  • -dns switch to use custom dns server is not working in Windows 7, still uses OS settings for DNS. I also tried setting in .PyFunceble.yaml but it still goes to OS defined DNS server. Is this ...
  • This question comes from the open-source project: zephyrproject-rtos/zephyr
  • review all content, update as needed; [x] Launch (switch DNS); [x] switch TravisCI deployment config; [x] merge in new code. Launch is a beautiful thing, but it's...
  • One-line feature description (can be used as a release note): Switch default DNS plugin to CoreDNS. Primary contact (assignee): Responsible SIGs: sig-network, sig-cluster-...
  • switch all worker to private dns. I tested this PR by... launching cluster where i am seeing slow startup(flintrock needed bend-aid to start cluster). After this change cluster start in first try...
  • Update kube-dns from v1.14.5 to v1.14.8; Switch kube-dns sidecar to probe for SRV records (recommended for 1.9); ...kubernetes-sigs/bootkube
  • I tested this in my cluster and cc /openshift-team-monitoring PTAL, thanks! [] I added CHANGELOG entry for this change. [x] No user facing changes, so no entry in CHANGELOG...
  • Using DNSSEC, Domain Name System Security extensions, which were designed many years after DNS, is the way to mitigate DNS cache poisoning attacks, by providing integrity to the DNS respon...

    >> Using DNSSEC, Domain Name System Security extensions, which were designed many years
    after DNS, is the way to mitigate DNS cache poisoning attacks,
    by providing integrity to the DNS responses.
    If a client asks the RIT DNS server for the IP address of www.arin.net,
    the RIT DNS server will ask one of the 13 logical root name servers,
    and then an authoritative dot net TLD DNS server, and then finally,
    the authoritative DNS server for the arin.net domain.
    If a client's DNS server supports DNSSEC, it sets the DO, DNSSEC OK flag in its DNS requests
    to a root name server, an authoritative TLD DNS server,
    and the authoritative DNS server of the domain in question.
    In turn, each of the servers will send back extra DNS resource records,
    that we'll see in a little bit.
    These extra records tell the RIT DNS server that the child zones are DNSSEC enabled.
    In our story, the RIT DNS server's query on the client's behalf,
    will reach the arin.net authoritative DNS server.
    When that server gives the answer to the RIT DNS server, it sends the answer along with a hash
    of each group of resource records in the answer,
    signed with arin.net's private ZSK, Zone Signing Key.
    For instance, a response could have multiple A records, MX records, and NS records.
    Each of these groups has a signed hash sent in a new DNS resource record type, RRSIG.
    Why sign resource record groups rather than individual records?
    Quite simply, it's quicker.
    Furthermore, there's no way to query for just one A, or MX record.
    A DNS server will always return them as a group.
    So, there's no point in signing each one individually
    when you can sign them all together.
    The arin.net DNS server also gives the RIT DNS server arin.net's public ZSK, Zone Signing Key,
    in the form of another new DNS resource record type, DNSKEY.
    arin.net's public KSK, is also sent in the form of a second DNSKEY record.
    These DNSKEY records are hashed and encrypted with arin.net's private KSK,
    producing another RRSIG record, this one for the DNSKEY records.
    So, the RIT DNS server will request the sets of resource records,
    which also returns each group's corresponding RRSIG record,
    request the DNSKEY records containing the public Zone Signing Key,
    and the public Key Signing Key, which also returns the RRSIG
    for the DNSKEY resource record set.
    Verify the RRSIG of the requested resource record set with the public Zone Signing Key.
    Verify the RRSIG of the DNSKEY resource record set with the public Key Signing Key.

     

    DNSSEC Part 2

    >> There is a zone signing key and a key signing key.
    Because it's difficult to swap out an old or compromised key signing key.
    Changing the zone signing key is a lot easier.
    We can use a smaller zone signing key without compromising the security of the server,
    minimizing the amount of data that the server has to send with each response.
    Furthermore, the DNS key resource record set
    and corresponding RRSIG records can be cached for future use.
    The key signing key works basically like the zone signing key.
    The only difference is the zone signing key signs the individual records
    to create the RRSIG records for each group, while the key signing key is used
    to sign the DNS key records, producing an RRSIG record for the DNS key group.
    For the rest of this story, we'll just reference a single public key,
    and not worry about zone signing key or key signing key for simplistic purposes.
    Now, it's time for the RIT DNS server to verify the A records
    for www.arin.net.
    The RIT DNS server takes the RRSIG for the A record group,
    which is a cache of all the A records, encrypted with a private key of arin.net.
    To decrypt this, the RIT DNS server, uses the public key of arin.net,
    which is in the DNS key record that was sent.
    If the decrypted hash matches the computed hash by the RIT DNS server,
    the DNS key record validates the RRSIG record.
    And, the RRSIG record validates the A records.
    All is good.
    But, wait a minute, what if someone broke
    into the arin.net DNS server and generated his own key pair?
    Now, the attacker can modify the DNS records, point to incorrect IP addresses,
    and sign the records with the attacker key pair.
    To make sure this doesn't happen, arin.net's public key is certified by a higher authority.
    arin.net had previously sent their public key to the .net zone administrators,
    and after arin.net was validated by .net, the .net zone agreed to vouch for arin.net,
    by taking arin.net's public key and hashing it.
    This is in the form of another new DNS record, the DS record, stored on the .net DNS servers.
    In our example, the .net zone, when giving the RIT DNS server a referral
    to the authoritative DNS servers for arin.net also sent a DS record
    which contains the hash of arin.net's public key.
    The RIT DNS server hashes arin.net's public key, and compares the results
    to the DS record sent from the .net zone.
    If the hashes match, we know, that arin.net's public key is really arin.net's public key.
    And, that the records they sent are legitimate.
    How do we trust the DS record itself?
    The DS record is in turn hashed and encrypted with .net's private key,
    and presented in the form of an RRSIG record.
    Now, the RIT DNS server requests that the .net zone send its public key
    in the form of a DNS key record.
    The RIT DNS server takes the .net public key,
    decrypts the RRSIG encrypted hash, and computes its own hash.
    If the two match, the .net zone has proven it is really the .net zone.

     

    DNSSEC Part 3

    >> But wait another minute now.
    What if someone broke into the .net zone
    and used a different public private key pair as described before?
    Just like arin.net is certified by its higher-level parent, .net,
    .net is certified by its higher-level parent, dot, or the root zone.
    A hash of the .net public key was sent in a DS record
    from the root zone earlier to the RIT DNS server.
    The RIT DNS server hashes .net's public key and compares the results
    to the DS record sent by the root zone.
    If the hashes match, we know that .net's public key is really .net's public key
    and that the records that they sent are legitimate.
    How do we trust the DS record itself?
    Along with this DS record, is the RRSIG record for the DS record which contains a hash
    of the DS record encrypted with the root zone's private key and stored in the root zone.
    Upon request from the RIT DNS server,
    the root zone's public key will be sent in a DNS key record.
    The RIT DNS server takes the root zone's public key,
    decrypts the RRSIG encrypted hash and computes its own hash.
    If the two match, then the root zone's public key is really the root zone's public key.
    .net's public key is really .net's public key.
    Arin.net's public key is really arin.net's public key and the resource records sent
    by arin.net's DNS servers have integrity.
    Now I know what you're thinking.
    What if someone broke into the root zone and switched the keys there?
    Right? Well, the root zone's key signing key is vetted by a thorough security procedure.
    This includes a root signing ceremony that alternates between the two secure facilities
    that safeguard the root zone's key signing key located in El Segundo,
    California and Culpeper, Virginia.

    Reposted from: https://www.cnblogs.com/sec875/articles/10028810.html

  • OpenStack: switch to CoreDNS

    2020-12-05 13:09:20
    CoreDNS. OpenShift already uses CoreDNS so it doesn't make sense to bring in a different DNS tech to the mix. This also reads /etc/resolv.conf for upstream DNS rather than hardcoding OpenStack...
  • Select two DNS servers to enable DNS switching, then uncheck the option to disable it. Or simply click the "Reset DNS" button to disable it. The app creates a VPN tunnel that is used only for DNS queries. Other network traffic is not affected. The DNS switching provider is for changing DNS...
  • Is this a request for help?... Since Kubernetes 1.11, Kubernetes uses coreDNS by default and we need to switch over. This question comes from the open-source project: Azure/acs-engine
  • There used to be an incorrect entry in our DNS for a switch's IP address, this therefore populated the DNS name in netdisco as expected. I have now removed the entry from the DNS but it won't ...
  • While passing buffers to ns_put16, make sure they are unsigned. Instead of adding additional typecasting, consistently use unsigned char. ...apache/trafficserver
  • dns-graceful-stack-switch: a monkey patch of the DNS lookup method for node.js. Why? If you use node.js with IPv4 disabled, most network operations raise an exception (ENETUNREACH), although ping6 address works fine. To, with the least...
  • These commands was removed back in Lollipop, we should switch the way telemetry flushing DNS cache by toggling the airplane mode instead. This question comes from the open-source project: catapult-project/catapult...
  • Connecting a Switch to a self-hosted cloud server via DNS hijacking 1. Install dependencies: install python3 and pip3 on the server, install the third-party Python library requests: pip3 install requests 2. Create the files: the new hosts.txt and dns_server.py files both go in the server directory ...

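    Connecting a Switch to a self-hosted cloud server via DNS hijacking

    1. Install dependencies

    Install python3 and pip3 on the server

    Install the third-party Python library requests

    pip3 install requests
    

    2. Open port 53 (UDP)

    3. Create the files

    The new hosts.txt and dns_server.py files both go in the server directory

    Create hosts.txt with the following content

    #this is the default hosts file for the dns proxy
    #format: hostname regex -> ip address
    
    # [My Host Entries]
    ^hivebedrock\.network$ xxx.xxx.xxx.xxx
    ^mco\.mineplex\.com$ xxx.xxx.xxx.xxx
    ^play\.inpvp\.net$ xxx.xxx.xxx.xxx
    ^mco\.lbsg\.net$ xxx.xxx.xxx.xxx
    ^mco\.cubecraft\.net$ xxx.xxx.xxx.xxx
    

    Replace every xxx.xxx.xxx.xxx with the server's IP address

    Create dns_server.py with the following content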

    #!/usr/bin/python3
    
    import re
    import sys
    import socket
    import traceback
    from os.path import isfile
    
    HOSTS_FILE = "hosts.txt"
    
    SERVER_HOST = "0.0.0.0"
    SERVER_PORT = 53
    
    #ipv4_exp = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
    
    class DNSQuery:
        def __init__(self, data):
            self.data = data
            self.domain = bytearray()
            tipo = (data[2] >> 3) & 15
            if tipo == 0:
                ini = 12
                lon = data[ini]
                while lon != 0:
                    self.domain += data[ini + 1:ini + lon + 1] + bytes(".", "ascii")
                    ini += lon + 1
                    lon = data[ini]
            self.domain = str(self.domain, "utf8").rstrip(".")
    
        def response(self, ip):
            packet = bytearray()
            if self.domain:
                packet += self.data[:2] + bytearray([0x81, 0x80])
                packet += self.data[4:6] + self.data[4:6] + bytearray([0x00, 0x00, 0x00, 0x00])  # Questions and Answers Counts
                packet += self.data[12:]  # Original Domain Name Question
                packet += bytearray([0xC0, 0x0C])  # Pointer to domain name
                packet += bytearray([0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x04])  # Response type, ttl and resource data length -> 4 bytes
                packet += bytearray([int(x) for x in ip.split(".")])  # 4 bytes of IP
            return packet
    
    def parse_host_file_as_regex(data):
        host_list = []
        for line in data.splitlines():
            line = line.strip()
            # Skip blank lines and comments
            if line and not line.startswith("#"):
                split_line = line.split(None, 1)
                # Ignore entries that have a pattern but no IP address
                if len(split_line) == 2:
                    host_regex, ip_addr = split_line
                    host_list.append([re.compile(host_regex), ip_addr])
        return host_list
    
    if __name__ == '__main__':
        if isfile(HOSTS_FILE):
            # Read the hosts file once at startup and close it again
            with open(HOSTS_FILE, "r") as hosts_file:
                host_data = parse_host_file_as_regex(hosts_file.read())
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.bind((SERVER_HOST, SERVER_PORT))
            print("DNS Proxy server started on UDP port {}!".format(SERVER_PORT))
            while True:
                try:
                    (data, addr) = sock.recvfrom(1024)
                    p = DNSQuery(data)
                    result = [ip_addr for (regex, ip_addr) in host_data if regex.search(p.domain)]
                    if result:
                        ip = result[0]
                        print("Local:  {} -> {}".format(p.domain, ip))
                        sock.sendto(p.response(ip), addr)
                    else:
                        ip = socket.gethostbyname(p.domain)
                        print("Remote: {} -> {}".format(p.domain, ip))
                        sock.sendto(p.response(ip), addr)
                except KeyboardInterrupt:
                    print("Done!")
                    sock.close()
                    sys.exit(0)
                except Exception:
                    traceback.print_exc()
        else:
            print("Host file not found!")
    

    4. Create a new screen session and run dns_server.py

    screen -S dns
    
    python3 dns_server.py
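
The script above indexes straight into client-supplied bytes, answers every query type with an A record, and listens on 0.0.0.0 for anyone who can reach UDP port 53. One way to validate the question and restrict clients before answering, as an added example that is not part of the original post; `ALLOWED_CLIENTS`, the function names and the sample addresses are assumptions made for this example.

```python
import ipaddress
import struct

# Assumption for this example: only the home LAN may query the proxy.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]

def client_allowed(addr: str) -> bool:
    """Answer known networks only, so the proxy is not an open resolver."""
    return any(ipaddress.ip_address(addr) in net for net in ALLOWED_CLIENTS)

def parse_question(data: bytes):
    """Return (name, qtype, qclass, end_offset); raise ValueError if malformed."""
    if len(data) < 12:
        raise ValueError("short header")
    _id, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        raise ValueError("not a standard single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(data):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass, pos + 4

def build_response(data: bytes, end: int, qtype: int, qclass: int, ip: str) -> bytes:
    """A record for A/IN questions; empty NOERROR answer for anything else."""
    answer = b""
    if (qtype, qclass) == (1, 1):
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + ipaddress.IPv4Address(ip).packed)
    header = data[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + data[12:end] + answer

def make_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample input: a standard query with one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
```

In the receive loop, drop the datagram when `client_allowed(addr[0])` is false or `parse_question` raises `ValueError`, and match the hosts.txt patterns against the returned name.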
    
  • 90DNS Tester: a simple Switch homebrew that performs DNS resolution to check whether Nintendo's servers can be reached. It can also be used to test whether Atmosphere's DNS MITM is working correctly
  • I wanted to prevent reverse DNS lookups, so I tried --... If not, they should be disabled by default and enabled with a switch. This question comes from the open-source project: drwetter/testssl.sh
  • Kubernetes now uses coreDNS instead of kubeDNS. See: https://kubernetes.io/docs/setup/release/notes/#kubernetes-1-13-release-notes Minikube has already done this and OKD 4 will do this ...
  • This pull request is for ...description: The test case is used to switch the whole testing cluster to run in dns forward mode. This question comes from the open-source project: xcat2/xcat-core
  • t work via ipv6, so switch to a NetworkManager dispatcher that runs after dhclient instead as a workaround. Motivation - add ipV6 support - point worker dns queries to their local coredns instance ...
  • JJ has the gcloud-ruby.com domain name that we can use for the CI builds. Configure the CI project to get permissions to the domain name and then change the CI configuration to use it. ...
  • Replaces the node-local DNS setup via dnsmasq with dedicated and independent CoreDNS instances per node. Client-side DNS configuration is the same: * First DNS server is the ...
  • t work via ipv6, so switch to a NetworkManager dispatcher that runs after dhclient instead as a workaround. - What I did: Reworked the prepender implementation (with help ...
  • sdns: a command-line DNS switcher for macOS: "sdns switch google"
