[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-12483-1.html)
[#]: subject: (Use DNS over TLS)
[#]: via: (https://fedoramagazine.org/use-dns-over-tls/)
[#]: author: (Thomas Bianchi https://fedoramagazine.org/author/thobianchi/)

Use DNS over TLS
======

![][1]

The [Domain Name System (DNS)][2] that modern computers use to find resources on the internet was designed [35 years ago][3] without user privacy in mind. It is exposed to security risks and attacks such as [DNS hijacking][4], and it lets an [ISP][5] intercept queries.

Fortunately, two technologies now address this: [DNS over TLS][6] and [DNSSEC][7]. Together they allow a secure, encrypted end-to-end tunnel to be established between a computer and its configured DNS server. On Fedora, deploying them takes only a few steps, and all the necessary tools are readily available.

This guide demonstrates how to configure DNS over TLS on Fedora using `systemd-resolved`. For more information about the `systemd-resolved` service, see the [documentation][8].

### Step 1: Set up systemd-resolved

Modify `/etc/systemd/resolved.conf` so that it looks similar to the example below. Make sure DNS over TLS is enabled and configure the IP addresses of the DNS servers you want to use.

```
$ cat /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
```

A brief explanation of the options:

* `DNS`: a space-separated list of IPv4 and IPv6 addresses to use as the system DNS servers.
* `FallbackDNS`: a space-separated list of IPv4 and IPv6 addresses to use as fallback DNS servers.
* `Domains`: these domains are used as search suffixes when resolving single-label host names. `~.` means that the system DNS servers defined in `DNS=` are preferred for all domains.
* `DNSOverTLS`: if enabled, all connections to the server are encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate for its IP.

> Note: the DNS servers listed in the example above are my personal choice. You should decide which DNS servers you want to use. Be mindful of whom you are asking for IPs.

### Step 2: Tell NetworkManager to push information to systemd-resolved

Create a file named `10-dns-systemd-resolved.conf` in `/etc/NetworkManager/conf.d`.

```
$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved
```

The setting above (`dns=systemd-resolved`) makes `NetworkManager` push the DNS information obtained from DHCP to the `systemd-resolved` service. This overrides the DNS settings configured in *Step 1*. That is fine on a trusted network, but you can also set `dns=none` so that the DNS servers configured in `/etc/systemd/resolved.conf` are used instead.

### Step 3: Start and restart services

For the configuration from the steps above to take effect, start and enable the `systemd-resolved` service, then restart the `NetworkManager` service.

Note: the connection is interrupted for a few seconds while `NetworkManager` restarts.

```
$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager
```

> Note: currently, the systemd-resolved service is disabled by default and is opt-in. [There are plans][9] to enable systemd-resolved by default in Fedora 33.

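As an added example that is not part of the article, the POSIX shell script below checks whether a `resolved.conf` and a NetworkManager `conf.d` file, taken together, enforce strict DNS over TLS and DNSSEC as configured in Steps 1 and 2, and flags the `dns=systemd-resolved` caveat from Step 2. The sample files it inspects are constructed inside the script, and the function names `ini_value` and `check_dot` are my own.

```shell
#!/bin/sh
# Added example, not from the article: check whether resolved.conf and a
# NetworkManager conf.d file together enforce strict DNS over TLS + DNSSEC.
# The sample files below are constructed here so the script runs offline.

# Print the effective value of KEY ($2) in the ini-style FILE ($1).
# Commented-out lines such as "#DNSOverTLS=yes" never match; if the key
# appears more than once the last live assignment is returned.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_dot RESOLVED_CONF NM_CONF: returns 0 only for strict DoT + DNSSEC
# with static servers, 1 otherwise, printing the reason for each failure.
check_dot() {
    rc=0
    case "$(ini_value "$1" DNSOverTLS)" in
        yes) ;;
        opportunistic) echo "DNSOverTLS=opportunistic allows plaintext fallback"; rc=1 ;;
        *) echo "DNSOverTLS is not set to yes"; rc=1 ;;
    esac
    [ "$(ini_value "$1" DNSSEC)" = yes ] || { echo "DNSSEC is not set to yes"; rc=1; }
    [ -n "$(ini_value "$1" DNS)" ] || { echo "no DNS= servers configured"; rc=1; }
    # Step 2 caveat: dns=systemd-resolved lets DHCP-supplied servers override
    # the static DNS= list; dns=none keeps resolved.conf authoritative.
    [ "$(ini_value "$2" dns)" = none ] ||
        echo "warning: NetworkManager pushes DHCP DNS servers to systemd-resolved"
    return $rc
}

tmp=$(mktemp -d)
cat > "$tmp/resolved-good.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
EOF
cat > "$tmp/resolved-bad.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1
#DNSOverTLS=yes
DNSSEC=allow-downgrade
EOF
printf '[main]\ndns=none\n' > "$tmp/nm-none.conf"
printf '[main]\ndns=systemd-resolved\n' > "$tmp/nm-resolved.conf"

if check_dot "$tmp/resolved-good.conf" "$tmp/nm-none.conf"; then echo "good: strict DoT"; fi
if ! check_dot "$tmp/resolved-bad.conf" "$tmp/nm-resolved.conf"; then echo "bad: not strict"; fi
```

Point the two arguments at `/etc/systemd/resolved.conf` and your `/etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf` to check a live system.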
### Step 4: Check that everything works

You should now be using DNS over TLS. Confirm this by checking the DNS resolution status:

```
$ resolvectl status
MulticastDNS setting: yes
  DNSOverTLS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      9.9.9.9
Fallback DNS Servers: 8.8.8.8
                      1.0.0.1
                      8.8.4.4
```

`/etc/resolv.conf` should point to `127.0.0.53`.

```
$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
```

To see the address and port on which `systemd-resolved` sends and receives secure queries, run:

```
$ sudo ss -lntp | grep '\(State\|:53 \)'
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
LISTEN   0        4096     127.0.0.53%lo:53     0.0.0.0:*           users:(("systemd-resolve",pid=10410,fd=18))
```

To perform a secure query, run:

```
$ resolvectl query fedoraproject.org
fedoraproject.org: 8.43.85.67 -- link: wlp58s0
                   8.43.85.73 -- link: wlp58s0

[..]

-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes
```

### Bonus step 5: Verify the configuration with Wireshark

First, install and run [Wireshark][10]:

```
$ sudo dnf install wireshark
$ sudo wireshark
```

It will ask which device to capture packets on. In my case I use `wlp58s0`, since I am on a wireless interface. Set the filter `tcp.port == 853` in Wireshark (853 is the DNS over TLS port). Before capturing DNS queries, you need to flush the local DNS cache:

```
$ sudo resolvectl flush-caches
```

Now run:

```
$ nslookup fedoramagazine.org
```

You should see the TLS-encrypted exchange between your computer and the configured DNS server:

![][11]

--------------------------------------------------------------------------------

via: https://fedoramagazine.org/use-dns-over-tls/

Author: [Thomas Bianchi][a]
Topic selection: [lujun9972][b]
Translator: [geekpi](https://github.com/geekpi)
Proofreader: [wxy](https://github.com/wxy)

This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux China](https://linux.cn/)

[a]: https://fedoramagazine.org/author/thobianchi/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2020/06/use-dns-over-tls-816x345.jpg
[2]: https://en.wikipedia.org/wiki/Domain_Name_System
[3]: https://tools.ietf.org/html/rfc1035
[4]: https://en.wikipedia.org/wiki/DNS_hijacking
[5]: https://en.wikipedia.org/wiki/Internet_service_provider
[6]: https://en.wikipedia.org/wiki/DNS_over_TLS
[7]: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
[8]: https://www.freedesktop.org/wiki/Software/systemd/resolved/
[9]: https://fedoraproject.org/wiki/Changes/systemd-resolved
[10]: https://www.wireshark.org/
[11]: https://fedoramagazine.org/wp-content/uploads/2020/06/1-1024x651.png