DNS Security Guide

Whatever a company does, DNS security should be part of its security plan. Name services, which resolve hostnames to IP addresses, are used by nearly every application and service on the network.

If an attacker gains control of an organization's DNS, they can easily:

  • transfer control of shared resources to themselves
  • redirect incoming email, web requests and authentication attempts
  • generate and validate SSL/TLS certificates

This guide looks at DNS security from two angles:

  1. Continuous monitoring and control of DNS
  2. How new DNS protocols such as DNSSEC, DoH and DoT can help protect the integrity and privacy of DNS requests in transit

What is DNS security?

The concept of DNS security includes two important components:

  1. Ensuring the overall integrity and availability of the DNS services that resolve hostnames to IP addresses
  2. Monitoring DNS activity to identify possible security issues anywhere in your network

Why is DNS vulnerable to attack?

DNS technology was created in the early days of the Internet, long before anyone started thinking about network security. DNS operates without authentication or encryption, blindly processing requests from any user.

Because of this, there are many ways to deceive the user and to falsify information about where the resolution of names to IP addresses actually takes place.

DNS Security: Issues and Components

DNS security is made up of several basic components, each of which must be taken into account to ensure complete protection:

  • Hardening server security and management procedures: raise the server's security level and create a standard commissioning template
  • Protocol improvements: deploy DNSSEC, DoT or DoH
  • Analytics and reporting: add the DNS event log to your SIEM for additional context when investigating incidents
  • Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
  • Automation: create as many scripts as possible to automate processes

The high-level components mentioned above are only the tip of the DNS security iceberg. In the next section, we will dive into more specific use cases and the best practices you need to know about.

DNS attacks

  • DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache so that users are redirected elsewhere
  • DNS tunneling: used mainly to bypass protections on remote connections
  • DNS hijacking: redirecting normal DNS traffic to a different target DNS server by changing the domain registrar
  • NXDOMAIN attack: conducting a DDoS attack on an authoritative DNS server by sending illegitimate domain queries to obtain a forced response
  • Phantom domain: causes the DNS resolver to wait for a response from non-existent domains, which leads to poor performance
  • Random subdomain attack: compromised hosts and botnets launch a DDoS attack on a valid domain, but focus their fire on fake subdomains to force the DNS server to look up records and take over control of the service
  • Domain lock-up: sending numerous spam responses to tie up the resources of the DNS server
  • Botnet attack from customer premises equipment: a collection of computers, modems, routers and other devices that concentrate computing power on a specific website to overload it with traffic requests
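
Two of the patterns in the list above leave a recognisable shape in resolver logs: floods of unique, non-existent subdomains (NXDOMAIN and random subdomain attacks) and long, high-entropy labels (DNS tunneling). The following is an added example, not part of the original guide; the log format, thresholds and `.example` names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: (client IP, queried name, response code).
B32 = "abcdefghijklmnopqrstuvwxyz234567"
LOG = (
    [("10.0.0.5", "www.intranet.example", "NOERROR")] * 4
    + [("10.0.0.5", "mail.intranet.example", "NOERROR")] * 2
    + [("10.0.0.%d" % i, s + ".shop.example", "NXDOMAIN")
       for i, s in enumerate(["q7x1", "zk90", "m3vd", "t8ye", "b2ol", "w5ua"])]
    + [("10.0.0.9", B32[i:] + B32[:i] + ".t.example", "NOERROR") for i in range(6)]
)

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(name, zone_labels=2):
    """Naive split into (zone, subdomain); real data needs the Public Suffix List."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-zone_labels:]), ".".join(parts[:-zone_labels])

def profile(log):
    """Aggregate per-zone counters from the query log."""
    stats = defaultdict(lambda: {"subs": set(), "total": 0, "nx": 0, "encoded": 0})
    for _client, name, rcode in log:
        zone, sub = split_name(name)
        s = stats[zone]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["subs"].add(sub)
        # Long, high-entropy labels look like encoded payload, not hostnames.
        s["encoded"] += len(sub) >= 30 and entropy(sub) >= 3.5
    return stats

def classify(log, min_queries=5):
    """Flag zones whose query pattern matches one of the two shapes."""
    findings = {}
    for zone, s in profile(log).items():
        if s["total"] < min_queries:
            continue
        unique = len(s["subs"]) / s["total"]
        if unique > 0.8 and s["nx"] / s["total"] > 0.8:
            findings[zone] = "random-subdomain / NXDOMAIN flood"
        elif unique > 0.8 and s["encoded"] / s["total"] > 0.5:
            findings[zone] = "possible DNS tunneling"
    return findings
```

On the constructed log, `classify(LOG)` flags `shop.example` and `t.example` and leaves `intranet.example` alone.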

DNS attacks

Attacks that in some way use DNS to attack other systems (that is, changing DNS records is not the end goal):

  • Fast-Flux
  • Single Flux networks
  • Double Flux networks
  • DNS tunneling

DNS attacks

Attacks that result in the IP address the attacker wants being returned from the DNS server:

  • DNS spoofing or cache poisoning
  • DNS hijacking

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know the general information about each individual DNS request.

DNSSEC uses digital signature keys (PKI) to verify that the results of a domain name query come from a valid source.
Implementing DNSSEC is not only an industry best practice, it is also effective in preventing most DNS attacks.

How DNSSEC works

DNSSEC works similarly to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:

  1. DNS records are signed with the private key of a public/private key pair
  2. Responses to DNSSEC queries contain the requested record together with the signature and the public key
  3. The public key is then used to compare the authenticity of the record and the signature
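
The three steps above, as an added example that is not part of the original guide. It uses textbook RSA over constructed demo primes as a stand-in for a real DNSSEC algorithm and a simplified text form instead of the RRSIG wire format; all names and addresses are constructed. It also shows why the public key carried in a response has to match a key the resolver already trusts.

```python
import hashlib

# Constructed demo key: textbook RSA over two Mersenne primes. NOT secure and
# not a DNSSEC algorithm; it only stands in for the zone's signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the zone

def digest(rrset):
    """Hash a canonical (sorted, lower-cased) text form of the record set."""
    canon = "\n".join(sorted(r.lower() for r in rrset)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")

def answer(rrset, d=D, n=N):
    """Steps 1 and 2: sign the records, return them with signature and public key."""
    return {"rrset": rrset, "sig": pow(digest(rrset), d, n), "key": (E, n)}

def verify(resp, trusted_key=None):
    """Step 3: check the signature; optionally require a key we already trust."""
    e, n = resp["key"]
    if trusted_key is not None and (e, n) != trusted_key:
        return False                 # signature may be valid, but not from the zone
    return pow(resp["sig"], e, n) == digest(resp["rrset"])

# Constructed responses.
GOOD = answer(["www.example.com. 300 IN A 192.0.2.10"])
# Record changed in transit; the signature no longer matches.
TAMPERED = dict(GOOD, rrset=["www.example.com. 300 IN A 203.0.113.66"])
# Changed record signed with a different (constructed) key pair.
P2 = 2**1279 - 1
RESIGNED = answer(TAMPERED["rrset"], d=pow(E, -1, (P - 1) * (P2 - 1)), n=P * P2)
```

`verify(RESIGNED)` succeeds against the key shipped in the response but fails once `trusted_key=GOOD["key"]` is required, which is the reason validating resolvers anchor zone keys in a chain of trust.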

DNS and DNSSEC security

DNSSEC is a tool for checking the integrity of DNS queries. It does not affect DNS privacy. In other words, DNSSEC can give you confidence that the response to your DNS query has not been tampered with, but any attacker can see those results as they are sent to you.

DoT - DNS over TLS

Transport Layer Security (TLS) is a cryptographic protocol for protecting information transmitted over a network connection. Once a secure TLS connection has been established between client and server, the transmitted data is encrypted and no intermediary can see it.

TLS is most commonly used as part of HTTPS (SSL) in your web browser, because requests are sent to secure HTTP servers.

DNS-over-TLS (DNS over TLS, DoT) uses the TLS protocol to encrypt the UDP traffic of regular DNS requests.
Encrypting these plain-text requests helps protect the users or applications making the requests from several attacks.

  • MitM, or "man in the middle": without encryption, an intermediate system between the client and the authoritative DNS server can send false or harmful information to the client in response to a request.
  • Espionage and tracking: without encrypted requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone will not reveal the specific page visited on a website, simply knowing the requested domains is enough to build a profile of a system or a person.

Source: University of California Irvine

DoH - DNS over HTTPS

DNS-over-HTTPS (DNS over HTTPS, DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goals are similar to those of the DoT protocol: improving people's privacy online by encrypting DNS requests and responses.

Standard DNS queries are sent over UDP. Requests and responses can be tracked using tools such as Wireshark. DoT encrypts these requests, but they are still identified as distinct UDP traffic on the network.

DoH takes a different approach and sends encrypted hostname resolution requests over HTTPS connections, which look like any other web request on the network.

This difference has very important implications both for system administrators and for the future of name resolution.

  1. DNS filtering is a common way to filter web traffic in order to protect users from phishing attacks, sites that distribute malware, or other potentially harmful Internet activity on a corporate network. The DoH protocol bypasses these filters, which can expose users and the network to greater risk.
  2. In the current name resolution model, every device on the network more or less receives DNS queries from a single location (a specified DNS server). DoH, and in particular its implementation in Firefox, shows that this may change in the future. Each application on a computer may get data from different DNS sources, which makes troubleshooting, security and risk modeling much more complex.

Source: www.varonis.com/blog/what-is-powershell

What is the difference between DNS over TLS and DNS over HTTPS?

Let's start with DNS over TLS (DoT). The main point here is that the original DNS protocol is not changed, but is simply transmitted securely over a secure channel. DoH, on the other hand, puts DNS into HTTP format before making requests.
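
The difference described above, shown on one query as an added example that is not part of the original guide: the same DNS wire-format message is length-prefixed for DoT (RFC 7858) and wrapped into an HTTP request for DoH (RFC 8484). The resolver host `doh.example` is a hypothetical placeholder.

```python
import base64
import struct

def dns_query(name, qtype=1, qid=0):
    """Classic DNS query in wire format (RFC 1035): 12-byte header + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN

def dot_frame(msg):
    """DoT: the unchanged message behind a 2-byte length, sent inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg

def doh_get(msg, resolver="https://doh.example/dns-query"):
    """DoH GET: the message becomes an unpadded base64url 'dns' URL parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode()
    return f"{resolver}?dns={encoded}"

def doh_post(msg, host="doh.example"):
    """DoH POST: the message is the body of an ordinary HTTPS request on port 443."""
    headers = {
        "Host": host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(msg)),
    }
    return "POST /dns-query", headers, msg

if __name__ == "__main__":
    query = dns_query("www.example.com")
    print("wire :", query.hex())
    print("DoT  :", dot_frame(query).hex())
    print("DoH  :", doh_get(query))
```

For monitoring, this is why DoT remains identifiable by its dedicated port while a DoH request is indistinguishable from other HTTPS traffic without inspecting the destination or the decrypted content.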

DNS monitoring alerts

The ability to effectively monitor DNS traffic on your network for suspicious anomalies is critical to the early detection of a breach. Using a tool such as Varonis Edge will give you the ability to stay on top of all the important metrics and to create profiles for every account on your network. You can configure alerts to be generated as the result of a combination of actions that occur over a specific period of time.

Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and after-hours activity are just a few of the metrics that can be correlated to build a broader detection picture.
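
One way to express "a combination of actions within a period of time" as a rule, added here as an example; it is not part of the original guide and not the logic of Varonis Edge. The event format, signal names, accounts and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, account, signal raised by some sensor).
EVENTS = [
    ("2024-03-04T02:11:00", "svc-backup", "after_hours"),
    ("2024-03-04T02:13:00", "svc-backup", "new_geolocation"),
    ("2024-03-04T02:20:00", "svc-backup", "dns_record_change"),
    ("2024-03-04T02:41:00", "svc-backup", "first_sensitive_access"),
    ("2024-03-04T09:00:00", "alice", "dns_record_change"),
    ("2024-03-04T23:30:00", "alice", "after_hours"),
    ("2024-03-04T10:00:00", "bob", "first_sensitive_access"),
]

def correlate(events, window=timedelta(minutes=30), min_signals=3):
    """Alert when one account shows >= min_signals distinct signals within window."""
    per_account = {}
    for ts, account, signal in sorted(events):          # ISO strings sort by time
        per_account.setdefault(account, []).append(
            (datetime.fromisoformat(ts), signal))
    alerts = []
    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the left edge so the window never spans more than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            signals = {sig for _, sig in evs[start:end + 1]}
            if len(signals) >= min_signals:
                alerts.append((account, evs[start][0].isoformat(), sorted(signals)))
                break                                    # one alert per account
    return alerts

if __name__ == "__main__":
    for account, since, signals in correlate(EVENTS):
        print(f"ALERT {account} since {since}: {', '.join(signals)}")
```

A single signal such as an after-hours login stays below the threshold; only the account that combines three different signals within 30 minutes is reported.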

Source: www.habr.com
