Minimizing the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)

Minimizing the risks of using DoH and DoT

Protecting against DoH and DoT

Do you control your DNS traffic? Organizations invest a lot of time, money, and effort in securing their networks. However, one area that often does not get enough attention is DNS.

A good overview of the risks that DNS brings is the Verisign presentation at the Infosecurity conference.

31% of the ransomware classes studied used DNS for key exchange.

The problem is serious. According to the Palo Alto Networks Unit 42 research lab, roughly 85% of malware uses DNS to establish a command-and-control channel, allowing attackers to easily inject malware into your network as well as steal data. Since its inception, DNS traffic has been largely unencrypted and could easily be analyzed by NGFW security mechanisms.

New protocols for DNS have emerged to increase the privacy of DNS connections. They are actively supported by browser vendors and other software vendors. Encrypted DNS traffic will soon begin to grow in corporate networks. Encrypted DNS traffic that is not properly analyzed and resolved by security tools poses a security risk to a company. One example of such a threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore your data. Garmin, for example, paid $10 million.

When configured correctly, NGFWs can deny or protect the use of DNS-over-TLS (DoT) and can be used to deny the use of DNS-over-HTTPS (DoH), allowing all DNS traffic on your network to be analyzed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, the address www.paloaltonetworks.com) to IP addresses (for example, 34.107.151.202). When a user enters a domain name into a web browser, the browser sends a DNS query to a DNS server, asking for the IP address associated with that domain name. In response, the DNS server returns the IP address that the browser will use.

DNS queries and responses are sent across the network in plain text, unencrypted, which makes it easy to eavesdrop on them or to alter a response and redirect the browser to malicious servers. DNS encryption makes it harder for DNS requests to be tracked or modified in transit. Encrypting DNS requests and responses protects you from Man-in-the-Middle attacks while performing the same function as the traditional plaintext DNS (Domain Name System) protocol.

Over the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception ... and from the organization's security staff as well. The protocols primarily use TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving the DNS queries, over a port that is not normally used for DNS traffic.

The confidentiality of DNS queries is a big plus of these protocols. However, they create problems for security staff who must monitor network traffic and detect and block malicious connections. Because the protocols differ in their implementation, the analysis methods will differ between DoH and DoT.

DNS over HTTPS (DoH)

DNS inside HTTPS

DoH uses the well-known port 443 for HTTPS, for which the RFC specifically states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection", "make it difficult to analyze DNS traffic" and thus circumvent corporate controls (RFC 8484 DoH, Section 8.1). The DoH protocol uses TLS encryption and the request syntax provided by the HTTPS and HTTP/2 standards, adding DNS requests and responses on top of standard HTTP requests.

Risks associated with DoH

If you cannot distinguish ordinary HTTPS traffic from DoH requests, then applications within your organization can (and will) bypass local DNS settings by redirecting requests to third-party servers that respond to DoH requests. This bypasses any monitoring, that is, it destroys the ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.

Both Google and Mozilla have implemented DoH capabilities in the latest versions of their browsers, and both companies are working toward using DoH by default for all DNS requests. Microsoft is also developing plans to integrate DoH into its operating systems. The downside is that not only reputable software companies but also attackers have begun using DoH as a means of bypassing traditional corporate firewall measures. (For example, see the following articles: PsiXBot now uses Google DoH, PsiXBot continues to evolve with updated DNS infrastructure, and Godlua backdoor analysis.) In either case, both good and malicious DoH traffic will go undetected, leaving the organization blind to the malicious use of DoH as a conduit to control malware (C2) and steal sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for DoH control, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured to decrypt HTTPS, according to the guide to decryption best practices.

Second, create a rule for the application traffic "dns-over-https" as shown below:

Palo Alto Networks NGFW rule to block DNS-over-HTTPS

As an interim alternative (if your organization has not fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect will be limited to blocking certain well-known DoH servers by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").

DNS over TLS (DoT)

DNS inside TLS

While the DoH protocol tends to mix with other traffic on the same port, DoT instead defaults to using a special port reserved for this sole purpose, even specifically disallowing the same port from being used by traditional unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with traffic using the well-known port 853 (RFC 7858, Section 6). The DoT protocol was designed to make it easier for organizations to block traffic on that port, or to accept the traffic but enable decryption on that port.

Risks associated with DoT

Google has implemented DoT in its Android 9 Pie and later clients, with the default setting to use DoT automatically if it is available. If you have assessed the risks and are ready to use DoT at the organizational level, then you need to have network administrators explicitly allow outbound traffic on port 853 through their perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As a best practice for DoT control, we recommend one of the following options, based on your organization's requirements:

  • Configure the NGFW to decrypt all traffic for destination port 853. Once the traffic is decrypted, DoT will appear as a DNS application to which you can apply any action, such as enabling a Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing and anti-spyware.

  • An alternative is to have the App-ID engine completely block 'dns-over-tls' traffic on port 853. This is usually blocked by default, so no action is required (unless you have specifically allowed the 'dns-over-tls' application or port 853 traffic).
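
What decryption gives the inspection point in both the DoH section and the DoT options above, as an added example that is not part of the original article and not Palo Alto Networks code: once TLS is removed, DoH (RFC 8484) and DoT (RFC 7858) both carry the same DNS wire-format message, so the query name can be recovered and passed to the usual DNS controls. The function names and the sample message are assumptions made for illustration, and the decrypted request or stream is assumed to come from the TLS-inspecting device.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484
# Constructed sample input: DNS query for www.example.com (type A, class IN).
SAMPLE = bytes.fromhex("00000100000100000000000003777777076578616d706c6503636f6d0000010001")

def qname(msg):
    """First question name of a DNS wire-format message; ValueError if malformed."""
    if len(msg) < 12 or msg[4:6] == b"\x00\x00":
        raise ValueError("no question section")
    labels, pos = [], 12  # 12-byte header, then the question
    try:
        while msg[pos]:
            if msg[pos] > 63:  # compression pointers do not belong in a question
                raise ValueError("unexpected label type")
            labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
            pos += 1 + msg[pos]
    except IndexError:
        raise ValueError("truncated question") from None
    return ".".join(labels)

def doh_query(method, target, headers, body=b""):
    """Query name if a decrypted HTTP request is RFC 8484 DoH, else None."""
    ctype = {k.lower(): v.lower() for k, v in headers.items()}.get("content-type")
    dns_param = parse_qs(urlsplit(target).query).get("dns")
    try:
        if method == "POST" and ctype == DOH_MEDIA_TYPE:
            return qname(body)
        if method == "GET" and dns_param:
            b64 = dns_param[0]  # base64url without padding, per RFC 8484
            return qname(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    except ValueError:  # not a DNS message after all (covers binascii.Error too)
        pass
    return None

def dot_queries(stream):
    """Query names from a decrypted DoT stream: each message has a 2-byte length."""
    names, pos = [], 0
    while pos + 2 <= len(stream):
        (size,) = struct.unpack("!H", stream[pos:pos + 2])
        names.append(qname(stream[pos + 2:pos + 2 + size]))
        pos += 2 + size
    return names

if __name__ == "__main__":
    print(doh_query("POST", "/dns-query", {"Content-Type": DOH_MEDIA_TYPE}, SAMPLE))
    print(dot_queries(struct.pack("!H", len(SAMPLE)) + SAMPLE))
```

Without decryption none of these fields are visible, which is why the deny action on the application ID alone is limited to well-known DoH servers identified by name.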

Source: www.hab.com
