Release of PowerDNS Recursor 4.2 and the DNS Flag Day 2020 initiative

After a year and a half of development, the caching DNS server PowerDNS Recursor 4.2, responsible for recursive name resolution, has been released. PowerDNS Recursor is built on the same code base as PowerDNS Authoritative Server, but the recursive and authoritative DNS servers of PowerDNS are developed in separate development cycles and released as separate products. The project code is distributed under the GPLv2 license.

The new version removes all remaining issues related to the processing of DNS packets with EDNS flags. Older versions of PowerDNS Recursor, before 2016, had a habit of ignoring packets with unsupported EDNS flags instead of sending a response in the old format with the EDNS flags dropped, as the specification requires. Previously, this non-standard behaviour was accommodated in BIND by means of a workaround, but within the DNS Flag Day initiative held in February, DNS server developers decided to abandon this hack.

In PowerDNS, the main problems with processing packets carrying EDNS were eliminated after release 4.1 in 2017, and in the 4.0 branch released in 2016 isolated incompatibilities only appeared under certain conditions and, in general, did not interfere with normal operation. In PowerDNS Recursor 4.2, as in BIND 9.14, the workarounds that supported authoritative servers responding incorrectly to requests with EDNS flags have been removed. Until now, if no response arrived within a certain time after a request with EDNS flags was sent, the DNS server assumed that the additional flags were not supported and sent a second request without EDNS flags. This behaviour is now disabled, since the code caused increased latency due to packet retransmission, increased network load and ambiguity when a response is missing because of a network failure, and it also hindered the deployment of EDNS-based features such as DNS Cookies for protection against DDoS attacks.

It has been decided that next year's event, DNS Flag Day 2020, will focus on resolving the problems with IP fragmentation that arise when handling large DNS messages. As part of this initiative it is planned to set the recommended EDNS buffer size to 1200 bytes and to make the processing of requests over TCP mandatory for servers. Currently, support for processing requests over UDP is required, while TCP is desirable but not required for operation (the standard allows TCP to be disabled). It is proposed to remove the option of disabling TCP from the standard and to streamline the switch from sending requests over UDP to using TCP in situations where the configured EDNS buffer size is not sufficient.

The changes proposed as part of the initiative will eliminate the confusion around choosing the EDNS buffer size and solve the problem of fragmentation of large UDP messages, whose processing frequently leads to packet loss and timeouts on the client side. On the client side, the EDNS buffer size will remain unchanged and large responses will immediately be sent to the client over TCP. Avoiding the sending of large messages over UDP will also block DNS cache poisoning attacks that rely on fragmented UDP packets (when a datagram is split into fragments, the second fragment does not include the header with the transaction identifier, so it can be forged; it is enough for the checksum to match).

PowerDNS Recursor 4.2 takes the problems with large UDP packets into account and switches to an EDNS buffer size (edns-outgoing-bufsize) of 1232 bytes instead of the previously used limit of 1680 bytes, which should significantly reduce the probability of UDP packet loss. The value 1232 was chosen because it is the maximum at which the DNS response size, taking IPv6 into account, still fits within the minimum MTU value (1280). The value of the truncation-threshold parameter, which governs the truncation of responses to the client, has also been reduced to 1232.
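To make the EDNS buffer size and the TCP fallback discussed above concrete, here is an added example (not PowerDNS code) that derives 1232 from the IPv6 minimum MTU, builds a query whose OPT pseudo-record advertises that size, reads the size back out of a packet, and detects the TC bit that tells a resolver to repeat the query over TCP instead of relying on fragments. The query name and transaction id are constructed sample values.

```python
import struct

# 1280 (IPv6 minimum MTU) minus the IPv6 header (40) and UDP header (8) = 1232
IPV6_MIN_MTU = 1280
EDNS_BUFSIZE = IPV6_MIN_MTU - 40 - 8
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags

def encode_name(name):
    """Encode 'www.example.com.' as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234, bufsize=EDNS_BUFSIZE):
    """Query with RD set and one OPT pseudo-RR in the additional section.
    The OPT record's CLASS field carries the advertised UDP payload size."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, bufsize, 0, 0)
    return header + question + opt

def skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_bufsize(pkt):
    """Return the UDP payload size advertised in the OPT RR, or None if no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def needs_tcp_retry(response):
    """True when the server set TC: the answer did not fit the advertised buffer,
    so the resolver must repeat the query over TCP rather than accept fragments."""
    flags = struct.unpack(">H", response[2:4])[0]
    return bool(flags & TC_FLAG)
```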

Other changes in PowerDNS Recursor 4.2:

  • Added support for the XPF (X-Proxied-For) method, a DNS equivalent of the X-Forwarded-For HTTP header, which allows information about the IP address and port number of the original requester to be passed through intermediate proxies and load balancers (such as dnsdist). XPF is enabled with the options "xpf-allow-from" and "xpf-rr-code";
  • Improved support for the EDNS Client Subnet (ECS) extension, which lets DNS queries carry to the authoritative DNS server information about the subnet from which the original request, forwarded along the chain, was sent (data about the client's source subnet is needed for content delivery networks to operate effectively). The new release adds settings for selective control over the use of EDNS Client Subnet: "ecs-add-for" with a list of netmasks whose IP addresses will be used in ECS in outgoing requests. For addresses that do not match the specified masks, the generic address defined by the "ecs-scope-zero-address" directive is used. The "use-incoming-edns-subnet" directive specifies the subnets from which incoming requests already filled with ECS values will be passed on unaltered;
  • For servers handling a large number of requests per second (more than 100 thousand), the "distributor-threads" directive has been added, which sets the number of threads that receive incoming requests and distribute them among the worker threads (it only has an effect when "pdns-distributes-queries=yes" is used);
  • Added the setting public-suffix-list-file for specifying your own file with the list of public suffixes, i.e. domains in which users can register their own subdomains, instead of the list built into PowerDNS Recursor.

The PowerDNS project has also announced a move to a six-month development cycle, with the next major release, PowerDNS Recursor 4.3, expected in January 2020. Updates for a major release will be produced for a whole year, after which vulnerability fixes will be released for another six months. Support for the PowerDNS Recursor 4.2 branch will therefore last until January 2021. The same change of development cycle has been made for PowerDNS Authoritative Server, whose 4.2 release is expected soon.

Key features of PowerDNS Recursor:

  • Tools for remote collection of statistics;
  • Instant restart;
  • Built-in engine for attaching handlers written in the Lua language;
  • Full support for DNSSEC and DNS64;
  • Support for RPZ (Response Policy Zones) and the ability to define blacklists;
  • Mechanisms for countering spoofing;
  • Ability to record resolution results as a BIND zone file;
  • To ensure high performance, modern connection multiplexing mechanisms are used on FreeBSD, Linux and Solaris (kqueue, epoll, /dev/poll), together with a high-performance DNS packet parser capable of processing tens of thousands of parallel requests.

Source: opennet.ru