Inkampani ye-Cloudflare I-DNS yomphakathi emakhelini:
- 1.1.1.1
- 1.0.0.1
- 2606: 4700: 4700 :: 1111
- 2606: 4700: 4700 :: 1001
Inqubomgomo kuthiwa "Imfihlo kuqala" ukuze abasebenzisi babe nokuthula kwengqondo mayelana nokuqukethwe kwezicelo zabo.
Isevisi iyathakazelisa ngokuthi, ngaphezu kwe-DNS evamile, inikeza ikhono lokusebenzisa ubuchwepheshe I-DNS-over-TLS и I-DNS-over-HTTPS, okuzovimbela kakhulu abahlinzeki ukuthi balalele izicelo zakho endleleni yezicelo - futhi baqoqe izibalo, baqaphe, baphathe ukukhangisa. I-Cloudflare ithi idethi yesimemezelo (ngo-Ephreli 1, 2018, noma i-04/01 ku-notation yaseMelika) ayikhethwanga ngenhlanhla: yiluphi olunye usuku lonyaka lapho "amayunithi amane" azokwethulwa?
Njengoba izethameli zikaHabr zinolwazi ngobuchwepheshe, isigaba sendabuko "kungani udinga i-DNS?" Ngizoyibeka ekugcineni kokuthunyelwe, kodwa lapha ngizosho izinto eziwusizo kakhulu:
Isetshenziswa kanjani isevisi entsha?
Into elula ukucacisa amakheli eseva ye-DNS angenhla kuklayenti lakho le-DNS (noma njengokukhuphuka komfula kuzilungiselelo zeseva yendawo ye-DNS oyisebenzisayo). Ingabe kunengqondo ukumiselela amanani avamile (8.8.8.8, njll.), noma okuvamile kancane (77.88.8.8 nabanye abafana nabo) kumaseva avela ku-Cloudflare - bazokunqumela, kodwa bakhulumela abaqalayo isivinini sokuphendula, ngokusho ukuthi i-Cloudflare ishesha kunabo bonke abaqhudelana nabo (ngizocacisa: izilinganiso zithathwe isevisi yenkampani yangaphandle, futhi isivinini kuklayenti elithile, ngokuqinisekile, singase sihluke).
Kujabulisa kakhulu ukusebenza ngezindlela ezintsha lapho isicelo sindizela kuseva ngoxhumano olubethelwe (eqinisweni, impendulo ibuyiselwa ngakho), i-DNS-over-TLS eshiwo kanye ne-DNS-over-HTTPS. Ngeshwa, azisekelwa "ngaphandle kwebhokisi" (ababhali bakholelwa ukuthi lokhu "okwamanje"), kodwa akunzima ukuhlela umsebenzi wabo kusofthiwe yakho (noma ngisho naku-hardware yakho):
I-DNS phezu kwe-HTTPs (DoH)
Njengoba igama liphakamisa, ukuxhumana kwenzeka ngesiteshi se-HTTPS, okusho ukuthi
- ukuba khona kwendawo yokufika (indawo yokugcina) - itholakala ekhelini futhi
- iklayenti elingathumela izicelo futhi lithole izimpendulo.
Izicelo zingaba ngefomethi ye-DNS Wireformat echazwe kuyo (ithunyelwe kusetshenziswa izindlela ze-POST ne-GET HTTP), noma ngefomethi ye-JSON (kusetshenziswa indlela ye-GET HTTP). Kimina mathupha, umbono wokwenza izicelo ze-DNS ngezicelo ze-HTTP ubonakale ungalindelekile, kodwa kukhona okusanhlamvu okunengqondo kuwo: isicelo esinjalo sizodlula izinhlelo eziningi zokuhlunga ithrafikhi, izimpendulo zokuhlaziya zilula kakhulu, futhi ukukhiqiza izicelo kulula nakakhulu. Imitapo yolwazi evamile kanye nemithethonqubo inesibopho sokuvikeleka.
Cela izibonelo, ngokuqondile kumadokhumenti:
THOLA isicelo ngefomethi ye-DNS Wireformat
$ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f968700a400)
GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
Host: cloudflare-dns.com
User-Agent: curl/7.54.0
Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
HTTP/2 200
date: Fri, 23 Mar 2018 05:14:02 GMT
content-type: application/dns-udpwireformat
content-length: 49
cache-control: max-age=0
set-cookie: __cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
server: cloudflare-nginx
cf-ray: 3ffe69838a418c4c-SFO-DOG
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031THUMELA isicelo ngefomethi ye-DNS Wireformat
$ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump
{ [49 bytes data]
100 49 100 49 0 0 493 0 --:--:-- --:--:-- --:--:-- 494
* Connection #0 to host cloudflare-dns.com left intact
0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
0000030 22
0000031
Kuyafana kodwa usebenzisa i-JSON
$ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'
{
"Status": 0,
"TC": false,
"RD": true,
"RA": true,
"AD": true,
"CD": false,
"Question": [
{
"name": "example.com.",
"type": 1
}
],
"Answer": [
{
"name": "example.com.",
"type": 1,
"TTL": 1069,
"data": "93.184.216.34"
}
]
}Ngokusobala, i-router yasekhaya engavamile (uma okungenani eyodwa) ingasebenza ne-DNS ngale ndlela, kodwa lokhu akusho ukuthi ukusekelwa ngeke kuvele kusasa - futhi, ngokuthakazelisayo, lapha singakwazi ukusebenzisana ne-DNS ohlelweni lwethu lokusebenza (njengoba kakade , kumaseva we-Cloudflare).
I-DNS nge-TLS
Ngokuzenzakalelayo, imibuzo ye-DNS idluliselwa ngaphandle kokubethela. I-DNS nge-TLS iyindlela yokuzithumela ngoxhumano oluvikelekile. I-Cloudflare isekela i-DNS phezu kwe-TLS ku-port ejwayelekile 853 njengoba kunqunyiwe . Lokhu kusebenzisa isitifiketi esikhishelwe umsingathi we-cloudflare-dns.com, i-TLS 1.2 ne-TLS 1.3 ziyasekelwa.
Ukusungula uxhumano nokusebenza ngokuvumelana nephrothokholi kuhamba kanje:
- Ngaphambi kokusungula uxhumano lwe-DNS, iklayenti ligcina i-base64 efakwe ikhodi ye-SHA256 hash yesitifiketi se-TLS se-cloudflare-dns.com (esibizwa nge-SPKI)
- Iklayenti le-DNS lisungula uxhumano lwe-TCP ku-cloudflare-dns.com:853
- Iklayenti le-DNS liqala ukuxhawulana kwe-TLS
- Ngesikhathi senqubo ye-TLS yokuxhawula, umsingathi we-cloudflare-dns.com wethula isitifiketi sakhe se-TLS.
- Uma uxhumano lwe-TLS selusunguliwe, iklayenti le-DNS lingathumela izicelo ze-DNS ngesiteshi esivikelekile, esivimbela izicelo nezimpendulo ukuthi zilalele futhi zoniwe.
- Yonke imibuzo ye-DNS ethunyelwe ngoxhumo lwe-TLS kufanele ihambisane ne- .
Isibonelo sesicelo nge-DNS nge-TLS:
$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 170 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2347 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-03-31 15:20:57 PDT
;; From 1.1.1.1@853(TCP) in 12.6 msLe nketho ibonakala isebenza kangcono kakhulu kumaseva endawo e-DNS anikezela ngezidingo zenethiwekhi yendawo noma umsebenzisi oyedwa. Yiqiniso, ngokusekelwa izinga akukuhle kakhulu, kodwa - ake sethembe!
Amagama amabili encazelo yokuthi ingxoxo imayelana nani
Isifinyezo esithi DNS simelela Isevisi Yegama Lesizinda (ngakho-ke ukuthi “isevisi ye-DNS” akudingekile ngandlela-thile, isifinyezo sesivele siqukethe igama elithi “isevisi”), futhi sisetshenziselwa ukuxazulula umsebenzi olula - ukuqonda ukuthi igama elithile le-host host linaliphi ikheli. Ngaso sonke isikhathi lapho umuntu echofoza isixhumanisi, noma efaka ikheli kubha yekheli lesiphequluli (isho, into efana nokuthi ""), ikhompuyutha yomuntu izama ukuthola ukuthi iyiphi iseva okufanele ithumele isicelo ukuze ithole okuqukethwe kwekhasi. Endabeni ye-habrahabr.ru, impendulo evela ku-DNS izoqukatha inkomba yekheli le-IP leseva yewebhu: 178.248.237.68, bese isiphequluli sesivele sizame ukuxhumana neseva ngekheli le-IP elishiwo.
Ngokulandelayo, iseva ye-DNS, ngemva kokuthola isicelo sokuthi “lithini ikheli le-IP lomsingathi ogama lakhe lingu-habrahabr.ru?”, inquma ukuthi ingabe kukhona ekwaziyo mayelana nomsingathi oshiwo. Uma kungenjalo, yenza isicelo kwamanye amaseva e-DNS emhlabeni, futhi, isinyathelo ngesinyathelo, izama ukuthola impendulo yombuzo obuziwe. Ngenxa yalokho, lapho uthola impendulo yokugcina, idatha etholakele ithunyelwa kuklayenti esalilindile, futhi igcinwa kunqolobane yeseva ye-DNS ngokwayo, okuzokuvumela ukuthi uphendule umbuzo ofanayo ngokushesha okukhulu ngokuzayo.
Inkinga evamile ukuthi, okokuqala, idatha yombuzo we-DNS idluliselwa ngokucacile (okunikeza noma ubani okwazi ukufinyelela ukuhamba kwethrafikhi ikhono lokuhlukanisa imibuzo ye-DNS kanye nezimpendulo abazitholayo bese bezihlukanisela izinjongo zabo; lokhu kunikeza ikhono lokukhomba izikhangiso ngokunemba kweklayenti le-DNS, okuyinto eningi kakhulu!). Okwesibili, abanye abahlinzeki be-inthanethi (ngeke bakhombe iminwe, kodwa hhayi encane kunazo zonke) bavame ukubonisa izikhangiso esikhundleni sekhasi elilodwa noma elinye eliceliwe (elisetshenziswa kalula: esikhundleni sekheli le-IP elishiwo isicelo somsingathi we-habranabr.ru Ngakho-ke, ikheli leseva yewebhu yomhlinzeki libuyiselwa, lapho ikhasi eliqukethe isikhangiso linikezwa khona). Okwesithathu, kukhona abahlinzeki bokufinyelela ku-inthanethi abasebenzisa indlela yokufeza izidingo zokuvimba amasayithi ngamanye ngokufaka esikhundleni sezimpendulo ezifanele ze-DNS mayelana namakheli e-IP wezinsiza zewebhu ezivinjiwe ngekheli le-IP leseva yabo equkethe amakhasi we-stub (ngenxa yalokho, ukufinyelela amasayithi anjalo ayinkimbinkimbi kakhulu), noma ekhelini leseva elibamba lakho elenza ukuhlunga.
Lokhu kufanele kube isithombe esivela kusayithi. , esetshenziselwa ukuchaza ukuxhumana nesevisi. Ababhali babonakala beqiniseka kakhulu ngekhwalithi ye-DNS yabo (noma kunjalo, kunzima ukulindela noma yini enye ku-Cloudflare):
Umuntu angaqonda ngokugcwele i-Cloudflare, umdali wesevisi: bathola isinkwa sabo ngokugcina nokuthuthukisa enye yamanethiwekhi e-CDN aziwa kakhulu emhlabeni (okuyinto imisebenzi engabandakanyi nje ukusabalalisa okuqukethwe, kodwa futhi nokubamba izindawo ze-DNS), futhi, ngenxa isifiso salabo, ongazi kahle, bafundise labo abangabazi,kulokho lapho okumele baye khona kunethiwekhi yomhlaba, imvamisa ihlushwa ukuvimba amakheli eziphakeli zabo masingasho ukuthi ubani - ngakho-ke ukuba ne-DNS engathinteki "ukumemeza, amakhwela nokubhala" enkampanini kusho ukulimala okuncane ebhizinisini labo. Futhi izinzuzo zobuchwepheshe (i-trifle, kodwa enhle: ikakhulukazi, kumakhasimende e-DNS Cloudflare yamahhala, ukuvuselela amarekhodi e-DNS ezinsiza ezisingathwa kumaseva e-DNS enkampani kuzoba khona manjalo) kwenza ukusebenzisa isevisi echazwe kokuthunyelwe kuthakazelise nakakhulu.
Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. , wamukelekile.
Ingabe uzosebenzisa isevisi entsha?
-
Yebo, ngokumane uyicacise ku-OS kanye / noma ku-router
-
Yebo, futhi ngizosebenzisa izivumelwano ezintsha (i-DNS phezu kwe-HTTP ne-DNS nge-TLS)
-
Cha, nginamaseva amanje anele (lona umhlinzeki womphakathi: i-Google, i-Yandex, njll.)
-
Cha, angazi nokuthi ngisebenzisani njengamanje
-
Ngisebenzisa i-DNS yami ephindaphindayo ngomhubhe we-SSL kubo
693 abasebenzisi abavotile. Umsebenzisi ongu-191 uyekile.
Source: www.habr.com