Minimizing the risks of using DoH and DoT
DoH and DoT protection
Do you control your DNS traffic? Organizations invest a lot of time, money, and effort in securing their networks. However, one area that often does not get enough attention is DNS.
A good overview of the risks that DNS brings is
31% of the ransomware classes studied used DNS for key exchange
The problem is serious. According to the Palo Alto Networks Unit 42 research lab, about 85% of malware uses DNS to establish a command and control channel, which lets attackers easily inject malware into your network and steal data. Since its inception, DNS traffic has been largely unencrypted and can be easily analyzed by NGFW security mechanisms.
New DNS protocols have emerged that aim to increase the confidentiality of DNS connections. They are actively supported by leading browser vendors and other software vendors. Encrypted DNS traffic will soon start to grow in corporate networks. Encrypted DNS traffic that is not properly analyzed and resolved by tools poses a security risk to a company. One such threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data. Garmin, for example, paid 10 million rand.
When properly configured, NGFWs can deny or secure the use of DNS-over-TLS (DoT) and can be used to deny the use of DNS-over-HTTPS (DoH), allowing all DNS traffic on your network to be analyzed.
What is encrypted DNS?
What is DNS
The Domain Name System (DNS) resolves human-readable domain names (for example, the address
DNS queries and responses are generally sent over the network in plaintext, unencrypted, which leaves them open to eavesdropping or to modification of the response so that the browser is redirected to malicious servers. DNS encryption makes it harder for DNS requests to be tracked or altered in transit. Encrypting DNS requests and responses protects you from Man-in-the-Middle attacks while performing the same function as the traditional plaintext DNS (Domain Name System) protocol.
Over the past few years, two DNS encryption protocols have been introduced:
- DNS-over-HTTPS (DoH)
- DNS-over-TLS (DoT)
These protocols have one thing in common: they deliberately hide DNS requests from any interception ... and from the organization's security staff as well. The protocols use TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving the DNS queries, over a port that is not normally used for DNS traffic.
The confidentiality of DNS queries is a big plus of these protocols. However, they create problems for the security staff who must monitor network traffic and detect and block malicious connections. Because the protocols differ in their implementation, the analysis methods differ between DoH and DoT.
DNS over HTTPS (DoH)
DNS inside HTTPS
DoH uses the well-known HTTPS port 443, for which the RFC specifically states that the intent is to "mix DoH traffic with other HTTPS traffic on the same connection", "make it difficult to analyze DNS traffic" and thus circumvent corporate controls. (
Risks associated with DoH
If you cannot distinguish normal HTTPS traffic from DoH requests, then applications within your organization can (and will) bypass local DNS settings by sending requests to third-party servers that answer DoH requests. This bypasses any monitoring, that is, it destroys the ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption functions.
Ensuring visibility and control of DoH traffic
As the best solution for DoH control, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).
First, make sure the NGFW is configured to decrypt HTTPS, according to
Second, create a rule for the "dns-over-https" application traffic as shown below:
Palo Alto Networks NGFW rule to block DNS-over-HTTPS
As an interim alternative (if your organization has not yet fully implemented HTTPS decryption), the NGFW can be configured to apply a "deny" action to the "dns-over-https" App-ID, but the effect will be limited to blocking certain well-known DoH servers by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (see
DNS over TLS (DoT)
DNS inside TLS
While the DoH protocol tends to blend in with other traffic on the same port, DoT instead defaults to a special port reserved for that sole purpose, and even specifically disallows the same port from being used by traditional unencrypted DNS traffic.
The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with traffic using the well-known port 853 (
Risks associated with DoT
Google has implemented DoT in its client
Ensuring visibility and control of DoT traffic
As a best practice for DoT control, we recommend any of the following, based on your organization's requirements:
- Configure the NGFW to decrypt all traffic for destination port 853. Once the traffic is decrypted, DoT appears as a DNS application to which you can apply any action, such as enabling the Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing and anti-spyware.
- An alternative is to have the App-ID engine completely block 'dns-over-tls' traffic on port 853. This is usually blocked by default, so no action is required (unless you specifically allow the 'dns-over-tls' application or port 853 traffic).
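The visibility levels described in the DoH and DoT sections above, as an added Python example (not from the original article or from Palo Alto Networks): a flow is labelled by port 853 for DoT, by hostname only when HTTPS is not decrypted, and by the RFC 8484 request format once it is. The host list, the flow-record layout and all function names are assumptions of this example, and the sample records are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit
# Illustrative, non-exhaustive list of public DoH hostnames (an assumption of this example).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DNS_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def qname_from_wire(msg: bytes) -> str:
    """Return the first question name of a DNS message in wire format."""
    pos, labels = 12, []                      # fixed 12-byte DNS header
    while (length := msg[pos]) != 0:
        if length & 0xC0:                     # no compression pointer in a first question
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) or "."

def doh_query_name(method, url, headers, body=b""):
    """Queried name if a decrypted HTTP request is DoH (RFC 8484), else None."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    try:
        if method == "POST" and hdrs.get("content-type", "").startswith(DNS_MEDIA_TYPE):
            return qname_from_wire(body)
        if method == "GET":
            param = parse_qs(urlsplit(url).query).get("dns")
            if param:                         # base64url, padding stripped by the client
                padded = param[0] + "=" * (-len(param[0]) % 4)
                return qname_from_wire(base64.urlsafe_b64decode(padded))
    except (ValueError, IndexError):          # malformed message: treat as not DoH
        pass
    return None

def classify(flow: dict) -> str:
    """Label a flow record with what is decidable with and without decryption."""
    if flow["dst_port"] == 853:               # DoT has its own well-known port
        return "dot"
    if flow["dst_port"] != 443:
        return "other"
    if "http" in flow:                        # decrypted request is available
        name = doh_query_name(**flow["http"])
        return f"doh:{name}" if name else "https"
    if flow.get("sni") in KNOWN_DOH_HOSTS:    # no decryption: hostname match only
        return "doh-known-host"
    return "https-opaque"                     # may still be DoH to an unlisted resolver

if __name__ == "__main__":
    # Constructed flow records; the GET carries a query for www.example.com.
    q = {"method": "GET", "url": "https://resolver.example/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB", "headers": {}}
    for f in ({"dst_port": 853}, {"dst_port": 443, "sni": "dns.google"}, {"dst_port": 443, "sni": "resolver.example"}, {"dst_port": 443, "http": q}):
        print(classify(f))
```

The third record, an undecrypted flow to an unlisted resolver, comes back as `https-opaque`, while the same resolver is identified along with the queried name once the request is decrypted.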
Source: www.habr.com