19 KiB
title | icon |
---|---|
DNS 簡介 | material/dns |
The Domain Name System is the 'phonebook of the Internet'. DNS 將網域名稱轉換為 IP 位址,以便瀏覽器和其他服務可以通過分散的伺服器網路載入網路資源。
什麼是 DNS?
當您訪問一個網站時,會傳回一個數字地址。 For example, when you visit privacyguides.org
, the address 192.98.54.105
is returned.
DNS 從網際網路的 早期 就存在了。 來往 DNS 伺服器的 DNS 請求通常 不是 加密的。 一般家用的網路中,客戶的伺服器通常是由 ISP 透過 DHCP給予的。
Unencrypted DNS requests are able to be easily surveilled and modified in transit. In some parts of the world, ISPs are ordered to do primitive DNS filtering. 當您要求被封鎖網域的IP位址時,伺服器可能不會回應,或可能會使用其他IP位址回應。 由於DNS通訊協定沒有加密, ISP (或任何網路營運商)可以使用 DPI 來監控請求。 網路服務供應商也可以根據共同特徵封鎖請求,無論你使用哪種 DNS 伺服器。 未加密的 DNS 總是使用 53 號端口 ,並且總是使用UDP。
接下來,我們將討論並提供一個教程來證明外部觀察者可以使用普通的未加密 DNS 和 加密 DNS 看到什麼。
未加密的 DNS
-
使用
tshark
( Wireshark 項目的一部分) ,我們可以監控和記錄網路封包的傳輸。 This command records packets that meet the rules specified:tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
-
We can then use
dig
(Linux, MacOS etc) ornslookup
(Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.=== "Linux, macOS"
``` dig +noall +answer privacyguides.org @1.1.1.1 dig +noall +answer privacyguides.org @8.8.8.8 ```
=== "Windows"
``` nslookup privacyguides.org 1.1.1.1 nslookup privacyguides.org 8.8.8.8 ```
-
Next, we want to analyse the results:
=== "Wireshark"
``` wireshark -r /tmp/dns.pcap ```
=== "tshark"
``` tshark -r /tmp/dns.pcap ```
如果執行上面的 Wireshark 命令,頂部窗格會顯示「frame」,底部窗格會顯示所選框架的所有資料。 企業過濾和監控解決方案(例如政府購買的解決方案)可以自動執行此過程,而無需人工交互,並且可以聚合這些框架以產生對網路觀察者有用的統計數據。
No. | Time | Source | Destination | Protocol | Length | Info |
---|---|---|---|---|---|---|
1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT |
2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
An observer could modify any of these packets.
什麼是「加密後的 DNS」 ?
加密 DNS 可以引用許多協議之一,最常見的是:
DNSCrypt
DNSCrypt 是第一種查詢加密 DNS 的方法之一。 DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the Internet Engineering Task Force (IETF) nor has it gone through the Request for Comments (RFC) process, so it has not been used widely outside of a few implementations. As a result, it has been largely replaced by the more popular DNS over HTTPS.
DNS over TLS (DoT)
DNS over TLS is another method for encrypting DNS communication that is defined in RFC 7858. Support was first implemented in Android 9, iOS 14, and on Linux in systemd-resolved in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a complex protocol and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
DNS over HTTPS (DoH)
DNS over HTTPS as defined in RFC 8484 packages queries in the HTTP/2 protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled by default). General Linux desktop support is waiting on the systemd implementation so installing third-party software is still required.
外部人士可以看到什麼?
在此範例中,我們將記錄當我們提出 DoH 請求時發生的事情:
-
First, start
tshark
:tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
-
Second, make a request with
curl
:curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
-
After making the request, we can stop the packet capture with CTRL + C.
-
Analyse the results in Wireshark:
wireshark -r /tmp/dns_doh.pcap
We can see the connection establishment and TLS handshake that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
什麼時候 不該 使用加密的 DNS ?
在有網路過濾(或審查)的地方,訪問被禁止的資源可能會產生某些後果,您應該在 威脅模型中考慮這些後果。 We do not suggest the use of encrypted DNS for this purpose. Use Tor or a VPN instead. 如果您使用的是VPN ,則應使用 VPN 的 DNS 伺服器。 使用 VPN 時,您已經信任它們與您的所有網路活動。
當我們進行 DNS 查詢時,通常是因為我們想要存取資源。 接下來,我們將討論一些即使在使用加密 DNS 時也可能會披露您的瀏覽活動的情況:
IP 位址
確定瀏覽活動的最簡單方法可能是查看您的設備正在訪問的 IP 位址。 例如,如果觀察者知道 privacyguides.org
位於 198.98.54.105
,而您的裝置正在請求 198.98.54.105
的數據,則很有可能您正在訪問隱私指南。
此方法僅在 IP 位址屬於僅託管少數網站的伺服器時才有用。 如果網站託管在共享平臺上(例如Github Pages , Cloudflare Pages , Netlify , WordPress , Blogger等) ,它也不是很有用。 如果服務器託管在 反向代理之後,這也不是很有用,這在現代互聯網上非常常見。
伺服器名指示(SNI)
伺服器名稱指示通常用於IP位址託管多個網站時。 This could be a service like Cloudflare, or some other Denial-of-service attack protection.
-
Start capturing again with
tshark
. We've added a filter with our IP address so you don't capture many packets:tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
-
Then we visit https://privacyguides.org.
-
After visiting the website, we want to stop the packet capture with CTRL + C.
-
Next we want to analyze the results:
wireshark -r /tmp/pg.pcap
We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
-
Expand the triangle ▸ next to each field:
▸ Transport Layer Security ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello ▸ Handshake Protocol: Client Hello ▸ Extension: server_name (len=22) ▸ Server Name Indication extension
-
We can see the SNI value which discloses the website we are visiting. The
tshark
command can give you the value directly for all packets containing a SNI value:tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The TLS v1.3 protocol brings with it Encrypted Client Hello, which prevents this kind of leak.
Governments, in particular China and Russia, have either already started blocking it or expressed a desire to do so. Recently, Russia has started blocking foreign websites that use the HTTP/3 standard. 這是因為作為HTTP/3的一部分的 QUIC 協議要求 ClientHello
也被加密。
Online Certificate Status Protocol (OCSP)
Another way your browser can disclose your browsing activities is with the Online Certificate Status Protocol. When visiting an HTTPS website, the browser might check to see if the website's certificate has been revoked. This is generally done through the HTTP protocol, meaning it is not encrypted.
The OCSP request contains the certificate "serial number", which is unique. It is sent to the "OCSP responder" in order to check its status.
We can simulate what a browser would do using the openssl
command.
-
Get the server certificate and use
sed
to keep just the important part and write it out to a file:openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
-
Get the intermediate certificate. Certificate Authorities (CA) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
-
The first certificate in
pg_and_intermediate.cert
is actually the server certificate from step 1. We can usesed
again to delete until the first instance of END:sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
-
Get the OCSP responder for the server certificate:
openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
openssl x509 -text -noout -in /tmp/pg_server.cert
-
Start the packet capture:
tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
-
Make the OCSP request:
openssl ocsp -issuer /tmp/intermediate_chain.cert \ -cert /tmp/pg_server.cert \ -text \ -url http://r3.o.lencr.org
-
Open the capture:
wireshark -r /tmp/pg_ocsp.pcap
There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field:
▸ Online Certificate Status Protocol ▸ tbsRequest ▸ requestList: 1 item ▸ Request ▸ reqCert serialNumber
For the "Response" we can also see the "serial number":
▸ Online Certificate Status Protocol ▸ responseBytes ▸ BasicOCSPResponse ▸ tbsResponseData ▸ responses: 1 item ▸ SingleResponse ▸ certID serialNumber
-
Or use
tshark
to filter the packets for the Serial Number:tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check Certificate Transparency logs for the serial number.
Should I use encrypted DNS?
We made this flow chart to describe when you should use encrypted DNS:
graph TB
Start[Start] --> anonymous{Trying to be<br> anonymous?}
anonymous--> | Yes | tor(Use Tor)
anonymous --> | No | censorship{Avoiding<br> censorship?}
censorship --> | Yes | vpnOrTor(Use<br> VPN or Tor)
censorship --> | No | privacy{Want privacy<br> from ISP?}
privacy --> | Yes | vpnOrTor
privacy --> | No | obnoxious{ISP makes<br> obnoxious<br> redirects?}
obnoxious --> | Yes | encryptedDNS(Use<br> encrypted DNS<br> with 3rd party)
obnoxious --> | No | ispDNS{Does ISP support<br> encrypted DNS?}
ispDNS --> | Yes | useISP(Use<br> encrypted DNS<br> with ISP)
ispDNS --> | No | nothing(Do nothing)
Encrypted DNS with a third-party should only be used to get around redirects and basic DNS blocking when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
List of recommended DNS servers{.md-button}
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a privacyguides.org
lookup, a root DNS server would sign a key for the .org
nameserver, and the .org
nameserver would then sign a key for privacyguides.org
’s authoritative nameserver.
Adapted from DNS Security Extensions (DNSSEC) overview by Google and DNSSEC: An Introduction by Cloudflare, both licensed under CC BY 4.0.
What is QNAME minimization?
A QNAME is a "qualified name", for example privacyguides.org
. QNAME minimisation reduces the amount of information sent from the DNS server to the authoritative name server.
Instead of sending the whole domain privacyguides.org
, QNAME minimization means the DNS server will ask for all the records that end in .org
. Further technical description is defined in RFC 7816.
What is EDNS Client Subnet (ECS)?
The EDNS Client Subnet is a method for a recursive DNS resolver to specify a subnetwork for the host or client which is making the DNS query.
It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a content delivery network, which are often used in video streaming and serving JavaScript web apps.
This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
--8<-- "includes/abbreviations.zh-Hant.txt"