BIND DNS Server 9.18.0 released with DNS-over-TLS and DNS-over-HTTPS support

After two years of development, the ISC consortium has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as an extended-support release. Support for the 9.11 branch ends in March, and support for the 9.16 branch ends in mid-2023. Work on the functionality of the next stable BIND release continues in the newly created experimental branch, BIND 9.19.0.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for encrypted zone transfers between servers (both sending and receiving zones over XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries arriving over DNS-over-HTTPS and DNS-over-TLS. Client-side DNS-over-TLS support is built into the dig utility, which sends its queries over TLS when the "+tls" flag is given.

The HTTP/2 implementation used for DoH is based on the nghttp2 library, which has been added as a build dependency. Certificates for DoH and DoT can be supplied by the administrator or generated automatically at startup.

Query processing over DoH and DoT is enabled by adding the "http" and "tls" options to a listen-on directive. To serve unencrypted DNS-over-HTTP, specify "tls none" in the listener settings. Keys and certificates are defined in a "tls" block. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:

    // TLS key and certificate chain used by the encrypted listener
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    // HTTP endpoint path on which DoH queries are accepted
    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // the http name must match the http block defined above
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One feature of the DoH implementation in BIND is the ability to offload TLS termination to another server, which can be necessary when the TLS certificates are kept on a different system (for example, in the web-server infrastructure) and are maintained by other staff. Unencrypted DNS-over-HTTP is supported both to simplify debugging and as a transport for forwarding to another server on the internal network (moving encryption to a separate host). On that separate host, nginx can be used to terminate the TLS traffic, in the same way HTTPS is set up for websites.

Another feature is that DoH is integrated as a general-purpose transport that can be used not only for answering client queries to the resolver, but also for communication between servers, for zone transfers from an authoritative DNS server, and for handling any request that is also supported over the other DNS transports.

Among the drawbacks, which can be mitigated by building without DoH/DoT support or by offloading encryption to another server, is the overall growth of the code base: a built-in HTTP server and a TLS library are now part of named, and both may contain vulnerabilities and act as additional attack vectors. Using DoH also increases the volume of traffic.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for circumventing blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), and for working in environments where DNS servers cannot be reached directly (for example, when working through a proxy). Whereas normally DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver handles the requests through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it carries the standard DNS protocol (normally on network port 853), wrapped in an encrypted channel established with the TLS protocol, with the host's authenticity verified through a TLS/SSL certificate issued by a certification authority. The existing DNSSEC standard, by contrast, uses cryptography only to sign DNS data so that clients can verify its origin and integrity; it does not protect traffic from eavesdropping and does not provide confidentiality of queries.
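To make the two encapsulations described in the last two paragraphs concrete, the following is an added Python example, not BIND's or ISC's code: it builds a wire-format DNS query, frames it the way DoT (and plain DNS-over-TCP) does, wraps the same bytes in the RFC 8484 GET and POST forms of DoH, and parses a constructed answer, refusing the compression-pointer loops a hostile server could send. The host names, URL and answer bytes are constructed for illustration; nothing is sent on the network.

```python
"""Added example (not BIND's own code): one DNS query carried over
DNS-over-TLS (RFC 7858) and DNS-over-HTTPS (RFC 8484).

DoT keeps the DNS wire format and the DNS-over-TCP framing (a two-byte
big-endian length in front of each message) inside a TLS session on port
853.  DoH carries the very same wire-format message as the body of an
HTTP/2 POST (Content-Type application/dns-message) or base64url-encoded
in the "dns" parameter of a GET.  All names and bytes below are constructed.
"""
from __future__ import annotations

import base64
import struct


def encode_qname(name: str) -> bytes:
    """Encode a host name as DNS labels: <len><label>... terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format query: header (RD set, QDCOUNT=1) + one question.
    RFC 8484 recommends id 0 for DoH so identical queries give identical,
    cacheable HTTP requests; for DoT, dig +qid= lets you choose the id."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def dot_frame(message: bytes) -> bytes:
    """DoT / DNS-over-TCP framing: two-byte length prefix, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes) -> list[bytes]:
    """Split bytes read from a DoT connection into complete messages."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break  # tail of a message still in flight; wait for more data
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages


def doh_get_url(base_url: str, message: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the message, padding removed>."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def doh_post_request(path: str, authority: str, message: bytes) -> tuple[dict, bytes]:
    """RFC 8484 POST form: HTTP/2 headers plus the raw message as the body."""
    headers = {":method": "POST", ":path": path, ":authority": authority,
               "content-type": "application/dns-message",
               "accept": "application/dns-message",
               "content-length": str(len(message))}
    return headers, message


def _read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:  # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos if end is None else end


def parse_response(msg: bytes) -> dict:
    """Decode the header, skip the question, decode answers (A as dotted quad)."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(msg, pos)
        pos += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, pos = _read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        data = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": qid, "rcode": flags & 0x0F, "answers": answers}


def constructed_response(query: bytes) -> bytes:
    """Constructed server answer to `query`: same id, QR/RD/RA set, one A record
    whose owner name is a compression pointer (0xC00C) to the question name."""
    qid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr
```

Calling `dot_frame(build_query("example.test."))` gives exactly the bytes a DoT client writes into its TLS session on port 853, while `doh_get_url(...)` and `doh_post_request(...)` show that DoH sends the identical message, only inside an HTTP/2 request; this is why named can reuse one query-processing path for both transports and why a reverse proxy such as nginx can terminate TLS in front of an unencrypted DNS-over-HTTP listener without understanding DNS.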

Other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer options for setting the size of the buffers used when sending and receiving requests over TCP and UDP. On busy servers, increasing the receive buffers helps avoid dropped packets during traffic spikes, while decreasing them helps keep memory from filling up with stale requests.
  • Added a new "rpz-passthru" log category, which allows RPZ (Response Policy Zones) passthru actions to be logged separately.
  • Added the "nsdname-wait-recurse" option to the response-policy section. When set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the query are already present in the cache; otherwise the RPZ NSDNAME rule is skipped, the information is fetched in the background, and the rule takes effect for subsequent queries.
  • Implemented processing of the ADDITIONAL section for records of the HTTPS and SVCB types.
  • Added the update-policy rule types krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow restricting updates to SRV and PTR records. update-policy has also gained the ability to set limits on the number of records, individually for each type.
  • Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig can now send a query with a specified query ID (dig +qid=<value>).
  • Added support for the OpenSSL 3.0 library.
  • To counter the IP fragmentation problems with large DNS messages identified by DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a request went unanswered has been removed from the resolver. The EDNS buffer size is now fixed (edns-udp-size) for all outgoing requests.
  • The build system has been switched to a combination of autoconf, automake and libtool.
  • Support for zone files in the "map" format (masterfile-format map) has been dropped. Users of this format are advised to convert their zones to the raw format with the named-compilezone utility.
  • Support for legacy DLZ (Dynamically Loadable Zones) drivers has been dropped in favour of DLZ modules.
  • Building and running on the Windows platform is no longer supported. The last branch that can be installed on Windows is BIND 9.16.

Source: opennet.ru
