DNS-over-HTTPS enabled by default in Firefox for US users

The Firefox developers have announced that DNS over HTTPS (DoH) mode is being enabled by default for users in the US. Encrypting DNS traffic is seen as a fundamentally important element of protecting users. Starting today, every new installation by a US user will have DoH enabled by default. Existing US users are scheduled to be switched to DoH over the next few weeks. In the European Union and other countries, enabling DoH by default is not planned yet.

Once DoH is activated, a notice is shown to the user, which allows them, if desired, to decline using the centralized DoH DNS servers and return to the traditional scheme of sending unencrypted queries to the provider's DNS server. Instead of the distributed infrastructure of DNS resolvers, DoH binds the browser to a specific DoH service, which can be regarded as a single point of failure. Currently, service is offered through two DNS providers: Cloudflare (the default) and NextDNS.


The provider can be changed, or DoH disabled, in the network connection settings. For example, you can specify an alternative DoH server: "https://dns.google/dns-query" for Google's servers, "https://dns.quad9.net/dns-query" for Quad9, and "https://doh.opendns.com/dns-query" for OpenDNS. about:config also exposes the network.trr.mode setting, through which the DoH operating mode can be changed: a value of 0 disables DoH completely; 1 uses either DNS or DoH, whichever is faster; 2 uses DoH by default, with DNS as a fallback; 3 uses DoH only; 4 is a mirroring mode in which DoH and DNS are used in parallel. Note that only mode 3 actually prevents a fallback to plaintext DNS; in mode 2 anything that makes the DoH server unreachable or slow silently downgrades the resolution.

Recall that DoH can help prevent leaking information about requested host names through the provider's DNS servers, counter MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), circumvent blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), and allow work when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas normal DNS queries are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine an IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a web API. The existing DNSSEC standard uses cryptographic signatures only to authenticate DNS data (it does not encrypt anything), so it does not protect traffic from interception and does not guarantee the confidentiality of queries.

To be selected as a DoH provider offered in Firefox, a service must meet the requirements for trusted DNS resolvers, according to which the DNS operator may use the data received for resolution only to ensure the operation of the service, must not retain logs for more than 24 hours, must not pass data to third parties, and is obliged to disclose information about its data processing methods. The service must also agree not to censor, filter, interfere with, or block DNS traffic, except in situations provided for by law.

DoH should be used with care. For example, in the Russian Federation, the IP addresses 104.16.248.249 and 104.16.249.249, associated with the default DoH server mozilla.cloudflare-dns.com offered in Firefox, are listed in the Roskomnadzor blocking registry at the request of the Stavropol court, dated 10.06.2013.

DoH can also cause problems in areas such as parental control systems, access to internal namespaces in corporate systems, route selection in content delivery networks, and compliance with court orders in the field of countering the distribution of illegal content and the exploitation of minors. To avoid such problems, a system of checks has been implemented and tested that automatically disables DoH under certain conditions.

To detect enterprise resolvers, atypical top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the real IP, it is assumed that adult-content blocking is active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. These checks allow attackers who control the operation of the resolver, or who are able to interfere with traffic, to simulate such behaviour in order to disable the encryption of DNS traffic.
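The following is an added example that re-implements the three heuristics described above as plain functions; it is not Mozilla's code. The resolver is injected as a callable so the logic runs offline against constructed answer tables, and the expected canary address, the private-TLD canary names and the documentation-range IPs are placeholders chosen for the example, not the real records. The last table shows the downgrade the article warns about: a hostile resolver rewrites a single canary answer and the checks conclude that DoH must be switched off.

```python
"""Illustrative DoH auto-disable heuristics with an injectable resolver."""
from typing import Callable, Dict, List, Optional

# hostname -> dotted IPv4 string, or None for NXDOMAIN
Resolver = Callable[[str], Optional[str]]

# Assumed constants for the example (not taken from the article or from Firefox).
EXPECTED_ADULT_CANARY_IP = "203.0.113.10"            # placeholder for the "real" IP
PRIVATE_TLD_CANARIES = ["wpad.corp", "intranet.lan"]  # hypothetical non-ICANN TLDs
SAFE_SEARCH_VARIANTS = {                              # names mentioned in the article
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
}


def enterprise_dns_detected(resolve: Resolver) -> bool:
    # A public resolver cannot answer for a non-ICANN TLD; an answer implies intranet DNS.
    return any(resolve(name) is not None for name in PRIVATE_TLD_CANARIES)


def adult_filter_detected(resolve: Resolver) -> bool:
    # A filtering resolver answers the canary with its block page, not the real host.
    answer = resolve("exampleadultsite.com")
    return answer is not None and answer != EXPECTED_ADULT_CANARY_IP


def safe_search_detected(resolve: Resolver) -> bool:
    # Forced SafeSearch maps the plain host onto the restricted host's address.
    for plain, restricted_names in SAFE_SEARCH_VARIANTS.items():
        plain_ip = resolve(plain)
        if plain_ip is None:
            continue
        if any(resolve(r) == plain_ip for r in restricted_names):
            return True
    return False


def doh_disable_reasons(resolve: Resolver) -> List[str]:
    """Return the list of heuristics that fired; empty means DoH stays on."""
    reasons = []
    if enterprise_dns_detected(resolve):
        reasons.append("enterprise")
    if adult_filter_detected(resolve):
        reasons.append("parental-control")
    if safe_search_detected(resolve):
        reasons.append("safe-search")
    return reasons


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed name -> IP table."""
    return lambda name: table.get(name.lower().rstrip("."))


# Constructed answer tables (documentation ranges, not real addresses).
HONEST_ANSWERS = {
    "exampleadultsite.com": EXPECTED_ADULT_CANARY_IP,
    "www.google.com": "198.51.100.1",
    "forcesafesearch.google.com": "198.51.100.2",
    "www.youtube.com": "198.51.100.3",
    "restrict.youtube.com": "198.51.100.4",
    "restrictmoderate.youtube.com": "198.51.100.5",
}
ENTERPRISE_ANSWERS = dict(HONEST_ANSWERS, **{"wpad.corp": "10.0.0.5"})
# Attacker on a hostile network: only the canary is rewritten, everything else is honest.
HOSTILE_ANSWERS = dict(HONEST_ANSWERS, **{"exampleadultsite.com": "192.0.2.1"})
SAFESEARCH_ANSWERS = dict(HONEST_ANSWERS, **{"www.youtube.com": "198.51.100.5"})

if __name__ == "__main__":
    for label, table in [("honest", HONEST_ANSWERS), ("enterprise", ENTERPRISE_ANSWERS),
                         ("hostile", HOSTILE_ANSWERS), ("safesearch", SAFESEARCH_ANSWERS)]:
        print(label, doh_disable_reasons(table_resolver(table)))
```

The point of the hostile table is that the downgrade costs the attacker one spoofed answer on the plaintext path, which is exactly the traffic DoH was meant to protect; if that is unacceptable in your environment, the heuristics have to be neutralised by pinning network.trr.mode to 3 rather than relying on the default behaviour.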

Working through a single DoH service can also cause problems with traffic optimisation in content delivery networks that balance traffic using DNS (the CDN's DNS server builds its response taking the resolver's address into account and returns the host closest to it for serving the content). Sending a DNS query from a resolver close to the user in such CDNs results in the address of the host nearest to the user, whereas sending the query from a centralised resolver returns the address of the host nearest to the DNS-over-HTTPS server. Testing in practice showed that using DNS over HTTPS together with a CDN produced practically no additional delay before the start of content transfer (on fast connections the delay did not exceed 10 milliseconds, and on slow links an even faster response was observed). Using the EDNS Client Subnet extension to pass client location information to the CDN's resolver was also considered.
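As an added example covering two points above, the HTTPS encapsulation of the lookup and the EDNS Client Subnet mitigation for CDN routing, the code below builds the DNS wire-format query that a DoH client carries in an HTTPS GET (RFC 8484: base64url in the `dns` parameter, padding stripped, message ID 0 so HTTP caches can reuse it), optionally attaches an EDNS Client Subnet option (RFC 7871, option code 8) carrying a client prefix, and parses a constructed answer. It is not Firefox or Cloudflare code; the endpoint URL and the 192.0.2.0/24 prefix and 192.0.2.1 answer are documentation-range placeholders, and nothing is sent on the network.

```python
"""Build RFC 8484 DoH GET requests with optional EDNS Client Subnet (RFC 7871)."""
import base64
import ipaddress
import struct
from typing import List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(prefix: str) -> bytes:
    """EDNS Client Subnet option: code 8, family, source prefix len, scope 0, address bytes."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    source_len = net.prefixlen
    addr = net.network_address.packed[:(source_len + 7) // 8]  # only significant octets
    body = struct.pack("!HBB", family, source_len, 0) + addr
    return struct.pack("!HH", 8, len(body)) + body


def build_query(name: str, qtype: int = 1, ecs_prefix: Optional[str] = None) -> bytes:
    """Wire-format query; ID 0 and RD set as recommended for DoH."""
    arcount = 1 if ecs_prefix else 0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if ecs_prefix:
        rdata = ecs_option(ecs_prefix)
        # OPT pseudo-RR: root name, type 41, UDP payload 4096, ext-rcode/version/flags 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return msg


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def skip_name(buf: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_a_answers(resp: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 strings]) for the A records in a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # qtype + qclass
    addrs = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[pos:pos + 4])))
        pos += rdlen
    return flags & 0xF, addrs


def constructed_response() -> bytes:
    """A hand-built answer (example.com A 192.0.2.1, TTL 300) for offline parsing."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    endpoint = "https://dns.quad9.net/dns-query"  # one of the servers named in the article
    print(doh_get_url(endpoint, build_query("example.com")))
    print(doh_get_url(endpoint, build_query("example.com", ecs_prefix="192.0.2.0/24")))
    print(parse_a_answers(constructed_response()))
```

To send the request for real, issue the GET with `Accept: application/dns-message` (or POST the raw bytes with that content type) and hand the response body to `parse_a_answers`. Note that the ECS option is a trade-off the article only hints at: it restores CDN locality, but it also sends part of the client's address to the authoritative server, which is the kind of metadata DoH was introduced to hide.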

Source: opennet.ru
