Mozilla moves to enable DNS-over-HTTPS by default in Firefox

Firefox developers have announced the completion of testing of DNS over HTTPS support (DoH, DNS over HTTPS) and their intention to enable this technology by default for US users at the end of September. Activation will be gradual, initially for a few percent of users and, if there are no problems, gradually increasing to 100%. Once the US is covered, DoH will be considered for inclusion in other countries.

Tests conducted over the course of the year showed the reliability and good performance of the service, and also made it possible to identify some situations in which DoH can cause problems and to develop workarounds for them (for example, problems with traffic optimization in content delivery networks, parental controls and corporate internal DNS zones were worked through).

The importance of encrypting DNS traffic is assessed as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but at the first stage only for users in the United States. After DoH is activated, the user will be shown a warning that allows them, if desired, to opt out of contacting centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server (instead of a distributed infrastructure of DNS resolvers, DoH uses binding to a specific DoH service, which can be regarded as a single point of failure).

If DoH is enabled, parental control systems and corporate networks that use an internal-only DNS name structure to resolve intranet addresses and corporate hosts may be disrupted. To solve problems with such systems, a system of checks has been added that automatically disables DoH. The checks are performed each time the browser is launched or a subnet change is detected.

An automatic fallback to the standard operating-system resolver is also provided if failures occur during resolution via DoH (for example, if network availability of the DoH provider is disrupted or failures occur in its infrastructure). The value of such checks is questionable, since nothing prevents attackers who control the resolver's operation or who are able to interfere with traffic from simulating the same behavior in order to disable encryption of DNS traffic. The problem was addressed by adding a "DoH always" item to the settings (inactive by default); when it is set, automatic disabling is not applied, which is a reasonable compromise.

To identify enterprise resolvers, first-level domains (TLDs) are checked, along with whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the actual IP, it is assumed that adult-content blocking is active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. In addition, Mozilla proposes a single test host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host is unavailable, Firefox disables DoH).
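The checks described above, modelled offline as an added example (this is not Firefox's own code): `resolve` stands in for the system resolver, and the www.google.com / www.youtube.com probe names, the caller-supplied public-TLD list, the `wiki.corp` host and every address are constructed assumptions. The `alwaysDoH` option mirrors the "DoH always" setting, under which the automatic checks are skipped.

```javascript
// Added example: offline model of the DoH auto-disable checks.
// resolve(name) returns an array of IPv4 strings ([] when the name does not
// resolve). Names not quoted in the article and all addresses are constructed.
const CANARY = "use-application-dns.net";
const ADULT_PROBE = "exampleadultsite.com";
const SAFE_SEARCH = {                       // probed host -> restricted aliases
  "www.google.com": ["forcesafesearch.google.com"],
  "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
};

function isPrivateIPv4(ip) {                // RFC 1918 ranges only
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
const overlaps = (xs, ys) => xs.some((x) => ys.includes(x));

// Returns the list of reasons to fall back to the system resolver.
function dohDisableReasons(resolve, opts = {}) {
  const { alwaysDoH = false, adultProbeRealIPs = [], publicTLDs = [], seenHosts = [] } = opts;
  if (alwaysDoH) return [];                 // "DoH always": checks are not applied
  const reasons = [];
  if (resolve(CANARY).length === 0) reasons.push("canary");
  if (!overlaps(resolve(ADULT_PROBE), adultProbeRealIPs)) reasons.push("parental-control");
  for (const [host, aliases] of Object.entries(SAFE_SEARCH)) {
    const restricted = aliases.flatMap((n) => resolve(n));
    if (overlaps(resolve(host), restricted)) reasons.push("safe-search:" + host);
  }
  for (const host of seenHosts) {           // assumption: TLD outside publicTLDs
    const tld = host.split(".").pop();      // plus a private address = enterprise
    if (!publicTLDs.includes(tld) && resolve(host).some(isPrivateIPv4)) reasons.push("enterprise:" + host);
  }
  return reasons;
}

// Constructed resolver tables (documentation address ranges).
const makeResolver = (table) => (name) => table[name] || [];
const OPEN_NET = makeResolver({
  [CANARY]: ["192.0.2.10"], [ADULT_PROBE]: ["203.0.113.5"],
  "www.google.com": ["198.51.100.1"], "forcesafesearch.google.com": ["198.51.100.9"],
  "www.youtube.com": ["198.51.100.2"], "restrict.youtube.com": ["198.51.100.8"],
});
const FILTERED_NET = makeResolver({         // canary withheld, probes rewritten
  [ADULT_PROBE]: ["192.0.2.66"],            // block page instead of the real host
  "www.google.com": ["198.51.100.9"], "forcesafesearch.google.com": ["198.51.100.9"],
  "wiki.corp": ["10.1.2.3"],
});
```

Because every signal comes from the unauthenticated system resolver, anything that can answer those queries can produce the same reasons list, which is why the `alwaysDoH` branch returns before any lookup is made.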

Working through a single DoH service can also potentially cause problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server generates a response taking the resolver's address into account and returns the nearest host for fetching the content). Sending a DNS query from the resolver closest to the user in such CDNs results in the address of the host nearest to the user being returned, but sending a DNS query from a centralized resolver will return the host address closest to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN led to a delay before the start of content transfer (on fast connections the delay did not exceed 10 milliseconds, and on slow links even faster performance was observed). The use of the EDNS Client Subnet extension was also considered, to pass client location information to the CDN resolver.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, combating MITM attacks and tampering with DNS traffic, countering blocking at the DNS level, or for organizing work when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas in the normal situation DNS requests are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

To enable DoH, change the value of the network.trr.mode variable in about:config; it has been supported since Firefox 60. A value of 0 disables DoH completely; 1 - DNS or DoH is used, whichever is faster; 2 - DoH is used by default, and DNS is used as a fallback; 3 - only DoH is used; 4 - mirroring mode, in which DoH and DNS are used in parallel. By default the CloudFlare DNS server is used, but it can be changed via the network.trr.uri parameter; for example, you can set "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

Source: opennet.ru
