Archived View for tilde.team › ~rami › redhat_resolved.gmi captured on 2024-08-18 at 17:35:11. Gemini links have been rewritten to link to archived content
רמי
SUBJECT: Resolvectl (Systemd): System-wide configuration of a secured, verified connection (DNSOverTLS, DNSSEC, ECH: Encrypted Client Hello) to root DNS servers, and DNS query caching without installing third-party software
AUTHOR: Rami Rosenfeld
DATE: 07/02/24
TIME: 00.00
LANG: ru, en
LICENSE: GNU FDL 1.3
TAGS: gnu, gnome, software, opensource, linux, system, man, manual, bash, privacy, security, rhel, centos, mate, xfce, lxde, spin, de, systemd, systemctl, selinux, firewalld, dnf, rpm, ostree, flatpak, siverblue, dns, dnsovertls, dnssec, ech
My beloved systemd, born of the mad genius of Lennart Poettering, never ceases to surprise and delight with its simplicity, convenience and logical design. Pay special attention: just a few edits in one configuration file, and we enable DNSOverTLS, DNSSEC and Encrypted Client Hello for the whole operating system (plus caching of DNS queries)!
IMPORTANT! Encrypted Client Hello is provided only(!) for those applications that support it! For details see:
Firefox: Configuring Encrypted Client Hello (Quad9)
nano /etc/systemd/resolved.conf
```
[Resolve]
DNS=9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11
FallbackDNS=1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003
#Domains=
DNSSEC=yes
DNSOverTLS=yes
#MulticastDNS=no
#LLMNR=resolve
Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
StaleRetentionSec=86400
```
OPTIONS:
- Two Quad9 root servers will be used (IPv4/IPv6);
- Cloudflare will be used as the fallback (FallbackDNS) servers;
- Note: instead of the commonly used addresses (9.9.9.9 and 1.1.1.1), slightly different ones are used; they provide the extended functionality I need;
- The DNSSEC=yes option enables the corresponding verification of the connection;
- The DNSOverTLS=yes option activates the corresponding secured connection;
- The Cache=no-negative option reduces the size of the local DNS cache by storing only lookups that received a positive response;
- The StaleRetentionSec=86400 option keeps a record for 24 hours (regardless of its "time to live", TTL) on the root server.
IMPORTANT! The changes to the OS network settings take effect only after restarting NM or the whole computer (for a clean experiment I strongly recommend the latter).
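The two settings that matter for security in the file above are DNSSEC=yes and DNSOverTLS=yes; systemd-resolved also accepts DNSSEC=allow-downgrade and DNSOverTLS=opportunistic, which silently fall back to unvalidated or plaintext DNS when the upstream does not cooperate. The following POSIX shell script is an added example (not part of the original page) that lints a resolved.conf-style file for the strict values; the key names are real resolved.conf keys, and the two sample files it creates are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: lint a systemd-resolved config
# for the strict settings this page relies on. Only the last uncommented
# assignment of a key counts, which matches how systemd reads its files.
# Key names are real resolved.conf keys; the two sample files are constructed.

# Print the effective value of KEY in FILE (empty if unset or commented out).
resolved_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# Return 0 when FILE enforces DNSSEC and DNS-over-TLS strictly, 1 otherwise.
# 'opportunistic' (DNSOverTLS) and 'allow-downgrade' (DNSSEC) are valid
# values, but they let an on-path party strip encryption or validation
# without any error being raised, so they are reported here as weak.
check_resolved_conf() {
    file=$1; rc=0
    dot=$(resolved_value DNSOverTLS "$file")
    sec=$(resolved_value DNSSEC "$file")
    dns=$(resolved_value DNS "$file")
    case "$dot" in
        yes|true) ;;
        *) echo "$file: DNSOverTLS='$dot' (want yes)"; rc=1 ;;
    esac
    case "$sec" in
        yes|true) ;;
        *) echo "$file: DNSSEC='$sec' (want yes)"; rc=1 ;;
    esac
    [ -n "$dns" ] || { echo "$file: no DNS= servers configured"; rc=1; }
    return "$rc"
}

# Constructed sample 1: the strict configuration from this page.
STRICT_CONF=$(mktemp)
cat > "$STRICT_CONF" <<'EOF'
[Resolve]
DNS=9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11
FallbackDNS=1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003
DNSSEC=yes
DNSOverTLS=yes
Cache=no-negative
StaleRetentionSec=86400
EOF

# Constructed sample 2: a weak file, DNSSEC left commented out and
# DNS-over-TLS set to opportunistic (downgradeable) mode.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[Resolve]
DNS=9.9.9.9
#DNSSEC=yes
DNSOverTLS=opportunistic
EOF
trap 'rm -f "$STRICT_CONF" "$WEAK_CONF"' EXIT

if check_resolved_conf "$STRICT_CONF"; then echo "strict sample: OK"; fi
if check_resolved_conf "$WEAK_CONF"; then :; else echo "weak sample: rejected"; fi
# On a real host: check_resolved_conf /etc/systemd/resolved.conf
```

The check reads only the file it is given; if you keep overrides in /etc/systemd/resolved.conf.d/*.conf, run it on each of them too, since a later drop-in can relax a value set in the main file.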
systemd-analyze cat-config systemd/resolved.conf
resolvectl status
```
Global
  Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
  Current DNS Server: 9.9.9.11
  DNS Servers: 9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11
  Fallback DNS Servers: 1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003

Link 2 (enp3s0)
  Current Scopes: none
  Protocols: -DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported

Link 3 (wlp2s0)
  Current Scopes: DNS LLMNR/IPv4
  Protocols: +DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
  Current DNS Server: 192.168.nnn.nnn
  DNS Servers: 192.168.nnn.nnn
```
$ resolvectl query go.dnscheck.tools
```
go.dnscheck.tools: 2604:a880:400:d0::256e:b001 -- link: wlp2s0
                   142.93.10.179                -- link: wlp2s0

-- Information acquired via protocol DNS in 1.4529s.
-- Data is authenticated: yes; -- Data was acquired via local or encrypted transport: yes
-- Data from: network
```
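The two trailer lines of that output ("Data is authenticated" and "acquired via local or encrypted transport") are the evidence that DNSSEC and DNS-over-TLS are actually in effect, not just configured. As an added example (not from the original page), the POSIX shell function below turns that visual check into something a script or monitoring job can act on; the marker strings are the ones resolvectl prints, the first sample is the transcript shown above, and the second sample is constructed to show what a failed check looks like.

```shell
#!/bin/sh
# Added example, not from the original page: decide from a `resolvectl query`
# transcript whether the answer is safe to trust. The two markers checked are
# the ones resolvectl itself prints; the samples and helper names are ours.

# Read a resolvectl query transcript on stdin. Return 0 only when the data was
# DNSSEC-authenticated AND arrived over a local or encrypted transport;
# return 1 if either marker is missing or says "no" (an unsigned zone, or a
# fallback to plain UDP), so a caller can alert instead of trusting it.
query_is_secure() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Data is authenticated: yes' || return 1
    printf '%s\n' "$out" | grep -q 'encrypted transport: yes' || return 1
    return 0
}

# Live variant for a host running systemd-resolved (not exercised below).
# Usage: check_live example.com && echo trusted
check_live() {
    resolvectl query "$1" 2>&1 | query_is_secure
}

# Sample 1: the transcript shown on this page (both markers "yes").
SAMPLE_SECURE='go.dnscheck.tools: 2604:a880:400:d0::256e:b001 -- link: wlp2s0
                   142.93.10.179 -- link: wlp2s0

-- Information acquired via protocol DNS in 1.4529s.
-- Data is authenticated: yes; -- Data was acquired via local or encrypted transport: yes
-- Data from: network'

# Sample 2 (constructed, not captured): what an unsigned name fetched over
# plain UDP would report. 192.0.2.10 is a documentation address.
SAMPLE_WEAK='unsigned.example: 192.0.2.10 -- link: wlp2s0

-- Information acquired via protocol DNS in 0.0312s.
-- Data is authenticated: no; -- Data was acquired via local or encrypted transport: no
-- Data from: network'

if printf '%s\n' "$SAMPLE_SECURE" | query_is_secure; then echo "secure sample: trusted"; fi
if printf '%s\n' "$SAMPLE_WEAK" | query_is_secure; then :; else echo "weak sample: flagged"; fi
```

Both markers are required on purpose: a DNSSEC-signed answer fetched over plaintext is still visible to the network, and an encrypted answer for an unsigned zone is only as trustworthy as the resolver you chose.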
resolvectl reset-statistics
resolvectl statistics
```
DNSSEC supported by current servers: yes

Transactions
Current Transactions: 0
  Total Transactions: 0

Cache
  Current Cache Size: 61
          Cache Hits: 0
        Cache Misses: 0

DNSSEC Verdicts
              Secure: 0
            Insecure: 0
               Bogus: 0
       Indeterminate: 0
```
resolvectl show-cache
```
(...)
Scope protocol=dns
org IN DS 26974 8 2 4fede294c53f438a158c (...)
. IN DNSKEY 257 3 RSASHA256 AwEAAaz/tAm8y (...) -- Key tag: 30903
fedoraproject.org IN A 34.221.3.152
fedoraproject.org IN A 67.219.144.68
(...)
```
resolvectl flush-caches
resolvectl monitor
```
→ Q: detectportal.firefox.com IN A
→ S: success
→ A: detectportal.firefox.com IN CNAME detectportal.prod.mozaws.net

→ Q: dns11.quad9.net IN A
→ S: success
→ A: dns11.quad9.net IN A 149.112.112.11
→ A: dns11.quad9.net IN A 9.9.9.11
```
$ delv site.name @9.9.9.11
```
fully validated
site.name.  28800  IN  A      81.125.249.17
site.name.  28800  IN  RRSIG  A 8 2 86400 2024
```
Command syntax:
delv domain-name-here – The domain name to be looked up.
delv @dns-server-name domain-name-here – The name or IP address of the name server to query.
delv @dns-server-name domain-name-here type – State what type of DNS query is required. For example, A, AAAA, MX, TXT and so on.
If running the "short" command "delv site.name" produces the error:
```
;; broken trust chain resolving 'site.name/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
```
then the resolver 127.0.0.53:53 is not configured correctly for DNSSEC validation. In that case use the full form of the command (specifying a concrete DNS server), for example:
delv site.name @1.1.1.3
delv site.name @9.9.9.11
See also:
Quad9: DNS network settings
Firefox: Configuring Encrypted Client Hello (Quad9)
Rami Rosenfeld, 2024. GNU FDL 1.3.