DNS Security Guide


Whatever a company does, DNS security should be an integral part of its security plan. Name services, which resolve host names to IP addresses, are used by virtually every application and service on the network.

If an attacker gains control of an organization's DNS, they can easily:

  • hand themselves control of publicly shared resources
  • redirect incoming email as well as web requests and authentication attempts
  • create and validate SSL/TLS certificates

This guide looks at DNS security from two angles:

  1. Performing continuous monitoring and control over DNS
  2. How new DNS protocols such as DNSSEC, DoH and DoT can help protect the integrity and confidentiality of transmitted DNS requests

What is DNS security?

The concept of DNS security includes two important components:

  1. Ensuring the overall integrity and availability of the DNS services that resolve host names to IP addresses
  2. Monitoring DNS activity to identify possible security issues anywhere on your network

Why is DNS vulnerable to attack?

DNS technology was created in the early days of the Internet, long before anyone even started thinking about network security. DNS operates without authentication or encryption, blindly resolving requests from any user.

Because of this, there are many ways to deceive the user and falsify information about where the resolution of names to IP addresses actually takes place.

DNS Security: Issues and Components

DNS security consists of several basic components, each of which must be taken into account to ensure complete protection:

  • Strengthening server security and management procedures: increase the level of server security and create a standard commissioning template
  • Protocol improvements: implement DNSSEC, DoT or DoH
  • Analytics and reporting: add the DNS event log to your SIEM system for additional context when investigating incidents
  • Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
  • Automation: create as many scripts as possible to automate processes

The high-level components mentioned above are just the tip of the DNS security iceberg. In the next section, we will dive into more specific use cases and best practices you need to know about.

DNS attacks

  • DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache and redirect users to another location
  • DNS tunneling: mostly used to bypass remote connection protections
  • DNS hijacking: redirecting normal DNS traffic to a different target DNS server by changing the domain registrar
  • NXDOMAIN attack: conducting a DDoS attack on an authoritative DNS server by sending illegitimate domain queries to obtain a forced response
  • Phantom domain: causes the DNS resolver to wait for a response from non-existent domains, resulting in poor performance
  • Attack on a random subdomain: compromised hosts and botnets launch a DDoS attack against a valid domain, but focus their fire on fake subdomains to force the DNS server to look up records and take over control of the service
  • Domain blocking: sending numerous spam responses to block DNS server resources
  • Botnet attack from subscriber equipment: a collection of computers, modems, routers and other devices that concentrate computing power on a specific website to overload it with traffic requests

Attacks that use DNS to attack other systems (i.e., changing DNS records is not the end goal):

  • Fast-Flux
  • Single Flux Networks
  • Double Flux Networks
  • DNS tunneling

Attacks that cause the IP address the attacker wants to be returned from the DNS server:

  • DNS spoofing or cache poisoning
  • DNS hijacking

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know the full details of each individual DNS request.

DNSSEC uses digital signature key pairs (PKI) to verify whether the answer to a domain name query came from a valid source.
Implementing DNSSEC is not only an industry best practice, it is also effective in preventing most DNS attacks.

How DNSSEC works

DNSSEC works similarly to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:

  1. DNS records are signed with a public-private key pair
  2. Responses to DNSSEC queries contain the requested record as well as the signature and the public key
  3. The public key is then used to compare the authenticity of the record and the signature

DNS and DNSSEC Security

DNSSEC is a tool for checking the integrity of DNS queries. It does not affect DNS privacy. In other words, DNSSEC can give you confidence that the answer to your DNS query has not been tampered with, but any attacker can see those results as they were sent to you.

DoT - DNS over TLS

Transport Layer Security (TLS) is a cryptographic protocol for protecting information transmitted over a network connection. Once a secure TLS connection is established between the client and the server, the transmitted data is encrypted and no intermediary can see it.

TLS is most commonly used as part of HTTPS (SSL) in your web browser, as requests are sent to secure HTTP servers.

DNS-over-TLS (DNS over TLS, DoT) uses the TLS protocol to encrypt the UDP traffic of regular DNS requests.
Encrypting these otherwise plain-text requests helps protect the users or applications making them from several attacks.

  • MitM, or "man in the middle": Without encryption, an intermediate system between the client and the authoritative DNS server can send false or harmful information to the client in response to a request.
  • Espionage and tracking: Without encryption of requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone does not reveal the specific page being visited on a website, simply knowing the requested domains is enough to build a profile of a system or an individual.

Source: University of California Irvine

DoH - DNS over HTTPS

DNS-over-HTTPS (DNS over HTTPS, DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goals are similar to those of the DoT protocol: improving people's privacy online by encrypting DNS requests and responses.

Standard DNS queries are sent over UDP. Requests and responses can be tracked using tools such as Wireshark. DoT encrypts these requests, but they are still identified as fairly distinct UDP traffic on the network.

DoH takes a different approach and sends encrypted name resolution requests over HTTPS connections, which look like any other web request on the network.

This difference has very important implications both for system administrators and for the future of name resolution.

  1. DNS filtering is a common way to filter web traffic to protect users from phishing attacks, sites that distribute malware, or other potentially harmful Internet activity on a corporate network. The DoH protocol bypasses these filters, potentially exposing users and the network to greater risk.
  2. In the current name resolution model, every device on the network more or less gets its DNS queries resolved from the same location (the specified DNS server). DoH, and in particular Firefox's implementation of it, shows that this may change in the future. Each application on a computer may receive data from different DNS sources, making troubleshooting, security, and risk modeling much more complex.

Source: www.varonis.com/blog/what-is-powershell

What is the difference between DNS over TLS and DNS over HTTPS?

Let's start with DNS over TLS (DoT). The main point here is that the original DNS protocol is not changed, but simply transmitted securely over a secure channel. DoH, on the other hand, puts DNS into HTTP format before making requests.

DNS Monitoring Alerts

The ability to effectively monitor DNS traffic on your network for suspicious anomalies is critical for early detection of a breach. Using a tool like Varonis Edge gives you the ability to stay on top of all the important metrics and create profiles for every account on your network. You can configure alerts to be generated as a result of a combination of actions occurring over a specific period of time.

Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and after-hours activity are just a few of the metrics that can be correlated to build a broader detection picture.
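One way to correlate several DNS metrics over a log window, as an added example that is not part of the original guide or of Varonis Edge: it flags clients with a high NXDOMAIN ratio and clients sending many long, high-entropy labels under one parent domain. The log format, sample lines and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "time client qname qtype rcode"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A NOERROR
10:00:02 10.0.0.5 mail.example.com MX NOERROR
10:00:03 10.0.0.9 a9f3k2l0q8z7x1c5v4b6n2m8.t.tunnel.test TXT NOERROR
10:00:03 10.0.0.9 p0o9i8u7y6t5r4e3w2q1a5s7.t.tunnel.test TXT NOERROR
10:00:04 10.0.0.9 z1x2c3v4b5n6m7a8s9d0f1g2.t.tunnel.test TXT NOERROR
10:00:05 10.0.0.7 qwkd.shop.example.org A NXDOMAIN
10:00:05 10.0.0.7 zpfa.shop.example.org A NXDOMAIN
10:00:05 10.0.0.7 mmxe.shop.example.org A NXDOMAIN
10:00:06 10.0.0.7 shop.example.org A NOERROR
"""

def entropy(label: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def analyse(log: str, min_queries=3, nx_ratio=0.7, min_len=20, min_entropy=3.5):
    """Return {client: set of findings}; thresholds are illustrative assumptions."""
    total, nxdomain = Counter(), Counter()
    long_labels = defaultdict(set)  # (client, parent domain) -> suspicious first labels
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing the whole window
        _, client, qname, _, rcode = fields
        total[client] += 1
        nxdomain[client] += rcode == "NXDOMAIN"
        first, _, parent = qname.lower().rstrip(".").partition(".")
        if len(first) >= min_len and entropy(first) >= min_entropy:
            long_labels[(client, parent)].add(first)
    findings = defaultdict(set)
    for client, count in total.items():
        # Many failed lookups from one client: NXDOMAIN or random-subdomain pattern
        if count >= min_queries and nxdomain[client] / count >= nx_ratio:
            findings[client].add("nxdomain-burst")
    for (client, parent), labels in long_labels.items():
        # Many distinct encoded-looking labels under one parent: tunneling pattern
        if len(labels) >= min_queries:
            findings[client].add(f"possible-tunnel:{parent}")
    return dict(findings)

if __name__ == "__main__":
    for client, found in analyse(SAMPLE_LOG).items():
        print(client, sorted(found))
```
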

Source: www.habr.com
