Chrome 78 will begin experimenting with enabling DNS-over-HTTPS

Following Mozilla, Google has announced its intention to run an experiment to test the "DNS over HTTPS" (DoH) implementation being developed for the Chrome browser. In Chrome 78, scheduled for October 22, some categories of users will be switched to DoH by default. Only users whose current system settings specify certain DNS providers recognized as DoH-compatible will take part in the experiment to enable DoH.

The whitelist of DNS providers includes the services of Google (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1, 1.0.0.1) and DNS.SB (208.67.222.222, 208.67.220.220). If the user's DNS settings specify one of the DNS servers mentioned above, DoH in Chrome will be enabled by default. For those who use DNS servers provided by their Internet provider, nothing will change and the system resolver will continue to be used for DNS queries.

An important difference from the DoH implementation in Firefox, where the gradual enabling of DoH by default will begin as early as the end of September, is that Chrome is not tied to a single DoH service. While Firefox uses Cloudflare's DNS server by default, Chrome will only switch the method of working with DNS to the equivalent service, without changing the DNS provider. For example, if the user has DNS 8.8.8.8 specified in the system settings, Chrome will enable the Google DoH service ("https://dns.google.com/dns-query"); if the DNS is 1.1.1.1, then the Cloudflare DoH service ("https://cloudflare-dns.com/dns-query"), and so on.

If desired, the user can enable or disable DoH using the "chrome://flags/#dns-over-https" setting. Three operating modes are supported: secure, automatic and off. In "secure" mode, hosts are resolved only from previously cached secure values (obtained over a secure connection) and from requests made via DoH; fallback to regular DNS is not used. In "automatic" mode, if DoH and the secure cache are unavailable, data can be retrieved from the insecure cache and obtained via traditional DNS. In "off" mode, the shared cache is checked first and, if there is no data, the request is sent through the system DNS. The mode is set through the kDnsOverHttpsMode setting, and the server mapping template through kDnsOverHttpsTemplates.

The experiment to enable DoH will be carried out on all platforms supported by Chrome, except Linux and iOS, because of the non-trivial nature of parsing resolver settings and restricted access to the system DNS settings. If, after DoH is enabled, there are problems sending requests to the DoH server (for example, because it is blocked, or because of a network connectivity problem or a failure), the browser will automatically revert to the system DNS settings.

The purpose of the experiment is to give the DoH implementation a final test and to study the impact of DoH on performance. It should be noted that DoH support was in fact added to the Chrome codebase in February, but configuring and enabling DoH required launching Chrome with a special flag and a non-obvious set of options.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for keeping name resolution working when DNS servers cannot be reached directly (for example, when working through a proxy). While in the normal situation DNS requests are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but it does not protect traffic from interception and does not guarantee the confidentiality of requests.
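The same-provider upgrade and the HTTPS encapsulation described above can be put together in a short sketch. This is an added example, not Chrome's code: it picks the DoH endpoint for a list of system resolvers and encodes a lookup in the GET form defined by RFC 8484 (the article does not say which HTTP method Chrome uses). The function names, the handling of each provider's secondary address and the first-match rule are assumptions.

```python
import base64
import struct

# Resolver-to-endpoint pairs. The 8.8.8.8 and 1.1.1.1 rows are the two examples
# given in the article; treating each provider's secondary address the same way
# is an assumption of this sketch.
SAME_PROVIDER_DOH = {
    "8.8.8.8": "https://dns.google.com/dns-query",
    "8.8.4.4": "https://dns.google.com/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
}

def doh_template_for(system_resolvers):
    """Return the DoH endpoint of the first recognised resolver (first-match is
    an assumption), or None when the system resolver keeps handling lookups."""
    for ip in system_resolvers:
        if ip in SAME_PROVIDER_DOH:
            return SAME_PROVIDER_DOH[ip]
    return None

def dns_query_wire(hostname, qtype=1):
    """Encode a one-question DNS query (RFC 1035); ID 0 as RFC 8484 advises."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid DNS label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(system_resolvers, hostname):
    """Build an RFC 8484 GET URL for the lookup, or None if nothing is upgraded."""
    template = doh_template_for(system_resolvers)
    if template is None:
        return None
    # RFC 8484: base64url of the wire-format query, padding removed.
    dns_param = base64.urlsafe_b64encode(dns_query_wire(hostname)).rstrip(b"=")
    return template + "?dns=" + dns_param.decode("ascii")

if __name__ == "__main__":
    # Constructed inputs: one host on Google DNS, one on a documentation-range resolver.
    print(doh_get_url(["8.8.8.8"], "www.example.com"))
    print(doh_get_url(["192.0.2.53"], "www.example.com"))
```

For an upgraded host the queried name appears only inside the TLS-protected request to the provider, so monitoring that relies on port 53 traffic no longer sees it.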

source: budenet.ru
