Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced server-side support for DNS over HTTPS (DoH) and DNS over TLS (DoT), together with an XFR-over-TLS mechanism for securely transferring DNS zone contents between servers. DoH is available for testing in release 9.17.10, and DoT support has been present since release 9.17.7. Once stabilized, DoT and DoH support is to be backported to the stable 9.16 branch.

The HTTP/2 implementation used for DoH is based on the nghttp2 library, which has been added to the build dependencies (in the future the library is planned to be moved to the optional dependencies). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now serve not only classic DNS queries but also queries sent over DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). HTTPS support on the client side (dig) has not been implemented yet. XFR-over-TLS support is available for both incoming and outgoing transfer requests.

Handling of requests over DoH and DoT is enabled by adding the http and tls options to the listen-on directive. For unencrypted DNS-over-HTTP, specify "tls none". Certificates and keys are defined in tls blocks. The default network ports (853 for DoT, 443 for DoH and 80 for DNS-over-HTTP) can be overridden with the tls-port, https-port and http-port parameters. Example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

The names following tls and http in listen-on must match the tls and http blocks defined above; a listener that references an undefined block will not load.

A notable aspect of the DoH implementation in BIND is that it is integrated as a general-purpose transport: it can be used not only for client queries to the resolver but also for data exchange between servers, for zone transfers from an authoritative DNS server, and for handling any request that the other DNS transports support.

Another feature is the ability to offload TLS encryption to a different host, which may be necessary in environments where the TLS certificates are stored on another system (for example, in an infrastructure with web servers) and are maintained by other staff. Unencrypted DNS-over-HTTP support is provided to simplify debugging and as a layer for deployment inside an internal network, on top of which encryption can be added on a separate server. On that remote server, nginx can be used to terminate TLS, much as HTTPS is set up for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of the requested hostnames through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for bypassing blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN against blocking implemented at the DPI level), or for operating when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas DNS queries are normally sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes it via a Web API.
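The encapsulation described above is the RFC 8484 wire exchange: a binary DNS message carried in an HTTPS request to an endpoint such as the "/dns-query" shown in the BIND configuration earlier. The following Python is an added example, not code from BIND or from the article's source; it builds a query, encodes it for the GET form (dns= parameter, base64url without padding) and the POST form (application/dns-message), and parses the answer section of a reply while checking the ID, QR bit and RCODE. The server URL is an assumption, and the reply bytes are constructed by hand so that the whole thing runs offline; only send_query() touches the network.

```python
"""Minimal RFC 8484 (DNS-over-HTTPS) message handling, added as an example;
not code from BIND or from the article's source. DOH_URL is an assumed
server name chosen to match the "/dns-query" endpoint in the BIND config;
SAMPLE_REPLY is constructed by hand so the example runs offline."""
import base64
import socket
import struct
import urllib.request

DOH_URL = "https://dns.example.net/dns-query"  # assumption, not a real resolver
TYPE_A = 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Standard query with RD set. RFC 8484 s4.1 recommends ID 0 for DoH so
    that identical GET URLs stay cacheable by HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: message in the dns= parameter, base64url with '=' padding
    stripped (RFC 8484 s6)."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Server-side counterpart of doh_get_url: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(base_url: str, query: bytes) -> urllib.request.Request:
    """POST form: raw message as the body, DoH media type on both headers."""
    return urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def send_query(base_url: str, query: bytes) -> bytes:
    """Live POST over HTTPS; needs network access and is not used offline."""
    with urllib.request.urlopen(doh_post_request(base_url, query), timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("not a DoH response")
        return resp.read()


def parse_name(msg: bytes, off: int, hops: int = 0):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); returns
    (name, offset after it). The hop limit stops pointer loops in hostile data."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr, hops + 1)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_response(msg: bytes, query: bytes):
    """Return [(name, type, ttl, rdata)] from the answer section after checking
    that the reply matches the query ID, is a response, and has RCODE 0."""
    if msg[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


# Constructed reply for build_query("example.com"): NOERROR, one A record
# (192.0.2.1, from the TEST-NET-1 documentation range), owner name given as
# a compression pointer to the question name at offset 12.
SAMPLE_REPLY = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_URL, q))
    print(parse_response(SAMPLE_REPLY, q))
```

Pointing send_query() at a BIND 9.17.10 listener configured with the http block from the example (the path must equal one of its endpoints) exercises the POST path; the GET path is what HTTP caches and some proxies see, which is why RFC 8484 ties the ID-0 and no-padding rules to it.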

"DNS over TLS" differs from "DNS over HTTPS" in that it carries the standard DNS protocol (network port 853 is normally used) inside an encrypted channel established with TLS, with the server's identity verified through a TLS/SSL certificate issued by a certificate authority. The current DNSSEC standard uses cryptography only to authenticate DNS data (signed records that a validator can check against the chain of trust); it does not encrypt traffic, does not protect it from interception, and does not guarantee the confidentiality of queries.

source: budenet.ru
