Release of BIND DNS server 9.18.0 with support for DNS-over-TLS and DNS-over-HTTPS

After two years of development, the ISC consortium has published the first stable release of the new major branch of the BIND DNS server, 9.18. The 9.18 branch will be supported for three years, until Q2 2025, as part of the extended support cycle. Support for the 9.11 branch ends in March, and support for the 9.16 branch in mid-2023. Work on the functionality of the next stable BIND version continues in the newly created experimental branch, BIND 9.19.0.

BIND 9.18.0 is notable for implementing DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as XoT (XFR-over-TLS) for secure transfer of DNS zone contents between servers (both sending and receiving zones over XoT are supported). With appropriate configuration, a single named process can now serve not only ordinary DNS queries, but also queries arriving over DNS-over-HTTPS and DNS-over-TLS. DNS-over-TLS client support is built into the dig utility, which sends its requests over TLS when the "+tls" flag is specified.

The HTTP/2 implementation used for DoH is based on the nghttp2 library, which is included as an optional build dependency. Certificates for DoH and DoT can be supplied by the administrator or generated automatically at startup; automatically generated certificates are self-signed, so clients cannot validate them against a certificate authority, which makes them suitable for testing rather than for production.

Query processing over DoH and DoT is enabled by adding the "http" and "tls" options to the listen-on directive. To serve unencrypted DNS-over-HTTP, specify "tls none". Keys and certificates are defined in a "tls" block. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:

    // TLS key and certificate chain used by the DoT and DoH listeners
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    // HTTP endpoint(s) on which DoH queries are accepted
    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // The listener references the tls and http blocks defined above
        listen-on port 443 tls local-tls http local-http-server { any; };
    };

One feature of the DoH implementation in BIND is the ability to offload TLS encryption to another server, which may be needed where TLS certificates are stored on a different system (for example, in an infrastructure built around web servers) and maintained by other staff. Unencrypted DNS-over-HTTP support exists to simplify debugging and to serve as a backend for forwarding from another server on the internal network (that is, for moving encryption to a separate host). On that front-end host, nginx can be used to terminate TLS, in the same way HTTPS is set up for websites. Note that with this arrangement the hop between the TLS terminator and named carries plaintext DNS-over-HTTP, so it must stay on a trusted network segment.

Another feature is the integration of DoH as a general-purpose transport that can be used not only to handle client queries to a resolver, but also for communication between servers, for zone transfers by an authoritative DNS server, and for any query supported by the other DNS transports.

Among the drawbacks, which can be mitigated by building without DoH/DoT or by offloading encryption to another server, the most notable is the general growth of the code base: a built-in HTTP server and a TLS library are added, which could potentially contain vulnerabilities and act as additional attack vectors. DoH also increases traffic volume, since each DNS message carries HTTP/2 framing and headers on top of the TLS overhead.

Recall that DNS-over-HTTPS can be useful for preventing leakage of requested host names through a provider's DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connected to public Wi-Fi), for bypassing blocking implemented at the DNS level (DNS-over-HTTPS is no substitute for a VPN when blocking is done at the DPI level), and for working where direct access to DNS servers is impossible (for example, behind a proxy). Whereas DNS requests are normally sent directly to the DNS servers defined in the system configuration, with DNS-over-HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests through a Web API.

DNS over TLS differs from DNS over HTTPS in that it uses the standard DNS protocol (normally on network port 853) wrapped in an encrypted channel established with TLS, with the server's identity verified through TLS/SSL certificates issued by a certificate authority. The existing DNSSEC standard, by contrast, uses cryptography only to sign DNS data so that its authenticity can be verified; it does not protect traffic from interception and does not guarantee the confidentiality of queries.
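The following Python script is an added illustration for this article, not code from the BIND project: it builds one ordinary DNS query and shows how the same message is framed for the two transports described above, DoT (the unchanged DNS message with the two-byte length prefix of RFC 1035 TCP framing, inside TLS on port 853) and DoH (the message carried as an HTTP body or base64url-encoded in the "dns" query parameter of an endpoint such as the "/dns-query" used in the configuration example). The query also carries an EDNS0 OPT record advertising a fixed UDP payload size, the quantity that named's edns-udp-size option controls. The query builder, the minimal response parser and the sample response are hand-written for this example; the answer address in the constructed response is made up, and nothing is sent over the network.

```python
"""Added example (not BIND's own code): DoT and DoH wire encodings of one
DNS message. All parsing is minimal and handles only what the demo needs."""
from __future__ import annotations

import base64
import struct

DOT_PORT = 853   # DNS over TLS, RFC 7858
DOH_PORT = 443   # DNS over HTTPS, RFC 8484


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: int = 1232) -> bytes:
    """Standard DNS query (RFC 1035) plus an EDNS0 OPT record.
    1232 is the DNS Flag Day 2020 recommendation for the UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)  # root name, type OPT (41)
    return header + question + opt


def dot_frame(msg: bytes) -> bytes:
    """DoT: the unchanged DNS message with a 2-byte big-endian length prefix,
    exactly as DNS over TCP, sent inside the TLS session."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, endpoint: str = "/dns-query") -> str:
    """DoH GET variant: base64url without padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_decode_dns_param(param: str) -> bytes:
    """Server side of the GET variant: restore the padding the client omitted."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(msg: bytes, endpoint: str = "/dns-query") -> tuple[str, dict, bytes]:
    """DoH POST variant: the raw DNS message is the HTTP body."""
    headers = {"content-type": "application/dns-message",
               "accept": "application/dns-message",
               "content-length": str(len(msg))}
    return f"POST {endpoint}", headers, msg


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            if not jumped:
                end = off
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Parse header and answer section; reject a mismatched transaction id,
    the most basic check against an injected response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append((name, "A", ttl, ".".join(map(str, rdata))))
        else:
            answers.append((name, str(rtype), ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "answers": answers}


# Constructed response to the example.com query: NOERROR, one A record
# (address chosen arbitrarily for the example), plus an OPT record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
)


def demo() -> dict:
    query = build_query("example.com")
    return {"dot_frame": dot_frame(query).hex(),
            "doh_get": doh_get_path(query),
            "doh_post": doh_post_request(query)[:2],
            "parsed": parse_response(SAMPLE_RESPONSE, 0x1234)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The DoT framing is the reason a DoT listener is conceptually "just DNS over TCP inside TLS", while the DoH variants show why an HTTP server and base64url handling have to live inside named (or in front of it, on a TLS-terminating proxy) before a DNS message can be processed.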

Other changes:

  • Added the tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer and udp-send-buffer settings for sizing the buffers used when sending and receiving requests over TCP and UDP. On busy servers, enlarging the receive buffers helps avoid packet drops during traffic peaks, while shrinking them helps keep memory from filling up with stale requests.
  • A new "rpz-passthru" log category allows RPZ (Response Policy Zones) passthru actions to be logged separately.
  • The response-policy block gains the "nsdname-wait-recurse" option; when set to "no", RPZ NSDNAME rules are applied only if the authoritative name servers for the query are already in the cache. Otherwise the NSDNAME rule is skipped for that query, but the information is fetched in the background and applied to subsequent queries.
  • For HTTPS and SVCB record types, processing of the "ADDITIONAL" section is implemented.
  • New update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, allow updates of SRV and PTR records to be restricted. update-policy blocks can also now limit the number of records, per type.
  • The dig utility's output now shows the transport protocol (UDP, TCP, TLS, HTTPS) and DNS64 prefixes. For debugging, dig can send a query with a specific request identifier (dig +qid=<id>).
  • Added support for the OpenSSL 3.0 library.
  • To address the IP fragmentation problems with large DNS messages highlighted by DNS Flag Day 2020, the resolver code that reduced the EDNS buffer size when a request went unanswered has been removed. The EDNS buffer size is now fixed at one value (edns-udp-size) for all outgoing requests.
  • The build system has been switched to the autoconf, automake and libtool combination.
  • Support for zone files in the "map" format (masterfile-format map) has been dropped. Users of this format are advised to convert their zones to raw format with the named-compilezone utility.
  • Support for the old DLZ (Dynamically Loadable Zones) drivers has been dropped in favour of DLZ modules.
  • Building and running on the Windows platform is no longer supported. The last branch installable on Windows is BIND 9.16.

Source: opennet.ru