Bypassing RKN blocks with DNSTap and BGP

The topic is quite well-worn, I know. For example, there is an excellent article on it, but it only deals with the IP part of the blocklist. We will add domains as well.

Because the courts and RKN block everything left and right, and providers try very hard not to fall under the fines handed out by Revizorro, the collateral damage from blocking is large. And among the "rightfully" blocked sites there are very useful ones (hello, rutracker).

I live outside RKN's jurisdiction, but my parents, relatives and friends stayed in my home country. So it was decided to find an easy way for people far from IT to get around the blocking, preferably without any involvement on their part at all.

In this note I will not describe basic networking things step by step, but will lay out the general principles of how this scheme can be implemented. So knowledge of how networking works in general, and on Linux in particular, is a must.

Types of blocks

First, let's refresh our memory about what is actually being blocked.

There are several types of blocks in the XML downloaded from RKN:

  • IP
  • Domain
  • URL

For simplicity we reduce them to two, IP and domain, and from URL blocks we simply extract the domain (or rather, this has already been done for us).

The good people at Roskomsvoboda have implemented a wonderful API through which we can get what we need: the lists of blocked IPs and domains (the endpoints are used in the scripts further down).

Access to blocked sites

For this we need some small foreign VPS, preferably with unlimited traffic; there are plenty of them for 3-5 bucks. It should be bought in a nearby country so that the ping is not too high, but keep in mind that the Internet and geography do not always coincide. And since there is no SLA for 5 bucks, it is better to take 2+ of them from different providers for fault tolerance.

Next, we need to set up an encrypted tunnel from the client router to the VPS. I use WireGuard as the fastest and simplest to configure, because my client routers are also Linux-based (APU2 or something running OpenWRT). In the case of some Mikrotik/Cisco you can use the protocols available on them, such as OpenVPN or GRE-over-IPsec.

Identifying and redirecting the traffic of interest

You could, of course, simply send all Internet traffic abroad. But most likely the speed of working with local content would suffer badly. On top of that, the bandwidth requirements on the VPS would be much higher.

So we need to single out the traffic to blocked sites and send only that into the tunnel. Even if some "extra" traffic ends up there, it is still much better than pushing everything through the tunnel.

To steer the traffic we use BGP and advertise routes to the relevant networks from our VPS to the clients. As the BGP daemon we take BIRD, one of the most capable and convenient ones.

IP

With IP blocks everything is clear: we simply announce all blocked IPs from the VPS. The problem is that the list provided by the API contains about 600 thousand subnets, and most of them are /32 hosts. That many routes can overwhelm weak client routers.

So, when processing the list, it was decided to summarize into a /24 whenever two or more hosts fall into it. This brought the number of routes down to ~2 thousand. The script for this follows below.

Domains

This is more complicated and there are several approaches. For example, you could install a transparent Squid on every router, intercept HTTP there and peek into the TLS handshake, getting the requested URL in the first case and the domain from the SNI in the second.

But because of the newfangled TLS 1.3 + ESNI, analysing HTTPS becomes less and less realistic every day. And the infrastructure on the client side gets more complex: you would need at least OpenWRT.

So I decided to go down the path of intercepting responses to DNS queries. Here, too, all sorts of DNS-over-TLS/HTTPS are starting to loom over us, but (for now) we control this part on the client: either disable it or use our own server for DoT/DoH.

How to intercept DNS?

Here, too, there are several options.

  • Intercepting DNS traffic via PCAP or NFLOG
    Both interception methods are implemented in the sidmat utility. But it has not been maintained for a long time and its functionality is very primitive, so you would still have to write a wrapper around it.
  • Analysing DNS server logs
    Unfortunately, the resolvers I know of can only log queries, not responses. In principle that is logical: unlike queries, responses have a complex structure and are hard to write out in text form.
  • DNSTap
    Fortunately, many resolvers already support DNSTap for exactly this purpose.

What is DNSTap?

It is a client-server protocol based on Protocol Buffers and Frame Streams for transporting structured DNS queries and responses from a DNS server to a collector. Essentially the DNS server transmits the query and response metadata (message type, client/server IP, etc.) together with the full DNS messages in the (binary) form in which it handles them on the wire.

It is important to understand that in the DNSTap paradigm the DNS server acts as the client and the collector acts as the server. That is, the DNS server connects to the collector, not the other way round.

Today DNSTap is supported by all popular DNS servers. However, BIND in many distributions (such as Ubuntu LTS) is for some reason often built without it. So rather than bother with rebuilding, let's take a lighter and faster resolver: Unbound.

How to catch DNSTap?

There is a number of CLI utilities for working with a stream of DNSTap events, but they are poorly suited to our task. So I decided to reinvent my own wheel that does everything needed: dnstap-bgp

How it works:

  • On startup it loads the list of domains from a text file, reverses them (habr.com -> com.habr), drops empty lines, duplicates and subdomains (i.e. if the list contains both habr.com and www.habr.com, only the first one is loaded) and builds a prefix tree for fast lookups in this list
  • Acting as the DNSTap server, it waits for a connection from the DNS server. In principle it supports both UNIX and TCP sockets, but the DNS servers I know of only support UNIX sockets
  • Incoming DNSTap packets are first deserialized into a Protobuf structure, and then the binary DNS message itself, contained in one of the Protobuf fields, is parsed down to the level of DNS resource records (RRs)
  • It checks whether the requested host (or its parent domain) is in the loaded list; if not, the response is ignored
  • Only A/AAAA/CNAME RRs are selected from the response and the corresponding IPv4/IPv6 addresses are extracted from them
  • The IP addresses are cached with the configured TTL and announced to all configured BGP peers
  • When a response referring to an already cached IP arrives, its TTL is refreshed
  • After the TTL expires, the entry is removed from the cache and from the BGP announcements
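The steps above as a compact Python model. This is an added example, not dnstap-bgp's own code: it shows the reversed-label tree with subdomain de-duplication, the extraction of addresses from the raw DNS message that DNSTap carries in its response_message field, and the TTL cache that decides which host routes to announce and withdraw. It assumes the DNSTap frame has already been decoded, represents the BGP side only as the lists of prefixes returned by observe()/expire(), and uses a constructed domain list and a constructed DNS response (rutracker.org pointing at a made-up cdn.example.net) rather than captured traffic.

```python
import struct
import ipaddress

_END = None  # sentinel dict key: "a listed domain ends at this node"

def _norm(name):
    name = name.strip().lower().rstrip('.')
    return name[2:] if name.startswith('*.') else name   # RKN list writes wildcards as "*.x"

class DomainList:
    """Blocklist as a tree of reversed labels; a listed domain covers all its subdomains."""
    def __init__(self, lines):
        self.root = {}
        names = {n for n in map(_norm, lines) if n}
        for name in sorted(names, key=lambda n: n.count('.')):  # parents before children
            node = self.root
            for label in reversed(name.split('.')):
                if _END in node:                   # parent already listed: child is redundant
                    break
                node = node.setdefault(label, {})
            else:
                node[_END] = True

    def matches(self, qname):
        node = self.root
        for label in reversed(_norm(qname).split('.')):
            if _END in node:
                return True                        # a parent of qname is listed
            node = node.get(label)
            if node is None:
                return False
        return _END in node

def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if (hops := hops + 1) > 16: raise ValueError('compression pointer loop')
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0: break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels).lower(), (end if end is not None else off)

def parse_response(msg):
    """(queried name, addresses) from a raw DNS response, i.e. the bytes dnstap carries in
    response_message. CNAMEs are walked over; only A (1) and AAAA (28) yield addresses."""
    ancount = struct.unpack('!H', msg[6:8])[0]
    qname, off = _read_name(msg, 12)               # one question, as resolvers send
    off += 4                                       # QTYPE, QCLASS
    addrs = set()
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype in (1, 28):                       # packed 4 or 16 bytes -> IPv4/IPv6 address
            addrs.add(ipaddress.ip_address(rdata))
    return qname, addrs

class RouteCache:
    """Host routes for blocked domains: observe() returns prefixes to announce, expire() the
    prefixes to withdraw. Pushing them to BIRD over BGP is left to dnstap-bgp itself."""
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.expiry = {}                           # prefix -> absolute expiry time

    def observe(self, domains, qname, addrs, now):
        if not domains.matches(qname):
            return []                              # not a blocked domain: nothing to do
        announce = []
        for addr in addrs:
            prefix = ipaddress.ip_network(str(addr))       # /32 or /128 host route
            if prefix not in self.expiry:
                announce.append(prefix)
            self.expiry[prefix] = now + self.ttl           # new entry, or TTL refreshed
        return announce

    def expire(self, now):
        withdraw = [p for p, t in self.expiry.items() if t <= now]
        for p in withdraw:
            del self.expiry[p]
        return withdraw

def _encode_name(name):
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.split('.')) + b'\x00'

def build_sample_response():
    # Constructed (not captured): rutracker.org CNAME cdn.example.net, then A and AAAA for the
    # target. Owner names are compression pointers, so the parser's pointer path is exercised.
    header = struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 3, 0, 0)
    question = _encode_name('rutracker.org') + struct.pack('!HH', 1, 1)          # ends at 31
    target = _encode_name('cdn.example.net')
    cname = b'\xC0\x0C' + struct.pack('!HHIH', 5, 1, 300, len(target)) + target  # rdata at 43
    a = b'\xC0\x2B' + struct.pack('!HHIH', 1, 1, 60, 4) + ipaddress.IPv4Address('198.51.100.7').packed
    aaaa = b'\xC0\x2B' + struct.pack('!HHIH', 28, 1, 60, 16) + ipaddress.IPv6Address('2001:db8::7').packed
    return header + question + cname + a + aaaa
```

Feeding parse_response(build_sample_response()) into RouteCache.observe() with a list containing rutracker.org yields the two host routes 198.51.100.7/32 and 2001:db8::7/128 to announce; a second sighting before expiry returns nothing (only the TTL moves), and expire() hands them back once the refreshed TTL has run out. Note that the match is done on the queried name, not on the CNAME target, which is exactly why unrelated sites sharing a CDN address end up in the tunnel, as the conclusion of the article points out.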

Additional functionality:

  • Re-reading the domain list on SIGHUP
  • Cache synchronisation with other dnstap-bgp instances over HTTP/JSON
  • Duplicating the cache on disk (in a BoltDB database) so that its contents survive a restart
  • Support for switching into a different network namespace (why this is needed is explained below)
  • IPv6 support

Limitations:

  • IDN domains are not supported yet
  • Few BGP settings

I have built RPM and DEB packages for easy installation. They should work on any recent OS with systemd, since they have no dependencies.

The scheme

So, let's start putting all the components together. The result should be something like the following network topology:
[Figure: network topology of the scheme]

The logic of operation is, I think, clear from the diagram:

  • The client has our server configured as its DNS, and the DNS queries must also go through the VPN. This is needed so that the provider cannot use DNS spoofing for blocking.
  • When the client opens a site, it sends a DNS query along the lines of "what IP does xxx.org have?"
  • Unbound resolves xxx.org (or takes it from the cache) and sends the client the response "xxx.org has such-and-such IP", duplicating it via DNSTap at the same time
  • dnstap-bgp announces these addresses to BIRD over BGP if the domain is on the blocklist
  • BIRD announces the route to these IPs with next-hop self to the client routers
  • Subsequent packets from the client to these IPs go through the tunnel

On the server I use a separate table inside BIRD for the routes to blocked sites, so it does not interfere with the OS routing in any way.

There is a flaw in this scheme: the first SYN packet from the client will most likely still have time to go out through the home provider, because the route is not announced instantly. What happens next depends on how the provider blocks. If it simply drops the traffic, there is no problem. But if it redirects it to some DPI box, then (in theory) special effects are possible.

Miracles are also possible with clients that do not respect the DNS TTL, which can lead to a client using some stale records from a rotten cache instead of asking Unbound.

In practice neither the first nor the second has caused me problems, but your mileage may vary.

Server setup

For ease of rollout I wrote an Ansible role. It can configure both the servers and Linux-based clients (aimed at deb-based distributions). All the settings are fairly obvious and live in inventory.yml. This role was cut out of my big playbook, so it may contain errors; pull requests are welcome :)

Let's go through the main components.

BGP

When running two BGP daemons on the same host, a fundamental problem arises: BIRD refuses to bring up BGP peering with localhost (or with any local interface). Flatly. Googling and reading the mailing lists did not help; they say it is by design. Perhaps there is a way, but I did not find it.

You could try another BGP daemon, but I like BIRD and use it everywhere, and I did not want to multiply entities.

So I hid dnstap-bgp inside a network namespace, which is connected to the root namespace through a veth interface: it is like a pipe whose two ends stick out in different namespaces. On each end we hang private point-to-point IP addresses that never leave the host, so they can be anything. This is the same mechanism used to reach processes inside everyone's favourite Docker and other containers.

For this a script was written, and the functionality mentioned above, pulling itself by the hair into another namespace, was added to dnstap-bgp. Because of it, dnstap-bgp must either run as root or be given CAP_SYS_ADMIN on the binary with the setcap command.

Example script for creating the namespace

#!/bin/bash

NS="dtap"

IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"   # "ip" run inside the namespace

IF_R="veth-$NS-r"    # root-namespace end of the veth pair
IF_NS="veth-$NS-ns"  # end that is moved into the namespace

IP_R="192.168.149.1"
IP_NS="192.168.149.2"

/bin/systemctl stop dnstap-bgp || true

# Recreate the namespace from scratch; deleting it also drops the old veth pair
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS

$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS

# Point-to-point addresses on both ends of the "pipe"; they never leave the host
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up

$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up

/bin/systemctl start dnstap-bgp

dnstap-bgp.conf

namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"

[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"

[bgp]
as = 65000
routerid = "192.168.149.2"

peers = [
    "192.168.149.1",
]

bird.conf

router id 192.168.1.1;

# Separate table for the blocked-site routes; nothing from it touches the kernel routing
table rkn;

# Clients
protocol bgp bgp_client1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.2 as 65000;   # client router's tunnel address
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    export all;
    import none;
}

# DNSTap-BGP
protocol bgp bgp_dnstap {
    table rkn;
    local as 65000;
    neighbor 192.168.149.2 as 65000;   # dnstap-bgp inside the "dtap" namespace
    direct;
    passive on;                        # dnstap-bgp opens the session
    rr client;
    import all;
    export none;
}

# Static routes list
protocol static static_rkn {
    table rkn;
    include "rkn_routes.list";
    import all;
    export none;
}

rkn_routes.list

route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...

DNS

By default, on Ubuntu the Unbound binary is confined by an AppArmor profile that prevents it from connecting to any DNSTap socket. You can either disable this profile or remove it:

# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound

This should probably be added to the playbook. Ideally, of course, one would fix the profile and grant just the required permissions, but I was too lazy.

unbound.conf

server:
    chroot: ""
    port: 53
    # Listens on every interface, including the public one; access-control below decides
    # who gets answers. Binding to the tunnel address only would be the safer choice.
    interface: 0.0.0.0
    root-hints: "/var/lib/unbound/named.root"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Only the tunnel/client networks may query; this range must cover the WireGuard subnet
    access-control: 192.168.0.0/16 allow

remote-control:
    control-enable: yes
    control-use-cert: no

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-send-identity: no
    dnstap-send-version: no

    dnstap-log-client-response-messages: yes

Downloading and processing the lists

Script for downloading and processing the list of IP addresses
It downloads the list and summarizes it into prefixes of length pfx. In dont_add and dont_summarize you can specify IPs and networks that should be skipped or not summarized. I needed this because my VPS's subnet was on the blocklist :)

What is funny is that the Roskomsvoboda API rejects requests with the default Python User-Agent. Looks like some script kiddie got on their nerves. So we change it to a browser one.

For now it only works with IPv4, because the share of IPv6 is small, but that would be easy to fix. Except that you would also have to use bird6.

rkn.py

#!/usr/bin/python3

import json, urllib.request, ipaddress as ipa

url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'   # /32 hosts are summarized into this prefix when two or more fall into it

# Networks whose hosts must stay separate /32 routes (never summarized)
dont_summarize = {
    # ipa.IPv4Network('1.1.1.0/24'),
}

# Addresses or networks to leave out of the route list entirely (e.g. your own VPS subnet)
dont_add = {
    # ipa.IPv4Address('1.1.1.1'),
}
dont_add = {ipa.ip_network(str(x)) for x in dont_add}   # single addresses become /32 networks

req = urllib.request.Request(
    url,
    data=None,
    headers={
        # the API rejects the default Python User-Agent, so present a browser one
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
    }
)

f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))

# key: a listed network, or the /24 a host falls into -> [what to print if alone, host count]
r = {}
for i in ips:
    ip = ipa.ip_network(i, strict=False)
    if not isinstance(ip, ipa.IPv4Network):
        continue   # IPv6 entries are skipped for now (see the note above)

    if any(ip.subnet_of(x) for x in dont_add):
        continue

    if ip.prefixlen != 32:
        # A real network from the list: keep it as is. Key by the network itself
        # (not by its netmask) so that several networks do not overwrite each other.
        entry = r.setdefault(ip, [ip, 0])
        entry[1] += 1
        continue

    sn = ipa.IPv4Network(str(ip.network_address) + '/' + pfx, strict=False)

    if sn in dont_summarize:
        tgt = ip   # stays an individual /32
    else:
        tgt = sn   # counted towards its /24

    if tgt not in r:
        r[tgt] = [ip, 1]
    else:
        r[tgt][1] += 1

o = []
for n, v in r.items():
    if v[1] == 1:
        o.append(str(v[0]))   # a lone host (/32) or a listed network, verbatim
    else:
        o.append(str(n))      # two or more hosts: emit the summarized /24

for k in o:
    print(k)

Update script
I run it once a day from cron; it may be worth running it every 4 hours, because that, as I understand it, is the update period RKN demands from providers. Besides, they have some super-urgent blocks that can arrive faster.

It does the following:

  • Runs the script above and updates the route list (rkn_routes.list) for BIRD
  • Reloads BIRD
  • Updates and cleans up the domain list for dnstap-bgp
  • Reloads dnstap-bgp

rkn_update.sh

#!/bin/bash

# Without pipefail, $? after a pipeline would only reflect sed/sort, not rkn.py or curl
set -o pipefail

ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"

# Get & summarize routes, wrapping every prefix into a BIRD static route statement
/opt/rkn.py | sed 's/\(.*\)/route \1 via "ens3";/' > $ROUTES.new

if [ $? -ne 0 ]; then
    rm -f $ROUTES.new
    echo "Unable to download RKN routes"
    exit 1
fi

if [ -e $ROUTES ]; then
    mv $ROUTES $ROUTES.old
fi

mv $ROUTES.new $ROUTES

/bin/systemctl try-reload-or-restart bird

# Get domains: strip the leading "*." wildcard and drop duplicates
curl -sf https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^\*\.//' | sort -u > $DOMAINS.new

if [ $? -ne 0 ]; then
    rm -f $DOMAINS.new
    echo "Unable to download RKN domains"
    exit 1
fi

if [ -e $DOMAINS ]; then
    mv $DOMAINS $DOMAINS.old
fi

mv $DOMAINS.new $DOMAINS

/bin/systemctl try-reload-or-restart dnstap-bgp

They were written without much thought, so if you see something that could be improved, go ahead.

Client setup

Here I give examples for Linux routers; in the case of Mikrotik/Cisco it should be even simpler.

First, configure BIRD:

bird.conf

router id 192.168.1.2;
table rkn;

protocol device {
    scan time 10;
};

# Servers
protocol bgp bgp_server1 {
    table rkn;
    local as 65000;
    neighbor 192.168.1.1 as 65000;
    direct;
    bfd on;
    next hop self;
    graceful restart;
    graceful restart time 60;
    rr client;
    export none;
    import all;
}

protocol kernel {
    table rkn;
    kernel table 222;
    scan time 10;
    export all;
    import none;
}

This way the routes received over BGP are synchronised into kernel routing table number 222.

After that, it is enough to ask the kernel to consult this table before the default one:

# ip rule add from all pref 256 lookup 222
# ip rule
0:  from all lookup local
256:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

That's it; all that remains is to configure DHCP on the router to hand out the server's tunnel IP address as the DNS server, and the scheme is ready.

Shortcomings

With the current algorithm for generating and processing the domain list, it includes, among other things, youtube.com and its CDNs.

This leads to all video being sent through the VPN, which can saturate the whole link. It may be worth compiling an exclusion list of popular domains that RKN is still too weak to block, and ignoring them when parsing.

Conclusion

The described method allows bypassing almost any blocking the providers currently perform.

In principle, dnstap-bgp can be used for other purposes where some degree of traffic control based on the domain name is needed. Just keep in mind that nowadays thousands of sites can sit behind the same IP address (behind some Cloudflare, for example), so this method has rather low precision.

But for the purpose of bypassing blocks, it is enough.

Additions, corrections and pull requests are welcome!

Source: www.habr.com
