Chrome 78 will begin experimenting with enabling DNS-over-HTTPS

Following Mozilla, Google has announced its intention to run an experiment to test the "DNS over HTTPS" (DoH) implementation being developed for the Chrome browser. In Chrome 78, scheduled for October 22, some categories of users will be switched to DoH by default. Only users whose current system settings specify certain DNS providers recognized as DoH-compatible will take part in the experiment to enable DoH.

The whitelist of DNS providers includes the services of Google (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1, 1.0.0.1), OpenDNS (208.67.222.222, 208.67.220.220), Quad9 (9.9.9.9, 149.112.112.112), Cleanbrowsing (185.228.168.168, 185.228.169.168) and DNS.SB (185.222.222.222, 185.184.222.222). If the user's DNS settings specify one of the DNS servers listed above, DoH in Chrome will be enabled automatically. For those who use DNS servers provided by their local Internet provider, everything will remain unchanged and the system resolver will continue to be used for DNS queries.

An important difference from the DoH implementation in Firefox, which will begin gradually enabling DoH as early as the end of September, is the absence of binding to a single DoH service. Whereas Firefox uses the CloudFlare DNS server by default, Chrome will only switch the way it works with DNS to the equivalent service, without changing the DNS provider. For example, if the user has DNS 8.8.8.8 specified in the system settings, Chrome will activate Google's DoH service ("https://dns.google.com/dns-query"); if the DNS is 1.1.1.1, then the Cloudflare DoH service ("https://cloudflare-dns.com/dns-query"), and so on.

If desired, the user can enable or disable DoH using the "chrome://flags/#dns-over-https" setting. Three operating modes are supported: secure, automatic and off. In "secure" mode, hosts are resolved only on the basis of previously cached secure values (obtained over a secure connection) and requests via DoH; fallback to ordinary DNS is not used. In "automatic" mode, if DoH and the secure cache are unavailable, data can be retrieved from the insecure cache and obtained through traditional DNS. In "off" mode, the shared cache is checked first and, if there is no data, the request is sent through the system DNS. The mode is set via the kDnsOverHttpsMode setting, and the server mapping template via kDnsOverHttpsTemplates.

The experiment to enable DoH will be carried out on all platforms supported by Chrome, except Linux and iOS, because of the non-trivial nature of parsing resolver settings and restricted access to the system DNS settings. If, after enabling DoH, there are problems sending requests to the DoH server (for example, because it is blocked, a network connectivity problem or a failure), the browser will automatically fall back to the system DNS settings.

The purpose of the experiment is to make a final test of the DoH implementation and to study the effect of using DoH on performance. It should be noted that DoH support was in fact added to the Chrome codebase back in February, but configuring and enabling DoH required launching Chrome with a special flag and a non-obvious set of options.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), or for organizing work when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas normally DNS requests are sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
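The encapsulation described above, as an added example that is not code from Chrome or from the original article: it builds the GET form of a DoH request and decodes one back to the queried name, which is what a TLS-inspecting proxy or log pipeline needs in order to keep DNS visibility. The RFC 8484 `dns` parameter format is an assumption the article does not spell out, and the function names are the example's own.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# DoH endpoint named in the article; used here only to build a URL string.
TEMPLATE = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Return a DNS wire-format query (QTYPE 1 = A, QCLASS 1 = IN)."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can reuse answers),
    # flags=0x0100 (recursion desired), QDCOUNT=1, remaining counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, template: str = TEMPLATE) -> str:
    """Put the query, base64url-encoded without padding, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{template}?dns={b64}"


def decode_doh_url(url: str):
    """Recover (qname, qtype) from a DoH GET URL; None if it cannot be parsed."""
    values = parse_qs(urlsplit(url).query).get("dns")
    if not values:
        return None
    raw = values[0]
    try:
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except ValueError:
        return None
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):  # pointer or truncation
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):  # need the root label plus QTYPE and QCLASS
        return None
    return ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0]
```

DoH clients may also send the same wire-format message in a POST body, in which case the queried name does not appear in the URL at all.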

Source: opennet.ru
