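背景与价值

域名解析是外联的前置环节。通过白名单与 DoH 解析策略,可降低劫持风险并提升可控性与审计性。

统一规范

白名单:仅允许批准域名解析与外联。
超时与重试:解析请求设置超时与最大重试次数,指数退避。
记录审计:对解析结果与失败原因进行结构化记录。

核心实现

策略与解析

// Allow-list of domains that may be resolved (and, downstream, connected to).
// Entries are stored lowercase without a trailing dot; domainAllowed()
// canonicalizes its input the same way before the lookup.
const allowDomains = new Set(['example.com', 'app.example.com'])

// DoH endpoint used for every lookup (JSON API, type=A queries).
const DOH_ENDPOINT = 'https://cloudflare-dns.com/dns-query'

/**
 * Canonicalize a DNS name for allow-list comparison.
 * DNS names are case-insensitive and a trailing dot denotes the same
 * fully-qualified name, so 'EXAMPLE.COM.' must match 'example.com'.
 */
function canonicalDomain(d: string): string {
  return d.toLowerCase().replace(/\.$/, '')
}

/**
 * Exact-match allow-list check. Subdomains are NOT implicitly allowed:
 * 'evil.example.com' is rejected unless it is listed explicitly.
 * @returns true only for a non-empty name present in allowDomains.
 */
function domainAllowed(d: string): boolean {
  const name = canonicalDomain(d)
  return name.length > 0 && allowDomains.has(name)
}

/**
 * Exponential backoff with jitter, in milliseconds.
 * The nominal delay is baseMs * 2^attempt capped at maxMs, then jittered to
 * 75%..125% of that value. The result is clamped to maxMs, because jittering
 * after the cap could otherwise overshoot it by up to 25%.
 * @param baseMs delay for attempt 0
 * @param attempt zero-based retry index; negative values are treated as 0
 * @param maxMs hard upper bound on the returned delay
 */
function backoff(baseMs: number, attempt: number, maxMs: number): number {
  const exp = Math.min(maxMs, baseMs * Math.pow(2, Math.max(0, attempt)))
  const jitter = Math.random() * exp * 0.5
  return Math.min(maxMs, Math.floor(exp * 0.75 + jitter))
}

type DoHAnswer = { name: string; data: string; type: number }
type DoHRes = { Status: number; Answer?: DoHAnswer[] }

/**
 * Minimal structural validation of a parsed DoH JSON body. The resolver's
 * response is network input; r.json() is typed unknown and must be checked
 * before the fields are trusted.
 */
function isDoHRes(v: unknown): v is DoHRes {
  if (typeof v !== 'object' || v === null) return false
  const o = v as { Status?: unknown; Answer?: unknown }
  if (typeof o.Status !== 'number') return false
  if (o.Answer === undefined) return true
  if (!Array.isArray(o.Answer)) return false
  return o.Answer.every(a =>
    typeof a === 'object' && a !== null &&
    typeof (a as DoHAnswer).name === 'string' &&
    typeof (a as DoHAnswer).data === 'string' &&
    typeof (a as DoHAnswer).type === 'number')
}

/**
 * Resolve `domain` (A records) over DoH with a hard timeout that covers the
 * whole request, including the body read.
 * @param domain name to query, sent as given
 * @param timeoutMs overall deadline for the request
 * @returns the shape-validated response, or null on timeout, network error,
 *   non-2xx status or an unexpected body. The causes are not distinguished;
 *   all of them mean "no usable answer".
 */
async function dohResolve(domain: string, timeoutMs: number): Promise<DoHRes | null> {
  const ctrl = new AbortController()
  const t = setTimeout(() => ctrl.abort(), timeoutMs)
  try {
    const url = DOH_ENDPOINT + '?name=' + encodeURIComponent(domain) + '&type=A'
    const r = await fetch(url, { headers: { 'accept': 'application/dns-json' }, signal: ctrl.signal })
    if (!r.ok) return null
    const body: unknown = await r.json()
    return isDoHRes(body) ? body : null
  } catch {
    return null
  } finally {
    // Cleared in finally so the timer is released on every path and the
    // deadline also applies to the body read (previously it was cleared as
    // soon as the headers arrived, so a slow body could hang indefinitely).
    clearTimeout(t)
  }
}

type Audit = { domain: string; status: number; answers: string[] }

/**
 * Policy-enforcing resolver: allow-list check, DoH lookup, bounded retries
 * with exponential backoff.
 * @param domain name to resolve
 * @param attempts maximum number of DoH requests (assumed >= 1)
 * @param baseMs backoff base delay, see backoff()
 * @param maxMs backoff upper bound, see backoff()
 * @param timeoutMs per-request deadline (previously a hard-coded 800 ms)
 * @returns on success, an Audit holding the A-record addresses; when every
 *   attempt got a non-zero DNS status, an Audit with empty answers and the
 *   last status seen; null when the domain is not allowed or no attempt
 *   produced any response at all.
 */
async function resolveWithPolicy(domain: string, attempts = 3, baseMs = 100, maxMs = 1000, timeoutMs = 800): Promise<Audit | null> {
  if (!domainAllowed(domain)) return null
  let last: DoHRes | null = null
  for (let i = 0; i < attempts; i++) {
    const res = await dohResolve(domain, timeoutMs)
    if (res && res.Status === 0) {
      // An A query may also carry CNAME records in the answer chain; their
      // data is a name, not an address, so only type 1 (A) entries are
      // reported as answers.
      const answers = (res.Answer ?? []).filter(a => a.type === 1).map(a => a.data)
      return { domain, status: res.Status, answers }
    }
    // Keep the most recent real response; a later timeout must not erase
    // the DNS status a previous attempt reported.
    if (res) last = res
    // No delay after the final attempt: the caller gets its result at once.
    if (i + 1 < attempts) await new Promise(r => setTimeout(r, backoff(baseMs, i, maxMs)))
  }
  if (!last) return null
  return { domain, status: last.Status, answers: [] }
}

落地建议

解析与外联仅允许白名单域名,统一 DoH 通道并设置超时与重试策略。
对解析结果进行审计,失败与异常统一记录并报警。
配合出口治理阻断对非白名单域的直接访问。

验证清单

请求域名是否命中白名单;解析是否在超时与重试策略内完成。
审计是否记录解析结果与失败原因。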
