- DoH encrypts DNS queries using HTTPS (port 443), improving privacy and preventing tampering.
- It can be enabled in browsers and operating systems (including Windows Server 2022) without depending on the router.
- Performance is similar to classic DNS; it is complemented by DNSSEC to validate responses.
- Well-known DoH servers (Cloudflare, Google, Quad9), and the option to add or set up your own resolver.

How do you encrypt your DNS without touching your router using DNS over HTTPS? If you are worried about who can see which websites you connect to, encrypting Domain Name System queries with DNS over HTTPS is one of the easiest ways to increase your privacy without fighting with your router. With DoH, the translator that turns domains into IP addresses stops travelling in clear text and goes through an HTTPS tunnel.
In this guide you will find, in direct language and without excessive jargon, what exactly DoH is, how it differs from other options such as DoT, how to enable it in browsers and operating systems (including Windows Server 2022), how to verify that it is actually working, the supported servers, and, if you feel brave, even how to set up your own DoH resolver. All without touching the router… except for an optional section for those who want to configure it on MikroTik.
What DNS over HTTPS (DoH) is and why you should care

When you type a domain (for example, Xataka.com), the computer asks a DNS resolver what its IP is; this process usually happens in plain text, and anyone on your network, your Internet provider, or intermediate devices can snoop on it or manipulate it. This is the nature of classic DNS: fast, ubiquitous… and transparent to third parties.
This is where DoH comes in: it moves DNS queries and responses onto the same encrypted channel used by the secure web (HTTPS, port 443). The result is that they no longer travel "in the clear", reducing the chance of spying, query hijacking, and certain man-in-the-middle attacks. Moreover, in many tests latency does not get significantly worse and can even improve thanks to transport optimizations.
The key advantage is that DoH can be enabled at the application or system level, so you do not have to rely on your carrier or router to enable anything. That is, you can protect yourself "from the browser outward", without touching any network equipment.
It is important to distinguish DoH from DoT (DNS over TLS): DoT encrypts DNS on port 853 directly over TLS, while DoH integrates it into HTTP(S). DoT is simpler in theory, but it is more likely to be blocked by firewalls that cut off unusual ports; DoH, by using 443, gets around these restrictions better and prevents forced "fallback" attacks to unencrypted DNS.
On privacy: using HTTPS does not imply cookies or tracking in DoH; the standards expressly advise against their use in this context. TLS 1.3 also reduces the need to resume sessions, limiting correlation. And if you are concerned about performance, HTTP/3 over QUIC can provide further improvement by multiplexing queries without blocking.
How DNS works, common risks, and where DoH fits in
The operating system usually learns which resolver to use via DHCP; at home you typically use your ISP's, at the office the corporate network's. When this communication is unencrypted (UDP/TCP 53), anyone on your Wi-Fi or along the path can see the domains queried, inject false responses, or redirect you to search pages when a domain does not exist, as some operators do.
A typical traffic analysis reveals ports, source/destination IPs, and the resolved domain itself; this not only exposes browsing habits, it also makes it easier to correlate subsequent connections, for example to Twitter addresses or similar, and to infer which exact pages you visited.
With DoT, the DNS message goes inside TLS on port 853; with DoH, the DNS query is encapsulated in a standard HTTPS request, which also allows web applications to use it through browser APIs. Both mechanisms share the same foundation: server authentication with a certificate and an end-to-end encrypted channel.
The problem with new ports is that it is common for some networks to block 853, prompting software to "fall back" to unencrypted DNS. DoH mitigates this by using 443, which is standard on the web. DNS/QUIC also exists as another promising option, although it requires open UDP and is not widely available.
Even when encrypting the transport, beware of one nuance: if the resolver lies, encryption does not fix it. For this purpose DNSSEC exists, which allows the integrity of responses to be validated, although its adoption is not widespread and some intermediaries break its operation. Even so, DoH prevents third parties along the path from snooping on or tampering with your queries.
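What "the DNS query is encapsulated in a standard HTTPS request" means on the wire, as an added example that is not part of the original article: it builds a wire-format DNS query, encodes it as the `dns` parameter of an RFC 8484 GET request, and decodes it again as a resolver would. The template https://doh.example/dns-query is a hypothetical resolver URL, and nothing is sent over the network.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query in wire format (RFC 1035); qtype 1 = A, 28 = AAAA."""
    # Header: ID 0 (RFC 8484 suggests 0 so HTTP caches can share responses),
    # flags 0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_url(template: str, query: bytes) -> str:
    """Client side: the query goes in `dns` as base64url without padding."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={param}"


def decode_doh_param(url: str) -> bytes:
    """Resolver side: restore the stripped padding and decode the message."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(message: bytes) -> tuple[str, int]:
    """Recover (name, qtype) from the first question of a DNS message."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", message[pos + 1 : pos + 3])
    return ".".join(labels), qtype


if __name__ == "__main__":
    TEMPLATE = "https://doh.example/dns-query"  # hypothetical resolver URL
    url = doh_get_url(TEMPLATE, build_query("www.example.com"))
    print(url)
    print(parse_question(decode_doh_param(url)))
```

The queried name travels only inside the URL of the HTTPS request, so an on-path observer sees a TLS connection to the resolver on port 443 and not the domain being looked up.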
Enable it without touching the router: browsers and systems
The easiest way to start is to enable DoH in your browser or operating system. This way you protect queries from your device without depending on the router firmware.
Google Chrome
In current versions you can go to chrome://settings/security and, under "Use secure DNS", turn on the option and choose a provider (your current provider if it supports DoH, or one from Google's list such as Cloudflare or Google DNS).
In earlier versions, Chrome offered an experimental switch: type chrome://flags/#dns-over-https, look for "Secure DNS lookups" and change it from Default to Enabled. Restart your browser to apply the change.
Microsoft Edge (Chromium)
Chromium-based Edge includes a similar option. If you need it, go to edge://flags/#dns-over-https, find "Secure DNS lookups" and set it to Enabled. In current versions, activation is also available in your privacy settings.
Mozilla Firefox
Open the menu (top right) > Settings > General > scroll down to "Network Settings", click Settings and check "Enable DNS over HTTPS". You can choose from providers such as Cloudflare or NextDNS.
If you want finer control, in about:config set network.trr.mode: 2 (opportunistic) uses DoH and falls back if it is unavailable; 3 (strict) mandates DoH and fails if there is no support. With strict mode, define the bootstrap resolver, for example network.trr.bootstrapAddress=1.1.1.1.
Opera
Since version 65, Opera includes an option to enable DoH with 1.1.1.1. It comes disabled by default and works opportunistically: if 1.1.1.1:443 responds, it will use DoH; otherwise, it falls back to unencrypted resolution.
Windows 10/11: Autodetect (AutoDoH) and Registry
Windows can enable DoH automatically with certain known resolvers. In older versions, you can force the behavior from the Registry: run regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
Create a DWORD (32-bit) named EnableAutoDoh with the value 2 and restart the computer. This works if you are using DNS servers that support DoH.
Windows Server 2022: DNS client with native DoH
The built-in DNS client in Windows Server 2022 supports DoH. You can only use DoH with servers that are on the "Known DoH" list, or that you add yourself. To configure it from the graphical interface:
- Open Windows Settings > Network & Internet.
- Go to Ethernet and select your interface.
- On the network screen, scroll down to DNS settings and click Edit.
- Select "Manual" to specify preferred and alternate servers.
- If those addresses are on the known DoH list, "Preferred DNS encryption" is enabled with three options:
  - Encrypted only (DNS over HTTPS): forces DoH; if the server does not support DoH, there will be no resolution.
  - Encrypted preferred, unencrypted allowed: tries DoH and, if it fails, falls back to classic unencrypted DNS.
  - Unencrypted only: uses traditional plain-text DNS.
- Save to apply the changes.
You can also query and extend the list of known DoH resolvers using PowerShell. To view the current list:
Get-DNSClientDohServerAddress
To register a new known DoH server with its template, use:
Add-DnsClientDohServerAddress -ServerAddress "<IP-del-resolutor>" -DohTemplate "<URL-plantilla-DoH>" -AllowFallbackToUdp $False -AutoUpgrade $True
Note that the Set-DNSClientServerAddress cmdlet does not control the use of DoH by itself; encryption depends on whether those addresses are in the table of known DoH servers. You currently cannot configure DoH for the Windows Server 2022 DNS client from Windows Admin Center or with sconfig.cmd.
Group Policy in Windows Server 2022
There is a policy called "Configure DNS over HTTPS (DoH)" in Computer Configuration\Policies\Administrative Templates\Network\DNS Client. When enabled, you can choose:
- Allow DoH: uses DoH if the server supports it; otherwise, the query goes unencrypted.
- Prohibit DoH: never uses DoH.
- Require DoH: forces DoH; if there is no support, resolution fails.
Important: do not enable "Require DoH" on domain-joined computers. Active Directory relies on DNS, and the Windows Server DNS Server role does not support DoH queries. If you need to protect DNS traffic within an AD environment, consider using IPsec rules between clients and internal resolvers.
If you want to direct certain domains to specific resolvers, you can use the NRPT (Name Resolution Policy Table). If the destination server is on the known DoH list, those queries will travel over DoH.
Android, iOS and Linux
On Android 9 and later, the Private DNS option enables DoT (not DoH) with two modes: "Automatic" (opportunistic, takes the network's resolver) and "Strict" (you must specify a hostname that is validated by certificate; direct IPs are not supported).
On iOS and Android, Cloudflare's 1.1.1.1 app enables DoH or DoT in strict mode, using the VPN API to intercept unencrypted requests and forward them through a secure channel.
On Linux, systemd-resolved has supported DoT since systemd 239. It is disabled by default; it offers an opportunistic mode without certificate validation and a strict mode (since 243) with CA validation but without SNI or name verification, which weakens the trust model against on-path attackers.
On Linux, macOS, or Windows, you can opt for a strict-mode DoH client such as cloudflared proxy-dns (by default it uses 1.1.1.1, although you can specify alternative upstreams).
Known DoH servers (Windows) and how to add more
Windows Server includes a list of resolvers known to support DoH. You can check it with PowerShell and add new entries if you need to.
These are the known DoH servers out of the box:
| Server owner | DNS server IP addresses |
|---|---|
| Cloudflare | 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 |
| Google | 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 |
| Quad9 | 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::fe:9 |
To view the list, run:
Get-DNSClientDohServerAddress
To add a new DoH resolver with its template, use:
Add-DnsClientDohServerAddress -ServerAddress "<IP-del-resolutor>" -DohTemplate "<URL-plantilla-DoH>" -AllowFallbackToUdp $False -AutoUpgrade $True
If you manage several namespaces, the NRPT lets you direct specific domains to a particular resolver that supports DoH.
How to check whether DoH is working
In browsers, visit https://1.1.1.1/help; there you will see whether your traffic is using DoH with 1.1.1.1 or not. It is a quick test to see where you stand.
In Windows 10 (version 2004), you can monitor classic DNS traffic (port 53) with pktmon from a privileged console:
pktmon filter add -p 53
pktmon start --etw -m real-time
If a steady stream of packets appears on port 53, it is likely that you are still using unencrypted DNS. Remember: the --etw -m real-time parameter requires version 2004; in earlier versions you will see an "unknown parameter" error.
Optional: configure it on the router (MikroTik)
If you prefer to centralize encryption on the router, you can easily enable DoH on MikroTik devices. First, import the root CA that signs the certificate of the server you will connect to. For Cloudflare you can download DigiCertGlobalRootCA.crt.pem.
Upload the file to the router (by dragging it to "Files"), and go to System > Certificates > Import to install it. Then configure the router's DNS with Cloudflare's DoH URLs. Once active, the router prioritizes the encrypted connection over the default unencrypted DNS.
To confirm that everything is in order, visit 1.1.1.1/help from a computer behind the router. You can also do everything through the terminal in RouterOS if you prefer.
Performance, additional privacy and limits of the approach
When it comes to speed, two metrics matter: resolution time and actual page load. Independent tests (such as SamKnows) conclude that the difference between DoH and classic DNS (Do53) is marginal on both fronts; in practice, you should not notice any slowdown.
DoH encrypts the "DNS query", but there are other signals on the network. Even if you hide DNS, an ISP can infer things through the TLS connection (for example, SNI in some legacy scenarios) or other traces. To increase privacy, you can explore DoT, DNSCrypt, DNSCurve, or clients that minimize metadata.
Not every ecosystem supports DoH yet. Many legacy resolvers do not offer it, forcing reliance on public resolvers (Cloudflare, Google, Quad9, and so on). This opens the centralization debate: concentrating queries on a few players has privacy and trust costs.
In corporate environments, DoH can clash with security policies that are based on DNS monitoring or filtering (malware, parental controls, legal compliance). Solutions include MDM/Group Policy to set a DoH/DoT resolver in strict mode, or combining it with application-level controls, which are more precise than domain-based blocking.
DNSSEC is complementary to DoH: DoH protects the transport; DNSSEC validates the response. Adoption is uneven, and some intermediate devices break it, but the trend is positive. On the path between resolvers and authoritative servers, DNS traditionally remains unencrypted; there are already experiments using DoT between large operators (for example, 1.1.1.1 with Facebook's authoritative servers) to increase protection.
An intermediate option is to encrypt only between the router and the resolver, leaving the connection between devices and the router unencrypted. It is useful on secure wired networks, but not recommended on open Wi-Fi networks: other users could snoop on or manipulate these queries within the LAN.
Create your own DoH resolver
If you want full independence, you can deploy your own resolver. Unbound + Redis (L2 cache) + Nginx is a popular combination for serving DoH URLs and filtering domains with automatically updated lists.
This stack runs perfectly well on a modest VPS (for example, one core/2 threads for a family). There are guides with ready-to-use instructions, such as this repository: github.com/ousatov-ua/dns-filtering. Some VPS providers offer welcome credits to new users, so you can set up a trial at low cost.
With your private resolver, you can choose your own filtering sources, decide on retention policies, and avoid centralizing your queries with third parties. In return, you take on security, maintenance, and high availability.
Before closing, a note of caution: on the Internet, options, menus and names change often; some older guides are outdated (for example, going through "flags" in Chrome is no longer necessary in recent versions). Always check your browser or system documentation.
If you have made it this far, you now know what DoH does, how it fits into the puzzle with DoT and DNSSEC, and most importantly, how to enable it right now on your device to keep DNS from travelling in clear text. With a few clicks in your browser or settings in Windows (even at the policy level in Server 2022) you will have encrypted queries; if you want to take things to the next level, you can move the encryption to the MikroTik router or build your own resolver. The key is that, without touching your router, you can protect one of the most revealing parts of your traffic today.