🛠️ToolsShed

DNS Security Reference

A comprehensive reference for DNSSEC and DNS security best practices, covering record types, common attacks, and a DoH vs DoT comparison.

DNSKEY

Contains the public key used to verify signatures in the zone.

RRSIG

Resource Record Signature — cryptographic signature over a DNS record set.

DS

Delegation Signer — links a child zone's DNSKEY to the parent zone.

NSEC

Next Secure — proves non-existence of a DNS record (authenticated denial).

NSEC3

Hashed version of NSEC — prevents zone walking by hashing owner names.

CDS

Child DS — child zone signals key changes to parent for automated rollover.

About this tool

DNS (the Domain Name System) is the Internet's address book, translating human-readable domain names into IP addresses. Traditional DNS, however, runs unencrypted and is vulnerable to spoofing, cache poisoning and man-in-the-middle attacks that can redirect users to malicious sites. DNSSEC (DNS Security Extensions) addresses this by adding cryptographic authentication to DNS responses, so that records can be verified as untampered, while DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the queries themselves to prevent eavesdropping and tracking. Understanding these technologies is essential for system administrators, developers, security professionals and anyone who wants to protect their DNS traffic from surveillance or attack.

This DNS Security Reference provides consolidated documentation of DNSSEC record types (DNSKEY, RRSIG, DS, NSEC/NSEC3), common DNS attacks (spoofing, DDoS amplification, hijacking, NXDOMAIN attacks) and a detailed comparison of DNS encryption protocols, in particular the privacy and deployment differences between DoH (port 443, indistinguishable from ordinary web traffic) and DoT (port 853, easier to monitor on enterprise networks). Whether you are enabling DNSSEC for a domain, choosing between DoH and DoT for an organisation, or studying DNS security best practices, the tool gathers this scattered knowledge into a single searchable reference.

The tool is well suited to domain administrators enabling DNSSEC (which requires DNS provider support and DS record configuration at the registrar), network engineers designing encrypted DNS for their infrastructure, security practitioners auditing DNS policy, and developers building DNSSEC-aware applications or secure DNS clients. For long-term protection, this browser-based reference is most useful alongside hands-on testing with tools such as dnsviz.net or the dig command-line utility.
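As an added example (not part of the original reference), the check a domain administrator wants when publishing the DS record the glossary describes: derive the DS RDATA from a zone's DNSKEY (RFC 4034 key tag, plus the digest over the canonical owner name and the DNSKEY RDATA) and compare it with the DS the registrar has published. The owner name example.com. and the 64-byte key are constructed placeholders, not a real zone's key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root terminator."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def parse_dnskey(text: str) -> tuple[int, int, int, bytes]:
    """Parse DNSKEY RDATA in presentation form: '<flags> <protocol> <algorithm> <base64 key>'."""
    flags, proto, alg, *key = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))

def dnskey_wire(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the algorithm-1 special case is not handled here)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS RDATA the parent should publish: '<key tag> <algorithm> <digest type> <hex digest>'.
    Digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_wire(flags, proto, alg, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if a published DS record (presentation form) corresponds to this DNSKEY."""
    parts = ds_text.split()
    if len(parts) != 4 or not parts[2].isdigit() or int(parts[2]) not in DIGESTS:
        return False
    expected = ds_from_dnskey(owner, dnskey_text, int(parts[2]))
    return expected.split() == parts[:3] + [parts[3].upper()]

# Constructed sample: a KSK (flags 257), algorithm 13, with a synthetic 64-byte key; not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
```

Run ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY) to get the DS line to hand to the registrar, and ds_matches(...) against the DS that dig returns from the parent to confirm the chain of trust links up.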

Code implementation

import subprocess

def dig_answer(domain: str, rrtype: str) -> list[str]:
    """Run dig and return only the ANSWER section lines. Restricting the output
    matters: a substring test on the full dig output would always match the
    QUESTION section (";example.com. IN DS") and report DNSSEC as enabled."""
    try:
        result = subprocess.run(
            ["dig", "+dnssec", "+noall", "+answer", rrtype, domain],
            capture_output=True, text=True, timeout=10, check=False,
        )
    except FileNotFoundError:
        raise SystemExit("dig not found: install bind-utils / dnsutils")
    return [line for line in result.stdout.splitlines() if line.strip()]

def has_rrtype(lines: list[str], rrtype: str) -> bool:
    """True if any answer line has the given type (fields: name TTL class TYPE ...)."""
    for line in lines:
        fields = line.split()
        if len(fields) > 3 and fields[3] == rrtype:
            return True
    return False

# Query DNSSEC records using dig (presence check only; it does not validate signatures)
def check_dnssec(domain: str) -> None:
    print(f"Checking DNSSEC for: {domain}")

    # DNSKEY: the zone publishes its public keys
    if has_rrtype(dig_answer(domain, "DNSKEY"), "DNSKEY"):
        print("  ✓ DNSKEY record found")
    else:
        print("  ✗ No DNSKEY record")

    # DS: the parent zone publishes a digest of the child's key (chain of trust)
    if has_rrtype(dig_answer(domain, "DS"), "DS"):
        print("  ✓ DS record found (DNSSEC enabled)")
    else:
        print("  ✗ No DS record (DNSSEC not fully configured)")

    # RRSIG: +dnssec asks the resolver to return the signatures with the A RRset
    if has_rrtype(dig_answer(domain, "A"), "RRSIG"):
        print("  ✓ RRSIG present (records are signed)")
    else:
        print("  ✗ No RRSIG (records not signed)")

check_dnssec("cloudflare.com")
