systemd-resolved is a systemd service that provides network name resolution. It ships with distributions that use systemd and is most likely already running. systemd is the system and service manager that runs as PID 1 at boot and starts the rest of the system. It has as many detractors as it has fans. I will describe how to enable DNSSEC and DNS over TLS in systemd-resolved. The walkthrough is done on Ubuntu Server 20.04.1 LTS.
Configuration
On the Netplan side, we change the DNS address defined for the network interface to 127.0.0.53, which is the local stub listener of systemd-resolved.
# vim /etc/netplan/00-installer-config.yaml
We open the Netplan configuration file.
network:
  ethernets:
    ens32:
      addresses:
      - 192.168.1.3/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 127.0.0.53
  version: 2
We apply the change we made.
# netplan apply
We can move on to the systemd-resolved configuration.
# vim /etc/systemd/resolved.conf
We edit it as follows.
[Resolve]
DNS=1.1.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=yes
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
Then we restart systemd-resolved. Note that DNSSEC=yes and DNSOverTLS=yes are both strict modes: if the upstream server does not support DNSSEC or DNS over TLS, resolution fails instead of falling back to unsigned or plaintext DNS (DNSSEC=allow-downgrade and DNSOverTLS=opportunistic are the permissive alternatives).
# systemctl restart systemd-resolved
We check whether DNSSEC validation is active; the DNSSEC Verdicts counters show validation taking place, and Bogus should stay at 0.
# resolvectl statistics
DNSSEC supported by current servers: yes
Transactions
Current Transactions: 0
Total Transactions: 138
Cache
Current Cache Size: 31
Cache Hits: 26
Cache Misses: 112
DNSSEC Verdicts
Secure: 63
Insecure: 78
Bogus: 0
Indeterminate: 0
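As an added example (not part of the original post), the following POSIX shell script checks the two things verified above in one go: that resolved.conf has both settings in strict mode and that the resolvectl statistics output reports DNSSEC support with no Bogus verdicts. The sample texts are constructed to mirror the output shown in the post; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks for the systemd-resolved setup described above.
# SAMPLE_STATS and SAMPLE_CONF are constructed inputs that mirror the post's output;
# on a live host pass "$(resolvectl statistics)" and "$(cat /etc/systemd/resolved.conf)".

SAMPLE_STATS='DNSSEC supported by current servers: yes
Transactions
Current Transactions: 0
Total Transactions: 138
DNSSEC Verdicts
Secure: 63
Insecure: 78
Bogus: 0
Indeterminate: 0'

SAMPLE_CONF='[Resolve]
DNS=1.1.1.1
#DNSSEC=no
DNSSEC=yes
DNSOverTLS=yes'

# stat_value TEXT KEY: print the value after "KEY:" (anchored at line start, so
# "Secure" does not match the "Insecure" line)
stat_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# conf_value TEXT KEY: print the effective KEY= value; commented "#KEY=" lines are ignored
# and the last occurrence wins, as in the real configuration file
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# check_stats TEXT: 0 when the upstream supports DNSSEC and no Bogus verdicts were seen
check_stats() {
    [ "$(stat_value "$1" 'DNSSEC supported by current servers')" = "yes" ] || return 1
    [ "$(stat_value "$1" 'Bogus')" = "0" ] || return 2
    return 0
}

# check_conf TEXT: 0 when both DNSSEC and DNSOverTLS are set to the strict value "yes"
check_conf() {
    [ "$(conf_value "$1" DNSSEC)" = "yes" ] || return 1
    [ "$(conf_value "$1" DNSOverTLS)" = "yes" ] || return 2
    return 0
}

check_conf "$SAMPLE_CONF" && check_stats "$SAMPLE_STATS" \
    && echo "resolved: DNSSEC strict, DNS over TLS strict, no bogus verdicts"
```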
We verify the DNS over TLS traffic with tshark: every query to 1.1.1.1 now goes out as TLS on TCP port 853.
# tshark dst port 853
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens32'
1 0.000000000 192.168.1.3 → 1.1.1.1 TCP 78 35958 → 853 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2081448733 TSecr=0 WS=128 TFO=R
2 0.000203340 192.168.1.3 → 1.1.1.1 TCP 78 35960 → 853 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2081448733 TSecr=0 WS=128 TFO=R
3 0.007289875 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=1 Ack=1 Win=64256 Len=0
4 0.007346121 192.168.1.3 → 1.1.1.1 TLSv1.2 391 Client Hello
5 0.007612579 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=1 Ack=1 Win=64256 Len=0
6 0.007666299 192.168.1.3 → 1.1.1.1 TLSv1.2 391 Client Hello
7 0.015554475 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=338 Ack=1441 Win=64128 Len=0
8 0.015775418 192.168.1.3 → 1.1.1.1 TLSv1.2 60 Change Cipher Spec
9 0.015933904 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=344 Ack=2705 Win=64128 Len=0
10 0.016398082 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=338 Ack=1441 Win=64128 Len=0
11 0.016585253 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=338 Ack=2705 Win=63488 Len=0
12 0.017058097 192.168.1.3 → 1.1.1.1 TLSv1.2 128 Application Data
13 0.017150420 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
14 0.017189443 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
15 0.017307885 192.168.1.3 → 1.1.1.1 TLSv1.2 60 Change Cipher Spec
16 0.018214170 192.168.1.3 → 1.1.1.1 TLSv1.2 128 Application Data
17 0.018314397 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
18 0.018351016 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
19 0.018383867 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
20 0.018418863 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
21 0.018458998 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
22 0.018493783 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
23 0.029401235 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=638 Ack=3647 Win=64128 Len=0
24 0.029565372 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
25 0.029610326 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=638 Ack=3647 Win=64128 Len=0
26 0.029636465 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
27 0.029724670 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
28 0.029777780 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
29 0.029802496 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=748 Ack=4139 Win=64128 Len=0
30 0.030026965 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=748 Ack=4139 Win=64128 Len=0
31 0.037532885 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=748 Ack=4631 Win=64128 Len=0
32 0.037704276 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
33 0.037768456 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
34 0.037794134 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=748 Ack=4631 Win=64128 Len=0
35 0.037880506 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
36 0.037927634 192.168.1.3 → 1.1.1.1 TLSv1.2 140 Application Data
37 0.097373921 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
38 0.097432711 192.168.1.3 → 1.1.1.1 TLSv1.2 131 Application Data
39 0.097689551 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
40 0.097739004 192.168.1.3 → 1.1.1.1 TLSv1.2 131 Application Data
41 0.104993653 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
42 0.105051842 192.168.1.3 → 1.1.1.1 TLSv1.2 131 Application Data
43 0.105233632 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
44 0.105285218 192.168.1.3 → 1.1.1.1 TLSv1.2 131 Application Data
45 0.112568441 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
46 0.112626840 192.168.1.3 → 1.1.1.1 TLSv1.2 127 Application Data
47 0.112996101 192.168.1.3 → 1.1.1.1 TLSv1.2 78 Application Data
48 0.113055111 192.168.1.3 → 1.1.1.1 TLSv1.2 127 Application Data
49 0.164631035 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=1157 Ack=8003 Win=64128 Len=0
50 0.168529697 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=1157 Ack=8003 Win=64128 Len=0
51 10.120289463 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [ACK] Seq=1157 Ack=8027 Win=64128 Len=0
52 10.120534121 192.168.1.3 → 1.1.1.1 TCP 54 35960 → 853 [FIN, ACK] Seq=1157 Ack=8028 Win=64128 Len=0
53 10.121801561 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=1157 Ack=8027 Win=64128 Len=0
54 10.121848049 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [FIN, ACK] Seq=1157 Ack=8027 Win=64128 Len=0
55 10.122203103 192.168.1.3 → 1.1.1.1 TCP 54 35958 → 853 [ACK] Seq=1158 Ack=8028 Win=64128 Len=0