Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced the addition of server-side support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XFR-over-TLS mechanism for securely transferring DNS zones between servers. DoH is available for testing in release 9.17, and DoT support has been present since release 9.17.10. After stabilization, DoT and DoH support will be backported to the stable 9.17.7 branch.

The HTTP/2 implementation used for DoH is based on the nghttp2 library, which is now one of the build dependencies (in the future the library is planned to be moved to the optional dependencies). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent over DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). Client-side HTTPS support (dig) has not yet been implemented. XFR-over-TLS support is available for both inbound and outbound requests.

Request handling over DoH and DoT is configured by adding the http and tls options to the listen-on directive. To support unencrypted DNS-over-HTTP, specify "tls none" in the settings. Keys are defined in a "tls" block. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // the http option must name the http block defined above
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

Among the features of BIND's DoH implementation, the integration is designed as a general-purpose transport: it can be used not only to process client requests to the resolver, but also for exchanging data between servers, for zone transfers from an authoritative DNS server, and for handling any request type supported by the other DNS transports.

Another feature is the ability to offload TLS encryption to another server, which may be necessary where the TLS certificates are stored on a different system (for example, in an infrastructure with web servers) and are maintained by other staff. Unencrypted DNS-over-HTTP support is implemented to simplify debugging and to serve as a forwarding layer on the internal network, on top of which encryption can be arranged on another server. On that remote server, nginx can be used to terminate the TLS traffic, in the same way HTTPS is set up for websites.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about the requested host names through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for bypassing blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for working when direct access to DNS servers is not possible (for example, when working through a proxy). Whereas in the normal case DNS requests are sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to the HTTP server, where the resolver processes the requests through a Web API.
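To make the encapsulation concrete, here is an added example (not BIND's own code) that builds an RFC 8484 DoH GET request for the "/dns-query" endpoint used in the configuration above and parses a wire-format answer; the helper names are hypothetical and the response bytes are constructed inline, so nothing is sent over the network.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    """Encode a host name as length-prefixed DNS labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query; ID 0 as RFC 8484 recommends so HTTP caches can reuse it."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN

def doh_get_path(query: bytes, endpoint: str = "/dns-query") -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) owner name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root 1

def parse_a_records(msg: bytes) -> list:
    """Addresses from the A records of an application/dns-message response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN): no usable answer
        return []
    off = 12
    for _ in range(qd):  # question section: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample response (not a real lookup): one A record for example.com
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)             # QR, RD, RA; 1 answer
    + encode_name("example.com") + struct.pack(">HH", 1, 1)   # echoed question
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
```

The same query bytes can instead be sent as the body of a POST with Content-Type application/dns-message; in either case the reply body is the wire-format message that parse_a_records expects.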

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (network port 853 is normally used), wrapped in an encrypted communication channel established with the TLS protocol, with host validation through TLS/SSL certificates issued by a certificate authority. The existing DNSSEC standard uses cryptography only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru