Mushure megore nehafu yebudiriro kuburitswa kwe caching DNS server , inokonzera kudzokorora zita rekushandura. PowerDNS Recursor yakavakirwa pane imwecheteyo kodhi base sePowerDNS Authoritative Server, asi PowerDNS inodzokororwa uye ine mvumo DNS maseva anogadzirwa kuburikidza neakasiyana ekusimudzira uye anoburitswa sezvigadzirwa zvakasiyana. Project code ane rezinesi pasi peGPLv2.
Iyo vhezheni nyowani inobvisa zvese zvine chekuita nekugadziriswa kweDNS mapaketi ane EDNS mireza. Shanduro dzekare dzePowerDNS Recursor pamberi pe2016 dzaive netsika yekuregeredza mapaketi asina kutsigirwa EDNS mireza pasina kutumira mhinduro mune yekare fomati, vachirasa mireza yeEDNS sezvinodiwa nekutsanangurwa. Kare, iyi isiri-yakajairwa maitiro yaitsigirwa muBIND nenzira yekushanda, asi mukati mechikamu che. muna February zvirongwa , DNS server Developers vakasarudza kusiya iyi hack.
MuPowerDNS, matambudziko makuru mukugadzirisa mapaketi ane EDNS akabviswa kumashure muna 2017 mukuburitswa 4.1, uye mubazi re2016 rakaburitswa muna 4.0, kusawirirana kwemunhu kwakaitika kunoitika pasi peimwe seti yemamiriro ezvinhu uye, kazhinji, hazvikanganise zvakajairika. oparesheni. MuPowerDNS Recursor 4.2, sezvazviri , Yakabviswa maworkaround kutsigira maseva ane chiremera anopindura zvisizvo zvikumbiro ane EDNS mireza. Kusvika ikozvino, kana mushure mekutumira chikumbiro neEDNS mireza pakanga pasina mhinduro mushure meimwe nguva yenguva, sevha yeDNS yaifunga kuti mireza yakawedzerwa haina kutsigirwa uye yakatumira chikumbiro chechipiri pasina mireza yeEDNS. Hunhu uhwu hwave hurema sezvo iyi kodhi yakakonzera kuwedzera latency nekuda kwepakeji retransmissions, kuwedzera network mutoro uye kusanzwisisika kana usingapindure nekuda kwekutadza kwenetiweki, uye yakadzivirira kushandiswa kweEDNS-based features seDNS Cookies kudzivirira kurwiswa kweDDoS.
Zvakasarudzwa kuti chiitiko ichi chiitwe gore rinouya yakagadzirirwa kuisa pfungwa pa neIP kupatsanurwa paunenge uchigadzira mameseji makuru eDNS. Sechikamu chekutanga gadzirisa yakakurudzirwa buffer saizi yeEDNS kusvika 1200 bytes, uye kugadzirisa zvikumbiro kuburikidza neTCP chinhu chinofanirwa-kuva nemasevhisi. Ikozvino tsigiro yekugadzirisa zvikumbiro kuburikidza neUDP inodiwa, uye TCP inodikanwa, asi haidiwi kushanda (chiyero chinoda kugona kudzima TCP). Inokurudzirwa kubvisa sarudzo yekudzima TCP kubva pachiyero uye kuenzanisa shanduko kubva pakutumira zvikumbiro pamusoro peUDP kusvika pakushandisa TCP mumamiriro ezvinhu apo iyo yakasimbiswa EDNS buffer size haina kukwana.
Shanduko dzakarongwa sechikamu chechirongwa ichi dzichabvisa kuvhiringidzika nekusarudza saizi yebhafa yeEDNS uye kugadzirisa dambudziko rekutsemuka kwemameseji makuru eUDP, kugadziridzwa kwacho kunowanzo tungamira mukurasikirwa kwepaketi uye nguva yekubuda padivi revatengi. Kudivi remutengi, saizi yebhafa yeEDNS ichange ichigara uye mhinduro huru dzichatumirwa nekukurumidza kumutengi pamusoro peTCP. Kudzivisa kutumira mameseji makuru pamusoro peUDP kuchakubvumidzawo kuvhara yekuisa chepfu kuDNS cache, zvichibva pakushandiswa kwemapaketi eUDP akatsemuka (kana akatsemurwa kuita zvidimbu, chidimbu chechipiri hachisanganisi musoro une chiziviso, saka chinogona kugadzirwa, icho chinokwana chete kuti cheki ienderane) .
PowerDNS Recursor 4.2 inofunga nezvematambudziko ane mahombe eUDP mapaketi uye anochinja kushandisa EDNS buffer size (edns-outgoing-bufsize) ye1232 bytes, panzvimbo peiyo yakamboshandiswa muganhu we1680 bytes, iyo inofanirwa kuderedza zvakanyanya mukana wekurasikirwa neUDP mapaketi. . Kukosha 1232 kwakasarudzwa nekuti ndiyo yakakura iyo saizi yemhinduro yeDNS, uchifunga nezve IPv6, inokwana mune shoma MTU kukosha (1280). Kukosha kweiyo truncation-threshold parameter, iyo ine basa rekucheka mhinduro kumutengi, yakaderedzwawo kusvika 1232.
Dzimwe shanduko muPowerDNS Recursor 4.2:
- Yakawedzerwa michina tsigiro (X-Proxied-For), inova iyo DNS yakaenzana neX-Forwarded-For HTTP musoro, ichibvumira ruzivo nezve IP kero uye nhamba yechiteshi chemunyoreri wepakutanga kuti atumirwe kuburikidza nepakati proxies uye mitoro mitoro (senge dnsdist) . Kugonesa XPF pane sarudzo ""Uye"";
- Rutsigiro rwakavandudzwa rwekuwedzera kweEDNS (ECS), iyo inokutendera kuti utumire muDNS mibvunzo kune ine mvumo yeDNS server ruzivo nezve subnet kubva iyo yekutanga chikumbiro chakafambiswa pamwe neketani chaive chine chepfu (data nezve mutengi sosi subnet inodiwa kuti ishande inoshanda yekutumira zvemukati network) . Kuburitswa kutsva kunowedzera marongero ekusarudza kutonga pamusoro pekushandiswa kweEDNS Client Subnet: "Β»ine runyorwa rwemasiki etiweki ayo iyo IP ichashandiswa muECS mukukumbira kunobuda. Kune kero dzisingawire mukati memasiki akatsanangurwa, kero yakajairika inotsanangurwa mukuraira "". Kuburikidza neDirective"Β»unogona kutsanangura ma subnets kubva kune izvo zvinouya zvikumbiro zvine akazadzwa ECS tsika hazvizotsiviwa;
- Kune maseva anogadzirisa nhamba huru yezvikumbiro pasekondi (kupfuura 100 zviuru), chirevo "", iyo inosarudza huwandu hwetambo dzekugamuchira zvikumbiro zvinouya uye nekuzvigovera pakati petambo dzevashandi (zvine musoro chete kana uchishandisa"").
- Added setting kutsanangura faira rako pachako ne domains umo vashandisi vanogona kunyoresa ma subdomain avo, pachinzvimbo cherondedzero yakavakirwa muPowerDNS Recursor.
Iyo PowerDNS purojekiti yakazivisawo mafambiro kumwedzi mitanhatu yekuvandudza, nekuburitswa kukuru kunotevera kwePowerDNS Recursor 4.3 inotarisirwa muna Ndira 2020. Zvigadziriso zvekuburitswa kwakakosha zvichagadziriswa gore rose, mushure mezvo zvigadziriso zvenjodzi zvichaburitswa kweimwe mwedzi mitanhatu. Saka, rutsigiro rwePowerDNS Recursor 4.2 bazi richagara kusvika Ndira 2021. Shanduko dzakafanana dzekusimudzira dzakaitirwa PowerDNS Authoritative Server, inotarisirwa kuburitsa 4.2 munguva pfupi iri kutevera.
Mamiriro makuru ePowerDNS Recursor:
- Zvishandiso zvekuunganidza zviverengero kure;
- Instant restart;
- Yakavakwa-mukati injini yekubatanidza vanobata mumutauro weLua;
- Yakazara DNSSEC rutsigiro uye ;
- Tsigiro yeRPZ (Response Policy Zones) uye kugona kutsanangura blacklists;
- Anti-spoofing michina;
- Kugona kurekodha mhinduro senge BIND zone mafaera.
- Kuve nechokwadi chekushanda kwepamusoro, nzira dzemazuva ano dzekubatanidza kuwanda dzinoshandiswa muFreeBSD, Linux uye Solaris (kqueue, epoll, /dev/poll), pamwe nepamusoro-inoshanda DNS packet parser inokwanisa kugadzirisa makumi ezviuru zvezvikumbiro zvakafanana.
Source: opennet.ru