DNS-over-HTTPS enabled by default in Firefox for US users

The Firefox developers have announced that DNS over HTTPS (DoH) will become the default mode for US users. Encrypting DNS traffic is considered a critically important element of protecting users. Starting today, every new installation by a US user will have DoH enabled by default. Existing US users are scheduled to be switched over to DoH within the next few weeks. In the European Union and other countries, enabling DoH by default is not planned for now.

After DoH is enabled, a notice is shown to the user that lets them, if they wish, decline to contact the centralized DoH servers and return to the traditional scheme of sending unencrypted queries to the provider's DNS server. Instead of the distributed infrastructure of DNS resolvers, DoH relies on binding to one particular DoH service, which can be regarded as a single point of failure. At present the service is offered through two DNS providers: CloudFlare (the default) and NextDNS.

The provider can be changed, or DoH disabled, in the network connection settings. For example, an alternative DoH server can be specified: "https://dns.google/dns-query" to use Google's servers, "https://dns.quad9.net/dns-query" for Quad9, and "https://doh.opendns.com/dns-query" for OpenDNS. about:config also exposes the network.trr.mode setting, which changes how DoH operates: a value of 0 disables DoH completely; 1 uses either DNS or DoH, whichever answers faster; 2 uses DoH by default with DNS as a fallback; 3 uses DoH only; 4 is a mirroring mode in which DoH and DNS are used in parallel.

Recall that DoH can be useful for preventing leaks of the requested hostnames through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for circumventing blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), and for working when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas DNS requests are normally sent directly to the DNS servers defined in the system configuration, with DoH the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver handles requests through a Web API. The existing DNSSEC standard uses cryptography only to authenticate the client and server; it does not protect traffic from interception and does not guarantee the confidentiality of requests.

To select the DoH providers offered in Firefox, requirements for trusted DNS resolvers were drawn up. Under them, the DNS operator may use data obtained during resolution only to keep the service running, must not retain logs for more than 24 hours, may not pass data to third parties, and must disclose its data-processing practices. The service must also commit not to censor, filter, interfere with or block DNS traffic, except in situations provided for by law.

DoH should be used with care. For example, in the Russian Federation the IP addresses 104.16.248.249 and 104.16.249.249, which belong to the default DoH server mozilla.cloudflare-dns.com offered in Firefox, are on Roskomnadzor's block list following a request from the Stavropol court dated 10.06.2013.

DoH can cause problems in areas such as parental control systems, access to internal namespaces in corporate networks, route selection in content delivery optimization systems, and compliance with court orders in the fight against the distribution of illegal content and child abuse. To head off such problems, a checking system has been implemented and tested that automatically disables DoH under certain conditions.

To identify enterprise resolvers, unusual top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the real IP, adult-content blocking is assumed to be active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. These checks allow attackers who control the resolver or can interfere with traffic to simulate such behaviour in order to switch off encryption of DNS traffic.
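The heuristics above, as an added example (not Firefox's own code): the canary hostnames come from the article, the "real" address of exampleadultsite.com is a placeholder because the article does not give it, and the two answer tables are constructed to stand in for a plain resolver and one that filters. The same function shows why a resolver that can rewrite answers is also a resolver that can trigger the fallback.

```python
import ipaddress

# Canary hostnames the article says the heuristics look at.
ADULT_CANARY = "exampleadultsite.com"
SAFE_SEARCH_CANARIES = {
    "www.google.com": ("forcesafesearch.google.com",),
    "www.youtube.com": ("restrict.youtube.com", "restrictmoderate.youtube.com"),
}
# Placeholder: the canary's genuine address is not given in the article.
ADULT_CANARY_REAL_IP = "203.0.113.10"

def doh_blockers(resolve, intranet_names=(), real_ip=ADULT_CANARY_REAL_IP):
    """Return the reasons for leaving DoH off; an empty list means none were found.
    `resolve` is any callable mapping a hostname to the list of IPs the system
    resolver returned (a dict lookup stands in for a real resolver here)."""
    reasons = []
    # 1. Enterprise resolver: internal names are answered with intranet addresses.
    for name in intranet_names:
        for ip in resolve(name):
            if ipaddress.ip_address(ip).is_private:
                reasons.append(f"{name} -> {ip} (intranet address)")
    # 2. Parental control at DNS level: the canary does not resolve to its real IP.
    answers = resolve(ADULT_CANARY)
    if answers and real_ip not in answers:
        reasons.append(f"{ADULT_CANARY} -> {answers} (adult-content filtering)")
    # 3. Safe search enforced by pointing Google/YouTube at their restricted hosts.
    for site, restricted in SAFE_SEARCH_CANARIES.items():
        shared = set(resolve(site)) & {ip for r in restricted for ip in resolve(r)}
        if shared:
            reasons.append(f"{site} -> {sorted(shared)} (safe-search redirect)")
    return reasons

# Constructed answer tables (not real DNS data) for a plain and a filtering resolver.
PLAIN_RESOLVER = {
    "intranet.corp": [], "exampleadultsite.com": ["203.0.113.10"],
    "www.google.com": ["198.51.100.1"], "forcesafesearch.google.com": ["198.51.100.99"],
    "www.youtube.com": ["198.51.100.2"], "restrict.youtube.com": ["198.51.100.98"],
    "restrictmoderate.youtube.com": ["198.51.100.97"],
}
FILTERING_RESOLVER = {**PLAIN_RESOLVER,
    "intranet.corp": ["10.1.2.3"], "exampleadultsite.com": ["0.0.0.0"],
    "www.google.com": ["198.51.100.99"], "www.youtube.com": ["198.51.100.97"]}

if __name__ == "__main__":
    for label, table in (("plain", PLAIN_RESOLVER), ("filtering", FILTERING_RESOLVER)):
        print(label, doh_blockers(lambda n, t=table: t.get(n, []), ["intranet.corp"]))
```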

Working through a single DoH service can also cause problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server builds its response around the resolver's address and returns the host closest to it for fetching the content). Sending a DNS query from a resolver close to the user yields, in such CDNs, the address of a host close to the user, but sending it from a centralized resolver returns the address of a host close to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN introduced practically no delay before content delivery begins (on fast connections the delay did not exceed 10 milliseconds, and on slow links delivery was even observed to speed up). Using the EDNS Client Subnet extension to pass client location information to the CDN's resolver was also considered.

Source: opennet.ru