Slide 1

Slide 1 text

DNS    

Slide 2

Slide 2 text

Web  

Slide 3

Slide 3 text

Web  https://ngk2018b.connpass.com/event/104965/ 

Slide 4

Slide 4 text

  https://ngk2018b.connpass.com/event/104965/  

Slide 5

Slide 5 text

Web    Web     

Slide 6

Slide 6 text

 ?

Slide 7

Slide 7 text

 ?

Slide 8

Slide 8 text

  Web      

Slide 9

Slide 9 text

 

Slide 10

Slide 10 text

Web   https://ngk2018b.connpass.com/event/104965/ 

Slide 11

Slide 11 text

    

Slide 12

Slide 12 text

DNS   

Slide 13

Slide 13 text

DNS   Web  DNS    DNS               Web     

Slide 14

Slide 14 text



Slide 15

Slide 15 text

Mac (UNIX like OS), Windows
• DNS
https://tomocha.net/diary/?20180818#201808182

Slide 16

Slide 16 text

Unbound 2018/12/11 1.8.3
• Windows
  • https://www.nlnetlabs.nl/projects/unbound/download/
• Mac
  • https://www.nlnetlabs.nl/projects/unbound/download/
  • /Library/LaunchDaemons/ plist

Slide 17

Slide 17 text

$ tar xvf unbound-1.8.3.tar.gz
$ ls unbound-1.8.3
$ cd unbound-1.8.3
$ ./configure
$ make
$ make check
$ sudo make install

Slide 18

Slide 18 text

Label homebrew.mxcl.unbound
KeepAlive
RunAtLoad
ProgramArguments /usr/local/sbin/unbound -d -c /usr/local/etc/unbound/unbound.conf
StandardErrorPath /dev/null
StandardOutPath /dev/null
plist

Slide 19

Slide 19 text

• Mac
  • /usr/local/etc/unbound/unbound.conf
    include: "/usr/local/etc/unbound/blocking.conf"
• Windows
  • C:\Program Files\Unbound\blocking.conf
    include: "C:\Program Files\Unbound\blocking.conf"
Unbound

Slide 20

Slide 20 text

DO bit off
Unbound 1.8.1 default DO bit on DNSSEC TCP
harden-referral-path: no
↓
harden-referral-path: yes
• Mac
  • /usr/local/etc/unbound/unbound.conf
• Windows
  • C:\Program Files\Unbound\blocking.conf
http://www.e-ontap.com/blog/20181031.html

Slide 21

Slide 21 text

EDNS 512
edns-buffer-size: 4096
↓
edns-buffer-size: 512
• Mac
  • /usr/local/etc/unbound/unbound.conf
• Windows
  • C:\Program Files\Unbound\blocking.conf
http://www.e-ontap.com/blog/20181031.html
EDNS

Slide 22

Slide 22 text

• https://280blocker.net/download/
• https://280blocker.net

Slide 23

Slide 23 text

• blocking.conf
  local-zone: " ." static
  nodata nxdomain

Slide 24

Slide 24 text

• Mac
  • sudo pkill -HUP unbound
• Windows
  • Unbound DNS validator

Slide 25

Slide 25 text

 DNS   

Slide 26

Slide 26 text

  

Slide 27

Slide 27 text

googleadservices.com

Slide 28

Slide 28 text

googleadservices.com Google Public DNS

Slide 29

Slide 29 text

  "Your_cache_server_is_vulnerable.”    DO bit  off   

Slide 30

Slide 30 text

EDNS
dig rs.dns-oarc.net txt
xxx.xxx.xxx.xxx IP

Slide 31

Slide 31 text

 DNS 

Slide 32

Slide 32 text

Mac DNS 

Slide 33

Slide 33 text

    

Slide 34

Slide 34 text

  

Slide 35

Slide 35 text

DNS
1. DNS
2. +

Slide 36

Slide 36 text

DNS
1. 127.0.0.1

Slide 37

Slide 37 text

DNS
1. 127.0.0.1
2. OK

Slide 38

Slide 38 text

DNS  

Slide 39

Slide 39 text

Windows DNS 

Slide 40

Slide 40 text

     

Slide 41

Slide 41 text

        

Slide 42

Slide 42 text

NIC   1.    2. NIC  3.  

Slide 43

Slide 43 text

NIC
1. 4 (TCP/IPv4)
2.

Slide 44

Slide 44 text

DNS
1. DNS

Slide 45

Slide 45 text

DNS
1. 127.0.0.1
2. OK

Slide 46

Slide 46 text

DNS OK

Slide 47

Slide 47 text

DNS  

Slide 48

Slide 48 text

  https://ngk2018b.connpass.com/event/104965/ 

Slide 49

Slide 49 text

DNS
• DNS
• Unbound
• Unbound
• include
• DO bit off (DNSSEC)
• EDNS 512
https://tomocha.net/diary/?20180818#201808182