Not long ago, 360, which has long championed free software, announced that its browser would soon launch a paid membership, although an official statement later said the fee was really a small-scale trial of personalized value-added services by the browser team. Even so, the six VIP benefits of 360 Browser drew plenty of outside attention, especially the DoH security anti-hijacking feature, which made many people realize for the first time that, besides complaining to the Ministry of Industry and Information Technology, DoH (DNS over HTTPS) can actually solve the problem of DNS hijacking.

Just as DoH was entering users' field of view, Apple, which has always emphasized user privacy and security, announced a few days ago that it has worked with Cloudflare, a world-renowned network security service provider, and Fastly, the second largest content delivery network (CDN) provider in the United States, to develop a new Internet protocol. It is not hard to see that this protocol, called "Oblivious DNS-over-HTTPS" or "ODoH", is an upgraded version of DoH; its purpose is to make it harder for network service providers to learn the "footprints" users leave on the network.

To understand how Apple's ODoH can help us in everyday browsing, we have to start with how a computer or mobile phone accesses the Internet in the first place. Many readers will remember that around the turn of the millennium, getting online was not as convenient as it is today. Dial-up was the mainstream way of accessing the Internet, and dialing the ISP's access number is a shared memory for many people born in the 1980s. The reason a phone line was needed at all comes down to what a typical Internet access process looks like.
Suppose we want to visit the official website of Sanyi Life. The browser first has to resolve the URL www.3elife.net through the DNS protocol to obtain the website's IP address, then use the TCP protocol to package the request into a data packet and hand it to the network card, and then use the HTTP protocol to talk to the web server. Based on that IP address, the network card converts the packet into an electrical signal and sends it out over the telephone line; if it is converted into an optical signal instead, that is the optical fiber we are more familiar with today.

After local processing is complete, the packet enters the network transmission stage. Here it first crosses the access network to reach the user's network operator (such as China Telecom or China Unicom), then enters the backbone network through the Internet Service Provider's (ISP's) routers. Guided by the destination IP address, it eventually reaches the local area network where the target web server sits, passes the server's firewall, and enters the server to fetch the requested page. Run the same process in reverse and the HTML page file copied from the website's server lands on your computer, where the retrieved page data is finally displayed on screen.

In this seemingly complicated description we actually skipped one key step, which deserves to be singled out: how the IP address of the target website is obtained. Turning the URL you typed into a real IP address is the job of the DNS service provider behind the DNS protocol. Simply put, the DNS service provider is responsible for telling you that the IP address of website A is AAA and the IP address of website B is BBB.
This means that if someone wants to know which websites users visit most often, DNS query records are one of the best and most accurate sources. Generally speaking, most people's DNS service provider is their network operator, but in practice operators have been known, for their own reasons, to inject JavaScript into the returned page and insert advertisements into the browser view, even though the user is visiting website A. Without DoH, all a user can do in that situation is complain to the Telecom User Complaint Acceptance Center of the Ministry of Industry and Information Technology.

DoH can be understood as carrying Domain Name System (DNS) requests over an encrypted HTTPS connection. Because traditional DNS requests are not encrypted, not only DNS service providers but also hackers can obtain them, for example by hunting for vulnerable DNS server caches. HTTPS is HTTP over SSL/TLS: it verifies the server's identity through an SSL certificate and encrypts the communication between browser and server, achieving end-to-end encryption between the user and the resolver. Besides DoH, which uses the HTTPS protocol, there is also DNS over TLS (DoT), which uses the TLS protocol directly; the disadvantage of DoT is that its traffic may be blocked by a firewall.

The O in ODoH stands for Oblivious: it raises the level of privacy protection further by adding a proxy server in front of the encrypted DNS queries, thereby separating the DNS query from the user who made it. If DoH is mainly about preventing DNS from being hijacked or poisoned, ODoH is about ensuring that network operators and DNS providers can no longer see which websites a user browses. Note, however, that ODoH can only guarantee privacy if the proxy and the DNS server are not controlled by the same entity.
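As an added illustration (not code from this article), the following Python builds the DNS wire-format query that DoH carries for www.3elife.net, encodes it the way the RFC 8484 GET form does, and parses a response; the 1.1.1.1 resolver URL is the Cloudflare address named in the text, and the response bytes are constructed for the demo rather than fetched. The same query bytes travel in the clear over classic UDP DNS, where the domain name is readable by anyone on the path, whereas under DoH they sit inside the HTTPS connection.

```python
import base64
import struct

def build_dns_query(name, txid=0x1234):
    """Build a DNS wire-format A query (RFC 1035); this is the payload DoH carries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def doh_get_url(resolver, query):
    """RFC 8484 GET form: the query goes in dns= as unpadded base64url."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def decode_dns_param(param):
    """Inverse of doh_get_url; restores the padding the client stripped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_a_records(resp):
    """Return (txid, [IPv4 answers]) from a wire-format response; handles name compression."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    def skip_name(p):
        while True:
            length = resp[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
                return p + 2
            p += 1 + length
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return txid, ips

def constructed_response(query, ip):
    """Constructed answer (not from a real resolver): echo the question, add one A record."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + query[12:] + rr

def demo():
    q = build_dns_query("www.3elife.net")
    url = doh_get_url("https://1.1.1.1/dns-query", q)  # Cloudflare resolver from the text
    return url, parse_a_records(constructed_response(q, "203.0.113.10"))[1]
```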
For users, however, both DoH and ODoH come at a price, because using either means the local hosts file can no longer be used for ad blocking. At the same time, the trusted resolvers offered by Google and by Apple's partner Cloudflare are public: Google's is 8.8.8.8 and Cloudflare's is 1.1.1.1. That means ISPs can block these DNS server addresses, forcing users onto other mirror servers or letting name resolution fall straight back to the traditional, unencrypted protocol.

In fact, it is not only self-interested ISPs and hackers who are unhappy about DoH/ODoH. Two years ago, when the Internet Engineering Task Force (IETF) formally adopted the DoH standard, industry insiders pointed out that DoH is a point of contention for enterprises and other private networks: DNS is part of the control plane (signaling), and DoH moves control-plane messages onto the data plane (message forwarding). Network operators thereby lose control over that information, which may greatly increase the opportunity for malware to mount domain-name attacks, and it sparked a debate about whether the network itself or the user matters more.

Of course, beyond privacy, Google and Apple may have their own reasons for pushing DoH/ODoH so eagerly. As everyone knows, all domain name queries start from the root servers, and there are currently only 13 groups of DNS root servers, lettered A to M and run by 12 operators, none of which is Google or Apple. If DoH/ODoH is widely adopted, the standing of Google's own public DNS and of Apple's partner Cloudflare's DNS servers will rise rapidly. That can fairly be seen as a step by the two companies toward the more fundamental lower layers of the Internet, and toward a greater say for themselves.