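1. The one everyone cares about most: getting over the wall and preventing DNS hijacking.
Players, seasoned or not, all know about a certain wall. Does switching to something like OpenDNS really stop that wall from hijacking domain names? That rather underestimates it. Any DNS UDP packet that passes the wall's out-of-path device gets tampered with outright. Don't believe it? Look at the results.
A normal query for a hijacked domain is hijacked, no question about it: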
Sam@Bra:~$ dig hen.bao.li
; <<>> DiG 9.6.0-APPLE-P2 <<>> hen.bao.li
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50859
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hen.bao.li. IN A
;; ANSWER SECTION:
hen.bao.li. 85697 IN A 78.16.49.15
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 7 23:18:48 2009
;; MSG SIZE rcvd: 44
Now look at what happens with Google Public DNS: hijacked all the same.
Sam@Bra:~$ dig @8.8.8.8 hen.bao.li
; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 hen.bao.li
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hen.bao.li. IN A
;; ANSWER SECTION:
hen.bao.li. 86400 IN A 78.16.49.15
;; Query time: 75 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 7 23:20:58 2009
;; MSG SIZE rcvd: 54
Now let's look at the real result obtained from a machine abroad:
[root@WS-10267 ~]# dig @8.8.8.8 hen.bao.li
; <<>> DiG 9.3.4-P1 <<>> @8.8.8.8 hen.bao.li
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20845
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;hen.bao.li. IN A
;; ANSWER SECTION:
hen.bao.li. 14400 IN A 69.163.142.44
;; Query time: 252 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 7 23:25:12 2009
;; MSG SIZE rcvd: 44
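As you can see, this road is a dead end. Anyone hoping to get over the wall just by switching to a foreign DNS server can wake up now.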
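Added example (not from the original article): a small Python check that parses the two `dig @8.8.8.8 hen.bao.li` transcripts above and reports how the in-country view differs from the view abroad. Treating an `aa` flag that appears in only one view as a tampering indicator is a heuristic assumed here, and the function names are hypothetical.

```python
import re

# Trimmed from the article's two `dig @8.8.8.8 hen.bao.li` transcripts.
IN_COUNTRY = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
hen.bao.li. 86400 IN A 78.16.49.15
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
ABROAD = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
hen.bao.li. 14400 IN A 69.163.142.44
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_dig(text):
    """Return header flags, answer-section records and the responding server."""
    out = {"flags": set(), "answers": [], "server": None}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.search(r";; flags: ([a-z ]*);", line):
            out["flags"] = set(m[1].split())
        elif m := re.search(r";; SERVER: ([^#\s]+)#", line):
            out["server"] = m[1]
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]  # QUESTION / ANSWER / AUTHORITY / ...
        elif section == "ANSWER" and (m := RR.match(line)):
            out["answers"].append((m[1], int(m[2]), m[3], m[4]))
    return out

def tamper_indicators(observed, reference):
    """Compare one resolver's reply as seen from two networks."""
    findings = []
    a_obs = {r[3] for r in observed["answers"] if r[2] == "A"}
    a_ref = {r[3] for r in reference["answers"] if r[2] == "A"}
    if observed["server"] == reference["server"] and a_obs != a_ref:
        findings.append(f"A records differ: {sorted(a_obs)} vs {sorted(a_ref)}")
    # Heuristic (assumption): a recursive resolver relaying a cached answer
    # does not set AA, so AA appearing only in one view is suspicious.
    if "aa" in observed["flags"] and "aa" not in reference["flags"]:
        findings.append("aa flag set only in the observed reply")
    return findings

if __name__ == "__main__":
    for f in tamper_indicators(parse_dig(IN_COUNTRY), parse_dig(ABROAD)):
        print(f)
```

Differing A records on their own can also come from CDN or geo-aware answers, so a finding here is a reason to investigate, not proof of tampering.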
2. Fast resolution.
Google Public DNS does resolve quickly, but the same cannot necessarily be said of OpenDNS:
Sam@Bra:~$ dig @208.67.222.222 www.dnspod.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> @208.67.222.222 www.dnspod.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17404
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnspod.com. IN A
;; ANSWER SECTION:
www.dnspod.com. 600 IN CNAME www.dnspod.com.cdnudns.com.
www.dnspod.com.cdnudns.com. 300 IN A 61.172.249.96
www.dnspod.com.cdnudns.com. 300 IN A 218.244.147.137
;; Query time: 608 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Dec 7 23:29:01 2009
;; MSG SIZE rcvd: 101