Isihloko sishaywe kahle, ngiyazi. Ngokwesibonelo, kukhona omkhulu
Ngenxa yokuthi izinkantolo kanye ne-RKN zivimba yonke into kwesokudla nakwesobunxele, futhi abahlinzeki bazama kanzima ukuthi bangaweli ngaphansi kwezinhlawulo ezikhishwe ngu-Revizorro, ukulahlekelwa okuhlobene nokuvimbela kukhulu kakhulu. Futhi phakathi kwamasayithi "avinjelwe" avinjelwe kuneziningi eziwusizo (sawubona, i-rutracker)
Ngihlala ngaphandle kwesifunda sase-RKN, kodwa abazali bami, izihlobo nabangane basala ekhaya. Ngakho-ke kwanqunywa ukuqhamuka nendlela elula yokuthi abantu abakude ne-IT badlule ukuvimba, okungcono ngaphandle kokuhlanganyela kwabo nhlobo.
Kule nothi, ngeke ngichaze izinto eziyisisekelo zenethiwekhi ngezinyathelo, kodwa ngizochaza izimiso ezijwayelekile zokuthi lolu hlelo lungasetshenziswa kanjani. Ngakho-ke ulwazi lokuthi inethiwekhi isebenza kanjani ngokujwayelekile futhi ku-Linux ikakhulukazi kufanele ube nayo.
Izinhlobo zokukhiya
Okokuqala, ake sivuselele inkumbulo yethu yalokho okuvinjiwe.
Kunezinhlobo ezimbalwa zokukhiya ku-XML engalayishiwe evela ku-RKN:
- IP
- Isizinda
- I-URL
Ukwenza kube lula, sizokwehlisa kube kabili: IP nesizinda, futhi sizovele sikhiphe isizinda ekuvinjweni nge-URL (ngokunembile, sebevele basenzela lokhu).
abantu abalungile
- I-IP:
https://api.reserve-rbl.ru/api/v2/ips/json - Izizinda:
https://api.reserve-rbl.ru/api/v2/domains/json
Ukufinyelela kumasayithi avinjiwe
Ukuze senze lokhu, sidinga i-VPS encane yangaphandle, okungcono ngethrafikhi engenamkhawulo - kukhona okuningi kwalokhu ngamarandi angu-3-5. Udinga ukuyithatha eduze phesheya ukuze i-ping ingabi enkulu kakhulu, kodwa futhi, khumbula ukuthi i-intanethi kanye ne-geography akuhambisani ngaso sonke isikhathi. Futhi njengoba ingekho i-SLA yamarandi angu-5, kungcono ukuthatha izingcezu ezingu-2+ kubahlinzeki abahlukene ukuze ubekezelele amaphutha.
Okulandelayo, sidinga ukusetha umhubhe obethelwe kusuka kumzila weklayenti kuya ku-VPS. Ngisebenzisa i-Wireguard njengokushesha nokulula ukukumisa. Futhi nginamarutha eklayenti asekelwe ku-Linux (
Ukuhlonza kanye nokuqondisa kabusha kwethrafikhi enentshisekelo
Ungakwazi, vele, ukucisha yonke ithrafikhi ye-inthanethi ngokusebenzisa amazwe angaphandle. Kodwa, cishe, isivinini sokusebenza nokuqukethwe kwendawo sizohlupheka kakhulu kulokhu. Futhi, izidingo zomkhawulokudonsa ku-VPS zizoba phezulu kakhulu.
Ngakho-ke, sizodinga ukuthi ngandlela thize sabe ithrafikhi kumasayithi avinjiwe futhi ngokukhetha siyiqondise emhubheni. Ngisho noma ezinye zethrafikhi "ezengeziwe" zifika lapho, kusengcono kakhulu kunokushayela yonke into emhubheni.
Ukuze silawule ithrafikhi, sizosebenzisa iphrothokholi ye-BGP futhi simemezele imizila eya kumanethiwekhi adingekayo ukusuka ku-VPS yethu kuya kumakhasimende. Ake sithathe INYONI njengenye yamademoni e-BGP asebenza kakhulu futhi asebenziseka kalula.
IP
Ngokuvinjwa yi-IP, yonke into icacile: simane simemezele wonke ama-IP avinjelwe nge-VPS. Inkinga ukuthi kukhona cishe ama-subnets ayizinkulungwane ezingama-600 ohlwini olubuyiswa yi-API, futhi iningi lawo lingabasingathi abangu-/32. Leli nani lemizila lingadida amarutha amaklayenti abuthaka.
Ngakho-ke, lapho kucutshungulwa uhlu, kwanqunywa ukuthi kufinyezwe kunethiwekhi / 24 uma inababungazi abangu-2 noma ngaphezulu. Ngakho-ke, inani lemizila lehlisiwe laya ku-~ 100 izinkulungwane. Iskripthi salokhu sizolandela.
Izizinda
Kuyinkimbinkimbi futhi kunezindlela ezimbalwa. Isibonelo, ungafaka i-squid ekhanyelayo kumzila weklayenti ngalinye bese unqamula i-HTTP lapho bese ulunguza ekuxhawulaneni kwe-TLS ukuze uthole i-URL eceliwe esimweni sokuqala kanye nesizinda ku-SNI okwesibili.
Kodwa ngenxa yazo zonke izinhlobo ze-TLS1.3 + eSNI entsha, ukuhlaziywa kwe-HTTPS kuya ngokuya kuncipha ngokwenzeka nsuku zonke. Yebo, futhi ingqalasizinda ohlangothini lweklayenti iba inkimbinkimbi - kuzodingeka usebenzise okungenani i-OpenWRT.
Ngakho-ke, nginqume ukuthatha indlela yokuvimbela izimpendulo kuzicelo ze-DNS. Nalapha, noma iyiphi i-DNS-over-TLS / HTTPS iqala ukuhamba phezu kwekhanda lakho, kodwa singakwazi (okwamanje) ukulawula le ngxenye kuklayenti - ukuyikhubaza noma usebenzise iseva yakho ye-DoT / DoH.
Ungasusa kanjani i-DNS?
Lapha, futhi, kungase kube nezindlela eziningana.
- Ukutholwa kwethrafikhi ye-DNS nge-PCAP noma i-NFLOG
Zombili lezi zindlela zokuvimbela zisetshenziswa ekusetshenziswenisidmat . Kodwa ayikasekelwa isikhathi eside futhi ukusebenza kwayo kukudala kakhulu, ngakho-ke kusadingeka ukuthi uyibhalele ihhanisi. - Ukuhlaziywa kwamalogi weseva ye-DNS
Ngeshwa, ama-recursers engiwaziyo awakwazi ukuloga izimpendulo, kodwa izicelo kuphela. Empeleni, lokhu kunengqondo, njengoba, ngokungafani nezicelo, izimpendulo zinesakhiwo esiyinkimbinkimbi futhi kunzima ukuzibhala ngendlela yombhalo. I-DNStap
Ngenhlanhla, abaningi babo sebevele basekela i-DNSTap ngale njongo.
Yini i-DNStap?
Kuyiphrothokholi yeseva yeklayenti esuselwe Kumabhafa Ephrothokholi kanye Nokusakaza Kozimele ukuze idluliselwe isuka kuseva ye-DNS iye kumqoqi wemibuzo ehlelekile ye-DNS nezimpendulo. Empeleni, iseva ye-DNS idlulisa imethadatha yombuzo nezimpendulo (uhlobo lomlayezo, iklayenti/iseva ye-IP, njll.) kanye nemilayezo egcwele ye-DNS kufomu (inambambili) lapho isebenza nabo kunethiwekhi.
Kubalulekile ukuqonda ukuthi ku-paradigm ye-DNSTap, iseva ye-DNS isebenza njengeklayenti futhi umqoqi wenza njengeseva. Okusho ukuthi, iseva ye-DNS ixhuma kumqoqi, hhayi ngokuphambene nalokho.
Namuhla i-DNStap isekelwa kuwo wonke amaseva e-DNS adumile. Kodwa, ngokwesibonelo, BIND ekusabalaliseni okuningi (njenge-Ubuntu LTS) kuvame ukwakhiwa ngesizathu esithile ngaphandle kokusekelwa kwayo. Ngakho-ke masingazihluphi ngokuhlanganisa kabusha, kodwa sithathe i-recursor elula futhi esheshayo - Unbound.
Ungayibamba kanjani i-DNSTap?
Zikhona
I-algorithm yomsebenzi:
- Uma yethulwa, ilayisha uhlu lwezizinda ezisuka kufayela lombhalo, iziguqule (habr.com -> com.habr), ingafaki imigqa ephukile, izimpinda nezizinda ezingaphansi (okungukuthi, uma uhlu luqukethe i-habr.com kanye ne-www.habr.com, izolayishwa kuphela eyokuqala) futhi yakha isihlahla sesiqalo sokusesha ngokushesha kulolu hlu
- Isebenza njengeseva ye-DNSTap, ilinda uxhumano oluvela kuseva ye-DNS. Empeleni, isekela zombili izisekelo ze-UNIX ne-TCP, kodwa amaseva e-DNS engiwaziyo angasebenzisa kuphela amasokhethi e-UNIX.
- Amaphakethe angenayo e-DNStap aqala esulwa esakhiweni se-Protobuf, bese umlayezo kanambambili we-DNS ngokwawo, otholakala kwenye yezinkambu ze-Protobuf, uhlukaniselwe ezingeni lamarekhodi e-DNS RR.
- Kuyahlolwa ukuthi ingabe umsingathi oceliwe (noma isizinda sakhe esingumzali) ukuhlu olulayishiwe, uma kungenjalo, impendulo ayinakwa.
- Ama-RR e-A/AAAA/CNAME kuphela akhethiwe empendulweni futhi amakheli e-IPv4/IPv6 ahambisanayo akhishwa kuwo.
- Amakheli e-IP agcinwe nge-TTL elungisekayo futhi akhangiswa kubo bonke ontanga ye-BGP emisiwe
- Lapho ithola impendulo ekhomba ku-IP esivele inqolobane, i-TTL yayo iyabuyekezwa
- Ngemva kokuphelelwa yisikhathi kwe-TTL, okufakiwe kuyasuswa kunqolobane nasezimemezelweni ze-BGP
Ukusebenza okwengeziwe:
- Ifunda kabusha uhlu lwezizinda nge-SIGHUP
- Ukugcina inqolobane ivumelanisiwe nezinye izimo dnstap-bgp nge-HTTP/JSON
- Phinda kabili inqolobane kudiski (kusizindalwazi se-BoltDB) ukuze ubuyisele okuqukethwe kwayo ngemva kokuqalisa kabusha
- Usekelo lokushintshela endaweni yamagama yenethiwekhi ehlukile (kungani lokhu kudingeka kuzochazwa ngezansi)
- Usekelo lwe-IPv6
Ukulinganiselwa:
- Izizinda ze-IDN azikasekelwa okwamanje
- Izilungiselelo ezimbalwa ze-BGP
Ngiqoqile
Lolu hlelo
Ngakho-ke, ake siqale ukuhlanganisa zonke izingxenye ndawonye. Ngenxa yalokho, kufanele sithole into efana nale nethiwekhi ye-topology:
I-logic yomsebenzi, ngicabanga, icacile kusukela kumdwebo:
- Iklayenti linesiphakeli sethu esilungiselelwe njenge-DNS, futhi imibuzo ye-DNS kufanele idlule ku-VPN. Lokhu kuyadingeka ukuze umhlinzeki angakwazi ukusebenzisa ukungenelela kwe-DNS ukuvimba.
- Lapho uvula isayithi, iklayenti lithumela umbuzo we-DNS njengokuthi βayini ama-IPs we-xxx.orgβ
- itho olukhululekile ixazulula i-xxx.org (noma iyithatha kunqolobane) futhi ithumele impendulo kuklayenti elithi βxxx.org ine-IP enjalo naleyoβ, iphindaphindeka ngokuhambisana nge-DNStap
- dnstap-bgp imemezela la makheli ku INYONI nge-BGP uma isizinda sisohlwini oluvinjiwe
- INYONI ikhangisa umzila oya kulawa ma-IP nge
next-hop self
i-router yeklayenti - Amaphakethe alandelayo asuka kuklayenti aya kulawa ma-IP adlula emhubheni
Kuseva, emigwaqweni eya kumasayithi avinjiwe, ngisebenzisa itafula elihlukile ngaphakathi kwe-BIRD futhi ayiphambanisi ne-OS nganoma iyiphi indlela.
Lolu hlelo lune-drawback: iphakethe lokuqala le-SYN elivela kuklayenti, cishe, lizoba nesikhathi sokuhamba ngomhlinzeki wasekhaya. umzila awumenyezelwa ngokushesha. Futhi lapha izinketho zingenzeka kuye ngokuthi umhlinzeki wenza kanjani ukuvimba. Uma ewisa nje izimoto, akunankinga. Futhi uma eyiqondisa kabusha kwenye i-DPI, khona-ke (ngokwethiyori) imiphumela ekhethekile ingenzeka.
Kungenzeka futhi ukuthi amaklayenti awahloniphi izimangaliso ze-DNS TTL, okungabangela iklayenti ukuthi lisebenzise okufakiwe okudala okuvela kunqolobane yalo ebolile esikhundleni sokubuza Ukungaboshiwe.
Empeleni, okokuqala noma okwesibili akungibangele izinkinga, kodwa imayela lakho lingahluka.
Ukushuna Kweseva
Ukuze kube lula ukugoqa, ngabhala
Ake sidlule ezingxenyeni eziyinhloko.
I-BGP
Ukusebenzisa amadaemoni e-BGP amabili kumsingathi ofanayo kunenkinga enkulu: INYONI ayifuni ukumisa ukubuka kwe-BGP nge-localhost (noma yisiphi isixhumi esibonakalayo sendawo). Kusukela izwi nhlobo. I-Googling nokufunda uhlu lwamakheli akusizanga, bathi lokhu kwenziwa ngokuklama. Mhlawumbe kukhona indlela, kodwa angizange ngiyithole.
Ungazama enye i-daemon ye-BGP, kodwa ngithanda INYONI futhi isetshenziswa yimi yonke indawo, angifuni ukukhiqiza amabhizinisi.
Ngakho-ke, ngifihle i-dnstap-bgp ngaphakathi kwendawo yamagama yenethiwekhi, exhunywe empandeni ngokusebenzisa isixhumi esibonakalayo se-veth: ifana nepayipi, iziphetho zayo eziphuma ezindaweni zamagama ezahlukene. Kuzo zonke lezi ziphetho, silenga amakheli e-IP ayimfihlo we-p2p angadluli umsingathi, ukuze abe yinoma yini. Lena indlela efanayo esetshenziswa ukufinyelela izinqubo ngaphakathi ethandwa yibo bonke I-Docker nezinye iziqukathi.
Kwalotshwa lokhu
Isibonelo sombhalo wokudala indawo yamagama
#!/bin/bash
NS="dtap"
IP="/sbin/ip"
IPNS="$IP netns exec $NS $IP"
IF_R="veth-$NS-r"
IF_NS="veth-$NS-ns"
IP_R="192.168.149.1"
IP_NS="192.168.149.2"
/bin/systemctl stop dnstap-bgp || true
$IP netns del $NS > /dev/null 2>&1
$IP netns add $NS
$IP link add $IF_R type veth peer name $IF_NS
$IP link set $IF_NS netns $NS
$IP addr add $IP_R remote $IP_NS dev $IF_R
$IP link set $IF_R up
$IPNS addr add $IP_NS remote $IP_R dev $IF_NS
$IPNS link set $IF_NS up
/bin/systemctl start dnstap-bgp
dnstap-bgp.conf
namespace = "dtap"
domains = "/var/cache/rkn_domains.txt"
ttl = "168h"
[dnstap]
listen = "/tmp/dnstap.sock"
perm = "0666"
[bgp]
as = 65000
routerid = "192.168.149.2"
peers = [
"192.168.149.1",
]
inyoni.conf
router id 192.168.1.1;
table rkn;
# Clients
protocol bgp bgp_client1 {
table rkn;
local as 65000;
neighbor 192.168.1.2 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
export all;
import none;
}
# DNSTap-BGP
protocol bgp bgp_dnstap {
table rkn;
local as 65000;
neighbor 192.168.149.2 as 65000;
direct;
passive on;
rr client;
import all;
export none;
}
# Static routes list
protocol static static_rkn {
table rkn;
include "rkn_routes.list";
import all;
export none;
}
rkn_routes.list
route 3.226.79.85/32 via "ens3";
route 18.236.189.0/24 via "ens3";
route 3.224.21.0/24 via "ens3";
...
DNS
Ngokuzenzakalelayo, ku-Ubuntu, i-Unbound kanambambili iboshwe iphrofayili ye-AppArmor, eyivimbela ekuxhumekeni kuzo zonke izinhlobo zamasokhethi e-DNStap. Ungakwazi ukususa le phrofayela, noma uyikhubaze:
# cd /etc/apparmor.d/disable && ln -s ../usr.sbin.unbound .
# apparmor_parser -R /etc/apparmor.d/usr.sbin.unbound
Lokhu kufanele kwengezwe encwadini yokudlala. Kuhle, yiqiniso, ukulungisa iphrofayili futhi ngikhiphe amalungelo adingekayo, kodwa ngangivilapha kakhulu.
unbound.conf
server:
chroot: ""
port: 53
interface: 0.0.0.0
root-hints: "/var/lib/unbound/named.root"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
access-control: 192.168.0.0/16 allow
remote-control:
control-enable: yes
control-use-cert: no
dnstap:
dnstap-enable: yes
dnstap-socket-path: "/tmp/dnstap.sock"
dnstap-send-identity: no
dnstap-send-version: no
dnstap-log-client-response-messages: yes
Ilanda nokucubungula izinhlu
Ilanda uhlu, ifingqa isiqalo pfx. I ungangezi ΠΈ ungafingqa ungatshela ama-IP namanethiwekhi ukuthi eqe noma angafingqa. Bengiyidinga. i-subnet ye-VPS yami yayisohlwini lwe-blocklist π
Into ehlekisayo ukuthi i-RosKomSvoboda API ivimba izicelo nge-ejenti yomsebenzisi ye-Python ezenzakalelayo. Kubonakala sengathi ingane yombhalo uyitholile. Ngakho-ke, siyishintshela ku-Ognelis.
Kuze kube manje, isebenza kuphela nge-IPv4. isabelo se-IPv6 sincane, kodwa kuzoba lula ukukulungisa. Ngaphandle uma kufanele usebenzise inyoni6 futhi.
rkn.py
#!/usr/bin/python3
import json, urllib.request, ipaddress as ipa
url = 'https://api.reserve-rbl.ru/api/v2/ips/json'
pfx = '24'
dont_summarize = {
# ipa.IPv4Network('1.1.1.0/24'),
}
dont_add = {
# ipa.IPv4Address('1.1.1.1'),
}
req = urllib.request.Request(
url,
data=None,
headers={
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
}
)
f = urllib.request.urlopen(req)
ips = json.loads(f.read().decode('utf-8'))
prefix32 = ipa.IPv4Address('255.255.255.255')
r = {}
for i in ips:
ip = ipa.ip_network(i)
if not isinstance(ip, ipa.IPv4Network):
continue
addr = ip.network_address
if addr in dont_add:
continue
m = ip.netmask
if m != prefix32:
r[m] = [addr, 1]
continue
sn = ipa.IPv4Network(str(addr) + '/' + pfx, strict=False)
if sn in dont_summarize:
tgt = addr
else:
tgt = sn
if not sn in r:
r[tgt] = [addr, 1]
else:
r[tgt][1] += 1
o = []
for n, v in r.items():
if v[1] == 1:
o.append(str(v[0]) + '/32')
else:
o.append(n)
for k in o:
print(k)
Ngiyigijima emqhele kanye ngosuku, mhlawumbe kuwufanele ukuyidonsa njalo emahoreni ama-4. lokhu, ngokubona kwami, isikhathi sokuvuselela i-RKN esidinga kubahlinzeki. Futhi, banokunye ukuvinjwa okuphuthumayo, okungase kufike ngokushesha.
Wenza lokhu okulandelayo:
- Isebenzisa umbhalo wokuqala futhi ibuyekeze uhlu lwemizila (
rkn_routes.list
) okweNYONI - Layisha kabusha INYONI
- Ibuyekeza futhi ihlanze uhlu lwezizinda ze-dnstap-bgp
- Layisha kabusha i-dnstap-bgp
rkn_update.sh
#!/bin/bash
ROUTES="/etc/bird/rkn_routes.list"
DOMAINS="/var/cache/rkn_domains.txt"
# Get & summarize routes
/opt/rkn.py | sed 's/(.*)/route 1 via "ens3";/' > $ROUTES.new
if [ $? -ne 0 ]; then
rm -f $ROUTES.new
echo "Unable to download RKN routes"
exit 1
fi
if [ -e $ROUTES ]; then
mv $ROUTES $ROUTES.old
fi
mv $ROUTES.new $ROUTES
/bin/systemctl try-reload-or-restart bird
# Get domains
curl -s https://api.reserve-rbl.ru/api/v2/domains/json -o - | jq -r '.[]' | sed 's/^*.//' | sort | uniq > $DOMAINS.new
if [ $? -ne 0 ]; then
rm -f $DOMAINS.new
echo "Unable to download RKN domains"
exit 1
fi
if [ -e $DOMAINS ]; then
mv $DOMAINS $DOMAINS.old
fi
mv $DOMAINS.new $DOMAINS
/bin/systemctl try-reload-or-restart dnstap-bgp
Zabhalwa ngaphandle kokucabanga okuningi, ngakho-ke uma ubona okuthile okungathuthukiswa - hamba ngakho.
Ukusethwa kweklayenti
Lapha ngizonikeza izibonelo zamarutha e-Linux, kodwa esimweni se-Mikrotik / Cisco kufanele kube lula nakakhulu.
Okokuqala, simisa i-BIRD:
inyoni.conf
router id 192.168.1.2;
table rkn;
protocol device {
scan time 10;
};
# Servers
protocol bgp bgp_server1 {
table rkn;
local as 65000;
neighbor 192.168.1.1 as 65000;
direct;
bfd on;
next hop self;
graceful restart;
graceful restart time 60;
rr client;
export none;
import all;
}
protocol kernel {
table rkn;
kernel table 222;
scan time 10;
export all;
import none;
}
Ngakho, sizovumelanisa imizila etholwe ku-BGP nenombolo yethebula le-kernel routing 222.
Ngemuva kwalokho, kwanele ukucela i-kernel ukuthi ibheke leli puleti ngaphambi kokubheka elizenzakalelayo:
# ip rule add from all pref 256 lookup 222
# ip rule
0: from all lookup local
256: from all lookup 222
32766: from all lookup main
32767: from all lookup default
Konke, kusala ukulungisa i-DHCP kumzila ukuze kusabalalise ikheli le-IP lemhubhe leseva njenge-DNS, futhi uhlelo selulungile.
amaphutha
Nge-algorithm yamanje yokukhiqiza nokucubungula uhlu lwezizinda, ihlanganisa, phakathi kwezinye izinto, youtube.com
kanye nama-CDN ayo.
Futhi lokhu kuholela eqinisweni lokuthi wonke amavidiyo azohamba nge-VPN, engavala isiteshi sonke. Mhlawumbe kufanelekile ukuhlanganisa uhlu lwezizinda ezithandwayo-okungafakiwe okuvimbela i-RKN okwamanje, izibilini zincane. Futhi weqe lapho uhlaziya.
isiphetho
Indlela echaziwe ikuvumela ukuthi udlule cishe noma yikuphi ukuvimba okwenziwa abahlinzeki okwamanje.
Empeleni, dnstap-bgp ingasetshenziswa nganoma iyiphi enye injongo lapho kudingeka izinga elithile lokulawulwa kwethrafikhi ngokusekelwe egameni lesizinda. Vele ukhumbule ukuthi esikhathini sethu, amasayithi ayinkulungwane angalenga ekhelini elifanayo le-IP (ngemuva kwe-Cloudflare, isibonelo), ngakho le ndlela inokunemba okuphansi kakhulu.
Kodwa ngezidingo zokudlula izingidi, lokhu kwanele.
Ukwengezwa, ukuhlelwa, izicelo zokudonsa - wamukelekile!
Source: www.habr.com