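// DNS over HTTPS (DoH) and DNS security policy: best practices
//
// DoH provides an encrypted channel for DNS resolution. Combined with a
// resolver allowlist and cache governance it improves privacy and security.

/** Resolver endpoints the application may talk to; matched exactly, nothing else. */
const ALLOWED_RESOLVERS: readonly string[] = [
  'https://cloudflare-dns.com/dns-query',
  'https://dns.google/dns-query',
];

// --- Resolver allowlist -----------------------------------------------------

/**
 * Returns true when `endpoint` is exactly one of the allowlisted resolver URLs.
 *
 * The comparison is a strict string match on purpose: no prefix, host-only or
 * case-insensitive matching, so a plain `http://` scheme, an extra query
 * string or a different path are all rejected.
 *
 * @param endpoint - full resolver URL as it would be passed to `fetch`
 */
function resolverAllowed(endpoint: string): boolean {
  return ALLOWED_RESOLVERS.includes(endpoint);
}

// --- DoH query example ------------------------------------------------------

/**
 * Issues a DoH query using the JSON wire format (`application/dns-json`).
 *
 * @param name - domain name to resolve
 * @param type - record type, e.g. `A`, `AAAA`, `TXT`
 * @param endpoint - resolver URL; must pass `resolverAllowed` (defaults to the
 *   first allowlisted resolver, matching the original hard-coded value)
 * @returns the decoded JSON body. It is kept as `any` for compatibility with
 *   existing callers, but it is untrusted input: validate `Status`, `Answer`,
 *   etc. before acting on it.
 * @throws Error when the endpoint is not allowlisted or the resolver answers
 *   with a non-2xx status.
 */
async function dohQuery(
  name: string,
  type: string,
  endpoint = 'https://cloudflare-dns.com/dns-query',
): Promise<any> {
  // Enforce the allowlist inside the query path instead of trusting callers
  // to remember to check it.
  if (!resolverAllowed(endpoint)) {
    throw new Error(`resolver not allowed: ${endpoint}`);
  }
  const query = `name=${encodeURIComponent(name)}&type=${encodeURIComponent(type)}`;
  const url = `${endpoint}?${query}`;
  const res = await fetch(url, { headers: { accept: 'application/dns-json' } });
  // A non-2xx reply (rate limit, error page, upstream failure) must not be
  // parsed and handed back as if it were a DNS answer.
  if (!res.ok) {
    throw new Error(`DoH request failed: HTTP ${res.status}`);
  }
  return await res.json();
}

// --- Cache governance -------------------------------------------------------

/** One cached record: the value plus its absolute expiry time (epoch ms). */
interface CacheEntry<T> {
  value: T;
  expiresAt: number;
}

/**
 * TTL-bounded in-memory cache keyed by a string (for example `${name}/${type}`).
 *
 * Expired entries are dropped lazily on `get`. When `maxEntries` is given, `set`
 * also evicts (expired entries first, then the oldest inserted) so the cache
 * cannot grow without bound under a flood of distinct lookups.
 */
class DnsCache<T = any> {
  store = new Map<string, CacheEntry<T>>();

  /** @param maxEntries - upper bound on stored entries; unbounded by default */
  constructor(private readonly maxEntries = Number.POSITIVE_INFINITY) {}

  /**
   * Stores `value` for `ttlMs` milliseconds.
   *
   * A TTL that is not a positive number (0, negative, NaN) is treated as 0, so
   * the entry expires immediately. Previously `Date.now() + NaN` produced a
   * NaN expiry that never compared as expired, i.e. a record cached forever.
   */
  set(key: string, value: T, ttlMs: number): void {
    const ttl = ttlMs > 0 ? ttlMs : 0; // NaN > 0 is false, so NaN also maps to 0
    // Map keeps insertion order; delete first so a refreshed key moves to the end.
    this.store.delete(key);
    this.evictIfFull();
    this.store.set(key, { value, expiresAt: Date.now() + ttl });
  }

  /**
   * Returns the cached value, or `null` when the key is missing or expired.
   * An expired entry is removed as a side effect.
   */
  get(key: string): T | null {
    const entry = this.store.get(key);
    if (entry === undefined) return null;
    // `>=` so a TTL of 0 means "do not serve from cache".
    if (Date.now() >= entry.expiresAt) {
      this.store.delete(key);
      return null;
    }
    return entry.value;
  }

  /** Removes every expired entry; call periodically on long-lived caches. */
  prune(): void {
    const now = Date.now();
    for (const [key, entry] of this.store) {
      if (now >= entry.expiresAt) this.store.delete(key);
    }
  }

  /** Makes room for one more entry when the bound is reached. */
  private evictIfFull(): void {
    if (this.store.size < this.maxEntries) return;
    this.prune();
    while (this.store.size >= this.maxEntries) {
      const oldest = this.store.keys().next();
      if (oldest.done) break;
      this.store.delete(oldest.value);
    }
  }
}

// Operational notes:
// - Use trusted resolvers and enforce the allowlist at the application layer.
// - Govern the cache by TTL and purge expired records.
// - Pair DoH with DNSSEC and CAA records to strengthen domain security.
//
// With DoH and a secure resolver policy, a web application gets an encrypted,
// trusted and governable DNS baseline.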
