Meet the Cloudflare service at 1.1.1.1 and 1.0.0.1, or "the ranks of public DNS have grown!"


Cloudflare has launched a public DNS service at the addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

The policy is called "Privacy first", so that users can stop worrying about what happens to the contents of their queries.

What makes the service interesting is that, in addition to plain DNS, it offers DNS-over-TLS and DNS-over-HTTPS, which largely prevent the providers along the query path from inspecting your queries, and therefore from collecting statistics on you, monitoring you, or steering advertising at you. Cloudflare says the announcement date (April 1, 2018, or 04/01 in American notation) was not chosen by chance: on which other day of the year would "four ones" be presented?

Since the Habr audience is technically literate, I will put the traditional "what do you need DNS for?" section at the end of the article, and here I will go straight to a few more useful things:

How to use the new service?

The simplest thing is to specify the DNS server addresses above in your DNS client (or as upstream servers in the configuration of the DNS server you run yourself). Whether it makes sense to swap the usual Google DNS (8.8.8.8 and so on) or the somewhat less widespread Yandex public DNS servers (77.88.8.8 and the like) for Cloudflare's servers is up to you, but the newly launched service promises faster responses, and by its figures Cloudflare is faster than all competitors (a clarification: the measurements were taken by a third-party service, and the latency seen by a particular client may of course differ).


More interesting is working in the new modes, in which the query travels to the server over an encrypted connection (and the response comes back the same way): the DNS-over-TLS and DNS-over-HTTPS mentioned above. Unfortunately they are not supported "out of the box" (the authors believe this is only "for now"), but it is not hard to arrange for them in your own software (or even on your own hardware):

DNS over HTTPS (DoH)

As the name implies, communication happens over an HTTPS channel, which implies

  1. an endpoint to talk to: it lives at https://cloudflare-dns.com/dns-query, and
  2. a client that can send requests to it and receive the responses.

Requests can be in the DNS wire format described in RFC 1035 (sent with the POST or GET HTTP methods) or in JSON (GET only). Personally, the idea of making DNS queries through HTTP requests struck me as odd, but there is a rational core to it: such a request passes through many traffic filtering systems unhindered, parsing the responses is simple, and forming the requests is simpler still. Security is handled by the usual libraries and protocols. (The media type application/dns-udpwireformat seen in the captures below is the name from the draft in use at the time; the standard that followed, RFC 8484, calls it application/dns-message.)

Example requests, from the documentation:

GET request in DNS wire format

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST request in DNS wire format

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON (the query type is A here, matching the answer shown below)

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=A'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}
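As an added example (editor-written, not Cloudflare's code and not from the documentation the captures come from), here is a small Python client that builds the same wire-format query the captures above use, forms the GET URL for it, and parses the 49-byte reply from the hexdump above, re-typed here as a constructed byte string so everything runs offline. The endpoint and the captured bytes come from the page; the function names, the header checks and the use of the RFC 8484 media type application/dns-message instead of the draft name are my choices.

```python
"""Added example: a DNS-over-HTTPS (wire-format) query builder and reply parser.
Editor-written, not Cloudflare's code; endpoint and captured reply from the page,
function names and everything else assumed."""
import base64
import ipaddress
import struct
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"     # from the page
# RFC 8484 (October 2018) standardised this media type; the page's capture
# predates it and used the draft name application/dns-udpwireformat.
DNS_MESSAGE = "application/dns-message"

# The 49-byte reply from the page's hexdump, re-typed as a constructed byte
# string so the parser can be exercised offline (www.example.com, one A record).
PAGE_RESPONSE = bytes.fromhex(
    "abcd8180000100010000000003777777"
    "076578616d706c6503636f6d00000100"
    "01c00c0001000100000a8b00045db8d8"
    "22"
)


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0xABCD):
    """Header (RD set, one question) plus the question section, as sent over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """GET form: the message base64url-encoded without padding in dns= (RFC 8484)."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_name(msg, off):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                          # bound the pointer chase
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (two bytes)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
        elif length == 0:
            return ".".join(labels) + ".", end if jumped else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    raise ValueError("compression pointer loop")


def parse_response(msg, expected_id):
    """Check the header bits a client must look at, then list the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (reply is not for our query)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    result = {"rcode": flags & 0xF, "tc": bool(flags & 0x0200),
              "ad": bool(flags & 0x0020), "answers": []}
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        data = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        result["answers"].append((name, rtype, ttl, data))
    return result


def fetch(query, endpoint=DOH_ENDPOINT):
    """Live DoH lookup (needs network): GET with the wire-format Accept header."""
    req = urllib.request.Request(doh_get_url(query, endpoint),
                                 headers={"Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))                         # the URL from the page's GET example
    print(parse_response(PAGE_RESPONSE, 0xABCD))  # offline, from the captured bytes
```

The parser refuses a reply whose transaction ID is not ours or whose QR bit is clear, and it surfaces TC (a truncated reply must not be treated as complete) and AD (whether the resolver validated DNSSEC) so the caller can decide what to do with them rather than silently trusting the first answer record.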

Clearly, a rare home router (if any) can talk DNS this way today, but that does not mean support will not appear tomorrow; and, interestingly, it lets us work with DNS right inside our own application (as Mozilla is already doing, against Cloudflare's servers).

DNS over TLS

By default, DNS queries are transmitted unencrypted. DNS over TLS is a way of sending them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as prescribed by RFC 7858. The service uses a certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing the connection and working over the protocol goes like this:

  • Before establishing the DNS connection, the client stores the base64-encoded SHA-256 hash of the public key (the SubjectPublicKeyInfo, hence "SPKI pin") from cloudflare-dns.com's TLS certificate
  • The DNS client opens a TCP connection to cloudflare-dns.com:853
  • The DNS client starts the TLS handshake
  • During the TLS handshake, the cloudflare-dns.com host presents its TLS certificate; the client validates it against its trust store and, if it pins, checks that the certificate's SPKI hash matches the stored one
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which protects the queries and responses from eavesdropping and tampering
  • All DNS queries sent over the TLS connection must follow the rules for DNS over TCP: every message is prefixed with its two-byte length

Example query via DNS over TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms
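The steps listed above, as an added example in Python (editor-written, not Cloudflare's code): it opens the TLS session on 1.1.1.1:853 with SNI and certificate validation against the system trust store, computes the SPKI pin of the presented leaf certificate the way kdig prints it, and frames the query with the two-byte length that DNS over TCP requires. The host, address, port and the pin in the capture above come from the page; the function names and the constructed certificate skeleton used to exercise the pin code offline are assumptions, and the key behind the captured pin has certainly rotated since 2018, so PAGE_PIN is a sample value, not something to pin against today.

```python
"""Added example: a minimal DNS-over-TLS client with SPKI pinning.
Editor-written, not Cloudflare's code; host, address, port and the 2018 pin
come from the page, function names and the sample certificate are assumed."""
import base64
import hashlib
import socket
import ssl
import struct

DOT_HOST = "cloudflare-dns.com"   # name the certificate is issued for (from the page)
DOT_ADDR = "1.1.1.1"              # resolver address (from the page)
DOT_PORT = 853                    # RFC 7858 port (from the page)
# Leaf-certificate pin kdig printed in the page's capture (March 2018). Keys
# rotate, so a live session will almost certainly present a different pin.
PAGE_PIN = "yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="
# The wire-format query from the page's DoH example (www.example.com, type A).
QUERY = base64.b64decode("q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB")


def der_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def der_encode(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def spki_from_cert(der):
    """Return the subjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, tbs_start, _ = der_tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, end = der_tlv(der, tbs_start)          # tbsCertificate ::= SEQUENCE { ... }
    fields = []
    while pos < end:                               # keep the whole TLV span of each field
        tag, _vstart, vend = der_tlv(der, pos)
        fields.append((tag, der[pos:vend]))
        pos = vend
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(der):
    """base64(SHA-256(SPKI)): the value kdig prints as 'SHA-256 PIN'."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()


def frame(msg):
    """DNS over TCP/TLS prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed before the full message arrived")
        buf += chunk
    return buf


def dot_query(msg, expected_pins=None, addr=DOT_ADDR, host=DOT_HOST, port=DOT_PORT):
    """Send one DNS message over TLS and return the raw response (does network I/O)."""
    ctx = ssl.create_default_context()             # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((addr, port), timeout=5) as raw:
        # server_hostname supplies SNI and the name the certificate must match
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            pin = spki_pin(tls.getpeercert(binary_form=True))
            if expected_pins is not None and pin not in expected_pins:
                raise ssl.SSLError(f"SPKI pin mismatch: server presented {pin}")
            tls.sendall(frame(msg))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = recv_exact(tls, length)
    if resp[:2] != msg[:2]:
        raise ValueError("response ID does not match the query ID")
    return resp


def sample_cert():
    """Constructed certificate skeleton (not real, not signed, not valid) with the
    X.509 field order, to exercise spki_from_cert offline. Returns (cert, spki)."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    ec_oid = der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")            # id-ecPublicKey
    spki = seq(seq(ec_oid), der_encode(0x03, b"\x00\x04" + b"\xaa" * 64))  # dummy point
    sig_alg = seq(der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),                # [0] version v3
              der_encode(0x02, b"\x01"), sig_alg, seq(),                  # serial, sigalg, issuer
              seq(der_encode(0x17, b"180323000000Z"), der_encode(0x17, b"190323000000Z")),
              seq(), spki)                                                # subject, SPKI
    return seq(tbs, sig_alg, der_encode(0x03, b"\x00" + b"\xbb" * 70)), spki


if __name__ == "__main__":
    cert, spki = sample_cert()
    print("sample SPKI pin:", spki_pin(cert))            # offline
    print("live answer bytes:", len(dot_query(QUERY)))   # needs network access
```

Pinning only helps when the pin set is kept current: pin to a set that includes a backup key, compare against the set rather than a single value, and fail closed on a mismatch (as dot_query does) instead of logging and carrying on, since a mismatch is exactly the situation where the certificate chain alone would have let an interposed resolver through.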

This option looks best suited to local DNS servers serving the needs of a local network or a single user. True, support for the standard is not great yet, but let's hope!

A couple of words on what the fuss is about

DNS stands for Domain Name System (it is often expanded as Domain Name Service, which is why "DNS service" is something of a tautology), and it solves a simple task: finding out which IP address belongs to a given host name. Every time a person clicks a link or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), the person's computer has to work out which server to send the request to in order to fetch the page. In the case of habrahabr.ru the DNS response will contain the IP address of the web server, 178.248.237.68, and the browser will then try to contact the server at that address.

The DNS server in turn, having received the question "which IP address does the host habrahabr.ru have?", checks whether it knows anything about that host. If it does not, it queries other DNS servers around the world and, step by step, works out the answer to the question it was asked. Once the final answer is found, the data is sent to the client that is still waiting for it and is also kept in the DNS server's own cache, which lets it answer the same question faster next time.

The trouble is that, firstly, DNS query data travels in the clear (which lets anyone with access to the traffic stream pick out the DNS queries and their responses and then process them for their own purposes; among other things, this makes it possible to target advertising with the precision of a single DNS client, which is a lot!). Secondly, some ISPs (we won't point fingers, but they are not the smallest ones) like to show advertising instead of a requested page (which is trivial to implement: instead of the IP address for the query about the host habrahabr.ru, the unsuspecting user is handed the address of the provider's own web server, which serves a page with the advertisement). Thirdly, there are ISPs who fulfil the requirement to block particular websites by substituting, in the DNS response, the IP address of the blocked resource with the address of their own server hosting stub pages (as a result, reaching such sites becomes noticeably harder) or with the address of their own proxy server, which then does the filtering.

This must be an image from the site http://1.1.1.1/, used to explain how to connect to the service. The authors seem confident in the quality of their DNS (though it would be hard to expect anything else from Cloudflare):


Cloudflare, the creator of the service, is easy to understand: it earns its bread by running and developing one of the world's most popular CDNs (whose job includes not only delivering content but also hosting DNS zones), and, thanks to the desire of certain insufficiently informed people to teach those they don't know where to go on the global network, it regularly suffers from having its servers' addresses blocked by parties we will not name; so having a DNS that is immune to their "shouting, whistling and scribbling" means less damage to its business. And the technical perks (small, but pleasant: in particular, for Cloudflare's free DNS customers, updates to DNS records hosted on the company's DNS servers will take effect instantly) make using the service described in this post even more attractive.


Will you use the new service?

  • Yes, by simply configuring it in the OS and/or on the router

  • Yes, and I will use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, the servers I use today are good enough (a public provider: Google, Yandex, etc.)

  • No, I don't even know what I'm using now

  • I run my own recursive DNS with an SSL tunnel to it

693 users voted. 191 users abstained.

Source: www.habr.com
