Mozilla moves to enable DNS-over-HTTPS by default in Firefox

The Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable the technology by default for US users at the end of September. The rollout will be gradual: initially for a small percentage of users and, if no problems arise, increasing step by step to 100%. Once the US is covered, enabling DoH in other countries will be considered.

Tests carried out over the course of the year showed that the service is reliable and performs well. They also made it possible to identify some situations in which DoH can cause problems and to develop ways of working around them (for example, problems with traffic optimization in content delivery networks, parental controls and corporate internal DNS zones were examined).

Encrypting DNS traffic is regarded as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but at the first stage only for users from the United States. After DoH is activated, the user receives a warning that allows them, if they wish, to decline the use of centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server (instead of a distributed infrastructure of DNS resolvers, DoH is bound to a specific DoH service, which can be regarded as a single point of failure).

When DoH is enabled, parental control systems and corporate networks that use an internal-network-only DNS name structure to resolve intranet addresses and corporate hosts may stop working correctly. To address problems with such systems, a set of checks has been added that disables DoH automatically. The checks are run each time the browser starts or when a subnet change is detected.

An automatic fallback to the standard system resolver is also provided if failures occur during resolution via DoH (for example, if network access to the DoH provider is disrupted or failures occur in its infrastructure). The value of such checks is questionable, since nothing prevents attackers who control the resolver or are able to interfere with traffic from simulating the same behaviour in order to switch off encryption of DNS traffic. The problem was addressed by adding a "DoH always" item to the settings (not active by default); when it is set, automatic disabling is not applied, which is a reasonable compromise.

To detect enterprise resolvers, atypical top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com; if the result does not match the actual IP, it is assumed that adult-content blocking is active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced by restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. In addition, Mozilla offers a single test host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host is not found, Firefox disables DoH).
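The checks described above can be modelled in a few lines. This is an added sketch, not Firefox's code: the function names, the mapping of `www.google.com` and `www.youtube.com` to their safe-search names, the RFC 1918 test for "intranet" and every address in the sample tables are assumptions constructed for the example. It also shows that the "DoH always" setting ignores all of these signals, which is what keeps a party controlling the resolver from forcing a downgrade.

```python
import ipaddress

CANARY = "use-application-dns.net"
ADULT_PROBE = "exampleadultsite.com"
# Assumption: which public names are compared against which safe-search names.
SAFE_SEARCH = {
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def doh_disable_reasons(resolve, adult_expected, internal_hosts=(), always_doh=False):
    """resolve(host) -> set of IPs from the system resolver (empty = not found)."""
    if always_doh:                       # "DoH always": heuristics are ignored
        return []
    reasons = []
    if not resolve(CANARY):              # canary host not found: network opts out
        reasons.append("canary")
    if not (resolve(ADULT_PROBE) & adult_expected):
        reasons.append("parental-control")
    for host, safe_names in SAFE_SEARCH.items():
        safe_ips = set().union(*(resolve(n) for n in safe_names))
        if resolve(host) & safe_ips:     # answer swapped for the restricted endpoint
            reasons.append("safe-search:" + host)
    if any(is_intranet(a) for h in internal_hosts for a in resolve(h)):
        reasons.append("enterprise")
    return reasons


def make_resolver(table):
    return lambda host: set(table.get(host, ()))


# Constructed sample data (documentation address ranges, not real answers).
ADULT_REAL = {"203.0.113.10"}
OPEN_NET = {
    CANARY: ["198.51.100.1"], ADULT_PROBE: ["203.0.113.10"],
    "www.google.com": ["198.51.100.20"], "forcesafesearch.google.com": ["198.51.100.99"],
    "www.youtube.com": ["198.51.100.30"], "restrict.youtube.com": ["198.51.100.98"],
    "restrictmoderate.youtube.com": ["198.51.100.97"],
}
FILTERED_NET = {**OPEN_NET, CANARY: [], ADULT_PROBE: ["192.0.2.1"],
                "www.youtube.com": ["198.51.100.98"], "wiki.corp": ["10.1.2.3"]}
```
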

Working through a single DoH service can also cause problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server generates its answer taking the resolver's address into account and returns the nearest host from which to fetch the content). In such CDNs, sending a DNS query from the resolver closest to the user results in the address of the host nearest to the user being returned, whereas sending the DNS query from a centralized resolver returns the address of the host nearest to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN led to virtually no delay before content transfer began (on fast connections the delays did not exceed 10 milliseconds, and on slow links a speed-up was even observed). Use of the EDNS Client Subnet extension was also considered as a way to pass client location information to the CDN resolver.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for countering MITM attacks and DNS traffic spoofing, for countering blocking at the DNS level, and for making things work when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas ordinary DNS requests are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of requests.

To enable DoH in about:config, change the value of the network.trr.mode variable, which has been supported since Firefox 60. A value of 0 disables DoH completely; 1 - DNS or DoH is used, whichever is faster; 2 - DoH is used by default, and DNS is used as a fallback; 3 - only DoH is used; 4 - mirroring mode, in which DoH and DNS are used in parallel. By default the CloudFlare DNS server is used, but it can be changed through the network.trr.uri parameter; for example, you can set "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

Source: opennet.ru
