BIND DNS Server 9.18.0 released with DNS-over-TLS and DNS-over-HTTPS support

After two years of development, the ISC consortium has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of extended support. Support for the 9.11 branch ends in March, and support for the 9.16 branch in mid-2023. To develop the functionality of the next stable version of BIND, an experimental branch, BIND 9.19.0, has been created.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for securely transferring DNS zone contents between servers (both sending and receiving zones via XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent using DNS-over-HTTPS and DNS-over-TLS. DNS-over-TLS client support is built into the dig utility, which can be used to send queries over TLS when the "+tls" flag is specified.

The HTTP/2 protocol implementation used for DoH is based on the nghttp2 library, which is included as an optional build dependency. Certificates for DoH and DoT can be supplied by the user or generated automatically at startup.

Handling queries over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To support unencrypted DNS-over-HTTP, "tls none" must be specified in the configuration. Keys are defined in a "tls" section. The default network ports (853 for DoT, 443 for DoH and 80 for DNS-over-HTTP) can be overridden with the tls-port, https-port and http-port parameters. For example:

tls local-tls {
    key-file "/path/to/priv_key.pem";
    cert-file "/path/to/cert_chain.pem";
};

http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    https-port 443;
    listen-on port 443 tls local-tls http local-http-server { any; };
};
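Added example (not from the article and not ISC's own configuration) of a fuller named.conf that combines the listeners described above with XoT zone transfers: DoT on 853, DoH on 443, loopback-only plain HTTP on 80 for a local TLS-terminating proxy, and TLS-only incoming and outgoing zone transfers. The certificate paths, the 192.0.2.x addresses, ns1.example.org and the zone name are assumed placeholders.

```conf
// Added example named.conf fragment; not from the article or the ISC docs.
// Assumed values: certificate paths under /etc/bind/certs, the 192.0.2.0/24
// documentation addresses, ns1.example.org and the zone example.org.

// Server-side TLS material used by the DoT and DoH listeners below.
tls local-tls {
    key-file "/etc/bind/certs/priv_key.pem";
    cert-file "/etc/bind/certs/cert_chain.pem";
    protocols { TLSv1.3; };      // refuse older TLS versions
    prefer-server-ciphers yes;
    session-tickets no;          // no session-ticket reuse
};

// Client-side TLS used when pulling zones over XoT: verify the primary's
// certificate against a CA bundle and check its hostname.
tls upstream-tls {
    ca-file "/etc/ssl/certs/ca-certificates.crt";
    remote-hostname "ns1.example.org";
};

// HTTP endpoint exposed for DoH (RFC 8484 clients use /dns-query).
http local-http-server {
    endpoints { "/dns-query"; };
    listener-clients 300;        // cap concurrent DoH clients per listener
    streams-per-connection 100;  // cap HTTP/2 streams per connection
};

options {
    directory "/var/cache/bind";
    tls-port 853; https-port 443; http-port 80;   // the defaults, made explicit

    listen-on port 53 { any; };                                        // classic DNS
    listen-on port 853 tls local-tls { any; };                         // DoT
    listen-on port 443 tls local-tls http local-http-server { any; };  // DoH
    // Unencrypted DNS-over-HTTP, loopback only: for debugging or for a
    // TLS-terminating proxy on the same host, never on a public interface.
    listen-on port 80 tls none http local-http-server { 127.0.0.1; };

    // Serve zone transfers only over TLS (XoT) and only to the listed secondary.
    allow-transfer port 853 transport tls { 192.0.2.10; };
};

// Secondary zone fetched from the primary over XoT using upstream-tls.
zone "example.org" {
    type secondary;
    file "db.example.org";
    primaries { 192.0.2.1 port 853 tls upstream-tls; };
};
```

Check the result with named-checkconf before reloading; a listen-on that references an undefined tls or http block is rejected at load time.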

One of the features of the DoH implementation in BIND is the ability to offload TLS encryption to another server, which may be required when the TLS certificates are stored on a different system (for example, in an infrastructure with web servers) and are maintained by different staff. Unencrypted DNS-over-HTTP support is implemented to simplify debugging and to serve as a layer for forwarding to another server on the internal network (moving encryption to a separate server). On the remote server, nginx can be used to handle the TLS traffic, much as HTTPS is set up for websites.

Another feature is the integration of DoH as a general transport that can be used not only for handling client queries to the resolver, but also for communication between servers, for zone transfers by an authoritative DNS server, and for processing any queries supported by the other DNS transports.

Among the drawbacks, which can be offset by building without DoH/DoT or by offloading encryption to another server, the overall complication of the code base stands out: a built-in HTTP server and a TLS library are added, which could potentially contain vulnerabilities and act as additional attack vectors. Traffic also increases when DoH is used.

Recall that DNS-over-HTTPS can help prevent leaks of information about requested host names through the provider's DNS servers, counter MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), resist blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), and allow operation when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas ordinary DNS queries are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is usually used), wrapped in an encrypted communication channel established with the TLS protocol, with the host's validity checked through TLS/SSL certificates signed by a certificate authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of queries.

Other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings to set the sizes of the buffers used when sending and receiving queries over TCP and UDP. On busy servers, increasing the receive buffers helps avoid packet drops during traffic peaks, and decreasing them helps keep memory from being clogged with stale queries.
  • Added a new log category, "rpz-passthru", which allows RPZ (Response Policy Zones) passthru actions to be logged separately.
  • Added the "nsdname-wait-recurse" option to the response-policy section; when it is set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the query are already in the cache; otherwise the RPZ NSDNAME rule is ignored, but the information is fetched in the background and applied to subsequent queries.
  • Implemented processing of the "ADDITIONAL" section for records of the HTTPS and SVCB types.
  • Added additional update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow updates of SRV and PTR records to be restricted. update-policy blocks can now also set limits on the number of records, separately for each type.
  • Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig can now be given a specific query identifier (dig +qid= ).
  • Added support for the OpenSSL 3.0 library.
  • To resolve the IP fragmentation problems with large DNS messages identified during DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a query received no response has been removed from the resolver. The EDNS buffer size is now fixed (edns-udp-size) for all outgoing queries.
  • The build system has been switched to a combination of autoconf, automake and libtool.
  • Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to the raw format using the named-compilezone utility.
  • Support for the old DLZ (Dynamically Loadable Zones) drivers has been discontinued; they are replaced by DLZ modules.
  • Build and run support for the Windows platform has been discontinued. The last branch that can be installed on Windows is BIND 9.16.

Source: opennet.ru
