BIND DNS Server 9.18.0 released with support for DNS-over-TLS and DNS-over-HTTPS

After two years of development, the ISC organization has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of extended support. Support for the 9.11 branch will end in March, and support for the 9.16 branch in mid-2023. To develop the functionality of the next stable branch of BIND, an experimental BIND 9.19 branch has been created.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH, DNS over HTTPS) and DNS over TLS (DoT, DNS over TLS), as well as the XoT (XFR-over-TLS) mechanism for secure transfer of DNS zone contents between servers (both sending and receiving zones over XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS queries, but also queries sent over DNS-over-HTTPS and DNS-over-TLS. Client-side support for DNS-over-TLS is built into the dig utility, which can send requests over TLS when the "+tls" flag is specified.

Support for the HTTP/2 protocol used in DoH is based on the nghttp2 library, which is included as an optional build dependency. Certificates for DoH and DoT can be provided by the user or generated automatically at startup.
</gre_replace>
<gr_replace lines="9" cat="clarify" orig="Thov kev siv DoH">
Request processing over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To serve unencrypted DNS-over-HTTP, "tls none" must be specified explicitly in the settings. Keys are defined in the "tls" block. The default network ports of 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP can be overridden with the tls-port, https-port and http-port parameters. For example:

Thov kev siv DoH thiab DoT yog qhib los ntawm kev ntxiv "http" thiab "tls" cov kev xaiv rau cov lus qhia mloog. Txhawm rau txhawb nqa DNS-tshaj-HTTP tsis tau encrypted, koj yuav tsum qhia meej tias "tls tsis muaj" hauv qhov chaw. Cov yuam sij tau txhais hauv ntu "tls". Lub neej ntawd network ports 853 rau DoT, 443 rau DoH thiab 80 rau DNS-dhau-HTTP tuaj yeem hla dhau ntawm tls-port, https-port thiab http-port tsis. Piv txwv li:

    // TLS context: private key and certificate chain used for DoT and DoH
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    // HTTP endpoint served by the built-in DoH server
    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // DoH listener: TLS context and HTTP endpoint block are referenced by name
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One of the features of the DoH implementation in BIND is the ability to offload TLS encryption to another server, which may be necessary when TLS certificates are stored on a different system (for example, in an infrastructure with web servers) and maintained by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to serve as a layer for forwarding to another server on the internal network (to move encryption to a separate server). On the remote server, nginx can be used to terminate the TLS traffic, in the same way that HTTPS is set up for websites.

Another feature is the integration of DoH as a general-purpose transport that can be used not only to handle client requests to the resolver, but also for communication between servers, for zone transfers by an authoritative DNS server, and for processing any queries supported by the other DNS transports.

Among the drawbacks, which can be compensated for by disabling the build with DoH/DoT or by moving encryption to another server, the overall complication of the code base stands out: a built-in HTTP server and a TLS library are added, which could potentially contain vulnerabilities and act as additional attack vectors. In addition, traffic increases when DoH is used.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through the provider's DNS servers, for countering MITM attacks and DNS spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocks implemented at the DPI level), or for working when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas in the normal case DNS requests are sent directly to the DNS servers specified in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel established with the TLS protocol, with host validity verified through TLS/SSL certificates issued by a certification authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
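To make the two encapsulations concrete, here is an added Python example (not from the article and not BIND's own code) that builds a DNS wire-format query and shows how the same message is framed for DNS-over-TLS (the 2-byte length prefix of DNS over TCP, inside the TLS session on port 853) and for DNS-over-HTTPS (base64url in the "dns" query parameter for GET, or the raw message as the body of a POST with the application/dns-message media type). The query name, transaction id, host name and endpoint path are constructed sample values; BIND speaks HTTP/2 for DoH, but the method, path, headers and body shown are the same.

```python
import base64
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS wire-format query (RFC 1035): header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # qclass IN

def frame_dot(msg: bytes) -> bytes:
    """DNS-over-TLS (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian
    length prefix in front of each message, carried inside the TLS session."""
    return struct.pack("!H", len(msg)) + msg

def unframe_dot(stream: bytes) -> bytes:
    """Server side: take one length-prefixed message off the decrypted stream,
    rejecting a message that is shorter than its declared length."""
    (n,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated DNS message")
    return body

def doh_get_path(msg: bytes, endpoint: str = "/dns-query") -> str:
    """DNS-over-HTTPS (RFC 8484) GET: the wire message goes base64url-encoded,
    with '=' padding stripped, into the 'dns' parameter of the endpoint path."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def doh_decode_dns_param(value: str) -> bytes:
    """Server side: restore the stripped padding before decoding the parameter."""
    value += "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value)

def doh_post(msg: bytes, host: str, endpoint: str = "/dns-query") -> dict:
    """DoH POST: the raw wire message is the HTTP body; the media type tells the
    HTTP server (BIND's built-in one, or nginx in front of it) it is DNS."""
    return {
        "method": "POST", "path": endpoint,
        "headers": {"host": host,
                    "content-type": "application/dns-message",
                    "accept": "application/dns-message",
                    "content-length": str(len(msg))},
        "body": msg,
    }

if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query, type A
    print(frame_dot(q).hex(), doh_get_path(q), doh_post(q, "dns.example.net"))
```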

Some of the other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings for configuring the sizes of the buffers used when sending and receiving requests over TCP and UDP. On busy servers, increasing the buffers can help avoid packet loss during traffic peaks, and decreasing them can help keep memory from filling up with stale requests.
  • Added a new "rpz-passthru" class, which allows forwarding to be excluded from RPZ (Response Policy Zones) processing.
  • Added the "nsdname-wait-recurse" option to response-policy; when it is set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the requested name are already in the cache; otherwise the RPZ NSDNAME rule is ignored, but the information is fetched in the background and used for subsequent requests.
  • For records of the HTTPS and SVCB types, processing of the "Additional" section has been implemented.
  • Added the update-policy rule types krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow updates of SRV and PTR records to be restricted. update-policy blocks also gained the ability to set a limit on the number of records, individually for each type.
  • Added information about the transport used (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig gained the ability to specify an explicit query identifier with the +qid= option.
  • Added support for the OpenSSL 3.0 library.
  • To resolve the IP fragmentation problems that arise when processing large DNS messages, identified by DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a request received no response has been removed from the resolver. The EDNS buffer size is now fixed (edns-udp-size) for all outgoing requests.
  • The build system has been switched to a combination of autoconf, automake and libtool.
  • Support for zone files in "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to raw format with the named-compilezone utility.
  • Support for the old DLZ (Dynamically Loadable Zones) drivers has been discontinued; they are replaced by DLZ modules.
  • Building and running on the Windows platform is no longer supported. The last branch that can be installed on Windows is BIND 9.16.

Source: opennet.ru
