After two years of development, the ISC consortium has published the first stable release of the major new 9.18 branch of the BIND DNS server. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of the extended support cycle. Support for the 9.11 branch ends in March, and support for the 9.16 branch ends in mid-2023. To develop the functionality of the next stable version of BIND, the experimental branch BIND 9.19.0 has been created.
The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for secure zone transfer between servers (both sending and receiving zones via XoT are supported). With the appropriate settings, a single named process can now handle not only traditional DNS queries but also queries sent over DNS-over-HTTPS and DNS-over-TLS. Client-side support for DNS-over-TLS is built into the dig utility, which sends its requests over TLS when the "+tls" flag is given.
The implementation of the HTTP/2 protocol used by DoH is based on the nghttp2 library, which is included as an optional build dependency. Certificates for DoH and DoT can be supplied by the user or generated automatically at startup.
Request handling over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To support unencrypted DNS-over-HTTP, "tls none" must be specified in the configuration. Keys are defined in a "tls" section. The default network ports (853 for DoT, 443 for DoH, 80 for DNS-over-HTTP) can be overridden through the tls-port, https-port and http-port parameters. For example:
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };
    http local-http-server {
        endpoints { "/dns-query"; };
    };
    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };
One feature of the DoH implementation in BIND is the ability to move the TLS encryption operations to a separate server. This can be necessary when the TLS certificates are stored on another system (for example, in the web server infrastructure) and maintained by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to act as a layer for forwarding to another server on the internal network (so that encryption can be moved to a separate server). On that remote server, nginx can be used to produce the TLS traffic, in the same way that HTTPS is set up for websites.
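As an added example (not configuration from the article or from ISC), the following named.conf fragment combines the listeners described above with XoT on both the primary and the secondary side, and it goes beyond the article's snippet by confining the "tls none" listener to the loopback interface for a local nginx TLS terminator. All names, paths and addresses are placeholders; the ca-file and remote-hostname options of the tls statement are assumed to be those of BIND 9.18.

```conf
# Added example, not the article's or ISC's own configuration.
# All names, paths and addresses are placeholders.

tls local-tls {
    key-file  "/path/to/priv_key.pem";
    cert-file "/path/to/cert_chain.pem";
    protocols { TLSv1.3; };          # refuse older TLS versions
    prefer-server-ciphers yes;
};

http local-http-server {
    endpoints { "/dns-query"; };     # the DoH URI path
};

options {
    listen-on port 53 { any; };                                       # plain DNS
    listen-on port 853 tls local-tls { any; };                        # DoT
    listen-on port 443 tls local-tls http local-http-server { any; }; # DoH
    # Unencrypted DNS-over-HTTP, reachable only from the local host where
    # nginx terminates TLS; "tls none" must never face an untrusted network.
    listen-on port 8053 tls none http local-http-server { 127.0.0.1; };
};

# Primary side of XoT: hand the zone out only over TLS on port 853.
zone "example.net" {
    type primary;
    file "primary/example.net.db";
    allow-transfer port 853 transport tls { 203.0.113.5; };
};

# Secondary side of XoT: fetch another zone from its primary over TLS,
# validating the primary's certificate against a CA and its hostname.
tls primary-tls {
    ca-file "/path/to/ca.pem";
    remote-hostname "ns1.example.org";
};

zone "example.org" {
    type secondary;
    file "secondary/example.org.db";
    primaries { 192.0.2.10 port 853 tls primary-tls; };
};
```

Run named-checkconf on the file before reloading; a listener that names a tls or http block that does not exist is rejected at that stage rather than at runtime.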
Another feature is the integration of DoH as a general-purpose transport that can be used not only to handle client requests to the resolver, but also for server-to-server communication, for zone transfers by an authoritative DNS server, and for handling any query that the other DNS transports support.
Among the drawbacks, which can be mitigated by disabling DoH/DoT at build time or by moving encryption to a separate server, the main one is the general increase in the complexity of the code base: an embedded HTTP server and a TLS library are added, which could potentially contain vulnerabilities and act as additional attack vectors. Traffic also increases when DoH is used.
Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested hostnames through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for resisting blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for organizing access when the DNS servers cannot be reached directly (for example, when working through a proxy). Whereas under normal conditions DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver handles the request through a Web API.
"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel established with the TLS protocol, with host validity checked via TLS/SSL certificates certified by a certification authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of requests.
Other changes:
- Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings for configuring the size of the buffers used when sending and receiving requests over TCP and UDP. On heavily loaded servers, increasing the receive buffers avoids packet drops during traffic peaks, while decreasing them prevents memory from filling up with stale requests.
- Added a new log category, "rpz-passthru", which allows RPZ (Response Policy Zone) passthru actions to be logged separately.
- Added the "nsdname-wait-recurse" option to the response-policy section. When set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the request are already present in the cache; otherwise the RPZ NSDNAME rules are ignored, but the information is fetched in the background and applied to subsequent requests.
- Implemented processing of the "ADDITIONAL" section for records of the HTTPS and SVCB types.
- Added custom update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow updates to SRV and PTR records to be restricted. Added the ability to set limits on the number of records per type in the update-policy block.
- Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig gained the ability to specify a particular query identifier (dig +qid=ID).
- Added support for the OpenSSL 3.0 library.
- To address the IP fragmentation problems with large DNS messages identified for DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a request received no response has been removed from the resolver. The EDNS buffer size is now set to a constant (edns-udp-size) for all outgoing requests.
- The build system has been switched to the combination of autoconf, automake and libtool.
- Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to the raw format with the named-compilezone utility.
- Support for the old DLZ (Dynamically Loadable Zones) drivers has been discontinued and replaced by DLZ modules.
- Support for building and running on the Windows platform has been discontinued. The last branch that can be installed on Windows is BIND 9.16.
Source: opennet.ru