DNS Security Guide

Whatever a company does, DNS security should be an integral part of its security plan. Name services, which resolve hostnames to IP addresses, are used by virtually every application and service on the network.

If an attacker gains control of an organization's DNS, they can easily:

  • grant themselves control over shared resources
  • redirect incoming email, web requests and authentication attempts
  • create and validate SSL/TLS certificates

This guide looks at DNS security from two angles:

  1. Maintaining continuous monitoring and control over DNS
  2. How new DNS protocols such as DNSSEC, DoH and DoT can help protect the integrity and confidentiality of DNS requests in transit.

What is DNS security?

The concept of DNS security has two important components:

  1. Ensuring the overall integrity and availability of the DNS services that resolve hostnames to IP addresses
  2. Monitoring DNS activity to identify possible security issues anywhere on your network

Why is DNS vulnerable to attacks?

DNS technology was created in the early days of the Internet, long before anyone started thinking about network security. DNS operates without authentication or encryption, blindly processing requests from any user.

Because of this, there are many ways to deceive the user and falsify information about where the resolution of names to IP addresses actually takes place.

DNS security: components

DNS security consists of several basic components, each of which must be taken into account to ensure complete protection:

  • Strengthening server security and management procedures: raise the server's security level and create a standard commissioning template
  • Protocol improvements: implement DNSSEC, DoT or DoH
  • Analytics and reporting: add the DNS event log to your SIEM system for additional context when investigating incidents
  • Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
  • Automation: create as many scripts as possible to automate processes

The high-level components mentioned above are just the tip of the iceberg of DNS security. In the next section, we dive into more specific use cases and the best practices you need to know about.

DNS attacks

  • DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache and redirect users elsewhere
  • DNS tunneling: primarily used to bypass protections on remote connections
  • DNS hijacking: redirecting regular DNS traffic to a different DNS server by changing the registrar
  • NXDOMAIN attack: a DDoS attack on an authoritative DNS server carried out by sending queries for illegitimate domains to force a response
  • Phantom domain: makes the DNS resolver wait for a response from domains that do not exist, resulting in poor performance
  • Random subdomain attack: compromised hosts and botnets launch a DDoS attack against a valid domain, but concentrate their fire on fake subdomains to force the DNS server to look up the records and take over the service
  • Domain lock-up: sends many spam responses to tie up DNS server resources
  • Botnet attack from customer premises equipment: a collection of computers, modems, routers and other devices that concentrate computing power on a specific website to overload it with traffic requests

DNS attacks

Attacks that in some way use DNS to attack other systems (that is, changing DNS records is not the end goal):

  • Fast-Flux
  • Single Flux networks
  • Double Flux networks
  • DNS tunneling

DNS attacks

Attacks that result in the IP address the attacker wants being returned from the DNS server:

  • DNS spoofing or cache poisoning
  • DNS hijacking

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know general information about each specific DNS request.

DNSSEC uses digital signature keys (PKIs) to verify whether the result of a domain name lookup came from a valid source.
Implementing DNSSEC is not only an industry best practice, it is also effective at preventing most DNS attacks.

How DNSSEC works

DNSSEC works similarly to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:

  1. DNS records are signed with the private key of a public-private key pair
  2. Responses to DNSSEC queries contain the requested record as well as the signature and the public key
  3. The public key is then used to compare the authenticity of the record and the signature
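The three steps above, carried through for one A record set as an added example (not code from the original article). It assumes the RRSIG signing input of RFC 4034 and algorithm 8 (RSASHA256); the RSA key, key tag, timestamps and addresses are constructed values, and the toy key must never be used for a real zone.

```python
import hashlib
import struct

# Constructed toy RSA key built from two Mersenne primes: trivially factorable,
# for illustration only. Real zone keys come from a proper key generator.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KLEN = (N.bit_length() + 7) // 8
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def wire_name(name):
    """Canonical (lower-case) wire encoding of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def signed_data(owner, ttl, addrs, signer, key_tag, inception, expiration):
    """RRSIG RDATA minus the signature, then the canonical A RRset (RFC 4034, 3.1.8.1)."""
    labels = len(owner.rstrip(".").split("."))
    head = struct.pack("!HBBIIIH", 1, 8, labels, ttl, expiration, inception, key_tag)
    rdatas = sorted(bytes(map(int, a.split("."))) for a in addrs)
    rrset = b"".join(wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + r for r in rdatas)
    return head + wire_name(signer) + rrset

def emsa_pkcs1_v15(data):
    """PKCS#1 v1.5 encoding of the SHA-256 digest, as used by algorithm 8 (RSASHA256)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (KLEN - len(t) - 3) + b"\x00" + t

def sign(data):
    """Step 1: the zone signs the record set with its private key."""
    return pow(int.from_bytes(emsa_pkcs1_v15(data), "big"), D, N).to_bytes(KLEN, "big")

def verify(data, sig):
    """Step 3: the resolver checks the signature with the public key (N, E) from the response."""
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(KLEN, "big") == emsa_pkcs1_v15(data)

if __name__ == "__main__":
    # Constructed values: signer name, key tag, inception, expiration.
    meta = ("example.com.", 12345, 1700000000, 1702592000)
    genuine = signed_data("example.com.", 3600, ["192.0.2.10"], *meta)
    spoofed = signed_data("example.com.", 3600, ["203.0.113.66"], *meta)
    sig = sign(genuine)
    print("genuine:", verify(genuine, sig), "spoofed:", verify(spoofed, sig))
```

A production validator additionally checks the signature validity window and follows the DS/DNSKEY chain up to a trust anchor; this block covers only the signature step.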

DNS and DNSSEC security

DNSSEC is a tool for verifying the integrity of DNS queries. It does not affect DNS privacy. In other words, DNSSEC can give you confidence that the answer to your DNS query has not been tampered with, but any attacker can see those results as they were sent to you.

DoT - DNS over TLS

Transport Layer Security (TLS) is a cryptographic protocol for protecting data transmitted over a network connection. Once a secure TLS connection is established between client and server, the transmitted data is encrypted and no intermediary can see it.

TLS is most commonly used as part of HTTPS (SSL) in your web browser, since requests are sent to secure HTTP servers.

DNS-over-TLS (DNS over TLS, DoT) uses the TLS protocol to encrypt the UDP traffic of regular DNS requests.
Encrypting these otherwise plain-text requests helps protect the users or applications making them from several attacks.

  • MitM, or "man in the middle": Without encryption, an intermediate system between the client and the authoritative DNS server can send false or dangerous information to the client in response to a request.
  • Espionage and tracking: Without encrypted requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone does not reveal the specific page being visited on a website, simply knowing the requested domains is enough to build a profile of a system or an individual.

source: University of California Irvine

DoH - DNS over HTTPS

DNS-over-HTTPS (DNS over HTTPS, DoH) is an experimental protocol developed jointly by Mozilla and Google. Its goals are similar to those of DoT: improving people's privacy online by encrypting DNS requests and responses.

Standard DNS queries are sent over UDP. Requests and responses can be tracked using tools such as Wireshark. DoT encrypts these requests, but they are still identifiable as distinct UDP traffic on the network.

DoH takes a different approach and sends encrypted name resolution requests over HTTPS connections, which look like any other web request on the network.

This difference has significant implications both for system administrators and for the future of name resolution.

  1. DNS filtering is a common way to filter web traffic to protect users from phishing attacks, sites that distribute malware, or other potentially harmful Internet activity on a corporate network. The DoH protocol bypasses these filters, potentially exposing users and the network to greater risk.
  2. In the current name resolution model, every device on the network more or less obtains DNS resolution from the same location (a specified DNS server). DoH, and Firefox's implementation of it in particular, shows that this may change in the future. Each application on a computer may receive data from different DNS sources, making troubleshooting, security, and risk modeling much more complex.

source: www.varonis.com/blog/what-is-powershell

What is the difference between DNS over TLS and DNS over HTTPS?

Let's start with DNS over TLS (DoT). The key point here is that the original DNS protocol is not changed; it is simply transmitted over a secure channel. DoH, on the other hand, puts DNS into HTTP format before making requests.
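The difference in framing, shown on one and the same query as an added example (not part of the original article). It follows RFC 7858 for DoT and RFC 8484 for DoH; the host name `doh.example` is a placeholder, and the HTTP/1.1 text form is used only for readability.

```python
import base64
import struct

def dns_query(name, qtype=1, msg_id=0):
    """Plain DNS wire-format query (RFC 1035): 12-byte header, one question, RD set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT (RFC 7858): the unchanged DNS message with a two-byte length prefix,
    written into an established TLS session."""
    return struct.pack("!H", len(msg)) + msg

def doh_get(msg, host, path="/dns-query"):
    """DoH (RFC 8484) GET: the message travels base64url-encoded, unpadded, in ?dns=."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
    return (f"GET {path}?dns={b64} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")

def doh_post(msg, host, path="/dns-query"):
    """DoH POST: the raw message is the HTTP body, typed application/dns-message."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode() + msg

def unwrap_dot(frame):
    """Strip the length prefix to recover the DNS message."""
    (length,) = struct.unpack("!H", frame[:2])
    return frame[2:2 + length]

def unwrap_doh_get(request):
    """Decode the ?dns= parameter to recover the DNS message."""
    b64 = request.split("?dns=", 1)[1].split(" ", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

if __name__ == "__main__":
    q = dns_query("www.example.com")
    print(dot_frame(q).hex())
    print(doh_get(q, "doh.example"))
    # Both transports carry the identical DNS message; only the wrapping differs.
    print(unwrap_dot(dot_frame(q)) == unwrap_doh_get(doh_get(q, "doh.example")) == q)
```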

DNS monitoring alerts

The ability to effectively monitor DNS traffic on your network for suspicious anomalies is critical to early detection of a breach. Using a tool such as Varonis Edge gives you the ability to stay on top of all the important metrics and create profiles for every account on your network. You can configure alerts to be generated as a result of a combination of actions occurring over a specific period of time.

Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and after-hours activity are just a few of the metrics that can be correlated to build a broader detection picture.
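One way to turn DNS query logs into alerts of this kind, as an added example (not taken from the original article or from any product it names). The log format `timestamp client qname rcode`, the thresholds and the sample lines are all constructed assumptions; the two rules target the NXDOMAIN/random subdomain floods and the DNS tunneling described in the attack list earlier.

```python
import math
from collections import defaultdict

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def analyze(lines, nx_min=5, nx_ratio=0.8, label_len=30, ent_min=3.5):
    """Return sorted (alert, client, zone) tuples from whitespace-separated log lines."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "subs": set()})
    alerts = set()
    for line in lines:
        _ts, client, qname, rcode = line.split()
        labels = qname.rstrip(".").lower().split(".")
        zone = ".".join(labels[-2:])  # assumption: naive two-label zone, no public suffix list
        s = stats[(client, zone)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["subs"].add(".".join(labels[:-2]))
        # Tunneling indicator: one long, high-entropy label carrying encoded data.
        longest = max(labels[:-2], key=len, default="")
        if len(longest) >= label_len and entropy(longest) >= ent_min:
            alerts.add(("possible-tunnel", client, zone))
    for (client, zone), s in stats.items():
        # Flood indicator: many distinct subdomains of one zone, almost all NXDOMAIN.
        if (s["nx"] >= nx_min and s["nx"] / s["total"] >= nx_ratio
                and len(s["subs"]) >= nx_min):
            alerts.add(("nxdomain-flood", client, zone))
    return sorted(alerts)

# Constructed sample log lines (documentation address ranges and example domains).
SAMPLE = [f"2024-01-01T00:00:0{i}Z 10.0.0.7 {sub}.example.com NXDOMAIN"
          for i, sub in enumerate(["x7f3a", "q9k2m", "zz81p", "h4t6c", "b0v5n", "w2e8r"])]
SAMPLE += [
    "2024-01-01T00:01:00Z 10.0.0.8 www.example.org NOERROR",
    "2024-01-01T00:01:05Z 10.0.0.8 mail.example.org NOERROR",
    "2024-01-01T00:02:00Z 10.0.0.9 abcdefghijklmnopqrstuvwxyz234567.t.example.net NOERROR",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

In practice the thresholds are tuned against a baseline of normal traffic per client, and the alerts are forwarded to the SIEM alongside the raw DNS events.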

source: www.habr.com
