Meet the service from Cloudflare at the addresses 1.1.1.1 and 1.0.0.1, or "the shelf of public DNS has arrived!"


Cloudflare has launched a public DNS at the addresses:

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

The policy is declared to be "Privacy first", so that users can have peace of mind about the content of their queries.

The service is interesting in that, in addition to regular DNS, it offers the ability to use DNS-over-TLS and DNS-over-HTTPS, which makes it considerably harder for providers to eavesdrop on your queries on the way there and back, and to collect statistics, monitor, and manage advertising. Cloudflare says the announcement date (April 1, 2018, or 04/01 in US notation) was not chosen by chance: on what other day of the year would "four ones" be presented?

Since the Habr audience is technically savvy, I will put the traditional "why do you need DNS?" section at the end of the post, and here I will say more useful things:

How to use the new service?

The simplest thing is to specify the DNS server addresses above in your DNS client (or as upstream in the settings of the local DNS server you use). Whether it makes sense to replace the usual Google DNS values (8.8.8.8, etc.), or the slightly less common Yandex public DNS servers (77.88.8.8 and the like), with the servers from Cloudflare is up to you to decide, but a comparison of response speed, according to which Cloudflare is faster than all competitors, speaks in favour of the newcomer (I'll clarify: the measurements were taken by a third-party service, and the speed to a particular client may, of course, differ).


It is more interesting to work with the new modes in which the query flies to the server over an encrypted connection (and, in fact, the answer comes back over it too), the DNS-over-TLS and DNS-over-HTTPS mentioned above. Unfortunately, they are not supported "out of the box" (the authors believe this is "for now"), but it is not hard to set up their operation in your software (or even on your hardware):

DNS over HTTPS (DoH)

As the name suggests, communication takes place over an HTTPS channel, which means

  1. the presence of a landing point (endpoint) - it is located at the address https://cloudflare-dns.com/dns-query and
  2. a client that can send queries and receive answers.

Queries can be either in the DNS Wireformat defined in RFC1035 (sent using the HTTP POST and GET methods), or in JSON format (using the HTTP GET method). Personally, the idea of making DNS queries via HTTP requests seemed unexpected to me, but there is a rational grain in it: such a request will pass through many traffic filtering systems, parsing the answers is quite simple, and generating the queries is even simpler. The usual libraries and protocols are responsible for security.

Query examples, straight from the documentation:

GET query in DNS Wireformat

$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

POST query in DNS Wireformat

$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump

{ [49 bytes data]
100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031

The same, but using JSON

$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "example.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 1069,
      "data": "93.184.216.34"
    }
  ]
}

Obviously, a rare home router (if even one exists) can work with DNS this way, but this does not mean that support won't appear tomorrow - and, interestingly, here we can implement DNS handling inside our own application (as Mozilla is already going to do, precisely on Cloudflare's servers).
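To make the wireformat examples above concrete, here is an added example (not code from the post or from Cloudflare) that builds the RFC1035 query carried in the `dns=` parameter of the GET request, base64url-encodes it the same way, and parses the 49-byte response from the hexdump shown above; the sample response bytes are copied from that hexdump and embedded as a constant so the code runs offline.

```python
import base64
import struct

# Constructed sample: the 49-byte DoH response from the hexdump above (www.example.com, type A).
SAMPLE_RESPONSE = bytes.fromhex(
    "abcd8180000100010000000003777777076578616d706c6503636f6d0000010001"
    "c00c0001000100000a8b00045db8d822"
)

def build_query(name: str, qtype: int = 1, txid: int = 0xABCD) -> bytes:
    """Build a single-question DNS wireformat query (RFC 1035) with only the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def to_dns_param(query: bytes) -> str:
    """Base64url-encode the query without '=' padding, as used in the ?dns= GET parameter."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                          # a pointer ends the name in-place
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a wireformat response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip QNAME, QTYPE, QCLASS
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "TTL": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}
```

Checking that the transaction id in the answer matches the one you sent is the only integrity check the wireformat itself gives you; everything else rests on the TLS layer underneath.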

DNS over TLS

By default, DNS queries are transmitted without encryption. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on the standard port 853, as prescribed by RFC7858. This uses a certificate issued for the host cloudflare-dns.com; TLS 1.2 and TLS 1.3 are supported.

Establishing a connection and working according to the protocol goes something like this:

  • Before setting up a DNS connection, the DNS client stores the base64-encoded SHA256 hash of the TLS certificate of cloudflare-dns.com (called SPKI)
  • The DNS client establishes a TCP connection to cloudflare-dns.com:853
  • The DNS client starts the TLS handshake
  • During the TLS handshake, the host cloudflare-dns.com presents its TLS certificate.
  • Once the TLS connection is established, the DNS client can send DNS queries over the secure channel, which prevents the queries and answers from being eavesdropped on and tampered with.
  • All DNS queries sent over the TLS connection must comply with the DNS-over-TCP message format.

Example of a query via DNS over TLS:

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com.             IN  A

;; ANSWER SECTION:
example.com.            2347    IN  A   93.184.216.34

;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 ms

This option seems to work best for local DNS servers serving the needs of a local network or a single user. True, support for the standard is not very good yet, but - let's hope!

A couple of words explaining what the conversation is about

The abbreviation DNS stands for Domain Name Service (so saying "DNS service" is somewhat redundant; the abbreviation already contains the word "service"), and it is used to solve a simple task - to find out which IP address a particular host name has. Every time a person clicks a link or types an address into the browser's address bar (say, something like "https://habrahabr.ru/post/346430/"), the person's computer tries to find out which server to send the request to in order to get the page content. In the case of habrahabr.ru, the answer from DNS will contain the IP address of the web server, 178.248.237.68, and only then will the browser try to contact the server at that IP address.

In turn, the DNS server, having received the query "what is the IP address of the host named habrahabr.ru?", determines whether it knows anything about the specified host. If not, it queries other DNS servers around the world and, step by step, tries to find the answer to the question asked. As a result, upon finding the final answer, the data found is sent to the client still waiting for it, and is also stored in the DNS server's own cache, which allows it to answer the same query much faster next time.

The common problem is that, first, DNS query data is transmitted in the clear (which gives anyone with access to the traffic stream the ability to extract the DNS queries and the answers received for them and then use them for their own purposes; the ability to target advertising precisely at the DNS client alone is quite a lot!). Second, some ISPs (we won't point fingers, but not the smallest ones) tend to show advertising instead of one requested page or another (which is implemented quite simply: instead of the IP address requested for the host name habrahabr.ru, the address of a web server is returned that serves a page containing the advertising). Third, there are Internet access providers that fulfil demands to block individual sites by replacing the correct DNS answers about the IP addresses of the blocked web resources with the IP address of their own server containing stub pages (as a result, access to such sites becomes noticeably more complicated), or with the address of their filtering proxy server.

This should be a picture from the site http://1.1.1.1/, used to illustrate connecting to the service. The authors seem very confident in the quality of their DNS (however, it is hard to expect anything else from Cloudflare):


One can fully understand Cloudflare, the creator of the service: they earn their bread by maintaining and developing one of the most popular CDN networks in the world (whose functions include not only content distribution but also hosting DNS zones), and, by the will of those who do not understand very well but tell those who understand even less where to go in the network world, they quite often suffer from blocking of their servers' addresses for reasons unknown - so for the company, having a DNS that is not affected by "shouting, whistles and scripts" means less harm to their business. And the technical advantages (small but nice: in particular, for customers of Cloudflare's free DNS, updating the DNS records of resources hosted on the company's DNS servers will be instant) make using the service described in the post even more interesting.


Will you use the new service?

  • Yes, by specifying it in the OS and/or on the router

  • Yes, and I will use the new protocols (DNS over HTTPS and DNS over TLS)

  • No, my current servers are enough for me (this is a public provider: Google, Yandex, etc.)

  • No, I don't even know what I am using now

  • I use my own recursive DNS with an SSL tunnel to it

693 users voted. 191 users abstained.

source: www.habr.com
