āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻ āĻĒāĻžāĻ°ā§āĻļāĻ¨ā§āĻ° āĻŦāĻŋāĻāĻŋāĻ¨ā§āĻ¨ āĻĻāĻŋāĻ āĻāĻ¤āĻŋāĻŽāĻ§ā§āĻ¯ā§āĻ āĻ˛ā§āĻāĻ āĻĻā§āĻŦāĻžāĻ°āĻž āĻŦāĻžāĻ°āĻŦāĻžāĻ° āĻ¸ā§āĻĒāĻ°ā§āĻļ āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻā§ āĻŦā§āĻ˛āĻā§āĻ° āĻ āĻāĻļ āĻšāĻŋāĻ¸āĻžāĻŦā§ āĻĒā§āĻ°āĻāĻžāĻļāĻŋāĻ¤āĨ¤ āĻāĻāĻ āĻ¸āĻžāĻĨā§, āĻāĻ āĻŽā§āĻ˛ āĻāĻ¨ā§āĻāĻžāĻ°āĻ¨ā§āĻ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻžāĻāĻŋāĻ° āĻ¸ā§āĻ°āĻā§āĻˇāĻž āĻāĻ¨ā§āĻ¨āĻ¤ āĻāĻ°āĻžāĻ° āĻāĻĒāĻ° āĻ¸āĻ°ā§āĻŦāĻĻāĻžāĻ āĻŽā§āĻ˛ āĻā§āĻ° āĻĻā§āĻāĻ¯āĻŧāĻž āĻšāĻ¯āĻŧā§āĻā§āĨ¤
āĻ¸āĻŽā§āĻĒā§āĻ°āĻ¤āĻŋ āĻ āĻŦāĻ§āĻŋ, āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻā§āĻ°ā§āĻ¯āĻžāĻĢāĻŋāĻā§āĻ° āĻ¸ā§āĻ¸ā§āĻĒāĻˇā§āĻ āĻĻā§āĻ°ā§āĻŦāĻ˛āĻ¤āĻž āĻĨāĻžāĻāĻž āĻ¸āĻ¤ā§āĻ¤ā§āĻŦā§āĻ, āĻ¯āĻž āĻāĻāĻ¨āĻ, āĻŦā§āĻļāĻŋāĻ°āĻāĻžāĻ āĻ āĻāĻļā§, āĻŦāĻŋāĻˇāĻ¯āĻŧāĻŦāĻ¸ā§āĻ¤ā§, āĻ¸āĻ°āĻāĻžāĻ°āĻŋ āĻ¨āĻŋāĻ°āĻžāĻĒāĻ¤ā§āĻ¤āĻž āĻ¸āĻāĻ¸ā§āĻĨāĻž āĻāĻŦāĻ āĻ¸ā§āĻ¨ā§āĻ¸āĻ°āĻļāĻŋāĻĒā§ āĻŦāĻŋāĻā§āĻāĻžāĻĒāĻ¨ āĻāĻŽā§āĻŦā§āĻĄ āĻāĻ°ā§ āĻ¤āĻžāĻĻā§āĻ° āĻāĻ¯āĻŧ āĻŦāĻžāĻĄāĻŧāĻžāĻ¤ā§ āĻāĻžāĻāĻ¯āĻŧāĻž āĻĒā§āĻ°āĻĻāĻžāĻ¨āĻāĻžāĻ°ā§āĻĻā§āĻ° āĻĒāĻā§āĻˇ āĻĨā§āĻā§ āĻĻā§āĻˇāĻŋāĻ¤ āĻā§āĻ°āĻŋāĻ¯āĻŧāĻžāĻāĻ˛āĻžāĻĒā§āĻ° āĻāĻ¨ā§āĻ¯ āĻ¸ā§āĻĒāĻˇā§āĻāĻāĻžāĻŦā§ āĻĒā§āĻ°ā§āĻ°āĻŖ āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻā§, āĻ¸ā§āĻāĻ¸āĻžāĻĨā§ āĻ¸āĻšāĻāĻāĻžāĻŦā§ āĻ āĻĒāĻ°āĻžāĻ§ā§, āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž , DNSSEC/DANE, DNScrypt, DNS-over-TLS āĻāĻŦāĻ DNS-over-HTTPS-āĻāĻ° āĻŽāĻ¤ā§ āĻŦāĻŋāĻāĻŋāĻ¨ā§āĻ¨ āĻĒā§āĻ°āĻ¯ā§āĻā§āĻ¤āĻŋāĻ° āĻāĻĒāĻ¸ā§āĻĨāĻŋāĻ¤āĻŋ āĻĨāĻžāĻāĻž āĻ¸āĻ¤ā§āĻ¤ā§āĻŦā§āĻ, āĻ¸ā§āĻĨāĻŦāĻŋāĻ°āĨ¤ āĻāĻŦāĻ āĻ¯āĻĻāĻŋ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ¸āĻŽāĻžāĻ§āĻžāĻ¨, āĻāĻŦāĻ āĻ¤āĻžāĻĻā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻāĻŋāĻā§ āĻĻā§āĻ°ā§āĻāĻāĻžāĻ˛ āĻ§āĻ°ā§ āĻŦāĻŋāĻĻā§āĻ¯āĻŽāĻžāĻ¨ āĻĨāĻžāĻā§, āĻŦā§āĻ¯āĻžāĻĒāĻāĻāĻžāĻŦā§ āĻĒāĻ°āĻŋāĻāĻŋāĻ¤ āĻāĻŦāĻ āĻāĻĒāĻ˛āĻŦā§āĻ§, āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ āĻ¸āĻĢā§āĻāĻāĻ¯āĻŧā§āĻ¯āĻžāĻ° āĻĨā§āĻā§ āĻ¤āĻžāĻĻā§āĻ° āĻ¸āĻŽāĻ°ā§āĻĨāĻ¨ āĻāĻžāĻā§āĻāĻŋāĻ¤ āĻšāĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤
āĻāĻžāĻā§āĻ¯āĻā§āĻ°āĻŽā§, āĻĒāĻ°āĻŋāĻ¸ā§āĻĨāĻŋāĻ¤āĻŋāĻ° āĻĒāĻ°āĻŋāĻŦāĻ°ā§āĻ¤āĻ¨ āĻšāĻā§āĻā§āĨ¤ āĻŦāĻŋāĻļā§āĻˇ āĻāĻ°ā§, āĻāĻ¨āĻĒā§āĻ°āĻŋāĻ¯āĻŧ āĻĢāĻžāĻ¯āĻŧāĻžāĻ°āĻĢāĻā§āĻ¸ āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ°ā§āĻ° āĻŦāĻŋāĻāĻžāĻļāĻāĻžāĻ°ā§āĻ°āĻž āĻĄāĻŋāĻĢāĻ˛ā§āĻāĻ°ā§āĻĒā§ āĻ¸āĻŽāĻ°ā§āĻĨāĻ¨ āĻŽā§āĻĄ āĻ¸āĻā§āĻˇāĻŽ āĻāĻ°āĻžāĻ° āĻĒāĻ°āĻŋāĻāĻ˛ā§āĻĒāĻ¨āĻž āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ (DoH) āĻļā§āĻā§āĻ°āĻāĨ¤ āĻāĻāĻŋ WWW āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ°āĻāĻžāĻ°ā§āĻ° DNS āĻā§āĻ°ā§āĻ¯āĻžāĻĢāĻŋāĻāĻā§ āĻāĻĒāĻ°ā§āĻ° āĻšā§āĻŽāĻāĻŋ āĻĨā§āĻā§ āĻ°āĻā§āĻˇāĻž āĻāĻ°āĻ¤ā§ āĻ¸āĻžāĻšāĻžāĻ¯ā§āĻ¯ āĻāĻ°āĻŦā§, āĻ¤āĻŦā§ āĻ¸āĻŽā§āĻāĻžāĻŦā§āĻ¯āĻāĻžāĻŦā§ āĻ¨āĻ¤ā§āĻ¨āĻā§āĻ˛āĻŋ āĻĒā§āĻ°āĻŦāĻ°ā§āĻ¤āĻ¨ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤
1. DNS-āĻāĻāĻžāĻ°-HTTPS āĻ¸āĻŽāĻ¸ā§āĻ¯āĻž
āĻĒā§āĻ°āĻĨāĻŽ āĻ¨āĻāĻ°ā§, āĻāĻ¨ā§āĻāĻžāĻ°āĻ¨ā§āĻ āĻ¸āĻĢā§āĻāĻāĻ¯āĻŧā§āĻ¯āĻžāĻ°ā§ āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻāĻāĻžāĻ°-āĻāĻāĻāĻāĻŋāĻāĻŋāĻĒāĻŋāĻāĻ¸-āĻāĻ° āĻŦā§āĻ¯āĻžāĻĒāĻ āĻĒā§āĻ°āĻŦāĻ°ā§āĻ¤āĻ¨ āĻļā§āĻ§ā§āĻŽāĻžāĻ¤ā§āĻ° āĻāĻāĻāĻŋ āĻāĻ¤āĻŋāĻŦāĻžāĻāĻ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻ¸ā§āĻˇā§āĻāĻŋ āĻāĻ°ā§āĨ¤ āĻ¯āĻžāĻāĻšā§āĻ, āĻļāĻ¯āĻŧāĻ¤āĻžāĻ¨, āĻ¯ā§āĻŽāĻ¨ āĻ¤āĻžāĻ°āĻž āĻŦāĻ˛ā§, āĻŦāĻŋāĻļāĻĻā§ āĻ°āĻ¯āĻŧā§āĻā§āĨ¤
āĻĒā§āĻ°āĻĨāĻŽ āĻ¸āĻŽāĻ¸ā§āĻ¯āĻž āĻ¯āĻž DoH āĻāĻ° āĻŦā§āĻ¯āĻžāĻĒāĻ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ°ā§āĻ° āĻ¸ā§āĻ¯ā§āĻāĻā§ āĻ¸ā§āĻŽāĻŋāĻ¤ āĻāĻ°ā§ āĻ¤āĻž āĻšāĻ˛ āĻļā§āĻ§ā§āĻŽāĻžāĻ¤ā§āĻ° āĻāĻ¯āĻŧā§āĻŦ āĻā§āĻ°āĻžāĻĢāĻŋāĻā§āĻ° āĻāĻĒāĻ° āĻĢā§āĻāĻžāĻ¸āĨ¤ āĻĒā§āĻ°āĻā§āĻ¤āĻĒāĻā§āĻˇā§, HTTP āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ āĻāĻŦāĻ āĻāĻ° āĻŦāĻ°ā§āĻ¤āĻŽāĻžāĻ¨ āĻ¸āĻāĻ¸ā§āĻāĻ°āĻŖ HTTP/2, āĻ¯āĻžāĻ° āĻāĻĒāĻ° DoH āĻāĻŋāĻ¤ā§āĻ¤āĻŋāĻ, WWW āĻāĻ° āĻāĻŋāĻ¤ā§āĻ¤āĻŋāĨ¤ āĻāĻŋāĻ¨ā§āĻ¤ā§ āĻāĻ¨ā§āĻāĻžāĻ°āĻ¨ā§āĻ āĻļā§āĻ§ā§ āĻāĻ¯āĻŧā§āĻŦ āĻ¨āĻ¯āĻŧāĨ¤ āĻāĻŽā§āĻ˛, āĻŦāĻŋāĻāĻŋāĻ¨ā§āĻ¨ āĻāĻ¨āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻ āĻŽā§āĻ¸ā§āĻā§āĻāĻžāĻ°, āĻĢāĻžāĻāĻ˛ āĻā§āĻ°āĻžāĻ¨ā§āĻ¸āĻĢāĻžāĻ° āĻ¸āĻŋāĻ¸ā§āĻā§āĻŽ, āĻŽāĻžāĻ˛ā§āĻāĻŋāĻŽāĻŋāĻĄāĻŋāĻ¯āĻŧāĻž āĻ¸ā§āĻā§āĻ°āĻŋāĻŽāĻŋāĻ āĻāĻ¤ā§āĻ¯āĻžāĻĻāĻŋāĻ° āĻŽāĻ¤ā§ āĻ āĻ¨ā§āĻ āĻāĻ¨āĻĒā§āĻ°āĻŋāĻ¯āĻŧ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻž āĻ°āĻ¯āĻŧā§āĻā§ āĻ¯āĻž HTTP āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻ¨āĻžāĨ¤ āĻāĻāĻāĻžāĻŦā§, āĻ āĻ¨ā§āĻā§āĻ° āĻĻā§āĻŦāĻžāĻ°āĻž āĻāĻāĻāĻŋ āĻĒā§āĻ¯āĻžāĻ¨ā§āĻ¸āĻŋāĻ¯āĻŧāĻž āĻšāĻŋāĻ¸āĻžāĻŦā§ āĻĄāĻŋāĻāĻāĻāĻ āĻāĻĒāĻ˛āĻŦā§āĻ§āĻŋ āĻ¸āĻ¤ā§āĻ¤ā§āĻŦā§āĻ, āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ° āĻĒā§āĻ°āĻ¯ā§āĻā§āĻ¤āĻŋ āĻāĻžāĻĄāĻŧāĻž āĻ āĻ¨ā§āĻ¯ āĻāĻŋāĻā§āĻ° āĻāĻ¨ā§āĻ¯ āĻ āĻ¤āĻŋāĻ°āĻŋāĻā§āĻ¤ (āĻāĻŦāĻ āĻ āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ā§āĻ¯āĻŧ) āĻĒā§āĻ°āĻā§āĻˇā§āĻāĻž āĻāĻžāĻĄāĻŧāĻžāĻ āĻāĻāĻŋ āĻĒā§āĻ°āĻ¯ā§āĻā§āĻ¯ āĻ¨āĻ¯āĻŧāĨ¤ āĻ¯āĻžāĻāĻšā§āĻ, āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻāĻāĻžāĻ°-āĻāĻŋāĻāĻ˛āĻāĻ¸ āĻāĻ āĻā§āĻŽāĻŋāĻāĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻ āĻ¨ā§āĻ āĻŦā§āĻļāĻŋ āĻ¯ā§āĻā§āĻ¯ āĻĒā§āĻ°āĻžāĻ°ā§āĻĨā§āĻ° āĻŽāĻ¤ā§ āĻĻā§āĻāĻžāĻ¯āĻŧ, āĻ¯āĻž āĻ¨āĻŋāĻ°āĻžāĻĒāĻĻ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻāĻŋāĻāĻ˛āĻāĻ¸ āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ā§ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻā§āĻ°ā§āĻ¯āĻžāĻĢāĻŋāĻā§āĻ° āĻāĻ¨āĻā§āĻ¯āĻžāĻĒāĻ¸ā§āĻ˛ā§āĻļāĻ¨ āĻĒā§āĻ°āĻ¯āĻŧā§āĻ āĻāĻ°ā§āĨ¤
āĻĻā§āĻŦāĻŋāĻ¤ā§āĻ¯āĻŧ āĻ¸āĻŽāĻ¸ā§āĻ¯āĻž, āĻ¯āĻž āĻ¸āĻŽā§āĻāĻžāĻŦā§āĻ¯āĻāĻžāĻŦā§ āĻĒā§āĻ°āĻĨāĻŽāĻāĻŋāĻ° āĻā§āĻ¯āĻŧā§ āĻ āĻ¨ā§āĻ āĻŦā§āĻļāĻŋ āĻ¤āĻžā§āĻĒāĻ°ā§āĻ¯āĻĒā§āĻ°ā§āĻŖ, āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ° āĻ¸ā§āĻāĻŋāĻāĻ¸ā§ āĻ¨āĻŋāĻ°ā§āĻĻāĻŋāĻˇā§āĻ āĻāĻ°āĻž āĻāĻāĻāĻŋ āĻāĻāĻ DoH āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ°ā§āĻ° āĻĒāĻā§āĻˇā§ āĻĄāĻŋāĻāĻžāĻāĻ¨ā§āĻ° āĻĻā§āĻŦāĻžāĻ°āĻž DNS-āĻāĻ° āĻ āĻ¨ā§āĻ¤āĻ°ā§āĻ¨āĻŋāĻšāĻŋāĻ¤ āĻŦāĻŋāĻā§āĻ¨ā§āĻĻā§āĻ°ā§āĻāĻ°āĻŖā§āĻ° āĻĒā§āĻ°āĻā§āĻ¤ āĻĒāĻ°āĻŋāĻ¤ā§āĻ¯āĻžāĻāĨ¤ āĻŦāĻŋāĻļā§āĻˇ āĻāĻ°ā§, Mozilla Cloudflare āĻĨā§āĻā§ āĻāĻāĻāĻŋ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻž āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻžāĻ° āĻĒāĻ°āĻžāĻŽāĻ°ā§āĻļ āĻĻā§āĻ¯āĻŧāĨ¤ āĻāĻāĻāĻŋ āĻ āĻ¨ā§āĻ°ā§āĻĒ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻž āĻ āĻ¨ā§āĻ¯āĻžāĻ¨ā§āĻ¯ āĻŦāĻŋāĻļāĻŋāĻˇā§āĻ āĻāĻ¨ā§āĻāĻžāĻ°āĻ¨ā§āĻ āĻŦā§āĻ¯āĻā§āĻ¤āĻŋāĻ¤ā§āĻŦ, āĻŦāĻŋāĻļā§āĻˇ āĻāĻ°ā§ Google āĻĻā§āĻŦāĻžāĻ°āĻž āĻāĻžāĻ˛ā§ āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻāĻŋāĻ˛āĨ¤ āĻĻā§āĻāĻž āĻ¯āĻžāĻā§āĻā§ āĻ¯ā§ DNS-āĻāĻāĻžāĻ°-HTTPS āĻ¯ā§ āĻĢāĻ°ā§āĻŽā§ āĻāĻāĻŋ āĻŦāĻ°ā§āĻ¤āĻŽāĻžāĻ¨ā§ āĻĒā§āĻ°āĻ¸ā§āĻ¤āĻžāĻŦāĻŋāĻ¤ āĻšāĻ¯āĻŧā§āĻā§ āĻ¤āĻž āĻŦāĻžāĻ¸ā§āĻ¤āĻŦāĻžāĻ¯āĻŧāĻ¨ āĻļā§āĻ§ā§āĻŽāĻžāĻ¤ā§āĻ° āĻŦā§āĻšāĻ¤ā§āĻ¤āĻŽ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻžāĻ° āĻāĻĒāĻ° āĻļā§āĻˇ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ°āĻāĻžāĻ°ā§āĻĻā§āĻ° āĻ¨āĻŋāĻ°ā§āĻāĻ°āĻ¤āĻž āĻŦāĻžāĻĄāĻŧāĻžāĻ¯āĻŧāĨ¤ āĻāĻāĻŋ āĻā§āĻ¨ āĻā§āĻĒāĻ¨ āĻŦāĻŋāĻˇāĻ¯āĻŧ āĻ¨āĻ¯āĻŧ āĻ¯ā§ āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻĒā§āĻ°āĻļā§āĻ¨āĻā§āĻ˛āĻŋāĻ° āĻŦāĻŋāĻļā§āĻ˛ā§āĻˇāĻŖ āĻ¯ā§ āĻ¤āĻĨā§āĻ¯ āĻĒā§āĻ°āĻĻāĻžāĻ¨ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§ āĻ¤āĻž āĻāĻāĻŋ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻāĻ°āĻ āĻŦā§āĻļāĻŋ āĻĄā§āĻāĻž āĻ¸āĻāĻā§āĻ°āĻš āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§, āĻ¸ā§āĻāĻ¸āĻžāĻĨā§ āĻāĻ° āĻ¯āĻĨāĻžāĻ°ā§āĻĨāĻ¤āĻž āĻāĻŦāĻ āĻĒā§āĻ°āĻžāĻ¸āĻā§āĻāĻŋāĻāĻ¤āĻž āĻŦā§āĻĻā§āĻ§āĻŋ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤
āĻāĻ āĻŦāĻŋāĻˇāĻ¯āĻŧā§, āĻ˛ā§āĻāĻ DNS-over-HTTPS āĻ¨āĻ¯āĻŧ, DNS-over-TLS-āĻāĻ° āĻ¸āĻžāĻĨā§ DNSSEC/DANE-āĻāĻ° āĻ¸āĻžāĻ°ā§āĻŦāĻāĻ¨ā§āĻ¨, āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤ āĻāĻŦāĻ āĻāĻ¨ā§āĻāĻžāĻ°āĻ¨ā§āĻā§āĻ° āĻāĻ°āĻ āĻā§āĻ¨ā§āĻĻā§āĻ°ā§āĻāĻ°āĻŖā§āĻ° āĻāĻ¨ā§āĻ¯ āĻāĻĒāĻ¯ā§āĻā§ āĻ¨āĻ¯āĻŧ āĻšāĻŋāĻ¸āĻžāĻŦā§ āĻŦā§āĻ¯āĻžāĻĒāĻ āĻŦāĻžāĻ¸ā§āĻ¤āĻŦāĻžāĻ¯āĻŧāĻ¨ā§āĻ° āĻ¸āĻŽāĻ°ā§āĻĨāĻ āĻāĻŋāĻ˛ā§āĻ¨ āĻāĻŦāĻ āĻ°āĻ¯āĻŧā§āĻā§āĻ¨āĨ¤ DNS āĻā§āĻ°āĻžāĻĢāĻŋāĻā§āĻ° āĻ¨āĻŋāĻ°āĻžāĻĒāĻ¤ā§āĻ¤āĻž āĻ¨āĻŋāĻļā§āĻāĻŋāĻ¤ āĻāĻ°āĻžāĻ° āĻāĻ¨ā§āĻ¯āĨ¤ āĻĻā§āĻ°ā§āĻāĻžāĻā§āĻ¯āĻŦāĻļāĻ¤, āĻ¸ā§āĻ¸ā§āĻĒāĻˇā§āĻ āĻāĻžāĻ°āĻŖā§, āĻā§āĻ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ āĻ¸āĻĢā§āĻāĻāĻ¯āĻŧā§āĻ¯āĻžāĻ°ā§ DoH āĻŦāĻŋāĻāĻ˛ā§āĻĒāĻā§āĻ˛āĻŋāĻ° āĻāĻ¨ā§āĻ¯ āĻŦā§āĻ¯āĻžāĻĒāĻ āĻ¸āĻŽāĻ°ā§āĻĨāĻ¨ā§āĻ° āĻĻā§āĻ°ā§āĻ¤ āĻĒā§āĻ°āĻŦāĻ°ā§āĻ¤āĻ¨ā§āĻ° āĻāĻļāĻž āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§ āĻ¨āĻž āĻāĻŦāĻ āĻāĻāĻŋ āĻāĻāĻ¨āĻ āĻ¨āĻŋāĻ°āĻžāĻĒāĻ¤ā§āĻ¤āĻž āĻĒā§āĻ°āĻ¯ā§āĻā§āĻ¤āĻŋ āĻāĻ¤ā§āĻ¸āĻžāĻšā§āĻĻā§āĻ° āĻĄā§āĻŽā§āĻ¨āĨ¤
āĻāĻŋāĻ¨ā§āĻ¤ā§ āĻ¯ā§āĻšā§āĻ¤ā§ āĻāĻŽāĻžāĻĻā§āĻ° āĻāĻžāĻā§ āĻāĻāĻ¨ DoH āĻāĻā§, āĻā§āĻ¨ āĻāĻ°ā§āĻĒā§āĻ°ā§āĻļāĻ¨āĻā§āĻ˛āĻŋ āĻ¤āĻžāĻĻā§āĻ° āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻāĻŽāĻžāĻĻā§āĻ° āĻ¨āĻŋāĻāĻ¸ā§āĻŦ āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻāĻāĻžāĻ°-āĻāĻāĻāĻāĻŋāĻāĻŋāĻĒāĻŋāĻāĻ¸ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§ āĻ¸āĻŽā§āĻāĻžāĻŦā§āĻ¯ āĻ¨āĻāĻ°āĻĻāĻžāĻ°āĻŋ āĻāĻĄāĻŧāĻŋāĻ¯āĻŧā§ āĻ¯āĻžāĻāĻ¯āĻŧāĻžāĻ° āĻĒāĻ°ā§ āĻāĻāĻŋ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻŦā§ āĻ¨āĻž?
2. DNS-āĻāĻāĻžāĻ°-HTTPS āĻĒā§āĻ°ā§āĻā§āĻāĻ˛
āĻŽāĻžāĻ¨āĻĻāĻ¨ā§āĻĄ āĻĻā§āĻāĻ˛ā§ āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻāĻāĻžāĻ°-āĻāĻāĻāĻāĻŋāĻāĻŋāĻĒāĻŋāĻāĻ¸ āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ā§āĻ° āĻŦāĻ°ā§āĻŖāĻ¨āĻž āĻĻāĻŋāĻ¯āĻŧā§, āĻāĻĒāĻ¨āĻŋ āĻĻā§āĻāĻ¤ā§ āĻĒāĻžāĻā§āĻā§āĻ¨ āĻ¯ā§ āĻāĻāĻŋ āĻāĻ¸āĻ˛ā§ āĻāĻāĻāĻŋ āĻāĻ¯āĻŧā§āĻŦ API āĻ¯āĻž āĻāĻĒāĻ¨āĻžāĻā§ HTTP/2 āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ā§ āĻāĻāĻāĻŋ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻĒā§āĻ¯āĻžāĻā§āĻ āĻāĻ¨āĻā§āĻ¯āĻžāĻĒāĻ¸ā§āĻ˛ā§āĻ āĻāĻ°āĻ¤ā§ āĻĻā§āĻ¯āĻŧāĨ¤ āĻāĻāĻŋ āĻŦāĻŋāĻļā§āĻˇ HTTP āĻļāĻŋāĻ°ā§āĻ¨āĻžāĻŽā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻĒā§āĻ°āĻ¯āĻŧā§āĻ āĻāĻ°āĻž āĻšāĻ¯āĻŧ, āĻ¸ā§āĻāĻ¸āĻžāĻĨā§ āĻĒā§āĻ°ā§āĻ°āĻŖ āĻāĻ°āĻž DNS āĻĄā§āĻāĻžāĻ° āĻŦāĻžāĻāĻ¨āĻžāĻ°āĻŋ āĻŦāĻŋāĻ¨ā§āĻ¯āĻžāĻ¸ā§āĻ° āĻ°ā§āĻĒāĻžāĻ¨ā§āĻ¤āĻ° (āĻĻā§āĻā§āĻ¨āĨ¤ āĻāĻŦāĻ āĻĒāĻ°āĻŦāĻ°ā§āĻ¤ā§ āĻ¨āĻĨāĻŋ) āĻāĻāĻāĻŋ āĻĢāĻ°ā§āĻŽā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻ¯āĻž āĻāĻĒāĻ¨āĻžāĻā§ āĻ¸ā§āĻā§āĻ˛āĻŋ āĻĒā§āĻ°ā§āĻ°āĻŖ āĻāĻŦāĻ āĻā§āĻ°āĻšāĻŖ āĻāĻ°āĻžāĻ° āĻĒāĻžāĻļāĻžāĻĒāĻžāĻļāĻŋ āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ā§āĻ¯āĻŧ āĻŽā§āĻāĻžāĻĄā§āĻāĻž āĻ¨āĻŋāĻ¯āĻŧā§ āĻāĻžāĻ āĻāĻ°āĻ¤ā§ āĻĻā§āĻ¯āĻŧāĨ¤
āĻŽāĻžāĻ¨ āĻ āĻ¨ā§āĻ¯āĻžāĻ¯āĻŧā§, āĻļā§āĻ§ā§āĻŽāĻžāĻ¤ā§āĻ° HTTP/2 āĻāĻŦāĻ āĻāĻāĻāĻŋ āĻ¨āĻŋāĻ°āĻžāĻĒāĻĻ TLS āĻ¸āĻāĻ¯ā§āĻ āĻ¸āĻŽāĻ°ā§āĻĨāĻŋāĻ¤āĨ¤
āĻāĻāĻāĻŋ DNS āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻĒāĻžāĻ āĻžāĻ¨ā§ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ GET āĻāĻŦāĻ POST āĻĒāĻĻā§āĻ§āĻ¤āĻŋ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻāĻ°āĻž āĻ¯ā§āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤ āĻĒā§āĻ°āĻĨāĻŽ āĻā§āĻˇā§āĻ¤ā§āĻ°ā§, āĻ āĻ¨ā§āĻ°ā§āĻ§āĻāĻŋ āĻāĻāĻāĻŋ base64URL-āĻāĻ¨āĻā§āĻĄā§āĻĄ āĻ¸ā§āĻā§āĻ°āĻŋāĻ-āĻ āĻ°ā§āĻĒāĻžāĻ¨ā§āĻ¤āĻ°āĻŋāĻ¤ āĻšāĻ¯āĻŧ āĻāĻŦāĻ āĻĻā§āĻŦāĻŋāĻ¤ā§āĻ¯āĻŧāĻāĻŋāĻ¤ā§, āĻŦāĻžāĻāĻ¨āĻžāĻ°āĻŋ āĻāĻāĻžāĻ°ā§ POST āĻ āĻ¨ā§āĻ°ā§āĻ§ā§āĻ° āĻŽā§āĻ˛ āĻ āĻāĻļā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§āĨ¤ āĻāĻ āĻā§āĻˇā§āĻ¤ā§āĻ°ā§, DNS āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻāĻŦāĻ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻžāĻ° āĻ¸āĻŽāĻ¯āĻŧ āĻāĻāĻāĻŋ āĻŦāĻŋāĻļā§āĻˇ MIME āĻĄā§āĻāĻž āĻāĻžāĻāĻĒ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻž āĻšāĻ¯āĻŧ āĻ ā§āĻ¯āĻžāĻĒā§āĻ˛āĻŋāĻā§āĻļāĻ¨/āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻŦāĻžāĻ°ā§āĻ¤āĻž.
root@eprove:~ # curl -H 'accept: application/dns-message' 'https://my.domaint/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' -v
* Trying 2001:100:200:300::400:443...
* TCP_NODELAY set
* Connected to eprove.net (2001:100:200:300::400) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=my.domain
* start date: Jul 22 00:07:13 2019 GMT
* expire date: Oct 20 00:07:13 2019 GMT
* subjectAltName: host "my.domain" matched cert's "my.domain"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801441000)
> GET /dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE HTTP/2
> Host: eprove.net
> User-Agent: curl/7.65.3
> accept: application/dns-message
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: h2o/2.3.0-beta2
< content-type: application/dns-message
< cache-control: max-age=86274
< date: Thu, 12 Sep 2019 13:07:25 GMT
< strict-transport-security: max-age=15768000; includeSubDomains; preload
< content-length: 45
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 45)
* stopped the pause stream!
* Connection #0 to host eprove.net left intactāĻļāĻŋāĻ°ā§āĻ¨āĻžāĻŽā§āĻ° āĻĻāĻŋāĻā§āĻ āĻŽāĻ¨ā§āĻ¯ā§āĻ āĻĻāĻŋāĻ¨ āĻā§āĻ¯āĻžāĻļā§-āĻ¨āĻŋāĻ¯āĻŧāĻ¨ā§āĻ¤ā§āĻ°āĻŖ: āĻāĻ¯āĻŧā§āĻŦ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻĨā§āĻā§ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻž. āĻĒā§āĻ¯āĻžāĻ°āĻžāĻŽāĻŋāĻāĻžāĻ°ā§ āĻ¸āĻ°ā§āĻŦā§āĻā§āĻ āĻŦāĻ¯āĻŧāĻ¸ āĻĄāĻŋāĻāĻ¨āĻāĻ¸ āĻ°ā§āĻāĻ°ā§āĻĄā§āĻ° āĻāĻ¨ā§āĻ¯ TTL āĻŽāĻžāĻ¨ āĻ°āĻ¯āĻŧā§āĻā§ (āĻ āĻĨāĻŦāĻž āĻ¤āĻžāĻĻā§āĻ° āĻāĻāĻāĻŋ āĻ¸ā§āĻ āĻĢā§āĻ°āĻ¤ āĻĻā§āĻāĻ¯āĻŧāĻž āĻšāĻ˛ā§ āĻ¸āĻ°ā§āĻŦāĻ¨āĻŋāĻŽā§āĻ¨ āĻŽāĻžāĻ¨)āĨ¤
āĻāĻĒāĻ°ā§āĻ° āĻāĻĒāĻ° āĻāĻŋāĻ¤ā§āĻ¤āĻŋ āĻāĻ°ā§, āĻāĻāĻāĻŋ DoH āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻāĻžāĻ°ā§āĻ¯āĻāĻžāĻ°āĻŋāĻ¤āĻž āĻŦāĻŋāĻāĻŋāĻ¨ā§āĻ¨ āĻ§āĻžāĻĒ āĻ¨āĻŋāĻ¯āĻŧā§ āĻāĻ āĻŋāĻ¤āĨ¤
- āĻāĻāĻāĻŋ HTTP āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻā§āĻ°āĻšāĻŖ āĻāĻ°ā§āĻ¨. āĻ¯āĻĻāĻŋ āĻāĻāĻŋ āĻāĻāĻāĻŋ GET āĻšāĻ¯āĻŧ āĻ¤āĻžāĻšāĻ˛ā§ base64URL āĻāĻ¨āĻā§āĻĄāĻŋāĻ āĻĨā§āĻā§ āĻĒā§āĻ¯āĻžāĻā§āĻāĻāĻŋ āĻĄāĻŋāĻā§āĻĄ āĻāĻ°ā§āĻ¨āĨ¤
- āĻāĻ āĻĒā§āĻ¯āĻžāĻā§āĻāĻāĻŋ DNS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§ āĻĒāĻžāĻ āĻžāĻ¨āĨ¤
- DNS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻĨā§āĻā§ āĻāĻāĻāĻŋ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻĒāĻžāĻ¨
- āĻĒā§āĻ°āĻžāĻĒā§āĻ¤ āĻ°ā§āĻāĻ°ā§āĻĄā§ āĻ¨ā§āĻ¯ā§āĻ¨āĻ¤āĻŽ TTL āĻŽāĻžāĻ¨ āĻā§āĻāĻā§āĻ¨āĨ¤
- HTTP āĻāĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻā§āĻ° āĻāĻžāĻā§ āĻāĻāĻāĻŋ āĻĒā§āĻ°āĻ¤āĻŋāĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻĢā§āĻ°āĻ¤ āĻĻāĻŋāĻ¨āĨ¤
3. āĻāĻĒāĻ¨āĻžāĻ° āĻ¨āĻŋāĻāĻ¸ā§āĻŦ DNS-āĻāĻāĻžāĻ°-HTTPS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°
āĻāĻĒāĻ¨āĻžāĻ° āĻ¨āĻŋāĻā§āĻ° DNS-āĻāĻāĻžāĻ°-HTTPS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻžāĻ˛āĻžāĻ¨ā§āĻ° āĻ¸āĻŦāĻā§āĻ¯āĻŧā§ āĻ¸āĻšāĻ, āĻĻā§āĻ°ā§āĻ¤ āĻāĻŦāĻ āĻ¸āĻŦāĻā§āĻ¯āĻŧā§ āĻāĻžāĻ°ā§āĻ¯āĻāĻ° āĻāĻĒāĻžāĻ¯āĻŧ āĻšāĻ˛ āĻāĻāĻāĻŋ HTTP/2 āĻāĻ¯āĻŧā§āĻŦ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻž , āĻ¯āĻž āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§ āĻ˛ā§āĻāĻ āĻāĻ¤āĻŋāĻŽāĻ§ā§āĻ¯ā§ āĻ¸āĻāĻā§āĻˇāĻŋāĻĒā§āĻ¤āĻāĻžāĻŦā§ āĻ˛āĻŋāĻā§āĻā§āĻ¨ (āĻĻā§āĻā§āĻ¨ "ÂĢ)āĨ¤
āĻāĻ āĻĒāĻāĻ¨ā§āĻĻāĻāĻŋ āĻāĻ āĻ¸āĻ¤ā§āĻ¯ āĻĻā§āĻŦāĻžāĻ°āĻž āĻ¸āĻŽāĻ°ā§āĻĨāĻŋāĻ¤ āĻ¯ā§ āĻāĻĒāĻ¨āĻžāĻ° āĻ¨āĻŋāĻā§āĻ° DoH āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻ¸āĻŽāĻ¸ā§āĻ¤ āĻā§āĻĄ āĻ¸āĻŽā§āĻĒā§āĻ°ā§āĻŖāĻ°ā§āĻĒā§ H2O-āĻ¤ā§ āĻ¸āĻāĻšāĻ¤ āĻāĻ¨ā§āĻāĻžāĻ°āĻĒā§āĻ°ā§āĻāĻžāĻ° āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻĒā§āĻ°āĻ¯āĻŧā§āĻ āĻāĻ°āĻž āĻ¯ā§āĻ¤ā§ āĻĒāĻžāĻ°ā§āĨ¤ . āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻ˛āĻžāĻāĻŦā§āĻ°ā§āĻ°āĻŋ āĻāĻžāĻĄāĻŧāĻžāĻ, DNS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°ā§āĻ° āĻ¸āĻžāĻĨā§ āĻĄā§āĻāĻž āĻāĻĻāĻžāĻ¨-āĻĒā§āĻ°āĻĻāĻžāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯, āĻāĻĒāĻ¨āĻžāĻ° āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ (mrbgem) āĻ¸āĻā§āĻ āĻ˛āĻžāĻāĻŦā§āĻ°ā§āĻ°āĻŋ, āĻ¯āĻž āĻ¸ā§āĻāĻžāĻā§āĻ¯āĻŦāĻļāĻ¤, H2O 2.3.0-beta2-āĻāĻ° āĻŦāĻ°ā§āĻ¤āĻŽāĻžāĻ¨ āĻŦāĻŋāĻāĻžāĻļ āĻ¸āĻāĻ¸ā§āĻāĻ°āĻŖā§ āĻāĻ¤āĻŋāĻŽāĻ§ā§āĻ¯ā§āĻ āĻ āĻ¨ā§āĻ¤āĻ°ā§āĻā§āĻā§āĻ¤ āĻ°āĻ¯āĻŧā§āĻā§āĨ¤ FreeBSD āĻĒā§āĻ°ā§āĻā§āĨ¤ āĻ¤āĻŦā§ āĻ°āĻŋāĻĒā§āĻāĻŋāĻāĻ°āĻŋ āĻā§āĻ˛ā§āĻ¨ āĻāĻ°ā§ āĻāĻā§āĻ° āĻ¯ā§āĻā§āĻ¨ā§ āĻ¸āĻāĻ¸ā§āĻāĻ°āĻŖā§ āĻ¯ā§āĻ āĻāĻ°āĻž āĻāĻ āĻŋāĻ¨ āĻ¨āĻ¯āĻŧ āĻā§āĻ¯āĻžāĻāĻžāĻ˛āĻ āĻĨā§āĻā§ /deps āĻ¸āĻāĻāĻ˛āĻ¨ā§āĻ° āĻāĻā§āĨ¤
root@beta:~ # uname -v
FreeBSD 12.0-RELEASE-p10 GENERIC
root@beta:~ # cd /usr/ports/www/h2o
root@beta:/usr/ports/www/h2o # make extract
===> License MIT BSD2CLAUSE accepted by the user
===> h2o-2.2.6 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by h2o-2.2.6 for building
===> Extracting for h2o-2.2.6.
=> SHA256 Checksum OK for h2o-h2o-v2.2.6_GH0.tar.gz.
===> h2o-2.2.6 depends on file: /usr/local/bin/ruby26 - found
root@beta:/usr/ports/www/h2o # cd work/h2o-2.2.6/deps/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # git clone https://github.com/iij/mruby-socket.git
ĐĐģĐžĐŊиŅОваĐŊиĐĩ в ÂĢmruby-socketÂģâĻ
remote: Enumerating objects: 385, done.
remote: Total 385 (delta 0), reused 0 (delta 0), pack-reused 385
ĐĐžĐģŅŅĐĩĐŊиĐĩ ОйŅĐĩĐēŅОв: 100% (385/385), 98.02 KiB | 647.00 KiB/s, ĐŗĐžŅОвО.
ĐĐŋŅĐĩĐ´ĐĩĐģĐĩĐŊиĐĩ иСĐŧĐĩĐŊĐĩĐŊиК: 100% (208/208), ĐŗĐžŅОвО.
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # ll
total 181
drwxr-xr-x 9 root wheel 18 12 авĐŗ. 16:09 brotli/
drwxr-xr-x 2 root wheel 4 12 авĐŗ. 16:09 cloexec/
drwxr-xr-x 2 root wheel 5 12 авĐŗ. 16:09 golombset/
drwxr-xr-x 4 root wheel 35 12 авĐŗ. 16:09 klib/
drwxr-xr-x 2 root wheel 5 12 авĐŗ. 16:09 libgkc/
drwxr-xr-x 4 root wheel 26 12 авĐŗ. 16:09 libyrmcds/
drwxr-xr-x 13 root wheel 32 12 авĐŗ. 16:09 mruby/
drwxr-xr-x 5 root wheel 11 12 авĐŗ. 16:09 mruby-digest/
drwxr-xr-x 5 root wheel 10 12 авĐŗ. 16:09 mruby-dir/
drwxr-xr-x 5 root wheel 10 12 авĐŗ. 16:09 mruby-env/
drwxr-xr-x 4 root wheel 9 12 авĐŗ. 16:09 mruby-errno/
drwxr-xr-x 5 root wheel 14 12 авĐŗ. 16:09 mruby-file-stat/
drwxr-xr-x 5 root wheel 10 12 авĐŗ. 16:09 mruby-iijson/
drwxr-xr-x 5 root wheel 11 12 авĐŗ. 16:09 mruby-input-stream/
drwxr-xr-x 6 root wheel 11 12 авĐŗ. 16:09 mruby-io/
drwxr-xr-x 5 root wheel 10 12 авĐŗ. 16:09 mruby-onig-regexp/
drwxr-xr-x 4 root wheel 10 12 авĐŗ. 16:09 mruby-pack/
drwxr-xr-x 5 root wheel 10 12 авĐŗ. 16:09 mruby-require/
drwxr-xr-x 6 root wheel 10 12 ŅĐĩĐŊŅ. 16:10 mruby-socket/
drwxr-xr-x 2 root wheel 9 12 авĐŗ. 16:09 neverbleed/
drwxr-xr-x 2 root wheel 13 12 авĐŗ. 16:09 picohttpparser/
drwxr-xr-x 2 root wheel 4 12 авĐŗ. 16:09 picotest/
drwxr-xr-x 9 root wheel 16 12 авĐŗ. 16:09 picotls/
drwxr-xr-x 4 root wheel 8 12 авĐŗ. 16:09 ssl-conservatory/
drwxr-xr-x 8 root wheel 18 12 авĐŗ. 16:09 yaml/
drwxr-xr-x 2 root wheel 8 12 авĐŗ. 16:09 yoml/
root@beta:/usr/ports/www/h2o/work/h2o-2.2.6/deps # cd ../../..
root@beta:/usr/ports/www/h2o # make install clean
...āĻāĻ¯āĻŧā§āĻŦ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻ¨āĻĢāĻŋāĻāĻžāĻ°ā§āĻļāĻ¨ āĻ¸āĻžāĻ§āĻžāĻ°āĻŖāĻ¤ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄāĨ¤
root@beta:/usr/ports/www/h2o # cd /usr/local/etc/h2o/
root@beta:/usr/local/etc/h2o # cat h2o.conf
# this sample config gives you a feel for how h2o can be used
# and a high-security configuration for TLS and HTTP headers
# see https://h2o.examp1e.net/ for detailed documentation
# and h2o --help for command-line options and settings
# v.20180207 (c)2018 by Max Kostikov http://kostikov.co e-mail: max@kostikov.co
user: www
pid-file: /var/run/h2o.pid
access-log:
path: /var/log/h2o/h2o-access.log
format: "%h %v %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i""
error-log: /var/log/h2o/h2o-error.log
expires: off
compress: on
file.dirlisting: off
file.send-compressed: on
file.index: [ 'index.html', 'index.php' ]
listen:
port: 80
listen:
port: 443
ssl:
cipher-suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
cipher-preference: server
dh-file: /etc/ssl/dhparams.pem
certificate-file: /usr/local/etc/letsencrypt/live/eprove.net/fullchain.pem
key-file: /usr/local/etc/letsencrypt/live/my.domain/privkey.pem
hosts:
"*.my.domain":
paths: &go_tls
"/":
redirect:
status: 301
url: https://my.domain/
"my.domain:80":
paths: *go_tls
"my.domain:443":
header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
paths:
"/dns-query":
mruby.handler-file: /usr/local/etc/h2o/h2odoh.rbāĻāĻāĻŽāĻžāĻ¤ā§āĻ° āĻŦā§āĻ¯āĻ¤āĻŋāĻā§āĻ°āĻŽ āĻšāĻ˛ URL āĻšā§āĻ¯āĻžāĻ¨ā§āĻĄāĻ˛āĻžāĻ° /dns-query āĻ¯āĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻāĻŽāĻžāĻĻā§āĻ° āĻĄāĻŋāĻāĻ¨āĻāĻ¸-āĻāĻāĻžāĻ°-āĻāĻāĻāĻāĻŋāĻāĻŋāĻĒāĻŋāĻāĻ¸ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ°, āĻŽā§āĻ°ā§āĻŦāĻŋāĻ¤ā§ āĻ˛ā§āĻāĻž āĻāĻŦāĻ āĻšā§āĻ¯āĻžāĻ¨ā§āĻĄāĻ˛āĻžāĻ° āĻŦāĻŋāĻāĻ˛ā§āĻĒā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻŦāĻ˛āĻž āĻšāĻ¯āĻŧā§āĻā§, āĻāĻ¸āĻ˛ā§ āĻĻāĻžāĻ¯āĻŧā§ mruby.handler-file.
root@beta:/usr/local/etc/h2o # cat h2odoh.rb
# H2O HTTP/2 web server as DNS-over-HTTP service
# v.20190908 (c)2018-2019 Max Kostikov https://kostikov.co e-mail: max@kostikov.co
proc {|env|
if env['HTTP_ACCEPT'] == "application/dns-message"
case env['REQUEST_METHOD']
when "GET"
req = env['QUERY_STRING'].gsub(/^dns=/,'')
# base64URL decode
req = req.tr("-_", "+/")
if !req.end_with?("=") && req.length % 4 != 0
req = req.ljust((req.length + 3) & ~3, "=")
end
req = req.unpack1("m")
when "POST"
req = env['rack.input'].read
else
req = ""
end
if req.empty?
[400, { 'content-type' => 'text/plain' }, [ "Bad Request" ]]
else
# --- ask DNS server
sock = UDPSocket.new
sock.connect("localhost", 53)
sock.send(req, 0)
str = sock.recv(4096)
sock.close
# --- find lowest TTL in response
nans = str[6, 2].unpack1('n') # number of answers
if nans > 0 # no DNS failure
shift = 12
ttl = 0
while nans > 0
# process domain name compression
if str[shift].unpack1("C") < 192
shift = str.index("x00", shift) + 5
if ttl == 0 # skip question section
next
end
end
shift += 6
curttl = str[shift, 4].unpack1('N')
shift += str[shift + 4, 2].unpack1('n') + 6 # responce data size
if ttl == 0 or ttl > curttl
ttl = curttl
end
nans -= 1
end
cc = 'max-age=' + ttl.to_s
else
cc = 'no-cache'
end
[200, { 'content-type' => 'application/dns-message', 'content-length' => str.size, 'cache-control' => cc }, [ str ] ]
end
else
[415, { 'content-type' => 'text/plain' }, [ "Unsupported Media Type" ]]
end
}āĻĻāĻ¯āĻŧāĻž āĻāĻ°ā§ āĻŽāĻ¨ā§ āĻ°āĻžāĻāĻŦā§āĻ¨ āĻ¯ā§ āĻ¸ā§āĻĨāĻžāĻ¨ā§āĻ¯āĻŧ āĻā§āĻ¯āĻžāĻļāĻŋāĻ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻāĻ āĻā§āĻˇā§āĻ¤ā§āĻ°ā§ DNS āĻĒā§āĻ¯āĻžāĻā§āĻ āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻžāĻāĻ°āĻŖā§āĻ° āĻāĻ¨ā§āĻ¯ āĻĻāĻžāĻ¯āĻŧā§ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻĢā§āĻ°āĻŋāĻŦāĻŋāĻāĻ¸āĻĄāĻŋ āĻĄāĻŋāĻ¸ā§āĻā§āĻ°āĻŋāĻŦāĻŋāĻāĻļāĻ¨ āĻĨā§āĻā§āĨ¤ āĻ¨āĻŋāĻ°āĻžāĻĒāĻ¤ā§āĻ¤āĻžāĻ° āĻĻā§āĻˇā§āĻāĻŋāĻā§āĻŖ āĻĨā§āĻā§, āĻāĻāĻŋ āĻ¸āĻ°ā§āĻŦā§āĻ¤ā§āĻ¤āĻŽ āĻ¸āĻŽāĻžāĻ§āĻžāĻ¨āĨ¤ āĻ¯āĻžāĻāĻšā§āĻ, āĻāĻŋāĻā§āĻ āĻāĻĒāĻ¨āĻžāĻā§ āĻĒā§āĻ°āĻ¤āĻŋāĻ¸ā§āĻĨāĻžāĻĒāĻ¨ āĻāĻ°āĻ¤ā§ āĻŦāĻžāĻ§āĻž āĻĻā§āĻ¯āĻŧ āĻ¨āĻž āĻ¸ā§āĻĨāĻžāĻ¨ā§āĻ¯āĻŧ āĻšā§āĻ¸ā§āĻ āĻāĻāĻāĻŋ āĻāĻŋāĻ¨ā§āĻ¨ DNS āĻ āĻŋāĻāĻžāĻ¨āĻž āĻ¯āĻž āĻāĻĒāĻ¨āĻŋ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻ¤ā§ āĻāĻžāĻ¨āĨ¤
root@beta:/usr/local/etc/h2o # local-unbound verison
usage: local-unbound [options]
start unbound daemon DNS resolver.
-h this help
-c file config file to read instead of /var/unbound/unbound.conf
file format is described in unbound.conf(5).
-d do not fork into the background.
-p do not create a pidfile.
-v verbose (more times to increase verbosity)
Version 1.8.1
linked libs: mini-event internal (it uses select), OpenSSL 1.1.1a-freebsd 20 Nov 2018
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl
root@eprove:/usr/local/etc/h2o # sockstat -46 | grep unbound
unbound local-unbo 69749 3 udp6 ::1:53 *:*
unbound local-unbo 69749 4 tcp6 ::1:53 *:*
unbound local-unbo 69749 5 udp4 127.0.0.1:53 *:*
unbound local-unbo 69749 6 tcp4 127.0.0.1:53 *:*āĻ¯āĻž āĻŦāĻžāĻāĻŋ āĻĨāĻžāĻā§ āĻ¤āĻž āĻšāĻ˛ H2O āĻĒā§āĻ¨āĻ°āĻžāĻ¯āĻŧ āĻāĻžāĻ˛ā§ āĻāĻ°āĻž āĻāĻŦāĻ āĻāĻ° āĻĨā§āĻā§ āĻā§ āĻāĻ¸ā§ āĻ¤āĻž āĻĻā§āĻā§āĻ¨āĨ¤
root@beta:/usr/local/etc/h2o # service h2o restart
Stopping h2o.
Waiting for PIDS: 69871.
Starting h2o.
start_server (pid:70532) starting now...4. āĻĒāĻ°ā§āĻā§āĻˇāĻž
āĻ¸ā§āĻ¤āĻ°āĻžāĻ, āĻāĻ¸ā§āĻ¨ āĻāĻŦāĻžāĻ° āĻāĻāĻāĻŋ āĻĒāĻ°ā§āĻā§āĻˇāĻžāĻ° āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻĒāĻžāĻ āĻŋāĻ¯āĻŧā§ āĻāĻŦāĻ āĻāĻāĻāĻŋāĻ˛āĻŋāĻāĻŋ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻ¨ā§āĻāĻāĻ¯āĻŧāĻžāĻ°ā§āĻ āĻā§āĻ°ā§āĻ¯āĻžāĻĢāĻŋāĻ āĻĻā§āĻā§ āĻĢāĻ˛āĻžāĻĢāĻ˛āĻā§āĻ˛āĻŋ āĻĒāĻ°ā§āĻā§āĻˇāĻž āĻāĻ°āĻŋ tcpdump.
root@beta/usr/local/etc/h2o # curl -H 'accept: application/dns-message' 'https://my.domain/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
...
root@beta:~ # tcpdump -n -i lo0 udp port 53 -xx -XX -vv
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
16:32:40.420831 IP (tos 0x0, ttl 64, id 37575, offset 0, flags [none], proto UDP (17), length 57, bad cksum 0 (->e9ea)!)
127.0.0.1.21070 > 127.0.0.1.53: [bad udp cksum 0xfe38 -> 0x33e3!] 43981+ A? example.com. (29)
0x0000: 0200 0000 4500 0039 92c7 0000 4011 0000 ....E..9....@...
0x0010: 7f00 0001 7f00 0001 524e 0035 0025 fe38 ........RN.5.%.8
0x0020: abcd 0100 0001 0000 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01 mple.com.....
16:32:40.796507 IP (tos 0x0, ttl 64, id 37590, offset 0, flags [none], proto UDP (17), length 73, bad cksum 0 (->e9cb)!)
127.0.0.1.53 > 127.0.0.1.21070: [bad udp cksum 0xfe48 -> 0x43fa!] 43981 q: A? example.com. 1/0/0 example.com. A 93.184.216.34 (45)
0x0000: 0200 0000 4500 0049 92d6 0000 4011 0000 ....E..I....@...
0x0010: 7f00 0001 7f00 0001 0035 524e 0035 fe48 .........5RN.5.H
0x0020: abcd 8180 0001 0001 0000 0000 0765 7861 .............exa
0x0030: 6d70 6c65 0363 6f6d 0000 0100 01c0 0c00 mple.com........
0x0040: 0100 0100 0151 8000 045d b8d8 22 .....Q...].."
^C
2 packets captured
23 packets received by filter
0 packets dropped by kernelāĻāĻāĻāĻĒā§āĻ āĻĻā§āĻāĻžāĻ¯āĻŧ āĻāĻŋāĻāĻžāĻŦā§ āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻ āĻŋāĻāĻžāĻ¨āĻž āĻ¸āĻŽāĻžāĻ§āĻžāĻ¨ āĻāĻ°āĻ¤ā§ example.com DNS āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻĻā§āĻŦāĻžāĻ°āĻž āĻĒā§āĻ°āĻžāĻĒā§āĻ¤ āĻāĻŦāĻ āĻ¸āĻĢāĻ˛āĻāĻžāĻŦā§ āĻĒā§āĻ°āĻā§āĻ°āĻŋāĻ¯āĻŧāĻž āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻā§āĨ¤
āĻāĻāĻ¨ āĻ¯āĻž āĻŦāĻžāĻāĻŋ āĻāĻā§ āĻ¤āĻž āĻšāĻ˛ Firefox āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ°ā§ āĻāĻŽāĻžāĻĻā§āĻ° āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ¸āĻā§āĻ°āĻŋāĻ¯āĻŧ āĻāĻ°āĻžāĨ¤ āĻāĻāĻŋ āĻāĻ°āĻžāĻ° āĻāĻ¨ā§āĻ¯, āĻāĻĒāĻ¨āĻžāĻā§ āĻāĻ¨āĻĢāĻŋāĻāĻžāĻ°ā§āĻļāĻ¨ āĻĒā§āĻˇā§āĻ āĻžāĻā§āĻ˛āĻŋāĻ¤ā§ āĻŦā§āĻļ āĻāĻ¯āĻŧā§āĻāĻāĻŋ āĻ¸ā§āĻāĻŋāĻāĻ¸ āĻĒāĻ°āĻŋāĻŦāĻ°ā§āĻ¤āĻ¨ āĻāĻ°āĻ¤ā§ āĻšāĻŦā§ āĻ¸āĻŽā§āĻĒāĻ°ā§āĻā§: āĻāĻ¨āĻĢāĻŋāĻ.
āĻĒā§āĻ°āĻĨāĻŽāĻ¤, āĻāĻāĻŋ āĻāĻŽāĻžāĻĻā§āĻ° API āĻāĻ° āĻ āĻŋāĻāĻžāĻ¨āĻž āĻ¯ā§āĻāĻžāĻ¨ā§ āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ° DNS āĻ¤āĻĨā§āĻ¯ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻ āĻ¨ā§āĻ°ā§āĻ§ āĻāĻ°āĻŦā§ network.trr.uri. DNS āĻ ā§āĻ¯āĻžāĻā§āĻ¸ā§āĻ¸ āĻ¨āĻž āĻāĻ°ā§ āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ° āĻ¨āĻŋāĻā§āĻ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§ āĻ¨āĻŋāĻ°āĻžāĻĒāĻĻ IP āĻ°ā§āĻā§āĻ˛āĻŋāĻāĻļāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻāĻ URL āĻĨā§āĻā§ āĻĄā§āĻŽā§āĻ¨ āĻāĻāĻĒāĻŋ āĻ¨āĻŋāĻ°ā§āĻĻāĻŋāĻˇā§āĻ āĻāĻ°āĻžāĻ° āĻ¸ā§āĻĒāĻžāĻ°āĻŋāĻļ āĻāĻ°āĻž āĻšāĻ¯āĻŧ network.trr.bootstrapAddress. āĻāĻŦāĻ āĻ āĻŦāĻļā§āĻˇā§, āĻĒāĻ°āĻžāĻŽāĻŋāĻ¤āĻŋ āĻ¨āĻŋāĻā§āĻ network.trr.mode DoH āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻ¸āĻšāĨ¤ "3" āĻ¤ā§ āĻŽāĻžāĻ¨ āĻ¸ā§āĻ āĻāĻ°āĻž āĻŦā§āĻ°āĻžāĻāĻāĻžāĻ°āĻāĻŋāĻā§ āĻ¨āĻžāĻŽā§āĻ° āĻ°ā§āĻā§āĻ˛āĻŋāĻāĻļāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻāĻāĻā§āĻāĻŋāĻ¯āĻŧāĻžāĻāĻžāĻŦā§ DNS-āĻāĻāĻžāĻ°-HTTPS āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻ¤ā§ āĻŦāĻžāĻ§ā§āĻ¯ āĻāĻ°āĻŦā§, āĻ¯āĻāĻ¨ āĻāĻ°āĻ āĻ¨āĻŋāĻ°ā§āĻāĻ°āĻ¯ā§āĻā§āĻ¯ āĻāĻŦāĻ āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤ "2" DoH-āĻā§ āĻ āĻā§āĻ°āĻžāĻ§āĻŋāĻāĻžāĻ° āĻĻā§āĻŦā§, āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ DNS āĻ˛ā§āĻāĻāĻĒāĻāĻŋāĻā§ āĻĢāĻ˛āĻŦā§āĻ¯āĻžāĻ āĻŦāĻŋāĻāĻ˛ā§āĻĒ āĻšāĻŋāĻ¸āĻžāĻŦā§ āĻā§āĻĄāĻŧā§ āĻĻā§āĻŦā§āĨ¤
5. āĻ˛āĻžāĻ!
āĻ¨āĻŋāĻŦāĻ¨ā§āĻ§āĻāĻŋ āĻ¸āĻšāĻžāĻ¯āĻŧāĻ āĻāĻŋāĻ˛? āĻ¤āĻžāĻšāĻ˛ā§ āĻ āĻ¨ā§āĻā§āĻ°āĻš āĻāĻ°ā§ āĻ˛āĻžāĻā§āĻ āĻšāĻŦā§āĻ¨ āĻ¨āĻž āĻāĻŦāĻ āĻ āĻ¨ā§āĻĻāĻžāĻ¨ āĻĢāĻ°ā§āĻŽā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§ āĻ āĻ°ā§āĻĨ āĻĻāĻŋāĻ¯āĻŧā§ āĻ¸āĻšāĻžāĻ¯āĻŧāĻ¤āĻž āĻāĻ°ā§āĻ¨ (āĻ¨ā§āĻā§)āĨ¤
āĻāĻ¤ā§āĻ¸: www.habr.com
