NXNSAttack affects all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center in Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. It gives an amplification factor of up to 1621 times in terms of the number of packets (for each request sent to the resolver, 1621 requests can be sent to the victim's server) and up to 163 times in terms of traffic.

The problem stems from peculiarities of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the DNS server developers, who released updates at the same time to fix the vulnerability in their products. Protection against the attack is implemented in the releases Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack is based on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without glue records carrying the IP addresses of the NS servers in the response. For example, the attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In response to the resolver's request, the attacker's DNS server returns a response that delegates resolution of sd1.attacker.com to the victim's DNS server by listing NS records in the response without specifying the IP addresses of the NS servers. Since the NS server named there has not been seen before and its IP address is not given, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server that serves the target domain (victim.com).

The problem is that the attacker can respond with a huge list of non-repeating NS servers whose names are non-existent, fictitious subdomains of the victim (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver will try to send a request to the victim's DNS server, but will receive a response that the domain was not found, after which it will try to determine the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. As a result, for a single request from the attacker, the resolver sends a large number of requests to determine the NS hosts. Since the NS server names are generated randomly and refer to non-existent subdomains, they are not served from the cache, and every request from the attacker results in a flurry of requests to the DNS server serving the victim's domain.

The researchers studied how vulnerable public DNS resolvers are to the problem and determined that when sending queries to the CloudFlare resolver (1.1.1.1), the number of packets can be increased (PAF, Packet Amplification Factor) by 48 times, Google (8.8.8.8) - 30 times, FreeDNS (37.235.1.174) - 50 times, OpenDNS (208.67.222.222) - 32 times. More noticeable figures are observed for Level3 (209.244.0.3) - 273 times, Quad9 (9.9.9.9) - 415 times, SafeDNS (195.46.39.39) - 274 times, Verisign (64.6.64.6) - 202 times, Ultra (156.154.71.1) - 405 times, Comodo Secure (8.26.56.26) - 435 times, DNS.Watch (84.200.69.80) - 486 times, and Norton ConnectSafe (199.85.126.10) - 569 times. For servers based on BIND 9.12.3, due to parallelization of requests, the amplification level can reach up to 1000. In Knot Resolver 5.1.0, the amplification level is about several dozen times (24-48), since NS names are resolved sequentially and resolution runs into the internal limit on the number of name resolution steps allowed for a single request.

There are two main defense strategies. For systems with DNSSEC, it is proposed to use RFC-8198 to prevent bypassing the DNS cache, which happens because requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved when processing a single delegated request, but this method may cause problems with some existing configurations, because the limits are not defined in the protocol.
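
An added example (not from the original article or the researchers' paper): a toy in-memory Python model of the glueless-referral handling described above, showing how many queries reach the victim's authoritative server per client query, with and without a per-referral limit. The class and function names and the `max_glueless` cap are assumptions made for illustration; the model counts one lookup per NS name and sends no network traffic.

```python
# Added example: toy in-memory model, no network traffic. All names are constructed.

class VictimAuthoritative:
    """Stands in for the authoritative server of victim.com and counts queries."""
    def __init__(self, records):
        self.records = records          # name -> IP address
        self.received = 0

    def lookup(self, name):
        self.received += 1
        return self.records.get(name)   # None models an NXDOMAIN answer


def make_referral(count, tag):
    """Glueless referral: NS names under victim.com, no IP addresses attached."""
    return {"ns": [f"fake-{tag}-{i}.victim.com" for i in range(1, count + 1)],
            "glue": {}}


def handle_referral(referral, auth, negative_cache, max_glueless=None):
    """Resolve NS names lacking glue; return how many queries reached auth.

    max_glueless is a hypothetical per-referral cap (the simpler defence
    described above); None models a resolver with no limit.
    """
    before = auth.received
    attempted = 0
    for name in referral["ns"]:
        if name in referral["glue"]:
            continue                    # address supplied, nothing to resolve
        if name in negative_cache:
            continue                    # NXDOMAIN already known, no new query
        if max_glueless is not None and attempted >= max_glueless:
            break                       # cap reached: give up on this referral
        attempted += 1
        if auth.lookup(name) is not None:
            break                       # usable NS address found
        negative_cache.add(name)
    return auth.received - before


def amplification(referrals, size, max_glueless=None):
    """Queries arriving at the victim per client query sent to the resolver."""
    auth, cache = VictimAuthoritative({}), set()
    total = sum(handle_referral(make_referral(size, tag), auth, cache, max_glueless)
                for tag in range(referrals))
    return total / referrals
```

Because every referral carries fresh names, the negative cache never helps in `amplification`; only the cap bounds the number of queries that reach the victim's server.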

Source: opennet.ru
