Setting up your own DNS-over-HTTPS server

Various aspects of running DNS have already been touched on repeatedly by the author in a number of articles published as part of this blog. Throughout, the main emphasis has always been on improving the security of this key Internet service.

Until recently, despite the obvious exposure of DNS traffic, which is still for the most part transmitted in the clear, to abuse by providers seeking to increase their revenue by injecting advertisements into content, by government security and censorship agencies, and simply by criminals, the process of strengthening its protection had stalled, despite the existence of various technologies such as DNSSEC/DANE, DNScrypt, DNS-over-TLS and DNS-over-HTTPS. And while server-side solutions, some of which have existed for a long time, are well known and available, their support in client software leaves much to be desired.

Fortunately, the situation is changing. In particular, the developers of the popular Firefox browser have announced plans to enable DNS-over-HTTPS (DoH) support by default in the near future. This should help protect a web user's DNS traffic from the threats listed above, but it may introduce new ones.

1. Problems with DNS-over-HTTPS

At first glance, the mass introduction of DNS-over-HTTPS in Internet software evokes only a positive reaction. However, the devil, as they say, is in the details.

The first problem, which limits the scope for widespread DoH use, is its focus exclusively on web traffic. Indeed, the HTTP protocol and its current version HTTP/2, on which DoH is based, are the foundation of the WWW. But the Internet is not only the web. There are many popular services, such as e-mail, various instant messengers, file transfer systems, multimedia streaming and so on, that do not use HTTP. Thus, despite the perception of many that DoH is a panacea, it turns out to be inapplicable without additional (and unnecessary) effort to anything other than browser technologies. Incidentally, DNS-over-TLS, which encapsulates ordinary DNS traffic in the standard secure TLS protocol, looks like a far more suitable candidate for this role.

The second problem, potentially much more significant than the first, is the de facto abandonment of the decentralization inherent in the design of DNS in favour of a single DoH server specified in the browser settings. In particular, Mozilla suggests using the service from Cloudflare. A similar service has also been launched by other prominent Internet players, notably Google. It turns out that DNS-over-HTTPS, in the form in which it is currently being proposed, only increases end users' dependence on the largest services. It is no secret that the information that analysis of DNS queries can yield allows even more data to be collected about those users, and increases its accuracy and relevance.

In this regard, the author was and remains a supporter of the mass adoption not of DNS-over-HTTPS but of DNS-over-TLS together with DNSSEC/DANE, as a universal, secure means of protecting DNS traffic that does not encourage further centralization of the Internet. Unfortunately, for obvious reasons, one cannot expect rapid mass support for alternatives to DoH in client software, and it still remains the domain of security technology enthusiasts.

But since we now have DoH, why not use it, having escaped potential surveillance by corporations through their servers by moving to our own DNS-over-HTTPS server?

2. The DNS-over-HTTPS protocol

If you look at RFC 8484, the standard describing the DNS-over-HTTPS protocol, you can see that it is, in fact, a web API that allows a standard DNS packet to be encapsulated in the HTTP/2 protocol. This is implemented through special HTTP headers, as well as by converting the binary format of the transmitted DNS data (see RFC 1035 and subsequent documents) into a form that allows it to be sent and received, and the necessary metadata to be handled.

According to the standard, only HTTP/2 over a secure TLS connection is used.

A DNS request can be sent using the standard GET and POST methods. In the first case the request is converted into a base64URL-encoded string, and in the second it is passed in binary form in the body of the POST request. In both cases a special MIME type, application/dns-message, is used for the DNS request and response.

root@eprove:~ # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' -v
*   Trying 2001:100:200:300::400:443...
* TCP_NODELAY set
* Connected to eprove.net (2001:100:200:300::400) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=my.domain
*  start date: Jul 22 00:07:13 2019 GMT
*  expire date: Oct 20 00:07:13 2019 GMT
*  subjectAltName: host "my.domain" matched cert's "my.domain"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801441000)
> GET /dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE HTTP/2
> Host: eprove.net
> User-Agent: curl/7.65.3
> accept: application/dns-message
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: h2o/2.3.0-beta2
< content-type: application/dns-message
< cache-control: max-age=86274
< date: Thu, 12 Sep 2019 13:07:25 GMT
< strict-transport-security: max-age=15768000; includeSubDomains; preload
< content-length: 45
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 45)
* stopped the pause stream!
* Connection #0 to host eprove.net left intact

Also pay attention to the cache-control header in the response from the web server. Its max-age parameter contains the TTL value of the returned DNS record (or the minimum value if a set of records is returned).

Based on the above, the operation of a DoH server consists of several stages.

  • Receive the HTTP request. If it is a GET, decode the packet from its base64URL encoding.
  • Send this packet to the DNS server.
  • Receive the response from the DNS server.
  • Find the minimum TTL value among the received records.
  • Return the response to the client over HTTP.
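As an added illustration of the decode, TTL-scan and Cache-Control stages above (this is example code written for this article, not the author's handler), here is a plain Ruby sketch that builds the example.com query from the curl command, decodes the GET parameter, and walks every label of the answer names, including names that are not a single compression pointer. The packets are constructed samples taken from the tcpdump output later in the article.

```ruby
require 'base64'

# Constructed sample: the example.com A query from the tcpdump capture, as it
# travels in the "dns=" GET parameter (base64url without padding).
DOH_QUERY = "q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"

# Constructed sample: the matching 45-byte response (ID 0xabcd, one A record,
# owner name given as a compression pointer to offset 12, TTL 86400).
DNS_RESPONSE = [
  "abcd 8180 0001 0001 0000 0000 0765 7861 6d70 6c65 0363 6f6d 0000 0100",
  "01c0 0c00 0100 0100 0151 8000 045d b8d8 22"
].join.delete(" ").scan(/../).map { |h| h.to_i(16) }.pack("C*")

# Constructed sample: NXDOMAIN (RCODE 3) for the same question, ANCOUNT = 0.
NXDOMAIN_RESPONSE = DNS_RESPONSE[0, 2] + [0x8183, 1, 0, 0, 0].pack("n5") + DNS_RESPONSE[12, 17]

# Build the wire-format A query and encode it for the GET form
# (RFC 8484 section 4.1): base64url with the padding stripped.
def build_doh_query(name, id = 0xabcd)
  header = [id, 0x0100, 1, 0, 0, 0].pack("n6")          # RD=1, QDCOUNT=1
  qname  = name.split(".").map { |l| [l.bytesize, l].pack("Ca*") }.join + "\x00"
  Base64.urlsafe_encode64(header + qname + [1, 1].pack("n2"), padding: false)
end

# Stage 1 of the server: recover the DNS packet from the GET parameter.
def decode_doh_query(param)
  Base64.urlsafe_decode64(param)   # tolerates missing padding
end

# Skip one domain name starting at +pos+ and return the offset just past it.
# Handles ordinary labels, the root label and a terminating compression pointer.
def skip_name(pkt, pos)
  loop do
    len = pkt.getbyte(pos)
    raise ArgumentError, "truncated name at #{pos}" if len.nil?
    return pos + 2 if len >= 0xC0   # pointer: two bytes, always ends the name
    return pos + 1 if len.zero?     # root label ends the name
    pos += 1 + len                  # ordinary label
  end
end

# Stage 4: lowest TTL in the answer section; nil when there are no answers.
def min_ttl(pkt)
  qdcount, ancount = pkt[4, 4].unpack("n2")
  pos = 12
  qdcount.times { pos = skip_name(pkt, pos) + 4 }       # QTYPE + QCLASS
  ttl = nil
  ancount.times do
    pos = skip_name(pkt, pos)
    _type, _klass, rr_ttl, rdlength = pkt[pos, 10].unpack("nnNn")
    pos += 10 + rdlength
    ttl = rr_ttl if ttl.nil? || rr_ttl < ttl
  end
  ttl
end

# Stage 5: the Cache-Control value returned alongside the packet.
def cache_control(pkt)
  ttl = min_ttl(pkt)
  ttl ? "max-age=#{ttl}" : "no-cache"
end
```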

3. Your own DNS-over-HTTPS server

The simplest, fastest and most efficient way to run your own DNS-over-HTTPS server is to use the HTTP/2 web server H2O, about which the author has already written briefly (see "High-performance H2O web server").

This choice is supported by the fact that all the code of your own DoH server can be implemented entirely with the mruby interpreter built into H2O itself. In addition to the standard library, exchanging data with the DNS server requires the Socket library (mrbgem), which fortunately is already included in the current development release H2O 2.3.0-beta2, now in the FreeBSD ports. However, it is not hard to add it to any earlier version by cloning the Socket library repository into the /deps directory before compilation.

root@beta:~ # uname -v
FreeBSD 12.0-RELEASE-p10 GENERIC
root@beta:~ # cd /usr/ports/www/h2o
root@beta:/usr/ports/www/h2o # make extract
===>  License MIT BSD2CLAUSE accepted by the user
===>   h2o-2.2.6 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by h2o-2.2.6 for building
===>  Extracting for h2o-2.2.6.
=> SHA256 Checksum OK for h2o-h2o-v2.2.6_GH0.tar.gz.
===>   h2o-2.2.6 depends on file: /usr/local/bin/ruby26 - found
root@beta:/usr/ports/www/h2o # cd work/h2o-2.2.6/deps/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # git clone https://github.com/iij/mruby-socket.git
Клонирование в «mruby-socket»…
remote: Enumerating objects: 385, done.
remote: Total 385 (delta 0), reused 0 (delta 0), pack-reused 385
Получение объектов: 100% (385/385), 98.02 KiB | 647.00 KiB/s, готово.
Определение изменений: 100% (208/208), готово.
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # ll
total 181
drwxr-xr-x   9 root  wheel  18 12 авг.  16:09 brotli/
drwxr-xr-x   2 root  wheel   4 12 авг.  16:09 cloexec/
drwxr-xr-x   2 root  wheel   5 12 авг.  16:09 golombset/
drwxr-xr-x   4 root  wheel  35 12 авг.  16:09 klib/
drwxr-xr-x   2 root  wheel   5 12 авг.  16:09 libgkc/
drwxr-xr-x   4 root  wheel  26 12 авг.  16:09 libyrmcds/
drwxr-xr-x  13 root  wheel  32 12 авг.  16:09 mruby/
drwxr-xr-x   5 root  wheel  11 12 авг.  16:09 mruby-digest/
drwxr-xr-x   5 root  wheel  10 12 авг.  16:09 mruby-dir/
drwxr-xr-x   5 root  wheel  10 12 авг.  16:09 mruby-env/
drwxr-xr-x   4 root  wheel   9 12 авг.  16:09 mruby-errno/
drwxr-xr-x   5 root  wheel  14 12 авг.  16:09 mruby-file-stat/
drwxr-xr-x   5 root  wheel  10 12 авг.  16:09 mruby-iijson/
drwxr-xr-x   5 root  wheel  11 12 авг.  16:09 mruby-input-stream/
drwxr-xr-x   6 root  wheel  11 12 авг.  16:09 mruby-io/
drwxr-xr-x   5 root  wheel  10 12 авг.  16:09 mruby-onig-regexp/
drwxr-xr-x   4 root  wheel  10 12 авг.  16:09 mruby-pack/
drwxr-xr-x   5 root  wheel  10 12 авг.  16:09 mruby-require/
drwxr-xr-x   6 root  wheel  10 12 сент. 16:10 mruby-socket/
drwxr-xr-x   2 root  wheel   9 12 авг.  16:09 neverbleed/
drwxr-xr-x   2 root  wheel  13 12 авг.  16:09 picohttpparser/
drwxr-xr-x   2 root  wheel   4 12 авг.  16:09 picotest/
drwxr-xr-x   9 root  wheel  16 12 авг.  16:09 picotls/
drwxr-xr-x   4 root  wheel   8 12 авг.  16:09 ssl-conservatory/
drwxr-xr-x   8 root  wheel  18 12 авг.  16:09 yaml/
drwxr-xr-x   2 root  wheel   8 12 авг.  16:09 yoml/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # cd ../../..
root@beta:/usr/ports/www/h2o # make install clean
...

The web server configuration is generally standard.

root@beta:/usr/ports/www/h2o #  cd /usr/local/etc/h2o/
root@beta:/usr/local/etc/h2o # cat h2o.conf
# this sample config gives you a feel for how h2o can be used
# and a high-security configuration for TLS and HTTP headers
# see https://h2o.examp1e.net/ for detailed documentation
# and h2o --help for command-line options and settings

# v.20180207 (c)2018 by Max Kostikov http://kostikov.co e-mail: [email protected]

user: www
pid-file: /var/run/h2o.pid
access-log:
    path: /var/log/h2o/h2o-access.log
    format: "%h %v %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\""
error-log: /var/log/h2o/h2o-error.log

expires: off
compress: on
file.dirlisting: off
file.send-compressed: on

file.index: [ 'index.html', 'index.php' ]

listen:
    port: 80
listen:
    port: 443
    ssl:
        cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        cipher-preference: server
        dh-file: /etc/ssl/dhparams.pem
        certificate-file: /usr/local/etc/letsencrypt/live/eprove.net/fullchain.pem
        key-file: /usr/local/etc/letsencrypt/live/my.domain/privkey.pem

hosts:
    "*.my.domain":
        paths: &go_tls
            "/":
                redirect:
                    status: 301
                    url: https://my.domain/
    "my.domain:80":
        paths: *go_tls
    "my.domain:443":
        header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
        paths:
            "/dns-query":
               mruby.handler-file: /usr/local/etc/h2o/h2odoh.rb

The exception is the handler for the /dns-query URL, which is served by our DNS-over-HTTPS server, written in mruby and invoked through the mruby.handler-file handler option.

root@beta:/usr/local/etc/h2o # cat h2odoh.rb
# H2O HTTP/2 web server as DNS-over-HTTP service
# v.20190908 (c)2018-2019 Max Kostikov https://kostikov.co e-mail: [email protected]

proc {|env|
    if env['HTTP_ACCEPT'] == "application/dns-message"
        case env['REQUEST_METHOD']
            when "GET"
                req = env['QUERY_STRING'].gsub(/^dns=/,'')
                # base64URL decode (RFC 4648 section 5; padding is optional in DoH)
                req = req.tr("-_", "+/")
                if !req.end_with?("=") && req.length % 4 != 0
                    req = req.ljust((req.length + 3) & ~3, "=")
                end
                req = req.unpack1("m")
            when "POST"
                req = env['rack.input'].read
            else
                req = ""
        end
        if req.empty?
            [400, { 'content-type' => 'text/plain' }, [ "Bad Request" ]]
        else
            # --- ask DNS server
            sock = UDPSocket.new
            sock.connect("localhost", 53)
            sock.send(req, 0)
            str = sock.recv(4096)
            sock.close
            # --- find lowest TTL in response
            nans = str[6, 2].unpack1('n') # number of answers (ANCOUNT)
            if nans > 0 # at least one answer record
                # skip the question section: an uncompressed name ending in a zero
                # byte, followed by QTYPE and QCLASS (4 bytes)
                shift = str.index("\x00", 12) + 5
                ttl = nil
                while nans > 0
                    # process domain name compression
                    if str[shift].unpack1("C") < 192
                        shift = str.index("\x00", shift) + 5 # uncompressed name + TYPE + CLASS
                    else
                        shift += 6 # 2-byte compression pointer + TYPE + CLASS
                    end
                    curttl = str[shift, 4].unpack1('N')
                    shift += str[shift + 4, 2].unpack1('n') + 6 # TTL + RDLENGTH + response data size
                    if ttl.nil? or ttl > curttl
                        ttl = curttl
                    end
                    nans -= 1
                end
                cc = 'max-age=' + ttl.to_s
            else
                cc = 'no-cache'
            end
            [200, { 'content-type' => 'application/dns-message', 'content-length' => str.size.to_s, 'cache-control' => cc }, [ str ] ]
        end
    else
        [415, { 'content-type' => 'text/plain' }, [ "Unsupported Media Type" ]]
    end
}

Note that the processing of DNS packets is left to a local caching server, in this case unbound from the standard FreeBSD distribution. From a security point of view this is the best solution. However, nothing prevents you from replacing localhost with the address of a different DNS server you intend to use.

root@beta:/usr/local/etc/h2o # local-unbound verison
usage:  local-unbound [options]
        start unbound daemon DNS resolver.
-h      this help
-c file config file to read instead of /var/unbound/unbound.conf
        file format is described in unbound.conf(5).
-d      do not fork into the background.
-p      do not create a pidfile.
-v      verbose (more times to increase verbosity)
Version 1.8.1
linked libs: mini-event internal (it uses select), OpenSSL 1.1.1a-freebsd  20 Nov 2018
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected]
root@eprove:/usr/local/etc/h2o # sockstat -46 | grep unbound
unbound  local-unbo 69749 3  udp6   ::1:53                *:*
unbound  local-unbo 69749 4  tcp6   ::1:53                *:*
unbound  local-unbo 69749 5  udp4   127.0.0.1:53          *:*
unbound  local-unbo 69749 6  tcp4   127.0.0.1:53          *:*

All that remains is to restart H2O and see what happens.

root@beta:/usr/local/etc/h2o # service h2o restart
Stopping h2o.
Waiting for PIDS: 69871.
Starting h2o.
start_server (pid:70532) starting now...

4. Testing

So, let's check the result by sending the test request again and watching the network traffic with the tcpdump utility.

root@beta/usr/local/etc/h2o # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
...
root@beta:~ # tcpdump -n -i lo0 udp port 53 -xx -XX -vv
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
16:32:40.420831 IP (tos 0x0, ttl 64, id 37575, offset 0, flags [none], proto UDP (17), length 57, bad cksum 0 (->e9ea)!)
    127.0.0.1.21070 > 127.0.0.1.53: [bad udp cksum 0xfe38 -> 0x33e3!] 43981+ A? example.com. (29)
        0x0000:  0200 0000 4500 0039 92c7 0000 4011 0000  ....E..9....@...
        0x0010:  7f00 0001 7f00 0001 524e 0035 0025 fe38  ........RN.5.%.8
        0x0020:  abcd 0100 0001 0000 0000 0000 0765 7861  .............exa
        0x0030:  6d70 6c65 0363 6f6d 0000 0100 01         mple.com.....
16:32:40.796507 IP (tos 0x0, ttl 64, id 37590, offset 0, flags [none], proto UDP (17), length 73, bad cksum 0 (->e9cb)!)
    127.0.0.1.53 > 127.0.0.1.21070: [bad udp cksum 0xfe48 -> 0x43fa!] 43981 q: A? example.com. 1/0/0 example.com. A 93.184.216.34 (45)
        0x0000:  0200 0000 4500 0049 92d6 0000 4011 0000  ....E..I....@...
        0x0010:  7f00 0001 7f00 0001 0035 524e 0035 fe48  .........5RN.5.H
        0x0020:  abcd 8180 0001 0001 0000 0000 0765 7861  .............exa
        0x0030:  6d70 6c65 0363 6f6d 0000 0100 01c0 0c00  mple.com........
        0x0040:  0100 0100 0151 8000 045d b8d8 22         .....Q...].."
^C
2 packets captured
23 packets received by filter
0 packets dropped by kernel

The output shows how the request to resolve the address example.com was received and successfully processed by the DNS server.

Now all that remains is to enable our server in the Firefox browser. To do this, you need to change several settings on the about:config configuration page.

First, network.trr.uri is the address of our API that the browser will query for DNS information. It is also recommended to put the IP address of the domain from this URL into network.trr.bootstrapAddress so that the browser can resolve it safely itself without going to DNS. And finally, the network.trr.mode parameter enables the use of DoH itself. Setting its value to "3" forces the browser to use DNS-over-HTTPS exclusively for name resolution, while the more reliable and safer "2" gives priority to DoH but leaves ordinary DNS lookup as a fallback.

5. PROFIT!

Did the article help? Then please don't be shy and support it with money through the donation form (below).

Source: mapenzi.com
