Release of BIND DNS Server 9.18.0 with support for DNS-over-TLS and DNS-over-HTTPS

After two years of development, the ISC team has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the 2nd quarter of 2025, as part of the extended support cycle. Support for the 9.11 branch ends in March, and support for the 9.16 branch in mid-2023. To develop the functionality of the next stable BIND release, the experimental branch BIND 9.19.0 has been created.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for secure transfer of DNS zone contents between servers (both sending and receiving zones over XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent over DNS-over-HTTPS and DNS-over-TLS. Client support for DNS-over-TLS is built into the dig utility, which can send requests over TLS when the "+tls" flag is specified.

The HTTP/2 protocol implementation used for DoH is based on the nghttp2 library, which is included as an optional build dependency. The certificates for DoH and DoT can be supplied by the user or generated automatically at startup.

Processing of DoH and DoT requests is enabled by adding the "http" and "tls" options to the listen-on directive. To serve unencrypted DNS-over-HTTP, specify "tls none" in the settings. Keys are defined in the "tls" section. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One of the features of the DoH implementation in BIND is the ability to move the TLS encryption work to another server, which may be necessary in environments where the TLS certificates are stored on a different system (for example, in an infrastructure with web servers) and are maintained by other staff. Support for unencrypted DNS-over-HTTP is provided to simplify debugging and as a layer for forwarding to another server on the internal network (to move encryption to a separate server). On that remote server, nginx can be used to terminate the TLS traffic, in the same way an HTTPS binding is configured for websites.
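The following named.conf fragment is an added example, not part of the announcement or of ISC's documentation. It extends the fragment above into one configuration that serves DoT on 853, DoH on 443, and unencrypted DNS-over-HTTP only on an internal address for a TLS-terminating nginx in front of named, and enables XoT for zone transfers. The certificate paths, the addresses 10.0.0.5, 192.0.2.10 and 192.0.2.20, and the zone example.test are assumed placeholders.

```conf
# Added example (not from the announcement): BIND 9.18 named.conf fragment
# combining DoT, DoH, internal plain HTTP and XoT. Paths, addresses and the
# zone name are placeholders.

tls local-tls {
    key-file "/path/to/priv_key.pem";
    cert-file "/path/to/cert_chain.pem";
};

http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    tls-port 853;
    https-port 443;
    http-port 80;

    # Classic DNS on UDP/TCP port 53.
    listen-on port 53 { any; };

    # DNS-over-TLS: the standard DNS protocol wrapped in TLS.
    listen-on port 853 tls local-tls { any; };

    # DNS-over-HTTPS: named terminates TLS itself with local-tls.
    listen-on port 443 tls local-tls http local-http-server { any; };

    # Unencrypted DNS-over-HTTP for a TLS-terminating reverse proxy
    # (e.g. nginx) on the internal network; bound to the internal
    # address only, so it is never reachable from a public interface.
    listen-on port 80 tls none http local-http-server { 10.0.0.5; };
};

# XoT: outgoing zone transfers are allowed only over TLS, to one secondary.
zone "example.test" {
    type primary;
    file "example.test.db";
    allow-transfer port 853 transport tls { 192.0.2.20; };
};

# The matching secondary pulls the zone over XoT from the primary:
# zone "example.test" {
#     type secondary;
#     file "example.test.db";
#     primaries { 192.0.2.10 port 853 tls local-tls; };
# };
```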

Another feature is the integration of DoH as a general-purpose transport that can be used not only to carry client requests to the resolver, but also for communication between servers, for zone transfers by an authoritative DNS server, and for processing any queries supported by the other DNS transports.

Among the drawbacks, which can be compensated for by building without DoH/DoT or by moving encryption to another server, is the increased complexity of the code base: a built-in HTTP server and a TLS library have been added, which may contain vulnerabilities and serve as additional attack surface. Also, when using DoH, traffic volume increases.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for circumventing blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for organizing operation when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas in the normal case DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes the request through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel organized with the TLS protocol, with host validity checking based on TLS/SSL certificates certified by a certification authority. The current DNSSEC standard uses encryption only for authenticating the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

Some other innovations:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings to configure the sizes of the buffers used when sending and receiving requests over TCP and UDP. On busy servers, increasing the receive buffers helps avoid packet drops during traffic peaks, and reducing them helps prevent memory from being clogged with stale requests.
  • Added a new log category, "rpz-passthru", which allows RPZ passthrough actions to be logged separately.
  • In the response-policy section, added the "nsdname-wait-recurse" option; when set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the request are already in the cache, otherwise the RPZ NSDNAME rule is ignored, but the information is fetched in the background and applied to subsequent requests.
  • For records of the HTTPS and SVCB types, processing of the "ADDITIONAL" section is implemented.
  • Added new update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow updates to be limited to SRV and PTR records. update-policy blocks also gain the ability to set limits on the number of records, individually for each type.
  • Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and about DNS64 prefixes to the output of the dig utility. For debugging purposes, dig gained the ability to specify a particular request identifier (dig +qid=).
  • Added support for the OpenSSL 3.0 library.
  • To solve the IP fragmentation problems with large DNS messages identified during DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a request received no response has been removed from the resolver. The EDNS buffer size is now set to a constant (edns-udp-size) for all outgoing requests.
  • The build system has been switched to a combination of autoconf, automake and libtool.
  • Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to the raw format with the named-compilezone utility.
  • Support for the old DLZ (Dynamically Loadable Zones) drivers has been discontinued; they are replaced by DLZ modules.
  • Build and run support for the Windows platform has been discontinued. The last branch that can be installed on Windows is BIND 9.16.

source: budenet.ru
