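Recently, some social media posts have claimed that Elon Musk bought 錢.tw and pointed it at https://x.com/elonmusk . I checked, and I think the evidence is not enough to show that Elon Musk bought 錢.tw.
Whois lookup
.TW is one of the top-level domains (TLDs) and is managed by twnic.tw. Whois information can be looked up at twnic.tw. Whois is a protocol for querying information such as a domain's IP and owner, and it is commonly used to check whether a domain has already been registered.
The following information can be found at https://www.twnic.tw/whois_n.cgi?query=錢.tw :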
註冊原型域名: 錢.tw (xn--sw4a.tw)
繁體對照字域名: 錢.tw (xn--sw4a.tw)
簡体對照字域名: 钱.tw (xn--674a.tw)
自動解析域名: 錢.tw (xn--sw4a.tw)
钱.tw (xn--674a.tw)
保留字域名(由下列相關字組合之域名):
銭 錢 钱
Domain Status: ok
Registrant:
(Redacted for privacy)
Administrative Contact:
(Redacted for privacy)
Technical Contact:
(Redacted for privacy)
Record expires on 2025-11-05 11:07:12 (UTC+8)
Record created on 2024-11-05 11:07:12 (UTC+8)
Domain servers in listed order:
fay.ns.cloudflare.com
max.ns.cloudflare.com
Registration Service Provider: HINET
Registration Service URL: http://domain.hinet.net
Registrar Abuse Contact Email: [email protected]
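Reading the record above: Chinese characters can also be registered as domain names. Most modern browsers support internationalized domain names (IDN), that is, they convert domain names containing non-ASCII characters to Punycode (the IDN encoding). For example, 錢.tw above converts to xn--sw4a.tw, and https://www.佐拉科技有限公司.com converts to https://www.xn--qqq44c53cd8xokat1ttz0brw1c.com . However, the registration information for 錢.tw is hidden. The domain was registered on 5 November 2024 through Chunghwa Telecom ( http://domain.hinet.net ) and uses Cloudflare's CDN service.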
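As an added illustration (not part of the original post), the Python below re-derives the Punycode forms shown in the whois record with the standard library's idna codec and confirms that each Unicode/ASCII pair round-trips. The function names are this example's own; the three variant characters come from the record's reserved-character list, and each one encodes to a different DNS name.

```python
import re

# WHOIS lines copied from the record above: "Unicode name (ASCII name)" pairs.
WHOIS_LINES = """\
註冊原型域名: 錢.tw (xn--sw4a.tw)
簡体對照字域名: 钱.tw (xn--674a.tw)
"""

PAIR = re.compile(r"(\S+)\s+\((xn--[a-z0-9-]+(?:\.[a-z0-9-]+)+)\)")


def to_alabel(name: str) -> str:
    """Unicode domain -> ASCII (Punycode) form, as the DNS sees it."""
    return name.encode("idna").decode("ascii")


def to_ulabel(name: str) -> str:
    """ASCII (Punycode) domain -> Unicode form, as a browser displays it."""
    return name.encode("ascii").decode("idna")


def check_pairs(text: str) -> list[tuple[str, str, bool]]:
    """Return (unicode, ascii, consistent) for every pair found in text."""
    results = []
    for uni, asc in PAIR.findall(text):
        ok = to_alabel(uni) == asc and to_ulabel(asc) == uni
        results.append((uni, asc, ok))
    return results


def variant_alabels(chars: str, tld: str = "tw") -> dict[str, str]:
    """ASCII form for each variant character; each is a separate DNS name."""
    return {c: to_alabel(f"{c}.{tld}") for c in chars}


if __name__ == "__main__":
    for row in check_pairs(WHOIS_LINES):
        print(row)
    print(variant_alabels("銭錢钱"))
```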
Web host information
Use the curl command to view the response headers from the 錢.tw host:
% curl -I https://xn--sw4a.tw
HTTP/2 301
date: Sun, 15 Dec 2024 00:12:36 GMT
content-type: text/html
content-length: 167
location: https://x.com/elonmusk
cache-control: max-age=3600
expires: Sun, 15 Dec 2024 01:12:36 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZFHEPpUg30%2BwEKPtjAci34uEF4EB5KwLF7tZLQRRUS23MDsUWOsOTb2%2F1ZhNJ1qSe2RN62LPprqW1H6UhSfJkPuI%2BnP%2Flci3XcFJtlAN%2FJ4Ibk4ythnTduE1tx1HOqk2%2FAWzAX8TRcfEIg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8f2239189c42b2fe-TPE
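The useful information above is that the site answers with an HTTP/2 301 redirect to https://x.com/elonmusk , with a cache time of 3600 seconds. That means the real host is queried again only after 1 hour; the rest of the time the page content is returned by Cloudflare, the reverse proxy server.
SSL certificate
Next, run curl -v https://xn--sw4a.tw to see what information is available: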
% curl -v https://xn--sw4a.tw
* Connected to xn--sw4a.tw (2606:4700:3030::6815:4b77) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=xn--sw4a.tw
* start date: Dec 5 16:33:31 2024 GMT
* expire date: Mar 5 16:33:30 2025 GMT
* subjectAltName: host "xn--sw4a.tw" matched cert's "xn--sw4a.tw"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://xn--sw4a.tw/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: xn--sw4a.tw]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: xn--sw4a.tw
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 301
< date: Sun, 15 Dec 2024 00:31:43 GMT
< content-type: text/html
< content-length: 167
< location: https://x.com/elonmusk
< cache-control: max-age=3600
< expires: Sun, 15 Dec 2024 01:31:43 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obD%2F8o73XEnwoMqLQ9urBRH43fjANx6xyQlleAN%2F21twtEFuzZQHG326TFI23HJYAg5mEwWot4ckA5aJGezfRsg4kkvmey0GlDoX3XpdYM7MNdBJMMfKDsC98M6J8YfOWCy6fLEQoNNNVA%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8f2255161aa8331d-TPE
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host xn--sw4a.tw left intact
zuola@zuolas-MacBook-Air ~ % curl -v https://xn--sw4a.tw
* Host xn--sw4a.tw:443 was resolved.
* IPv6: 2606:4700:3032::ac43:af93, 2606:4700:3030::6815:4b77
* IPv4: 172.67.175.147, 104.21.75.119
* Trying [2606:4700:3032::ac43:af93]:443...
* Trying 172.67.175.147:443...
* Connected to xn--sw4a.tw (2606:4700:3032::ac43:af93) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=xn--sw4a.tw
* start date: Dec 5 16:33:31 2024 GMT
* expire date: Mar 5 16:33:30 2025 GMT
* subjectAltName: host "xn--sw4a.tw" matched cert's "xn--sw4a.tw"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://xn--sw4a.tw/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: xn--sw4a.tw]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: xn--sw4a.tw
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 301
< date: Sun, 15 Dec 2024 00:32:08 GMT
< content-type: text/html
< content-length: 167
< location: https://x.com/elonmusk
< cache-control: max-age=3600
< expires: Sun, 15 Dec 2024 01:32:08 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EHV7Rvy8PKoQs%2BAXRlSi6U%2Bsc8f1MjxMIOYfoGDp0oxo8m2Isp14zjVAf9e0q5c4GXYkihKQcRbcRT%2Bgg5DTEwgQZTEIj3stryxe2iDleKY%2BX%2FOcTvCOB7EV3YBexajo8RVmWpn4cMhzPQ%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8f2255b50b2d332d-TPE
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host xn--sw4a.tw left intact
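The information above shows that although the domain was purchased at 11:07 on 5 November 2024, the Cloudflare SSL certificate was enabled at 16:33 on 5 December 2024. Only a month later did the owner think of using Cloudflare as a CDN, either to hide the real host address or simply to reduce the load on the host.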
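An added example, not from the original post: it pulls the certificate fields and response headers out of the curl -v lines quoted above and puts the whois creation time (UTC+8) and the certificate start date (GMT) on one clock. Function names are this example's own; note that the start date belongs to the certificate being served at the time of the request, and the suffix of cf-ray is the code of the Cloudflare data center that answered.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the whois record and the curl -v transcript above.
WHOIS_CREATED = "Record created on 2024-11-05 11:07:12 (UTC+8)"
CURL_VERBOSE = """\
* subject: CN=xn--sw4a.tw
* start date: Dec 5 16:33:31 2024 GMT
* expire date: Mar 5 16:33:30 2025 GMT
* issuer: C=US; O=Let's Encrypt; CN=E5
< HTTP/2 301
< location: https://x.com/elonmusk
< cf-ray: 8f2255b50b2d332d-TPE
"""


def parse_whois_time(line: str) -> datetime:
    """'... 2024-11-05 11:07:12 (UTC+8)' -> timezone-aware datetime."""
    m = re.search(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(UTC([+-]\d+)\)", line)
    tz = timezone(timedelta(hours=int(m.group(2))))
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def parse_curl(text: str) -> dict:
    """Collect certificate fields ('* k: v') and response headers ('< k: v')."""
    info = {"cert": {}, "headers": {}}
    for line in text.splitlines():
        m = re.match(r"([*<]) ([\w -]+?): (.*)", line)
        if m:
            bucket = "cert" if m.group(1) == "*" else "headers"
            info[bucket][m.group(2).lower()] = m.group(3).strip()
    for key in ("start date", "expire date"):
        stamp = " ".join(info["cert"][key].split()).removesuffix(" GMT")
        info["cert"][key] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return info


def summarize(whois_line: str, curl_text: str) -> dict:
    """Redirect target, answering edge, issuer and the two time spans."""
    info = parse_curl(curl_text)
    cert, hdr = info["cert"], info["headers"]
    return {
        "redirect_to": hdr.get("location"),
        "edge_colo": hdr["cf-ray"].rsplit("-", 1)[-1],  # data-center code
        "issuer": cert["issuer"],
        "registered_to_cert": cert["start date"] - parse_whois_time(whois_line),
        "cert_lifetime": cert["expire date"] - cert["start date"],
    }
```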
DNS lookup
Finally, let's look at how the domain xn--sw4a.tw is resolved:
% dig +trace xn--sw4a.tw
; <<>> DiG 9.10.6 <<>> +trace xn--sw4a.tw
;; global options: +cmd
. 2770 IN NS i.root-servers.net.
. 2770 IN NS a.root-servers.net.
. 2770 IN NS e.root-servers.net.
. 2770 IN NS k.root-servers.net.
. 2770 IN NS m.root-servers.net.
. 2770 IN NS j.root-servers.net.
. 2770 IN NS g.root-servers.net.
. 2770 IN NS d.root-servers.net.
. 2770 IN NS h.root-servers.net.
. 2770 IN NS c.root-servers.net.
. 2770 IN NS b.root-servers.net.
. 2770 IN NS f.root-servers.net.
. 2770 IN NS l.root-servers.net.
;; Received 239 bytes from fe80::6c3a:ffff:fe2c:db64%11#53(fe80::6c3a:ffff:fe2c:db64%11) in 5 ms
tw. 172800 IN NS anytld.apnic.net.
tw. 172800 IN NS a.dns.tw.
tw. 172800 IN NS c.dns.tw.
tw. 172800 IN NS b.dns.tw.
tw. 172800 IN NS d.dns.tw.
tw. 172800 IN NS e.dns.tw.
tw. 172800 IN NS f.dns.tw.
tw. 172800 IN NS g.dns.tw.
tw. 172800 IN NS h.dns.tw.
tw. 86400 IN DS 51277 8 2 462DA9AF501D2B1EEF6725522DB5972F8CD2490B51D92088FF1E3D2D E0EC7BCD
tw. 86400 IN RRSIG DS 8 1 86400 20241227170000 20241214160000 61050 . l6yAwYXLnPfPe6s+PSCXBQVsVoWV4W+24egKqUnIT+4nfg+5CT+L/d2+ nzH6kgIvPeWQDNxPUBlswoguT11oIZ8I3p+TOyuxq5vUESvQQgp/R6tk ixOnz7AtxTzkKY6TM4/6jgqHum2CGkzzSPWq54CmRIgYo3W4ablsd/3H LrAgscmZMu5LrLoH5eA5eD9omqjLz5+FgdhrRqm9ojFpS1/dj8Mftoku 6Qa0x8LDNo2N6iis5t9XPUW7ycmCo3RMgNeEumMhwml9Udhzy1MhFepK /2XzyVptEnoEe0QjYoFd1E+LmIwdwq5ZMTRMY0NJcPrfZ8b2or5F7vtU YD1Txg==
;; Received 879 bytes from 192.112.36.4#53(g.root-servers.net) in 130 ms
xn--sw4a.tw. 3600 IN NS fay.ns.cloudflare.com.
xn--sw4a.tw. 3600 IN NS max.ns.cloudflare.com.
5CS12GGF7OBDDUPJP7K0D74HG6IU0G5U.tw. 900 IN NSEC3 1 1 0 - 5CV5H40UUKARFGRHOJ6NC0PRVF3J5I8E NS SOA RRSIG DNSKEY NSEC3PARAM
5CS12GGF7OBDDUPJP7K0D74HG6IU0G5U.tw. 900 IN RRSIG NSEC3 8 2 900 20250113230022 20241214230022 14991 tw. hz+iweQdvcVJwE3wyD1BZJfgravzVXBGeKf+srGXaTh11Wo8coz18yoj Mfhvtf40A0urzYK1zCQ975+hHDnNjkda1Axu3Hx3aHHwbL82ININ8F5a +i+4QZzRMku27+QpzJ6vvDxEY0yRnb7NecFisW+9/R/wB7vWaqE+vi/W 7UU=
N0KPE50BHKUG765THO8AF758B5UOSATE.tw. 900 IN NSEC3 1 1 0 - N0MMJVQM441C4LGPV2UI07UT632QMVQ9 DNAME RRSIG
N0KPE50BHKUG765THO8AF758B5UOSATE.tw. 900 IN RRSIG NSEC3 8 2 900 20250113230022 20241214230022 14991 tw. fndWLLY/QSpqhtSgC3cmUmqxHSYful5YxOUYoMcHzLxft6cmVteeuArR gerVn394bupNEsekqI6dnujuweYWnhnWoEDzXum6NL0SKKmIj7y53TfG 4mN/BjtDsAHLqHezSPiNQHagkMoAL1iRiSdedEvqWaLK/NH/N6SLovmZ ct0=
;; Received 576 bytes from 34.141.111.176#53(g.dns.tw) in 513 ms
xn--sw4a.tw. 300 IN A 104.21.75.119
xn--sw4a.tw. 300 IN A 172.67.175.147
;; Received 72 bytes from 2803:f800:50::6ca2:c073#53(fay.ns.cloudflare.com) in 56 ms
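The output above shows where queries were sent during resolution. The steps are as follows: the root servers are queried first and the query is passed on to the .tw top-level name servers, the root servers having returned the list of name servers responsible for .tw. Then the second-level domain xn--sw4a.tw is looked up, and its name servers are fay.ns.cloudflare.com. and max.ns.cloudflare.com., two name servers provided by Cloudflare. Cloudflare has on record both the origin host address and the publicly exposed host address, that is, the CDN address, and Cloudflare's DNS servers return the two addresses 104.21.75.119 and 172.67.175.147 to the browser.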
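An added example, not from the original post: a small parser for the dig +trace output above that splits it into one step per answering server and checks that every server that answered had been named in the NS records of the previous step. The trace is abridged from the page's output; function names are this example's own.

```python
import re

# Abridged from the dig +trace output above (DNSSEC records and most
# root/TLD name servers omitted).
TRACE = """\
. 2770 IN NS g.root-servers.net.
;; Received 239 bytes from fe80::6c3a:ffff:fe2c:db64%11#53(fe80::6c3a:ffff:fe2c:db64%11) in 5 ms
tw. 172800 IN NS g.dns.tw.
tw. 172800 IN NS a.dns.tw.
;; Received 879 bytes from 192.112.36.4#53(g.root-servers.net) in 130 ms
xn--sw4a.tw. 3600 IN NS fay.ns.cloudflare.com.
xn--sw4a.tw. 3600 IN NS max.ns.cloudflare.com.
;; Received 576 bytes from 34.141.111.176#53(g.dns.tw) in 513 ms
xn--sw4a.tw. 300 IN A 104.21.75.119
xn--sw4a.tw. 300 IN A 172.67.175.147
;; Received 72 bytes from 2803:f800:50::6ca2:c073#53(fay.ns.cloudflare.com) in 56 ms
"""

RECEIVED = re.compile(r";; Received \d+ bytes from \S+#53\((\S+)\) in \d+ ms")


def parse_trace(text: str) -> list[dict]:
    """Split dig +trace output into one step per responding server."""
    steps, records = [], []
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            steps.append({"server": m.group(1).rstrip("."), "records": records})
            records = []
        elif line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            records.append((owner, rtype, " ".join(rdata)))
    return steps


def broken_links(steps: list[dict]) -> list[str]:
    """Servers that answered without being named in the previous referral."""
    bad = []
    for prev, cur in zip(steps, steps[1:]):
        referred = {r[2].rstrip(".") for r in prev["records"] if r[1] == "NS"}
        if cur["server"] not in referred:
            bad.append(cur["server"])
    return bad


def final_answer(steps: list[dict]) -> tuple[str, list[str]]:
    """(authoritative server, A records) from the last step."""
    last = steps[-1]
    return last["server"], [r[2] for r in last["records"] if r[1] == "A"]
```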
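Anycast
Here is another new concept. 104.21.75.119 and 172.67.175.147 are special IP addresses: like 8.8.8.8, they use anycast. Anycast is a network addressing technique that assigns the same IP address to servers in multiple geographic locations. When a user sends a request, the routing protocol (usually BGP) steers the traffic to the server with the same name and IP in the nearest (best) data center. In other words, although the CDN provider gives you only two IP addresses, it actually has more than two hosts helping to distribute your site's content. You can also think of it this way: ten thousand people in the world share the name John, and you only know the one closest to you.
Let's verify this. When I run a traceroute from Taiwan: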
% traceroute 104.21.75.119
traceroute to 104.21.75.119 (104.21.75.119), 64 hops max, 40 byte packets
1 172.20.10.1 (172.20.10.1) 5.209 ms 3.045 ms 3.950 ms
2 * * *
3 10.169.65.46 (10.169.65.46) 51.885 ms 31.734 ms 40.698 ms
4 10.169.195.2 (10.169.195.2) 29.859 ms 47.892 ms 34.868 ms
5 10.169.65.2 (10.169.65.2) 39.926 ms 29.973 ms 31.826 ms
6 nh203-79-206-225.static.apol.com.tw (203.79.206.225) 28.032 ms 24.802 ms 30.922 ms
7 nh203-79-206-9.static.apol.com.tw (203.79.206.9) 47.070 ms 29.085 ms 28.844 ms
8 211-76-102-191.aptg.com.tw (211.76.102.191) 53.139 ms
211-76-102-92.aptg.com.tw (211.76.102.92) 37.256 ms
211-76-102-91.aptg.com.tw (211.76.102.91) 49.195 ms
9 211.76.96.78 (211.76.96.78) 37.173 ms 29.705 ms 29.971 ms
10 211-76-100-35.aptg.com.tw (211.76.100.35) 46.948 ms 31.377 ms 30.134 ms
11 104.21.75.119 (104.21.75.119) 53.958 ms 29.038 ms 30.503 ms
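The result above shows that the hop before 104.21.75.119 is an aptg.com.tw IP, so this IP is in Taiwan and can be reached in only 30 milliseconds. If you run traceroute from another country, however, the hop before 104.21.75.119 will not be the same one. And if you look up the physical location of this IP with an IP location tool, it will most likely say California. In addition, the world's root name servers, such as i.root-servers.net., also use anycast: a single IP address that is actually served by multiple hosts.
By the way, I noticed that the DNS of edu.tw appears to have DNSSEC misconfigured; could that allow DNS query results to be forged, so that many spam sites end up using edu.tw domain names? At the moment, a Google search for "線上賭場 site: edu.tw" ("online casino") returns many results.
Back to the topic
There is currently no evidence that Elon Musk bought and is using the Taiwanese domain 錢.tw.
I have also pointed https://錢.zuo.la , a subdomain of zuo.la, at Elon Musk's social media account. Of course, that does not prove that Elon Musk paid to buy my subdomain http://錢.zuo.la either.
About the author
I am https://zuo.la/ ; my business card is at https://zuo.la/namecard/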