Reducing the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)


[Image: DoH and DoT protection]

Do you control your DNS traffic? Organizations spend a great deal of time, money and effort securing their networks. However, one area that often does not get enough attention is DNS.

A good overview of the risks that DNS brings is the presentation given at the Infosecurity conference.


31% of the ransomware families analyzed used DNS for key exchange.

The problem is serious. According to the Palo Alto Networks Unit 42 research team, nearly 85% of malware uses DNS to establish its command-and-control channel, which lets attackers easily plant malware inside your network and exfiltrate data. Since its inception, DNS traffic has been unencrypted and can easily be inspected by the security mechanisms of an NGFW.

New DNS protocols have emerged with the goal of improving the privacy of Internet connections. They are supported by the major browser vendors and other software vendors, so encrypted DNS traffic will soon begin to grow inside corporate networks. Encrypted DNS traffic that is not properly analyzed, with the right tooling, creates a security risk for the enterprise. One example of such a threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of many millions of dollars to restore access to your data; Garmin, for example, paid 10 million dollars.

When properly configured, NGFWs can deny or secure the use of DNS-over-TLS (DoT) and can be used to deny the use of DNS-over-HTTPS (DoH), which makes it possible to inspect all DNS traffic on your network.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, the address www.paloaltonetworks.com) to IP addresses (for example, 34.107.151.202). When a user enters a domain name in a web browser, the browser sends a DNS query to a DNS server, asking for the IP address associated with that domain name. In response, the DNS server returns the IP address that the browser will then use.

DNS queries and responses are sent across the network in clear text, unencrypted, which makes them vulnerable to eavesdropping, or to having the response altered and the browser redirected to malicious servers. DNS encryption makes it much harder to track or modify DNS requests in transit. Encrypting DNS requests and responses protects you from man-in-the-middle attacks while performing the same functions as the conventional Domain Name System protocol.
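To make the "clear text" point concrete, here is an added example (not code from the original article) that builds a DNS query and a matching response in the wire format a resolver actually sees, then parses them back. It uses the name and address quoted above; the transaction id and TTL are arbitrary constructed values. The queried name and the returned address are plainly visible in both messages, which is exactly what an eavesdropper on the path, or an NGFW doing inspection, gets to read.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a name starting at offset; follows compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, qtype=1, txid=0x1234):
    """Standard query: 12-byte header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def build_response(query, ip):
    """Answer a query with one A record (QR, RD, RA flags set; constructed TTL of 300s)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def parse_message(data):
    """Parse header, question and answer sections; A-record rdata is rendered dotted-quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

if __name__ == "__main__":
    q = build_query("www.paloaltonetworks.com")
    r = build_response(q, "34.107.151.202")
    # The queried name sits in the packet as readable ASCII: nothing here is encrypted.
    print(b"paloaltonetworks" in q, parse_message(r)["answers"])
```

The same parser is what an inspection device applies to port 53 traffic today; the protocols described in the next section wrap these exact bytes inside TLS, so the parser only becomes usable again after decryption.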

In the last few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception ... including interception by the organization's own defenders. Both protocols primarily rely on TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving them, on a port that is not normally used for DNS traffic.

The privacy of DNS queries is a big advantage of these protocols. However, they create problems for defenders who have to monitor network traffic and detect and block malicious connections. Because the two protocols are implemented differently, the inspection methods differ between DoH and DoT.

DNS over HTTPS (DoH)

[Image: DNS inside HTTPS]

DoH uses the well-known HTTPS port 443, and the RFC states explicitly that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection", which "makes DNS traffic analysis difficult" and therefore circumvents enterprise controls (RFC 8484, DoH, Section 8.1). The DoH protocol uses the TLS encryption and request format provided by the common HTTPS and HTTP/2 protocols, carrying DNS requests and responses on top of standard HTTP requests.

Risks associated with DoH

If you cannot distinguish ordinary HTTPS traffic from DoH requests, then applications inside your organization can (and will) bypass your local DNS settings by sending their requests to third-party servers that answer DoH, which sidesteps any monitoring and thereby undermines your ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption capabilities.
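What inspection of decrypted HTTPS actually looks for is easier to see with an example. The following code is an added illustration, not code from the original article or from Palo Alto Networks: it constructs both RFC 8484 request forms (GET with a base64url `dns=` parameter, POST with an `application/dns-message` body) and then runs a small detector over a constructed list of decrypted HTTP transactions. The resolver hostname, the sample query bytes and the transaction list are constructed for the demo.

```python
import base64
import struct

# Constructed sample: wire-format A query for www.example.com (id 0x1234, RD set).
SAMPLE_QUERY = bytes.fromhex(
    "12340100000100000000000003777777076578616d706c6503636f6d0000010001")

def doh_get_request(host, wire, path="/dns-query"):
    """RFC 8484 GET form: the DNS message is base64url-encoded, unpadded, in dns=."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return {"method": "GET", "host": host, "path": f"{path}?dns={b64}",
            "headers": {"Accept": "application/dns-message"}, "body": b""}

def doh_post_request(host, wire, path="/dns-query"):
    """RFC 8484 POST form: the DNS message is the body, typed application/dns-message."""
    return {"method": "POST", "host": host, "path": path,
            "headers": {"Accept": "application/dns-message",
                        "Content-Type": "application/dns-message"}, "body": wire}

def looks_like_dns_message(wire):
    """Cheap structural check: 12-byte header, exactly one question, labels of at most
    63 bytes, and the question (name + qtype + qclass) closing the message exactly."""
    if len(wire) < 17:
        return False
    if struct.unpack("!H", wire[4:6])[0] != 1:
        return False
    off = 12
    while off < len(wire):
        ln = wire[off]
        if ln == 0:
            return off + 5 == len(wire)
        if ln > 63:
            return False
        off += 1 + ln
    return False

def doh_indicators(tx):
    """Return the reasons a decrypted HTTP transaction looks like DoH ([] if none)."""
    hdr = {k.lower(): v.lower() for k, v in tx["headers"].items()}
    reasons = []
    if "application/dns-message" in (hdr.get("content-type", ""), hdr.get("accept", "")):
        reasons.append("dns-message media type")
    _path, _, query = tx["path"].partition("?")
    for kv in query.split("&"):
        if kv.startswith("dns="):
            raw = kv[4:]
            try:
                wire = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
            except ValueError:          # binascii.Error is a ValueError
                continue
            if looks_like_dns_message(wire):
                reasons.append("dns= parameter decodes to a DNS message")
    if tx["method"] == "POST" and looks_like_dns_message(tx["body"]):
        reasons.append("POST body is a DNS message")
    return reasons

def find_doh(transactions):
    """Map each host that served DoH-looking requests to the evidence for it."""
    flagged = {}
    for tx in transactions:
        reasons = doh_indicators(tx)
        if reasons:
            flagged.setdefault(tx["host"], []).extend(reasons)
    return flagged

# Constructed sample of decrypted transactions: the two DoH forms plus a normal page load
# whose query string happens to contain a dns= parameter that is not a DNS message.
SAMPLE_TRANSACTIONS = [
    doh_get_request("resolver.example.net", SAMPLE_QUERY),
    doh_post_request("resolver.example.net", SAMPLE_QUERY),
    {"method": "GET", "host": "www.example.com", "path": "/index.html?dns=no",
     "headers": {"Accept": "text/html"}, "body": b""},
]

if __name__ == "__main__":
    print(find_doh(SAMPLE_TRANSACTIONS))
```

Note that every one of these signals lives inside the TLS session: without decryption an inspection device sees only a connection to port 443, which is the point the article makes about DoH blending in with ordinary web traffic.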

Both Google and Mozilla have implemented DoH support in the latest versions of their browsers, and both companies are working toward using DoH by default for all DNS requests. Microsoft is also developing plans to integrate DoH into its operating system. The bottom line is that not only reputable software companies but also attackers have started using DoH as a way to bypass traditional enterprise firewall controls. (For example, see the following articles: PsiXBot now uses Google DoH; PsiXBot continues to evolve with updated DNS infrastructure; and the Godlua backdoor.) Either way, both benign and malicious DoH traffic will go undetected, leaving the organization blind to malicious use of DoH as a malware command-and-control (C2) channel and as a path for exfiltrating sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and to block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured for HTTPS decryption, following the decryption best practices guide.

Second, create a rule for the "dns-over-https" application traffic as shown below:

[Image: Palo Alto Networks NGFW rule to block DNS-over-HTTPS]

As a temporary alternative (if your organization has not yet fully implemented HTTPS decryption), the NGFW can be configured to apply the "deny" action to the "dns-over-https" application ID, but its effect will be limited to blocking some well-known DoH servers by their domain names; without HTTPS decryption, DoH traffic as a whole cannot be inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").

DNS over TLS (DoT)

[Image: DNS inside TLS]

While the DoH protocol tries to blend in with other traffic on the same port, DoT instead uses by default a dedicated port reserved for this sole purpose, and even forbids that same port from being used for traditional unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with the traffic using the well-known port 853 (RFC 7858, Section 6). DoT was designed to make it easy for organizations either to block the traffic on that port, or to accept the traffic but enable decryption on that port.

Risks associated with DoT

Google has implemented DoT in Android 9 Pie and later, with the default setting being to use DoT automatically whenever it is available. If you have assessed the risks and are ready to use DoT at the organizational level, then you need your network administrators to explicitly allow traffic on port 853 through the perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As a best practice for controlling DoT, we recommend either of the following options, depending on your organization's requirements:

  • Configure the NGFW to decrypt all traffic to destination port 853. Once the traffic is decrypted, DoT shows up as a DNS application to which you can apply any action, such as enabling the Palo Alto Networks DNS Security subscription to control DGA domains, or DNS sinkholing and anti-spyware.

  • Another alternative is to have the App-ID engine block 'dns-over-tls' traffic on port 853 altogether. This is normally blocked by default, so no action is required (unless you have specifically allowed the 'dns-over-tls' application or traffic to port 853).
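The two sections above draw the same contrast from the defender's side: DoT announces itself by port (853), while DoH on port 443 can, without decryption, only be recognised by the name of a known resolver (the Applipedia-style matching mentioned earlier). The following added example, not code from the original article or from any vendor, shows what an inspection point can classify before any decryption takes place: it builds a minimal TLS ClientHello, extracts the SNI and ALPN extensions from it, and labels the flow. The resolver hostnames in KNOWN_DOH_HOSTS are constructed placeholders for the list your own team maintains; the ALPN token "dot" is the identifier registered for DNS-over-TLS, and "h2" is the HTTP/2 token DoH clients negotiate.

```python
import struct

# Constructed sample list of resolver hostnames known to offer DoH; in practice this is
# the inventory your team maintains, since without decryption the name is all you get.
KNOWN_DOH_HOSTS = {"doh.resolver.example", "dns.resolver.example"}

def build_client_hello(sni, alpn):
    """Minimal TLS 1.2-style ClientHello carrying an SNI extension and (if given) ALPN."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_body = struct.pack("!H", len(entry)) + entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_body)) + sni_body
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_body = struct.pack("!H", len(protos)) + protos
    alpn_ext = b"\x00\x10" + struct.pack("!H", len(alpn_body)) + alpn_body
    exts = sni_ext + (alpn_ext if alpn else b"")
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros: constructed)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type handshake

def parse_client_hello(rec):
    """Return (sni, [alpn protocols]) from a ClientHello record; (None, []) if absent."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                    # record hdr, hs hdr, version, random
    p += 1 + rec[p]                                   # session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]     # cipher_suites
    p += 1 + rec[p]                                   # compression_methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    sni, alpn = None, []
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:                           # server_name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode("ascii")
        elif etype == 0x0010:                         # application_layer_protocol_negotiation
            q = 2
            while q < len(data):
                ln = data[q]
                alpn.append(data[q + 1:q + 1 + ln].decode("ascii"))
                q += 1 + ln
    return sni, alpn

def classify_flow(dst_port, client_hello):
    """Label a TLS flow using only metadata visible before decryption."""
    sni, alpn = parse_client_hello(client_hello)
    if dst_port == 853 or "dot" in alpn:
        return "dot"                   # dedicated port or DoT ALPN: unambiguous
    if dst_port == 443 and sni in KNOWN_DOH_HOSTS:
        return "doh-candidate"         # name match only; decrypt to confirm
    return "https"                     # DoH to an unknown resolver looks exactly like this

if __name__ == "__main__":
    for port, hello in [(853, build_client_hello("dns.resolver.example", ["dot"])),
                        (443, build_client_hello("doh.resolver.example", ["h2"])),
                        (443, build_client_hello("www.example.com", ["h2", "http/1.1"]))]:
        print(port, parse_client_hello(hello), classify_flow(port, hello))
```

The third case is the limitation the DoH section describes: a DoH resolver that is not on your list is indistinguishable from any other HTTPS server at this layer, which is why the recommended control for DoH is decryption rather than name matching, whereas DoT can be handled by port policy alone.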

source: www.habr.com
