DoT (DNS over TLS) & DoH (DNS over HTTPS) via curl & kdig
If I have made a mistake, feel free to point it out.
Intro to DNS
DNS (Plain Text Over UDP)
Well Also Over TCP But Still Plain Text
I love the Cloudflare documentation, and it covers most of this quite simply.
https://www.cloudflare.com/learning/dns/what-is-dns/
DNSSEC (Security Extn But Still Plain Text)
Still plain text over UDP (or TCP), but the records are signed by the zone owner, so a validating resolver can verify that they are authentic and unmodified. DNSSEC gives integrity and origin authentication, not confidentiality: anyone on the path still sees which names you look up.
https://www.cloudflare.com/learning/dns/dns-security/
And Then Comes Security(Encryption) DOT & DOH
Here the plain text becomes encrypted text: the query and the response travel inside TLS (DoT, port 853) or HTTPS (DoH, port 443), so an on-path observer only sees that you are talking to the resolver, not which names you look up.
[DoT] https://www.cloudflare.com/learning/dns/dns-over-tls/
Cloudflare's detailed explanation and practical view:
[DoT] https://developers.cloudflare.com/1.1.1.1/dns-over-tls
[DoH] https://developers.cloudflare.com/1.1.1.1/dns-over-https
I have captured a practical view of how it looks and how you can try each one from the CLI using curl and kdig.
For more details on how to achieve it via Cloudflare, see https://developers.cloudflare.com/1.1.1.1/dns-over-tls (DoT) and the DoH page linked above. Let's start with the practical view.
CURL
DOH (DNS over HTTPS)
Prerequisite for a DoH query with curl:
curl 7.62.0 or later (the --doh-url option was added in 7.62.0; the log below is from curl/7.68.0)
So basically, as below: because DoH runs over HTTPS, curl first needs the IP of the DoH resolver itself (cloudflare-dns.com), and it gets that from the ordinary system resolver, in plain text (that is the "Hostname 'cloudflare-dns.com' was found in DNS cache" line in the log). It then connects to https://cloudflare-dns.com/dns-query, sends the A and AAAA queries for www.google.com inside that HTTPS connection (the two POST /dns-query requests), and only after fetching the IP does it connect to www.google.com. Caveat: that bootstrap lookup of the resolver's own name still leaks over plain DNS. To avoid it, pin the address with --resolve cloudflare-dns.com:443:104.16.249.249 (the IP seen in the log), or point --doh-url at the resolver's IP, e.g. https://1.1.1.1/dns-query, which Cloudflare also serves.
A simple curl:
(-v => verbose)
(-I => HEAD request, fetch headers only)
(--doh-url => URL of the DoH resolver that curl sends its DNS queries to over HTTPS, here https://cloudflare-dns.com/dns-query)
$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com
Verbose output:
* Found bundle for host cloudflare-dns.com: 0x7fffe56ebe80 [serially]
* Server doesn't support multiplex (yet)
* Trying 104.16.249.249:443...
* TCP_NODELAY set
* Hostname 'cloudflare-dns.com' was found in DNS cache
* Trying 104.16.249.249:443...
* TCP_NODELAY set
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
* start date: Jan 28 00:00:00 2019 GMT
* expire date: Feb 1 12:00:00 2021 GMT
* subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56e5290)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32
* We are completely uploaded and fine
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
* start date: Jan 28 00:00:00 2019 GMT
* expire date: Feb 1 12:00:00 2021 GMT
* subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56df9e0)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32
* We are completely uploaded and fine
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 74
< access-control-allow-origin: *
< cf-request-id: 04e15902c60000de8edb16a200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab13b45de8e-BLR
<
* Connection #1 to host cloudflare-dns.com left intact
* a DOH request is completed, 1 to go
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 62
< access-control-allow-origin: *
< cf-request-id: 04e15902d60000deb22981d200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab15b01deb2-BLR
<
* Connection #0 to host cloudflare-dns.com left intact
* a DOH request is completed, 0 to go
----- DOH Response [Starts] -----
* DOH Host name: www.google.com
* TTL: 43 seconds
* DOH A: 172.217.160.164
* DOH AAAA: 2404:6800:4009:080a:0000:0000:0000:2004
----- DOH Response [Ends] -----
* Trying 172.217.160.164:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.160.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: Aug 11 08:59:33 2020 GMT
* expire date: Nov 3 08:59:33 2020 GMT
* subjectAltName: host "www.google.com" matched cert's "www.google.com"
* issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56bfaa0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Sun, 30 Aug 2020 14:22:56 GMT
date: Sun, 30 Aug 2020 14:22:56 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Sun, 30 Aug 2020 14:22:56 GMT
expires: Sun, 30 Aug 2020 14:22:56 GMT
< cache-control: private
cache-control: private
< set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host www.google.com left intact
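What curl's --doh-url actually sends, as an added example that is not part of the original post: a Python rebuild of the 32-byte application/dns-message body seen in the log (content-length: 32), the RFC 8484 GET form, and a parser for the answer. The doh_query() helper is my own addition and needs network access; SAMPLE_RESPONSE is a constructed message carrying the A record and TTL from the log, not bytes captured from Cloudflare. Only the standard library is used.

```python
"""DoH wire format (RFC 8484), as curl uses it with --doh-url: the query body
is a plain DNS message, POSTed as application/dns-message (or base64url in
?dns= for GET). Added example (not from the original post); stdlib only."""
import base64
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query (RFC 1035, no EDNS). RFC 8484 4.1 recommends ID 0 so
    HTTP caches can match identical queries; this layout gives the 32-byte body."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """GET form: base64url-encoded message without '=' padding in the dns parameter."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it in the stream).
    Pointer hops are capped so a malicious message cannot loop the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer section; A and AAAA rdata are rendered as text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            data = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:
            data = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def doh_query(name: str, resolver_url: str = "https://cloudflare-dns.com/dns-query",
              qtype: int = 1) -> dict:
    """Live POST, the same exchange curl's --doh-url performs (needs network access).
    The resolver hostname itself is still looked up by the system resolver."""
    req = urllib.request.Request(
        resolver_url, data=build_query(name, qtype), method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample answer (not bytes captured from Cloudflare): echoes the
# question and returns the A record and TTL that appear in the curl log above.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 43, 4) + bytes([172, 217, 160, 164])
)

if __name__ == "__main__":
    query = build_query("www.google.com")
    print(len(query), "byte body;", doh_get_url("https://cloudflare-dns.com/dns-query", query))
    print(parse_response(SAMPLE_RESPONSE))
```

doh_query() uses POST like curl did; the GET form from doh_get_url() is the cache-friendly variant in RFC 8484, which is also why the transaction ID is fixed at 0. The hop cap in _read_name() is the check a practitioner wants in any DNS parser that consumes untrusted messages.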
DOT (DNS over TLS)
Prerequisite
DoT query using kdig (kdig ships in Knot DNS's knot-dnsutils package):
$ apt install knot-dnsutils
$ kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com google.com
(-d => debug output, which prints the TLS handshake details and the certificate chain)
(@1.1.1.1 => the resolver to query)
(+tls-host=cloudflare-dns.com => enable TLS, switch to port 853 and validate the server certificate against this hostname; the full option name documented in the kdig man page is +tls-hostname)
Verbose output:
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33976
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 409 B
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 101 IN A 216.58.193.78
;; Received 468 B
;; Time 2020-12-30 02:36:00 UTC
;; From 1.1.1.1@853(TCP) in 9.6 ms
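What kdig did under the hood, as an added example that is not part of the original post: the RFC 7858 transport (each DNS message prefixed by a 16-bit length inside TLS to port 853) and the SPKI SHA-256 pin that kdig printed as "SHA-256 PIN" and that +tls-pin=... can enforce. dot_query() is my own helper and needs network access; SAMPLE_CERT is a constructed stand-in with the X.509 field layout, not a real certificate, so the pin computed from it is not Cloudflare's. Standard library only.

```python
"""DoT transport (RFC 7858), as kdig used it above: TLS to port 853, each DNS
message prefixed with a 16-bit length, plus the SPKI pin kdig prints.
Added example (not from the original post); standard library only."""
import base64
import hashlib
import socket
import ssl
import struct


def frame(message: bytes) -> bytes:
    """Length-prefix one DNS message for TCP/TLS (RFC 1035 4.2.2, RFC 7858 3.3)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def unframe(stream: bytes) -> list:
    """Split a byte stream into complete DNS messages; a trailing partial one is left out."""
    messages, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + length > len(stream):
            break
        messages.append(stream[off + 2:off + 2 + length])
        off += 2 + length
    return messages


def _tlv(data: bytes, offset: int):
    """Read one DER TLV (short or long-form length); return (tag, value, next_offset)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 DER certificate (RFC 5280 4.1)."""
    _, cert, _ = _tlv(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)             # tbsCertificate SEQUENCE
    off = 0
    if tbs[0] == 0xA0:                    # optional explicit [0] version
        _, _, off = _tlv(tbs, off)
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(tbs, off)
    _, _, end = _tlv(tbs, off)            # subjectPublicKeyInfo
    return tbs[off:end]


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI DER)): the RFC 7469 pin format, shown by kdig as 'SHA-256 PIN'."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def dot_query(message: bytes, server: str = "1.1.1.1", tls_hostname: str = "cloudflare-dns.com",
              expected_pin: str = None, timeout: float = 5.0) -> bytes:
    """Send one DNS message over TLS to port 853 and return the response (needs network)."""
    ctx = ssl.create_default_context()    # chain validation + hostname check, like kdig's default
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            pin = spki_pin(extract_spki(tls.getpeercert(binary_form=True)))
            if expected_pin is not None and pin != expected_pin:
                raise ssl.SSLError(f"SPKI pin mismatch: server presented {pin}")
            tls.sendall(frame(message))
            buf = b""
            while not unframe(buf):       # keep reading until one full message has arrived
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection before answering")
                buf += chunk
            return unframe(buf)[0]


def der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder used only to build the constructed sample certificate below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + struct.pack("!H", len(body)) + body


# Constructed stand-in certificate: RFC 5280 field order with dummy contents.
# It is not a real certificate, so the pin computed from it is not Cloudflare's.
SAMPLE_SPKI = der(0x30, der(0x30, b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01") + b"\x03\x03\x00\x04\x01")
SAMPLE_CERT = der(0x30,
    der(0x30, der(0xA0, b"\x02\x01\x02") + der(0x02, b"\x01") + der(0x30, b"")
        + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + SAMPLE_SPKI)
    + der(0x30, b"") + b"\x03\x01\x00")
```

To make kdig enforce the pin instead of printing "skipping certificate PIN check", pass +tls-pin=<base64> with the value it printed for the leaf certificate. Pins go stale when the resolver rotates keys (the Cloudflare certificate in the curl log above expires on Feb 1 2021), so keep a backup pin or rely on CA validation plus the hostname check for anything long-lived.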
Reference
This article (DoT (DNS over TLS) & DoH (DNS over HTTPS) via curl & kdig) was collected from https://dev.to/aashishrbhandari/dot-doh-learning-47fj, where more information can be found. The text may be freely shared or copied, but please keep that URL as the reference URL.
Collection and Share based on the CC Protocol