
Using DNS over TLS (DoT) on Ubuntu

DNS over TLS (abbreviated DoT) is a security protocol that encrypts and wraps Domain Name System (DNS) traffic inside Transport Layer Security (TLS). It is designed to prevent man-in-the-middle attacks and tampering with DNS data, protecting user privacy. (Quoted from Wikipedia – DNS over TLS.) The downside is that DNS query performance drops, and by a multiple XD.

Installing and configuring stubby

On Ubuntu the configuration file is /etc/stubby/stubby.yml (lazy version below):

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 192.168.2.11
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 0
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

Encryption key

After it has been running for a while, Stubby will obtain the sha256 key for you.

Modifying systemd-resolved

sudo vim /etc/systemd/resolved.conf
--------
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
DNS=127.0.0.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSSEC=yes
#Cache=yes
#DNSStubListener=yes

Verifying DoT (reaping the rewards)

dig @127.0.0.1 www.google.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16028
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (".....................................................................................................................................................................................................................................................................................................................................................................................................................")
;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		60	IN	A	172.217.160.100

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 22 23:18:47 CST 2020
;; MSG SIZE  rcvd: 482

DoT connections on port 853

netstat -tuWc | grep 853
tcp        0      0 host:88387         one.one.one.one:853     ESTABLISHED
tcp        0      0 host:38788         one.one.one.one:853     ESTABLISHED
tcp6       0      0 2001-b011-0000-0000-0000-0-0-0.dynamic-ip6.hinet.net:54386 one.one.one.one:853     ESTABLISHED
tcp6       0      0 2001-b011-0000-0000-0000-0-0-0.dynamic-ip6.hinet.net:38372 one.one.one.one:853     ESTABLISHED
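To see what stubby is doing on those port-853 connections at the wire level, here is an added example (not from the original post or the stubby project) that performs one DNS-over-TLS A query directly in Python: it frames the query the way RFC 7858 requires, verifies the upstream certificate against the same tls_auth_name used in the stubby.yml above, and parses the answer. Only dot_query needs network access; SAMPLE_RESPONSE is a constructed message, not a real capture.

```python
import socket
import ssl
import struct

def build_query(name, qid=0x1234):
    # Header: id, flags RD=1, QDCOUNT=1; then QNAME labels, root, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"
def frame(msg):
    # RFC 7858 reuses DNS-over-TCP framing: a 2-byte big-endian length prefix.
    return struct.pack("!H", len(msg)) + msg
def skip_name(resp, off):
    # Advance past a name: a 2-byte compression pointer, or labels ended by root.
    if resp[off] & 0xC0 == 0xC0:
        return off + 2
    while resp[off]:
        off += resp[off] + 1
    return off + 1
def parse_a_records(resp, qid):
    # Check id and rcode, skip the echoed question, collect IPv4 answers.
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid: raise ValueError("transaction id mismatch")
    if flags & 0x000F: raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4       # skip QTYPE/QCLASS too
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def dot_query(name, server="1.1.1.1", auth_name="cloudflare-dns.com", qid=0x1234):
    # Default context checks the chain against system CAs and matches auth_name
    # (what tls_authentication: GETDNS_AUTHENTICATION_REQUIRED asks of stubby).
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name, qid)))
            stream = tls.makefile("rb")
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_a_records(stream.read(length), qid)

# Constructed sample response (not a real capture): one A record, TTL 60, pointer name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x06google\x03com\x00\x00\x01\x00\x01\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([172, 217, 160, 100]))
```

Running dot_query("www.google.com") on a box with working CA certificates returns the A records, and changing auth_name to anything the certificate does not cover makes the handshake fail instead of silently falling back to plaintext.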

SYN flood protection via sysctl.conf

# SYN flood protection
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_retries2=6
net.ipv4.tcp_fin_timeout=60
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_keepalive_time=1000
net.ipv4.tcp_syncookies=1
