The Case of the Recursive Resolvers

On September 30th 2021, Slack had an outage that impacted less than 1% of our online user base, and lasted for 24 hours. This outage was the result of our attempt to enable DNSSEC — an extension intended to secure the DNS protocol, required for FedRAMP Moderate — but which ultimately led to a series of unfortunate events.

The internet relies very heavily on the Domain Name System (DNS) protocol. DNS is like a phone book for the entire internet. Web sites are accessed through domain names, but web browsers interact using IP addresses. DNS translates domain names to IP addresses, so that browsers can load the sites you need. Refer to ‘What is DNS?’ by Cloudflare to read more about how DNS works and all the necessary steps to do a domain name lookup.

DNS as a protocol is insecure by default: anyone on the network path between the client and the authoritative DNS name server for a given domain name can tamper with the response, directing the client elsewhere. DNS has a security extension commonly referred to as DNSSEC, which prevents tampering with responses between the authoritative DNS server of the domain name (i.e. slack.com.) and the client’s DNS recursive resolver of choice. DNSSEC will not protect the last mile of DNS — which is the communication between the client and their DNS recursor — from a MiTM attack. While we are aware of the debate around the utility of DNSSEC among the DNS community, we are still committed to securing Slack for our customers.
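The last-mile limitation described above, as an added Python example that is not part of the Slack post: a stub client asks its recursor for DNSSEC data (DO bit) and gets back only the AD header flag, which no signature covers. The function names and the reply bytes are constructed for illustration.

```python
import struct

# Header flag masks (RFC 1035, RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
DO = 0x8000  # "DNSSEC OK" bit inside the EDNS0 OPT TTL field (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234):
    """Build an A query that asks the recursor for DNSSEC processing (DO=1)."""
    header = struct.pack("!HHHHHH", msg_id, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, TYPE=41, CLASS=UDP size, TTL carries DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def stub_view(message):
    """What a non-validating stub learns from the recursor's reply header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 2:
        # A validating recursor answers bogus data with SERVFAIL; the stub
        # cannot tell this apart from any other server failure.
        return "SERVFAIL"
    if rcode != 0:
        return "error rcode=%d" % rcode
    # AD is an unsigned header bit: it is only as trustworthy as the path
    # between the stub and its recursor.
    return "resolver-validated" if flags & AD else "unvalidated"

def constructed_reply(query, ad, rcode=0):
    """Constructed sample reply: echo the question, set QR/RA and chosen AD/rcode."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    qlen = len(query) - 12 - 11  # strip the header and the 11-byte OPT record
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + query[12:12 + qlen]
```

A client that needs more than the recursor's word has to validate signatures itself or reach the recursor over an authenticated channel.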

At Slack, we use Amazon Route 53 as our authoritative...