Firefox developers have announced an expansion of DNS over HTTPS (DoH) mode, which will be enabled by default for users in Canada (previously, DoH was the default only in the US). Enabling DoH for Canadian users is split into several stages: on July 20, DoH will be activated for 1% of Canadian users and, barring unexpected problems, coverage will be raised to 100% by the end of September.
The move of Canadian Firefox users to DoH is being carried out with the participation of CIRA (Canadian Internet Registration Authority), which oversees the development of the Internet in Canada and is responsible for the top-level domain "ca". CIRA has also signed up for the TRR (Trusted Recursive Resolver) program and is one of the DNS-over-HTTPS providers available in Firefox.
After DoH is activated, a warning will be shown on the user's system that allows the user, if desired, to decline the switch to DoH and continue using the traditional scheme of sending unencrypted requests to the provider's DNS server. You can change the provider or disable DoH in the network connection settings. In addition to the CIRA DoH servers, you can choose the Cloudflare and NextDNS services.
The DoH providers offered in Firefox are selected according to the requirements for trusted DNS resolvers, under which the DNS operator may use the data received for resolution only to keep the service running, must not store logs for more than 24 hours, cannot pass data to third parties, and is required to disclose information about its data processing methods. The service must also agree not to censor, filter, interfere with or block DNS traffic, except in situations provided for by law.
Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for organizing work when it is impossible to reach DNS servers directly (for example, when working through a proxy). Whereas DNS requests are normally sent directly to the DNS servers defined in the system configuration, with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
Source: opennet.ru