Experimental DNS-over-HTTPS support added to the BIND DNS server

The developers of the BIND DNS server have announced server-side support for DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as XFR-over-TLS for protected transfer of DNS zone contents between servers. DoH is available for testing in release 9.17.10, while DoT support has been present since 9.17.7. Once stabilized, DoT and DoH support is planned to be backported to the stable 9.16 branch.

The HTTP/2 implementation used for DoH is built on the nghttp2 library, which has been added to the build dependencies (the library is planned to become an optional dependency later). Both encrypted (TLS) and unencrypted HTTP/2 connections are supported. With the appropriate configuration, a single named process can now serve not only ordinary DNS queries but also queries sent over DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS). Client-side HTTPS support (in dig) has not been implemented yet. XFR-over-TLS support is available for both incoming and outgoing transfer requests.

Handling of requests over DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To serve unencrypted DNS-over-HTTP, "tls none" must be specified instead. Keys and certificates are defined in a "tls" block. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be changed with the tls-port, https-port and http-port parameters. Example (the http block is referenced by the same name in listen-on):

    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

A notable aspect of BIND's DoH implementation is that it is integrated as a general-purpose transport: it can be used not only for handling client queries to the resolver, but also for exchanging data between servers, for zone transfers from an authoritative DNS server, and for any request type that the other DNS transports already support.

Another feature is the ability to offload TLS handling to a separate server, which can be necessary where the TLS certificates are stored on another system (for example, in an infrastructure built around web servers) and are maintained by other staff. Unencrypted DNS-over-HTTP support exists to simplify debugging and to act as a transport on an internal network, on top of which encryption can be provided by another server. On that front-end server nginx can be used to terminate TLS and proxy the plain HTTP/2 traffic to named, in the same way HTTPS is set up for websites. Since such a listener carries queries in cleartext, it should be bound only to the internal interface reachable from the TLS-terminating proxy, not exposed to clients directly.

Recall that DNS-over-HTTPS can be useful for preventing leakage of the names a host queries through the ISP's DNS servers, for countering MITM attacks and spoofing of DNS traffic (for example, when connecting to public Wi-Fi), for circumventing blocking applied at the DNS level (DNS-over-HTTPS cannot replace a VPN for bypassing blocks implemented at the DPI level), and for operating where DNS servers cannot be reached directly (for example, when working through a proxy). Whereas DNS requests are normally sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where a resolver processes the requests through a Web API.

DNS over TLS differs from DNS over HTTPS in that it uses the standard DNS protocol (normally on network port 853) wrapped in an encrypted channel established with TLS, with the server's identity verified through TLS/SSL certificates issued by a certification authority. The existing DNSSEC standard uses cryptography only to sign DNS data so that its origin and integrity can be verified; it does not encrypt traffic, does not protect it from interception, and does not provide confidentiality of queries.
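As an added example, and not code from BIND or from the article, the following Python encodes one DNS query by hand and shows the two encapsulations the previous two paragraphs describe: the RFC 8484 DoH forms (GET with a base64url "dns" parameter, and POST with an application/dns-message body) that travel inside HTTPS, and the RFC 7858 DoT framing, which is the unchanged DNS message with the two-byte length prefix of DNS-over-TCP sent inside TLS. The endpoint path matches the BIND configuration above; the response bytes are constructed here for illustration and the 192.0.2.1 address is a documentation address, not real data. Nothing touches the network.

```python
# Added example, not code from BIND or the article: encodes one DNS query into
# the DoH (RFC 8484) and DoT (RFC 7858) encapsulations and decodes a constructed
# response, making the wire-level difference between the two transports visible.
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type
DOH_ENDPOINT = "/dns-query"                 # same endpoint as the BIND config


def build_query(name, qtype=1, txid=0):
    """Standard DNS query in RFC 1035 wire format, QCLASS IN, RD set.
    txid 0 is recommended for DoH so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query, endpoint=DOH_ENDPOINT):
    """DoH GET form: base64url of the wire message with '=' padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, dns)


def doh_get_decode(path):
    """Server side of the GET form: restore padding, decode the message."""
    dns = path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def doh_post_headers(query, authority):
    """HTTP/2 header block for the DoH POST form; the body is the raw message."""
    return {":method": "POST", ":scheme": "https", ":authority": authority,
            ":path": DOH_ENDPOINT, "content-type": DOH_MEDIA_TYPE,
            "accept": DOH_MEDIA_TYPE, "content-length": str(len(query))}


def dot_frame(message):
    """DoT sends unmodified DNS messages inside TLS using the RFC 1035 TCP
    framing: a two-byte big-endian length prefix before each message."""
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream):
    """Split a DoT byte stream into messages; a trailing partial frame is
    left unconsumed instead of being misparsed."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        length = struct.unpack_from("!H", stream, offset)[0]
        if offset + 2 + length > len(stream):
            break
        messages.append(stream[offset + 2:offset + 2 + length])
        offset += 2 + length
    return messages


def parse_answers(message):
    """(owner, rtype, rdata) for each answer record of a DNS response,
    following RFC 1035 name-compression pointers."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", message)

    def read_name(offset):
        labels, end = [], None
        while True:
            length = message[offset]
            if length & 0xC0 == 0xC0:        # pointer: jump, remember return point
                if end is None:
                    end = offset + 2
                offset = struct.unpack_from("!H", message, offset)[0] & 0x3FFF
                continue
            offset += 1
            if length == 0:
                break
            labels.append(message[offset:offset + length].decode("ascii"))
            offset += length
        return ".".join(labels) + ".", (offset if end is None else end)

    offset = 12
    for _ in range(qdcount):                  # skip the question section
        _, offset = read_name(offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(offset)
        rtype, _cls, _ttl, rdlength = struct.unpack_from("!HHIH", message, offset)
        offset += 10
        answers.append((owner, rtype, message[offset:offset + rdlength]))
        offset += rdlength
    return answers


SAMPLE_QUERY = build_query("example.com")
# Constructed response (not captured from a real server): same question, one
# A record for example.com. (TTL 300) pointing at 192.0.2.1, a documentation
# address, with the owner name compressed to a pointer at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The same parse_answers routine decodes the message whichever transport delivered it, which is the point of the article's remark that DoH and DoT are transports only: the DNS payload is identical, and only the framing (HTTP/2 request inside TLS versus length-prefixed message inside TLS) differs.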

Source: opennet.ru
