Firefox developers
After DoH is enabled, a warning is shown to the user, which allows them, if they wish, to decline contacting centralized DoH DNS servers and return to the traditional scheme of sending unencrypted queries to the provider's DNS server. Instead of a distributed infrastructure of DNS resolvers, DoH binds to a specific DoH service, which can be considered a single point of failure. Currently, operation is offered through two DNS providers - CloudFlare (default) and
Change the provider or disable DoH
Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), or for organizing work when DNS servers cannot be reached directly (for example, when working through a proxy). While DNS requests are normally sent directly to the DNS servers defined in the system configuration, in the case of DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
The choice of DoH providers offered in Firefox,
DoH should be used with caution. For example, in the Russian Federation, the IP addresses 104.16.248.249 and 104.16.249.249 associated with the default DoH server mozilla.cloudflare-dns.com offered in Firefox,
DoH can also cause problems in areas such as parental control systems, access to internal namespaces in corporate systems, route selection in content delivery optimization systems, and compliance with court orders in the area of combating the distribution of illegal content and the exploitation of minors. To avoid such problems, a system of checks has been implemented and tested that automatically disables DoH under certain conditions.
To identify enterprise resolvers, first-level domains (TLDs) are checked, along with whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the actual IP, adult content blocking is considered to be active at the DNS level. Google and YouTube IP addresses are also checked as indicators, to see whether they have been replaced by restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. These checks allow attackers who control the operation of the resolver, or who are able to interfere with traffic, to simulate such behavior in order to disable encryption of DNS traffic.
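The checks described above, sketched as an auditing helper an administrator could run against their own resolver to see which heuristics its answers would trip. This is an added example, not Firefox's code: the www.google.com and www.youtube.com probe names, the `known_good` input and the RFC 1918/ULA definition of "intranet" are assumptions, and the TLD check is left out.

```python
import ipaddress
import socket

# Names quoted in the text; www.google.com / www.youtube.com are assumed probes.
PARENTAL_CANARY = "exampleadultsite.com"
SAFE_SEARCH = {
    "www.google.com": ("forcesafesearch.google.com",),
    "www.youtube.com": ("restrict.youtube.com", "restrictmoderate.youtube.com"),
}
# Assumption: "intranet" means RFC 1918 space or IPv6 unique local addresses.
INTRANET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def system_resolve(name):
    """Ask the OS resolver; return the set of addresses (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 zone ids

def doh_fallback_signals(known_good, resolve=system_resolve):
    """List the heuristics that this resolver's answers would trip.

    known_good maps the canary name to its real addresses, learned out of band.
    """
    signals, seen = [], set()
    canary = resolve(PARENTAL_CANARY)
    seen |= canary
    if canary != set(known_good[PARENTAL_CANARY]):  # empty answer also differs
        signals.append("parental-control")
    for site, restricted in SAFE_SEARCH.items():
        answer = resolve(site)
        seen |= answer
        forced = set().union(*(resolve(r) for r in restricted))
        if answer & forced:  # site was rewritten to a restricted endpoint
            signals.append("safe-search:" + site)
    if any(ipaddress.ip_address(a) in net for a in seen for net in INTRANET):
        signals.append("intranet-address")
    return signals

def table_resolver(table):
    """Offline stand-in for a resolver, backed by a dict of canned answers."""
    return lambda name: table.get(name, set())

# Constructed answers (documentation address ranges), not real DNS data.
GOOD = {"exampleadultsite.com": {"203.0.113.10"}}
CLEAN = {"exampleadultsite.com": {"203.0.113.10"},
         "www.google.com": {"198.51.100.1"}, "www.youtube.com": {"198.51.100.2"},
         "forcesafesearch.google.com": {"198.51.100.99"},
         "restrict.youtube.com": {"198.51.100.98"},
         "restrictmoderate.youtube.com": {"198.51.100.97"}}
FILTERED = {**CLEAN, "exampleadultsite.com": {"10.0.0.53"},
            "www.google.com": {"198.51.100.99"}}
```

A non-empty result on a network that deploys no filtering is worth investigating, since the same answers are what a resolver-level attacker would forge to force plain DNS.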
Working through a single DoH service can also lead to problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server generates a response that takes the resolver's address into account and returns the nearest host from which to receive the content). Sending a DNS query from the resolver closest to the user results, in such CDNs, in the address of the host closest to the user being returned, but sending a DNS query from a centralized resolver will return the address of the host closest to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN led to virtually no delay before the start of content transfer (on fast connections the delay did not exceed 10 milliseconds, and even faster performance was observed on slow communication channels). Use of the EDNS Client Subnet extension was also considered as a way to provide client location information to the CDN resolver.
Source: opennet.ru