Release of BIND DNS Server 9.18.0 with support for DNS-over-TLS and DNS-over-HTTPS

After two years of development, ISC has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of the extended support cycle. Support for the 9.11 branch ends in March, and support for the 9.16 branch in mid-2023. To develop the functionality of the next stable BIND version, the experimental BIND 9.19 branch has been created.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for secure transfer of DNS zone contents between servers (both sending and receiving zones over XoT are supported). With the appropriate configuration, a single named process can serve not only traditional DNS queries but also queries sent over DNS-over-HTTPS and DNS-over-TLS. Client support for DNS-over-TLS is built into the dig utility, which can send requests over TLS when the "+tls" flag is specified.

The implementation of the HTTP/2 protocol used in DoH is based on the nghttp2 library, which is included as an optional build dependency. The certificates for DoH and DoT can be supplied by the user or generated automatically at startup.

Handling of requests over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To support unencrypted DNS-over-HTTP, specify "tls none" in the configuration. Keys are defined in the "tls" block. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. Example:

    # TLS key and certificate chain used by the DoT/DoH listener
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    # HTTP endpoint(s) on which DoH queries are accepted
    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        # the tls and http names must match the blocks defined above
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One of the features of the DoH implementation in BIND is the ability to offload the TLS encryption work to another server, which may be necessary where the TLS certificates are kept on a different system (for example, in an infrastructure with web servers) and maintained by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to serve as a layer for forwarding to another server on the internal network (to move encryption to a separate server). On that separate server, nginx can be used to provide the TLS traffic, in the same way HTTPS is set up for websites.

Another feature is the integration of DoH as a general-purpose transport that can be used not only to handle client requests to the resolver, but also for communication between servers, for zone transfers from an authoritative DNS server, and for processing any queries that are supported over the other DNS transports.

Among the drawbacks, which can be mitigated by disabling DoH/DoT or by moving the encryption to another server, the main one is the overall increase in the complexity of the code base: a built-in HTTP server and a TLS library are added, which may contain vulnerabilities and act as an additional attack vector. In addition, traffic increases when DoH is used.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through providers' DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for resisting blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for working in conditions where direct access to DNS servers is impossible (for example, when working through a proxy). Whereas in the normal case DNS queries are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver handles the requests via a Web API.
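The encapsulation described above, as an added example that is not part of the original article or of BIND: a Python sketch that builds the DNS wire-format query, encodes it for the RFC 8484 GET form against the "/dns-query" endpoint used in the configuration above, and parses a constructed sample answer. The host dns.example and the sample response bytes are assumptions made for the example.

```python
import base64
import struct

DOH_ENDPOINT = "/dns-query"          # endpoint path from the BIND example above
DOH_MEDIA_TYPE = "application/dns-message"

def build_query(name, qid=0, qtype=1):
    """Minimal DNS wire-format query (QTYPE 1 = A, class IN, RD set).
    RFC 8484 recommends QID 0 over DoH so identical queries stay cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(host, wire):
    """GET form: base64url of the wire message with '=' padding removed (RFC 8484 4.1)."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
    return f"https://{host}{DOH_ENDPOINT}?dns={b64}"

def parse_a_records(wire):
    """A-record addresses from a DNS response body (the HTTPS response payload,
    media type application/dns-message); handles 0xC0xx name-compression pointers."""
    qdcount, ancount = struct.unpack("!HH", wire[4:8])
    def skip_name(p):
        while True:
            length = wire[p]
            if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
                return p + 2
            p += 1
            if length == 0:
                return p
            p += length
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4        # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample response (not captured from a real server): the answer
# "example.com A 192.0.2.1" uses a compression pointer back to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Sending the URL with any HTTPS client and an Accept header of application/dns-message, then passing the response body to parse_a_records, completes the exchange; a POST form with the raw wire message as the body is also permitted by RFC 8484.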

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (normally on network port 853), wrapped in an encrypted communication channel set up with the TLS protocol, with host validity checked through TLS/SSL certificates issued by a certificate authority. The existing DNSSEC standard uses encryption only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of requests.

Some other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings to set the sizes of the buffers used when sending and receiving requests over TCP and UDP. On busy servers, increasing the receive buffers helps avoid dropped packets during traffic peaks, while reducing them helps prevent memory from filling up with stale requests.
  • Added a new "rpz-passthru" log category, which allows RPZ (Response Policy Zone) passthrough actions to be logged separately.
  • In the response-policy section, the "nsdname-wait-recurse" option has been added; when set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the request are already present in the cache, otherwise the RPZ NSDNAME rules are not applied, but the information is fetched in the background and affects subsequent requests.
  • For records of the HTTPS and SVCB types, processing of the "Additional" section has been implemented.
  • Added custom update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow restricting updates of SRV and PTR records. Update-policy blocks also gain the ability to set limits on the number of records, individually for each type.
  • Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig can now be given a specific query identifier (dig +qid=).
  • Added support for the OpenSSL 3.0 library.
  • To address the IP fragmentation problem when handling large DNS messages identified by DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a request received no response has been removed from the resolver. The EDNS buffer size is now set to a constant value (edns-udp-size) for all outgoing requests.
  • The build system has been changed to use the combination of autoconf, automake and libtool.
  • Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to the raw format using the named-compilezone utility.
  • Support for the obsolete DLZ drivers has been discontinued; they are replaced by DLZ modules.
  • Building for and support of the Windows platform has been discontinued. The last branch that can be installed on Windows remains BIND 9.16.

Source: opennet.ru
