document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-26 21:30:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

translated

Browse Source
This commit is contained in:
geekpi 2020-07-29 08:31:42 +08:00
parent 5cb9394945
commit 69647f1fbc
2 changed files with 175 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

175
sources/tech/20200710 Use DNS over TLS.md
View File

@ -1,175 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Use DNS over TLS)
[#]: via: (https://fedoramagazine.org/use-dns-over-tls/)
[#]: author: (Thomas Bianchi https://fedoramagazine.org/author/thobianchi/)
Use DNS over TLS
======
![][1]
The [Domain Name System (DNS)][2] that modern computers use to find resources on the internet was designed [35 years ago][3] without consideration for user privacy. It is exposed to security risks and attacks like [DNS Hijacking][4]. It also allows [ISPs][5] to intercept the queries.
Luckily, [DNS over TLS][6] and [DNSSEC][7] are available. DNS over TLS and DNSSEC allow safe and encrypted end-to-end tunnels to be created from a computer to its configured DNS servers. On Fedora, the steps to implement these technologies are easy and all the necessary tools are readily available.
This guide will demonstrate how to configure DNS over TLS on Fedora using systemd-resolved. Refer to the [documentation][8] for further information about the systemd-resolved service.
### Step 1 : Set-up systemd-resolved
Modify _/etc/systemd/resolved.conf_ so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.
```
$ cat /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
```
A quick note about the options:
* **DNS**: A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers
* **FallbackDNS**: A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
* **Domains**: These domains are used as search suffixes when resolving single-label host names, _~._ stand for use the system DNS server defined with DNS= preferably for all domains.
* **DNSOverTLS:** If true all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate for its IP.
> _NOTE: The DNS servers listed in the above example are my personal choices. You should decide which DNS servers you want to use; being mindful of whom you are asking IPs for internet navigation_.
### Step 2 : Tell NetworkManager to push info to systemd-resolved
Create a file in _/etc/NetworkManager/conf.d_ named _10-dns-systemd-resolved.conf_.
```
$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved
```
The setting shown above (_dns=systemd-resolved_) will cause NetworkManager to push DNS information acquired from DHCP to the systemd-resolved service. This will override the DNS settings configured in _Step 1_. This is fine on a trusted network, but feel free to set _dns=none_ instead to use the DNS servers configured in _/etc/systemd/resolved.conf_.
### Step 3 : start & restart services
To make the settings configured in the previous steps take effect, start and enable _systemd-resolved_. Then restart _NetworkManager_.
**CAUTION**: This will lead to a loss of connection for a few seconds while NetworkManager is restarting.
```
$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager
```
> _NOTE: Currently, the systemd-resolved service is disabled by default and its use is opt-in. [There are plans][9] to enable systemd-resolved by default in Fedora 33._
### Step 4 : Check if everything is fine
Now you should be using DNS over TLS. Confirm this by checking DNS resolution status with:
```
$ resolvectl status
MulticastDNS setting: yes
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
9.9.9.9
Fallback DNS Servers: 8.8.8.8
1.0.0.1
8.8.4.4
```
/etc/resolv.conf should point to 127.0.0.53
```
$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
```
To see the address and port that systemd-resolved is sending and receiving secure queries on, run:
```
$ sudo ss -lntp | grep '\(State\|:53 \)'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=10410,fd=18))
```
To make a secure query, run:
```
$ resolvectl query fedoraproject.org
fedoraproject.org: 8.43.85.67 -- link: wlp58s0
8.43.85.73 -- link: wlp58s0
[..]
-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes
```
### BONUS Step 5 : Use Wireshark to verify the configuration
First, install and run [Wireshark][10]:
```
$ sudo dnf install wireshark
$ sudo wireshark
```
It will ask you which link device it have to begin capturing packets on. In my case, because I use a wireless interface, I will go ahead with _wlp58s0_. Set up a filter in Wireshark like _tcp.port == 853_ (853 is the DNS over TLS protocol port). You need to flush the local DNS caches before you can capture a DNS query:
```
$ sudo resolvectl flush-caches
```
Now run:
```
$ nslookup fedoramagazine.org
```
You should see a TLS-encryped exchange between your computer and your configured DNS server:
![][11]
_Poster in Cover Image Approved for Release by NSA on 04-17-2018, FOIA Case # 83661_
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/use-dns-over-tls/
作者:[Thomas Bianchi][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/thobianchi/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2020/06/use-dns-over-tls-816x345.jpg
[2]: https://en.wikipedia.org/wiki/Domain_Name_System
[3]: https://tools.ietf.org/html/rfc1035
[4]: https://en.wikipedia.org/wiki/DNS_hijacking
[5]: https://en.wikipedia.org/wiki/Internet_service_provider
[6]: https://en.wikipedia.org/wiki/DNS_over_TLS
[7]: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
[8]: https://www.freedesktop.org/wiki/Software/systemd/resolved/
[9]: https://fedoraproject.org/wiki/Changes/systemd-resolved
[10]: https://www.wireshark.org/
[11]: https://fedoramagazine.org/wp-content/uploads/2020/06/1-1024x651.png

175
translated/tech/20200710 Use DNS over TLS.md Normal file
View File

@ -0,0 +1,175 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Use DNS over TLS)
[#]: via: (https://fedoramagazine.org/use-dns-over-tls/)
[#]: author: (Thomas Bianchi https://fedoramagazine.org/author/thobianchi/)
使用 DNS over TLS
======
![][1]
现代计算机用来在互联网种查找资源的[域名系统 DNS][2] 是在 [35 年前][3]设计的,而没有考虑用户隐私。它会面临安全风险和攻击,例如 [DNS 劫持][4]。它还能让 [ISP][5] 拦截查询。
幸运的是,现在有 [DNS over TLS][6] 和 [DNSSEC][7] 可用。DNS over TLS 和 DNSSEC 允许创建从计算机到它配置的 DNS 服务器的安全且加密的端到端隧道。在 Fedora 上,部署这些技术的步骤很容易,并且所有必要的工具也很容易获得。
本指南将演示如何使用 systemd-resolved 在 Fedora 上配置 DNS over TLS。有关 systemd-resolved 服务的更多信息,请参见[文档][8]。
### 步骤 1设置 Step 1 : Set-up systemd-resolved
修改 _/etc/systemd/resolved.conf_,类似于下面所示。确保启用 DNS over TLS 并配置要使用的 DNS 服务器的 IP 地址。
```
$ cat /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
```
关于选项的简要说明:
* **DNS**:以空格分隔的 IPv4 和 IPv6 地址列表,用作系统 DNS 服务器
* **FallbackDNS**:以空格分隔的 IPv4 和 IPv6 地址列表,用作后备 DNS 服务器。
* **Domains**:在解析单标签主机名时,这些域名用于搜索后缀。 _~._ 代表对于所有域名,优先使用 DNS= 定义的系统 DNS 服务器。
* **DNSOverTLS**:如果启用,那么将加密与服务器的所有连接。请注意,此模式要求 DNS 服务器支持 DNS-over-TLS并具有其 IP 的有效证书。
> _注意上面示例中列出的 DNS 服务器是我个人的选择。你要确定要使用的 DNS 服务器。要注意你要向谁请求 IP_
### 步骤 2告诉 NetworkManager 将信息推给 systemd-resolved
_/etc/NetworkManager/conf.d_ 中创建一个名为 _10-dns-systemd-resolved.conf_ 的文件。
```
$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved
```
上面的设置_dns=systemd-resolved_让 NetworkManager 将从 DHCP 获得的 DNS 信息推送到 systemd-resolved 服务。这将覆盖_步骤 1_ 中配置的 DNS 设置。这在受信任的网络中没问题,但是可以设置 _dns=none_ 从而使用 _/etc/systemd/resolved.conf_ 中配置的 DNS 服务器。
### 步骤 3 启动和重启服务
若要使上述步骤中的配置生效,请启动并启用 _systemd-resolved_。然后重启 _NetworkManager_
**注意**:在 NetworkManager 重启时,连接会中断几秒钟。
```
$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager
```
> _注意目前systemd-resolved 服务默认处于禁用状态,并且是计划使用的。[这有个方案][33]可在 Fedora 33 中默认启用systemd-resolved。_
### 步骤 4检查是否一切正常
现在,你应该在使用 DNS over TLS。检查 DNS 解析状态来确认这一点:
```
$ resolvectl status
MulticastDNS setting: yes
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
9.9.9.9
Fallback DNS Servers: 8.8.8.8
1.0.0.1
8.8.4.4
```
/etc/resolv.conf 应该指向 127.0.0.53
```
$ cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
```
若要查看 systemd-resolved 发送和接收安全查询的地址和端口,请运行:
```
$ sudo ss -lntp | grep '\(State\|:53 \)'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=10410,fd=18))
```
若要进行安全查询,请运行:
```
$ resolvectl query fedoraproject.org
fedoraproject.org: 8.43.85.67 -- link: wlp58s0
8.43.85.73 -- link: wlp58s0
[..]
-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes
```
### 额外步骤 5使用 Wireshark 验证配置
首先,安装并运行 [Wireshark][10]
```
$ sudo dnf install wireshark
$ sudo wireshark
```
它会询问你在哪个设备上捕获数据包。在我这里,因为我使用无线接口,我用的是 _wlp58s0_。在 Wireshark 中设置筛选器_tcp.port == 853_853 是 DNS over TLS 协议端口)。在捕获 DNS 查询之前,你需要刷新本地 DNS 缓存:
```
$ sudo resolvectl flush-caches
```
现在运行:
```
$ nslookup fedoramagazine.org
```
你应该会看到你的计算机和配置的 DNS 服务器之间的 TLS 加密交换:
![][11]
_Poster in Cover Image Approved for Release by NSA on 04-17-2018, FOIA Case # 83661_
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/use-dns-over-tls/
作者:[Thomas Bianchi][a]
选题:[lujun9972][b]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/thobianchi/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2020/06/use-dns-over-tls-816x345.jpg
[2]: https://en.wikipedia.org/wiki/Domain_Name_System
[3]: https://tools.ietf.org/html/rfc1035
[4]: https://en.wikipedia.org/wiki/DNS_hijacking
[5]: https://en.wikipedia.org/wiki/Internet_service_provider
[6]: https://en.wikipedia.org/wiki/DNS_over_TLS
[7]: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
[8]: https://www.freedesktop.org/wiki/Software/systemd/resolved/
[9]: https://fedoraproject.org/wiki/Changes/systemd-resolved
[10]: https://www.wireshark.org/
[11]: https://fedoramagazine.org/wp-content/uploads/2020/06/1-1024x651.png