Likes and dislikes: DNS over HTTPS

We analyze the opinions about the features of DNS over HTTPS, which has recently become a "bone of contention" between internet providers and browser developers.


The essence of the dispute

Recently, major media outlets and topical platforms (including Habr) have often written about the DNS over HTTPS (DoH) protocol. It encrypts requests to the DNS server and the responses to them. This approach lets you hide the names of the hosts the user visits. From the publications we can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One half believes that the new protocol will improve internet security and is implementing it in its applications and services. The other half is convinced that the technology only makes the work of system administrators harder. Next, we analyze the arguments of both sides.

How DoH works

Before getting into why ISPs and other market participants are for or against DNS over HTTPS, let us briefly look at how it works.

With DoH, the request to resolve an IP address is encapsulated in HTTPS traffic. It then goes to an HTTP server, where it is processed through an API. Here is an example request from RFC 8484 (page 6):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

Thus, DNS traffic is hidden inside HTTPS traffic. The client and the server communicate over the standard port 443. As a result, requests to the domain name system stay confidential.
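An added example (not part of the original article or of RFC 8484): decoding the `dns` parameter of the GET request above shows that it is an ordinary DNS wire-format query, which is exactly what a DoH server or a TLS-inspecting proxy recovers from it. The names `decode_doh_get`, `RFC8484_PATH` and `QTYPES` are chosen for this example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Request path from the RFC 8484 example quoted above, joined onto one line.
RFC8484_PATH = (
    "/dns-query?dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl"
    "bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z"
    "dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ"
)
QTYPES = {1: "A", 16: "TXT", 28: "AAAA"}  # small subset for readable output


def decode_doh_get(path):
    """Decode the `dns` parameter of a DoH GET path into the DNS question."""
    params = parse_qs(urlsplit(path).query)
    if "dns" not in params:
        raise ValueError("no dns= parameter")
    b64 = params["dns"][0]
    # RFC 8484 uses base64url without padding; restore it before decoding.
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length, pos = msg[pos], pos + 1
        if length == 0:  # root label ends the name
            break
        if length > 63:  # pointer or reserved label type, not valid here
            raise ValueError("unexpected label type")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": msg_id, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": QTYPES.get(qtype, str(qtype)), "qclass": qclass}


if __name__ == "__main__":
    print(decode_doh_get(RFC8484_PATH))
```

The 62-character label in the RFC example is there to force a `-` into the encoding, which is why plain base64 decoding would not handle it.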

Why not in favor?

Opponents of DNS over HTTPS say that the new protocol will reduce connection security. According to Paul Vixie, a member of the DNS development team, it will make it harder for system administrators to block malicious sites. Ordinary users will lose the ability to set up conditional parental controls in browsers.

Paul's view is shared by UK internet providers. The country's law obliges them to block resources with prohibited content. But DoH support in browsers complicates the task of filtering traffic. Critics of the new protocol also include England's Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains the register of blocked resources.


Experts note that DNS over HTTPS can become a threat to internet security. In early July, information security specialists from Netlab discovered the first virus to use the new protocol to carry out DDoS attacks: Godlua. The malware accessed DoH to retrieve text (TXT) records and extract the URLs of its command-and-control servers.

The encrypted DoH requests were not recognized by antivirus software. Information security specialists fear that Godlua will be followed by other malware that is invisible to passive DNS monitoring.

But not everyone is against it

APNIC engineer Geoff Huston spoke out on his blog in defense of DNS over HTTPS. According to him, the new protocol will make it possible to fight DNS hijacking attacks, which have become increasingly common of late. This fact is confirmed by the January report of the cybersecurity company FireEye. Large IT companies have also supported the development of the protocol.

Early last year, DoH began to be tested at Google. And a month ago the company introduced the General Availability version of its DoH service. Google hopes that it will increase the security of personal data on the network and protect against MITM attacks.

Another browser developer, Mozilla, has supported DNS over HTTPS since last summer. At the same time, the company is actively promoting the new technology in the IT community. For this, the Internet Services Providers' Association (ISPA) even nominated Mozilla for the "Internet Villain of the Year" award. In response, company representatives noted that they were disappointed by the reluctance of telecom operators to improve outdated internet infrastructure.


Major media outlets and some internet providers spoke out in support of Mozilla. In particular, British Telecom believes that the new protocol will not affect content filtering and will improve the security of UK users. Under public pressure, ISPA had to withdraw the "Villain" nomination.

Cloud providers, Cloudflare for example, have also advocated the introduction of DNS over HTTPS. They already offer DNS services based on the new protocol. A complete list of browsers and clients that support DoH can be found on GitHub.

In any case, there is no talk yet of an end to the confrontation between the two sides. IT experts predict that if DNS over HTTPS is destined to become part of the standard internet technology stack, it will take more than a decade.


Source: www.habr.com
