DNS-over-HTTPS enabled by default in Firefox for US users

Firefox developers have announced that DNS over HTTPS (DoH) is being enabled by default for US users. Encrypting DNS traffic is regarded as an essential element of user protection. Starting today, all new installations by US users will have DoH enabled by default. Existing US users are scheduled to be switched to DoH over the next few weeks. In the European Union and other countries, enabling DoH by default is not yet planned.

After DoH is enabled, a warning is shown to the user, who can, if desired, decline to connect to the centralized DoH DNS servers and return to the usual scheme of sending unencrypted queries to the provider's DNS server. Instead of the distributed infrastructure of DNS resolvers, DoH binds the client to a specific DoH service, which can be viewed as a single point of failure. At present, the service is offered through two DNS providers: Cloudflare (the default) and NextDNS.

The provider can be changed, or DoH disabled, in the network connection settings. For example, an alternative DoH server can be specified: "https://dns.google/dns-query" to use Google's servers, "https://dns.quad9.net/dns-query" for Quad9, and "https://doh.opendns.com/dns-query" for OpenDNS. about:config also exposes the network.trr.mode setting, which changes the DoH operating mode: 0 disables DoH completely; 1 uses either plain DNS or DoH, whichever answers faster; 2 uses DoH by default with plain DNS as a fallback; 3 uses DoH only; 4 is a mirroring mode in which DoH and DNS are used in parallel. Note that only mode 3 rules out a fallback to unencrypted DNS: in mode 2 a failed or blocked DoH request quietly reverts to the system resolver.

Recall that DoH can be useful for preventing leaks of information about the requested hostnames through the provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for resisting blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), and for arranging work when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas DNS requests are normally sent directly to the DNS servers defined in the system configuration, with DoH the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API. The existing DNSSEC standard only signs DNS data so that its authenticity and integrity can be verified; it does not encrypt the traffic, so it neither protects queries from interception nor guarantees their confidentiality.

When choosing the DoH providers offered in Firefox, requirements for trustworthy DNS resolvers were taken into account: the DNS operator may use the data it receives only for resolution, in order to keep the service working; must not retain logs for more than 24 hours; may not transfer the data to third parties; and must disclose information about its data processing practices. The service must also commit not to censor, filter, interfere with, or block DNS traffic, except where required by law.

DoH should be used with care. For example, in the Russian Federation the IP addresses 104.16.248.249 and 104.16.249.249, associated with mozilla.cloudflare-dns.com, the default DoH server offered in Firefox, are listed in Roskomnadzor's blocklists at the request of a Stavropol court ruling dated 10 June 2013.

DoH can also cause problems in areas such as parental control systems, access to internal namespaces in corporate environments, route selection in content delivery optimization systems, and compliance with court orders aimed at combating the distribution of illegal content and the exploitation of minors. To avoid such problems, a system of checks has been implemented and tested that automatically disables DoH under certain conditions.

To identify enterprise resolvers, lookups of unusual top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result differs from the real IP, it is assumed that adult-content blocking is active at the DNS level. The IP addresses of Google and YouTube are also checked to see whether they have been replaced with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. These checks allow an attacker who controls the resolver, or who can interfere with traffic, to imitate such behavior in order to switch off DNS traffic encryption.
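The checks just described, as an added example written for this page (not Mozilla's implementation): the resolver is injected as a function so the logic runs offline against constructed answer tables, and the SPOOFED table shows the failure mode from the last sentence, where forging a single canary answer is enough to switch DoH off. The expected address for exampleadultsite.com, the landing-page addresses, the probe hosts and the list of internal TLDs are assumed placeholders (RFC 5737 documentation ranges), not the real values Firefox uses.

```python
"""Heuristics for automatically switching DoH off (added example, not Mozilla's code).

The resolver is passed in as a function so the checks run offline against
constructed answer tables.  All addresses are RFC 5737 documentation-range
placeholders and the host lists are assumptions, not the values Firefox uses.
"""
import ipaddress

# Assumed values for illustration only.
CANARY_ADULT_DOMAIN = "exampleadultsite.com"
EXPECTED_ADULT_IP = "192.0.2.10"            # placeholder for the domain's genuine address
SAFESEARCH_LANDING_HOSTS = ("restrict.youtube.com",
                            "forcesafesearch.google.com",
                            "restrictmoderate.youtube.com")
PROBE_HOSTS = ("www.youtube.com", "www.google.com")
INTERNAL_TLDS = {"corp", "internal", "lan", "home"}   # assumed list of non-public TLDs


def parental_controls_detected(resolve):
    """True if DNS-level adult filtering or forced SafeSearch appears to be active."""
    # A filter that blocks or redirects the canary domain changes its answer.
    if set(resolve(CANARY_ADULT_DOMAIN)) != {EXPECTED_ADULT_IP}:
        return True
    # Forced SafeSearch: the real hosts resolve to the restricting landing hosts.
    landing = {ip for host in SAFESEARCH_LANDING_HOSTS for ip in resolve(host)}
    return any(set(resolve(host)) & landing for host in PROBE_HOSTS)


def enterprise_resolver_detected(resolve, probe_names):
    """True if any probe name uses a non-public TLD or resolves to an intranet address."""
    for name in probe_names:
        answers = resolve(name)
        if not answers:
            continue
        if name.rsplit(".", 1)[-1].lower() in INTERNAL_TLDS:
            return True
        if any(ipaddress.ip_address(a).is_private for a in answers):
            return True
    return False


def doh_should_be_disabled(resolve, probe_names=()):
    """Combined decision: any positive heuristic turns DoH off."""
    return parental_controls_detected(resolve) or enterprise_resolver_detected(resolve, probe_names)


def make_resolver(table):
    """Wrap a dict {name: [addresses]} as a resolver function; unknown names answer empty."""
    return lambda name: list(table.get(name.lower(), ()))


# Constructed answer tables (no real resolver is contacted).
CLEAN = {
    CANARY_ADULT_DOMAIN: [EXPECTED_ADULT_IP],
    "restrict.youtube.com": ["198.51.100.1"],
    "forcesafesearch.google.com": ["198.51.100.2"],
    "restrictmoderate.youtube.com": ["198.51.100.3"],
    "www.youtube.com": ["192.0.2.20"],
    "www.google.com": ["192.0.2.21"],
}
FILTERED = {**CLEAN, "www.youtube.com": ["198.51.100.1"]}     # SafeSearch forced by the resolver
SPOOFED = {**CLEAN, CANARY_ADULT_DOMAIN: ["203.0.113.1"]}     # attacker forges only the canary
CORPORATE = {**CLEAN, "intranet.corp": ["10.1.2.3"], "files.example.com": ["10.1.2.4"]}

if __name__ == "__main__":
    for label, table in (("clean", CLEAN), ("filtered", FILTERED), ("spoofed", SPOOFED)):
        print(label, "-> disable DoH:", doh_should_be_disabled(make_resolver(table)))
    print("corporate -> disable DoH:",
          doh_should_be_disabled(make_resolver(CORPORATE), probe_names=("intranet.corp",)))
```

The SPOOFED case is the point of the paragraph: the decision rests on plaintext answers from the very resolver DoH is meant to bypass, so anyone on path can craft a single wrong reply for the canary name and keep the client on unencrypted DNS.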

Working through a single DoH service can also create problems for traffic optimization in content delivery networks that balance load using DNS (the CDN's DNS server builds its response with the resolver's address in mind and hands out the nearest host from which to fetch the content). Sending a DNS query from the resolver closest to the user results in the address of the host closest to the user, whereas a query sent from a centralized resolver returns the address of the host closest to the DNS-over-HTTPS server. Practical testing showed that using DNS-over-HTTPS together with a CDN introduced virtually no delay before content transfer began (on fast links the delay did not exceed 10 milliseconds, and on slow channels operation was even faster). The EDNS Client Subnet extension was also considered as a way of supplying the CDN's resolver with information about the client's location.
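The encapsulation described earlier (a DNS query carried inside HTTPS to the resolver's Web API) and the EDNS Client Subnet option from the CDN discussion above, as one added example written for this page, not Firefox or Mozilla code: it builds an RFC 8484 wire-format query, packs it into the GET form for the provider URLs listed earlier, optionally attaches an RFC 7871 Client Subnet option, and parses A records out of a response. The sample response and the 203.0.113.0/24 subnet are constructed test values; the live lookup in doh_resolve() is the only part that touches the network.

```python
"""DNS-over-HTTPS wire format (RFC 8484) with an optional EDNS Client Subnet
option (RFC 7871).  Added example written for this page, not Firefox code.
The sample response is constructed by hand and uses an RFC 5737 address."""
import base64
import ipaddress
import struct
import urllib.request

# DoH endpoints named in the article (Mozilla's default plus the alternatives).
DOH_ENDPOINTS = {
    "cloudflare": "https://mozilla.cloudflare-dns.com/dns-query",
    "google": "https://dns.google/dns-query",
    "quad9": "https://dns.quad9.net/dns-query",
    "opendns": "https://doh.opendns.com/dns-query",
}
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_OPTION_ECS = 8          # option code for Client Subnet
FLAG_RD = 0x0100             # recursion desired


def encode_name(name):
    """Encode a hostname as DNS labels (length-prefixed, root-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def ecs_option(subnet):
    """EDNS Client Subnet option: family, source prefix, scope 0, truncated address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]   # only the announced prefix
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", EDNS_OPTION_ECS, len(data)) + data


def build_query(name, qtype=TYPE_A, client_subnet=None):
    """Wire-format query; ID 0 as RFC 8484 recommends so HTTP caches can reuse it."""
    arcount = 1 if client_subnet else 0
    msg = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if client_subnet:
        opt = ecs_option(client_subnet)
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(opt)) + opt
    return msg


def doh_get_url(endpoint, query):
    """GET form of RFC 8484: base64url without padding in the dns= parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] for the A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


# Constructed response: one A record for example.com, name compressed via a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)


def doh_resolve(endpoint, name, client_subnet=None, timeout=5):
    """Live lookup over HTTPS (needs network); on the wire only a TLS session to the DoH server is visible."""
    url = doh_get_url(endpoint, build_query(name, client_subnet=client_subnet))
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    q = build_query("example.com", client_subnet="203.0.113.0/24")
    print(doh_get_url(DOH_ENDPOINTS["google"], q))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The Client Subnet option makes the CDN trade-off concrete: to get an edge node near the user, a prefix of the user's own address has to travel to the authoritative server, which gives back part of the location information that routing everything through one DoH resolver would otherwise hide.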

Source: opennet.ru
