BIND DNS now has experimental DNS over HTTPS support

The developers of the BIND DNS server announced a few days ago that server-side support for the DNS over HTTPS (DoH) and DNS over TLS (DoT) technologies, as well as XFR (zone transfers) over TLS, has been added to the experimental 9.17 branch.

The implementation of the HTTP/2 protocol used by DoH is based on the nghttp2 library, which is included among the build dependencies (in the future it is planned to make the library an optional dependency).

With the appropriate configuration, a single named process can now serve not only traditional DNS requests but also requests sent using DoH (DNS over HTTPS) and DoT (DNS over TLS).

Client-side HTTPS support (in dig) is not yet implemented, whereas XFR-over-TLS support is available for both incoming and outgoing requests.

Handling of requests using DoH and DoT is enabled by adding the http and tls options to the listen-on directive. To support unencrypted DNS over HTTP, "tls none" must be specified in the configuration. Keys are defined in the "tls" section. The default network ports, 853 for DoT, 443 for DoH and 80 for DNS over HTTP, can be overridden via the tls-port, https-port and http-port parameters.

Among the features of the DoH implementation in BIND, it is noted that TLS encryption operations can be offloaded to another server. This may be needed in environments where TLS certificates are kept on a different system (for example, in an infrastructure with web servers) and are maintained by other staff.

Support for unencrypted DNS over HTTP is implemented to simplify debugging and to serve as a forwarding layer on the internal network, on the basis that encryption can be arranged on another server. On the remote server, nginx can be used to handle the TLS traffic, in the same way that HTTPS is set up in front of a website.
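As an added example (not from the article or the BIND project), the named.conf fragment below puts together the listen-on, tls, http and port options described above, including the unencrypted DNS-over-HTTP listener for the TLS-offload scenario just mentioned. The statement syntax follows the BIND 9.17/9.18 configuration reference; the file paths, the "internal" ACL and the endpoint name are assumptions.

```conf
# Added example, not part of the article: named.conf fragment enabling
# DoT, DoH and plain DNS-over-HTTP listeners in one named process.
# File paths, the "internal" ACL and the endpoint name are placeholders.

# Key and certificate chain used by the DoT and DoH listeners.
tls local-tls {
    key-file "/etc/bind/tls/resolver.key";
    cert-file "/etc/bind/tls/resolver-chain.pem";
};

# HTTP endpoint served by the built-in HTTP/2 (nghttp2-based) server.
http local-http {
    endpoints { "/dns-query"; };
};

# Internal network allowed to use the unencrypted HTTP transport.
acl internal { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { internal; };

    # Port overrides; these match the defaults (853 DoT, 443 DoH, 80 HTTP)
    # and are only shown to make the knobs visible.
    tls-port 853;
    https-port 443;
    http-port 80;

    # Classic DNS over UDP/TCP (Do53).
    listen-on port 53 { any; };

    # DNS over TLS: standard DNS wire format inside a TLS session.
    listen-on port 853 tls local-tls { any; };

    # DNS over HTTPS: HTTP/2 over TLS, reusing the same key material.
    listen-on port 443 tls local-tls http local-http { any; };

    # Unencrypted DNS over HTTP, intended for a TLS-terminating proxy
    # such as nginx; restricted to the internal network because the
    # traffic on this listener is in the clear.
    listen-on port 80 tls none http local-http { internal; };
};
```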

Another use case is the integration of DoH as a transport that can be used not only to process client requests to a resolver, but also to exchange data between servers, to transfer zones with an authoritative DNS server, and to handle any request supported by the other DNS transports.

Among the drawbacks, which can be offset by building without DoH/DoT or by offloading encryption to another server, is the general increase in complexity of the codebase: a built-in HTTP server and a TLS library are added to the build, which could potentially be a source of vulnerabilities and act as an additional attack vector. In addition, when DoH is used, traffic volume increases.

It should be remembered that DNS over HTTPS can be useful to prevent leaks of information about requested hostnames through providers' DNS servers, to counter MITM attacks and DNS traffic spoofing, to resist blocking at the DNS level, or to keep working when direct access to DNS servers is not possible.

Whereas in the usual situation DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DNS over HTTPS the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, on which the resolver processes requests through a web API.

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (usually on network port 853) wrapped in an encrypted communication channel established with the TLS protocol, with host validation through TLS/SSL certificates certified by a certificate authority.

Finally, it is mentioned that DoH is available for testing in version 9.17.10 and that DoT support has been present since 9.17.7; once stabilized, DoT and DoH support will be moved to the stable 9.16 branch.
