"Love and dislike": DNS over HTTPS

We analyze opinions about the DNS over HTTPS protocol, which has recently become a "bone of contention" between Internet service providers and browser developers.


The essence of the disagreement

Recently, major publications and content platforms (including Habr) have been writing a lot about the DNS over HTTPS (DoH) protocol. It encrypts requests to the DNS server and the responses to them. This approach hides the domain names a user accesses. From these publications we can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One half believes the new protocol will improve Internet security and is already using it in its applications and services. The other half is sure the technology only makes the work of system administrators harder. Below, we analyze the arguments of both sides.

How DoH works

Before we get into why ISPs and other market participants are for or against DNS over HTTPS, let us briefly look at how it works.

With DoH, a request to resolve a name to an IP address is wrapped in HTTPS traffic. It then goes to an HTTP server, where it is handled through an API. Here is an example request from RFC 8484 (page 6):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

Thus, DNS traffic is hidden inside HTTPS traffic. The client and server communicate over the standard port 443. As a result, requests to the domain name system remain indistinguishable from ordinary web traffic.
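The RFC 8484 request above, worked through as an added example (this is not code from the article or the RFC): build the wire-format DNS query, encode it as the dns= parameter, and decode a parameter back to the queried name, which is what a TLS-terminating proxy or endpoint agent would need to log DoH lookups. The resolver URL is the RFC's example host.

```python
import base64
import struct
from urllib.parse import urlencode

# The dns= value from the RFC 8484 example request quoted above.
RFC_EXAMPLE_PARAM = (
    "AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl"
    "bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z"
    "dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ"
)

def build_query(name, qtype=1):
    """Build a minimal DNS query in wire format (RFC 1035).

    Matches the RFC 8484 example: ID 0 (DoH does not need a random ID
    for matching, and a fixed 0 helps HTTP caching), RD flag set, one
    question, qtype A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def encode_doh_param(message):
    """base64url without '=' padding, as RFC 8484 requires for dns=."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")

def doh_get_url(name, resolver="https://dnsserver.example.net/dns-query"):
    """Full GET URL for a DoH lookup of `name` (resolver host from the RFC)."""
    return resolver + "?" + urlencode({"dns": encode_doh_param(build_query(name))})

def qname_from_param(param):
    """Decode a dns= parameter and return the queried name.

    On the wire only a TLS session to port 443 is visible; this view is
    available only after TLS termination or on the endpoint itself."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    labels, pos = [], 12          # skip the fixed 12-byte header
    while raw[pos]:               # labels end with a zero-length label
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)
```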

Why is it disliked?

Opponents of DNS over HTTPS say that the new scheme will reduce connection security. According to Paul Vixie, a member of the DNS development community, it will make it harder for system administrators to block potentially malicious sites. Ordinary users will lose the ability to set up restrictive parental controls in browsers.

Paul's views are shared by UK Internet providers. The country's law obliges them to block resources with prohibited content, but DoH support in browsers makes the task of filtering traffic harder. Critics of the new protocol include the UK Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains a register of blocked resources.


Experts note that DNS over HTTPS can itself become a cybersecurity threat. In early July, information security specialists from Netlab discovered the first malware that used the new protocol while carrying out DDoS attacks: Godlua. The malware used DoH to fetch text records (TXT) and extract the URLs of its command and control servers from them.

Godlua's encrypted DoH requests were not detected by antivirus software. Information security experts fear that after Godlua other malware will appear that is invisible to DNS monitoring.

But not everyone is against it

APNIC engineer Geoff Huston spoke out in defense of DNS over HTTPS on his blog. According to him, the new protocol will make it easier to combat attacks on DNS, which have become increasingly common. This is confirmed by a January report from the cybersecurity company FireEye. Large IT companies have also supported the development of the protocol.

At the beginning of last year, Google began testing DoH, and last month the company released the General Availability version of its DoH service. Google hopes it will increase the security of personal data on the network and protect against MITM attacks.

Another browser developer, Mozilla, has supported DNS over HTTPS since last summer. At the same time, the company has been actively promoting the new technology in the IT world. For this, the Internet Services Providers' Association (ISPA) even nominated Mozilla for its Internet Villain of the Year award. In response, company representatives noted that they were disappointed by the reluctance of telecom operators to improve their outdated Internet infrastructure.


Major media outlets and other Internet providers spoke out in support of Mozilla. In particular, British Telecom believes that the new protocol will not affect content filtering and will improve security for UK users. Under public pressure, the ISPA had to withdraw the "villain" nomination.

Cloud providers, for example Cloudflare, have also encouraged the adoption of DNS over HTTPS. They already offer DNS services based on the new protocol. A full list of browsers and clients that support DoH is available on GitHub.

In any case, it is too early to speak of an end to the conflict between the two camps. IT experts predict that it will take more than a decade for DNS over HTTPS to become an established part of the Internet technology stack.


Source: www.habr.com
