Firefox Developers game da kunna DNS akan HTTPS (DoH, DNS akan HTTPS) ta tsohuwa don masu amfani da Amurka. Ana ɗaukar boye-boye na zirga-zirgar DNS a matsayin muhimmin abu mai mahimmanci don kare masu amfani. Tun daga yau, duk sabbin kayan aiki na masu amfani da Amurka za a kunna DoH ta tsohuwa. Ana shirin canza masu amfani da Amurka na yanzu zuwa DoH a cikin 'yan makonni. A cikin Tarayyar Turai da sauran ƙasashe, kunna DoH ta tsohuwa a yanzu .
Bayan kunna DoH, ana nuna gargadi ga mai amfani, wanda ke ba da damar, idan ana so, don ƙin tuntuɓar sabar DoH DNS ta tsakiya kuma komawa cikin tsarin gargajiya na aika tambayoyin da ba a ɓoye ba zuwa uwar garken DNS na mai bayarwa. Maimakon abubuwan da aka rarraba na masu warwarewar DNS, DoH yana amfani da ɗaure zuwa takamaiman sabis na DoH, wanda za'a iya la'akari da maki guda na gazawa. A halin yanzu, ana ba da aiki ta hanyar masu samar da DNS guda biyu - CloudFlare (tsoho) da .
Canja mai bada ko kashe DoH a cikin saitunan haɗin cibiyar sadarwa. Misali, zaku iya saka madadin uwar garken DoH "https://dns.google/dns-query" don samun damar sabar Google, "https://dns.quad9.net/dns-query" - Quad9 da "https:/ /doh .opendns.com/dns-query" - OpenDNS. Game da: config kuma yana ba da saitin network.trr.mode, ta hanyar da za ku iya canza yanayin aiki na DoH: darajar 0 ta hana DoH gaba daya; 1 - Ana amfani da DNS ko DoH, duk wanda ya fi sauri; 2 - Ana amfani da DoH ta tsohuwa, kuma ana amfani da DNS azaman zaɓi na koma baya; 3 - DoH kawai ake amfani da shi; 4 - yanayin madubi wanda ake amfani da DoH da DNS a layi daya.
Bari mu tuna cewa DoH na iya zama da amfani don hana leaks na bayanai game da sunayen rundunar da ake buƙata ta hanyar sabar DNS na masu samarwa, yaƙar hare-haren MITM da ɓarkewar zirga-zirgar ababen hawa na DNS (misali, lokacin haɗawa da Wi-Fi na jama'a), hana toshewa a DNS. matakin (DoH ba zai iya maye gurbin VPN ba a cikin yanki na toshe toshewa wanda aka aiwatar a matakin DPI) ko don tsara aiki idan ba zai yiwu ba kai tsaye zuwa sabar DNS (misali, lokacin aiki ta hanyar wakili). Idan a cikin yanayi na al'ada ana aika buƙatun DNS kai tsaye zuwa sabar DNS da aka ayyana a cikin tsarin tsarin, to, a cikin yanayin DoH, buƙatar tantance adireshin IP ɗin mai watsa shiri yana cikin zirga-zirgar HTTPS kuma a aika zuwa uwar garken HTTP, inda masu warware matsalar ke aiwatarwa. buƙatun ta hanyar API ɗin Yanar Gizo. Ma'auni na DNSSEC na yanzu yana amfani da ɓoyewa kawai don tabbatar da abokin ciniki da uwar garken, amma baya kare zirga-zirga daga shiga tsakani kuma baya bada garantin sirrin buƙatun.
Don zaɓar masu samar da DoH da aka bayar a Firefox, zuwa amintattun masu yanke shawara na DNS, bisa ga abin da ma'aikacin DNS zai iya amfani da bayanan da aka karɓa don ƙuduri kawai don tabbatar da aikin sabis ɗin, ba dole ba ne ya adana rajistan ayyukan fiye da sa'o'i 24, ba zai iya canja wurin bayanai zuwa wasu kamfanoni ba kuma yana da alhakin bayyana bayanai game da su. hanyoyin sarrafa bayanai. Sabis ɗin kuma dole ne ya yarda ba don tantancewa, tacewa, tsoma baki ko toshe zirga-zirgar DNS ba, sai dai cikin yanayin da doka ta tanadar.
Ya kamata a yi amfani da DoH tare da taka tsantsan. Misali, a cikin Tarayyar Rasha, adiresoshin IP 104.16.248.249 da 104.16.249.249 masu alaƙa da tsohuwar uwar garken DoH mozilla.cloudflare-dns.com da aka bayar a Firefox, в bisa bukatar kotun Stavropol ta ranar 10.06.2013.
Hakanan DoH na iya haifar da matsaloli a fannoni kamar tsarin kula da iyaye, samun damar yin amfani da wuraren suna a cikin tsarin kamfanoni, zaɓin hanya a cikin tsarin haɓaka abun ciki, da bin umarnin kotu a fagen yaƙi da rarraba abubuwan da ba bisa ka'ida ba da kuma amfani da su. kananan yara. Don kauce wa irin waɗannan matsalolin, an aiwatar da tsarin dubawa kuma an gwada shi wanda ke kashe DoH ta atomatik a ƙarƙashin wasu sharuɗɗa.
Don gano masu warwarewar kasuwanci, ana bincika wuraren yanki na matakin farko (TLDs) kuma mai warware tsarin ya dawo da adiresoshin intanet. Don sanin ko ana kunna ikon iyaye, ana ƙoƙarin warware sunan exampleadultsite.com kuma idan sakamakon bai dace da ainihin IP ba, ana ɗaukar cewa toshe abun ciki na manya yana aiki a matakin DNS. Ana kuma bincika adiresoshin IP na Google da YouTube a matsayin alamu don ganin ko an maye gurbinsu da restrict.youtube.com, forcefesearch.google.com da restrictmoderate.youtube.com. Waɗannan gwaje-gwajen suna ba da damar maharan waɗanda ke sarrafa aikin mai warwarewa ko kuma ke da ikon kutsawa cikin zirga-zirga don yin kwatankwacin irin wannan ɗabi'ar don murkushe ɓoyayyen zirga-zirgar DNS.
Yin aiki ta hanyar sabis na DoH guda ɗaya na iya haifar da matsaloli tare da haɓaka zirga-zirgar ababen hawa a cikin hanyoyin sadarwar abun ciki waɗanda ke daidaita zirga-zirga ta amfani da DNS (Sabar DNS na cibiyar sadarwar CDN ta haifar da amsa la'akari da adireshin mai warwarewa kuma yana ba da mafi kusancin masaukin don karɓar abun ciki). Aika tambaya ta DNS daga mai warwarewa mafi kusa da mai amfani a cikin irin waɗannan CDNs yana haifar da dawo da adireshin mai watsa shiri mafi kusa da mai amfani, amma aika tambayar DNS daga mai warwarewa ta tsakiya zai dawo da adireshin mai masaukin kusa da uwar garken DNS-over-HTTPS. . Gwaji a aikace ya nuna cewa yin amfani da DNS-over-HTTP lokacin amfani da CDN ya haifar da kusan babu jinkiri kafin fara canja wurin abun ciki (don haɗin sauri, jinkirin bai wuce millisecond 10 ba, kuma har ma an lura da saurin aiki akan jinkirin tashoshi na sadarwa. ). An kuma yi la'akari da yin amfani da tsawo na EDNS Client Subnet don samar da bayanin wurin abokin ciniki ga mai warware CDN.
source: budenet.ru