Meet the service from Cloudflare at 1.1.1.1 and 1.0.0.1, or "the ranks of public DNS have grown!"


Cloudflare provides public DNS at the addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

It is stated that a "privacy first" policy applies, so users need not worry about the contents of their queries.

The service is interesting because, in addition to ordinary DNS, it offers DNS-over-TLS and DNS-over-HTTPS, which largely prevents providers along the path of your queries from eavesdropping on them, and from collecting statistics, monitoring you, and steering advertising on that basis. Cloudflare says the announcement date (April 1, 2018, or 04/01 in American notation) was not chosen by chance: on what other day of the year would you present the "four ones"?

Since the Habr audience is technically literate, I will put the traditional section "why do we need DNS at all?" at the end of the post, and lay out the practically useful part here:

How do I use the new service?

The simplest option is to enter the DNS server addresses listed above in your DNS client (or as the upstream on the local DNS server you use). Whether it makes sense to replace the usual Google DNS (8.8.8.8 and friends) or the slightly less common Yandex public DNS servers (77.88.8.8 and the like) with Cloudflare's is for you to decide, but for a start, response speed speaks in its favour: according to Cloudflare it is faster than all competitors (to be precise: the measurements were made by a third party, and the speed for any particular client may of course differ).


Much more interesting is working in the new modes, where the query travels to the server over an encrypted connection (and the response comes back over it), namely the already mentioned DNS-over-TLS and DNS-over-HTTPS. Unfortunately, they are not supported "out of the box" (the authors believe this is a "not yet"), but setting them up in your own software (or even on your hardware) is not difficult:

DNS over HTTPS (DoH)

As the name suggests, communication takes place over an HTTPS channel, which implies

  1. an endpoint, which lives at https://cloudflare-dns.com/dns-query, and
  2. a client that can send queries and receive responses.

Queries can be either in the DNS wire format described in RFC 1035 (sent with the POST and GET HTTP methods) or in JSON format (GET only). Personally, the idea of making DNS queries via HTTP requests struck me as unexpected, but there is a rational kernel to it: such a request passes through most traffic-filtering devices, parsing the responses is very simple, and forming the requests is simpler still. Security is left to standard libraries and standards.

Example queries, straight from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}
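To show what the "dns=" parameter and the 49-byte reply above actually contain, here is an added example (not code from the post or from Cloudflare) that builds the RFC 1035 wire-format query, encodes it the way RFC 8484 expects for a GET, and parses the hexdumped response, following the name-compression pointer (c0 0c) and refusing a reply whose transaction id does not match the query. The 49 response bytes are constructed inline from the post's hexdump.

```python
# Added example (not from the post or Cloudflare): DNS wire format for DoH, plus a
# parser for the reply shown above that checks the id and QR bit before trusting it.
import base64
import struct

def build_query(name, qtype=1, txid=0xABCD):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)         # class IN

def to_dns_param(wire):
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode()  # RFC 8484 GET form

def read_name(msg, off):
    # Decode a name, following RFC 1035 compression pointers; return (name, next offset)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # pointer: 2 bytes, then jump
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if end is not None else off)
        labels.append(msg[off:off + n].decode())
        off += n

def parse_response(msg, expected_txid):
    # Return (rcode, [(name, type, ttl, rdata)]) or raise on a suspicious reply
    txid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]; off += 10 + rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers

# Constructed inline from the 49 response bytes in the post's hexdump
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd8180000100010000000003777777076578616d706c6503636f6d0000010001"
    "c00c0001000100000a8b00045db8d822")
```

`to_dns_param(build_query("www.example.com"))` yields exactly the `dns=` value in the curl command above, and parsing `SAMPLE_RESPONSE` gives the A record 93.184.216.34 with TTL 2699 (0x0a8b).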

Obviously, few (if any) home routers can work with DNS in this form, but that does not mean support will not appear tomorrow; and, interestingly, this makes it easy to implement DNS handling inside our own application (which is exactly what Mozilla is already going to do, and precisely with Cloudflare's servers).

DNS over TLS

By default, DNS queries are sent without encryption. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as prescribed by RFC 7858. It uses a certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing a connection and working with the protocol goes like this:

  • Before a DNS connection is established, the client stores a base64-encoded SHA-256 hash of the cloudflare-dns.com TLS certificate's public key (known as the SPKI pin)
  • The DNS client establishes a TCP connection to cloudflare-dns.com:853
  • The DNS client initiates a TLS handshake
  • During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which prevents eavesdropping on and tampering with queries and responses
  • All DNS queries sent over the TLS connection must follow the specification for sending DNS over TCP

Example of a query via DNS over TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
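The steps listed above, as an added example that is not part of the post or of any Cloudflare code: a minimal DNS-over-TLS client in Python's standard library that verifies the server certificate against the name cloudflare-dns.com (while connecting to 1.1.1.1:853), refuses anything older than TLS 1.2, applies the two-byte length prefix that RFC 7858 inherits from DNS over TCP, and checks that the reply carries the query's transaction id. The framing helpers are pure functions so the message handling can be checked offline.

```python
# Added example (not from the post or Cloudflare): DNS-over-TLS transport with
# certificate/hostname verification and RFC 7858 (DNS-over-TCP) length framing.
import socket
import ssl
import struct

DOT_HOST, DOT_ADDR, DOT_PORT = "cloudflare-dns.com", "1.1.1.1", 853

def frame_tcp(query):
    # Two-byte big-endian length prefix, exactly as for DNS over TCP
    return struct.pack(">H", len(query)) + query

def unframe_tcp(data):
    # Split one length-prefixed message off a byte stream; (None, data) if incomplete
    if len(data) < 2:
        return None, data
    n = struct.unpack(">H", data[:2])[0]
    if len(data) < 2 + n:
        return None, data
    return data[2:2 + n], data[2 + n:]

def make_tls_context():
    # System CA store; hostname check and CERT_REQUIRED are the defaults, stated explicitly
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # the post: TLS 1.2 and 1.3 supported
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def dot_query(query, timeout=5.0):
    # Send one wire-format query to 1.1.1.1:853 and return the raw wire-format reply
    ctx = make_tls_context()
    with socket.create_connection((DOT_ADDR, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:  # SNI + name check
            tls.sendall(frame_tcp(query))
            buf = b""
            while True:
                reply, buf = unframe_tcp(buf)
                if reply is not None:
                    break
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply")
                buf += chunk
    if reply[:2] != query[:2]:                       # id must echo the query
        raise ValueError("reply id does not match query id")
    return reply
```

Passing `dot_query` the decoded 33-byte query from the DoH example above reproduces the kdig exchange over a plain socket; a certificate that does not match cloudflare-dns.com makes `wrap_socket` raise before any query is sent.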

This option seems better suited to local DNS servers serving the needs of a local network or a single user. True, support for the standard is not great yet, but let's hope!

A few words of explanation about what all this is

The abbreviation DNS stands for Domain Name Service (so "DNS service" is somewhat tautological; the acronym already contains the word "service"), and it solves a simple task: finding out which IP address a particular hostname has. Whenever a person clicks a link or types in an address (say, something like "https://habrahabr.ru/post/346430/"), the user's computer tries to find out which server it should send a request to in order to get the page content. In the case of habrahabr.ru, the DNS response contains the IP address of the web server, 178.248.237.68, and the browser then tries to connect to the server at that IP address.

In turn, the DNS server, having received the question "what is the IP address of the host named habrahabr.ru?", determines whether it knows anything about that host. If not, it queries other DNS servers around the world and, step by step, tries to find the answer to the question it was asked. Finally, once the definitive answer is obtained, the data is sent to the waiting client and also stored in the DNS server's own cache, which lets it answer the same question faster next time.

The usual problem is that, firstly, DNS query data is sent in the clear (which lets anyone with access to the traffic path pick out the DNS queries and the responses to them and then analyse them for their own purposes; it makes ad targeting possible with precision down to the individual DNS client, and that is quite a lot!). Secondly, some ISPs (we won't point fingers, but they are not the small ones) like to show advertising instead of one requested page or another (which is implemented very simply: instead of the real IP address for the hostname habrahabr.ru, a random person is given the address of the company's web server, which serves the page containing the advertising). Thirdly, there are ISPs that implement the requirement to block individual sites by replacing the correct DNS responses about the IP addresses of blocked web resources with the IP address of their own server holding stub pages (as a result, access to such sites becomes noticeably harder), or with the address of their own proxy server that performs the filtering.

This is probably the place for a picture from the site http://1.1.1.1/, which explains the connection to the service. The authors, it seems, are quite confident in the quality of their DNS (although it would be hard to expect anything else from Cloudflare):


One can fully understand Cloudflare, who created the service: they earn their bread by supporting and developing one of the most popular CDN networks in the world (whose functions include not only content distribution but also hosting DNS zones), and, thanks to the desire of those who do not know much to teach those they do not know at all where they may and may not go on the worldwide network, it regularly suffers from blocking of its server addresses by we won't say whom. So a DNS that sits outside the "noise, fuss and paperwork" means less damage to the company's business. And the technical advantages (a small thing, but a nice one: in particular, for Cloudflare's free DNS customers, updates to DNS records of resources hosted on the company's DNS will be instant) make the service described in this post all the more attractive.


Will you use the new service?

  • Yes, by configuring it in the OS and/or on the router
  • Yes, and I will use the new protocols (DNS over HTTPS and DNS over TLS)
  • No, my current servers are enough for me (a public one: Google, Yandex, etc.)
  • No, I don't know what I am using at the moment
  • I use my own recursive DNS with an SSL bridge in front of it

693 users voted. 191 users abstained.

Source: www.habr.com
