Minimizing the risks of using DoH and DoT
DoH and DoT security
Do you control your DNS traffic? Organizations invest a great deal of time, money, and effort in securing their networks. However, one area that often does not get enough attention is DNS.
A good overview of the risks posed by DNS is
31% of the ransomware classes examined used DNS for key exchange. Findings of the study
The problem is serious. According to the Palo Alto Networks Unit 42 research lab, approximately 85% of malware uses DNS to establish a command and control channel, allowing attackers to easily inject malware into your network as well as steal data. Since its inception, DNS traffic has been unencrypted and can be easily analyzed by NGFW security mechanisms.
New DNS protocols have emerged that aim to increase the privacy of DNS connections. They are actively supported by the leading browser vendors and other software vendors. Encrypted DNS traffic will soon start to grow in corporate networks. Encrypted DNS traffic that is not properly analyzed and handled by security tools poses a security risk to a company. One example of such a threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data. For example, Garmin paid 10 million dollars.
When properly configured, NGFWs can deny or secure the use of DNS-over-TLS (DoT) and can be used to deny the use of DNS-over-HTTPS (DoH), allowing all DNS traffic on your network to be analyzed.
What is encrypted DNS?
What is DNS
The Domain Name System (DNS) resolves human-readable names (for example, the address
DNS queries and responses are sent over the network in clear text, unencrypted, which leaves them open to eavesdropping or to modification of the response so that the browser is redirected to malicious servers. DNS encryption makes it harder for DNS requests to be tracked or changed in transit. Encrypting DNS requests and responses protects you from Man-in-the-Middle attacks while performing the same function as the traditional plaintext DNS (Domain Name System) protocol.
In the past few years, two DNS encryption protocols have been introduced:
- DNS-over-HTTPS (DoH)
- DNS-over-TLS (DoT)
These protocols have one thing in common: they deliberately hide DNS requests from any interception ... and from the organization's security staff as well. The protocols primarily use TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving the DNS queries, over a port that is not normally used for DNS traffic.
The privacy of DNS queries is a big plus of these protocols. However, they create problems for the security staff who must monitor network traffic and detect and block malicious connections. Because the protocols differ in their implementation, the methods of analysis will differ between DoH and DoT.
DNS over HTTPS (DoH)
DNS inside HTTPS
DoH uses the well-known port 443 for HTTPS, for which the RFC explicitly states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection", "make it difficult to analyze DNS traffic" and thus evade corporate controls. (
Risks associated with DoH
If you cannot distinguish normal HTTPS traffic from DoH requests, then applications inside your organization can (and will) bypass local DNS settings by redirecting requests to third-party servers that answer DoH requests, which bypasses any monitoring, that is, destroys the ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.
Ensuring visibility and control of DoH traffic
As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).
First, make sure the NGFW is configured to decrypt HTTPS, according to
Second, create a rule for the "dns-over-https" application traffic as shown below:
Palo Alto Networks NGFW rule to block DNS-over-HTTPS
As an interim alternative (if your organization has not fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect will be limited to blocking certain well-known DoH servers by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (see
DNS over TLS (DoT)
DNS inside TLS
While the DoH protocol tends to mix with other traffic on the same port, DoT instead defaults to using a port reserved for that sole purpose, even specifically disallowing the same port from being used by traditional unencrypted DNS traffic.
The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with the traffic using the well-known port 853 (
Risks associated with DoT
Google has implemented DoT in its client
Ensuring visibility and control of DoT traffic
As a best practice for controlling DoT, we recommend any of the following, based on your organization's requirements:
- Configure the NGFW to decrypt all traffic for destination port 853. Once the traffic is decrypted, DoT will appear as a DNS application to which you can apply any action, such as enabling the Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing and anti-spyware.
- An alternative is to have the App-ID engine completely block 'dns-over-tls' traffic on port 853. This is usually blocked by default, and no action is required (unless you have specifically allowed the 'dns-over-tls' application or port 853 traffic).
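Why decryption restores visibility for both protocols, shown as an added example (not from the original article or from Palo Alto Networks): once the TLS layer is removed, a DoH request (RFC 8484) and a DoT stream (RFC 7858) both carry an ordinary wire-format DNS message whose question name can be read and checked against policy. The function names, the host resolver.example and the queried names are assumptions made for the illustration, and the inputs are assumed to be already-decrypted data.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

def qname(msg: bytes):
    """First question name of a wire-format DNS message, or None if malformed."""
    if msg[4:6] in (b"", b"\x00\x00"):  # QDCOUNT == 0: no question to read
        return None
    labels, pos = [], 12  # the question follows the 12-byte header
    while pos < len(msg) and msg[pos] <= 63 and pos + 1 + msg[pos] <= len(msg):
        if msg[pos] == 0:
            return ".".join(labels) or "."
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return None

def doh_query(method: str, url: str, headers: dict, body: bytes = b""):
    """Decrypted HTTP request (lower-case header keys) -> queried name, or None if not DoH."""
    if method == "POST" and headers.get("content-type") == "application/dns-message":
        return qname(body)  # POST carries the raw message as the body
    b64 = parse_qs(urlsplit(url).query).get("dns", [""])[0]
    if method != "GET" or not b64:
        return None
    try:  # GET carries the message as unpadded base64url in ?dns=
        return qname(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    except ValueError:
        return None

def dot_queries(stream: bytes) -> list:
    """Decrypted DoT stream -> queried names; each message has a 2-byte length prefix."""
    names, pos = [], 0
    while pos + 2 <= len(stream):
        (size,) = struct.unpack_from("!H", stream, pos)
        msg = stream[pos + 2:pos + 2 + size]
        if len(msg) < size:
            break  # capture ends mid-message
        names.append(qname(msg))
        pos += 2 + size
    return [n for n in names if n]

def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal A/IN query for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    q = build_query("c2.example.net")  # constructed name
    dns = base64.urlsafe_b64encode(q).rstrip(b"=").decode()
    print(doh_query("GET", "https://resolver.example/dns-query?dns=" + dns, {}))
    print(dot_queries(struct.pack("!H", len(q)) + q))
```

The extracted names are what a DNS policy (sinkhole list, DGA detection) would then be applied to; without the decryption step neither function has anything to parse.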
Source: www.habr.com