Forwarding DNS to Cloudflare: DNS over TLS via CoreDNS


As an example, I am trying to set up secure DNS forwarding over TLS to Cloudflare's resolvers. I am using CoreDNS 1.5.0 (the latest version), and my configuration is as follows:

# CoreDNS Configuration

.:53 {
  forward . tls://1.1.1.1 tls://1.0.0.1 {
    tls_servername tls.cloudflare-dns.com
    policy sequential
    health_check 5s
  }

  log
}
I make a request like this:

root@8ef125545369:/# dig @127.0.0.1 google.com

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49802
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 090b0d7fadcdd8bb (echoed)
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 08 19:29:30 UTC 2019
;; MSG SIZE  rcvd: 51
Clearly CoreDNS is receiving the request, but I cannot determine why it fails. My image is ubuntu:bionic with ca-certificates installed. I can also connect to 1.1.1.1:443 with openssl s_client without any problem.

Am I missing something when setting up DNS-over-TLS forwarding from CoreDNS to Cloudflare's resolvers?


EDIT
I have tested it on the host OS, outside the Docker container, and I see the same behaviour, i.e. it does not work.

I tested it again by running it in Travis CI, and there it worked; apparently my corporate firewall does not like DNS over TLS.

I was able to verify this by installing knot dnsutils (on Ubuntu 18.04) and trying to query Cloudflare directly:

$ kdig -d @1.0.0.1 +tls-ca +tls-host=cloudflare-dns.com google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.0.0.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 133 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; WARNING: TLS, handshake failed (Error in the pull function.)
This is what happens when querying from the corporate network. From Travis CI I see:

;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 133 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 59442
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 69 B
;; QUESTION SECTION:
;; google.com.              IN  A
;; ANSWER SECTION:
google.com.             156 IN  A   172.217.5.14
;; Received 128 B
;; Time 2019-04-09 22:03:18 UTC
;; From 1.1.1.1@853(TCP) in 12.8 ms
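As an added example (not from the original question or from CoreDNS itself): a small Python DNS-over-TLS probe that repeats the kdig check above in code. It connects to port 853, validates the server certificate against the system CA store for the given SNI name (what CoreDNS's tls_servername option does), sends an A query with the 2-byte length prefix that DNS over TCP/TLS requires, and reports the RCODE, so a TCP failure (port 853 blocked by a firewall) can be told apart from a TLS certificate or handshake failure and from a DNS-level SERVFAIL. The function names are my own.

```python
import socket
import ssl
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query in RFC 1035 wire format with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """DNS over TCP/TLS prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def parse_rcode(msg):
    """Name the RCODE in the low four bits of the header flags word."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS stream early")
        buf += chunk
    return buf

def dot_query(server, sni, name, timeout=5.0):
    """Send one A query to server:853 over TLS, validating the certificate
    against the system CA store for `sni` (as CoreDNS tls_servername does),
    and return the RCODE name. TCP and TLS failures raise."""
    ctx = ssl.create_default_context()  # system CAs + hostname check
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_rcode(_recv_exact(tls, length))

if __name__ == "__main__":
    try:
        print(dot_query("1.1.1.1", "cloudflare-dns.com", "google.com"))
    except ssl.SSLError as e:
        print("TLS stage failed (certificate or handshake):", e)
    except OSError as e:
        print("TCP stage failed (is port 853 reachable?):", e)
```

Run it from the corporate network and from a host where kdig succeeds: the first will report the TCP or TLS stage failing, the second prints NOERROR.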