Mitigating the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)


DoH and DoT security

Do you control your DNS traffic? Organizations spend a great deal of time, money and effort protecting their networks. One area that still rarely gets enough attention, however, is DNS.

A good summary of the risks that DNS introduces is the Verisign talk at the Infosecurity conference.


31% of the ransomware families examined used DNS for key exchange.

The problem runs deep. According to the Palo Alto Networks Unit 42 research team, about 85% of malware uses DNS to establish a command-and-control channel, which lets attackers easily deliver malware into your network and exfiltrate data. Since its inception, DNS traffic has been largely unencrypted and could be readily analyzed by the security mechanisms of an NGFW.

New DNS protocols have emerged whose goal is to increase the privacy of DNS connections. They are actively promoted by the leading browser vendors and other software vendors, so encrypted DNS traffic will soon grow rapidly in enterprise networks. Encrypted DNS traffic that is not properly analyzed and resolved by security tools poses a security risk to the company. One such threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of many millions of dollars to restore access to your data; Garmin, for example, paid $10 million.

When properly configured, NGFWs can block or control the use of DNS-over-TLS (DoT) and can be used to block the use of DNS-over-HTTPS (DoH), so that all DNS traffic on your network can be analyzed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, www.paloaltonetworks.com) to IP addresses (for example, 34.107.151.202). When a user enters a domain name in a web browser, the browser sends a DNS query to a DNS server asking for the IP address that corresponds to that domain name. In response, the DNS server returns the IP address that the browser will then use.

DNS queries and responses are generally sent across the network in clear text, unencrypted, which makes them vulnerable to eavesdropping or to tampering with the response so that the browser is redirected to malicious servers. Encrypting DNS makes it hard for DNS requests to be tracked or altered in transit. Encrypting DNS requests and responses protects you from man-in-the-middle attacks while performing the same function as the clear-text DNS (Domain Name System) protocol.

In the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception ... including by the organization's own security staff. Both protocols use TLS (Transport Layer Security) to establish an encrypted connection between the client making the queries and the server resolving them, on a port not normally used for DNS traffic.

The privacy of DNS queries is the big advantage of these protocols. However, they create problems for security administrators who must monitor network traffic and detect and block malicious connections. Because the two protocols differ in their implementation, the analysis methods differ between DoH and DoT.

DNS over HTTPS (DoH)

DNS inside HTTPS

DoH uses the well-known HTTPS port 443, and the RFC explicitly states that the intent is "to mix DoH traffic with other HTTPS traffic on the same connection" and "make DNS traffic analysis more difficult", thereby bypassing corporate controls (RFC 8484, DoH Section 8.1). The DoH protocol uses TLS encryption together with the request syntax provided by the common HTTPS and HTTP/2 standards, carrying DNS requests and responses on top of ordinary HTTP requests.
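To make the DoH encapsulation concrete, here is an added example (not code from the original article) that builds a DNS wire-format query, wraps it the way RFC 8484 specifies for a GET request, and shows what an HTTPS-decrypting inspection point can recover from that request. The query name example.com and the header values are constructed sample input.

```python
import base64
import struct
from typing import Optional

DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035): header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: the message goes base64url-encoded, without padding, in 'dns='."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"/dns-query?dns={encoded}"


def parse_qname(message: bytes) -> str:
    """Read the first question name from a DNS wire message (questions use no compression)."""
    pos, labels = 12, []
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def looks_like_doh(method: str, path: str, headers: dict) -> bool:
    """Classify a decrypted HTTP request as DoH from the RFC 8484 media type,
    not from the path: the '/dns-query' path is only a convention."""
    content_type = headers.get("content-type", "").lower()
    accept = headers.get("accept", "").lower()
    if method == "POST" and content_type == DOH_CONTENT_TYPE:
        return True
    return method == "GET" and "dns=" in path and DOH_CONTENT_TYPE in accept


def inspect_doh_get(path: str) -> Optional[str]:
    """What the inspection point learns from a DoH GET once TLS is removed: the queried name."""
    if "?dns=" not in path:
        return None
    param = path.split("?dns=", 1)[1].split("&", 1)[0]
    padded = param + "=" * (-len(param) % 4)  # restore the padding the client stripped
    return parse_qname(base64.urlsafe_b64decode(padded))
```

Without decryption none of this is visible: the firewall sees only a TLS session to port 443, which is exactly the gap the article describes.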

Risks associated with DoH

If you cannot distinguish ordinary HTTPS traffic from DoH requests, then applications inside your organization can (and will) bypass the local DNS settings by sending requests to third-party servers that answer DoH requests, sidestepping any monitoring, that is, destroying your ability to control DNS traffic. Ideally, you should control DoH using HTTPS decryption features.

Google and Mozilla have implemented DoH support in the latest versions of their browsers, and both companies are working toward using DoH by default for all DNS requests. Microsoft is developing plans to integrate DoH into its operating systems. The downside is that not only reputable software companies but also attackers have already started using DoH as a way to bypass traditional corporate firewall controls. (For example, see the following articles: PsiXBot now uses Google DoH, PsiXBot continues to evolve with updated DNS infrastructure, and Godlua backdoor analysis.) In any case, both legitimate and malicious DoH traffic will go undetected, leaving the organization blind to malicious use of DoH as a malware command-and-control (C2) channel and to exfiltration of sensitive data.

Ensuring visibility and control of DoH traffic

As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and to block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured for HTTPS decryption according to the decryption best practices guide.

Second, create a rule for the "dns-over-https" application traffic as shown below:

Palo Alto Networks NGFW rule to block DNS-over-HTTPS

As a temporary alternative (if your organization has not yet fully implemented HTTPS decryption), the NGFW can be configured to apply the "deny" action to the "dns-over-https" application ID, but the effect is limited to blocking certain well-known DoH servers by their domain name, because without HTTPS decryption DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").

DNS over TLS (DoT)

DNS inside TLS

While the DoH protocol tends to mix with other traffic on the same port, DoT instead defaults to a dedicated port reserved for that purpose alone, and specifically forbids that port from being used by unencrypted DNS traffic (RFC 7858, Section 3.1).

The DoT protocol uses TLS to provide encryption that encapsulates standard DNS protocol queries, with the traffic using the well-known port 853 (RFC 7858, Section 6). DoT was designed to make it easy for organizations either to block traffic on that port, or to accept the traffic but enable decryption on that port.

Risks associated with DoT

Google implemented DoT in its Android 9 Pie client and later versions, with a default setting that uses DoT automatically when it is available. If you have assessed the risk and are ready to use DoT at the organization level, then your network administrators must explicitly allow outbound traffic on port 853 through the perimeter for this new protocol.

Ensuring visibility and control of DoT traffic

As a best practice for controlling DoT, we recommend either of the following, depending on your organization's requirements:

  • Configure the NGFW to decrypt traffic to destination port 853. Once the encryption is removed, DoT shows up as a DNS application to which you can apply any action, such as enabling the Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing together with anti-spyware.

  • Alternatively, have the App-ID engine block 'dns-over-tls' traffic on port 853 entirely. This is usually blocked by default, so no action is required (unless you have explicitly allowed the 'dns-over-tls' application or port 853 traffic).
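Whichever of the two DoT options you pick, and the DoH rule above, you will want to verify that the perimeter actually enforces them. The following added example (not from the original article) audits a constructed, simplified session log for the two escape paths: DoT allowed to a resolver you did not sanction, and DoH allowed at all. The CSV layout, the IP addresses and the sanctioned resolver set are all assumptions, not any vendor's native log format.

```python
import csv
import io

# Constructed session log in a simplified CSV layout (not a vendor's native format).
# Columns: src, dst, dport, app, action. App names follow the article's App-ID naming;
# the addresses are private and documentation-range placeholders.
SAMPLE_LOG = """\
src,dst,dport,app,action
10.1.2.10,10.1.0.53,53,dns,allow
10.1.2.11,198.51.100.7,853,dns-over-tls,allow
10.1.2.12,203.0.113.9,853,dns-over-tls,deny
10.1.2.13,203.0.113.44,443,dns-over-https,allow
10.1.2.14,203.0.113.44,443,web-browsing,allow
10.1.2.15,203.0.113.21,443,dns-over-https,deny
10.1.2.16,10.1.0.53,853,dns-over-tls,allow
"""

# Assumption: the enterprise's own resolver, the one sanctioned DoT destination
# (the article's "unless you explicitly allow ... port 853 traffic" exception).
SANCTIONED_DOT_RESOLVERS = {"10.1.0.53"}


def audit_encrypted_dns(log_text: str, sanctioned=SANCTIONED_DOT_RESOLVERS) -> dict:
    """Flag allowed sessions that escaped the controls described in the article:
    - DoT (port 853 or the dns-over-tls app) allowed to an unsanctioned resolver,
    - DoH (dns-over-https) allowed at all, since it cannot be inspected without decryption.
    Returns the flagged (src, dst) pairs per category for follow-up."""
    findings = {"dot_unsanctioned": [], "doh_allowed": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue  # denied sessions are the control working as intended
        is_dot = row["dport"] == "853" or row["app"] == "dns-over-tls"
        if is_dot and row["dst"] not in sanctioned:
            findings["dot_unsanctioned"].append((row["src"], row["dst"]))
        if row["app"] == "dns-over-https":
            findings["doh_allowed"].append((row["src"], row["dst"]))
    return findings


if __name__ == "__main__":
    for category, pairs in audit_encrypted_dns(SAMPLE_LOG).items():
        print(category, pairs)
```

A non-empty result means either the deny rule is missing or a broader allow rule matches first, which is the usual reason such traffic slips through.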

source: www.habr.com
