BIND DNS now has experimental support for DNS over HTTPS

The developers of the BIND DNS server announced a few days ago the addition, in the experimental 9.17 branch, of a server-side implementation of DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as zone transfers (XFR) over TLS.

The HTTP/2 protocol implementation used for DoH is based on the nghttp2 library, which has been added as a build dependency (in the future it is planned to make this library an optional dependency).

With the appropriate configuration, a single named process can now serve not only traditional DNS queries but also queries sent over DoH (DNS over HTTPS) and DoT (DNS over TLS).

Client-side HTTPS support (in dig) has not been implemented yet, while XFR-over-TLS support is available for both inbound and outbound zone transfers.

Processing of DoH and DoT queries is enabled by adding the http and tls options to the listen-on directive. To serve unencrypted DNS over HTTP, "tls none" must be specified in the configuration. Keys and certificates are defined in a "tls" block. The default network ports (853 for DoT, 443 for DoH and 80 for DNS over HTTP) can be overridden with the tls-port, https-port and http-port parameters.
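As an added illustration (this fragment is not from the original article or from the BIND project), the following named.conf excerpt wires the three listeners together. The block names local-tls and local-http-server, the file paths and the address lists are placeholders; the syntax follows the 9.17 branch as described above and should be validated with named-checkconf against the exact version in use.

```conf
/* Key and certificate used by the DoT and DoH listeners (paths are placeholders). */
tls local-tls {
    key-file  "/etc/bind/tls/privkey.pem";
    cert-file "/etc/bind/tls/fullchain.pem";
};

/* HTTP endpoint served for DoH; "/dns-query" is the path RFC 8484 clients expect. */
http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    directory "/var/cache/bind";

    /* Classic DNS on port 53. */
    listen-on port 53 { any; };

    /* DoT: plain DNS wrapped directly in TLS on 853. */
    listen-on port 853 tls local-tls { any; };

    /* DoH: HTTP/2 over TLS on 443, with named terminating TLS itself. */
    listen-on port 443 tls local-tls http local-http-server { any; };

    /* Unencrypted DNS over HTTP ("tls none") for a TLS-offloading front end.
       Weak form, kept here only for contrast: reachable on every interface,
       so queries would cross the network in clear text.
       listen-on port 80 tls none http local-http-server { any; }; */

    /* Corrected form: bound to loopback, so only the local reverse proxy
       (for example nginx terminating HTTPS) can reach the plaintext listener. */
    listen-on port 80 tls none http local-http-server { 127.0.0.1; };

    /* The defaults shown above can be changed globally if required:
       tls-port 853; https-port 443; http-port 80; */
};
```

The point of the contrast is that "tls none" removes the only protection the transport has; it is acceptable for debugging or for a hop inside a trusted host or network segment, but the listener must then be restricted to the interface the TLS-terminating proxy actually uses.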

Among the features of the DoH implementation in BIND, it is noted that TLS encryption can be offloaded to another server. This may be required in environments where TLS certificates are maintained on another system (for example, in an infrastructure built around web servers) and managed by other staff.

Support for unencrypted DNS over HTTP was implemented to simplify debugging and to serve as a transport layer inside an internal network, on the assumption that encryption is handled on another server. On that front-end server, nginx can be used to terminate the TLS traffic, in the same way HTTPS is set up in front of websites.

Another feature is the integration of DoH as a general-purpose transport, which can be used not only to process client queries to the resolver, but also for exchanging data between servers: for zone transfers from an authoritative DNS server, and for any request that the other DNS transports support.

Among the drawbacks, which can be avoided by building without DoH/DoT or by offloading encryption to another server, the general complication of the code base stands out: a built-in HTTP server and a TLS library are added to the build, and both could contain vulnerabilities and act as additional attack vectors. In addition, when DoH is used, the traffic overhead increases.

It is worth remembering that DNS over HTTPS can be useful to prevent leaking information about the requested hostnames through the provider's DNS servers, to counter MITM attacks and DNS traffic spoofing, to resist blocking at the DNS level, and to keep name resolution working when DNS servers cannot be reached directly.

Whereas in the usual case DNS queries are sent directly to the DNS servers defined in the system configuration, with DNS over HTTPS the request to resolve a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes the query through a web API.
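To make the encapsulation concrete, here is an added Python example (written for this page; it is not code from the original article or from BIND) that builds a DNS wire-format query, wraps it in an RFC 8484 GET or POST request, and parses the wire-format answer that a DoH server returns in the HTTP body. The endpoint https://dns.example.net/dns-query and the sample response bytes are constructed, not captured from a real server; the query for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```python
"""DNS-over-HTTPS encapsulation per RFC 8484: build a DNS wire-format query,
wrap it in an HTTP request, and parse the wire-format answer that comes back.
Added example; the endpoint URL and the sample response are constructed."""
import base64
import struct

TYPE_A = 1


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0, rd: bool = True) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (class IN).
    RFC 8484 recommends transaction ID 0 so that identical GET URLs are cacheable."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def b64url_nopad(wire: bytes) -> str:
    """GET encoding required by RFC 8484: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def doh_request(endpoint: str, wire: bytes, method: str = "GET"):
    """Return (method, url, headers, body) for sending `wire` to a DoH endpoint.
    GET carries the message in the ?dns= query parameter; POST sends it as the body.
    Either way the DNS packet travels inside ordinary HTTPS traffic."""
    accept = {"accept": "application/dns-message"}
    if method == "GET":
        return "GET", f"{endpoint}?dns={b64url_nopad(wire)}", accept, None
    headers = dict(accept, **{"content-type": "application/dns-message"})
    return "POST", endpoint, headers, wire


def _read_name(msg: bytes, off: int):
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Pointers must point backwards, which also rules out pointer loops."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg: bytes, expect_id: int = 0):
    """Parse a wire-format response; return (rcode, [(name, type, ttl, rdata)]).
    A records are rendered as dotted quads, anything else as hex."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


# Constructed sample response (not captured from a real server): ID 0, QR/RD/RA set,
# NOERROR, question echoed, one A record www.example.com -> 192.0.2.1, TTL 3600.
# The answer owner name is the compression pointer c00c back to the question.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"
    "03777777 076578616d706c65 03636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 c0000201"
)

if __name__ == "__main__":
    query = build_query("www.example.com")
    method, url, headers, _ = doh_request("https://dns.example.net/dns-query", query)
    print(method, url, headers)             # what goes over the HTTPS connection
    print(parse_answers(SAMPLE_RESPONSE))   # (0, [('www.example.com', 1, 3600, '192.0.2.1')])
```

On the wire the only thing an observer sees is an HTTPS connection to the DoH host; the DNS message is the ?dns= parameter (GET) or the request body (POST), and the server replies with content-type application/dns-message. When adapting this to a live server, also check that header and the HTTP status before handing the body to parse_answers, and keep the backward-pointer and length checks: a resolver exposed over HTTP receives attacker-chosen bytes just as it does over UDP.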

"DNS over TLS" differs from "DNS over HTTPS" in that it uses the standard DNS protocol (normally on network port 853) wrapped in an encrypted channel established with the TLS protocol, with the server verified through TLS/SSL certificates issued by a certificate authority.

Finally, it is mentioned that DoH is available for testing in version 9.17.10, that DoT support has been present since 9.17.7, and that once stabilized, DoT and DoH support will be backported to the stable 9.16 branch.
