Mozilla has decided to enable DNS-over-HTTPS by default in Firefox

The Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable the technology by default for US users at the end of September. The rollout will be gradual: initially for a few percent of users and, if no problems appear, rising step by step to 100%. Once the US is covered, enabling DoH in other countries will be considered.

A year of testing demonstrated the reliability and good performance of the service, and made it possible to identify specific situations in which DoH can cause problems and to develop workarounds for them (for example, breakage of traffic optimization in content delivery networks, of parental controls, and of corporate internal DNS zones).

Encrypting DNS traffic is regarded as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but at the first stage only for users in the United States. After DoH is enabled, the user will see a notice that allows them, if they wish, to opt out of contacting centralized DoH servers and return to the traditional scheme of sending unencrypted queries to the provider's DNS server (instead of the distributed infrastructure of DNS resolvers, DoH binds the client to a specific DoH service, which can be regarded as a single point of failure).

With DoH enabled, parental control systems and corporate networks that rely solely on an internal DNS namespace to resolve intranet addresses and hosts may stop working. To address such environments, a set of checks has been added that automatically disables DoH. The checks run every time the browser starts and whenever a change of subnet is detected.

Automatic fallback to the operating system's standard resolver is also provided if resolution via DoH fails (for example, if network connectivity to the DoH provider is lost or its infrastructure suffers an outage). The value of such checks is questionable, since nothing prevents an attacker who controls the resolver, or who can interfere with traffic, from simulating the same behaviour in order to switch off DNS traffic encryption. This problem was addressed by adding a "DoH always" item to the settings (inactive by default); when it is set, the automatic disabling is not performed, which is a reasonable compromise.

To detect corporate resolvers, Firefox checks for atypical top-level domains (TLDs) and for the system resolver returning intranet addresses. To determine whether parental controls are active, it attempts to resolve the name exampleadultsite.com; if the result does not match the real IP, it is assumed that adult content filtering is in place at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. In addition, Mozilla proposes a single test host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host cannot be resolved, Firefox turns DoH off).
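The checks described above, written out as a small offline model (this is added example code, not Mozilla's implementation). The resolver is injected as a function so the example runs against constructed answer tables; the expected address for exampleadultsite.com, the intranet probe name and the exact decision rules are assumptions, since the article names the signals but not the values Firefox uses. The `doh_always` flag models the "DoH always" setting: the heuristics are still reported, but they can no longer turn DoH off.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a host name to the set of IPs it returned, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[Set[str]]]

CANARY_DOMAIN = "use-application-dns.net"   # canary host named in the article
ADULT_TEST_NAME = "exampleadultsite.com"     # test name named in the article
# Placeholder for the expected real address (TEST-NET-1, RFC 5737); the article
# does not give the real one, so this value is an assumption.
EXPECTED_ADULT_IP = "192.0.2.10"
# Public names and the safe-search hosts a filtering resolver may substitute for them.
SAFE_SEARCH_PAIRS: Dict[str, List[str]] = {
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
}
# Probe name with an atypical TLD (assumed), used to spot split-horizon corporate DNS.
INTRANET_PROBE = "intranet.corp"


def canary_blocks_doh(resolve: Resolver) -> bool:
    """ISPs and filters signal 'disable DoH' by making the canary fail to resolve."""
    return not resolve(CANARY_DOMAIN)


def parental_controls_active(resolve: Resolver) -> bool:
    """Adult-site test name tampered with, or search names pointing at safe-search hosts."""
    answer = resolve(ADULT_TEST_NAME)
    if not answer or EXPECTED_ADULT_IP not in answer:
        return True
    for public_name, safe_hosts in SAFE_SEARCH_PAIRS.items():
        public_ips = resolve(public_name) or set()
        for safe_host in safe_hosts:
            if public_ips and public_ips & (resolve(safe_host) or set()):
                return True
    return False


def enterprise_resolver_detected(resolve: Resolver) -> bool:
    """System resolver answers an atypical-TLD name with private (intranet) addresses."""
    answer = resolve(INTRANET_PROBE)
    if not answer:
        return False
    return any(ipaddress.ip_address(ip).is_private for ip in answer)


def doh_decision(resolve: Resolver, doh_always: bool = False) -> Dict[str, object]:
    """Return whether DoH stays enabled and which heuristics fired.

    With doh_always set, a resolver that fakes these signals (or fakes failures)
    cannot downgrade the client to plaintext DNS.
    """
    reasons: List[str] = []
    if canary_blocks_doh(resolve):
        reasons.append("canary")
    if parental_controls_active(resolve):
        reasons.append("parental-controls")
    if enterprise_resolver_detected(resolve):
        reasons.append("enterprise-resolver")
    return {"doh_enabled": doh_always or not reasons, "reasons": reasons}


def make_resolver(table: Dict[str, Optional[Set[str]]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    return lambda name: table.get(name)


# Constructed answer tables (sample data, not captured from a real network).
CLEAN_NETWORK: Dict[str, Optional[Set[str]]] = {
    CANARY_DOMAIN: {"198.51.100.1"},
    ADULT_TEST_NAME: {EXPECTED_ADULT_IP},
    "www.google.com": {"203.0.113.10"},
    "forcesafesearch.google.com": {"203.0.113.99"},
    "www.youtube.com": {"203.0.113.20"},
    "restrict.youtube.com": {"203.0.113.98"},
    "restrictmoderate.youtube.com": {"203.0.113.97"},
    INTRANET_PROBE: None,
}
# Filtering resolver: canary withheld, adult test sinkholed, YouTube forced to the restricted host.
FILTERED_NETWORK = {**CLEAN_NETWORK, CANARY_DOMAIN: None,
                    ADULT_TEST_NAME: {"203.0.113.200"}, "www.youtube.com": {"203.0.113.98"}}
# Corporate split-horizon DNS: the intranet probe is answered with an RFC 1918 address.
CORPORATE_NETWORK = {**CLEAN_NETWORK, INTRANET_PROBE: {"10.1.2.3"}}

if __name__ == "__main__":
    for label, table in [("clean", CLEAN_NETWORK), ("filtered", FILTERED_NETWORK),
                         ("corporate", CORPORATE_NETWORK)]:
        print(label, doh_decision(make_resolver(table)))
    print("filtered + DoH always", doh_decision(make_resolver(FILTERED_NETWORK), doh_always=True))
```

Each heuristic is a separate function so it can be logged on its own; in a real client the reasons list is what you would want to see in diagnostics, because a network that trips one of these checks on every restart may be a filter doing exactly what the article describes, or a resolver deliberately forcing the downgrade.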

Routing all queries through a single DoH service can also interfere with traffic optimization in content delivery networks that balance load via DNS (the CDN's DNS server builds its answer based on the resolver's address and hands out the host closest to it for serving the content). A DNS query sent from a resolver close to the user makes such a CDN return the address of the host nearest the user, whereas a query sent from a centralized resolver returns the host nearest the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN causes practically no delay before content delivery starts (on fast connections the delay never exceeded 10 milliseconds, and on slow links even faster performance was observed). Using the EDNS Client Subnet extension to pass client location information to the CDN resolver was also considered.

Recall that DoH can be useful for preventing leaks of requested host names through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing, for resisting blocking at the DNS level, and for operating in environments where direct access to DNS servers is impossible (for example, when working through a proxy). Whereas in the normal case DNS queries are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a web API. The existing DNSSEC standard uses cryptography only to authenticate data between client and server; it does not protect traffic from interception and does not guarantee the confidentiality of queries.

To enable DoH in about:config, change the value of the network.trr.mode variable, which has been supported since Firefox 60. A value of 0 disables DoH completely; 1 means either DNS or DoH is used, whichever answers faster; 2 means DoH is used by default with DNS as a fallback; 3 means only DoH is used; 4 is a mirroring mode in which DoH and DNS are used in parallel. By default the Cloudflare DNS server is used, but it can be changed via the network.trr.uri parameter, for example to "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

Source: opennet.ru
