Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced the addition of server-side support for the DNS over HTTPS (DoH) and DNS over TLS (DoT) technologies to the experimental 9.17 branch, along with an XFR-over-TLS mechanism for securely transferring the contents of DNS zones between servers. DoH is available for testing in release 9.17.10, and DoT support has been available since release 9.17.7. Once stabilized, DoT and DoH support will be backported to the stable 9.16 branch.

The HTTP/2 protocol implementation used for DoH is based on the nghttp2 library, which is included as a build dependency (it is planned to make it optional in the future). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now handle not only traditional DNS queries but also queries sent using DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). Client-side HTTPS support (dig) is not yet implemented. XFR-over-TLS support is available for both incoming and outgoing requests.

Processing of requests using DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To support unencrypted DNS-over-HTTP, specify "tls none" in the settings. Keys are defined in the "tls" section. The default network ports (853 for DoT, 443 for DoH, and 80 for DNS-over-HTTP) can be overridden using the tls-port, https-port, and http-port settings. For example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One of the features of the DoH implementation in BIND is its integration as a general-purpose transport, which can be used not only for serving client requests to the resolver but also for exchanging data between servers, for transferring zones from an authoritative DNS server, and for processing any requests supported by the other DNS transports.

Another feature is the ability to offload TLS encryption to another server, which may be necessary when the TLS certificates are stored on another system (for example, in the web server infrastructure) and managed by different staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to serve as a forwarding layer within the internal network, on top of which encryption can be applied on another server. On the outward-facing server, Nginx can be used to terminate the TLS traffic, in the same way that HTTPS is set up for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested hostnames through the providers' DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), and for resisting blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for organizing work in conditions where direct access to DNS servers is impossible (for example, when working through a proxy). Whereas in the normal situation DNS queries are sent directly to the DNS servers defined in the system configuration, in the case of DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel established with the TLS protocol, with host validity checked through a TLS/SSL certificate issued by a certificate authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru
