat` content type and the `ct=` parameter come from the pre-standard draft the examples were written against; the standardized DoH (RFC 8484, published later in 2018) uses `application/dns-message`, with the GET query carried in the `dns=` parameter as unpadded base64url.

Example queries, straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format (`base64 -d` is the GNU spelling; older macOS builds take `-D`)

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -d | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON (the record type is `A`, matching the `"type": 1` and IPv4 address in the response)

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=A'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}
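To make the two wire-format examples above concrete, here is an added example (not code from the post or from Cloudflare) that builds the same query the `dns=` parameter carries, parses the 49-byte reply that `hexdump` printed, and checks that the reply actually belongs to the query. The reply bytes are copied from the dump above; the transport (curl or any HTTPS client) is left out, since the bytes go into the GET parameter or POST body unchanged.

```python
"""DNS wire format as carried by DNS-over-HTTPS: build the query, parse the reply.

Added example, not code from the Habr post or from Cloudflare. It reproduces
offline the two artefacts shown above: the base64url string in the `dns=`
parameter and the 49-byte answer that hexdump printed. Transport is left
out; these bytes go into the GET `dns=` parameter or the POST body unchanged.
"""
import base64
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """12-byte header with RD set plus one question. The page's query uses id
    0xabcd; RFC 8484 recommends id 0 so that identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def to_dns_param(msg: bytes) -> str:
    """Unpadded base64url, the encoding required for the GET `dns=` parameter."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name that may use compression pointers (the `c0 0c` in the
    dump above). Returns the name and the offset just past it in the stream;
    a pointer consumes two bytes regardless of where it points."""
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:  # bound the jumps: a crafted reply could loop forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_message(msg: bytes) -> Dict:
    """Header, question section and answer section (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        is_ipv4 = rtype == QTYPE_A and rdlen == 4
        data = ".".join(str(b) for b in rdata) if is_ipv4 else rdata.hex()
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x0F,
            "question": questions, "answer": answers}


def check_reply(query: bytes, reply: bytes) -> Dict:
    """Accept a reply only if it is a response whose id and question match the
    query; on plain UDP that is the (weak) anti-spoofing check, and over DoH or
    DoT it still rejects a mismatched or replayed message."""
    q, r = parse_message(query), parse_message(reply)
    if not r["qr"] or r["id"] != q["id"] or r["question"] != q["question"]:
        raise ValueError("reply does not match query")
    return r


# The 49 bytes hexdump printed above for www.example.com (copied from the page).
RESPONSE_HEX = ("abcd81800001000100000000" "03777777076578616d706c6503636f6d00"
                "00010001" "c00c" "00010001" "00000a8b" "0004" "5db8d822")

if __name__ == "__main__":
    q = build_query("www.example.com", txid=0xABCD)
    print("dns=" + to_dns_param(q))
    print(check_reply(q, bytes.fromhex(RESPONSE_HEX)))
```

Run as a script it prints the exact `dns=` value used in the GET example above and the decoded answer (`93.184.216.34`, TTL 2699, i.e. `0x0a8b`). The pointer-hop bound in `read_name` is the part worth copying into any resolver-side code: a reply built by someone sitting on the path can make a naive name decoder loop or read far outside the message, and DoH/DoT only protect the path, not the parser.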

Obviously, few (if any) home routers can work with DNS this way, but that does not mean support won't show up tomorrow; and, interestingly, it is now easy to use DNS this way from inside our own applications (as Mozilla has already done, against Cloudflare's servers).

DNS over TLS

By default, DNS queries are sent unencrypted. DNS over TLS is a way of sending them over an encrypted connection. Cloudflare supports DNS over TLS on the standard port 853, as the standard (RFC 7858) prescribes. It uses a certificate issued for cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing the connection and working with the protocol goes like this:

  • Before the first connection, the DNS client may store the base64-encoded SHA-256 hash of the SubjectPublicKeyInfo of cloudflare-dns.com's TLS certificate (the SPKI pin), so that it can later verify the server key independently of the CA chain.
  • The DNS client opens a TCP connection to cloudflare-dns.com:853.
  • The DNS client starts the TLS handshake.
  • During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate; the client validates it against its CA store (and against the stored pin, if it has one).
  • Once the TLS session is established, the DNS client can send DNS queries over the encrypted channel, which prevents eavesdropping on and forgery of queries and responses.
  • All DNS queries sent over the TLS connection must follow the DNS-over-TCP specification, i.e. each message is prefixed with its two-byte length.
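The procedure above, as an added example (not code from the post or from Cloudflare): the DNS-over-TCP framing that DoT reuses, a TLS connection to 1.1.1.1:853 with hostname verification for cloudflare-dns.com, and an optional SPKI pin check computed directly from the presented DER certificate. The pin constant is the one kdig prints further down this page and is an assumption about the current certificate; pins change when the certificate is reissued, so read it from your own connection first. The live query only runs when the file is executed as a script.

```python
"""DNS-over-TLS client helpers: TCP framing, TLS setup and SPKI pinning.

Added example, not code from the Habr post or from Cloudflare. PAGE_PIN is
the value kdig printed on this page and is assumed, not guaranteed, to be
current; the query bytes are the page's DoH example (www.example.com, A).
"""
import base64
import hashlib
import socket
import ssl
from typing import Optional, Tuple

DOT_HOST = "cloudflare-dns.com"   # name on the certificate, used for SNI + hostname check
DOT_ADDR = "1.1.1.1"
DOT_PORT = 853


def frame(msg: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return len(msg).to_bytes(2, "big") + msg


def unframe(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Pull one complete message off a stream buffer; returns (message or None, rest).
    TLS records do not align with DNS messages, so a reply may arrive split or
    glued to the next one; never assume one recv() == one message."""
    if len(buf) < 2:
        return None, buf
    n = int.from_bytes(buf[:2], "big")
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]


def _der_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Minimal DER reader: returns (tag, content_offset, content_length)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, length


def pin_of_spki(spki_der: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)), the pin format kdig prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo and hash the
    SPKI element including its own SEQUENCE header."""
    _, off, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, off, _ = _der_tlv(cert_der, off)     # tbsCertificate SEQUENCE
    tag, coff, clen = _der_tlv(cert_der, off)
    if tag == 0xA0:                          # [0] EXPLICIT version, present for v3 certs
        off = coff + clen
    for _ in range(5):                       # serial, sigalg, issuer, validity, subject
        _, coff, clen = _der_tlv(cert_der, off)
        off = coff + clen
    _, coff, clen = _der_tlv(cert_der, off)  # subjectPublicKeyInfo
    return pin_of_spki(cert_der[off:coff + clen])


def query_over_tls(msg: bytes, expected_pin: Optional[str] = None, timeout: float = 5.0) -> bytes:
    """Send one DNS message to 1.1.1.1:853 over TLS and return the raw reply.
    The chain and hostname are checked against the system CA store; when
    expected_pin is given the SPKI pin is enforced as well, so a mis-issued
    certificate for cloudflare-dns.com is rejected too."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname, TLS 1.2+
    with socket.create_connection((DOT_ADDR, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:
            if expected_pin is not None:
                got = spki_pin(tls.getpeercert(binary_form=True))
                if got != expected_pin:
                    raise ssl.SSLError(f"SPKI pin mismatch: got {got}")
            tls.sendall(frame(msg))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply")
                buf += chunk
                reply, buf = unframe(buf)
                if reply is not None:
                    return reply


# Query bytes from the DoH example above: www.example.com, type A, id 0xabcd.
QUERY = bytes.fromhex("abcd01000001000000000000" "03777777076578616d706c6503636f6d00" "00010001")
# Leaf pin as printed by kdig on this page; assumed current, verify before relying on it.
PAGE_PIN = "yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="

if __name__ == "__main__":
    reply = query_over_tls(QUERY, expected_pin=None)   # pass PAGE_PIN to enforce the pin
    print(len(reply), "bytes:", reply.hex())
```

Pinning and CA validation are independent checks, and the list above describes both; the kdig run further down validates the chain but, as its debug output says, skips the pin. Pin only the leaf when you control certificate rotation on both ends; for a public resolver, pinning the intermediate CA (kdig prints its pin too) survives routine leaf renewals.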

An example query over DNS over TLS. Note that with only `+tls-ca` kdig validates the chain against the system CA store and, as its debug line says, skips the pin check; to enforce the pin as well, add `+tls-pin=` with the SHA-256 PIN it prints for the leaf certificate (and expect that pin to change whenever the certificate is reissued):

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

This looks well suited to local DNS servers that serve a home network or a single user. True, support for the standard is not yet widespread, but let's hope!

A couple of words about what this is all about

DNS stands for Domain Name System (the expansion "Domain Name Service" is also common, which is why "DNS service" sounds tautological), and it solves a simple task: finding out which IP address corresponds to a host name. Every time someone clicks a link or types an address into the browser's address bar (say, "https://habrahabr.ru/post/346430/"), their computer tries to determine which server it should send the request to in order to receive the page. In the case of habrahabr.ru, the DNS response will contain the IP address of the web server, 178.248.237.68, and the browser will then try to connect to the server at that address.

The DNS server, on receiving the question "what is the IP address of the host named habrahabr.ru?", checks whether it knows anything about that host. If not, it queries other DNS servers around the world and, step by step, tries to find the answer. Once the final answer is found, the data is sent to the waiting client and is also stored in the DNS server's own cache, which lets it answer the same question faster next time.

The well-known problem is, firstly, that DNS queries are sent in the clear (which lets anyone with access to the traffic path pick out the DNS queries and the responses to them and then use them for their own purposes; this alone allows quite precise profiling of the DNS client, and that is far from all!). Secondly, some ISPs (we won't point fingers, but they are not small ones) like to show advertising instead of a requested page (implemented simply: instead of the IP address for the requested name habrahabr.ru, a randomly chosen user is returned the address of the provider's own web server, which serves a page with ads). Thirdly, there are ISPs that implement the legal requirement to block individual sites by replacing the correct DNS answers for the IP addresses of blocked resources with the IP address of their own server hosting stub pages (with the result that reaching such sites becomes considerably harder), or with the address of their own filtering proxy.

The picture from http://1.1.1.1/ is worth reproducing here: it helps explain how to connect to the service. The authors are evidently fully confident in the quality of their DNS (then again, anything else would be hard to expect from Cloudflare):

[image from http://1.1.1.1/ with the service's connection instructions; not reproduced here]

Cloudflare's motive for launching the service is easy to understand: they earn their living by supporting and developing one of the world's most popular CDNs (whose services include not only content distribution but also hosting DNS zones), and, thanks to the wish of those who are not very knowledgeable to teach those who are not very knowledgeable where one may and may not go on the global network, they regularly suffer from the blocking of their server addresses by we won't say whom; so having a DNS that is immune to this "noise, whistling and scribbling" means fewer business losses for the company. And the technical advantages (a small thing, but a pleasant one: in particular, for customers of Cloudflare's free DNS hosting, updates to the DNS records of resources served on the company's DNS servers will be visible instantly) make the service described in this post all the more attractive to use.


Are you going to use the new service?

  • Yes, just by configuring it in the OS and/or on the router

  • Yes, and I'll use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, I have enough of my current servers (a public provider: Google, Yandex, etc.)

  • No, I don't know what I'm using now

  • I run my own recursive DNS with an SSL tunnel in front of it

693 users voted. 1 user abstained.

Source: www.habr.com
