Minimizing the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)

DoH and DoT security

Do you control your DNS traffic? Organizations spend a great deal of time, money and effort securing their networks. However, one area that often does not get enough attention is DNS.

A good overview of the risks that DNS brings is the Verisign presentation at the Infosecurity conference.

31% of the ransomware classes surveyed used DNS for key exchange.

The problem is serious. According to the Palo Alto Networks Unit 42 research lab, approximately 85% of malware uses DNS to establish a command-and-control channel, allowing attackers to easily inject malware into your network and steal data. Since its inception, DNS traffic has been largely unencrypted and can be easily analyzed by NGFW security mechanisms.

New DNS protocols have emerged to increase the confidentiality of DNS connections. They are actively supported by leading browser vendors and other software vendors. Encrypted DNS traffic is starting to grow in corporate networks. Encrypted DNS traffic that is not properly analyzed and resolved by security tools poses a security risk to the company. One such threat, for example, is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data. Garmin, for example, paid $10 million.

When properly configured, NGFWs can block or secure the use of DNS-over-TLS (DoT) and can be used to block the use of DNS-over-HTTPS (DoH), allowing all DNS traffic on your network to be analyzed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, the address www.paloaltonnetworks.com) to IP addresses (for example, 34.107.151.202). When a user enters a domain name into a browser, the browser sends a DNS query to a DNS server, asking for the IP address associated with that name. In response, the DNS server returns the IP address that the browser will use.

DNS queries and responses are sent across the network in plain text, unencrypted, which leaves them open to eavesdropping or to modification of the response and redirection of the browser to malicious servers. DNS encryption makes it harder for DNS requests to be tracked or modified in transit. Encrypting DNS requests and responses protects you from Man-in-the-Middle attacks while performing the same function as the traditional plaintext DNS (Domain Name System) protocol.

Over the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception ... and from the organization's security staff as well. The protocols use TLS (Transport Layer Security) to establish an encrypted connection between the client making queries and the server resolving DNS queries, over a port that is not normally used for DNS traffic.

The confidentiality of DNS queries is a big plus of these protocols. However, they create problems for security staff who must monitor network traffic and detect and block malicious connections. Because the protocols differ in their implementation, the analysis methods will differ between DoH and DoT.

DNS over HTTPS (DoH)

DNS inside HTTPS

DoH uses the well-known port 443 for HTTPS, for which the RFC specifically states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection", "make it difficult to analyze DNS traffic" and thus circumvent corporate controls (RFC 8484 DoH Section 8.1). The DoH protocol uses TLS encryption and the request syntax provided by the common HTTPS and HTTP/2 standards, adding DNS requests and responses on top of standard HTTP requests.

Risks associated with DoH

If you cannot distinguish regular HTTPS traffic from DoH requests, then applications within your organization can (and will) bypass local DNS settings by redirecting requests to third-party servers that answer DoH requests, which bypasses any monitoring, that is, destroys the ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.

Both Google and Mozilla have implemented DoH capabilities in the latest versions of their browsers, and both companies are working toward using DoH by default for all DNS requests. Microsoft is also developing plans to integrate DoH into its operating systems. The downside is that not only reputable software companies but also attackers have begun using DoH as a means of bypassing traditional corporate firewall measures. (For example, see the following articles: PsiXBot now uses Google DoH, PsiXBot continues to evolve with updated DNS infrastructure, and Godlua backdoor analysis.) In either case, both good and malicious DoH traffic will go undetected, leaving the organization blind to the malicious use of DoH as a channel for malware command and control (C2) and for stealing sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for DoH control, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured to decrypt HTTPS, according to the guide to best decryption practices.

Second, create a rule for the application traffic "dns-over-https" as shown below:

Palo Alto Networks NGFW rule to block DNS-over-HTTPS

As an interim alternative (if your organization has not fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect will be limited to blocking certain well-known DoH servers by their domain name, so without HTTPS decryption, DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").
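The gap between the two approaches above can be shown on a few sample records. This is an added example, not code from the original article or from Palo Alto Networks: the records are constructed, the hostname list is a short illustrative sample rather than a vendor signature set, and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484
# Short illustrative list of public DoH hostnames, not a vendor signature set.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed records. "http" is what only a decrypting inspector can see.
SAMPLE = [
    {"sni": "dns.google",
     "http": {"method": "GET", "url": "/dns-query?dns=AAABAAABAAAAAAAA",
              "headers": {"Accept": DOH_MEDIA_TYPE}}},
    {"sni": "cdn.example.net",   # DoH endpoint on a hostname not in the list
     "http": {"method": "POST", "url": "/q",
              "headers": {"Content-Type": DOH_MEDIA_TYPE}}},
    {"sni": "www.example.org",   # ordinary page that happens to use ?dns=
     "http": {"method": "GET", "url": "/index.html?dns=off",
              "headers": {"Accept": "text/html"}}},
]


def doh_by_sni(rec):
    """Without decryption only the TLS server name is available."""
    return rec["sni"].lower().rstrip(".") in KNOWN_DOH_SNI


def doh_by_http(rec):
    """With decryption the RFC 8484 request shape is visible on any host."""
    http = rec["http"]
    headers = {k.lower(): v.lower() for k, v in http["headers"].items()}
    if http["method"] == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip()
        return ctype == DOH_MEDIA_TYPE
    if http["method"] == "GET":
        # Accept is only a SHOULD in RFC 8484, so this is a conservative match.
        has_dns = "dns" in parse_qs(urlsplit(http["url"]).query)
        return has_dns and DOH_MEDIA_TYPE in headers.get("accept", "")
    return False


def coverage(records):
    """Return the server names flagged by each view, in input order."""
    by_sni = [r["sni"] for r in records if doh_by_sni(r)]
    by_http = [r["sni"] for r in records if doh_by_http(r)]
    return by_sni, by_http
```

The name-only view flags just the listed resolver, while the decrypted view also flags the DoH request sent to the unlisted hostname and still ignores the ordinary page.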

DNS over TLS (DoT)

DNS inside TLS

While the DoH protocol tends to mix with other traffic on the same port, DoT instead defaults to a special port reserved for that sole purpose, and even specifically disallows that port from being used by traditional unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with traffic using the well-known port 853 (section of RFC 7858). The DoT protocol was designed to make it easier for organizations to block traffic on the port, or to accept the traffic but enable decryption on that port.

Risks associated with DoT

Google has implemented DoT in its client for Android 9 Pie and later, with the default setting to use DoT automatically if it is available. If you have assessed the risks and are ready to use DoT at the organizational level, then you need to have network administrators explicitly allow outbound traffic on port 853 through their perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As a best practice for DoT control, we recommend any of the following, based on your organization's requirements:

  • Configure the NGFW to decrypt all traffic for destination port 853. Once the traffic is decrypted, DoT will appear as a DNS application to which you can apply any action, such as enabling a Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing and anti-spyware.

  • Alternatively, have the App-ID engine completely block 'dns-over-tls' traffic on port 853. This is usually blocked by default, and no action is required (unless you have specifically allowed the 'dns-over-tls' application or traffic on port 853).

Source: www.habr.com