Mozilla moves to enable DNS-over-HTTPS by default in Firefox

Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable the technology by default for US users at the end of September. Activation will be gradual, initially for a few percent of users and, if no problems arise, increasing step by step to 100%. Once the US is covered, enabling DoH in other countries will be considered.

Testing carried out over the year showed the reliability and good performance of the service, and also made it possible to identify some situations in which DoH can lead to problems and to develop solutions to work around them (for example, problems with traffic optimization in content delivery networks, parental controls and corporate internal DNS zones were worked through).

Encrypting DNS traffic is assessed as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but in the first stage only for users in the United States. After DoH is activated, the user will receive a warning that allows them, if desired, to decline contacting centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server (instead of a distributed infrastructure of DNS resolvers, DoH binds to a specific DoH service, which can be regarded as a single point of failure).

When DoH is enabled, parental control systems and corporate networks that use an internal-network-only DNS name structure to resolve intranet addresses and corporate hosts may be disrupted. To solve problems with such systems, a set of checks has been added that disables DoH automatically. The checks are performed each time the browser is started or when a subnet change is detected.

An automatic fallback to the standard operating system resolver is also provided if failures occur during resolution via DoH (for example, if network connectivity to the DoH provider is disrupted or a failure occurs in its infrastructure). The value of such checks is questionable, since nothing prevents attackers who control the resolver or are able to interfere with traffic from simulating the same behaviour in order to disable encryption of DNS traffic. The problem was addressed by adding a "DoH always" item to the settings (inactive by default); when it is set, automatic disabling is not applied, which is a reasonable compromise.

To identify corporate resolvers, top-level domains (TLDs) are checked, as is whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com, and if the result does not match the actual IP, adult-content blocking is considered to be active at the DNS level. The IP addresses of Google and YouTube are also checked as indicators, to see whether they have been replaced by restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. Mozilla additionally offers a single test host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host is not found, Firefox disables DoH).
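The checks described above can be run against a network's own resolver to see whether it will cause Firefox to leave DoH off. The following is an added example, not Mozilla's code: the function names, the probed Google/YouTube host names, the expected probe address and all sample answers are assumptions constructed for illustration.

```python
CANARY = "use-application-dns.net"
ADULT_PROBE = "exampleadultsite.com"
# Host -> safe-search names a filtering resolver may substitute for it.
# Which Google/YouTube hosts are probed is an assumption; the article names
# only the three substitute hosts.
SAFE_SEARCH = {
    "www.google.com": ["forcesafesearch.google.com"],
    "www.youtube.com": ["restrict.youtube.com", "restrictmoderate.youtube.com"],
}

def doh_disable_reasons(resolve, adult_probe_ips):
    """List the signals that tell the browser to leave DoH off.

    resolve(name) returns the set of IP strings the system resolver gives
    for name (empty set when the host is not found). adult_probe_ips is the
    answer expected for the probe name on an unfiltered network.
    """
    reasons = []
    if not resolve(CANARY):  # canary host not found
        reasons.append("canary")
    if resolve(ADULT_PROBE) != set(adult_probe_ips):
        reasons.append("parental-control")
    for host, substitutes in SAFE_SEARCH.items():
        answers = resolve(host)
        # Same address as a safe-search host means the answer was rewritten.
        if any(answers & resolve(s) for s in substitutes):
            reasons.append("safe-search:" + host)
    return reasons

def table_resolver(table):
    """Resolver stub backed by a dict, so the check runs offline."""
    return lambda name: table.get(name, set())

# Constructed answers from documentation address ranges, not real DNS data.
OPEN_NET = {
    CANARY: {"192.0.2.10"},
    ADULT_PROBE: {"192.0.2.20"},
    "www.google.com": {"198.51.100.1"},
    "forcesafesearch.google.com": {"198.51.100.9"},
    "www.youtube.com": {"198.51.100.2"},
    "restrict.youtube.com": {"198.51.100.8"},
    "restrictmoderate.youtube.com": {"198.51.100.7"},
}
# Filtering network: canary removed, probe sinkholed, Google forced to safe search.
FILTERED_NET = {**OPEN_NET, CANARY: set(), ADULT_PROBE: {"203.0.113.1"},
                "www.google.com": {"198.51.100.9"}}

if __name__ == "__main__":
    for label, net in (("open", OPEN_NET), ("filtered", FILTERED_NET)):
        print(label, doh_disable_reasons(table_resolver(net), {"192.0.2.20"}))
```

To check a live network, pass a `resolve` callable that wraps the operating system resolver in place of `table_resolver`.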

Working through a single DoH service can also lead to problems with traffic optimization in content delivery networks that balance traffic using DNS (the CDN's DNS server generates its response taking the resolver's address into account and returns the nearest host for receiving the content). Sending a DNS query from the resolver closest to the user results in such CDNs returning the address of the host closest to the user, but sending the DNS query from a centralized resolver will return the address of the host closest to the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN led to negligible delays before the start of content transfer (on fast connections the delay did not exceed 10 milliseconds, and on slow communication channels even faster performance was observed). The use of the EDNS Client Subnet extension was also considered as a way of providing client location information to the CDN resolver.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for countering MITM attacks and spoofing of DNS traffic, for countering blocking at the DNS level, or for organizing work when it is impossible to access DNS servers directly (for example, when working through a proxy). Whereas in the normal situation DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
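The encapsulation described above, shown for the GET form standardized in RFC 8484, where the ordinary DNS wire-format query is base64url-encoded into a `dns` URL parameter. This is an added example, not code from the article or from Firefox; the function names and the endpoint `https://doh.example/dns-query` are placeholders.

```python
import base64
import struct

def build_dns_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) for name; qtype 1 is an A record."""
    # Header: ID 0 (RFC 8484 recommends 0 so HTTP caches can share answers),
    # flags 0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")  # pass internationalized names as A-labels
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length in %r" % name)
        qname += bytes([len(raw)]) + raw
    # Root label, then QTYPE and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_request(endpoint, name, qtype=1):
    """Return (url, headers) for a DoH GET request to the given endpoint."""
    message = build_dns_query(name, qtype)
    # base64url without padding, as required for the "dns" parameter.
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    headers = {"Accept": "application/dns-message"}
    return endpoint + "?dns=" + token, headers

if __name__ == "__main__":
    # Placeholder endpoint; substitute the DoH service actually in use.
    url, headers = doh_get_request("https://doh.example/dns-query",
                                   "www.example.com")
    print(url)
    print(headers)
```

On the wire an observer sees only a TLS connection to the DoH endpoint; the queried name travels inside the encrypted HTTP request.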

To enable DoH in about:config, change the value of the network.trr.mode variable, which has been supported since Firefox 60. A value of 0 disables DoH completely; 1 - DNS or DoH is used, whichever is faster; 2 - DoH is used by default, and DNS is used as a fallback; 3 - only DoH is used; 4 - mirroring mode, in which DoH and DNS are used in parallel. By default, the CloudFlare DNS server is used, but it can be changed via the network.trr.uri parameter; for example, you can set "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

Source: opennet.ru
