## 背景与价值

域名解析是外联的前置环节。通过白名单与 DoH 解析策略,可降低解析链路被劫持的风险,并提升可控性与审计性。需要注意:DoH 只保护客户端到解析器之间的通道(TLS),并不校验应答本身的真实性(本文代码不做 DNSSEC 验证),因此解析器本身必须是受信任、且被出口策略明确放行的端点。

## 统一规范

- 白名单:仅允许已批准的域名解析与外联;匹配为精确匹配,子域名不自动继承。
- 超时与重试:解析请求设置超时与最大重试次数,采用带抖动的指数退避。
- 记录审计:对解析结果与失败原因进行结构化记录。

## 核心实现:策略与解析

const allowDomains = new Set(['example.com','app.example.com'])

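/**
 * Allowlist check for a DNS name.
 *
 * DNS names are case-insensitive and a trailing dot only marks the root, so
 * the candidate is lowercased and a single trailing dot is stripped before the
 * exact-match lookup in `allowDomains`. Matching is exact: subdomains of an
 * allowed name are NOT implicitly allowed (`evil.example.com` is rejected
 * unless listed). Entries in `allowDomains` are expected to be lowercase and
 * without a trailing dot; an entry written otherwise would never match.
 *
 * @param d - the name to check, exactly as received from the caller
 * @returns true only when the normalized name is present in the allowlist
 */
function domainAllowed(d: string): boolean {
  // Normalize only what DNS itself treats as equivalent; everything else is
  // rejected by the exact lookup, which keeps the deny-by-default behaviour.
  const lower = d.toLowerCase()
  const normalized = lower.endsWith('.') ? lower.slice(0, -1) : lower
  return allowDomains.has(normalized)
}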

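/**
 * Jittered exponential backoff delay for retry `attempt` (0-based).
 *
 * The nominal delay is `baseMs * 2^attempt`, capped at `maxMs`; jitter then
 * scales it into [0.75x, 1.25x) so that many clients retrying at once do not
 * synchronize. The final value is clamped to `maxMs` so the cap is honoured
 * even after jitter (previously the jitter could push the delay up to
 * 1.25 * maxMs, i.e. past the stated ceiling).
 *
 * @param baseMs - delay for attempt 0, in milliseconds
 * @param attempt - zero-based retry index
 * @param maxMs - upper bound on the returned delay, in milliseconds
 * @returns an integer number of milliseconds in [0.75 * nominal, maxMs]
 */
function backoff(baseMs: number, attempt: number, maxMs: number): number {
  const nominal = Math.min(maxMs, baseMs * Math.pow(2, attempt))
  // Uniform jitter in 0.75..1.25 of nominal. Math.random is not
  // cryptographic, which is fine for spreading retry timing.
  const jittered = nominal * 0.75 + Math.random() * nominal * 0.5
  return Math.floor(Math.min(maxMs, jittered))
}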

/** One resource record from a dns-json `Answer` section. */
type DoHAnswer = {
  /** Owner name of the record. */
  name: string
  /** RDATA rendered as text (an IPv4 address for A records, a target name for CNAME). */
  data: string
  /** Numeric RR type (1 = A, 5 = CNAME, ...). */
  type: number
}

/**
 * Subset of the JSON body returned by a DoH resolver for
 * `application/dns-json` queries.
 *
 * `Status` is the DNS RCODE in the dns-json format (0 = NOERROR); the callers
 * in this file treat any non-zero value as a failed resolution. `Answer` is
 * absent when the response carries no records. A CNAME chain appears in
 * `Answer` alongside the A records, so a consumer that wants addresses only
 * must filter on `type`.
 */
type DoHRes = { Status: number; Answer?: DoHAnswer[] }

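/**
 * Resolve the A records for `domain` over DNS-over-HTTPS.
 *
 * The query goes to a single hard-coded resolver (Cloudflare's
 * `application/dns-json` endpoint) with a wall-clock budget of `timeoutMs`
 * that covers the whole exchange, including reading the body. Any failure —
 * timeout, network error, non-2xx status, non-JSON body, or a body without
 * the expected `Status`/`Answer` shape — yields `null`; the function never
 * rejects. The cause is not surfaced here; the caller records the null as a
 * failed attempt.
 *
 * Deployment notes:
 * - The resolver hostname is itself reached through the platform's own
 *   DNS/egress. DoH protects the channel to that resolver (TLS); the answers
 *   are only as trustworthy as the resolver — there is no DNSSEC validation
 *   in this code, and the egress policy must explicitly allow the resolver.
 * - Only `type=A` is queried; AAAA records are not returned.
 *
 * @param domain - the name to look up (URL-encoded before use)
 * @param timeoutMs - total time budget in milliseconds
 * @returns the validated response body, or null on any failure
 */
async function dohResolve(domain: string, timeoutMs: number): Promise<DoHRes | null> {
  const ctrl = new AbortController()
  const timer = setTimeout(() => ctrl.abort(), timeoutMs)
  try {
    const url = 'https://cloudflare-dns.com/dns-query?name=' + encodeURIComponent(domain) + '&type=A'
    const r = await fetch(url, { headers: { 'accept': 'application/dns-json' }, signal: ctrl.signal })
    if (!r.ok) return null
    // `await` matters here: a bare `return r.json()` hands a rejecting
    // promise to the caller and bypasses this try/catch on malformed JSON.
    const body: unknown = await r.json()
    // The resolver is a remote party; do not trust the body's shape blindly.
    return isDoHRes(body) ? body : null
  } catch {
    // Timeout (AbortError), network failure and JSON parse errors all
    // collapse to null by contract.
    return null
  } finally {
    // Cleared only after the body has been read, so the timer also bounds a
    // slow body, not just the response headers.
    clearTimeout(timer)
  }
}

/** Runtime shape check so an unexpected resolver body is never treated as a DoHRes. */
function isDoHRes(v: unknown): v is DoHRes {
  if (typeof v !== 'object' || v === null) return false
  const o = v as { Status?: unknown; Answer?: unknown }
  if (typeof o.Status !== 'number') return false
  if (o.Answer === undefined) return true
  if (!Array.isArray(o.Answer)) return false
  return o.Answer.every((a: unknown) => {
    if (typeof a !== 'object' || a === null) return false
    const rec = a as { name?: unknown; data?: unknown; type?: unknown }
    return typeof rec.name === 'string' && typeof rec.data === 'string' && typeof rec.type === 'number'
  })
}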

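/**
 * Structured audit record for one resolution request.
 *
 * `status` is the resolver's DNS RCODE (0 = success) or -1 when the last
 * response carried no numeric status; `answers` holds the `data` field of
 * every record in the successful response (empty on failure). `reason` is
 * present only on failure and carries a short machine-readable explanation
 * so the failure cause is not lost from the audit trail.
 */
type Audit = { domain: string; status: number; answers: string[]; reason?: string }

/**
 * Resolve `domain` under the allowlist/DoH policy with bounded retries.
 *
 * Behaviour:
 * - A name not on the allowlist is refused before any network traffic and
 *   yields null. Callers that need denials in the audit log must record
 *   them themselves; this function does not distinguish "denied" from
 *   "never got a response" in its return value.
 * - Up to `attempts` DoH queries are made, each with an 800 ms budget; a
 *   response with RCODE 0 ends the loop. Between attempts — but not after the
 *   last one — the loop sleeps for a jittered exponential backoff starting at
 *   `baseMs` and capped at `maxMs`.
 * - If every attempt failed without any response (timeout, network error,
 *   malformed body) the result is null; if the last attempt did produce a
 *   response with a non-zero RCODE, an Audit with that status, no answers and
 *   a `reason` is returned so the failure can be logged.
 *
 * `answers` is taken verbatim from the resolver's Answer section, which may
 * include CNAME targets as well as A addresses; a caller that feeds it into
 * an address allowlist should filter on record type first.
 *
 * @param domain - the name to resolve
 * @param attempts - maximum number of DoH queries (default 3)
 * @param baseMs - initial backoff delay in milliseconds (default 100)
 * @param maxMs - backoff ceiling in milliseconds (default 1000)
 * @returns an Audit record, or null when the name is not allowed or no
 *   resolver response was ever received
 */
async function resolveWithPolicy(domain: string, attempts = 3, baseMs = 100, maxMs = 1000): Promise<Audit | null> {
  if (!domainAllowed(domain)) return null
  let lastResponse: DoHRes | null = null
  for (let attempt = 0; attempt < attempts; attempt++) {
    const res = await dohResolve(domain, 800)
    if (res && res.Status === 0) {
      return { domain, status: res.Status, answers: (res.Answer || []).map(a => a.data) }
    }
    lastResponse = res
    // Sleeping after the final attempt only adds dead time to every failure
    // (the previous version slept unconditionally), so skip it.
    if (attempt < attempts - 1) {
      await new Promise<void>(resolve => setTimeout(resolve, backoff(baseMs, attempt, maxMs)))
    }
  }
  if (!lastResponse) return null
  // A zero status returned inside the loop, so this is a non-zero RCODE; the
  // `|| -1` only guards against a resolver body that lacked a numeric Status.
  const status = lastResponse.Status || -1
  return { domain, status, answers: [], reason: 'rcode=' + status }
}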

## 落地建议

解析与外联仅允许白名单域名,统一走 DoH 通道并设置超时与重试策略。对解析结果进行审计,失败与异常(超时、网络错误、非零 RCODE、应答格式异常)统一记录并报警;白名单拒绝同样应被记录,否则无法发现被阻断的异常外联企图。配合出口治理阻断对非白名单域的直接访问,同时在出口策略中显式放行 DoH 解析器本身,并确保其 TLS 证书校验不被关闭,否则 DoH 通道本身就可能被劫持。

## 验证清单

- 请求域名是否命中白名单(含大小写、尾部点号等等价写法的处理,以及子域名不被隐式放行)。
- 解析是否在超时与重试策略内完成,且超时覆盖响应体读取而不仅是响应头。
- 审计是否记录解析结果与失败原因,包括被白名单拒绝的请求。
