Mozilla moves to enable DNS-over-HTTPS by default in Firefox

Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable this technology by default for US users at the end of September. The activation will be rolled out gradually, initially for a few percent of users and, if no problems arise, gradually increasing to 100%. Once the US is covered, DoH will be considered for inclusion in other countries.

Tests conducted throughout the year showed the reliability and good performance of the service, and also made it possible to identify some situations where DoH can cause problems and to develop ways to work around them (for example, problems with traffic optimization in content delivery networks, parental controls and internal DNS zones were examined).

Encrypting DNS traffic is regarded as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but at the first stage only for users from the US. After DoH is activated, the user will receive a warning that allows them, if desired, to opt out of contacting centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server (instead of a distributed infrastructure of DNS resolvers, DoH binds to a specific DoH service, which can be considered a single point of failure).

If DoH is enabled, parental control systems and corporate networks that use an internal-network-only DNS name structure to resolve intranet addresses and corporate hosts may be disrupted. To solve problems with such systems, a system of checks has been added that automatically disables DoH. The checks are performed each time the browser is launched or when a subnet change is detected.

An automatic fallback to the standard operating system resolver is also provided if failures occur during resolution via DoH (for example, if network availability of the DoH provider is disrupted or failures occur in its infrastructure). The value of such checks is questionable, since nothing prevents attackers who control the resolver or are able to interfere with traffic from simulating such behaviour in order to suppress encryption of DNS traffic. The problem is addressed by adding a "DoH always" item to the settings (inactive by default); when it is set, automatic disabling is not applied, which is a reasonable compromise.

To identify enterprise resolvers, top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the actual IP, it is assumed that adult-content blocking is active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators to see whether they have been replaced with restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. Additionally, Mozilla proposes a single test host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host is not detected, Firefox disables DoH).
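The checks described above, together with the "DoH always" override, sketched as an added example; this is not Firefox's code. The function names, the use of www.google.com and www.youtube.com as the hosts compared, the caller-supplied "real" address for exampleadultsite.com and the lookup tables are assumptions made for illustration.

```python
import socket

CANARY = "use-application-dns.net"
# Hosts compared against the restricted names from the article (host choice is an assumption).
SAFE_SEARCH = {
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
}

def system_resolve(name):
    """Resolve through the OS resolver; return a set of IPs, empty on failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def doh_disable_reasons(resolve=system_resolve, adult_real_ips=frozenset()):
    """Return the signals that would switch DoH off on this network."""
    reasons = []
    if not resolve(CANARY):
        reasons.append("canary domain does not resolve")
    # The page does not give the real address, so the caller supplies it.
    if adult_real_ips and resolve("exampleadultsite.com") != set(adult_real_ips):
        reasons.append("exampleadultsite.com answer differs from real IP")
    for host, restricted in SAFE_SEARCH.items():
        got = resolve(host)
        for r in restricted:
            if got and got & resolve(r):
                reasons.append(f"{host} rewritten to {r}")
    return reasons

def doh_enabled(resolve=system_resolve, doh_always=False, **kw):
    """With 'DoH always' set the checks are skipped, so they cannot force a downgrade."""
    return doh_always or not doh_disable_reasons(resolve, **kw)

# Constructed answers (documentation address ranges), not real lookups.
OPEN_NET = {CANARY: {"192.0.2.10"}, "exampleadultsite.com": {"192.0.2.20"},
            "www.google.com": {"192.0.2.30"}, "www.youtube.com": {"192.0.2.40"},
            "forcesafesearch.google.com": {"198.51.100.1"},
            "restrict.youtube.com": {"198.51.100.2"},
            "restrictmoderate.youtube.com": {"198.51.100.3"}}
FILTERED_NET = {**OPEN_NET, CANARY: set(), "www.google.com": {"198.51.100.1"}}

def table_resolver(table):
    return lambda name: table.get(name, set())
```

Calling `doh_disable_reasons()` with no arguments runs the same checks against the local system resolver, which lets an administrator confirm what signals their network is sending.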

Working through a single DoH service can also lead to problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server generates a response taking into account the resolver's address and returns the closest host for receiving content). Sending a DNS query from the resolver closest to the user in such CDNs results in the address of the host nearest to the user being returned, but sending a DNS query from a centralized resolver will return the address of the host closest to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN led to virtually no delay before the start of content transfer (for fast connections, the delay did not exceed 10 milliseconds, and even faster performance was observed on slow communication channels). The use of the EDNS Client Subnet extension to provide client location information to the CDN resolver was also considered.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, combating MITM attacks and DNS traffic spoofing, countering blocking at the DNS level, or for organizing work when it is impossible to access DNS servers directly (for example, when working through a proxy). Whereas normally DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

To enable DoH, in about:config you must change the value of the network.trr.mode variable, which has been supported since Firefox 60. A value of 0 disables DoH completely; 1 - DNS or DoH is used, whichever is faster; 2 - DoH is used by default, and DNS is used as a fallback option; 3 - only DoH is used; 4 - mirroring mode in which DoH and DNS are used in parallel. By default, CloudFlare's DNS server is used, but it can be changed via the network.trr.uri parameter; for example, you can set "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

source: budenet.ru
