Chrome 78 will begin experimenting with enabling DNS-over-HTTPS

Following Mozilla, Google has announced its intention to run an experiment to test the "DNS over HTTPS" (DoH) implementation being developed for the Chrome browser. In Chrome 78, scheduled for October 22, some categories of users will be switched to DoH by default. Only users whose current system settings specify certain DNS providers recognised as DoH-compatible will take part in the experiment to enable DoH.

The whitelist of DNS providers includes the services of Google (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1, 1.0.0.1), OpenDNS (208.67.222.222, 208.67.220.220), Quad9 (9.9.9.9, 149.112.112.112), Cleanbrowsing (185.228.168.168, 185.228.169.168) and DNS.SB (185.222.222.222, 185.184.222.222). If the user's DNS settings specify one of the DNS servers mentioned above, DoH in Chrome will be enabled by default. For those who use DNS servers provided by their local Internet provider, everything will remain unchanged and the system resolver will continue to be used for DNS queries.

An important difference from the DoH implementation in Firefox, which will begin gradually enabling DoH by default as early as the end of September, is the absence of binding to a single DoH service. Whereas Firefox uses the CloudFlare DNS server by default, Chrome will only update the method of working with DNS to the equivalent service, without changing the DNS provider. For example, if the user has DNS 8.8.8.8 specified in the system settings, Chrome will activate the Google DoH service ("https://dns.google.com/dns-query"); if the DNS is 1.1.1.1, then the Cloudflare DoH service ("https://cloudflare-dns.com/dns-query"), and so on.

If desired, the user can enable or disable DoH using the "chrome://flags/#dns-over-https" setting. Three operating modes are supported: secure, automatic and off. In "secure" mode, hosts are resolved only on the basis of previously cached secure values (obtained over a secure connection) and requests via DoH; fallback to ordinary DNS is not used. In "automatic" mode, if DoH and the secure cache are unavailable, data may be returned from the insecure cache and obtained via ordinary DNS. In "off" mode, the shared cache is checked first and, if there is no data, the request is sent through the system DNS. The mode is set through the kDnsOverHttpsMode setting, and the server mapping template through kDnsOverHttpsTemplates.

The experiment to enable DoH will be carried out on all platforms supported by Chrome, except Linux and iOS, because of the non-trivial nature of parsing resolver settings and of restricted access to the system DNS settings. If, after DoH is enabled, there are problems sending requests to the DoH server (for example, because it is blocked, or because of network connectivity problems or a failure), the browser will automatically revert to the system DNS settings.

The purpose of the experiment is to carry out final testing of the DoH implementation and to study the impact of using DoH on performance. It should be noted that DoH support was in fact added to the Chrome codebase back in February, but configuring and enabling DoH required launching Chrome with a special flag and a non-obvious set of options.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for organising work when DNS servers cannot be reached directly (for example, when working through a proxy). Whereas in the normal situation DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
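The same-provider upgrade, the three modes and the HTTPS encapsulation described above, as an added Python sketch that is not Chrome's code. The function names are hypothetical, only the two providers whose DoH endpoints the article quotes are mapped, and the request is built in the GET form defined by RFC 8484.

```python
import base64
import struct

# Resolver address -> same-provider DoH endpoint. Only the two providers whose
# endpoints the article quotes are listed; the rest of the whitelist is omitted.
SAME_PROVIDER_DOH = {
    "8.8.8.8": "https://dns.google.com/dns-query",
    "8.8.4.4": "https://dns.google.com/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
}

def select_upgrade(system_resolvers):
    """DoH endpoints for whitelisted resolvers; [] means keep the system resolver."""
    endpoints = []
    for ip in system_resolvers:
        url = SAME_PROVIDER_DOH.get(ip)
        if url and url not in endpoints:
            endpoints.append(url)
    return endpoints

def resolution_plan(mode, system_resolvers):
    """Ordered (transport, target) attempts for 'secure', 'automatic' and 'off'."""
    doh = [("doh", url) for url in select_upgrade(system_resolvers)]
    plain = [("dns", ip) for ip in system_resolvers]
    if mode == "off":
        return plain
    if mode == "secure":
        return doh            # no fallback to ordinary DNS
    if mode == "automatic":
        return doh + plain    # ordinary DNS is tried when DoH is unavailable
    raise ValueError(f"unknown mode: {mode!r}")

def build_query(name, qtype=1):
    """RFC 1035 wire-format query; ID 0 as RFC 8484 suggests for HTTP caching."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def doh_get_url(endpoint, name, qtype=1):
    """RFC 8484 GET form: base64url of the query, padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{endpoint}?dns={b64.decode('ascii')}"
```

On the network, the "doh" entries appear as HTTPS connections to the provider's endpoint rather than port 53 traffic, which is the change a monitoring team has to account for.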

Source: opennet.ru
