Mitigating the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)


DoH and DoT security

Do you control your DNS traffic? Organizations invest a great deal of time, money and effort in securing their networks. One area that rarely receives adequate attention, however, is DNS.

A good overview of the risks that DNS introduces is Verisign's presentation at the Infosecurity conference.

[Image: 31% of the ransomware families studied used DNS for key exchange. Research findings]

31% of the ransomware families analysed used DNS for key exchange.

The problem is serious. According to the Palo Alto Networks Unit 42 research lab, roughly 85% of malware uses DNS to establish a command-and-control channel, allowing attackers to easily deliver malware into your network and to steal data. Since its inception, DNS traffic has been unencrypted and can be analysed easily by NGFW security systems.

New DNS protocols have emerged with the goal of increasing the privacy of DNS connections. They are actively supported by the leading browser vendors and other software vendors. Encrypted DNS traffic will soon start to grow in corporate networks. Encrypted DNS traffic that is not properly analysed and resolved by security tools poses a risk to the company. One example of such a threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data; Garmin, for example, paid ten million dollars.

When properly configured, NGFWs can block or otherwise control the use of DNS-over-TLS (DoT) and can be used to block the use of DNS-over-HTTPS (DoH), allowing all DNS traffic on your network to be analysed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable names (for example, the address www.paloaltonnetworks.com) to IP addresses (for example, 34.107.151.202). When a user enters a domain name in a web browser, the browser sends a DNS query to a DNS server, asking for the IP address associated with that domain name. In response, the DNS server returns the IP address, which the browser then uses.

DNS queries and responses are sent across the network in clear text, unencrypted, which makes them vulnerable to eavesdropping and to tampering with responses in order to redirect the browser to malicious servers. DNS encryption makes it harder to track or alter DNS requests in transit. Encrypting DNS requests and responses protects you from Man-in-the-Middle attacks while performing the same function as the traditional clear-text DNS (Domain Name System) protocol.

In the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception... and from the organization's own security staff as well. Both protocols primarily use TLS (Transport Layer Security) to establish an encrypted connection between the client issuing queries and the server resolving DNS queries, over a port not normally used for DNS traffic.

The privacy of DNS queries is a major advantage of these protocols. However, they create problems for security staff who must monitor network traffic and detect and block malicious connections. Because the protocols differ in their implementation, the analysis methods also differ between DoH and DoT.

DNS over HTTPS (DoH)

[Image: DNS inside HTTPS]

DoH uses the well-known HTTPS port 443, and the RFC states explicitly that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection" and to "make DNS traffic analysis difficult", thereby evading corporate controls (RFC 8484 DoH Section 8.1). The DoH protocol uses TLS encryption and the request syntax provided by the standard HTTPS and HTTP/2 specifications, carrying DNS requests and responses on top of ordinary HTTP requests.

Risks associated with DoH

If you cannot distinguish ordinary HTTPS traffic from DoH requests, then requests inside your organization can (and will) bypass local DNS settings by sending queries to third-party servers that answer DoH requests. These bypass any monitoring, which means you lose the ability to control that DNS traffic. Ideally, you should control DoH using HTTPS decryption features.

Both Google and Mozilla have implemented DoH capabilities in the latest versions of their browsers, and both companies are working on using DoH by default for all DNS requests. Microsoft is also making plans to integrate DoH into its operating systems. Unfortunately, it is not only reputable software companies but also attackers who have started using DoH as a way to bypass traditional corporate firewall measures. (For example, see the following articles: PsiXBot now uses Google DoH, PsiXBot continues to evolve with updated DNS infrastructure, and Godlua backdoor analysis.) Either way, both benign and malicious DoH traffic will go unnoticed, leaving the organization blind to malicious use of DoH as a malware control channel (C2) and for exfiltration of sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and to block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured to decrypt HTTPS, following the decryption best practices guide.

Second, create a rule for the "dns-over-https" application traffic as shown below:

[Image: Palo Alto Networks NGFW rule blocking DNS-over-HTTPS]

As a short-term alternative (if your organization has not fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect is limited to blocking certain well-known DoH servers by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").
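The two detection handles discussed in this section and in the DoT section below (the dedicated port 853 for DoT; a server-name list versus a decrypted HTTP layer for DoH) can be run over connection logs. The example below is added here and is not code from the article or from Palo Alto Networks; the record fields, the resolver host names and the log lines are all constructed.

```python
import json
from collections import Counter

# Constructed placeholder list. In practice this is the kind of name list behind
# a signature such as 'dns-over-https', which can only match well-known resolvers.
KNOWN_DOH_HOSTS = {"doh.resolver-a.example", "dns.resolver-b.example"}

def classify(rec):
    """Classify one connection record. Fields (constructed): dport, sni (TLS
    ClientHello server name) and, only when the session was decrypted,
    http_path and http_content_type."""
    if rec["dport"] == 53:
        return "dns"                      # clear-text DNS, fully inspectable
    if rec["dport"] == 853:
        return "dns-over-tls"             # dedicated DoT port (RFC 7858)
    if rec["dport"] == 443:
        # With decryption the DNS message is visible in the HTTP layer (RFC 8484).
        if rec.get("http_content_type") == "application/dns-message":
            return "dns-over-https"
        # Without decryption the only handle is the server name.
        if rec.get("sni") in KNOWN_DOH_HOSTS:
            return "dns-over-https (by name)"
        return "https"                    # indistinguishable from web browsing
    return "other"

def summarize(log_lines, decrypted=True):
    """Count classifications; decrypted=False simulates a firewall that does
    not decrypt HTTPS by dropping the HTTP-layer fields before classifying."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if not decrypted:
            rec = {k: v for k, v in rec.items() if not k.startswith("http_")}
        counts[classify(rec)] += 1
    return counts

SAMPLE_LOG = [  # constructed records, not real traffic
    '{"src":"10.0.0.5","dst":"10.0.0.2","dport":53}',
    '{"src":"10.0.0.5","dst":"203.0.113.10","dport":853,"sni":"dot.resolver-a.example"}',
    '{"src":"10.0.0.7","dst":"203.0.113.20","dport":443,"sni":"doh.resolver-a.example"}',
    '{"src":"10.0.0.7","dst":"203.0.113.30","dport":443,"sni":"cdn.shop.example"}',
    '{"src":"10.0.0.9","dst":"203.0.113.40","dport":443,"sni":"unlisted.example",'
    '"http_path":"/dns-query","http_content_type":"application/dns-message"}',
]

if __name__ == "__main__":
    print("with decryption:   ", dict(summarize(SAMPLE_LOG, decrypted=True)))
    print("without decryption:", dict(summarize(SAMPLE_LOG, decrypted=False)))
```

The last record is DoH to a resolver not on the name list: it is caught only when the session is decrypted, which is the limitation the paragraph above describes.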

DNS over TLS (DoT)

[Image: DNS inside TLS]

Whereas the DoH protocol seeks to blend in with other traffic on the same port, DoT by default uses a port reserved for that purpose, and even prohibits that port from being used by traditional unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with the traffic using the well-known port 853 (RFC 7858 Section 6). The DoT protocol is designed to make it easy for organizations either to block traffic on that port, or to accept the traffic but enable decryption on that port.
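To make the two encapsulations concrete, the added example below (not code from the article or from either RFC's authors) builds one clear-text DNS query and frames the same bytes as DoT sends them on port 853 (RFC 7858) and as DoH carries them in an HTTPS request (RFC 8484); it also shows what an inspection device recovers once the carrier is visible. The query name, the DoH host name and the path are constructed values.

```python
import struct

def build_dns_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query in wire format (RFC 1035), exactly what a
    clear-text resolver receives over UDP/53. qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def frame_dot(msg):
    """DoT (RFC 7858): the DNS message travels inside a TLS session on TCP/853,
    framed with the same 2-byte big-endian length prefix as DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg

def unframe_dot(stream):
    """Inverse of frame_dot: what a decrypting inspection device sees on port 853."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def frame_doh_post(msg, host="doh.example", path="/dns-query"):
    """DoH (RFC 8484): the identical DNS message is the body of an HTTPS request with
    Content-Type application/dns-message on TCP/443, alongside ordinary web traffic.
    HTTP/1.1 text form is used here for readability; real clients use HTTP/2."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return headers.encode("ascii") + msg

def qname_from_query(msg):
    """Recover the queried name from a wire-format DNS message: the value an NGFW can
    log only when the carrier (UDP/53, decrypted DoT or decrypted DoH) is visible."""
    pos, labels = 12, []          # question section starts after the 12-byte header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    q = build_dns_query("www.example.com")          # constructed query name
    print(len(q), "bytes; DoT prefix", frame_dot(q)[:2].hex())
    print(frame_doh_post(q).split(b"\r\n")[0], "->", qname_from_query(q))
```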

Risks associated with DoT

Google has implemented DoT in its Android client from Android 9 Pie onwards, with a default setting that uses DoT automatically when it is available. If you have assessed the risks and are ready to use DoT at the organization level, then your network administrators must explicitly allow outbound traffic on port 853 through the perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As best practice for controlling DoT, we recommend either of the following, depending on your organization's requirements:

  • Configure the NGFW to decrypt all traffic on port 853. Once the traffic is decrypted, DoT appears as the DNS application, to which you can apply any action, such as enabling logging, Palo Alto Networks DNS Security to control DGA domains, or your existing DNS Sinkholing and anti-spyware policies.

  • Alternatively, have the App-ID engine block 'dns-over-tls' traffic on port 853 outright. This is usually blocked by default, so no action is needed (unless you have explicitly allowed the 'dns-over-tls' application or port 853 traffic).

Source: www.habr.com
