Love it or hate it: DNS over HTTPS

We look at the opinions surrounding DNS over HTTPS, a technology that has become a "bone of contention" between internet service providers and software developers.


The root of the disagreement

Lately, major media outlets and specialist platforms (Habr included) have been writing a lot about DNS over HTTPS (DoH). The protocol encrypts queries to the DNS server and the responses to them, which makes it possible to hide the names of the hosts a user has visited. From these publications one can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One camp believes the new protocol improves network security and is already rolling it out in its applications and services. The other camp believes the technology only makes administrators' work harder. Below we go through the arguments of both sides.

How DoH works

Before getting into why ISPs and other market participants are wary of DNS over HTTPS, let us take a brief look at how it works.

With DoH, the request to resolve a name to an IP address is wrapped inside an HTTPS stream. It travels to an HTTP server, where it is handled by an API. Here is a sample request from RFC 8484 (page 6):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
                           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
                           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

So the DNS traffic is hidden inside an ordinary HTTPS stream. The client and the server talk over the standard port 443. As a result, the name-resolution queries are not visible to anyone watching the network from outside.
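The following Python is an added example, not code from the original article: it builds the wire-format DNS query that the RFC 8484 sample above carries, encodes it as the base64url `dns=` parameter of the GET form, and decodes such a parameter back into the question it contains. With the sample's query name it reproduces the RFC's `dns=` value byte for byte; the RFC_8484_SAMPLE constant is copied from that request.

```python
import base64
import struct

# The dns= value from the RFC 8484 sample request quoted above (line breaks removed).
RFC_8484_SAMPLE = (
    "AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl"
    "bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z"
    "dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ"
)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 wire-format query for `name` (qtype 1 = A).
    The ID is 0 and only the RD flag is set: RFC 8484 recommends this for GET
    so that identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def to_doh_get_path(wire: bytes) -> str:
    """Encode a DNS message as the unpadded base64url dns= parameter (RFC 8484 4.1)."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def from_doh_get_param(param: str) -> bytes:
    """Inverse of the above: restore the padding and decode the dns= value."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_question(wire: bytes) -> tuple[str, int, int]:
    """Return (name, qtype, qclass) of the first question in a DNS message.
    Name compression pointers are not expected in a question and are rejected."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount < 1:
        raise ValueError("message carries no question section")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype, qclass
```

Decoding the sample shows why DoH hides nothing from the resolver itself: the full question name is right there in the message, only the transport is encrypted.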

Why some people dislike it

Opponents of DNS over HTTPS argue that the new protocol lowers the security of connections. For example, Paul Vixie, one of the people behind the development of DNS, stresses that it will make it harder for system administrators to block malicious sites. Ordinary users, for their part, will lose the ability to set up parental controls in their browsers.

Paul's view is shared by UK internet service providers. National law requires them to block resources with prohibited content, but DoH support in browsers will complicate traffic filtering. Other critics of the new protocol include the UK's Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains a list of blocked resources.


Experts also note that DNS over HTTPS can become a cybersecurity threat. In early July, information security specialists at Netlab discovered the first piece of malware that used the new protocol while carrying out DDoS attacks: Godlua. The malware used DoH to fetch text (TXT) records and extract from them the URLs of its command-and-control servers.

The encrypted DoH requests are invisible to antivirus software. Security experts fear that Godlua will be followed by other malware that passive DNS monitoring cannot see.

But not everyone is against it

APNIC engineer Geoff Huston defended DNS over HTTPS on his blog. In his view, the new protocol can protect against DNS hijacking attacks, which have become commonplace; a January report from the cybersecurity company FireEye confirms this. Large IT companies have also backed the protocol's development.

Google began testing DoH at the start of last year, and a month ago the company announced the general availability of its DoH service. Google hopes it will improve the security of personal data on the network and protect against MITM attacks.

Another software developer, Mozilla, has supported DNS over HTTPS since last summer. At the same time, the company has been actively promoting the new technology across the IT industry. For this, the Internet Services Providers Association (ISPA) nominated Mozilla for its Internet Villain of the Year award. In response, company representatives said that the real victims are those harmed by telecom operators' unwillingness to modernize their outdated network infrastructure.


Major media outlets and some internet service providers sided with Mozilla. In particular, British Telecom believes the new protocol does not interfere with content filtering and improves the security of UK users. Under public pressure, ISPA had to withdraw the "nomination".

Cloud providers, Cloudflare for example, have also supported the adoption of DNS over HTTPS and offer DNS services based on the new protocol. A full list of browsers and clients that support DoH is available on GitHub.

In any case, it is too early to speak of an end to the confrontation between the two camps. According to IT experts, if DNS over HTTPS is to become part of mainstream network technology, it will take more than a decade.


Source: www.habr.com
