Hello, I’m Wu Hongsheng.
Back in 2005, I built a small DNS-related product, DNSPod.
The background for such a product at the time was simple. It was still the era of "Telecom in the south, Unicom and Netcom in the north", and I believe many people remember it: when you opened a website, the first thing you saw was not the home page but a maze of links labelled "Telecom 1", "Telecom 2", "Netcom 1", "Netcom 2" and so on. The operators set barriers against each other, and the result was either slower connections or users paying the price. DNSPod solved this problem in a very elegant way, automatically routing each user to the server on the matching network. It was also through this that many friends came to know DNSPod, and me.
For many people, even long-time users of DNSPod, the impression of DNSPod is still frozen at that early stage. In fact, today's DNSPod has long ceased to be a single domain-name resolution product; it has quietly grown into a giant handling more than 1.6 trillion resolutions a day. Over that period our technical solution has gone through many significant upgrades: we carried out long and detailed analysis of the underlying resolution techniques, innovated and learned through trial and error, and built our self-developed recursive and authoritative servers on an F-Stack/DPDK architecture, continuously probing the performance limit so as to give users the fastest and most stable resolution experience we can.
Beyond the rapid advances in the hard power of the technology, I have been thinking about unmet needs around DNS use. So in recent years, in addition to the comprehensive upgrade of the authoritative packages that everyone knows about, we also launched a series of DNS-related products and services: mobile resolution (HTTPDNS), intranet resolution (Private DNS), public resolution (IGTM), DoT, DoH and others. After several years of gray releases and polishing of the underlying modules, a complete full-link DNS solution has taken shape.
The power of the new DNSPod: the secrets of DoH
What are the advantages of this new DNSPod? Today I would like to share with you our national-secret DoH (DoH built on China's SM cryptographic algorithms).
DoH stands for DNS over HTTPS: the DNS protocol is carried over HTTPS. DoH rests on the same security principle as DoT, carrying DNS over TLS. TLS is one of the most widely used encryption protocols on the Internet; the security of every HTTPS site we visit is built on it. Compared with plain UDP, which is connectionless and unencrypted, TLS itself provides confidentiality and integrity.
So how does the TLS protocol itself achieve integrity and confidentiality? The basic idea of TLS is certificates plus an encryption mechanism. A certificate is like a valid ID card. When the client initiates a connection to the server, the two parties verify each other's identity: the server sends its certificate to the client, and the client verifies the certificate's contents and validity.
The handshake protocol uses public-key cryptography: first the client asks the server for its public key and verifies it. After verification, the two parties negotiate a "session key", like a Morse code known only to the two of them. From then on, both sides encrypt their communication with the session key. If the handshake protocol is the set of coded letters exchanged between you and your pen pal, the certificate is the guarantee that the person you are writing to really is your pen pal.
DoT connects to DNS servers over TLS on a dedicated port, whereas DoH sends queries to specific HTTP endpoints on the HTTPS port using the HTTP application-layer protocol. In practice, the DoT port is 853 and the DoH port is 443.
However, the added handshake and the data-encryption steps mean that the time spent on the initial negotiation inevitably makes transmission slower.
But! Through our team's efforts, we reworked and optimized the client side, adopting local caching, prefetching, connection reuse and other techniques, and actively optimized the overall flow to achieve latency comparable to the original DNS protocol. In fact, this is just a small example of DNSPod's hard power, and we do not stop there.
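The DoH transport described above, worked through as an added example; this is not DNSPod's code. It builds a DNS question in wire format, wraps it the way RFC 8484 prescribes for a GET (base64url in the dns= parameter, no padding) and for a POST (body of type application/dns-message), and parses a DoH response body to pull out the answers and the minimum TTL, which is the bound a local cache may keep the result for. The resolver URL https://doh.example/dns-query and the response bytes are constructed placeholders; nothing is sent over the network.

```python
"""Added example: RFC 8484 DoH request encoding and response parsing.
Not DNSPod's code. Resolver URL and response bytes are constructed."""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type
DOH_PORT = 443   # DoH rides on HTTPS; DoT uses its own port, 853


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query in wire format. RFC 8484 recommends ID 0 so that identical
    questions produce identical bodies (HTTP caches can then reuse them)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base: str, wire: bytes) -> str:
    """GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def doh_post_request(wire: bytes) -> dict:
    """POST form: raw wire message as the body with the DoH media type."""
    return {"method": "POST",
            "headers": {"Content-Type": DOH_CONTENT_TYPE,
                        "Accept": DOH_CONTENT_TYPE},
            "body": wire}


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse a DoH response body; cache_ttl is the smallest answer TTL."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"rcode": flags & 0xF, "answers": answers,
            "cache_ttl": min((a["ttl"] for a in answers), default=0)}


def build_sample_response(query: bytes, addrs, ttl: int) -> bytes:
    """Constructed sample response: echoes the question and answers with
    A records whose owner name points back to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        rrs += bytes(int(x) for x in a.split("."))
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))
    print(parse_response(build_sample_response(q, ["192.0.2.1"], 300)))
```

The cache_ttl value is what a client-side cache such as the one described above would key its expiry on; prefetching before that TTL runs out is what keeps the TLS handshake cost off the critical path.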
Developing national-secret products: what the times require
As practitioners in the network-security industry, we know that cryptographic algorithms are the core technology for guaranteeing information security, yet many core fields in our country have long used 3DES and other internationally common cryptographic algorithm systems. Cryptography acts directly on data; it is the core means of data protection and an important foundation for the ecological security and normal operation of the information industry, playing an irreplaceable role in computer and network system security. Popularizing domestic cryptographic technology and applying commercial cryptographic algorithms is one of the necessary measures for building China's cyberspace security infrastructure. For these reasons, developing national-secret products is required not only by enterprises but also by the times.
Therefore we adapted the key-negotiation part of the communication to the national-secret algorithm SM2. During the handshake between nodes, SM2 cipher suites and SM2 digital certificates are used, turning DNSPod DoH into a national-secret DoH.
The TLS flow based on the SM2 algorithm is divided into the following steps:
- Handshake request phase: The client sends a Hello packet to the server to request the server certificate.
- Server authentication: The server sends its certificate to the client.
- Client authentication: The client verifies the validity of the server certificate and initiates the key exchange process.
- Complete handshake: The key exchange is complete, and subsequent data transmission is encrypted based on the negotiated key.
As you can see, there are major differences from the traditional TLS handshake:
- In the server authentication stage, the server uses an SM2 certificate, which contains its SM2 public key.
- During client authentication, the key exchange message carries the pre-master secret, encrypted with the SM2 public key from the server's certificate.
- In the client authentication phase, on receiving the certificate request the client first sends its own SM2 certificate to the server, then the key exchange message, and then the signature made with its SM2 certificate. The server authenticates the client using that SM2 certificate signature.
- When the client sends its SM2 certificate signature, a hash value computed over the public key in the server's SM2 certificate is included in the signed text.
DNSPod's national-secret DoH is the first DoH product in China to support domestic cryptographic algorithms. Frankly, such a product demands a huge investment of people and energy, and it is hard to turn it into commercial return in the short term. But in my view, for DNSPod, as a leading domestic DNS service provider, to build network-encryption products of the Chinese people's own, to defend Chinese people's own confidential information and privacy, and to fill the gap in independently controllable, localized security products in China, is to some extent the sense of mission of a trailblazer.
I also hope that in the future, more enterprises and developers can devote themselves to the field of state secret products and build this industrial chain together.