ProHoster > Блог > Maamulka > Waxaan kula kulannaa adeega Cloudflare ciwaanada 1.1.1.1 iyo 1.0.0.1, ama "sharafta DNS ee dadweynaha ayaa timid!"

Waxaan kula kulannaa adeega Cloudflare ciwaanada 1.1.1.1 iyo 1.0.0.1, ama "sharafta DNS ee dadweynaha ayaa timid!"

Waxaan kula kulannaa adeega Cloudflare ciwaanada 1.1.1.1 iyo 1.0.0.1, ama "sharafta DNS ee dadweynaha ayaa timid!"

Shirkadda Cloudflare soo bandhigay DNS-ka guud ee ciwaannada:

  • 1.1.1.1
  • 1.0.0.1
  • 2606: 4700: 4700 1111 ::
  • 2606: 4700: 4700 1001 ::

Siyaasada ayaa la sheegay inay tahay "Privacy marka hore" si isticmaalayaashu ay u helaan xasilooni maskaxeed oo ku saabsan waxa ku jira codsiyadooda.

Adeeggu waa mid xiiso leh, marka lagu daro DNS-ka caadiga ah, wuxuu bixiyaa awoodda isticmaalka tignoolajiyada DNS-over-TLS и DNS-over-HTTPS, taas oo si weyn uga ilaalin doonta bixiyeyaasha inay dhagaystaan ​​codsiyadaada iyadoo la raacayo dariiqa codsiyada - oo ay ururiyaan tirakoob, kormeeraan, maamulaan xayeysiisyada. Cloudflare waxay sheeganeysaa in taariikhda lagu dhawaaqay (Abriil 1, 2018, ama 04/01 ee qoraalka Mareykanka) aan la dooran si kadis ah: waa maxay maalinta kale ee sanadka ayaa la soo bandhigi doonaa "afar cutub"?

Maaddaama dhagaystayaasha Habr ay yihiin kuwo farsamo ahaan caqli-gal ah, qaybta dhaqanka "maxaad ugu baahan tahay DNS?" Waxaan ku dhejin doonaa dhammaadka boostada, laakiin halkan waxaan ku sheegi doonaa waxyaabo waxtar leh oo waxtar leh:

Sidee loo isticmaalaa adeegga cusub?

Waxa ugu fudud waa in lagu qeexo ciwaannada sare ee DNS ee macmiilkaaga DNS (ama sida kor u kaca ee goobaha server-ka DNS ee aad isticmaasho). Macno ma leedahay in la beddelo qiyamka caadiga ah Google DNS (8.8.8.8, iwm.), ama in yar oo aan caadi ahayn Yandex server DNS dadweynaha (77.88.8.8 iyo kuwa kale oo la mid ah) server-yada Cloudflare - iyaga ayaa kuu go'aamin doona, laakiin wuxuu u hadlaa bilawga jadwalka xawaaraha jawaabta, marka loo eego taas oo Cloudflare uu ka dhakhso badan yahay dhammaan tartamayaasha (waxaan caddayn doonaa: cabbirada waxaa qaatay adeeg dhinac saddexaad ah, iyo xawaaraha macmiilka gaarka ah, dabcan, way kala duwanaan kartaa).

Waxaan kula kulannaa adeega Cloudflare ciwaanada 1.1.1.1 iyo 1.0.0.1, ama "sharafta DNS ee dadweynaha ayaa timid!"

Aad ayey u xiiso badan tahay in lala shaqeeyo habab cusub oo codsigu u duulayo serverka xiriir qarsoodi ah (xaqiiqdii, jawaabta ayaa lagu soo celiyay iyada), DNS-over-TLS iyo DNS-over-HTTPS. Nasiib darro, laguma taageero "ka baxsan sanduuqa" (qorayaashu waxay aaminsan yihiin in tani ay tahay "weli"), laakiin ma adka in ay habeeyaan shaqadooda software-kaaga (ama xitaa qalabkaaga):

DNS ka dul HTTPs (DoH)

Sida magacaba ka muuqata, isgaarsiintu waxay ka dhacdaa kanaalka HTTPS, taas oo macnaheedu yahay

  1. joogitaanka barta degitaanka (barta dhamaadka) - waxay ku taal cinwaanka https://cloudflare-dns.com/dns-queryiyo
  2. macmiil soo diri kara codsiyada oo heli kara jawaabaha.

Codsiyada waxay noqon karaan qaabka DNS Wireformat ee lagu qeexay RFC1035 (lagu diro iyadoo la adeegsanayo hababka POST iyo GET HTTP), ama qaab JSON ah (iyadoo la adeegsanayo habka GET HTTP). Aniga shakhsi ahaan, fikradda ah samaynta codsiyada DNS ee codsiyada HTTP waxay u muuqatay mid lama filaan ah, laakiin waxaa ku jira hadhuudh macquul ah: codsigan oo kale wuxuu dhaafi doonaa nidaamyo kala duwan oo taraafikada, jawaabaha falanqaynta waa mid fudud, iyo abuurista codsiyada xitaa way fududahay. Maktabadaha caadiga ah iyo borotokoollada ayaa mas'uul ka ah amniga.

Codso tusaalooyin, si toos ah dukumentiyada:

Codsiga ku hel qaab qaab Wireformat DNS

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

Codsiga POST ee qaabka Wireformat ee DNS

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

La mid ah laakiin isticmaalaya JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Sida iska cad, naadir (haddii ugu yaraan hal) router gurigu sidan oo kale ula shaqayn karo DNS, laakiin tani macnaheedu maaha in taageeradu aanay soo muuqan doonin berrito - iyo, xiisaha lihi, halkan waxaan si buuxda uga hirgelin karnaa la shaqaynta DNS ee codsigeena (sida horeba in la sameeyo Mozilla, kaliya ku yaal server-yada Cloudflare).

DNS ka sarreeya TLS

Sida caadiga ah, weydiimaha DNS waxaa lagu kala qaadaa iyada oo aan qarsoodi ahayn. DNS ka sarreeya TLS waa hab loogu diro iyaga xiriir sugan. Cloudflare waxay ku taageertaa DNS ka badan TLS ee dekedda caadiga ah 853 sida lagu qoray RFC7858. Tani waxay isticmaashaa shahaado la siiyay Cloudflare-dns.com host, TLS 1.2 iyo TLS 1.3 waa la taageeray.

Samaynta isku xidhka iyo ku shaqaynta si waafaqsan hab-maamuuska waxay u dhacdaa sidatan:

  • Kahor inta aan la samayn isku xirka DNS, macmiilku waxa uu kaydiyaa base64 ku lifaaqan SHA256 hash ee Cloudflare-dns.com's shahaadada TLS (loo yaqaan SPKI)
  • Macmiilka DNS wuxuu sameeyaa isku xirka TCP ee Cloudflare-dns.com:853
  • Macmiilka DNS waxa uu bilaabay gacan qaadka TLS
  • Inta lagu jiro nidaamka gacan qaadka TLS, Cloudflare-dns.com martigeliyaha wuxuu soo bandhigayaa shahaadada TLS.
  • Marka xidhiidhka TLS la sameeyo, macmiilka DNS wuxuu u soo diri karaa codsiyada DNS kanaal sugan, kaas oo ka hortagaya codsiyada iyo jawaabaha in la dhegeysto oo la mariyo.
  • Dhammaan weydiimaha DNS ee lagu soo diro xiriirka TLS waa inay u hoggaansamaan u diraya DNS-ka TCP.

Tusaalaha codsiga loo marayo DNS ee TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

Doorashadani waxay u muuqataa inay si fiican ugu shaqaynayso server-yada DNS ee maxaliga ah ee u adeegaya baahida shabakad maxalli ah ama hal isticmaale. Run, taageerada heerka ma aha mid aad u wanaagsan, laakiin - aynu rajeyno!

Laba kelmadood oo sharraxaad ah waxa sheekadu ku saabsan tahay

Soo gaabinta DNS waxay u taagan tahay Adeegga Magaca Domain (sidaas darteed in la yiraahdo "adeegga DNS" waa mid aan badneyn, soo gaabinta horeyba waxay ka kooban tahay ereyga "adeegga"), waxaana loo isticmaalaa in lagu xalliyo hawl fudud - si loo fahmo cinwaanka IP-ga ee magaca martida gaarka ah uu leeyahay. Mar kasta oo uu qofku gujiyo isku-xiraha, ama uu galo ciwaanka ku jira barta ciwaanka browserka (dheh, wax la mid ah "https://habrahabr.ru/post/346430/"), Kombuyuutarka bani'aadamku wuxuu isku dayayaa inuu ogaado server-ka uu u dirayo codsiga si uu u helo macluumaadka bogga. Xaaladda habrahabr.ru, jawaabta DNS waxay ka koobnaan doontaa tilmaanta cinwaanka IP-ga ee server-ka shabakadda: 178.248.237.68, ka dibna browserku wuxuu mar hore isku dayi doonaa inuu la xiriiro server-ka cinwaanka IP-ga ee la cayimay.

Dhanka kale, server-ka DNS, ka dib markii uu helay codsiga "waa maxay ciwaanka IP-ga ee martigeliyaha lagu magacaabo habrahabr.ru?", wuxuu go'aamiyaa inuu wax ka ogyahay martigeliyaha la cayimay. Haddii aysan ahayn, waxay codsi u dirtaa server-yada kale ee DNS ee adduunka, iyo, tallaabo tallaabo, waxay isku daydaa inay ogaato jawaabta su'aasha la waydiiyay. Natiijo ahaan, marka la helo jawaabta kama dambaysta ah, xogta la helay ayaa loo diraa macmiilka weli iyaga oo sugaya, oo lagu daray waxa lagu kaydiyaa kaydka server-ka DNS laftiisa, taas oo kuu ogolaan doonta inaad si dhakhso ah uga jawaabto su'aasha la midka ah wakhtiga soo socda.

Dhibaatada caadiga ah ayaa ah, marka hore, xogta weydiinta DNS waxaa lagu kala qaadaa si cad (taas oo siinaysa qof kasta oo marin u leh socodka taraafikada awood u leh inuu go'doomiyo weydiimaha DNS iyo jawaabaha ay helaan ka dibna u kala qaybiyaan ujeedooyinkooda; Awoodda lagu beegsanayo xayeysiisyada saxda ah ee macmiilka DNS, taas oo aad u badan!). Marka labaad, qaar ka mid ah ISP-yada (ma tilmaami doonno farahooda, laakiin maaha kuwa ugu yaryar) waxay u muuqdaan inay muujiyaan xayeysiis halkii ay ka ahaan lahaayeen hal ama bog kale oo la codsaday (kaas oo si fudud loo hirgeliyay: halkii ciwaanka IP-ga ee la cayimay ee su'aasha habranabr.ru magaca martida loo yahay, qof random ah Sidaas awgeed, ciwaanka mareegaha bixiyaha waa la soo celiyaa, halkaas oo bogga xayaysiisku ku jiro la geeyo). Marka saddexaad, waxaa jira bixiyeyaasha gelitaanka internetka oo hirgeliya hab lagu buuxinayo shuruudaha xannibaadda goobaha gaarka ah iyaga oo beddelaya jawaabaha DNS ee saxda ah ee ku saabsan ciwaannada IP-yada ee ilaha shabakada ee la xannibay ciwaanka IP-ga ee serverkooda oo ka kooban bogag adag (natiijo ahaan, helitaanka goobahan oo kale ayaa si muuqata u dhib badan), ama ciwaanka serfarka wakiilkaaga ee sameeya shaandhaynta.

Tani waxay u badan tahay inay noqoto sawir goobta. http://1.1.1.1/, oo loo isticmaalo in lagu qeexo xidhiidhka adeegga. Qorayaashu waxay u muuqdaan inay aad ugu kalsoon yihiin tayada DNS-kooda (si kastaba ha ahaatee, way adag tahay in laga filayo wax kale Cloudflare):

Waxaan kula kulannaa adeega Cloudflare ciwaanada 1.1.1.1 iyo 1.0.0.1, ama "sharafta DNS ee dadweynaha ayaa timid!"

Mid ayaa si buuxda u fahmi kara Cloudflare, abuuraha adeegga: waxay ku kasbadaan rootigooda iyagoo ilaalinaya oo horumarinaya mid ka mid ah shabakadaha CDN ee ugu caansan adduunka (shaqooyinkaas oo ay ku jiraan ma aha oo kaliya qaybinta nuxurka, laakiin sidoo kale martigelinta aagagga DNS), iyo, sababtoo ah rabitaanka kuwa, oo aan aqoon fiican u lahayn, baro kuwa cid aanay garanayn, taas xagee loo aadayaa Shabakadda caalamiga ah, inta badan waxay la ildaran tahay xannibaadda ciwaannada server-kooda yaan la odhan - markaa haysashada DNS-ka oo aan saameyn ku yeelan "qeylada, foorida iyo qoraallada" ee shirkadda waxay la macno tahay waxyeellada ganacsigooda. Iyo faa'iidooyinka farsamada (wax yar, laakiin fiican: gaar ahaan, macaamiisha DNS Cloudflare bilaashka ah, cusbooneysiinta diiwaannada DNS ee kheyraadka lagu hayo server-yada DNS ee shirkadda waxay noqon doontaa mid degdeg ah) adoo isticmaalaya adeegga lagu sharraxay boostada xitaa xiiso badan.

Isticmaalayaasha diiwaangashan oo keliya ayaa ka qaybqaadan kara sahanka. Soo gal, soo dhawoow.

Ma isticmaali doontaa adeegga cusub?

  • Haa, adoo si fudud u qeexaya OS-ka iyo / ama router-ka

  • Haa, oo waxaan isticmaali doonaa borotokool cusub (DNS dul HTTPs iyo DNS dul TLS)

  • Maya, waxaan haystaa adeegayaal ku filan hadda (kan waa bixiye dadweyne: Google, Yandex, iwm.)

  • Maya, xitaa ma garanayo waxa aan hadda isticmaalayo

  • Waxaan u isticmaalaa DNS-ka soo noqnoqda oo wata tunnel SSL iyaga

693 isticmaale ayaa u codeeyay. 191 isticmaale waa ka aamusay.

Source: www.habr.com

Add a comment