Likes and Dislikes: DNS over HTTPS

We look at the opinions about DNS over HTTPS, which has recently become a "bone of contention" between Internet providers and browser developers.


The essence of the disagreement

Recently, major media outlets and topical platforms (including Habr) have often written about the DNS over HTTPS (DoH) protocol. It encrypts requests to the DNS server and the responses to them. This approach makes it possible to hide the names of the hosts a user accesses. From the publications one can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One half believes that the new protocol will improve Internet security and is implementing it in its applications and services. The other half is convinced that the technology only makes the work of system administrators harder. Below, we look at the arguments of both sides.

How DoH works

Before we get into why ISPs and other market participants are for or against DNS over HTTPS, let's briefly look at how it works.

With DoH, the request to resolve an IP address is encapsulated in HTTPS traffic. It then goes to an HTTP server, where it is processed through an API. Here is an example request from RFC 8484 (page 6):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

Thus, DNS traffic is hidden inside HTTPS traffic. The client and the server communicate over the standard port 443. As a result, requests to the domain name system remain hidden.

Why is it disliked?

Opponents of DNS over HTTPS say that the new protocol will reduce network security. According to Paul Vixie, a member of the DNS development team, it will make it harder for system administrators to block dangerous websites. Ordinary users will lose the ability to set up parental controls in browsers.

UK Internet providers share Vixie's view. The country's law obliges them to block resources with prohibited content, but DoH support in browsers complicates the task of filtering traffic. Critics of the new protocol also include the Government Communications Headquarters in England (GCHQ) and the Internet Watch Foundation (IWF), which maintains a registry of blocked resources.


Experts note that DNS over HTTPS can become a cybersecurity threat. In early July, information security specialists from Netlab discovered the first malware that used the new protocol to carry out DDoS attacks: Godlua. The malware used DoH to obtain text (TXT) records and extract the URLs of its command-and-control servers.

Encrypted DoH requests are not recognized by antivirus software. Information security specialists fear that Godlua will be followed by other malware that is invisible to passive DNS monitoring.

But not everyone is against it

APNIC engineer Geoff Huston spoke out in defense of DNS over HTTPS on his blog. According to him, the new protocol will make it possible to combat DNS hijacking attacks, which have recently become increasingly common. This is confirmed by a January report from the security firm FireEye. Large IT companies have also supported the development of the protocol.

At the beginning of last year, Google began testing DoH. A month ago the company introduced the General Availability version of its DoH service. Google hopes that it will increase the security of personal data on the network and protect against MITM attacks.

Another browser developer, Mozilla, has supported DNS over HTTPS since the summer. At the same time, the company promotes the new technology in the IT community. For this, the Internet Services Providers' Association (ISPA) even nominated Mozilla for the "Internet Villain of the Year" award. In response, company representatives noted that they are disappointed by the reluctance of telecom companies to improve outdated Internet infrastructure.


Major media outlets and some Internet providers spoke out in support of Mozilla. In particular, British Telecom believes that the new protocol will not affect content filtering and will improve the security of UK users. Under public pressure, ISPA had to withdraw the "villain" nomination.

Cloud providers, for example Cloudflare, have also advocated for the introduction of DNS over HTTPS. They already offer DNS services based on the new protocol. A full list of browsers and clients that support DoH is available on GitHub.

In any case, there is no talk yet of an end to the confrontation between the two camps. IT experts predict that if DNS over HTTPS is destined to become part of the mainstream Internet technology stack, it will take more than a decade.


source: www.habr.com
