{"id":3869,"date":"2025-12-31T23:59:46","date_gmt":"2025-12-31T20:59:46","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/dns-over-https-doh-ve-dns-over-tls-dot-nedir-gizlilik-guvenlik-ve-hosting-altyapisina-etkileri\/"},"modified":"2025-12-31T23:59:46","modified_gmt":"2025-12-31T20:59:46","slug":"dns-over-https-doh-ve-dns-over-tls-dot-nedir-gizlilik-guvenlik-ve-hosting-altyapisina-etkileri","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/dns-over-https-doh-ve-dns-over-tls-dot-nedir-gizlilik-guvenlik-ve-hosting-altyapisina-etkileri\/","title":{"rendered":"What Are DNS over HTTPS (DoH) and DNS over TLS (DoT)? Privacy, Security and Impact on Hosting Infrastructure"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#DNS_Trafigi_Neden_Bu_Kadar_Onemli_Hale_Geldi\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Has DNS Traffic Become So Important?<\/a><\/li><li><a href=\"#DNS_Temelleri_Ustune_Ne_Ekledigimizi_Bilmek\"><span class=\"toc_number toc_depth_1\">2<\/span> DNS Basics: Knowing What We Are Building On<\/a><\/li><li><a href=\"#DNS_over_HTTPS_DoH_Nedir\"><span class=\"toc_number toc_depth_1\">3<\/span> What Is DNS over HTTPS (DoH)?<\/a><ul><li><a href=\"#DoHun_Calisma_Mantigi\"><span class=\"toc_number toc_depth_2\">3.1<\/span> How DoH Works<\/a><\/li><li><a href=\"#DoHun_Avantajlari\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Advantages of DoH<\/a><\/li><li><a href=\"#DoHun_Sinirlamalari\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Limitations of DoH<\/a><\/li><\/ul><\/li><li><a href=\"#DNS_over_TLS_DoT_Nedir\"><span class=\"toc_number toc_depth_1\">4<\/span> What Is DNS over TLS (DoT)?<\/a><ul><li><a href=\"#DoTun_Calisma_Mantigi\"><span 
class=\"toc_number toc_depth_2\">4.1<\/span> How DoT Works<\/a><\/li><li><a href=\"#DoH_ve_DoT_Arasindaki_Farklar\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Differences Between DoH and DoT<\/a><\/li><\/ul><\/li><li><a href=\"#Gizlilik_Perspektifi_Kim_Ne_Gorebiliyor\"><span class=\"toc_number toc_depth_1\">5<\/span> The Privacy Perspective: Who Can See What?<\/a><\/li><li><a href=\"#Guvenlik_Perspektifi_Hangi_Problemi_Cozer_Hangisini_Cozmez\"><span class=\"toc_number toc_depth_1\">6<\/span> The Security Perspective: Which Problems It Solves and Which It Does Not<\/a><ul><li><a href=\"#Cozdugu_veya_Azalttigi_Riskler\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Risks It Solves or Reduces<\/a><\/li><li><a href=\"#Cozmedigi_Riskler\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Risks It Does Not Solve<\/a><\/li><\/ul><\/li><li><a href=\"#Hosting_ve_Sunucu_Altyapisina_Etkileri\"><span class=\"toc_number toc_depth_1\">7<\/span> Impact on Hosting and Server Infrastructure<\/a><ul><li><a href=\"#1_paylasimli_hosting_ve_Web_Siteleri_Acisindan\"><span class=\"toc_number toc_depth_2\">7.1<\/span> 1. Shared Hosting and Websites<\/a><\/li><li><a href=\"#2_VPS_ve_Dedicated_Sunucularda_DNS_Mimarisi\"><span class=\"toc_number toc_depth_2\">7.2<\/span> 2. DNS Architecture on VPS and Dedicated Servers<\/a><\/li><li><a href=\"#3_Kurumsal_Aglar_Ajanslar_ve_Coklu_Musteri_Mimarileri\"><span class=\"toc_number toc_depth_2\">7.3<\/span> 3. 
Corporate Networks, Agencies and Multi-Customer Architectures<\/a><\/li><\/ul><\/li><li><a href=\"#Gercek_Senaryolar_Hangi_Durumda_DoHDoT_Mantikli\"><span class=\"toc_number toc_depth_1\">8<\/span> Real-World Scenarios: When Does DoH\/DoT Make Sense?<\/a><ul><li><a href=\"#Senaryo_1_Freelance_Gelistirici_ve_Kamusal_WiFi\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Scenario 1: Freelance Developer and Public Wi-Fi<\/a><\/li><li><a href=\"#Senaryo_2_ETicaret_Sitesi_ve_Coklu_Sunucu_Mimarisi\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Scenario 2: E-Commerce Site and Multi-Server Architecture<\/a><\/li><li><a href=\"#Senaryo_3_Ajans_ve_Onlarca_Musteri_Sitesi\"><span class=\"toc_number toc_depth_2\">8.3<\/span> Scenario 3: Agency and Dozens of Customer Sites<\/a><\/li><\/ul><\/li><li><a href=\"#DoHDoT_Kullanirken_Dikkat_Etmeniz_Gereken_Noktalar\"><span class=\"toc_number toc_depth_1\">9<\/span> Points to Watch When Using DoH\/DoT<\/a><ul><li><a href=\"#1_Gozlemlenebilirlik_ve_Loglama\"><span class=\"toc_number toc_depth_2\">9.1<\/span> 1. Observability and Logging<\/a><\/li><li><a href=\"#2_Performans_ve_Onbellek_Kullanimi\"><span class=\"toc_number toc_depth_2\">9.2<\/span> 2. Performance and Cache Usage<\/a><\/li><li><a href=\"#3_Kurumsal_Politikalar_ve_Harici_DoH_Engelleme\"><span class=\"toc_number toc_depth_2\">9.3<\/span> 3. 
Corporate Policies and Blocking External DoH<\/a><\/li><\/ul><\/li><li><a href=\"#Kendi_DoHDoT_Resolverinizi_Kurmak_Yuksek_Seviyeli_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">10<\/span> Running Your Own DoH\/DoT Resolver: A High-Level Roadmap<\/a><\/li><li><a href=\"#Tarayici_ve_Isletim_Sistemlerinde_DoHDoT_Nasil_Aktif_Edilir\"><span class=\"toc_number toc_depth_1\">11<\/span> How to Enable DoH\/DoT in Browsers and Operating Systems<\/a><ul><li><a href=\"#Modern_Tarayicilarda\"><span class=\"toc_number toc_depth_2\">11.1<\/span> In Modern Browsers<\/a><\/li><li><a href=\"#Isletim_Sistemlerinde\"><span class=\"toc_number toc_depth_2\">11.2<\/span> In Operating Systems<\/a><\/li><\/ul><\/li><li><a href=\"#DNS_Nameserver_ve_Tasima_Stratejileriyle_Birlikte_Dusunmek\"><span class=\"toc_number toc_depth_1\">12<\/span> Thinking About It Together with DNS, Nameserver and Migration Strategies<\/a><\/li><li><a href=\"#DCHost_Perspektifi_Nasil_Bir_Yol_Haritasi_Oneriyoruz\"><span class=\"toc_number toc_depth_1\">13<\/span> The DCHost Perspective: What Roadmap Do We Recommend?<\/a><\/li><li><a href=\"#Ozet_ve_Sonraki_Adimlar\"><span class=\"toc_number toc_depth_1\">14<\/span> Summary and Next Steps<\/a><\/li><\/ul><\/div>\n<h2><span id=\"DNS_Trafigi_Neden_Bu_Kadar_Onemli_Hale_Geldi\">Why Has DNS Traffic Become So Important?<\/span><\/h2>\n<p>In recent years everyone has focused on HTTPS, strong passwords and two-step verification, but most projects overlook one critical layer: DNS. The moment you type a domain name into the browser bar, the first request sent is a DNS query, and by default that request travels across your network unencrypted. 
So anyone who can read your DNS traffic can clearly see which sites you visit, which APIs you use and, at times, which services you connect to.<\/p>\n<p>In the security audits we carry out at DCHost we often see this: on the web application side many measures such as HSTS, strong TLS settings, a WAF and rate limiting are in place, yet DNS still runs as classic, plain UDP\/53 traffic. That is a serious open door for both privacy and integrity. <strong>DNS over HTTPS (DoH)<\/strong> and <strong>DNS over TLS (DoT)<\/strong> come in at exactly this point. Both technologies place DNS traffic inside a TLS tunnel, hiding the query contents and making man-in-the-middle (MITM) attacks harder.<\/p>\n<p>In this article we will go step by step through what DoH and DoT are, how they work, which attacks they protect against and what they mean in practice for the hosting, <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a>, <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated server<\/a> or colocation infrastructure you manage on DCHost. 
We will also touch on the architectural details to watch when you want to set up your own DoH\/DoT resolver.<\/p>\n<h2><span id=\"DNS_Temelleri_Ustune_Ne_Ekledigimizi_Bilmek\">DNS Basics: Knowing What We Are Building On<\/span><\/h2>\n<p>To understand DoH and DoT, you first need a clear picture of how classic DNS works. You already use DNS, but most of the time without noticing.<\/p>\n<p>For those who want a detailed refresher, this guide is a good foundation: <a href=\"https:\/\/www.dchost.com\/blog\/dns-kayitlari-nedir-a-aaaa-cname-mx-txt-ve-srv-rehberi\/\">our DNS records guide explaining what A, AAAA, CNAME, MX, TXT and SRV records are for<\/a>. In short, the mechanism works like this:<\/p>\n<ul>\n<li>The client (browser, server, application) generates a DNS query for a domain name.<\/li>\n<li>This query usually goes to the resolving DNS server over UDP\/53 or TCP\/53.<\/li>\n<li>The resolver finds the IP address by querying the necessary servers (root, TLD, authoritative) and returns it to you.<\/li>\n<\/ul>\n<p>This <strong>entire process runs in plaintext<\/strong>, so someone on the network, your ISP, the operator of an open Wi-Fi network or an attacker can read these packets and tamper with them. Technologies such as DNSSEC focus on cryptographically verifying whether the response came from the authoritative source, but the query itself is still carried unencrypted. 
If you want to look at DNSSEC in detail, see <a href=\"https:\/\/www.dchost.com\/blog\/dnssec-nedir-ne-ise-yarar-alan-adiniz-ve-hostinginiz-icin-adim-adim-dnssec-kurulum-rehberi\/\">our guide to what DNSSEC is and how to enable it for your domain<\/a>.<\/p>\n<p>DoH and DoT add one more layer at exactly this point: <strong>wrapping DNS traffic in TLS as well<\/strong>.<\/p>\n<h2><span id=\"DNS_over_HTTPS_DoH_Nedir\">What Is DNS over HTTPS (DoH)?<\/span><\/h2>\n<p>DNS over HTTPS, as the name suggests, is a protocol that carries DNS queries <strong>over HTTPS<\/strong> instead of classic UDP\/53. Your browser or operating system takes the DNS query, places it in the body of an HTTPS request, sends it to the server inside a TLS session and receives the response over HTTPS as well. From the outside, this traffic looks like an ordinary HTTPS request.<\/p>\n<h3><span id=\"DoHun_Calisma_Mantigi\">How DoH Works<\/span><\/h3>\n<p>A typical DoH flow, simplified:<\/p>\n<ol>\n<li>The client knows the address of a DNS resolver that uses DoH (e.g. 
<code>https:\/\/resolver.ornek.net\/dns-query<\/code>).<\/li>\n<li>The browser or operating system embeds the DNS query in the HTTP request, either as JSON or in binary DNS wire format.<\/li>\n<li>This request travels over a <strong>TLS-encrypted<\/strong> HTTPS connection, usually on port 443.<\/li>\n<li>The DoH server resolves the request and sends the DNS response back inside the HTTPS body.<\/li>\n<\/ol>\n<p>The critical point here is that <strong>all DNS content (query and response) is hidden inside the TLS tunnel<\/strong>. Routers along the path, the ISP, the Wi-Fi access point or a local attacker see only that the packet is \u201cHTTPS traffic\u201d; they cannot see which domain name you asked about.<\/p>\n<h3><span id=\"DoHun_Avantajlari\">Advantages of DoH<\/span><\/h3>\n<ul>\n<li><strong>Privacy:<\/strong> Makes it harder for your DNS queries to be read on open Wi-Fi or a corporate network.<\/li>\n<li><strong>Resistance to censorship and manipulation:<\/strong> Makes content-based filtering of DNS queries harder and makes injecting forged responses more difficult.<\/li>\n<li><strong>Leverages HTTPS infrastructure:<\/strong> Can perform well with HTTP\/2, HTTP\/3 and existing TLS optimizations (ALPN, multiplexing, etc.).<\/li>\n
<li><strong>Traffic that is hard for firewalls to distinguish:<\/strong> Most network devices cannot easily tell DoH traffic on port 443 apart from \u201cnormal web\u201d traffic.<\/li>\n<\/ul>\n<h3><span id=\"DoHun_Sinirlamalari\">Limitations of DoH<\/span><\/h3>\n<ul>\n<li><strong>Centralization risk:<\/strong> If you concentrate all your DNS traffic on a single external DoH server, you simply shift the privacy exposure from your ISP to that provider.<\/li>\n<li><strong>Corporate policy challenges:<\/strong> Corporate networks may struggle to manage internal DNS zones and logging policies, because clients can reach an outside DoH server on their own.<\/li>\n<li><strong>Latency:<\/strong> A poorly configured DoH infrastructure can increase TTFB by adding an extra TLS handshake and HTTP layer for every query.<\/li>\n<\/ul>\n<h2><span id=\"DNS_over_TLS_DoT_Nedir\">What Is DNS over TLS (DoT)?<\/span><\/h2>\n<p>DNS over TLS is another encrypted DNS method that <strong>places DNS traffic directly inside a TLS tunnel<\/strong>. It differs from DoH in that it does not use the HTTP layer. 
The DNS protocol itself is wrapped in TLS instead of TCP or QUIC and usually runs over port 853.<\/p>\n<h3><span id=\"DoTun_Calisma_Mantigi\">How DoT Works<\/span><\/h3>\n<p>Simplified:<\/p>\n<ol>\n<li>The client knows the IP address and port (mostly 853) of a resolving DNS server that supports DoT.<\/li>\n<li>A <strong>TLS handshake<\/strong> takes place between them and a secure channel is established.<\/li>\n<li>The client sends DNS queries through this TLS tunnel in classic DNS wire format.<\/li>\n<li>The server sends the response back through the same tunnel.<\/li>\n<\/ol>\n<p>DoT is a method preferred especially at the operating system level or the network gateway level (for example on routers), because it works directly on the DNS protocol without an HTTP layer and is more straightforward to manage in some scenarios.<\/p>\n<h3><span id=\"DoH_ve_DoT_Arasindaki_Farklar\">Differences Between DoH and DoT<\/span><\/h3>\n<table border=\"1\" cellpadding=\"6\" cellspacing=\"0\">\n<thead>\n<tr>\n<th>Feature<\/th>\n<th>DNS over HTTPS (DoH)<\/th>\n<th>DNS over TLS (DoT)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Transport Layer<\/td>\n<td>HTTPS (HTTP\/2 or HTTP\/3 + TLS)<\/td>\n<td>TLS (usually TCP\/TLS)<\/td>\n<\/tr>\n<tr>\n<td>Default Port<\/td>\n<td>443<\/td>\n<td>853<\/td>\n<\/tr>\n<tr>\n<td>Appearance<\/td>\n<td>Looks like normal web traffic<\/td>\n<td>DNS-specific, distinguishable traffic<\/td>\n<\/tr>\n<tr>\n<td>Typical Use<\/td>\n<td>Browsers, applications<\/td>\n<td>Operating system, router, corporate gateway<\/td>\n<\/tr>\n<tr>\n<td>Policy 
Management<\/td>\n<td>Harder for corporate networks to monitor<\/td>\n<td>More visible to firewalls and IDS\/IPS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>In short, DoH is preferred more for <strong>application-level privacy<\/strong> and for scenarios that involve getting around blocking, while DoT is preferred for building <strong>secure DNS infrastructure at the network and operating system level<\/strong>.<\/p>\n<h2><span id=\"Gizlilik_Perspektifi_Kim_Ne_Gorebiliyor\">The Privacy Perspective: Who Can See What?<\/span><\/h2>\n<p>One of the most commonly confused points when discussing encrypted DNS is who can see what. Let us clarify what is hidden and what remains visible when you use DoH\/DoT.<\/p>\n<ul>\n<li><strong>Hidden:<\/strong> Which domain names you query, the DNS responses you receive, and details such as TTLs.<\/li>\n<li><strong>Not hidden:<\/strong> Which IP address you open a TCP\/TLS connection to, packet sizes, timing information and, in most cases, the SNI \/ ECH status.<\/li>\n<\/ul>\n<p>So the ISP or network administrator still sees which DoH\/DoT server you connect to, but <strong>cannot directly read the domain names<\/strong> you ask that server about. On the other hand, the IP addresses of the websites you then connect to still show up in the traffic. Although technologies such as TLS 1.3 and Encrypted Client Hello (ECH) are maturing, they are not yet mandatory everywhere.<\/p>\n<p>From the standpoint of regulations such as KVKK and GDPR, DNS logs have generally come to be treated as <strong>personal data<\/strong>. 
As we detail at DCHost in our articles on <a href=\"https:\/\/www.dchost.com\/blog\/hosting-ve-e-posta-altyapisinda-log-saklama-sureleri\/\">log retention periods in hosting and e-mail infrastructure<\/a> and <a href=\"https:\/\/www.dchost.com\/blog\/kvkk-ve-gdpr-uyumlu-hosting-secimi-turkiye-avrupa-ve-abd-veri-merkezleri-arasinda-veri-yerellestirme-stratejisi\/\">KVKK- and GDPR-compliant hosting strategy<\/a>, which logs you keep, for how long, who can access them and where you store them all matter legally. DoH\/DoT moves some of these logs from the local network to the DNS provider you choose, so you need to re-establish the privacy balance.<\/p>\n<h2><span id=\"Guvenlik_Perspektifi_Hangi_Problemi_Cozer_Hangisini_Cozmez\">The Security Perspective: Which Problems It Solves and Which It Does Not<\/span><\/h2>\n<p>DoH\/DoT is usually presented under the heading of \u201cDNS security\u201d, but it should be clear which risks it reduces and which it leaves untouched.<\/p>\n<h3><span id=\"Cozdugu_veya_Azalttigi_Riskler\">Risks It Solves or Reduces<\/span><\/h3>\n<ul>\n<li><strong>Passive monitoring:<\/strong> An attacker on the same network cannot learn which sites you visit by sniffing your DNS queries.<\/li>\n<li><strong>DNS spoofing \/ poisoning (some scenarios):<\/strong> Tampering with a DNS response at the ISP or on a device in the path becomes harder because of TLS validation; manipulating records requires compromising the resolver itself.<\/li>\n<li><strong>Manipulation other than 
captive portals:<\/strong> Some networks used methods that redirected certain domain names to a fake IP; this kind of interference becomes harder with DoH\/DoT.<\/li>\n<\/ul>\n<h3><span id=\"Cozmedigi_Riskler\">Risks It Does Not Solve<\/span><\/h3>\n<ul>\n<li><strong>The malicious site itself:<\/strong> Even when DNS traffic is encrypted, whether the site you visit is malicious does not change. A WAF, antivirus and browser protections are still needed.<\/li>\n<li><strong>Content filtering:<\/strong> Mechanisms such as family profiles and corporate URL filters can be bypassed by clients that use DoH. This is both an advantage and a risk.<\/li>\n<li><strong>Attacks on the authoritative DNS server:<\/strong> DoH\/DoT does not protect your authoritative DNS server against DDoS or zone transfer leaks; these need separate measures.<\/li>\n<\/ul>\n<p>An important conclusion follows: <strong>DoH\/DoT is not an alternative to DNSSEC but a complement to it.<\/strong> DNSSEC signs the correctness and origin of the response, while DoH\/DoT keeps that traffic hidden on the network. In a strong DNS security architecture it makes sense to consider the two together.<\/p>\n<h2><span id=\"Hosting_ve_Sunucu_Altyapisina_Etkileri\">Impact on Hosting and Server Infrastructure<\/span><\/h2>\n<p>Now to the part that matters most from the DCHost perspective: the impact of DoH\/DoT on hosting, VPS, dedicated server and colocation infrastructure.<\/p>\n<h3><span id=\"1_paylasimli_hosting_ve_Web_Siteleri_Acisindan\">1. 
<a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">Shared Hosting<\/a> and Websites<\/span><\/h3>\n<p>For a typical website owner on shared hosting, DoH\/DoT may at first glance look like an innovation that happens on the \u201cclient side\u201d. But it has indirect effects:<\/p>\n<ul>\n<li><strong>CDN and geographic routing:<\/strong> Some DNS providers use mechanisms such as EDNS Client Subnet for IP-based geographic routing. Some resolvers that use DoH\/DoT may not send this information for privacy reasons. That can make it harder to route the visitor to the nearest CDN. This should be considered together with <a href=\"https:\/\/www.dchost.com\/blog\/dns-yayilim-suresi-nedir-neden-24-saat-surer-ve-nasil-hizlandirilir\/\">our article on DNS propagation and geographic routing behaviour<\/a>.<\/li>\n<li><strong>Troubleshooting:<\/strong> When a DNS-related problem occurs and the user's browser or operating system goes to an external DoH provider, the user may be having trouble because of a different source even though your nameservers look correct from the hosting side. In support processes the question \u201cwhich DNS are you using?\u201d becomes more critical.<\/li>\n<\/ul>\n<h3><span id=\"2_VPS_ve_Dedicated_Sunucularda_DNS_Mimarisi\">2. DNS Architecture on VPS and Dedicated Servers<\/span><\/h3>\n<p>When you use a VPS or dedicated server, you have much more room to manoeuvre. 
You can set up your own DNS resolver, bring up a DNS cache server that supports DoT\/DoH and run all your internal traffic through it.<\/p>\n<p>A typical scenario on a VPS\/dedicated server you manage on DCHost might look like this:<\/p>\n<ul>\n<li>You run a local <strong>caching resolver<\/strong> on the server.<\/li>\n<li>This resolver connects to the outside world over DoT, and DNS traffic leaves fully encrypted.<\/li>\n<li>Your applications (web servers, APIs, background jobs) use this local resolver; latency drops and DNS traffic gains security as it leaves the network.<\/li>\n<\/ul>\n<p>This way you benefit from the privacy advantage of DoT\/DoH and also bring DNS resolution performance under your control. Especially in high-traffic projects where even microsecond-level latency is critical, it is important to monitor this DNS layer as well, together with <a href=\"https:\/\/www.dchost.com\/blog\/web-sitenizin-hizini-dogru-olcmek-gtmetrix-pagespeed-insights-ve-webpagetest-rehberi\/\">our guide to measuring TTFB and overall page speed correctly<\/a>.<\/p>\n<h3><span id=\"3_Kurumsal_Aglar_Ajanslar_ve_Coklu_Musteri_Mimarileri\">3. 
Corporate Networks, Agencies and Multi-Customer Architectures<\/span><\/h3>\n<p>For agencies, SaaS providers or multi-tenant setups, DNS is not just \u201cthe mechanism that translates a domain name to an IP\u201d; it is also a critical layer where they manage access policies, the internal\/external zone split and logging. DoH\/DoT can be a double-edged sword here:<\/p>\n<ul>\n<li><strong>Plus:<\/strong> On the customer side, especially for remote teams and home-office connections, private DNS traffic makes it harder for customer data to leak via the ISP or guest Wi-Fi.<\/li>\n<li><strong>Minus:<\/strong> If clients inside the corporate network go to external DoH services on their own, your internal DNS records (e.g. <code>intranet.local<\/code>) and split-horizon architectures can break; your URL filtering and audit logs also become sparser.<\/li>\n<\/ul>\n<p>For this reason, our recommendation as DCHost for corporate environments is to set up a <strong>central, corporate DoT\/DoH resolver<\/strong> and point clients at it, and to control ad hoc use of external DoH at the policy level.<\/p>\n<h2><span id=\"Gercek_Senaryolar_Hangi_Durumda_DoHDoT_Mantikli\">Real-World Scenarios: When Does DoH\/DoT Make Sense?<\/span><\/h2>\n<h3><span id=\"Senaryo_1_Freelance_Gelistirici_ve_Kamusal_WiFi\">Scenario 1: Freelance Developer and Public Wi-Fi<\/span><\/h3>\n<p>Many freelance developers work in cafes or shared offices while rushing from one client meeting to the next. 
In these environments you cannot know who manages the Wi-Fi network or how. Using encrypted DNS makes it harder for the network administrator to see, in particular, the panel addresses, staging domain names or private API endpoints of customer projects. Used together with a VPN, DoH\/DoT strengthens this privacy layer further.<\/p>\n<h3><span id=\"Senaryo_2_ETicaret_Sitesi_ve_Coklu_Sunucu_Mimarisi\">Scenario 2: E-Commerce Site and Multi-Server Architecture<\/span><\/h3>\n<p>Imagine you run a mid-sized e-commerce site on DCHost with several VPS and\/or dedicated servers. You have application servers, database replicas, a cache layer and cron jobs that talk to external services. 
Here, having all servers use a <strong>central DoT-capable resolver<\/strong>:<\/p>\n<ul>\n<li>ensures DNS queries are <strong>confidential and integrity-protected<\/strong> as they leave,<\/li>\n<li>reduces DNS-based MITM risks,<\/li>\n<li>makes it easier to monitor DNS logs and detect anomalies at a single point.<\/li>\n<\/ul>\n<p>This both improves security and makes it easier to diagnose which layer is failing when a DNS problem occurs.<\/p>\n<h3><span id=\"Senaryo_3_Ajans_ve_Onlarca_Musteri_Sitesi\">Scenario 3: Agency and Dozens of Customer Sites<\/span><\/h3>\n<p>If, as an agency, you manage dozens of WordPress and e-commerce sites on DCHost, you may not have visibility into what kind of DNS policies your customers have on their own local networks. Some customers may use corporate filters, others aggressive antivirus software. In that case, alongside building DNS solidly on your own side, it is important to manage domain names and nameservers in a controlled way, as we describe in <a href=\"https:\/\/www.dchost.com\/blog\/ajanslar-icin-dns-ve-alan-adi-erisimi-yonetimi\/\">our guide to DNS and domain access management for agencies<\/a>. Here DoH\/DoT can offer an additional privacy layer, especially for teams working on your agency's internal office network.<\/p>\n<h2><span id=\"DoHDoT_Kullanirken_Dikkat_Etmeniz_Gereken_Noktalar\">Points to Watch When Using DoH\/DoT<\/span><\/h2>\n<h3><span id=\"1_Gozlemlenebilirlik_ve_Loglama\">1. 
Observability and Logging<\/span><\/h3>\n<p>Once DoH\/DoT is in use, your network devices (firewall, IDS\/IPS, proxy) see less DNS data. That is good for privacy but can be challenging for security monitoring. If you are setting up your own DoH\/DoT resolver:<\/p>\n<ul>\n<li>Store DNS query logs in a KVKK\/GDPR-compliant way, for limited periods.<\/li>\n<li>Make sure only authorized people can access the logs.<\/li>\n<li>Set up basic alerts for anomaly detection (large numbers of NXDOMAIN responses, suspicious domains).<\/li>\n<\/ul>\n<h3><span id=\"2_Performans_ve_Onbellek_Kullanimi\">2. Performance and Cache Usage<\/span><\/h3>\n<p>If you perform a separate TLS handshake and open an HTTP connection for every DNS query, you will lose performance, especially in high-traffic applications. There are three critical points here:<\/p>\n<ul>\n<li><strong>Keep-alive:<\/strong> Try to use long-lived connections for both DoH and DoT.<\/li>\n<li><strong>Caching:<\/strong> Configure cache settings on the resolver that are aggressive but RFC-compliant; respect TTLs.<\/li>\n<li><strong>Local resolver:<\/strong> Having your applications query a local resolver at the OS level (e.g. <code>127.0.0.1<\/code>) reduces DNS latency significantly.<\/li>\n<\/ul>\n<h3><span id=\"3_Kurumsal_Politikalar_ve_Harici_DoH_Engelleme\">3. 
Corporate Policies and Blocking External DoH<\/span><\/h3>\n<p>In corporate networks, DNS traffic is usually required to pass through a specific point because of content filtering, logging and legal obligations. Clients that go directly to external DoH services bypass this policy. In such cases, measures like the following can be taken:<\/p>\n<ul>\n<li>allowing, at the network level, only traffic to your own DoH\/DoT servers,<\/li>\n<li>distributing <strong>corporate DoH\/DoT endpoints<\/strong> to browsers and operating systems via policy,<\/li>\n<li>where necessary, inspecting traffic to known DoH hosts on port 443.<\/li>\n<\/ul>\n<p>In short, the goal is <strong>not to ban encrypted DNS but to make it manageable<\/strong>.<\/p>\n<h2><span id=\"Kendi_DoHDoT_Resolverinizi_Kurmak_Yuksek_Seviyeli_Yol_Haritasi\">Running Your Own DoH\/DoT Resolver: A High-Level Roadmap<\/span><\/h2>\n<p>One of the questions DCHost customers frequently ask is: \u201cCan we run our own DoH\/DoT resolver on DCHost?\u201d Technically yes; in fact it makes good sense in many scenarios. At a high level, the steps are:<\/p>\n<ol>\n<li><strong>Choose a suitable VPS or dedicated server:<\/strong> DNS resolver workloads are light on CPU but can be heavy on memory and network. A mid-range DCHost VPS is more than enough for most organizations.<\/li>\n<li><strong>Install DNS resolver software:<\/strong> Many open-source and commercial DNS caching\/recursive servers are available. 
When choosing, consider DNSSEC validation, DoT\/DoH support and logging options.<\/li>\n<li><strong>Obtain a TLS certificate:<\/strong> Issue a certificate for a hostname such as the classic <code>ns.example.com<\/code> via Let\u2019s Encrypt or a corporate CA. <a href=\"https:\/\/www.dchost.com\/blog\/lets-encrypt-ile-ucretsiz-ssl-sertifikasi-kurulumu-cpanel-ve-directadminde-otomatik-yenileme-rehberi\/\">Our guide to installing a free SSL certificate with Let\u2019s Encrypt<\/a> will give you a good foundation here.<\/li>\n<li><strong>Configure the DoT and DoH endpoints:<\/strong> For DoT you typically use port 853, and for DoH an endpoint such as <code>\/dns-query<\/code>. Enable HTTP\/2 and HTTP\/3 support if possible.<\/li>\n<li><strong>Point clients at this resolver:<\/strong> Update your servers\u2019 <code>\/etc\/resolv.conf<\/code> settings, the DNS settings of client devices and the browsers\u2019 DoH configuration so that they point to the new resolver.<\/li>\n<\/ol>\n<p>This approach minimizes the DNS data visible to ISPs or third-party providers; you move the traffic to a DCHost server that you control.<\/p>\n<h2><span id=\"Tarayici_ve_Isletim_Sistemlerinde_DoHDoT_Nasil_Aktif_Edilir\">How Is DoH\/DoT Enabled in Browsers and Operating Systems?<\/span><\/h2>\n<p>Because every browser and operating system has a different interface, it makes more sense to explain the principles than to show screenshots one by one.<\/p>\n<h3><span id=\"Modern_Tarayicilarda\">In Modern Browsers<\/span><\/h3>\n<ul>\n<li>Under Settings 
\/ Privacy and Security \/ DNS or Secure DNS you will find options such as \u201cDNS over HTTPS\u201d.<\/li>\n<li>Most browsers offer two modes: \u201cAutomatic\u201d (if a supporting ISP or the OS resolver uses DoH, the browser follows it) and \u201cCustom provider\u201d (you enter a DoH URL manually).<\/li>\n<li>In corporate environments, these settings can usually be managed centrally via policy (group policy, enterprise policy).<\/li>\n<\/ul>\n<h3><span id=\"Isletim_Sistemlerinde\">In Operating Systems<\/span><\/h3>\n<ul>\n<li><strong>Desktop operating systems:<\/strong> In recent versions, \u201cencrypted DNS\u201d or \u201csecure DNS\u201d options have become built in. This choice can usually be made in the network adapter or DNS settings.<\/li>\n<li><strong>Mobile operating systems:<\/strong> By entering a DoT hostname in the Private DNS field, you can have the whole device use encrypted DNS.<\/li>\n<li><strong>Routers and gateways:<\/strong> Some modern routers support DoT\/DoH directly; otherwise a small VPS or container running on the router can take on this role.<\/li>\n<\/ul>\n<h2><span id=\"DNS_Nameserver_ve_Tasima_Stratejileriyle_Birlikte_Dusunmek\">Considering It Together with DNS, Nameserver and Migration Strategies<\/span><\/h2>\n<p>DoH\/DoT should not be considered in isolation; plan it together with your domain, nameserver and TTL strategy. 
For example, as we also explain in <a href=\"https:\/\/www.dchost.com\/blog\/cloudflare-dns-mi-hosting-dnsi-mi-en-dogru-nameserver-stratejisi\/\">our article discussing whether you should use Cloudflare DNS or your hosting provider\u2019s DNS<\/a>, the layer at which you want control matters a great deal.<\/p>\n<p>Likewise, when migrating an application or infrastructure, actively using DoH\/DoT does not affect your plans for <a href=\"https:\/\/www.dchost.com\/blog\/zero-downtime-tasima-icin-ttl-stratejileri-dns-yayilimini-gercekten-nasil-hizlandirirsin\/\">zero\u2011downtime migration with TTL strategies<\/a>, because the authoritative DNS side stays the same. However, the caching behavior and DoH\/DoT support of the resolvers used on the end-user side can affect the actual propagation time.<\/p>\n<h2><span id=\"DCHost_Perspektifi_Nasil_Bir_Yol_Haritasi_Oneriyoruz\">The DCHost Perspective: What Roadmap Do We Recommend?<\/span><\/h2>\n<p>As the DCHost team, we treat DNS security as a layered approach. 
The roadmap we recommend in practice is as follows:<\/p>\n<ul>\n<li><strong>Enable DNSSEC for your domain:<\/strong> This lets you prove cryptographically that your DNS records come from the authoritative source.<\/li>\n<li><strong>Clarify your nameserver and TTL strategy:<\/strong> Decide up front how you will act during migration, failover and maintenance.<\/li>\n<li><strong>Use a secure resolver on the server side:<\/strong> On your VPS or dedicated servers, prefer a caching resolver that reaches the outside world over DoT at the very least.<\/li>\n<li><strong>Standardize the DoH\/DoT profile for developers and administrators:<\/strong> Improve DNS privacy and integrity for the clients used at critical points, especially management panels and SSH access.<\/li>\n<li><strong>Think about logging and KVKK\/GDPR compliance together:<\/strong> Document where you keep DNS logs, who has access to them and how long you retain them.<\/li>\n<\/ul>\n<p>For the projects you host on DCHost, whether you use shared hosting, an NVMe-backed VPS, a high-resource dedicated server or colocation, strengthening the DNS layer will be a low-cost but high-return part of your overall security model.<\/p>\n<h2><span id=\"Ozet_ve_Sonraki_Adimlar\">Summary and Next Steps<\/span><\/h2>\n<p>In recent years, DNS over HTTPS (DoH) and DNS over TLS (DoT) have become the two most talked-about 
technologies under the heading of \u201cprivacy and security\u201d. To make the basic difference clear: DoH carries DNS queries over HTTP\/2 or HTTP\/3, like ordinary web traffic, whereas DoT communicates directly inside a TLS tunnel over a port dedicated to DNS. Both hide DNS queries and responses from prying eyes on the network and make man-in-the-middle attacks harder.<\/p>\n<p>But neither is <strong>a miracle solution on its own<\/strong>. Using only DoH\/DoT without DNSSEC, strong TLS settings, a WAF, logging, backups and monitoring means focusing on a small part of the picture. At DCHost, we prefer to address these technologies together with domain management, nameserver strategy, TTL planning and security policies.<\/p>\n<p>If you too want to:<\/p>\n<ul>\n<li>bring up your own DoH\/DoT resolver on a DCHost VPS or dedicated server,<\/li>\n<li>strengthen DNS security in layers on your existing hosting infrastructure,<\/li>\n<li>design KVKK\/GDPR-compliant log retention and DNS architecture,<\/li>\n<\/ul>\n<p>we can review your architecture together with our technical team. It is possible to design your domain, DNS, hosting, VPS, dedicated server and colocation needs as a sustainable whole that is compatible with encrypted DNS, DNSSEC, HTTP\/2\/3 and modern security standards. 
As a next step, you can start by reviewing your DNS records and current nameserver setup, and then shape your DoH\/DoT strategy accordingly.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 Why Has DNS Traffic Become So Important? 2 DNS Basics: Knowing What We Are Adding On Top Of 3 What Is DNS over HTTPS (DoH)? 3.1 How DoH Works 3.2 Advantages of DoH 3.3 Limitations of DoH 4 What Is DNS over TLS (DoT)? 4.1 How DoT Works 4.2 Differences Between DoH and DoT 5 The Privacy Perspective: Who Can See What? 6 The Security Perspective: Which Problems Does It Solve and Which Does It Not? 6.1 Solved or Reduced [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3870,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-3869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=3869"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/3870"}],"wp:attachment":[{"href":
"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=3869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=3869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=3869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}