Release of BIND DNS Server 9.18.0 with DNS-over-TLS and DNS-over-HTTPS support

After two years of development, the ISC consortium has published the first stable release of the new BIND 9.18 DNS server branch. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of the extended support cycle. Support for the 9.11 branch ends in March, and support for the 9.16 branch in mid-2023. To develop the functionality of the next BIND version, an experimental branch, BIND 9.19.0, has been created.

The BIND 9.18.0 release is notable for implementing support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT (XFR-over-TLS) mechanism for secure zone transfers between servers (both sending and receiving zones over XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS queries but also queries sent over DNS-over-HTTPS and DNS-over-TLS. Client-side support for DNS-over-TLS is built into the dig utility, which can send queries over TLS when the "+tls" flag is specified.

The implementation of the HTTP/2 protocol used for DoH is based on the nghttp2 library, which has been added as an optional build dependency. Certificates for DoH and DoT can either be supplied by the user or generated automatically at startup.

Query processing over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To serve unencrypted DNS-over-HTTP, "tls none" must be specified in the settings. Keys are defined in a "tls" block. The default network ports (853 for DoT, 443 for DoH and 80 for DNS-over-HTTP) can be overridden with the tls-port, https-port and http-port parameters. For example:

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };
    http local-http-server {
        endpoints { "/dns-query"; };
    };
    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One feature of the DoH implementation in BIND is the ability to offload TLS encryption to another server, which may be necessary where TLS certificates are stored on a different system (for example, in an infrastructure built around web servers) and maintained by other staff. Support for unencrypted DNS-over-HTTP is provided to simplify debugging and to serve as a layer for forwarding to another server on the internal network (so that encryption can be moved to a separate server). On the remote server, nginx can be used to terminate the TLS traffic, in the same way HTTPS is set up for websites.
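As an added example (not from the article or from the ISC documentation), a fuller named.conf fragment that puts the listeners described above side by side: plain DNS on 53, DoT on 853, DoH on 443, and an unencrypted DNS-over-HTTP listener reserved for a TLS-terminating proxy such as nginx on the internal network. File paths, addresses and the port 8053 are placeholders chosen for the example.

```conf
// TLS material for the DoT and DoH listeners (placeholder paths)
tls local-tls {
    key-file  "/etc/bind/tls/privkey.pem";
    cert-file "/etc/bind/tls/fullchain.pem";
};

// DoH endpoint; /dns-query is the conventional RFC 8484 path
http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    // Classic DNS over UDP/TCP
    listen-on port 53 { any; };

    // DNS-over-TLS on the default DoT port
    listen-on port 853 tls local-tls { any; };

    // DNS-over-HTTPS: TLS terminated by named itself
    listen-on port 443 tls local-tls http local-http-server { any; };

    // Unencrypted DNS-over-HTTP ("tls none") for a TLS-terminating
    // proxy on the internal network. Bound to an internal address only,
    // so cleartext DoH is never reachable from outside (placeholder address).
    listen-on port 8053 tls none http local-http-server { 10.0.0.5; };
};
```

Once named is reloaded, the DoT listener can be checked from the same host with "dig +tls @127.0.0.1 example.com"; the port 8053 listener should only be reachable from the proxy host, which is what the address restriction in the listen-on line enforces.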

Another feature is the integration of DoH as a general-purpose transport that can be used not only to handle client queries to the resolver, but also for communication between servers, for zone transfers from an authoritative DNS server, and for processing any queries supported by the other DNS transports.

Among the drawbacks, which can be mitigated by disabling DoH/DoT at build time or by offloading encryption to another server, is the general complication of the code base: a built-in HTTP server and a TLS library are added, which may contain vulnerabilities and act as additional attack vectors. In addition, traffic volume increases when DoH is used.

Recall that DNS-over-HTTPS can be useful for preventing leaks of information about requested host names through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocking implemented at the DPI level), or for working where direct access to DNS servers is not possible (for example, through a proxy). Whereas DNS queries are normally sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes the queries via a Web API.

"DNS over TLS" differs from "DNS over HTTPS" in using the standard DNS protocol (usually on port 853), wrapped in an encrypted channel established with the TLS protocol, with host validation through TLS/SSL certificates issued by a certificate authority. The existing DNSSEC standard uses cryptography only to authenticate the client and the server; it does not protect traffic from interception and does not guarantee the confidentiality of queries.

Some other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings for sizing the buffers used when sending and receiving queries over TCP and UDP. On busy servers, increasing the receive buffers helps avoid dropped packets during traffic peaks, while reducing them helps prevent memory from being tied up by stale queries.
  • Added a new "rpz-passthru" log category, which allows RPZ (Response Policy Zones) passthru actions to be logged separately.
  • Added the "nsdname-wait-recurse" option to the response-policy section. When set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the query are already in the cache; otherwise the RPZ NSDNAME rule is ignored, but the information is fetched in the background and applies to subsequent queries.
  • Implemented processing of the "ADDITIONAL" section for records of the HTTPS and SVCB types.
  • Added the update-policy rule types krb5-subdomain-self-rhs and ms-subdomain-self-rhs, which allow restricting updates of SRV and PTR records. update-policy blocks can also now set limits on the number of records, individually for each type.
  • Added information about the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes to the output of the dig utility. For debugging purposes, dig can now be given a specific query identifier (dig +qid=).
  • Added support for the OpenSSL 3.0 library.
  • To address the IP fragmentation problems with large DNS messages identified in DNS Flag Day 2020, the code that adjusted the EDNS buffer size when a query received no response has been removed from the resolver. The EDNS buffer size is now set to a constant value (edns-udp-size) for all outgoing queries.
  • The build system has been switched to the autoconf, automake and libtool combination.
  • Support for zone files in the "map" format (masterfile-format map) has been discontinued. Users of this format are advised to convert their zones to the raw format with the named-compilezone utility.
  • Support for the old DLZ (Dynamically Loadable Zones) drivers has been discontinued and replaced by DLZ modules.
  • Building and running on the Windows platform is no longer supported. The last branch that can be installed on Windows is BIND 9.16.

Source: opennet.ru