- DoH yana ɓoye tambayoyin DNS ta amfani da HTTPS (tashar jiragen ruwa 443), inganta sirrin sirri da hana lalata.
- Ana iya kunna shi a cikin masu bincike da tsarin (ciki har da Windows Server 2022) ba tare da dogaro da na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba.
- Aiki mai kama da classic DNS; wanda DNSSEC ya cika don tabbatar da martani.
- Shahararrun sabar DoH (Cloudflare, Google, Quad9) da ikon ƙarawa ko saita mai warwarewar ku.
¿Yadda ake ɓoye DNS ɗin ku ba tare da taɓa na'ura mai ba da hanya tsakanin hanyoyin sadarwa ta amfani da DNS akan HTTPS ba? Idan kun damu da wa zai iya ganin gidajen yanar gizon da kuke haɗa su, Rufe tambayoyin tsarin Sunan yanki tare da DNS akan HTTPS Yana ɗaya daga cikin mafi sauƙi hanyoyin da za a ƙara sirrinka ba tare da yin fada da na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba. Tare da DoH, mai fassarar da ke canza yanki zuwa adiresoshin IP yana dakatar da tafiya a fili kuma ya bi ta hanyar HTTPS.
A cikin wannan jagorar za ku sami, cikin yare kai tsaye kuma ba tare da jargon da yawa ba. Menene ainihin DoH, yadda ya bambanta da sauran zaɓuɓɓuka kamar DoT, yadda ake kunna shi a cikin masu bincike da tsarin aiki (ciki har da Windows Server 2022), yadda ake tabbatar da cewa yana aiki da gaske, sabar masu tallafi, da kuma, idan kuna da ƙarfin hali, har ma da yadda ake saita naku DoH solver. Komai, ba tare da taɓa na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba...sai dai wani sashe na zaɓi ga waɗanda suke son saita shi akan MikroTik.
Menene DNS akan HTTPS (DoH) kuma me yasa zaku iya kulawa
Lokacin da ka rubuta a cikin yanki (misali, Xataka.com) kwamfutar ta tambayi mai warware DNS menene IP ɗinta; Wannan tsari yawanci yana cikin rubutu bayyananne Kuma duk wanda ke kan hanyar sadarwar ku, mai ba da Intanet ɗinku, ko na'urori masu tsaka-tsaki na iya ƙwace ko sarrafa shi. Wannan shine ainihin asali na DNS: mai sauri, a ko'ina… kuma bayyananne ga wasu kamfanoni.
Wannan shine inda DoH ya shigo: Yana motsa waɗannan tambayoyin DNS da amsoshi zuwa tashar rufaffiyar hanyar da amintaccen gidan yanar gizo ke amfani da shi (HTTPS, tashar jiragen ruwa 443)Sakamakon shi ne cewa ba su ƙara yin balaguro "a buɗe ba," suna rage yiwuwar yin leƙen asiri, satar tambayoyi, da wasu hare-hare na mutum-mutumi. Bugu da ƙari, a cikin gwaje-gwaje da yawa latency ba ya tsananta da godiya kuma za a iya inganta har ma da godiya ga ingantawar sufuri.
Babban fa'ida ita ce Ana iya kunna DoH a matakin aikace-aikace ko tsarin, don haka ba dole ba ne ka dogara ga mai ɗaukar hoto ko na'ura mai ba da hanya tsakanin hanyoyin sadarwa don kunna wani abu. Wato, za ku iya kare kanku "daga mai bincike," ba tare da taɓa kowane kayan sadarwa ba.
Yana da mahimmanci a rarrabe DoH daga DoT (DNS akan TLS): DoT yana ɓoye DNS akan tashar jiragen ruwa 853 kai tsaye akan TLS, yayin da DoH ya haɗa shi cikin HTTP(S). DoT ya fi sauƙi a ka'idar, amma Zai fi yiwuwa a toshe ta ta hanyar wuta wanda ke yanke tashoshin jiragen ruwa da ba a saba gani ba; DoH, ta hanyar amfani da 443, mafi kyawun keɓance waɗannan hane-hane kuma yana hana tilastawa harin "pushback" zuwa DNS mara ɓoye.
Akan sirri: Amfani da HTTPS baya nufin kukis ko bin diddigi a DoH; ka'idodin sun ba da shawara a bayyane game da amfani da shi A cikin wannan mahallin, TLS 1.3 kuma yana rage buƙatar sake farawa zaman, yana rage alaƙa. Kuma idan kun damu game da aiki, HTTP/3 akan QUIC na iya samar da ƙarin haɓakawa ta hanyar yin tambayoyi da yawa ba tare da toshewa ba.
Yadda DNS ke aiki, haɗarin gama gari, da kuma inda DoH ya dace
Tsarin aiki kullum yana koyon wane mai warwarewa zai yi amfani da shi ta hanyar DHCP; A gida yawanci kuna amfani da ISP's, a ofis, cibiyar sadarwar kamfanoni. Lokacin da ba a ɓoye wannan hanyar sadarwa (UDP/TCP 53), duk wanda ke cikin Wi-Fi ɗinku ko kan hanya zai iya ganin wuraren da ake tambaya, allurar martanin karya, ko tura ku zuwa bincike lokacin da babu yankin, kamar yadda wasu masu aiki ke yi.
Binciken zirga-zirgar ababen hawa na yau da kullun yana nuna tashoshin jiragen ruwa, tushen / IPs, kuma yankin da kansa ya warware; Wannan ba kawai yana fallasa halayen bincike ba, yana kuma sauƙaƙa daidaita haɗin gwiwa na gaba, misali, zuwa adiresoshin Twitter ko makamantansu, da kuma zana ainihin shafukan da kuka ziyarta.
Tare da DoT, saƙon DNS yana shiga cikin TLS akan tashar jiragen ruwa 853; da DoH, An shigar da tambayar DNS a cikin daidaitaccen buƙatun HTTPS, wanda kuma yana ba da damar amfani da shi ta aikace-aikacen yanar gizo ta hanyar APIs mai bincike. Duk hanyoyin biyu suna raba tushe ɗaya: ingantaccen uwar garken tare da takaddun shaida da tashar rufaffiyar ƙarshen-zuwa-ƙarshen.
Matsalar sababbin tashoshin jiragen ruwa ita ce ta gama gari don Wasu cibiyoyin sadarwa sun toshe 853, ƙarfafa software don "fadawa baya" zuwa DNS da ba a ɓoye ba. DoH yana rage wannan ta amfani da 443, wanda ya zama ruwan dare ga yanar gizo. DNS/QUIC kuma yana kasancewa azaman wani zaɓi mai ban sha'awa, kodayake yana buƙatar buɗe UDP kuma ba koyaushe yake samuwa ba.
Ko da lokacin ɓoye abubuwan sufuri, yi hankali da nuance ɗaya: Idan mai warwarewa ya yi ƙarya, sifa ba ta gyara shi.Don wannan dalili, DNSSEC ya wanzu, wanda ke ba da izinin tabbatar da amincin amsawa, kodayake ɗaukar sa ba ya yaɗu kuma wasu masu shiga tsakani suna karya ayyukan sa. Duk da haka, DoH yana hana wasu ɓangarori na uku a kan hanya yin zamewa ko ɓata tambayoyinku.
Kunna shi ba tare da taɓa na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba: masu bincike da tsarin
Hanya mafi sauƙi don farawa ita ce kunna DoH a cikin burauzar ku ko tsarin aiki. Wannan shine yadda kuke kare tambayoyi daga ƙungiyar ku ba tare da dogara ga na'ura mai ba da hanya tsakanin hanyoyin sadarwa firmware.
Google Chrome
A cikin sigar yanzu zaku iya zuwa chrome://settings/security kuma, a ƙarƙashin "Yi amfani da amintaccen DNS", kunna zaɓi kuma zaɓi mai bayarwa (mai bada sabis ɗin ku na yanzu idan sun goyi bayan DoH ko ɗaya daga jerin Google kamar Cloudflare ko Google DNS).
A cikin sigogin da suka gabata, Chrome ya ba da canjin gwaji: nau'in chrome://flags/#dns-over-https, bincika "Secure DNS lookups" da canza shi daga Default zuwa An kunna. Sake kunna burauzar ku don amfani da canje-canje.
Microsoft Edge (Chromium)
Edge na tushen Chromium ya haɗa da zaɓi iri ɗaya. Idan kana bukata, je zuwa edge://flags/#dns-over-https, gano "Secure DNS lookups" da kunna shi a KunnawaA cikin nau'ikan zamani, ana samun kunnawa a cikin saitunan keɓantacce.
Mozilla Firefox
Bude menu (a saman dama)> Saituna> Gaba ɗaya> gungura ƙasa zuwa "Saitunan cibiyar sadarwa", matsa Saita da mark"Kunna DNS akan HTTPS” Kuna iya zaɓar daga masu samarwa kamar Cloudflare ko NextDNS.
Idan kun fi son iko mai kyau, a ciki about:config daidaita network.trr.mode: 2 (mai dama) yana amfani da DoH kuma yana yin koma baya idan babu samuwa; 3 (m) umarni DoH kuma ya kasa idan babu tallafi. Tare da tsayayyen yanayi, ayyana mai warware bootstrap azaman network.trr.bootstrapAddress=1.1.1.1.
Opera
Tun daga sigar 65, Opera ta ƙunshi zaɓi don kunna DoH tare da 1.1.1.1. Ya zo a kashe ta tsohuwa kuma yana aiki a yanayin dama: idan 1.1.1.1:443 ya amsa, zai yi amfani da DoH; in ba haka ba, yana komawa ga mai warwarewar da ba a ɓoye ba.
Windows 10/11: Autodetect (AutoDoH) da Rijista
Windows na iya kunna DoH ta atomatik tare da wasu sanannun masu warwarewa. A cikin tsofaffin nau'ikan, za ka iya tilasta hali daga Registry: gudu regedit kuma ku je zuwa HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
Ƙirƙiri DWORD (32-bit) da ake kira EnableAutoDoh da daraja 2 y Sake kunna kwamfutarWannan yana aiki idan kuna amfani da sabar DNS masu goyan bayan DoH.
Windows Server 2022: Abokin ciniki na DNS tare da DoH na asali
Abokin ciniki na DNS da aka gina a cikin Windows Server 2022 yana goyan bayan DoH. Za ku iya amfani da DoH kawai tare da sabar da ke cikin jerin "Sanannun DoH". ko kuma ka kara da kanka. Don saita shi daga mahaɗar hoto:
- Bude Saitunan Windows> Cibiyar sadarwa da Intanet.
- Shigar Ethernet kuma zaɓi wurin dubawa.
- A kan allon cibiyar sadarwa, gungura ƙasa zuwa Saitunan DNS kuma danna Gyara.
- Zaɓi "Manual" don ayyana waɗanda aka fi so da madadin sabar.
- Idan waɗannan adiresoshin suna cikin sanannun jerin DoH, za a kunna shi "Encryption ɗin DNS da aka zaɓa" tare da zabi uku:
- Rufewa kawai (DNS akan HTTPS): Tilastawa DoH; idan uwar garken baya goyan bayan DoH, ba za a sami ƙuduri ba.
- Fi son ɓoyewa, ba da izini ba a ɓoye ba: Ƙoƙarin DoH kuma idan ya kasa, ya koma zuwa ga DNS classic mara ɓoyewa.
- Ba a ɓoyewa kawai: Yana amfani da DNS bayyananne na gargajiya.
- Ajiye don aiwatar da canje-canje.
Hakanan zaka iya tambaya da tsawaita jerin sanannun masu warware DoH ta amfani da PowerShell. Don ganin lissafin yanzu:
Get-DNSClientDohServerAddressDon yin rajistar sabuwar sananniyar uwar garken DoH tare da samfurin ku, yi amfani da:
Add-DnsClientDohServerAddress -ServerAddress "<IP-del-resolutor>" -DohTemplate "<URL-plantilla-DoH>" -AllowFallbackToUdp $False -AutoUpgrade $TrueLura cewa cmdlet Set-DNSClientServerAddress baya sarrafa kanta amfani da DoH; boye-boye ya dogara da ko waɗancan adiresoshin suna cikin teburin sanannun sabar DoH. A halin yanzu ba za ku iya saita DoH don abokin ciniki na Windows Server 2022 DNS daga Cibiyar Gudanarwa ta Windows ko tare da sconfig.cmd.
Manufar Rukuni a cikin Windows Server 2022
Akwai umarni da ake kira "Shigar da DNS akan HTTPS (DoH)" en Configuración del equipo\Directivas\Plantillas administrativas\Red\Cliente DNS. Lokacin da aka kunna, zaku iya zaɓar:
- Izinin DoH: Yi amfani da DoH idan uwar garken yana goyan bayan shi; in ba haka ba, tambaya ba a ɓoye ba.
- Ban DoH: baya amfani da DoH.
- Bukatar DoH: tilasta DoH; idan babu tallafi, ƙuduri ya gaza.
Muhimmi: Kar a kunna "Bukatar DoH" akan kwamfutocin da suka haɗa yankiActive Directory ya dogara da DNS, kuma aikin Windows Server DNS Server ba ya goyan bayan tambayoyin DoH. Idan kana buƙatar amintaccen zirga-zirgar DNS a cikin yanayin AD, yi la'akari da amfani dokokin IPsec tsakanin abokan ciniki da masu warwarewar ciki.
Idan kuna sha'awar tura takamaiman yanki zuwa takamaiman masu warwarewa, zaku iya amfani da NRPT (Table Policy Resolution Policy). Idan uwar garken manufa tana kan jerin sunayen DoH, wadanda shawarwari zai yi tafiya ta DoH.
Android, iOS da Linux
A kan Android 9 kuma mafi girma, zaɓi DNS na sirri yana ba da damar DoT (ba DoH) tare da hanyoyi guda biyu: "Automatic" (dama, yana ɗaukar mai warware hanyar sadarwa) da "Maɗaukaki" (dole ne ku saka sunan mai masaukin da aka inganta ta takaddun shaida; IPs kai tsaye ba su da tallafi).
A kan iOS da Android, app 1.1.1.1 Cloudflare yana ba da damar DoH ko DoT a cikin tsauraran yanayi ta amfani da VPN API don satar buƙatun da ba a ɓoye ba kuma tura su ta kafaffen tasha.
A cikin Linux, an warware matsalar tsarin yana goyan bayan DoT tun tsarin 239. An kashe shi ta tsohuwa; yana ba da yanayin dama ba tare da ingantattun takaddun shaida da yanayi mai tsauri (tun 243) tare da ingancin CA amma ba tare da SNI ko tabbatar da suna ba, wanda yana raunana tsarin amana akan maharan akan hanya.
A kan Linux, macOS, ko Windows, zaku iya zaɓar abokin ciniki mai ƙarfi na DoH kamar cloudflared proxy-dns (ta tsohuwa yana amfani da 1.1.1.1, kodayake za ka iya ayyana sama madadin).
Sanannen Sabar DoH (Windows) da yadda ake ƙara ƙari
Windows Server ya haɗa da jerin masu warwarewa waɗanda aka sani don tallafawa DoH. Kuna iya duba shi tare da PowerShell kuma ƙara sababbin shigarwar idan kuna buƙata.
Waɗannan su ne sanannun sabobin DoH daga cikin akwatin:
| Mai Sabar | Adireshin IP na uwar garken DNS |
|---|---|
| Girgizar girgije | 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 |
| 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 |
|
| Quad9 | 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::fe:9 |
Domin Duba jerin, gudu:
Get-DNSClientDohServerAddressDomin ƙara sabon mai warware DoH tare da samfurin sa, amfani:
Add-DnsClientDohServerAddress -ServerAddress "<IP-del-resolutor>" -DohTemplate "<URL-plantilla-DoH>" -AllowFallbackToUdp $False -AutoUpgrade $TrueIdan kuna sarrafa wuraren suna da yawa, NRPT zai ba ku damar sarrafa takamaiman yanki zuwa takamaiman mai warwarewa wanda ke goyan bayan DoH.
Yadda ake bincika idan DoH na aiki
A cikin masu bincike, ziyarci https://1.1.1.1/help; can za ku gani ko zirga-zirgar ku na amfani da DoH tare da 1.1.1.1 ko a'a. Gwaji ne mai sauri don ganin halin da kuke ciki.
A cikin Windows 10 (Sigar 2004), zaku iya saka idanu don zirga-zirgar zirga-zirgar DNS na gargajiya (tashar jiragen ruwa 53) tare da pktmon daga console mai gata:
pktmon filter add -p 53
pktmon start --etw -m real-timeIdan akai-akai na fakiti ya bayyana akan 53, yana da yuwuwar hakan har yanzu kuna amfani da DNS mara ɓoyewa. Tuna: siga --etw -m real-time yana buƙatar 2004; a cikin sigar farko za ku ga kuskuren “unknown parameter”.
Na zaɓi: saita shi akan na'ura mai ba da hanya tsakanin hanyoyin sadarwa (MikroTik)
Idan kun fi son sanya ɓoye ɓoye a kan na'ura mai ba da hanya tsakanin hanyoyin sadarwa, zaku iya kunna DoH cikin sauƙi akan na'urorin MikroTik. Na farko, shigo da tushen CA wanda uwar garken da za ku haɗa da ita za ta sanya hannu. Don Cloudflare zaka iya saukewa DigiCertGlobalRootCA.crt.pem.
Loda fayil ɗin zuwa na'ura mai ba da hanya tsakanin hanyoyin sadarwa (ta jawo shi zuwa "Files"), kuma je zuwa Tsarin > Takaddun shaida > Shigo don haɗa shi. Bayan haka, saita DNS na mai ba da hanya tsakanin hanyoyin sadarwa tare da Cloudflare DoH URLsDa zarar yana aiki, na'ura mai ba da hanya tsakanin hanyoyin sadarwa zai ba da fifiko ga haɗin da aka rufaffen akan tsohowar DNS mara rufaffiyar.
Don tabbatar da cewa komai yana cikin tsari, ziyarci 1.1.1.1/taimako daga kwamfuta a bayan na'ura mai ba da hanya tsakanin hanyoyin sadarwa. Hakanan zaka iya yin komai ta hanyar tashoshi a cikin RouterOS idan kun fi so.
Aiki, ƙarin keɓantawa da iyakokin tsarin
Idan ya zo ga sauri, ma'auni biyu suna da mahimmanci: lokacin ƙuduri da ainihin nauyin shafi. Gwaje-gwaje masu zaman kansu (kamar SamKnows) Sun ƙare da cewa bambanci tsakanin DoH da classic DNS (Do53) yana da iyaka a bangarorin biyu; a aikace, bai kamata ku lura da wani jinkiri ba.
DoH yana ɓoye "tambayoyin DNS," amma akwai ƙarin sigina akan hanyar sadarwa. Ko da kun ɓoye DNS, ISP na iya haifar da abubuwa ta hanyar haɗin TLS (misali, SNI a wasu al'amuran gado) ko wasu alamu. Don haɓaka keɓantawa, zaku iya bincika DoT, DNSCrypt, DNSCurve, ko abokan ciniki waɗanda ke rage metadata.
Ba duk tsarin muhalli ke goyan bayan DoH ba tukuna. Yawancin masu warware gadon baya ba da wannan., tilasta dogaro ga kafofin jama'a (Cloudflare, Google, Quad9, da sauransu). Wannan yana buɗe muhawara game da haɗakarwa: mayar da hankali kan tambayoyi kan ƴan wasan kwaikwayo ya haɗa da keɓantawa da ƙimar amana.
A cikin mahallin kamfanoni, DoH na iya yin karo da manufofin tsaro waɗanda suka dogara da su Kulawa na DNS ko tacewa (malware, sarrafa iyaye, bin doka). Magani sun haɗa da Manufar MDM/Ƙungiya don saita mai warware DoH/DoT zuwa yanayi mai tsauri, ko haɗe tare da sarrafa matakin aikace-aikace, waɗanda suka fi daidai toshe tushen yanki.
DNSSEC ya cika DoH: DoH yana kare sufuri; DNSSEC yana tabbatar da amsaƊaukaka ba daidai ba ne, kuma wasu na'urori masu tsaka-tsaki suna karya shi, amma yanayin yana da kyau. Tare da hanyar tsakanin masu warwarewa da sabar masu iko, DNS a al'ada ya kasance ba a ɓoye ba; an riga an yi gwaje-gwaje ta amfani da DoT tsakanin manyan masu aiki (misali, 1.1.1.1 tare da sabar masu izini na Facebook) don haɓaka kariya.
Matsakaicin madadin shine rufa-rufa kawai tsakanin na'ura mai ba da hanya tsakanin hanyoyin sadarwa da warwarewa, barin haɗin tsakanin na'urori da na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba a ɓoye ba. Yana da amfani akan amintattun cibiyoyin sadarwar waya, amma ba'a bada shawara akan buɗaɗɗen cibiyoyin sadarwar Wi-Fi: sauran masu amfani zasu iya yin leƙen asiri ko sarrafa waɗannan tambayoyin a cikin LAN.
Yi naku mai warware DoH
Idan kuna son cikakken 'yancin kai, zaku iya tura mai warwarewar ku. Unbound + Redis (L2 cache) + Nginx sanannen haɗin gwiwa ne don hidimar URLs na DoH da wuraren tacewa tare da jerin abubuwan sabuntawa ta atomatik.
Wannan tari yana gudana daidai akan VPS mai sauƙi (misali, daya core/2 wayoyi ga iyali). Akwai jagorori tare da shirye-shiryen amfani, kamar wannan ma'ajiyar: github.com/ousatov-ua/dns-filtering. Wasu masu samar da VPS suna ba da ƙima maraba don sababbin masu amfani, don haka zaku iya saita gwaji akan farashi mai rahusa.
Tare da mai warwarewar ku na sirri, zaku iya zaɓar hanyoyin tacewa, yanke manufofin riƙewa da kauce wa karkata tambayoyinku zuwa wasu kamfanoni. A sakamakon haka, kuna sarrafa tsaro, kulawa, da wadatuwa mai yawa.
Kafin rufewa, bayanin ingancin inganci: akan Intanet, zaɓuɓɓuka, menus da sunaye suna canzawa akai-akai; wasu tsofaffin jagororin sun tsufa (Misali, yin amfani da "tuta" a cikin Chrome ba lallai ba ne a cikin sigar baya-bayan nan.) Koyaushe bincika burauzarku ko takaddun tsarinku.
Idan kun yi shi har zuwa yanzu, kun riga kun san abin da DoH ke yi, yadda ya dace da wasa tare da DoT da DNSSEC, kuma mafi mahimmanci, yadda zaka kunna shi a yanzu akan na'urarka don hana DNS daga tafiya a fili. Tare da dannawa kaɗan a cikin burauzar ku ko daidaitawa a cikin Windows (ko da a matakin manufofin a cikin Server 2022) zaku sami rufaffen tambayoyin; idan kuna son ɗaukar abubuwa zuwa mataki na gaba, zaku iya matsar da ɓoyewa zuwa na'ura mai ba da hanya tsakanin hanyoyin sadarwa MikroTik ko gina naku mai warwarewa. Makullin shine, Ba tare da taɓa na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba, zaku iya kare ɗaya daga cikin mafi yawan jita-jita-game da sassan zirga-zirgar ku a yau..
Sha'awar fasaha tun yana karami. Ina son zama na zamani a cikin sashin kuma, sama da duka, sadarwa da shi. Abin da ya sa na sadaukar da kai ga sadarwa a shafukan yanar gizo na fasaha da na wasan bidiyo shekaru da yawa. Kuna iya samuna na rubutu game da Android, Windows, MacOS, iOS, Nintendo ko duk wani batu mai alaƙa da ke zuwa hankali.