After two years of development, ISC (Internet Systems Consortium) has published the first stable release of the new major branch of the DNS server Bind, 9.18. The 9.18 branch will be supported for three years, until the second quarter of 2025, as part of the extended support cycle. Updates for the previous LTS branch 9.11 will continue to be released until December 2021. Support for the 9.11 branch ends in March, and for the 9.16 branch in mid-2023. To develop the functionality of the next stable version of Bind, the experimental branch Bind 9.19.0 has been created.
The Bind 9.18.0 release is notable for supporting DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the XoT mechanism (XFR-over-TLS) for secure transfer of DNS zone contents between servers (both sending and receiving zones over XoT are supported). With the appropriate settings, a single named process can now serve not only traditional DNS requests but also requests arriving over DNS-over-HTTPS and DNS-over-TLS. Client support for DNS-over-TLS is built into the dig utility, which can send queries over TLS when the “+tls” flag is specified.
The HTTP/2 protocol used by DoH is implemented on top of the nghttp2 library, which is an optional build dependency. Certificates for DoH and DoT can be supplied by the user or generated automatically at startup.
Processing of requests over DoH and DoT is enabled by adding the “http” and “tls” options to the listen-on directive. To enable unencrypted DNS-over-HTTP, specify “tls none”. Keys are defined in a “tls” block. The standard network ports, 853 for DoT, 443 for DoH and 80 for DNS-over-HTTP, can be overridden with the tls-port, https-port and http-port parameters. For example:
    // Private key and certificate chain used by the DoT/DoH listener
    tls local-tls {
        key-file "/path/to/priv_key.pem";
        cert-file "/path/to/cert_chain.pem";
    };

    // HTTP server definition: the path on which DoH queries are accepted
    http local-http-server {
        endpoints { "/dns-query"; };
    };

    options {
        https-port 443;
        // the http clause must name the http block defined above
        listen-on port 443 tls local-tls http local-http-server { any; };
    };
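To make concrete what arrives at the “/dns-query” endpoint configured above, here is an added example (not code from the article or from ISC's Bind sources) of how a DNS-over-HTTPS client frames a query according to RFC 8484: the DNS wire-format message is either base64url-encoded without padding into the “dns” parameter of a GET request, or sent raw as the body of a POST with Content-Type application/dns-message. The server response is constructed inline so the script runs offline; the answer address 192.0.2.1 is a documentation-range value, not a real lookup result.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Build a minimal DNS query (header + one question). qtype 1 = A, 28 = AAAA.
    RFC 8484 recommends message ID 0 so identical DoH queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_path(query: bytes, endpoint: str = "/dns-query") -> str:
    """GET variant: base64url with '=' padding stripped (RFC 8484 section 4.1)."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={enc}"


def doh_post_headers() -> dict:
    """Headers for the POST variant; the raw wire-format query is the body."""
    return {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    }


def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a wire-format response.
    Handles name-compression pointers (0xC0..) so real server answers parse too."""
    _msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:  # RCODE other than NOERROR
        raise ValueError(f"server returned RCODE {flags & 0xF}")

    def skip_name(o: int) -> int:
        while True:
            length = resp[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                return o + 2
            o += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


def sample_response() -> bytes:
    """Constructed response (not captured from a real server): the question from
    build_query("example.com") echoed back, plus one A record 192.0.2.1, TTL 300."""
    q = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + q[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET path:", doh_get_path(q))
    print("POST headers:", doh_post_headers(), "body length:", len(q))
    print("answers:", parse_a_records(sample_response()))
```

The framing is the whole of what DoH adds over plain DNS; everything inside the message is ordinary wire format, which is why a single named process can serve all three transports. Bind's listener is built on nghttp2 and speaks HTTP/2, so an actual client needs an HTTP/2-capable HTTP library to carry these requests.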
Among the features of the DoH implementation in Bind is the possibility of offloading TLS encryption to another server, which may be needed when TLS certificates are stored on a different system (for example, in an infrastructure with web servers) and managed by other staff. Support for unencrypted DNS-over-HTTP is implemented to simplify debugging and to serve as a layer for forwarding from another server on the internal network (when encryption is offloaded to a separate server). On the remote server, TLS traffic can be terminated by nginx, by analogy with how HTTPS is set up for websites.