Minimizing the risks of using DoH and DoT
DoH and DoT protection
Are you controlling your DNS traffic? Organizations invest a great deal of time, money, and effort in securing their networks. However, an area that does not get enough attention is DNS.
An overview of the risks that DNS brings is as follows.
31% of the ransomware classes studied used DNS for key exchange.
The problem is serious. According to Palo Alto Networks' Unit 42 research lab, about 85% of malware uses DNS to establish a command-and-control channel, allowing attackers to easily inject malware into a network or steal data. Since its inception, DNS traffic has been mostly unencrypted and can be easily analyzed by NGFW security mechanisms.
New DNS protocols have emerged that aim to increase the confidentiality of DNS connections. They are actively supported by the major browser vendors and other software vendors. Encrypted DNS traffic will soon start to grow in corporate networks. Encrypted DNS traffic that is not properly analyzed and resolved by tools poses a security risk to a company. One such threat, for example, is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of millions of dollars to restore access to data. Garmin, for example, paid 100,000 dollars.
When properly configured, an NGFW can deny or protect the use of DNS-over-TLS (DoT) and can deny the use of DNS-over-HTTPS (DoH), so that all DNS traffic on the network can be analyzed.
What is encrypted DNS?
What is DNS
The Domain Name System (DNS) resolves human-readable domain names (for example, addresses).
DNS queries and responses are sent over the network in unencrypted plain text, which leaves them vulnerable to eavesdropping, to modification of responses, and to redirection of the browser to malicious servers. DNS encryption makes it harder to track or alter DNS requests in transit. Encrypting DNS requests and responses protects against man-in-the-middle attacks while performing the same function as the traditional plaintext DNS (Domain Name System) protocol.
Over the past few years, the following DNS encryption protocols have been introduced:
- DNS-over-HTTPS (DoH)
- DNS-over-TLS (DoT)
These protocols have something in common: they deliberately hide DNS requests from interception, and from the organization's security staff as well. The protocols primarily use TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving the DNS queries, over a port that is not normally used for DNS traffic.
Confidentiality of DNS queries is a major advantage of these protocols. However, they create a problem for security staff, who need to monitor network traffic and detect and block malicious connections. Because the protocols are implemented differently, the methods of analysis differ between DoH and DoT.
DNS over HTTPS (DoH)
DNS inside HTTPS
DoH uses the well-known port 443 for HTTPS, and the RFC specifically states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection" and "make it difficult to analyze DNS traffic", thereby circumventing corporate controls. (
Risks associated with DoH
If you cannot distinguish normal HTTPS traffic from DoH requests, applications inside the organization can (and will) bypass local DNS settings by redirecting requests to third-party servers that answer DoH requests. This bypasses all monitoring, that is, control over DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.
Ensuring visibility and control of DoH traffic
As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).
First, make sure the NGFW is configured to decrypt HTTPS.
Next, create a rule for the application traffic "dns-over-https", as shown below.
Palo Alto Networks NGFW rule to block DNS-over-HTTPS
As an interim alternative (if the organization has not fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect is limited to blocking certain well-known DoH servers, which are identified by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (
DNS over TLS (DoT)
DNS inside TLS
While the DoH protocol tends to mix with other traffic on the same port, DoT instead defaults to a special port reserved for that sole purpose, and explicitly prohibits use of the same port by traditional unencrypted DNS traffic (
The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with traffic on the well-known port 853 (
Risks associated with DoT
Google has implemented DoT in its client.
Ensuring visibility and control of DoT traffic
As a best practice for controlling DoT, we recommend one of the following, depending on the organization's requirements:
- Configure the NGFW to decrypt all traffic for destination port 853. Once the traffic is decrypted, DoT appears as a DNS application, to which you can apply actions such as enabling a subscription: Palo Alto Networks DNS Security to control DGA domains or existing domains, DNS sinkholing, and anti-spyware.
- Alternatively, have the App-ID engine completely block "dns-over-tls" traffic on port 853. This is usually blocked by default and no action is required (unless you have specifically allowed the "dns-over-tls" application or port 853 traffic).
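The difference between the controls described above (DoT recognized by its dedicated port, known DoH servers recognized by name, and other DoH recognized only after HTTPS decryption), as an added Python example that is not part of the original article. The flow-record fields, the short resolver list and the sample records are assumptions constructed for illustration.

```python
# Added example, not from the original article. Record fields, the resolver
# list and the sample flows are assumptions constructed for illustration.

# Short illustrative list of public DoH resolver hostnames; a real
# deployment would rely on a maintained feed or the firewall's own App-ID.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Media type used for DoH messages (RFC 8484); visible only after decryption.
DOH_MEDIA_TYPE = "application/dns-message"


def classify(flow, decrypted=False):
    """Label one flow record (dict with proto, dport, sni, http_content_type)."""
    if flow.get("proto") != "tcp":
        return "other"
    if flow.get("dport") == 853:
        return "dot"                       # DoT uses its own reserved port
    if flow.get("dport") == 443:
        sni = (flow.get("sni") or "").lower().rstrip(".")
        if sni in KNOWN_DOH_HOSTS:
            return "doh-known-server"      # found by server name alone
        if decrypted and flow.get("http_content_type") == DOH_MEDIA_TYPE:
            return "doh-by-content"        # found only with HTTPS decryption
    return "other"


def label_all(flows, decrypted=False):
    """Classify a list of flow records, preserving order."""
    return [classify(f, decrypted) for f in flows]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    {"proto": "tcp", "dport": 853, "sni": "dns.google"},
    {"proto": "tcp", "dport": 443, "sni": "dns.google",
     "http_content_type": DOH_MEDIA_TYPE},
    {"proto": "tcp", "dport": 443, "sni": "resolver.example.net",
     "http_content_type": DOH_MEDIA_TYPE},
    {"proto": "tcp", "dport": 443, "sni": "www.example.com",
     "http_content_type": "text/html"},
]

if __name__ == "__main__":
    for mode in (False, True):
        print("decrypted =", mode, label_all(SAMPLE_FLOWS, decrypted=mode))
```

The third sample flow is labelled "other" without decryption and "doh-by-content" with it, which is the gap the interim name-based block leaves open.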
Source: habr.com