Experimental support for DNS-over-HTTPS added to the BIND DNS server

The developers of the BIND DNS server have announced the addition of server-side support for the DNS over HTTPS (DoH) and DNS over TLS (DoT) technologies, together with an XFR-over-TLS mechanism for securely transferring the contents of DNS zones between servers. DoH is available for testing in release 9.17, and DoT support has been available since release 9.17.10. After stabilization, DoT and DoH support will be backported to the stable 9.17.7 branch.

The implementation of the HTTP/2 protocol used by DoH is based on the nghttp2 library, which is included as a build dependency (in the future the library is planned to be moved to the list of optional dependencies). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent over DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). HTTPS support on the client side (dig) has not yet been implemented. XFR-over-TLS support is available for both inbound and outbound requests.

Handling of requests over DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To enable unencrypted DNS-over-HTTP, "tls none" must be specified explicitly in the settings. Keys are defined in the "tls" section. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // the tls and http blocks are referenced by the names they were declared with
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

Among the features of the DoH implementation in BIND, its integration as a general-purpose transport is noted: it can be used not only for client requests to the resolver, but also for exchanging data between servers, for zone transfers by an authoritative DNS server, and for handling any requests supported by the other DNS transports.

Another feature is the ability to offload TLS encryption to another server, which may be necessary in environments where the TLS certificates are kept on a different system (for example, in an infrastructure with web servers) and maintained by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to serve as a layer for forwarding within the internal network, on top of which encryption can be set up on another server. On the remote server, nginx can be used to terminate the TLS traffic, much as HTTPS is set up for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through the DNS servers of providers, countering MITM attacks and DNS spoofing (for example, when connecting to public Wi-Fi), countering blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for working when the DNS servers cannot be reached directly (for example, when working through a proxy). Whereas normally DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to the HTTP server, where the resolver handles the requests through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is usually used), wrapped in an encrypted communication channel set up with the TLS protocol, with the host's validity checked through TLS/SSL certificates issued by a certification authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru