BIND DNS Server 9.18.0 released with DNS-over-TLS and DNS-over-HTTPS support

After two years of development, the ISC team has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of the extended maintenance cycle. Support for the 9.11 branch ends in March, and for the 9.16 branch in mid-2023. An experimental branch, BIND 9.19.0, has been created to develop the functionality of the next stable BIND release.

The BIND 9.18.0 release is notable for its support of DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for securely transferring DNS zone contents between servers (both sending and receiving zones over XoT are supported). With the appropriate configuration, a single named process can serve both traditional DNS queries and queries sent over DNS-over-HTTPS and DNS-over-TLS. Client-side support for DNS-over-TLS has been built into the dig utility, which sends its queries over TLS when the "+tls" flag is specified.

The HTTP/2 implementation used for DoH is based on the nghttp2 library, which is included as an optional build dependency. Certificates for DoH and DoT can be supplied by the user or generated automatically at startup.

Request processing over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To serve unencrypted DNS-over-HTTP, specify "tls none" in the settings. Keys are defined in a "tls" block. The default network ports (853 for DoT, 443 for DoH, and 80 for DNS-over-HTTP) can be overridden with the tls-port, https-port, and http-port parameters. For example:

// TLS key and certificate chain used by the DoT/DoH listener
tls local-tls {
    key-file "/path/to/priv_key.pem";
    cert-file "/path/to/cert_chain.pem";
};

// HTTP endpoint path that DoH clients query
http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    https-port 443;
    // the http option must reference the http block defined above
    listen-on port 443 tls local-tls http local-http-server { any; };
};

A key feature of BIND's DoH implementation is the ability to offload TLS encryption to a separate server, which can be appropriate when the TLS certificates are kept on a separate system (for example, within a web server infrastructure) and maintained by different staff. Support for unencrypted DNS-over-HTTP is implemented for debugging and as a layer for forwarding to another server on the internal network (so that encryption can be moved to a separate server). On the external-facing server, Nginx can be used to handle the TLS traffic, in the same way HTTPS is set up for websites.

Another feature is the integration of DoH as a general-purpose transport: it can be used not only for processing client requests to the resolver, but also for exchanging data between servers, for zone transfers by an authoritative DNS server, and for processing any requests supported by the other DNS transports.

Among the drawbacks, which can be mitigated by disabling DoH/DoT at build time or by moving encryption to another server, is the overall growth in complexity of the codebase: a built-in HTTP server and a TLS library are added, which may contain vulnerabilities of their own and serve as additional attack vectors. DoH also increases the volume of traffic.

Recall that DNS-over-HTTPS is useful for preventing leaks of information about requested hostnames through providers' DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connected to public Wi-Fi), and for resisting blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for getting work done when direct access to DNS servers is not possible (for example, when working through a proxy). Whereas DNS queries are normally sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes the requests through a Web API.

DNS over TLS differs from DNS over HTTPS in that it uses the standard DNS protocol (normally on network port 853) wrapped in an encrypted channel established with the TLS protocol, with host authenticity verified through TLS/SSL certificates signed by a certificate authority. The current DNSSEC standard uses cryptography only to authenticate the client and server; it does not protect traffic from interception or guarantee the confidentiality of requests.

Other new features:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer, and udp-send-buffer settings to configure the buffer sizes used when sending and receiving requests over TCP and UDP. On busy servers, increasing the receive buffer sizes helps avoid packet drops during traffic spikes, while reducing them helps prevent memory from being clogged with stale requests.
  • Added a new logging category, "rpz-passthru", which allows RPZ (Response Policy Zone) passthrough actions to be logged separately.
  • The response-policy section gains the "nsdname-wait-recurse" option; when set to "no", RPZ NSDNAME rules are applied only if a cached authoritative name server is found for the request; otherwise the RPZ NSDNAME rule is ignored, but the information is fetched in the background and applied to subsequent requests.
  • For records of the HTTPS and SVCB types, processing of the "ADDITIONAL" section has been implemented.
  • Added custom update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, to restrict updates to SRV and PTR records. The update-policy blocks also allow record count limits to be set for each type.
  • Information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 keywords has been added to the output of the dig utility. For debugging, dig lets you specify a particular request ID (dig +qid= ).
  • Added support for the OpenSSL 3.0 library.
  • To resolve IP fragmentation problems when processing large DNS messages, in line with the DNS Flag Day 2020 initiative, the code that adjusted the EDNS buffer size when no response was received from the resolver has been removed. The EDNS buffer size is now set to a fixed value (edns-udp-size) for all outgoing queries.
  • The build system has been switched to the combination of autoconf, automake, and libtool.
  • Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format should convert their zones to the raw format with the named-compilezone utility.
  • Support for the legacy DLZ (Dynamically Loadable Zones) drivers has been discontinued; they are replaced by DLZ modules.
  • Support for building and running on the Windows platform has been discontinued. The last branch that can be installed on Windows remains BIND 9.16.

Source: opennet.ru
