Bypassing RKN Blocks with DNSTap and BGP

The topic is fairly well-worn, I know. For example, there is an excellent article, but it only covers the IP part of the blocklist. We will add domains as well.

Because the courts and RKN block everything left and right, and providers try hard not to fall under the fines issued by Revizorro, the collateral losses from blocking are quite large. And among the "lawfully" blocked sites there are many useful ones (hello, rutracker).

I live outside RKN's jurisdiction, but my parents, relatives and friends stayed at home. So it was decided to come up with an easy way for people far from IT to bypass blocking, preferably without their involvement at all.

In this post I will not describe basic networking step by step, but I will describe the general principles of how this scheme can be implemented. So knowledge of how networks work in general, and in Linux in particular, is a must.

Types of blocks

First, let's refresh our memory of what is blocked.

There are several types of blocks in the XML dump from RKN:

  • IP
  • Domain
  • URL

For simplicity, we will reduce them to two, IP and domain, and from URL blocks we will simply extract the domain (more precisely, this has already been done for us).

The good people at Roskomsvoboda have implemented a wonderful API through which we can get what we need.

Accessing blocked sites

To do this, we need a small foreign VPS, preferably with unlimited traffic - there are plenty of these in the 3-5 price range. You should take one in a nearby foreign country so that the ping is not too large, but keep in mind that the Internet and geography do not always coincide. And since there is no SLA at a price of 5, it is better to take 2+ of them from different providers for fault tolerance.

Next, we need to set up an encrypted tunnel from the client router to the VPS. I use Wireguard as the fastest and easiest to set up. My client routers are also Linux-based (APU2 or something on OpenWRT). In the case of some Mikrotik / Cisco, you can use the protocols available on them, such as OpenVPN and GRE-over-IPSEC.

Identifying and routing the traffic of interest

Of course, you can send all Internet traffic through the foreign server. But most likely the speed of working with local content will suffer greatly from this. In addition, the bandwidth requirements on the VPS will be much higher.

Therefore, we will need to somehow pick out the traffic to blocked sites and direct only that into the tunnel. Even if some "extra" traffic ends up there, it is still much better than pushing everything through the tunnel.

To manage traffic, we will use the BGP protocol and announce routes to the required networks from our VPS to the clients. Let's take BIRD as one of the most functional and convenient BGP daemons.

IP

With IP blocking, everything is clear: we simply announce all blocked IPs from the VPS. The problem is that there are about 600 thousand subnets in the list that the API returns, and the vast majority of them are /32 hosts. This number of routes can overwhelm weak client routers.

Therefore, when processing the list, it was decided to summarize up to the /24 network if it contains 2 or more hosts. Thus, the number of routes was reduced to ~100 thousand. The script for this follows below.

Domains

This is more complicated and there are several approaches. For example, you can install a transparent Squid on each client router and do HTTP interception there, and peek into the TLS handshake, in order to get the requested URL in the first case and the domain name from SNI in the second.

But because of all kinds of new-fangled TLS1.3 + eSNI, HTTPS analysis is becoming less and less feasible every day. And the infrastructure on the client side is getting more complicated - you will have to use at least OpenWRT.

Therefore, I decided to take the path of intercepting responses to DNS queries. Here too, any DNS-over-TLS / HTTPS starts to hover over your head, but we can (for now) control this part on the client - either disable it or use your own server for DoT / DoH.

How to intercept DNS?

Here, too, there can be several approaches.

  • Intercepting DNS traffic via PCAP or NFLOG
    Both of these interception methods are implemented in the sidmat utility. But it has not been supported for a long time and its functionality is very primitive, so you still need to write a wrapper for it.
  • Analyzing DNS server logs
    Unfortunately, the recursors I know of cannot log responses, only queries. In principle, this is logical, since, unlike queries, responses have a complex structure and it is difficult to write them in text form.
  • DNSTap
    Fortunately, many of them already support DNSTap for this purpose.

What is DNSTap?

It is a client-server protocol based on Protocol Buffers and Frame Streams for transferring structured DNS queries and responses from a DNS server to a collector. Essentially, the DNS server transmits query and response metadata (message type, client/server IP, and so on) together with the complete DNS messages in the (binary) form in which it handles them on the network.

It is important to understand that in the DNSTap paradigm the DNS server acts as the client and the collector acts as the server. That is, the DNS server connects to the collector, not the other way around.

Today DNSTap is supported in all popular DNS servers. But, for example, BIND in many distributions (such as Ubuntu LTS) is often built without support for it, for some reason. So let's not bother with rebuilding, and instead take a lighter and faster recursor - Unbound.

How to catch DNSTap?

There are a number of CLI utilities for working with a stream of DNSTap events, but they are not suitable for solving our problem. Therefore, I decided to invent my own bicycle that does everything necessary: dnstap-bgp

How it works:

  • On startup, it loads a list of domains from a text file, reverses them (habr.com -> com.habr), excludes broken lines, duplicates and subdomains (that is, if the list contains habr.com and www.habr.com, only the first will be loaded) and builds a prefix tree for fast lookups in this list
  • Acting as a DNSTap server, it waits for a connection from a DNS server. In principle, it supports both UNIX and TCP sockets, but the DNS servers I know of can only use UNIX sockets.
  • Incoming DNSTap packets are first deserialized into a Protobuf structure, and then the binary DNS message itself, located in one of the Protobuf fields, is parsed down to the level of DNS RR records.
  • It checks whether the requested host (or its parent domain) is in the loaded list; if not, the response is ignored.
  • Only A/AAAA/CNAME RRs are selected from the response, and the corresponding IPv4/IPv6 addresses are extracted from them.
  • IP addresses are cached with a configurable TTL and advertised to all configured BGP peers
  • When a response points to an IP that is already cached, its TTL is refreshed
  • After the TTL expires, the entry is removed from the cache and from the BGP announcements
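
The list-loading and lookup steps above (reverse the labels, drop broken lines, duplicates and covered subdomains, then match a host or any of its parent domains) look like this in Go. This is an added example, not dnstap-bgp's own code; the `node` type and the `newNode`, `labels`, `Add` and `Match` names are assumptions made for illustration, and the sample names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// node is one label of a reversed name: root -> com -> habr -> www.
type node struct {
	children map[string]*node
	listed   bool // a list entry ends at this label
}
func newNode() *node { return &node{children: map[string]*node{}} }

// labels turns "www.Habr.com." into [com habr www]; nil means a broken line.
func labels(name string) []string {
	name = strings.ToLower(strings.Trim(strings.TrimSpace(name), "."))
	if name == "" || strings.Contains(name, "..") || strings.ContainsAny(name, " \t/:*") {
		return nil
	}
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// Add loads one list line; false means broken, duplicate, or covered by a listed parent.
func (n *node) Add(name string) bool {
	ls := labels(name)
	if ls == nil {
		return false
	}
	for _, l := range ls {
		if n.children[l] == nil {
			n.children[l] = newNode()
		}
		if n = n.children[l]; n.listed {
			return false
		}
	}
	n.listed, n.children = true, nil // drop subdomains loaded earlier
	return true
}

// Match reports whether host or any of its parent domains is in the list.
func (n *node) Match(host string) bool {
	for _, l := range labels(host) {
		if n = n.children[l]; n == nil || n.listed {
			return n != nil // non-nil here means a listed label was reached
		}
	}
	return false
}

func main() {
	root := newNode()
	fmt.Println(root.Add("www.habr.com"), root.Add("habr.com"), root.Add("habr.com")) // constructed list
	fmt.Println(root.Match("m.habr.com."), root.Match("nothabr.com"))
}
```

Because the walk goes label by label, nothabr.com does not match habr.com, which a plain string suffix comparison would get wrong.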

Additional functionality:

  • Re-reading the list of domains on SIGHUP
  • Keeping the cache in sync with other dnstap-bgp instances via HTTP/JSON
  • Duplicating the cache to disk (in a BoltDB database) to restore its contents after a restart
  • Support for switching to a different network namespace (why this is needed is described below)
  • IPv6 support

Limitations:

  • IDN domains are not supported yet
  • Few BGP settings

I built RPM and DEB packages for easy installation. They should work on all relatively recent OSes with systemd, since they have no dependencies.

Scheme

So, let's start assembling all the components together. As a result, we should get a network topology along these lines:

The logic of operation, I think, is clear from the diagram:

  • The client has our server configured as its DNS, and DNS queries must also go through the VPN. This is necessary so that the provider cannot use DNS interception for blocking.
  • When opening a site, the client sends a DNS query like "what are the IPs of xxx.org"
  • Unbound resolves xxx.org (or takes it from the cache) and sends the response "xxx.org has such and such IP" to the client, duplicating it in parallel via DNSTap
  • dnstap-bgp announces these addresses to BIRD via BGP if the domain is in the blocked list
  • BIRD advertises a route to these IPs with next-hop self to the client router
  • Subsequent packets from the client to these IPs go through the tunnel

On the server, for routes to blocked sites, I use a separate table inside BIRD, and it does not intersect with the OS in any way.

This scheme has a drawback: the first SYN packet from the client will most likely have time to leave via the home provider, since the route is not announced instantly. Here the outcome depends on how the provider does the blocking. If it just drops the traffic, there is no problem. And if it redirects it to some DPI, then (in theory) special effects are possible.

It is also possible that clients do not respect DNS TTL values, which can cause a client to use stale records from its own rotten cache instead of asking Unbound.

In practice, neither the first nor the second caused me problems, but your mileage may vary.

Server setup

For ease of rollout, I wrote a role for Ansible. It can configure both servers and clients based on Linux (designed for deb-based distributions). All settings are quite obvious and are set in inventory.yml. This role is cut out of my big playbook, so it may contain errors - pull requests are welcome 🙂

Let's go through the main components.

BGP

Running two BGP daemons on the same host has a fundamental problem: BIRD does not want to bring up BGP peering with localhost (or with any local interface). At all. Googling and reading mailing lists did not help; they say this is by design. Perhaps there is some way, but I have not found it.

You can try another BGP daemon, but I like BIRD and I use it everywhere, and I do not want to multiply entities.

Therefore, I hid dnstap-bgp inside a network namespace, which is connected to the root one through a veth interface: it is like a pipe whose ends stick out in different namespaces. On each of these ends we hang private p2p IP addresses that do not go beyond the host, so they can be anything. This is the same mechanism that is used to reach processes inside everyone's beloved Docker and other containers.

For this, a script was written, and the functionality already mentioned above, for dragging itself by the hair into another namespace, was added to dnstap-bgp. Because of this, it must be run as root, or the binary must be given CAP_SYS_ADMIN via the setcap command.

Example script for creating the namespace

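#!/bin/bash

# Namespace that will hold dnstap-bgp
NS="dtap"

IP="/sbin/ip"
# Runs ip inside the namespace
IPNS="$IP netns exec $NS $IP"

# veth pair: the -r end stays in the root namespace, the -ns end moves into $NS
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"

# Private point-to-point addresses that never leave the host
IP_R="192.168.149.1"
IP_NS="192.168.149.2"

/bin/systemctl stop dnstap-bgp || true

# Recreate the namespace from scratch (deleting it also removes the old veth pair)
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS

$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS

# Root-namespace end
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up

# Namespace end
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up

/bin/systemctl start dnstap-bgp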

dnstap-bgp.conf

namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"

[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"

[bgp]
as = 65000
routerid = "192.168.149.2"

peers = [
    "192.168.149.1",
]

bird.conf

router id 192.168.1.1;

table rkn;

# Clients
protocol bgp bgp_client1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.2 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    export all;
    import none;
}

# DNSTap-BGP
protocol bgp bgp_dnstap {
    table rkn;
    local as 65000;
    neighbor 192.168.149.2 as 65000;
    direct;
    passive on;
    rr client;
    import all;
    export none;
}

# Static routes list
protocol static static_rkn {
    table rkn;
    include "rkn_routes.list";
    import all;
    export none;
}

rkn_routes.list

route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...

DNS

By default, on Ubuntu, the Unbound binary is confined by an AppArmor profile, which prevents it from connecting to any DNSTap sockets. You can either delete this profile or disable it:

# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound

This should probably be added to the playbook. Ideally, of course, one should fix the profile and grant the necessary rights, but I was too lazy.

unbound.conf

server:
    chroot: ""
    port: 53
    interface: 0.0.0.0
    root-hints: "/var/lib/unbound/named.root"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    access-control: 192.168.0.0/16 allow

remote-control:
    control-enable: yes
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-send-identity: no
    dnstap-send-version: no

    dnstap-log-client-response-messages: yes

Downloading and processing the lists

Script for downloading and processing the list of IP addresses
It downloads the list and summarizes it up to the prefix pfx. In dont_add and dont_summarize you can tell it which IPs and networks to skip or not to summarize. I needed this because the subnet of my VPS was in the blocklist 🙂

The funny thing is that the RosKomSvoboda API blocks requests with the default Python user agent. It looks like the script kiddies got to it. So we change it to a browser one.

So far, it only works with IPv4. The share of IPv6 is small, but it will be easy to fix. Unless you have to use bird6 as well.

rkn.py

#!/usr/bin/python3

import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'

# Networks that must never be summarized
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses that must never be announced
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}

# The API rejects the default Python user agent, so send a browser one
req = urllib.request.Request(
    url,
    data=None,
    headers={
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

with urllib.request.urlopen(req) as f:
    ips = json.loads(f.read().decode('utf-8'))

nets = []  # entries that are already subnets, passed through unchanged
r = {}     # summary key -> [first host seen, number of hosts]
for i in ips:
    ip = ipa.ip_network(i)
    if not isinstance(ip, ipa.IPv4Network):
        continue  # IPv4 only for now

    addr = ip.network_address

    if addr in dont_add:
        continue

    if ip.prefixlen != 32:
        nets.append(ip)
        continue

    sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)

    # Key on the single address when its /24 must not be summarized
    tgt = addr if sn in dont_summarize else sn

    if tgt not in r:
        r[tgt] = [addr, 1]
    else:
        r[tgt][1] += 1

o = [str(n) for n in nets]
for n, v in r.items():
    # A lone host, or a host kept out of summarization, stays a /32
    if v[1] == 1 or isinstance(n, ipa.IPv4Address):
        o.append(str(v[0]) + '/32')
    else:
        o.append(str(n))

for k in o:
    print(k)

Update script
I run it from cron once a day; maybe it is worth pulling every 4 hours, since this, in my opinion, is the update period that RKN requires from providers. In addition, they have some other extra-urgent blocks, which may arrive faster.

It does the following:

  • Runs the first script and updates the list of routes (rkn_routes.list) for BIRD
  • Reloads BIRD
  • Updates and cleans up the list of domains for dnstap-bgp
  • Reloads dnstap-bgp

rkn_update.sh

#!/bin/bash

# Make a pipeline fail if any stage fails, not only the last one
set -o pipefail

ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > "$ROUTES.new"

if [ $? -ne 0 ]; then
    rm -f "$ROUTES.new"
    echo "Unable to download RKN routes"
    exit 1
fi

# Keep the previous list as a backup
if [ -e "$ROUTES" ]; then
    mv "$ROUTES" "$ROUTES.old"
fi

mv "$ROUTES.new" "$ROUTES"

/bin/systemctl try-reload-or-restart bird

# Get domains, strip the leading "*." from wildcard entries
curl -s https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort | uniq > "$DOMAINS.new"

if [ $? -ne 0 ]; then
    rm -f "$DOMAINS.new"
    echo "Unable to download RKN domains"
    exit 1
fi

# Keep the previous list as a backup
if [ -e "$DOMAINS" ]; then
    mv "$DOMAINS" "$DOMAINS.old"
fi

mv "$DOMAINS.new" "$DOMAINS"

/bin/systemctl try-reload-or-restart dnstap-bgp

They were written without much thought, so if you see something that can be improved - go for it.

Client setup

Here I will give examples for Linux routers, but in the case of Mikrotik / Cisco it should be even easier.

First, we set up BIRD:

bird.conf

router id 192.168.1.2;
table rkn;

protocol device {
    scan time 10;
};

# Servers
protocol bgp bgp_server1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.1 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    rr client;
    export none;
    import all;
}

protocol kernel {
    table rkn;
    kernel table 222;
    scan time 10;
    export all;
    import none;
}

Thus, we will synchronize the routes received from BGP with kernel routing table number 222.

After that, it is enough to ask the kernel to look at this table before looking at the default one:

# ip rule add from all pref 256 lookup 222
# ip rule
0:  from all lookup local
256:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

That's all; it remains to configure DHCP on the router to hand out the server's IP address as DNS, and the scheme is ready.

Problems

With the current algorithm for generating and processing the list of domains, it includes, among other things, youtube.com and its CDNs.

And this leads to all videos going through the VPN, which can clog the entire channel. Perhaps it is worth compiling a list of popular domains to exclude, ones that RKN does not have the guts to block for the time being, and skipping them when parsing.

Conclusion

The described method allows you to bypass almost any blocking that providers currently implement.

In principle, dnstap-bgp can be used for any other purpose where some level of traffic control based on domain name is needed. Just keep in mind that nowadays a thousand sites can hang on a single IP address (behind some Cloudflare, for example), so this method has rather low accuracy.

But for the needs of bypassing blocks, this is quite enough.

Additions, edits, pull requests - welcome!

Source: www.habr.com
