Mitigating the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)


Protecting against DoH and DoT

Do you control your DNS traffic? Organizations invest a great deal of time, money and effort in securing their networks. Yet one area that often receives too little attention is DNS.

A good overview of the risks that DNS introduces is the presentation given at the Infosecurity conference.


[Figure: study results. 31% of the surveyed ransomware families used DNS for key exchange.]

The problem is serious. According to the Palo Alto Networks Unit 42 research lab, nearly 85% of malware uses DNS to establish a command-and-control channel, which lets attackers easily inject malware into your network and exfiltrate data. Since its inception, DNS traffic has been largely unencrypted and can be analyzed easily by the security mechanisms of an NGFW.

New DNS protocols have emerged whose purpose is to increase the confidentiality of DNS connections. They are actively supported by the leading browser vendors and other software vendors. Encrypted DNS traffic will soon begin to grow in corporate networks. Encrypted DNS traffic that your tools cannot properly analyze and resolve poses a security risk to the company. One example of such a risk is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data. Garmin, for example, paid $10 million.

When properly configured, NGFWs can block or decrypt DNS-over-TLS (DoT) and can be used to block DNS-over-HTTPS (DoH), so that all DNS traffic on your network can be analyzed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, www.paloaltonetworks.com) to IP addresses (for example, 34.107.151.202). When a user types a domain name into a web browser, the browser sends a DNS query to a DNS server asking for the IP address associated with that domain name. In response, the DNS server returns the IP address that the browser will then use.

DNS queries and responses are sent over the network in clear text, unencrypted, which makes them vulnerable to eavesdropping and to tampering with the response, redirecting the browser to malicious servers. Encrypting DNS makes DNS requests harder to monitor or modify in transit. Encrypting DNS requests and responses protects against man-in-the-middle attacks while providing the same functionality as the traditional plaintext DNS protocol.

Over the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception ... including from the organization's own security controls. The protocols mainly use TLS (Transport Layer Security) to establish an encrypted connection between the client issuing the queries and the server resolving them, on a port that is not normally used for DNS traffic.

The confidentiality of DNS queries is a big advantage of these protocols. However, they create problems for security teams, who must monitor network traffic and detect and block malicious connections. Because the protocols differ in how they are implemented, the analysis methods differ between DoH and DoT.

DNS over HTTPS (DoH)

[Figure: DNS inside HTTPS]

DoH uses the well-known HTTPS port 443, and the RFC explicitly states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection" and to "make it difficult to analyze DNS traffic", thereby bypassing corporate controls (RFC 8484, DoH Section 8.1). The DoH protocol uses the TLS encryption and request syntax provided by the standard HTTPS and HTTP/2 specifications, adding DNS queries and responses on top of ordinary HTTP requests.

Risks associated with DoH

If you cannot distinguish ordinary HTTPS traffic from DoH requests, then applications inside your organization can (and will) bypass local DNS settings by redirecting their queries to third-party servers that answer DoH requests, which evades all monitoring and thus destroys your ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.

Both Google and Mozilla have implemented DoH capabilities in the latest versions of their browsers, and both companies are working to use DoH by default for all DNS requests. Microsoft is also developing plans to integrate DoH into its operating systems. The downside is that not only reputable software companies but also attackers have started using DoH to bypass corporate firewall controls. (For example, see the following articles: PsiXBot now uses Google DoH, PsiXBot continues to evolve with updated DNS infrastructure, and Godlua backdoor analysis.) In both cases, legitimate and malicious DoH traffic alike go undetected, leaving the organization blind to malicious use of DoH as a malware command-and-control (C2) channel and for exfiltration of sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured to decrypt HTTPS according to the decryption best practices guide.

Second, create a rule for the "dns-over-https" application traffic as shown below:

[Figure: Palo Alto Networks NGFW rule to block DNS-over-HTTPS]

As a temporary alternative (if your organization has not fully deployed HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" application ID, but the effect will be limited to blocking some well-known DoH servers by their domain names, since without HTTPS decryption DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").

DNS over TLS (DoT)

[Figure: DNS inside TLS]

Whereas the DoH protocol tends to blend in with other traffic on the same port, DoT by default uses a dedicated port reserved for this sole purpose, and even explicitly forbids using that same port for traditional unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with the traffic using the well-known port 853 (RFC 7858, Section 6). The DoT protocol was designed to make it easy for organizations either to block traffic on that port, or to accept the traffic but enable decryption on that port.
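To make the two encapsulations concrete, here is an added example (not code from the original article or from Palo Alto Networks) that builds one DNS query and shows the DoH form described in the DoH section above (base64url GET parameter and application/dns-message POST body, RFC 8484) next to the DoT form just described (2-byte length prefix on port 853, RFC 7858). The resolver host doh.example is a placeholder; the DNS message is constructed inline and no network access is needed.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    # Minimal RFC 1035 query: header (RD flag set, one question), QNAME, QTYPE, QCLASS=IN.
    # RFC 8484 suggests txid 0 so that identical DoH queries are HTTP-cacheable.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(msg: bytes, resolver_url: str) -> str:
    # RFC 8484 s4.1, GET form: the message travels as unpadded base64url in the "dns" parameter.
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    # RFC 8484 s4.1, POST form: raw message as the body, media type application/dns-message.
    # Written as HTTP/1.1 text for readability; real DoH normally runs HTTP/2 inside TLS.
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

def dot_frame(msg: bytes) -> bytes:
    # RFC 7858 s3.3: over TLS on port 853 each DNS message is prefixed with a 2-byte length.
    return struct.pack("!H", len(msg)) + msg

def parse_dot_frames(stream: bytes) -> list:
    # Split a decrypted DoT byte stream back into DNS messages; an inspecting NGFW must
    # do exactly this before it can apply DNS policy. An incomplete trailing frame is left.
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs

if __name__ == "__main__":
    q = build_dns_query("www.paloaltonetworks.com")
    print(doh_get_url(q, "https://doh.example/dns-query"))   # doh.example is a placeholder
    print(doh_post_request(q, "doh.example").split(b"\r\n\r\n")[0].decode("ascii"))
    print(parse_dot_frames(dot_frame(q) + dot_frame(q)) == [q, q])
```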

Risks associated with DoT

Google has implemented a DoT client in Android 9 Pie and later, with the default setting of automatically using DoT when it is available. If you have assessed the risks and are ready to use DoT at the organizational level, then your network administrators need to explicitly allow outbound traffic on port 853 through the perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As a best practice for controlling DoT, we recommend either of the following, depending on your organization's requirements:

  • Configure the NGFW to decrypt all traffic on port 853. Once the traffic is decrypted, DoT appears as a DNS application to which you can apply any action, such as enabling Palo Alto Networks DNS Security to control DGA domains, or existing DNS sinkholing and anti-spyware protections.

  • Alternatively, have the App-ID engine completely block 'dns-over-tls' traffic on port 853. This is usually blocked by default and needs no action (unless you have specifically allowed the 'dns-over-tls' application or port 853 traffic).
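The following added example (not the article's or Palo Alto Networks' code) turns the DoH and DoT recommendations above into a small classifier run over constructed flow records. The `decrypting` flag stands in for HTTPS decryption on the NGFW: with it, DoH is recognised by the application/dns-message media type; without it, only the TLS server name is visible, so DoH is caught only when the resolver name is already known, which is the partial coverage the DoH section warns about. The resolver list and all flow records are constructed for the example.

```python
# Constructed resolver names: a real deployment relies on the firewall's own
# application signatures (App-ID "dns-over-https"), not on a hand-maintained list.
KNOWN_DOH_HOSTS = {"dns.google", "doh.resolver.example"}

def classify_flow(flow: dict, decrypting: bool) -> str:
    """Return 'dot', 'doh' or 'other' for one flow record."""
    if flow["proto"] == "tcp" and flow["dport"] == 853:
        return "dot"          # RFC 7858 reserves port 853 for DoT alone
    if flow["proto"] == "tcp" and flow["dport"] == 443:
        if decrypting and flow.get("content_type") == "application/dns-message":
            return "doh"      # RFC 8484 media type, visible only after decryption
        if flow.get("sni") in KNOWN_DOH_HOSTS:
            return "doh"      # name-based match, works with or without decryption
    return "other"

def policy_action(kind: str, allow_dot: bool) -> str:
    # Mirrors the article's recommendations: deny DoH; either deny DoT or decrypt it
    # so that it is inspected as ordinary DNS.
    if kind == "doh":
        return "deny"
    if kind == "dot":
        return "decrypt-and-inspect" if allow_dot else "deny"
    return "allow"

def evaluate(flows: list, decrypting: bool, allow_dot: bool) -> dict:
    """Map each flow id to its (classification, action) pair."""
    result = {}
    for f in flows:
        kind = classify_flow(f, decrypting)
        result[f["id"]] = (kind, policy_action(kind, allow_dot))
    return result

# Constructed sample flows, not real firewall logs.
FLOWS = [
    {"id": 1, "proto": "tcp", "dport": 853, "sni": "dns.google"},
    {"id": 2, "proto": "tcp", "dport": 443, "sni": "dns.google",
     "content_type": "application/dns-message"},
    {"id": 3, "proto": "tcp", "dport": 443, "sni": "cdn.unknown.example",
     "content_type": "application/dns-message"},   # DoH endpoint on no list
    {"id": 4, "proto": "tcp", "dport": 443, "sni": "www.example.com",
     "content_type": "text/html"},
    {"id": 5, "proto": "udp", "dport": 53},          # plain DNS, already inspectable
]

if __name__ == "__main__":
    for mode in (False, True):
        print("decrypting" if mode else "no decryption", evaluate(FLOWS, mode, allow_dot=False))
```

Flow 3 is the case that matters: it is classified as "other" and allowed unless decryption is on, which is exactly why the article treats name-based blocking as a stopgap.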

Source: www.habr.com
