Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced the addition of server-side support for the DNS over HTTPS (DoH) and DNS over TLS (DoT) technologies, as well as the XFR-over-TLS mechanism for securely transferring DNS zone contents between servers. DoH is available for testing in release 9.17, and DoT support has been present since release 9.17.10. After stabilization, DoT and DoH support will be backported to the stable 9.17.7 branch.

The HTTP/2 protocol implementation used in DoH is based on the nghttp2 library, which is included among the build dependencies (in the future, the library is planned to be moved to the list of optional dependencies). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now serve not only traditional DNS queries, but also queries sent using DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). Client-side HTTPS support (dig) has not yet been implemented. XFR-over-TLS support is available for both inbound and outbound requests.

Processing of requests over DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To support unencrypted DNS-over-HTTP, "tls none" must be specified in the settings. Keys are defined in the "tls" section. The default network ports 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP can be overridden via the tls-port, https-port and http-port parameters. For example (the http block is referenced by the same name, local-http-server, that it is declared under):

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

Among the features of the DoH implementation in BIND, the integration is designed as a general-purpose transport that can be used not only for processing client requests to a resolver, but also for exchanging data between servers, for transferring zones with an authoritative DNS server, and for processing any requests that are supported by the other DNS transports.

Another feature is the ability to offload TLS encryption operations to another server, which may be necessary where the TLS certificates are stored on another system (for example, in an infrastructure with web servers) and are maintained by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and as a transport for forwarding within an internal network, on top of which encryption can be arranged on another server. On the remote server, nginx can be used to terminate the TLS traffic, similar to how HTTPS is set up for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested hostnames through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for operating when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas normal DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine an IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is typically used), wrapped in an encrypted communication channel established with the TLS protocol, with host validity checked via TLS/SSL certificates certified by a certificate authority. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru
