Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced the addition of server-side support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XFR-over-TLS mechanism for secure transfer of DNS zone contents between servers. DoH is available for testing in the 9.17 release, and DoT support has been present since release 9.17.10. Once stabilized, DoT and DoH support will be backported to the stable 9.17.7 branch.

The HTTP/2 protocol implementation used for DoH is based on the nghttp2 library, which is included among the build dependencies (in the future, the library is planned to be moved to the list of optional dependencies). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent via DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). HTTPS support on the client side (dig) has not yet been implemented. XFR-over-TLS support is available for both incoming and outgoing requests.

Request processing via DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To serve unencrypted DNS-over-HTTP, specify "tls none" in the settings. Keys are defined in a "tls" block. The default network ports (853 for DoT, 443 for DoH and 80 for DNS-over-HTTP) can be overridden via the tls-port, https-port and http-port parameters. For example (the http block referenced by listen-on must carry the same name as the one defined, local-http-server here):

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // listen-on refers to the tls and http blocks defined above by name
        listen-on port 443 tls local-tls http local-http-server { any; };
    };
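Because dig cannot yet speak HTTPS, a quick way to confirm that the listener above answers is an RFC 8484 client. The following is an added example, not BIND project code; the server name dns.example.test, port and /dns-query path are placeholders, and curl --http2 carries the request because the server speaks HTTP/2.

```python
"""RFC 8484 DoH probe for a BIND listener such as the /dns-query endpoint above. Added
example, not BIND code: server/port/path are placeholders; curl --http2 carries the request."""
import struct
import subprocess

def build_query(name, qtype=1):
    """Wire-format query: header (ID 0 per RFC 8484, RD set, 1 question) + QNAME/QTYPE/IN."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, resume after the 2 bytes
            end = off + 2 if end is None else end
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(data):
    """Return (rcode, [(name, type, ttl, rdata)]) from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        rdata = data[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers

def doh_query(name, server="dns.example.test", port=443, path="/dns-query"):
    # POST the binary query as application/dns-message; the reply body is a DNS message
    cmd = ["curl", "-sS", "--http2", "-H", "Content-Type: application/dns-message",
           "--data-binary", "@-", f"https://{server}:{port}{path}"]
    out = subprocess.run(cmd, input=build_query(name), check=True, capture_output=True).stdout
    return parse_response(out)
```

doh_query("example.com") returns the rcode and the parsed answer section; an rcode of 0 with an A record confirms the DoH listener and the TLS block are wired up correctly.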

A notable feature of the DoH implementation in BIND is that the integration is treated as a general-purpose transport, usable not only for processing client requests to the resolver, but also for data exchange between servers, for transferring zones from an authoritative DNS server, and for processing any requests supported by the other DNS transports.

Another feature is the ability to offload TLS encryption to another server, which may be necessary when TLS certificates are stored on other systems (for example, in an infrastructure with web servers) and maintained by other staff. Unencrypted DNS-over-HTTP support is implemented both to simplify debugging and to serve as a transport layer on an internal network, on the assumption that encryption can be arranged on another server. On that server, nginx can be used to terminate TLS traffic, much as HTTPS is organized for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested hostnames through the provider's DNS servers, countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), bypassing blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for operating when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas in the normal case DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel established with the TLS protocol, with host validity checked via a TLS/SSL certificate certified by a certification authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server, but it does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru
